“Achilles”, Hacker Behind Attacks on Military Shipbuilders, UNICEF & International Corporations
Updated: Sep 4, 2020
Background: “Achilles” is an English-speaking threat actor primarily operating on various English-language underground hacking forums as well as through secure messengers. Achilles specializes in obtaining access to high-value corporate internal networks.
Verticals: Achilles' victims are primarily private sector entities; however, the actor has also targeted public domains, government-affiliated companies, and international organizations. Targeted verticals include defense, energy, tourism, finance, real estate, and information technology.
Tactics, Techniques & Procedures (TTPs): Achilles usually uses living-off-the-land (LotL) tactics: the actor prefers to avoid using external malware kits. Instead, they either compromise Remote Desktop Protocol (RDP) access or leverage stolen credentials to establish stable and secure external Virtual Private Network (VPN) access into the victim's network. The actor usually obtains the initial foothold via password bruteforcing that targets the company's external portal and remote services. Then, the actor routinely tries to access and elevate privileges and hunt through network environments via Active Directory (AD). Both RDP and VPN access to the network are then often sold by Achilles in the criminal underground.
Attribution: Achilles was likely operating under the alias "the.Joker" on the now-defunct top-tier English-language darkweb forum “KickAss”, as they made an identical offer using both aliases. The actor may be affiliated with an Iranian cybercrime domain; however, this association may only be supported by secondary evidence.
Notable activities: On May 4, 2019, Achilles claimed to have access to the UNICEF network as well as the networks of several high-profile corporate entities. They were able to provide evidence of their presence within the UNICEF network and two private sector companies. It is noteworthy that they offered access to these networks at a relatively low price range of $5,000 USD to $2,000 USD.
Responsible Disclosure: AdvIntel keeps undisclosed the names of the affected entities for which Achilles provided sufficient evidence, due to a threat remediation effort. At the time of this writing, US law enforcement has been notified about the breach; one entity has been completely secured by the collective effort of its Cyber Threat Intelligence Team and AdvIntel, whereas the second entity has been informed about the threat.
The majority of Achilles' offers are related to breaches into multinational corporate networks via external VPN and compromised RDPs. Targets include private companies and government organizations, primarily in the British Commonwealth. Achilles has been particularly active on forums over the last seven months, with spikes in activity in Fall 2018 and Spring 2019.
Through Fall 2018, the actor attempted to sell multiple compromised accesses; they included the following entities:
UK Government domains DNS server access
Australian Capital Territory Government full staff database
Austal defense shipbuilder internal data
Unspecified oil company: RDP & network access
Information and credentials of employees of the following companies:
In April 2019, Achilles posted another set of high-profile offers on the English-language hacking forum l33t which included the following:
600 GB of data from unspecified UK companies
RDP & network access for unspecified UK companies
List of companies made through a private offer (see below)
The actor offered additional details and information regarding the names of the companies via personal messaging. They received positive reviews from other members of the criminal underground and insist on making deals through forum escrow for some of their sales, which has added to the actor’s credibility within the underground community.
The specific intentions of Achilles remain unclear as of yet. Partial evidence suggests that the actor may be related to an Iranian hacker operating under the alias "Mr.Xhat". According to Iran Cyber News, Mr.Xhat was responsible for multiple attacks in 2014. On January 6, 2014, they reportedly hacked the control panel website of the Tajikistan DNS registrar, domain[.]tj. This allowed the actor to control DNS records for many .tj websites, including Yahoo, Twitter, Google, and Amazon, and redirect requests to a defaced web page.
The likely use of password spraying, as well as several mentions of Citrix VPN systems by Achilles, may loosely suggest their potential association with the Iranian IRIDIUM hacker group. The group was identified as widely using “spray and pray” tactics and was allegedly responsible for breaching Citrix data in March 2019, a time when Achilles' activities on forums and on secure messengers sharply increased.
In addition, in October 2018, Achilles offered access to data from a defense shipbuilder on the l33t and KickAss forums. Additional evidence provided by Achilles suggests that the information was stolen from the Australian shipbuilder Austal. According to the Australian media, the Australian Cyber Security Centre (ACSC) attributed the breach of information to an Iranian-based hacker attack.
Finally, Achilles' daily activities and responses correlate with the timezone of Iran. When asked directly if it would be more convenient for them to speak Farsi instead of English, Achilles replied that “they need more trust for this”.
Overall, the allegations of Achilles being connected to Iranian cybercrime remain only partially justified.
Tactics, Techniques and Procedures (TTPs)
Achilles primarily uses Living-off-the-Land (LotL) tactics, in which an attacker relies on system tools such as legitimate native network administration software rather than an external malware toolkit or other methods.
Based on AdvIntel sensitive source intelligence, a typical Achilles attack against a corporate network starts with a search for an access point from which to carry out the LotL tactics. This can be either a Microsoft Remote Desktop Protocol (RDP) tool compromised by Achilles or login credentials for a corporate external VPN account. Then, the actor routinely tries to access and elevate privileges and hunt through network environments via Active Directory (AD), enumerating additional user accounts with privileged access.
After taking over an RDP, Achilles tends to keep the access and sell it as soon as possible using their underground accounts. If no external RDP is available, Achilles uses stolen credentials. They most likely obtain the external VPN perimeter credentials via bruteforcing, spearphishing and/or the use of botnet logs.
Achilles' main skill is tested after these credentials are received, as the actor needs to secretly preserve their presence in the system and escalate their access privileges. First, they enter the corporate VPN using the stolen credentials, then they advance to a VPN client home page, and only then proceed to an actual workstation. From there, Achilles can move laterally to other stations and networks.
Traditionally, Achilles tends to target network accesses which are not protected by a multifactor authentication security protocol.
AdvIntel began to actively track the actor in April 2019 due to their increasing presence on l33t and other underground forums. On May 4, 2019, Achilles stated that they could provide access to corporate networks including:
Hash Animation (hash[.]com)
Private entities: names undisclosed
Achilles claimed that these were secured accesses into corporate networks; specifically, they stated that the UNICEF breach alone provides access to 4 TB of data. The UNICEF access was priced at $4,000 USD; access to another victim, for which evidence was provided, was priced at $5,000 USD, although the price later dropped to $2,000 USD.
On May 15, 2019, Achilles stated that they have access to the following entities:
According to the hacker, Transat was breached on May 12 or May 13. However, they have not provided any evidence proving that they actually have access to these networks.
Conclusion: Recommendations & Mitigation
Based on sensitive source intelligence, evidence provided by the threat actor, their positive reputation within the underground community, as well as a record of previous sales, AdvIntel investigators assess with a high degree of confidence that Achilles is a credible threat actor who may attempt to escalate and advance their offensive activities against corporate entities and international organizations.
To mitigate this threat, AdvIntel provides the following possible mitigations and recommendations:
To prevent RDP exposure: monitoring and reviewing the network perimeter for externally exposed RDP servers might make it possible to identify any exposed servers.
To prevent password spraying and bruteforcing: using strong passwords for all accounts and monitoring the external VPN portal might allow identifying possible automated account enumeration.
To prevent the actor from maintaining a secure presence within the system: monitoring behavioral patterns, specifically activity by timezone and the use of third-party external VPNs, might allow detecting the actor's activity on the network.
To prevent access into the network: use a multifactor or 2FA security protocol, as this actor traditionally tries to avoid 2FA-protected networks.
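As an added illustration of the VPN portal monitoring recommended above (this is not AdvIntel's code), the following sketch flags password spraying in authentication logs and any account that then logs in successfully from the spraying source. The log format, function names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN portal log (assumed format):
# UTC timestamp, source IP, username, result
SAMPLE_LOG = """\
2019-05-12T01:00:05Z 203.0.113.7 alice FAIL
2019-05-12T01:00:41Z 203.0.113.7 bob FAIL
2019-05-12T01:01:12Z 203.0.113.7 carol FAIL
2019-05-12T01:01:50Z 203.0.113.7 dave FAIL
2019-05-12T01:02:30Z 203.0.113.7 erin OK
2019-05-12T08:15:00Z 198.51.100.20 frank FAIL
2019-05-12T08:15:20Z 198.51.100.20 frank FAIL
2019-05-12T08:15:45Z 198.51.100.20 frank OK
"""

def parse(log):
    """Yield (time, ip, user, result) tuples from the assumed log format."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_spray(log, min_users=4, window=timedelta(minutes=10)):
    """Flag source IPs that fail against many distinct accounts in a window.

    A user mistyping a password hits one account repeatedly; spraying hits
    many accounts a few times each. A later success from a flagged IP is
    reported as a likely compromised account.
    """
    failures = defaultdict(list)  # ip -> [(time, user)] of recent failures
    findings = {}
    for ts, ip, user, result in sorted(parse(log)):
        # Keep only this IP's failures that are still inside the window.
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        failures[ip] = recent
        if result == "FAIL":
            recent.append((ts, user))
        targets = {u for _, u in recent}
        if result == "FAIL" and len(targets) >= min_users:
            entry = findings.setdefault(ip, {"targets": set(), "compromised": set()})
            entry["targets"] |= targets
        elif result == "OK" and ip in findings:
            findings[ip]["compromised"].add(user)
    return {ip: {k: sorted(v) for k, v in f.items()} for ip, f in findings.items()}
```

Repeated failures against a single account, such as the second source in the sample, are deliberately not flagged; they belong to an ordinary lockout policy rather than to spray detection.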
AdvIntel notified US law enforcement regarding potential threats to US-based companies and organizations. We will keep monitoring and tracking the actor’s activities and will update our customers in a timely manner regarding any threats emerging from them.