
Non-State Actors as Cyberwarriors

Warfare has changed over time to reflect advances in technology, and it continues to do so. Nations that fight with outdated tactics and strategy often fail when faced with a near-peer adversary whose tactics and strategy are supported by modern technology. The prolific use of social media and small unmanned aircraft systems (UAS) by Ukrainian forces against Russia is one example: small commercial drones have been modified to drop hand grenades into the open hatches of Russian armored vehicles and into trenches. Cyberwarfare conducted by non-state actors is another tactic of the modern battlespace. These non-state actors are often state sponsored, receiving funding or other resources from a conventional government. Like privateers, non-state cyber actors conduct a large volume of attacks against their chosen adversary even when no formal or declared kinetic military operations are under way. Their motivations range across military advantage, espionage, financial gain, and activism. Non-state cyber actor groups such as LockBit, Mustard Tempest, and Royal, discussed below, are at the forefront of this activity, and these three examples highlight the sophisticated practices non-state actors have developed.

Gold Mystic’s LockBit: Preparing for a Comeback

Gold Mystic, the group behind the LockBit ransomware, was the world's most prolific ransomware operation in 2022. The organization is in the business of developing, maintaining, selling, and using ransomware. Ransomware, at its simplest, is malicious software that blocks access to a computer system or its data until a sum of money is paid. Groups like Gold Mystic are commonly referred to as cybercriminal organizations. Because Gold Mystic develops its own ransomware rather than renting someone else's, it has the flexibility to proliferate the malware through a ransomware-as-a-service (RaaS) model.

The RaaS model allows Gold Mystic to lease or license its ransomware to affiliate groups, which conduct their own attacks using the leased software. The model is highly profitable: in exchange for the license, Gold Mystic takes a share of every ransom its affiliates collect, so it earns from many intrusions at once without having to run each one. It also lets the core group concentrate on refining and updating the ransomware and on providing service-desk-style support to affiliates, and even to victims negotiating payment.

Gold Mystic, like similar cybercriminal groups, operates anonymously, which makes it difficult for law enforcement and security professionals to trace its activities and positively identify the people behind it. Intelligence analysts believe Gold Mystic has a core team of developers who design, maintain, and update the LockBit code, improving its efficiency and its ability to evade detection. Like a legitimate SaaS business, the group evidently also has leadership and support personnel, given the sophistication and scale of its operations. Beyond the core developers, leaders, and support staff, Gold Mystic licenses its ransomware to affiliate cybercriminal groups in exchange for a share of the ransoms those affiliates collect. Several affiliate handles, including m1x, Boriselcin, and Uhodiransomwar, have been linked to an individual named Mikhail Matveev, for whom the United States Department of State has offered a reward of up to ten million dollars for information leading to his arrest.

Overall, Gold Mystic operates much like a standard SaaS business; the business just happens to be ransomware. Beyond the core developers, leadership, and support personnel, Gold Mystic recruits top hacker talent, including through sponsored underground technical writing contests (cisa.gov 2023). It also pays network access brokers for footholds in victim networks and appears to have acquired code from competitors or affiliates. The LockBit product has gone through three major versions. However, security teams and law enforcement have compromised the current version, LockBit 3.0, along with much of the infrastructure behind it.

The compromise of the ransomware and the loss of a key leader do not appear to have stopped the organization. On May 7, 2024, the United States brought criminal charges and imposed sanctions on Dmitry Khoroshev, identified as an administrator and developer of LockBit. Yet on May 21, 2024, Gold Mystic, operating under the LockBit name, claimed responsibility for a major breach of the Canadian retail chain London Drugs. The timing supports the view that Gold Mystic is a sophisticated enterprise: it appears to have had a business continuity plan in place for the arrest or identification of a key leader.

The LockBit attack on London Drugs had a significant impact on the victim. The attack surfaced in late April 2024, and Gold Mystic claimed responsibility under the LockBit name. The group describes itself as apolitical and motivated solely by money, and it demanded twenty-five million dollars from London Drugs. The company closed all seventy-nine of its stores for roughly ten days while it investigated and secured the systems that take in sensitive data such as customers' personal health information and personally identifiable information. London Drugs found no evidence that Gold Mystic had exfiltrated its critical customer data and refused to pay the ransom.

Mustard Tempest: a broker of initial access

Another cybercriminal business model is the initial access broker (IAB). An IAB is a cybercriminal or cybercrime organization that specializes in gaining unauthorized access to networks and systems. Essentially, an initial access broker carries out the early stages of the cyber kill chain (reconnaissance, weaponization, delivery, exploitation, and installation of a foothold), then sells or leases that access to another bad actor who completes the chain. The broker's primary role is thus to prepare a target's network for an attack by another group. Many non-state cyber threat actors rely on initial access brokers to support their operations; non-state brokers such as Mustard Tempest sell or lease the access they develop to ransomware groups.

The world of cybercrime is nebulous, and many initial access brokers can also run the full cyber kill chain themselves. Mustard Tempest is a financially motivated non-state actor. It earns money from its access brokerage, but when the opportunity and the right situation present themselves, an initial access broker can use the access it has developed for its own ransomware attack or for exfiltration of target data. To gain initial access to targeted organizations and individuals, Mustard Tempest uses several tools and techniques.

The first step in a Mustard Tempest intrusion is reconnaissance, the background research needed to identify and select a target. Reconnaissance can include, but is not limited to, network sweeps of IP ranges known to belong to the target, port scans, operating system fingerprinting, vulnerability scans, and probing of the systems found for those vulnerabilities. Much of this activity is visible at the perimeter as a single source touching many ports on one host, or one port across many hosts, in a short period of time.
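As an added example (not the article's own material), the following Python script applies the perimeter-side check a defender would run against the reconnaissance described above: it flags a source that reaches many distinct ports on one host (a vertical scan) or one port across many hosts (a horizontal sweep) within a sliding time window. The log format, thresholds and addresses are constructed for illustration and do not correspond to any vendor's product.

```python
"""Perimeter reconnaissance detector: flags vertical and horizontal scans.

Added example; not code from the original article. The firewall records
below are constructed for illustration, and their "key=value" layout is an
assumption rather than any vendor's real log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.5 walks eleven ports on one host (a
# vertical scan), 203.0.113.9 probes SMB on six hosts (a horizontal sweep),
# and 192.0.2.7 is ordinary HTTPS traffic that must not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=192.0.2.7 dst=198.51.100.10 dport=443 action=allow
2024-05-01T10:00:05 src=203.0.113.5 dst=198.51.100.10 dport=21 action=deny
2024-05-01T10:00:06 src=203.0.113.5 dst=198.51.100.10 dport=22 action=allow
2024-05-01T10:00:07 src=203.0.113.5 dst=198.51.100.10 dport=23 action=deny
2024-05-01T10:00:08 src=203.0.113.5 dst=198.51.100.10 dport=25 action=deny
2024-05-01T10:00:09 src=203.0.113.5 dst=198.51.100.10 dport=80 action=allow
2024-05-01T10:00:10 src=203.0.113.5 dst=198.51.100.10 dport=110 action=deny
2024-05-01T10:00:11 src=203.0.113.5 dst=198.51.100.10 dport=135 action=deny
2024-05-01T10:00:12 src=203.0.113.5 dst=198.51.100.10 dport=139 action=deny
2024-05-01T10:00:13 src=203.0.113.5 dst=198.51.100.10 dport=443 action=allow
2024-05-01T10:00:14 src=203.0.113.5 dst=198.51.100.10 dport=445 action=deny
2024-05-01T10:00:15 src=203.0.113.5 dst=198.51.100.10 dport=3389 action=deny
2024-05-01T10:01:00 src=192.0.2.7 dst=198.51.100.10 dport=443 action=allow
2024-05-01T10:02:00 src=203.0.113.9 dst=198.51.100.1 dport=445 action=deny
2024-05-01T10:02:01 src=203.0.113.9 dst=198.51.100.2 dport=445 action=deny
2024-05-01T10:02:02 src=203.0.113.9 dst=198.51.100.3 dport=445 action=deny
2024-05-01T10:02:03 src=203.0.113.9 dst=198.51.100.4 dport=445 action=deny
2024-05-01T10:02:04 src=203.0.113.9 dst=198.51.100.5 dport=445 action=deny
2024-05-01T10:02:05 src=203.0.113.9 dst=198.51.100.6 dport=445 action=deny
2024-05-01T10:09:00 src=192.0.2.7 dst=198.51.100.10 dport=443 action=allow
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "src": rec["src"],
        "dst": rec["dst"],
        "dport": int(rec["dport"]),
        "action": rec["action"],
    }


def detect_scans(lines, port_threshold=10, host_threshold=5,
                 window=timedelta(minutes=5)):
    """Return sorted (src, kind) alerts.

    kind is "vertical" when one source reaches >= port_threshold distinct
    ports on a single host inside the sliding window, and "horizontal" when
    it reaches >= host_threshold distinct hosts on a single port. Denied
    connections count too: most of a scanner's probes are rejected.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> events still inside the window
    alerts = defaultdict(set)
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop events older than the window
            q.popleft()
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for e in q:
            ports_per_host[e["dst"]].add(e["dport"])
            hosts_per_port[e["dport"]].add(e["dst"])
        if max(len(p) for p in ports_per_host.values()) >= port_threshold:
            alerts[ev["src"]].add("vertical")
        if max(len(h) for h in hosts_per_port.values()) >= host_threshold:
            alerts[ev["src"]].add("horizontal")
    return sorted((src, kind) for src, kinds in alerts.items() for kind in kinds)


if __name__ == "__main__":
    for src, kind in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"{src}: {kind} scan")
```

The thresholds are deliberately low so the sample fires; in production they are tuned per network segment, and the same sliding-window counting works over NetFlow or cloud VPC flow logs once `parse_line` is adapted to that format.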

After reconnaissance and target selection, Mustard Tempest weaponizes and delivers a payload in the hope of gaining access, relying primarily on social engineering. Spearphishing has been widely used: Mustard Tempest operators send a target organization's employees fake email messages containing links to compromised websites. Mustard Tempest is also known for search engine optimization (SEO) poisoning, which manipulates search results so that users looking for legitimate software land on pages serving fake, malicious updates. A third method is the drive-by compromise, in which a malicious program is delivered to the victim's machine without consent, typically after redirection to a compromised website. In Mustard Tempest's case the page presents a fake browser update that the victim is tricked into running, and that script installs the malware.
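As an added example, not taken from the article or from any vendor's detection content, the following Python script shows how the fake-update drive-by described above lands on an endpoint and how to spot it: a Windows script host (wscript.exe or cscript.exe) executing a .js or similar file that a browser or archive tool has just dropped into Downloads or Temp, launched interactively by the user. The event field names, the paths and the lure-name heuristic are assumptions made for illustration.

```python
"""Endpoint detection for a fake-browser-update lure.

Added example; not code from the original article or from any vendor.
The events below are constructed process-creation records in a
Sysmon-style shape (the field names Image, CommandLine, ParentImage and
User are an assumption). The scoring encodes a generic pattern behind
fake-update drive-bys: a Windows script host executing a script file that
was just downloaded or unpacked into a user's Downloads or Temp folder.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Paths a browser download or an archive tool would drop a file into.
USER_DROP_DIRS = re.compile(r"\\(downloads|appdata\\local\\temp|temp)\\", re.I)
# File names that imitate a browser update ("Chrome.Update.js" and the like).
LURE_NAME = re.compile(
    r"(chrome|firefox|edge|browser).*update|update.*(chrome|firefox|edge|browser)", re.I)
# Parents that mean a person double-clicked the file rather than a scheduled job.
INTERACTIVE_PARENTS = {"explorer.exe", "7zfm.exe", "winrar.exe"}

# Constructed events: one fake-update lure, one plain script run from
# Downloads, one legitimate admin script, and one ordinary browser launch.
SAMPLE_EVENTS = [
    {"User": r"CORP\alice",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_Chrome.Update.zip\Chrome.Update.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"User": r"CORP\bob",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\Downloads\invoice.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"User": r"CORP\svc-admin",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe //nologo "C:\Scripts\inventory.vbs"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"User": r"CORP\alice",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def script_argument(cmdline):
    """Return the first command-line token that names a script file, or None."""
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline):
        token = quoted or bare
        if token.lower().endswith(SCRIPT_EXTS):
            return token
    return None


def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    image = PureWindowsPath(ev["Image"]).name.lower()
    if image not in SCRIPT_HOSTS:
        return 0, []
    script = script_argument(ev["CommandLine"])
    if script is None:
        return 0, []
    name = PureWindowsPath(script).name
    score = 1
    reasons = [f"{image} executing {PureWindowsPath(script).suffix.lower()} file"]
    if USER_DROP_DIRS.search(script):          # dropped by a browser or unzip
        score += 2
        reasons.append("script sits in a user Downloads/Temp path")
    if LURE_NAME.search(name):                 # named to look like an update
        score += 2
        reasons.append("file name imitates a browser update")
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    if parent in INTERACTIVE_PARENTS:          # a human double-clicked it
        score += 1
        reasons.append(f"launched interactively from {parent}")
    return score, reasons


def detect_fake_update(events, threshold=4):
    """Return alerts (highest score first) for events at or above threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"user": ev["User"],
                           "script": script_argument(ev["CommandLine"]),
                           "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in detect_fake_update(SAMPLE_EVENTS):
        print(f'{a["user"]} score={a["score"]} {a["script"]}: {"; ".join(a["reasons"])}')
```

Run the file directly to print the alerts. The admin script launched from cmd.exe scores too low to fire, while a plain .js double-clicked from Downloads still reaches the threshold even without a browser-update name. That is deliberate: lure file names change constantly, but the script-host-from-Downloads pattern does not, so the name match only raises priority rather than gating the alert.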

Once Mustard Tempest has covertly gained initial access, it can either exploit the access itself, by exfiltrating data or deploying ransomware, or sell or lease the access to a partner non-state group in exchange for a flat fee, a barter arrangement, or a cut of the eventual ransom. Microsoft's reporting on Mustard Tempest, the actor behind the SocGholish fake-update framework, describes exactly this hand-off, with the group's infections passed to ransomware operators for the later stages of the kill chain.

The 2020 SolarWinds compromise is sometimes cited as such a hand-off, but the public record describes a different model. The United States government attributed that operation to APT29, a unit of Russia's foreign intelligence service (SVR), not to a financially motivated ransomware group, and no initial access broker such as Mustard Tempest has been publicly tied to it. It was a supply-chain espionage campaign rather than a ransomware attack: a trojanized update to SolarWinds' Orion network management product was downloaded by roughly eighteen thousand customers, among them US federal agencies including the Department of Homeland Security and the Treasury Department, and the attackers then chose a much smaller set of those victims for follow-on intrusion. The case is still instructive here because it shows how far an initial foothold can be carried. An opportunistic group that has achieved access can deploy ransomware, exfiltrate sensitive data to sell to a nation's intelligence organizations, or, as in this case, conduct espionage directly on behalf of a state.

Royal: Pending a Rebrand

Non-state cyberattack organizations vary widely in sophistication, whether they facilitate attacks or carry them out. There is a constant struggle between security engineers and law enforcement on one side and these organizations on the other. Technology, staffing, resources, anonymity, physical location, and much more shape how such an organization forms and operates. All factors considered, and much like legitimate businesses, non-state cyberattack organizations often rebrand, usually once a name has drawn too much attention. One group apparently in the middle of a rebrand is the organization currently known as Royal.

Royal is a non-state actor, specifically a cybercriminal ransomware organization, known for aggressive targeting coupled with high ransom demands. It is believed to be made up of highly skilled developers and cybercriminals. Often referred to as a cyber gang, Royal is a relatively new threat actor: it operated as Zeon until it was identified in 2022, after which the same organization appears to have rebranded as Royal Ransomware, also known as the Royal Hacking Group. The group has had success targeting the healthcare sector and local governments.

Royal is generally not believed to work with many affiliates in the criminal ransomware world. The actor Microsoft tracks as DEV-0569, now Storm-0569, is believed to have played a key role in distributing, and in part developing, Royal's software. Royal also practices double extortion: it not only encrypts a target's files but also exfiltrates data, holding both hostage and threatening to publish the stolen data if the ransom is not paid. Both facts support the assertion that Royal runs the full cyber kill chain itself, which makes the group particularly capable and dangerous to organizations.

One notable Royal attack struck the city of Dallas, Texas, in May 2023. The city's after-action report identified Royal as the attacker, and the motivation appears to have been financial. The size of the ransom demand, and whether it was paid, was not made readily available. The attack nonetheless had a substantial impact on the city: direct mitigation costs were eight million five hundred thousand dollars, and the labor needed to remediate the vulnerability and restore services has been estimated at thirty-nine thousand five hundred hours.

More recently, Royal has been observed using an encryptor called BlackSuit. BlackSuit shares a large amount of code with Royal's own ransomware and is assessed to have been built by the same individuals, so it appears that the Royal name gained too much notoriety after the Dallas attack and the group is in the process of rebranding as BlackSuit. The shift also indicates that the ransomware business is maturing, with operators applying what they have learned, building new relationships, and capitalizing on new opportunities. Non-state cyber actors tend to dissolve or fracture as the business and the individuals behind it mature and their skills improve.
