BlackBerry’s security team has published details today about a new hacker-for-hire mercenary group they discovered earlier this year, and which they tied to attacks to victims all over the world.
The group, which BlackBerry named CostaRicto, is the fifth hacker-for-hire group discovered this year after the likes of:
- BellTrox (aka Dark Basin) [1, 2, 3]
- DeathStalker (aka Deceptikons) [1, 2]
- Bahamut [1, 2]
- Unnamed group 
CostaRicto’s discovery also comes to retroactively confirm a Google report from May, when the US tech giant highlighted the increasing number of hacker-for-hire mercenary groups, and especially those operating out of India.
However, while BellTrox has been linked to an Indian entity and Bahamut is suspected of operating out of India as well, details about CostaRicto’s current origins and whereabouts still remain unknown.
What is currently known is that the group has orchestrated attacks all over the globe across different countries in Europe, the Americas, Asia, Australia, and Africa.
However, BlackBerry says the biggest concentration of victims appears to be in South Asia, and especially India, Bangladesh, and Singapore, suggesting that the threat actor could be based in the region, “but working on a wide range of commissions from diverse clients.”
As for the nature of the targets, the BlackBerry Research and Intelligence Team said in a report today that “the victims’ profiles are diverse across several verticals, with a large portion being financial institutions.”
Furthermore, BlackBerry says that “the diversity and geography of the victims doesn’t fit a picture of a campaign sponsored by a particular state” but suggests that they are “a mix of targets that could be explained by different assignments commissioned by disparate entities.”
CostaRicto group linked to new sophisticated Sombra malware
BlackBerry also adds that while the group is using custom-built and never-before-seen malware, they are not operating using any innovative techniques.
Most of their attacks rely on stolen credentials or spear-phishing emails as the initial entry vector. These emails usually deliver a backdoor trojan that BlackBerry has named Sombra or SombRAT.
The backdoor trojan allows CostaRicto operators to access infected hosts, search for sensitive files, and exfiltrate important documents.
This data is usually sent back to CostaRicto command-and-control infrastructure, which BlackBerry says it is usually hosted on the dark web, and accessible only via Tor.
Furthermore, the infected hosts usually connect these servers via a layer of proxies and SSH tunnels to hide the malicious traffic from the infected organizations.
All in all, BlackBerry says these practices “reveal better-than-average operation security,” when compared to your usual hacking groups.
All the CostaRicto malware samples that BlackBerry discovered have been traced back to as early as October 2019, but other clues in the gang’s servers suggest the group might have been active even earlier, as far back as 2017.
Furthermore, researchers said they also discovered an overlap with past campaigns from APT28, one of Russia’s military hacking units, but BlackBerry believes the server overlap may have been accidental.
Hacker-for-hire groups — the new landscape
For many years, most hacking groups have operated as stand-alone groups, carrying out financially-motivated attacks, stealing data, and selling for their own profit.
The public exposures of BellTrox, DeathStalker, Bahamut, and CostaRicto this year show a maturing hacker-for-hire scene, with more and more groups renting their services to multiple customers with different agendas, instead of operating as lone wolfs.
The next step in investigating these groups will need to look at who their clients are. Are they private corporations or foreign governments. Or are they both?