TGIF!!! Happy Friday everybody!!! What a week this has been, both professionally and personally. Anyways, as we close out the week, I was thinking about the topics that I could write on. It occurred to me that as much as I have written about Cyber attackers and the threats that they pose, I have really never written about what a Cyber attack group is really like. Well, today’s post is going to change, to a certain extent, that course.
Today, I came across an article which profiles such a group in pretty good detail – in fact, the most detail I have seen so far in the years of research and writing that I have done. The Cyber terrorist group is known as the “Gorgon Group”, with firm links to Pakistan. Here are some of the known details about them:
*They have targeted government organizations across the United Kingdom, the United States, Spain and Russia;
*They just don’t target government agencies, but they also target other victims on a worldwide basis (specific victims in this aspect are not known yet);
*They also make use of a what is known as a “Shared Malicious Infrastructure”. In a way, this is like a Cloud platform Cyber attacker use in order to gain tools quickly and effectively, but it is only available on the Dark Web;
*This group is notorious for making use of malware in which to infect not only just computers, but other wireless devices, in particular, Smartphones (targeting primarily the Android and the iPhone based models);
*In particular, they make use of the the prolific Trickbot banking malware and NjRAT as well as RevengeRAT, RemcosRAT, NanoCoreRAT and Lokibot;
*The group likely consists of five members, one of whom is known as Subaat;
*It is not sure if the group actually resides in Pakistan, but online personas support the fact that they appear to be based out of the nation of Pakistan;
*The group conducts both regular crime and targeted Cyber attacks using the same domain infrastructure over time, rarely changing their attack profile or threat vector;
*Between April 1, 2018 and May 30, 2018, it was observed that the domain stevemike-fireforce[.]info used to infiltrate more than 2,300 emails and 19 confidential documents related to the Intellectual Property of businesses and corporations;
*This same domain was also used during the same time frame in targeted and pointed attacks against several worldwide nation governmental agencies;
*Cyber researchers discovered that the Gorgon Group uses unique domains for both cybercrime and money laundering schemes;
*Their main Cyber attack vehicle is the use of the malware known as “Bitly” in order to shorten the domain names;
*The Gorgon Group is one of the first Cyber attack organizations to make use of a combined repertoire of both cybercriminal and targeted attacks.
Well, there you have it, the complete profile of what is known so far about the Gorgon Group. My thoughts on this? At first review of all of this, they seem to be the typical Cyber attack group. They are not large, they are about the average size. They seem to be knowledgable in what they do, but they are not too sophisticated when compared to other Cyber attack groups, such as the SamSam Ransomware.
My hunch is that the individuals who comprise the Gorgon Group are probably either in college, or have just recently graduated, and are just starting to learn Penetration Testing skills. But, they do appear to be sophisticated in hiding their tracks thus far, as no individuals have yet been apprehended by authorities.
But no matter how novice the Gorgon Group might be, one point is already made clear and evident, which is summed up nicely by this quote: “Overall, in spite of the lack of sophistication in Gorgon Group’s activity, they were still relatively successful; once again proving that simple attacks on individuals without proper protections, work.” (SOURCE: https://cyware.com/news/pakistan-linked-gorgon-group-found-engaging-in-both-cybercrime-and-targeting-governments-c5785dae).
So, this underscores the fact that always keep your IT infrastructure up to date with the latest patches and software upgrades. And of course, be vigilant about your Security environment.
Also, keep in mind that the Cyber attacker of tomorrow is getting extremely sophisticated – they are taking their own sweet time to research your businesses’ weaknesses and vulnerabilities, and will strike when you least expect it. In fact, you will probably never even realize that you have been hit, or worst yet, even know that you have become a victim until it is too late.