In recent years, cybercrime has left the realm of science fiction and entered our everyday lives. No one is safe. Large and small companies , as well as randomly (or not-so-randomly) selected 'lucky' individuals, are falling victim to a variety of internet-based scams, from large-scale ransomware attacks to sophisticated phishing campaigns. Entire wars are fought online, with cyberwarfare being more prominent than ever as the conflicts between Russia and Ukraine and Israel and Palestine unfold. But who are the mysterious “hackers” behind the attacks? The following groups are some of the most notorious cybercrime syndicates of the recent years.

Anonymous

If there is one hacking group many people are familiar with, it is the Guy Fawkes mask-wearing vigilantes from Anonymous. Anonymous is a decentralised organisation with no hierarchy, where the operations and targets to attack are pitched to the group and then chosen by popular consensus. Unlike other groups, Anonymous does not carry out attacks for the purpose of financial gain, instead the members of the group act as hacktivists, who use cyberattacks to bring attention to a political or social issue. In particular, Anonymous uses cyberattacks to combat censorship and government control, and to promote freedom of speech.

In recent years, Anonymous carried out multiple cyberattacks on various Russian and Belarussian websites, as well as international businesses who continued working with Russia, in protest against Russia’s invasion of Ukraine in February 2022. By July 2022, the group claimed to have hacked, and in some instances leaked stolen data from, over 2,500 websites.

DarkSide

DarkSide, which made its first appearance in August 2020, is a Russian hacker group that gained the public’s attention after its attack on Colonial Pipeline in May 2021 that earned them approximately $5 million in ransomware payment. As of 2023, the incident is still known for being one of the attacks with the highest pay-outs in ransomware history.

Unlike Anonymous, DarkSide claims to be apolitical and motivated by financial gain only. It operates a ransomware-as-a-service business model and checks all companies that cybercriminals using their tools and services want to attack in order to “avoid social consequences in the future”, as it stated on their now defunct Tor-based blog. Nevertheless, multiple data breaches accredited to DarkSide have been known to cause a lot of disruption, with the attack on Colonial causing the largest fuel pipeline in the US to shut down entirely for the first time in its 57 years history.

CL0P

Ransomware is a common way for bad actors to make money. CL0P is yet another financially motivated group employing this tactic. Good news for the general public – CL0P is only known for targeting high-profile industry giants (favouring finance, IT and manufacturing industries the most) who have the means to pay the exorbitant ransoms that the group demands for the safe retrieval of their data. After the attack on German tech firm Software AG in October 2020, CL0P made history by being the first ransomware gang to request a payment exceeding $20 million.

The group still poses an active threat to cybersecurity and is getting arrogant. Unlike the “traditional” ransomware attacks, where attackers email their ransom demands to their victims, in the recent large-scale attack on multiple British companies in June 2023 (including the BBC, Boots and the British Airways) the group posted an update on the dark web requesting the affected companies to contact the gang themselves in order to start negotiations and avoid the publication of the stolen data.

Lapsus$

Another big player in the ransomware game is the Lapsus$ gang. This group does not shy away from the healthcare sector and gained the public’s attention after compromising millions of lines of COVID-19 vaccination data as part of its ransomware attack against the Brazilian Ministry of Health in December 2021. In contrast to many other ransomware groups, Lapsu$ does not waste its time encrypting stolen data, but simply demands payment for not making it public.

Instead of a website on the dark web, Lapsus$ uses Telegram, a messaging app, to recruit new members and also to post the data of companies who have failed to pay ransoms. A number of high-profile cyberattacks attributed to Lapsus$, including attacks on Nvidia and Uber, have been carried out by an 18-year-old teenager who was arrested in September 2022 for blackmail, fraud and other offences.

Lazarus

Not all hacking groups are run by bored teenagers looking to make a few million in extra cash after school. Some hacker groups are created by governments and are used to gather information, as well as to cause disruption. Lazarus (or Lazarus Group) is a North Korean state-backed group that considers itself a cyber warfare agency. According to some sources, the group has been active from as far back as 1998.

The group came to prominence in 2014 after the outrage over the Sony Pictures black comedy about an attempted assassination of the North Korean leader Kim Jong-Un. “The Interview” caused the group to steal data from Sony in an attempt to stop “the movie of terrorism which can break the regional peace and cause the War” (source). Eventually, Lazarus published the data, including thousands of security numbers, email correspondence, card and passport details.

