Mercenary APTs – An Exploration

Mercenary advanced persistent threat (APT) groups, sometimes called “hackers-for-hire”, and dubbed private-sector offensive actors (PSOAs) by Microsoft, have become a significant part of the threat landscape in recent years. These ‘cyber soldiers of fortune’ have increasingly executed attack campaigns on behalf of clients, usually nation-states, that are looking for surveillance capabilities. Not all countries have the technical capability to launch their own attacks: many have the financial resources to pay someone who does.

Over the last decade, more than a dozen mercenary APT campaigns have been disclosed, ranging from highly sophisticated operations built on 0day exploit chains to low-skill but highly persistent phishing campaigns. Victims often include politicians, human rights activists, journalists, academics, embassy workers, and dissidents from around the world. They frequently target users of end-to-end encrypted (E2EE) messaging applications such as Signal, WhatsApp, and Telegram, which are adopted precisely to thwart traditional interception. The point worth stressing is that E2EE only protects messages in transit: once an implant is running on the handset, it reads the conversations after the app has decrypted them, so the encryption is bypassed rather than broken. A growing number of these mercenary APT campaigns are now also infiltrating enterprises to steal intellectual property and other sensitive information.

These campaigns are supported by a significant market for 0day exploits and for contract malware developers. As such, a nation-state that wants to begin a hacking campaign no longer needs in-house technical expertise; it only needs to be well-resourced. Further, although nation-state APTs have existed for decades, the capabilities that used to be uniquely associated with them are now more accessible than ever. Defenders did enjoy one modest advantage against nation-state APTs: because each state's interests are reasonably well understood, it was possible to predict which companies and sectors that state was most likely to attack.

If the threat landscape is evolving in the way these mercenary groups suggest, however, so that anyone with money can hire an intrusion campaign of any kind, even this minor advantage may have been lost.

Hackers For Hire – A Line-Up

In September 2021, the US Department of Justice announced that three former US intelligence community employees had agreed to pay $1.69 million and to be permanently barred from holding a security clearance, as part of a deferred prosecution agreement. The three men admitted to violating US export control and computer fraud laws by providing hacking services to the UAE government. They had worked for Project Raven, the codename for a clandestine unit inside DarkMatter, a UAE company that operated as an intelligence contractor for the UAE.

Project Raven used computer network exploitation (CNE) to compromise the accounts of human rights activists, journalists, and rival governments. Whilst engaged in Project Raven, the three men reportedly exploited US systems and exported hacking tools and services to a foreign government without the licence required from the US State Department's Directorate of Defense Trade Controls (DDTC). According to a Reuters investigation, the three are former US National Security Agency (NSA) employees and worked for DarkMatter in the UAE between January 2016 and November 2019. While there, they helped develop and deploy two iOS zero-click exploits, known as Karma and Karma 2, which were reportedly used against iPhones belonging to dissidents, reporters, and opposition politicians. The Department of Justice noted that the agreement was the first resolution of its kind for two types of criminal activity: providing unlicensed, export-controlled services in support of hacking campaigns, and a commercial company helping a foreign government gain unauthorised access to computers and networks worldwide, including in Qatar, Yemen, and the US. [1, 2]

In November 2020, BlackBerry researchers disclosed a new mercenary APT, dubbed CostaRicto. The group was targeting organisations around the world, predominantly in South and Southeast Asia (India, Bangladesh, and Singapore), with further victims in Africa, Europe, and the Americas. The victims span several verticals, with many in the financial sector. It is unclear where the hackers-for-hire themselves are located; because their targeting is concentrated in South Asia, the researchers consider it most likely that they are based there.

For many of its campaigns, CostaRicto uses spear-phishing to drop a custom backdoor, dubbed SombRAT, that has rarely been seen in the wild. The code suggests there are multiple versions, indicating the backdoor is adapted for different operations. The earliest compilation timestamps for SombRAT date back to 2017. The group has also compromised targets using stolen credentials, reportedly purchased on the darknet. [1, 2]

Active since 2016, a mercenary APT known as Bahamut (linked to WindShift) has run multiple highly targeted, ongoing campaigns against Android users in the Middle East. Individuals targeted by the group have typically been human rights activists, military officers, royal family members, diplomats, religious leaders, and business executives. Bahamut's targets have also been located in other parts of the world, such as the US. The group usually relies on malicious mobile applications distributed through legitimate app stores, masquerading as fitness trackers or password managers. Once a victim installs one, the app harvests contacts, messages, location data, and other personal information from the device, which can then be used for surveillance or to stage further attacks. [1, 2, 3]

In June 2020, researchers from Citizen Lab disclosed that thousands of individuals and hundreds of institutions had been targeted by a mercenary group known as DarkBasin. Targets included advocacy groups, journalists, and senior government officials, as well as hedge funds and other organisations from various sectors. The group mainly targeted American non-profits, especially those working on a campaign operating under the hashtag #ExxonKnew, which claims ExxonMobil hid information concerning climate change for decades. DarkBasin was also linked to phishing campaigns targeting net-neutrality advocates.

Further investigation into the group uncovered several ties to an Indian cybersecurity company, called BellTroX InfoTech Services, which subsequently disappeared once the investigation was made public. Analysis of DarkBasin’s phishing infrastructure, which used a custom URL shortener, revealed 28,000 additional URLs containing emails of targets. [1, 2]

In August 2020, Kaspersky researchers disclosed an unusual Russian-speaking mercenary APT group called DeathStalker (originally named Deceptikons). Unlike the other groups mentioned above, DeathStalker focuses primarily on law firms and financial institutions. These mercenaries are reportedly tasked with gathering sensitive business information in what appear to be corporate espionage campaigns. The group uses custom malware delivered in highly targeted spear-phishing emails. For command-and-control (C&C) communication the malware uses so-called dead drop resolvers: the operator posts an encoded C&C address on a legitimate, high-reputation website such as GitHub, Facebook, YouTube, Reddit, or Twitter, and the implant fetches that public content and parses the real server location out of it. Because the implant's first connection goes to a site that almost every network already allows, the traffic is camouflaged amongst legitimate browsing, much as a spy uses a physical dead drop to pass messages without meeting a handler. It also lets the operator move the C&C server simply by editing the post, without touching the implants. DeathStalker's victims are spread around the world in countries including the UK, Switzerland, the UAE, India, China, Taiwan, Israel, Lebanon, Jordan, Cyprus, Argentina, and Turkey. [1, 2]
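To make the dead-drop mechanism concrete, the following is an added Python example written for this article; it is not DeathStalker's code, and the encoding scheme (a base64 "host:port" string between "::" markers, inside an innocuous post) is an illustrative assumption, not the group's real format. It shows the operator side (hiding an endpoint in a post), the implant side (recovering it and rejecting posts that do not carry a valid endpoint), and the defender side (running the same parser over posts collected from a suspected dead-drop account). The sample posts are constructed for the example.

```python
import base64
import re
from typing import List, Optional, Tuple

# Illustrative dead-drop scheme (assumption for this example, not DeathStalker's
# real encoding): the operator hides "host:port" as base64 between two marker
# strings inside an innocuous public post; the implant fetches the post and
# parses the endpoint back out.
MARKER = "::"
_DROP_RE = re.compile(re.escape(MARKER) + r"([A-Za-z0-9+/]+={0,2})" + re.escape(MARKER))


def hide_c2(host: str, port: int) -> str:
    """Operator side: encode the C2 endpoint into a marker-delimited token."""
    token = base64.b64encode(f"{host}:{port}".encode("ascii")).decode("ascii")
    return f"{MARKER}{token}{MARKER}"


def resolve_dead_drop(post_text: str) -> Optional[Tuple[str, int]]:
    """Implant side: recover (host, port) from a post.

    Returns None when the post carries no token, the token is not valid
    base64, or the decoded text is not a plausible host:port pair, so a
    stray "::12::" in ordinary text does not send the implant anywhere.
    """
    match = _DROP_RE.search(post_text)
    if match is None:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    host, sep, port = decoded.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return host, int(port)


def scan_posts(posts: List[str]) -> List[Tuple[int, str, int]]:
    """Defender side: run the same parser over posts collected from a
    suspected dead-drop account and return (index, host, port) for every
    post that carries a decodable endpoint. Each hit is a C2 indicator."""
    hits = []
    for index, post in enumerate(posts):
        endpoint = resolve_dead_drop(post)
        if endpoint is not None:
            hits.append((index, endpoint[0], endpoint[1]))
    return hits


# Constructed sample posts for the example (not real operator content).
SAMPLE_POSTS = [
    "Great weekend hike, photos soon! #outdoors",
    "Throwback to last summer " + hide_c2("192.0.2.44", 8443) + " #tbt",
    "New recipe tonight ::bm90IGEgaG9zdA==:: wish me luck",   # valid base64, but not host:port
    "Moved house! " + hide_c2("cdn-updates.example", 443),     # operator rotated the C2
]

if __name__ == "__main__":
    for index, host, port in scan_posts(SAMPLE_POSTS):
        print(f"post {index}: C2 at {host}:{port}")
```

The defender's advantage here is that the drop is public: once one implant sample reveals the account and the parsing logic, the same parser turns the account's posting history into a timeline of C2 infrastructure, and the implant's fetch of that specific profile or page becomes a network indicator even though the destination domain is benign.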

Fig. 1 – Geographic targeting of known Mercenary APTs


While Mercenary APTs carry out the hacking for you, there are also a growing number of licensed companies selling malicious software. Intelligence agencies, law enforcement, and military units around the world are increasingly acquiring off-the-shelf hacking software, buying exploits for 0day vulnerabilities, and paying others to develop spying tools.

FinFisher, also known as FinSpy, is surveillance software created and distributed by Gamma International. The standard defence these companies routinely wheel out for their ethically dubious products is that the software is used to fight terrorism and organised crime. More often than not, however, their products end up being used against human rights defenders, journalists, lawyers, activists, and dissidents. Gamma International was breached in 2014 by an individual using the moniker Phineas Fisher, who stole and leaked a 40GB archive from Gamma International servers containing price lists, source code, invoices, and other private data. Phineas Fisher went on to breach Hacking Team, a competing spyware vendor, in 2015; that attack was far more damaging than the Gamma International breach, and Hacking Team never recovered and went out of business.

The attack on Hacking Team left a gap in the surveillance tool market from mid-2015 onwards, which Gamma International filled with its FinFisher spyware suite: its own breach had been less serious, and the firm was able to recover and operate in the vacuum Hacking Team left behind. The Phineas Fisher leaks confirmed what many had suspected about these commercial spyware developers: they were knowingly selling surveillance tools to authoritarian regimes, who used them to spy on civilians. [1, 2, 3]

Fig. 2 – Graphical User Interface of FinSpy (circa 2011)

In July 2021, Microsoft released new information regarding a private-sector offensive actor (PSOA) it tracks as Sourgum, which reportedly corresponds to an Israel-based company called Candiru. The actor has targeted more than 100 victims around the world, including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents, with a malware family called DevilsTongue. Approximately half of the victims were found in the Palestinian Authority, with others in Israel, Iran, Lebanon, Yemen, Spain (specifically Catalonia), the UK, Turkey, Armenia, and Singapore. The presence of victims in a country does not, however, indicate that an agency of that country is a Candiru customer, as cross-border targeting is common.

Candiru uses a chain of vulnerabilities in web browsers and Windows to install DevilsTongue, a modular, multi-threaded backdoor written in C and C++. It can steal credentials stored by web browsers such as Chrome and Firefox, and it decrypts and exfiltrates conversations from Signal, the E2EE messaging app, by reading them on the compromised endpoint. Attacks begin with a single-use URL sent to the target via a messaging application such as WhatsApp; because the link only fires once, researchers who obtain it later cannot simply re-trigger the chain for analysis. The actor has also weaponised two Windows 0day vulnerabilities, tracked as CVE-2021-31979 and CVE-2021-33771, to support delivery. Both are kernel privilege-escalation bugs: after the browser exploit gains code execution inside the renderer, they allow the attacker to escape the browser sandbox and run code in the kernel. Spy agencies in Uzbekistan, the UAE, and Saudi Arabia are among Candiru's alleged previous customers. [1, 2]

In August 2021, Citizen Lab disclosed that the infamous NSO Group, an Israeli spyware developer, was once again implicated in an unethical surveillance campaign. The latest Pegasus campaign targeted at least nine Bahraini activists, a French lawyer, and an Indian journalist via a new iOS exploit, dubbed FORCEDENTRY. It was a highly sophisticated zero-click exploit for a then-unpatched (0day) vulnerability in iMessage, meaning it could be triggered without the target opening the message or tapping anything at all.

NSO Group, however, allegedly does not carry out hacking itself; the campaign is attributed to a Pegasus customer and operator, dubbed LULU, which has been linked to the government of Bahrain. The technically impressive part of FORCEDENTRY is that it bypassed BlastDoor, a hardening measure Apple had recently introduced in iOS 14 to defend against exactly this class of attack: BlastDoor parses untrusted iMessage content inside a tightly sandboxed process, so that a bug in a media or message parser should not give the attacker access to the rest of the operating system (OS). Interestingly, four of the victims' phone numbers were present in the list of around 50,000 potential Pegasus targets obtained by Forbidden Stories and Amnesty International in July 2021. The leaked numbers belong to hundreds of business executives, religious figures, academics, NGO employees, union officials, and government officials. The leak also points to NSO Group clients in at least 11 countries, including Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the UAE. [1, 2]

Fig. 3 – Graphical User Interface of Pegasus spyware (circa 2012)

A Mercenary Future

Mercenary APTs, commercial spyware developers, and 0day brokers significantly lower the barrier to entry for launching advanced hacking campaigns. Technical expertise and a small army of highly skilled operators are no longer required; what is required is money, of which nation-states have a great deal. Capabilities that were previously out of reach can be bought as 0day exploits worth millions of dollars on grey and underground markets. Mercenary APTs develop bespoke malware, manage their own infrastructure, perform their own reconnaissance, and execute every phase of the intrusion on the client's behalf.

A mercenary APT's tactics, techniques, and procedures (TTPs) often resemble those of sophisticated state-sponsored campaigns, but the profiles and geography of their victims are far too diverse to align with any one state's interests. At the same time, a group whose business depends on staying in business must choose its targets carefully to avoid exposure and having its operations shut down, which partly explains why many go undetected for several years. Even notorious adversaries experienced in cyber-espionage can benefit from adding a layer of obfuscation to their campaigns: by using a mercenary group as a proxy, the real customer protects its identity and frustrates attribution.

Defending against this powerful threat can lead to so-called security nihilism, a mindset in which it seems that nothing can be done to prevent such sophisticated attacks. That conclusion is incorrect. Most of these campaigns still rely on victims making simple mistakes, such as clicking a link, opening a document, or leaving devices unpatched. As such, practising proper security awareness, using password managers and multi-factor authentication, keeping devices and applications updated, and investing in security software will frustrate attackers to the point that they move on to softer targets. The caveat is the zero-click exploit: FORCEDENTRY and Karma required no mistake from the victim, and no amount of awareness training helps against them. For users in that risk category the useful controls are different: installing OS security updates the day they ship, minimising the number of messaging apps and accounts exposed on the device, and periodically checking devices for known indicators with tools such as Amnesty International's Mobile Verification Toolkit.