Unit 42, the cyber security research arm of U.S.-based cyber security company Palo Alto Networks, has identified a Pakistani hacking group they call the Gorgon Group that is engaged in both criminal and nation-state cyber activities.
Unit 42 researchers had been tracking a hacker called Subaat since 2017, and observed the individual engaged in attacking targets with other hackers that Unit 42 collectively calls the Gorgon Group.
The Gorgon Group conducts attacks against targets around the world, mostly for criminal purposes, but has been observed to quickly redirect its resources toward targeted attacks against governmental organisations in Russia, Spain, the United Kingdom, and the United States. The Gorgon Group relies mostly on social engineering techniques, such as phishing emails carrying attachments with titles like “Pakistan eying Sukhoi-35 figther planes as part of defense deal from Rusia” (note the misspellings of “fighter” and “Russia”). Once a victim opens the attachment, their computer and network are infected with malware.
Unit 42 notes that the Gorgon Group uses the same tools, infrastructure, and command and control methods for both its criminal activities and its targeted attacks, the latter of which could be carried out at the behest of a state sponsor. While Unit 42 suspects that members of the Gorgon Group are Pakistani (indeed, many of the Gorgon Group members self-identify as Pakistani), the researchers refrain from naming who the alleged state sponsor might be.
The operational security and sophistication of the Gorgon Group are not all that impressive, according to the researchers, but the group's effectiveness is noteworthy. This suggests that the Gorgon Group's victims may have been compromised because of poor cyber security capabilities and practices on their own part.
“Gorgon Group isn’t the first actor group we’ve witnessed dabble in both nation state level and criminal attacks. What makes Gorgon Group unique is that, despite the group’s operational security failures, they still remained particularly effective. Looking closer at the actors participating in Gorgon Group gave us a unique perspective into the inner workings of an attack… Leveraging the same infrastructure for targeted attacks and criminal enterprises made for an interesting cross-section of mixed intentions. Ultimately, this led us to the conclusion that several of Gorgon Group’s members have a nexus in Pakistan,” Unit 42 researchers said.