Cyber-mercenaries for hire represent shifting criminal business model

An emerging and fast-growing threat group is using a unique business model to offer cybercriminals a broad range of services that span from leaked databases and distributed denial-of-service (DDoS) attacks to hacking scripts and, in the future, potentially ransomware.

The Atlas Intelligence Group – or AIG or Atlantis Cyber-Army – was first detected in May and initially appeared to be a run-of-the-mill data leakage gang, according to threat intelligence researchers at Cyberint. However, as a clearer picture of AIG emerged, it became obvious that the group's operations were anything but business as usual.

As cybercrime becomes more profitable, with some groups bringing in hundreds of millions of dollars, threat groups have evolved to include business models that mirror those of many corporations, with everything from CEOs to HR departments to time-off policies for their employees. That was illustrated earlier this year by the information leaks of ransomware group Conti's operations.

That said, the number and variety of services AIG offers are different than most cybercriminal gangs. In addition, rather than hiring people that tend to stay with the operators, as most gangs do, Atlas hires what Cyberint calls "cyber-mercenaries" to do specific jobs for particular campaigns and then recruits other such freelancers for other jobs with other attacks.

Only the leader of AIG and a handful of administrators know what the full campaign looks like. The cyber-mercenaries work only on particular tasks but don't have a view of the larger picture.

"This technique creates segregation between the participants and keeps all those doing the 'dirty work' in the dark," the Cyberint researchers wrote in a report. "Applying this technique results in a high level of operations security (OpSec) for the operators and helps them avoid ongoing relationships with other threat actors."

The reports adds: "this is not an ordinary threat group, both in the way they behave and the way they manage their campaigns. When comparing them to other crime syndicates, we see the clear behavior of a cartel as we witness their leaders serve as architects of the campaigns, while the mercenaries follow the masterminds' orders."

The leader of the group is called Mr.Eagle and underneath him is at last four admins: El Rojo, Mr.Shawji, S41T4M4, and Coffee. The researchers wrote that Mr.Eagle appears to be mature and professional with strict rules for managing the group, including banning and kicking out cybercriminals who try to advertise themselves and their products.

The admins run the Atlas' advertising, management, and the operations of its channels, at times communicating with followers. None of the cyber-mercenaries are permanent members of the group or its campaigns. In its recruiting of mercenaries, AIG appears to seek out red teamers and experts in social engineering and open-source intelligence (OSINT). Because the contracts given out by Atlas are recurring, Cyberint said it appears the group's leaders aren't tied to the same individuals and that their campaigns have different mercenaries.

• Microsoft closes off two avenues of attack: Office macros, RDP brute-forcing
• DoJ, FBI recover $500,000 in ransomware payments to Maui gang
• After 40 years in tech, I see every innovation contains its dark opposite
• Jailed crooks told to cough up $600k for COVID fraud

The researchers saw ads for open contracts for single jobs – without joining the Atlas gang – for people skilled in spear phishing and social engineering and offers of publishing contracts for web hackers.

Services like DDoS and leaked databases are in line with what other groups offer. Atlas charges about $20.50 per DDoS victim and has leaked databases for sale starting at about $15.40. The databases come from all over the world and from a range of business sectors, including education, finance, government, manufacturing, and tech.

However, other services are more sophisticated and require more skills, such as hacked panels and initial access the group has into targeted organizations, with sales starting at $1.000. There also are what Atlas calls "VIP Services," with the gang advertising that it has connections with people in law enforcement in Europe who can supply sensitive information about certain individuals.

"This capability is impressive, not just because of the potential information that might be obtained, but also because it shows how deep the group goes as they are committed to their crime organization not only in the cyber realm," Cyberint researchers wrote.

AIG runs three channels on the Telegram social network that have thousands of subscribers. The first channel is a database marketplace and the second is where Mr.Eagle and his admins publish contracts. Through this, subscribers can offer their services. The third channel is used to post the group's announcements, including doxing scammers, upcoming targets and updates.

Through Telegram, Atlas also shares exploit kits and malicious content – including source code from various malware families – as a way to find the right mercenaries that the group needs for a particular campaign.

AIG also uses an ecommerce store on the Sellix.io platform to sell its services, with payment coming in cryptocurrency. Sellix.io operates as a middleman for Atlas, which gives the group another layer of anonymity and security, according to Cyberint.

The AIG gang seems to do whatever benefits it most. There aren't specific industries or regions it focuses on. That said, looking at the groups ecommerce store, the researchers found that most of the databases for sale are government-related and that access to Remote Desktop Protocol (RDP) clients and webshells tend to come from organizations in the finance, education, and manufacturing industries.

In an unusual twist, Atlas also appears to make a point of hunting down and doxxing pedophiles, having published the personal data – including home addresses, phone numbers, and pictures – of several people in Europe.

"Over the past months we have seen many new threat groups emerging, some from the ransomware sector, some data leakers, and some from the malware development sector, but all of them use pretty much the same advertising and team assembling techniques," the researchers wrote. "In Atlas' case … it seems that the cybercrime industry is being introduced to a sophisticated, highly anonymous, ambitious, purely logical and nonchalant threat actor who is looking to leave his mark and establish a dominant threat group in the future." ®