A group of cybercriminals, dubbed ‘Asylum Ambuscade’ by researchers, has been linked to both financially motivated attacks and advanced persistent threat (APT)-like espionage activities. While these attack sets were previously attributed to separate actors, analysis by ESET revealed they are in fact the work of a single entity. The group appears to straddle the line between the two motivations. It has been active since at least 2020 but remained unknown until March 2022, when Proofpoint detailed a campaign, presumed at the time to be APT activity, aimed at European government staff helping Ukrainian refugees ahead of Russia’s invasion. The attackers used spear-phishing to steal confidential information and webmail credentials from official government webmail portals.
At the same time, ESET researchers noticed a constellation of financially motivated cybercrime attacks targeting bank customers and cryptocurrency traders that had been active since January 2022. The researchers counted over 4,500 victims worldwide from the linked campaigns, mainly in North America but also in Asia, Africa, Europe, and South America.
The crimeware compromise chain observed was very similar to that of the cyber-espionage campaigns. The custom malware variants used, named SunSeed and AHKBOT, were the same, but the compromise vector in the financial attacks involved malicious Google Ads and redirection chains. According to ESET’s analysis, “the compromise chains are almost identical in all campaigns, and SunSeed and AHKBOT have been widely used for both cybercrime and cyberespionage. [We] don’t believe that SunSeed and AHKBOT are sold on the underground market.”
As a result, ESET determined that “Asylum Ambuscade is a cybercrime group that is doing some cyberespionage on the side [and] it appears to be branching out … against governments in Central Asia and Europe from time to time.” The group’s motivation is still unclear; it may be a hack-for-hire outfit, a state-sponsored actor, or merely self-driven opportunists. However, the fact that a cybercrime group is running dedicated cyber-espionage operations is unusual and warrants close tracking of Asylum Ambuscade activities.
Although it is uncommon for cybercrime groups to engage in cyber-espionage activities, this is not the first time that the worlds of cybercrime and cyber-espionage have blended. The infamous North Korean APT, Lazarus Group, carries out cryptojacking and other financial heists to help fund the regime in Pyongyang while simultaneously acting as a virulent cyber-espionage actor.
Researchers advise keeping a close eye on Asylum Ambuscade’s activities due to its unusual mix of cybercrime and cyber-espionage. By doing so, they hope to gain valuable insights into the group’s motivations, its targets, and how to defend against its attacks. As always, staying vigilant and up-to-date with the latest security solutions is essential in protecting organizations and individuals against cyber threats.