A sophisticated “hacker for hire” operation is using a strain of malware never before seen to target financial institutions in South East Asia. Discovered by BlackBerry and dubbed “CostaRicto”, the group is part of a growing trend towards outsourcing cybercrime.

BlackBerry says it has been monitoring CostaRicto for six months, witnessing the group deploy bespoke malware tooling and complex VPN proxy and SSH tunnelling capabilities for just about anyone who can afford its services.

“In this case, we see a lot of disparate targets from government, political, religious to standard business,” BlackBerry’s VP Research Operations Eric Milam told Which-50.

“This means the clients could range from nation state to competitor looking to gain access to IP or financial/personnel documentation.”

CostaRicto has targets all around the world, including Australia, but the biggest concentration appears to be in India, Bangladesh and Singapore, suggesting the group may have a South East Asian base. The victim profile is diverse, but a large portion are financial institutions.

Outsourcing espionage

BlackBerry says the group is using sophisticated attack methods similar to or more advanced than those of state-level actors, and has likely existed since at least 2017.

Milam says the outsourcing of cybercrime is being driven by the “layer of obfuscation” it creates for the client and attackers’ notoriety.

“These are probably known entities that are highly trained. I imagine it would be similar to the U.S. government outsourcing the build of a super-secret jet to Boeing.”

Mercenary groups offering advanced persistent threats are springing up around the world, according to BlackBerry, and are often so sophisticated as to resemble state sponsored campaigns.

While Australian organisations have been targeted by CostaRicto, BlackBerry has not shared its analysis directly with the government.

“We did not share directly with the Australian government at this time as the majority of what was found was in public domain. Additionally, there is still much work to do in order to ascertain an attribution. Normally when an attribution is viable, we will include governments to share knowledge.”
