
The Intersection of Financial Heists and Cyber Espionage in the “Asylum Ambuscade” Cyberattack


Researchers Link Financially Motivated Attacks and Espionage Activities to Asylum Ambuscade Cybercrime Group

Security researchers have discovered a cybercrime group, active since at least 2020, that has been linked to both a series of financially motivated attacks and a set of advanced persistent threat (APT)-like espionage activities. According to an ESET analysis this week, the group, named Asylum Ambuscade, straddles the line between the two motivations. The researchers noted that the group’s activity sets were thought to be the work of two different actors, but they discovered that the crimeware compromise chain is very similar in all campaigns. The primary difference is the compromise vector the actors used, with financially motivated attacks primarily using malicious Google ads and redirection chains. In contrast, the espionage activities used spear-phishing campaigns to steal confidential information and webmail credentials from official government webmail portals.

Activities of Asylum Ambuscade

Asylum Ambuscade appears to have been behind a constellation of financially motivated cybercrime attacks that ESET has been following for some time. These attacks have targeted bank customers and cryptocurrency traders worldwide since January 2022. In that time, ESET has counted more than 4,500 victims of these linked campaigns worldwide, most of them in North America but also in Asia, Africa, Europe, and South America. Meanwhile, the cybersecurity firm Proofpoint reported in March 2022 that a group, presumed to be advanced persistent threat actors, had targeted European government staff involved in helping Ukrainian refugees ahead of the Russian invasion. This campaign used spear-phishing to steal confidential information and webmail credentials from official government webmail portals.

Cybersecurity Implications

The Asylum Ambuscade case highlights the growing trend of cybercriminals who use blended operations to achieve their objectives. Historical evidence shows that some hackers or hacker groups sometimes bridge gaps between criminal behavior and nation-state-led activities. While it is uncertain if the Asylum Ambuscade group is a self-driven opportunistic group, a professional hack-for-hire outfit or a state-sponsored actor, it is unusual to see a cybercrime group running dedicated cyberespionage campaigns. Therefore, security researchers should keep a close eye on Asylum Ambuscade’s activities, as the evolution and blending of attack motivations can pose even greater risks to organizations that may fall victim to its activities.

Protecting Against Asylum Ambuscade and Similar Advanced Threat Actors

Organizations must establish robust cybersecurity policies and procedures to either prevent or mitigate the impact of a cybersecurity event. One of the simplest ways to combat spear-phishing attacks is to introduce multi-factor authentication, so even if an attacker obtains a user’s password, they still would not be able to access their account without additional credentials. Deploying anti-malware, intrusion prevention, and detection systems should be a priority. Given that Asylum Ambuscade uses spray-and-pray style malicious Google ads and redirection chains to compromise their victims’ systems, employees should be educated on identifying and not clicking on unfamiliar links or ads.


The discovery of Asylum Ambuscade’s activities highlights the ever-evolving trend of cybercriminals blending cyber operations. These types of attacks pose a particular challenge to organizations since the threat actors are harder to trace and the motivation of the attacks can be highly variable. As such, it is imperative that organizations stay vigilant by putting in place robust cybersecurity strategies such as multi-factor authentication, intrusion prevention and detection systems, and a robust security awareness program that educates employees on identifying and avoiding potential threats.
