- Background: “Achilles” is an English-speaking threat actor primarily operating on various English-language underground hacking forums as well as through secure messengers. Achilles specializes in obtaining accesses to high-value corporate internal networks.
- Verticals: Achilles victims are primarily private sector entities; however, the actor also targeted public domains, government-affiliated companies, and international organizations. Targeted verticals include defense, energy, tourism, finance, real estate, and information technology.
- Tactics, Techniques & Procedures (TTPs): usually Achilles utilizes living-off-the land (LotL) tactics: the actor prefers to avoid using external malware kits. Instead, they either compromise a Remote Desktop Protocol (RDP) or leverage stolen credentials to establish stable and secure external Virtual Private Network (VPN) access into the victim’s network. The actor usually obtains the initial foothold via password bruteforcing targeting company external portal and remote services. Then, the actor routinely tries to access and elevate privileges and hunt network environments via Active Directory (AD). Both RDPs and VPN access to the network are then often sold by Achilles in the criminal underground.
- Attribution: Achilles was likely operating under the alias “the.Joker” on a now-defunct top-tier English-language darkweb forum “KickAss” as they made an identical offer using both aliases. The actor may be potentially affiliated with an Iranian cybercrime domain; however, this association may only be supported by secondary evidence.
Read more on Advanced Intelligence, LLC