While threat actors like Cozy Bear and Fancy Bear get a lot of attention, there is another sophisticated crime actor that companies need to be watching out for. The group is called TA505 and it is believed to be a Russian criminal operation. However, there may be more to this group’s activities than purely financial motives.
Prevailion has observed TA505 compromises in a wide range of US and international companies and organizations, from the financial sector to energy and healthcare. From the evidence our team has seen, TA505 is highly active, sophisticated and effective, and may be involved in nation-state activities. Whether backed by a foreign adversary or not, we consider it one of the most prolific threat groups in the world today.
In our research, we have been able to connect TA505 to many Fortune/Global 500 compromises, as well as public organizations. Though many of these remain active, evidence suggests that they are likely undetected by the victim organization.
Since first being identified in 2014, TA505 has been identified in campaigns targeting a wide range of industries. In January, Microsoft Security Intelligence warned that the TA505 cybercrime gang, was using malicious attachments with HTML redirectors for delivering malicious Excel docs. The group has been seen leaving behind Locky ransomware as well as, “spreading the persistent SDBbot remote-access trojan (RAT) laterally throughout an entire corporate environment,” according to Threatpost. These actors have been identified as among those sending malicious attachments related to the coronavirus, another indication that their activity is far from limited.
In December 2019, the group had reportedly attacked a hospital in France. These malicious actors seemingly have offered hospitals struggling to serve those in need of COVID-19 related infections little relief. Security Boulevard recently reported that the group is believed to have, “carried out a series of attacks against pharmaceutical and manufacturing companies in Germany and Belgium in late January 2020.”
Earlier this year, the University of Maastricht in The Netherlands reportedly paid out $240,000 after it was hit with a ransomware attack believed to be the work of TA505 actors. What’s concerning about this range of activity is that it crosses so many industries–from healthcare to manufacturing and critical infrastructure–making it difficult to understand the group’s agenda.
What we do know is that the group has been seen using unidentified tools that are not in Virus Total, suggesting TA505 is regularly updating its toolkit or creating custom malware. Regardless, the group seems very well organized in its ability to use different tools depending on the environment it compromises. They are able to deploy some sort of credential stealer in one organization where they might use ransomware against another. Despite the group’s diverse activity, no one has been able to label the group as anything other than a cybercrime group, though it feels like these actors could have nation state backing.
The malware in its own right doesn’t suggest the actor’s intention. But, if a known actor has a malware deployed and that malware is communicating back to an APT group, it’s concerning as it is an indication of the threat actor’s intention to leverage the malware.
There’s an alarming difference between a piece of malware that gets deployed, is calling out, but no one is answering and the malware that is communicating with infrastructure that is owned by known threat actors. When these threat actors are seen beaconing back to command and control without any kind of change in the environment, it’s likely that the weaponry or malware they are using is not being identified by defensive tools. Organizations need to know when this activity is happening.
That’s why organizations need visibility into evidence of compromise. Reliance of conventional tools isn’t working for the malware used by this group, so detecting intrusion requires a deeper analysis. For attacks perpetrated by these types of sophisticated actors, knowledge is power. They are using malware that is sophisticated enough to evade detection, and organizations need to know when the malware is beaconing.
Hijazi discusses Microsoft hack parallels with SolarWinds and how China and Russia likely execute their cyber campaigns.
See Prevailion CEO, Karim Hijazi, comment on how nation states use proxy groups to compromise organizations through weaker supply chain points.
See Prevailion CEO, Karim Hijazi, weigh in on a second solar winds hack and how elite hacker groups have likely already compromised many top companies around