Armageddon/Gamaredon

Russia is well known for its hackers and cybercriminal groups that are used for a variety of purposes. Linked to Russia’s Federal Security Service (FSB) in Moscow, Armageddon, also known as Gamaredon, is fighting Russia’s corner in the ongoing conflict between Russia and Ukraine on the world wide web. Targeting Ukrainian state services, the group conducts cyberespionage as well as cyberattacks, infecting computers using specially-developed malware and phishing campaigns.

Reportedly, Armageddon includes former officers of the Security Service of Ukraine in the Autonomous Republic of Crimea who defected to “the other side”. The group still operates from the Crimean peninsula.

Fancy Bear

Another group known for its strong ties to the Russian military (in this case the Russian military intelligence agency GRU) is Fancy Bear. Sometimes referred to as APT28, the group has been active since 2004 and has gained reputation as an Advanced Persistent Threat.

Their usual methods involve using sophisticated phishing attacks against high-profile targets, often in the political or defence sectors that appear to match the strategic interests of the Russian government. Their extensive list of cyberattacks includes a phishing campaign on the US Democratic Party as well as NATO, Polish government websites and Georgia ministries. The group tends to use email domains that look almost identical to the official websites of their victims, making it harder for even the best prepared individuals to notice the scam.

Evil Corp

Not every hacker in Russia is dedicated to proving political points. A financially motivated group with the ominous name of Evil Corp, that has been active since about 2009, has allegedly stolen more than $100 million from hundreds of banks worldwide. Their malware of choice is the Dridex banking. Normally delivered through phishing emails, Dridex is used to steal sensitive information like banking credentials and other financial data.

In their years of operation, Evil Corp have gained many high-ranking enemies across the globe. The group has been sanctioned multiple times for using various malwares: in 2019 law enforcement agencies from different countries led a joint operation which resulted in Evil Corp being sanctioned over the development and active use of Dridex. Despite the US government pursuing Evil Corp for years, no arrests have been made thus far and the group is still in active operation.

REvil

Russian, evil and motivated by money. Named after the Resident Evil film series, this ransomware group lived up to its name when it shut down after receiving pressure from the Biden administration following REvil’s attack on the US-based software provider Kaseya in July 2021 They came back to life like a zombie in August 2022.

REvil operates similarly to other ransomware groups – compromising machines, encrypting and exfiltrating data and demanding a ransom payment to gain access to stolen files as well as to avoid them being published online. They were the most active in 2021 when they accounted for 37% of all ransomware attacks. Apart from Kaseya, Revil are known for attacking the Taiwanese tech giant Acer and the world’s largest meat processing company JBS. They are also famous for leaking over 2 GB of data from the American pop-star and actress Lady Gaga.

LockBit

LockBit is another ransomware giant in the world of cybercrime. Accounting for 46 percent of all ransomware-related breach events for the first quarter of 2022, the group is still going strong and posting updates on their Tor-based leak site daily. Unsurprisingly located in Russia, LockBit’s modus operandi includes blocking user access to infected computer systems, promising to unblock only in exchange for a ransom payment. Victims are normally blackmailed with the threat of data publication in case the demanded payment is not made.

However, LockBit are also known as criminals with a heart. In December 2022, the gang issued an apology and released a file decryption key for free after one of their members broke the rules and attacked the Hospital for Sick Children (known as Sick Kids). According to LockBit, they have a policy to not attack healthcare organizations.

Now what?

The world of cybercrime is, unsurprisingly, rich and complex, and evolving constantly. Although large cybercriminal syndicates mostly focus on high-profile victims, it is vital to stay vigilant. It is also important to remember that every attack is a lesson to affected companies who update and upgrade their software and processes accordingly. On an individual level, keeping our software up to date along with double checking emails and messages requesting downloads or containing links to second party websites are just some of the simple steps that can be taken to avoid falling victim to cybercrime.

Sources:

https://www.cnbc.com/2022/07/28/how-is-anonymous-attacking-russia-the-top-six-ways-ranked-.html

https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/

https://www.standard.co.uk/news/tech/clop-gang-russian-hackers-cyberattacks-bbc-british-airways-b1086008.html

https://www.theverge.com/2023/8/23/23842746/lapsus-member-uber-rockstar-games-hack

https://www.theguardian.com/film/2014/dec/18/sony-hack-the-interview-timeline

https://us.norton.com/blog/emerging-threats/hacker-groups

https://therecord.media/armageddon-gamaredon-russian-hacking-group-increasingly-targeting-ukraine-government

https://www.techtarget.com/searchsecurity/definition/Evil-Corp

https://www.cobalt.io/blog/top-10-most-notorious-hacker-groups

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.