Security researchers from BlackBerry Research are tracking a cyber espionage group dubbed CostaRicto whose targets are unusually varied, indicating that it’s selling hacker-for-hire services to other entities. The group uses its own custom-built malware and a complex network of proxies, VPNs and SSH tunnels to hide its activity.
“Mercenary groups offering APT-style attacks are becoming more and more popular,” the BlackBerry researchers said in their report. “Their tactics, techniques, and procedures (TTPs) often resemble highly sophisticated state-sponsored campaigns, but the profiles and geography of their victims are far too diverse to be aligned with a single bad actor’s interests.”
CostaRicto targets multiple industries, geographic regions
The APT group has been operating since at least October 2019, but potentially as far back as 2017, based on timestamps in samples of its unique backdoor program. Its victims span multiple industry verticals, but many of them are financial institutions.
In terms of geography, the targets are based all over the world, but a concentration has been observed in South Asia, especially in India, Bangladesh and Singapore, suggesting the group might be based in and working for entities in that region. The list of other countries where victims were observed includes China, the US, the Bahamas, Australia, Mozambique, France, the Netherlands, Austria, Portugal and the Czech Republic.
Hacker-for-hire groups sit at the intersection of two trends observed over the past few years: the adoption of APT techniques by non-state groups, including those traditionally associated with cyber crime, and the commoditisation of cyber espionage through a new APT-as-a-service model.
These changes in the threat landscape challenge traditional threat models and leave many organisations exposed because they haven’t considered themselves as a potential target for cyber espionage in the past and don’t have the necessary defences in place.
This year we’ve seen reports of mercenary…