Mercenary hacking groups offering Advanced Package Tools (APT) attacks are becoming more popular and their tactics, techniques and procedures can resemble highly sophisticated state-sponsored campaigns. 

Blackberry Research have documented the activity of a hackers-for-hire group, named as CostaRicto which has been monitored using new form of malware to target South Asian financial institutions and global entertainment companies.  The profiles and geography of their victims are very varied and so it is unlikely that this is just one hacking band and its likely that there are several different groups for hire.

Although in theory the customers of a mercenary APT might include anyone who can afford it, the more sophisticated actors will naturally choose to work with patrons of the highest profile, be it large organizations, influential individuals, or even governments.

Cyber criminals must choose very carefully when selecting their commissions to avoid the risk of being exposed. ​Outsourcing an espionage campaign, or part of it, to a mercenary group might be very compelling, especially to businesses and individuals who seek intelligence on their competition yet may not have the required tooling, infrastructure and experience to conduct an attack themselves. But even notorious adversaries experienced in cyber-espionage can benefit from adding a layer of indirection to their attacks. By using a mercenary as their proxy, the real attacker can better protect their identity and thwart attempts at attribution.


Unlike most of the state-sponsored APT actors, the CostaRicto adversary seems to be indiscriminate when it comes to the victims’ geography. Their targets are located in numerous countries across the globe with just a slight concentration in the South-Asian region. The list of other countries where victims were observed include China, the US, Bahamas, Australia, Mozambique, France, the Netherlands, Austria, Portugal and the Czech Republic.

Blackberry analysts noticed that one of the IP addresses employed in the attacks of the group has been linked to an earlier phishing campaign initially attributed to the Russia-linked APT28 group. This circumstance suggests that the Costaricto APT carried out attacks on behalf of other threat actors.

The victims’ profiles are diverse across several verticals, with a large portion being financial institutions. Like many of the other hacker-for-hire operations, this one appears to have been operational for at least many months, according to BlackBerry. While the earliest time stamps for the custom backdoor date to October of last year, the time stamps on the payload stagers, which date to 2017, could suggest a longer-running operation.

Source: Cyber Security Intelligence