Some might wonder where threat actors originate and where they learn their expertise. The ‘Community’, also referred to as ‘The Com’ or ‘The Comm’, is an online presence filled with individuals from diverse backgrounds, including gamers, hackers, and recreational users. Hundreds of individuals, if not more, take part in activities ranging from innocent meme-sharing to more sinister pursuits involving cybercrime and physical violence.
The Community’s Focus
While the interests of ‘The Com’ vary from member to member, its focus on cybercrime seems to be universal among all who engage. SIM swapping, a cyberattack carried out by tricking a mobile phone provider into switching activation to a new SIM card, has been proven to be historically connected to this community. Threat actors associated with the online presence have been seen using this form of identity theft not only to gain access to victims’ cryptocurrency accounts but also to conduct more sophisticated attacks involving social engineering to deliver ransomware to their victims’ mobile phones.
Outside of financial endeavors, ‘The Com’ has been flagged by the FBI for having an interest in the nationwide epidemic of swatting calls to schools. A swatting call is a hoax phone call placed to a school or university that causes a SWAT team to be deployed, similar to a false bomb or shooter threat. No matter the focus, it is important to note that the community of threat actors continues evolving, whether in the form of physical violence or cybercrime, and is home to some of the largest ransomware attacks ever seen.
In early 2023, the group announced they were affiliating with BlackCat/ALPHV, one of the most notorious ransomware groups. It is unclear if the group started with ‘The Com’ or if they emerged in a different light, but what is known is that they are affiliated now. Further analysis of attacks, such as the data breach that MGM fell victim to in 2023 when BlackCat and Scattered Spider combined their forces to breach $100 million in customer PII data, can be used to strengthen the evidence of the affiliation.
Threat Actors
At least fourteen threat actors got their start in this online community, with LAPSUS$, Star Fraud, RA Group, and Chuckling Squad being just a few. While the most notorious of the community have switched gears from SIM swap attacks to joining forces with BlackCat/ALPHV, some of the lesser-known actors are just as dangerous and enjoy wreaking havoc.
LAPSUS$, an international extortion-focused hacker group, has proven itself to be less professional than others by failing to honor its promises to destroy stolen data after ransomware attacks. Found to be of South American origin, the actor maintains a public profile, communicating via Telegram and email and leaving little unknown to the public. LAPSUS$ is known for gaining access to its victims’ networks via stolen credentials for remote desktop protocols. Common tactics, techniques, and procedures (TTPs) it uses include, but are not limited to, social engineering, credential harvesting, SIM swapping attacks, phishing, and extortion.
Star Fraud, otherwise known as Octo Tempest, UNC3944, Muddled Libra, or Scattered Spider, started out as a small, unorganized group of individuals engaging in SIM swapping attacks like their fellow community members. As of 2023, the group has evolved to target larger corporations such as MGM and their IT help desks, in attacks that leave victims struggling to regain control of their finances while tackling customer safety. Star Fraud actors are considered to be some of the best when it comes to carrying out social engineering campaigns, using multiple different TTPs, with IT help desk impersonation being the one they use most.
RA World, or RA Group, another ransomware threat actor, stemmed from the Babuk ransomware source code sometime in 2023 and typically targets the manufacturing and healthcare sectors. Causing maximum damage in its attacks while steering clear of detection, RA World began by choosing victims that resided in the United States and South Korea, but has since expanded to Germany, India, and Taiwan. While still using the Babuk payload, the group can move quickly to manipulate Group Policy Object (GPO) settings in the process of executing PowerShell scripts.
Chuckling Squad, the threat actors behind the infamous hack of the account of Jack Dorsey, CEO of X (formerly Twitter), made their first appearance in the cyber realm in 2019. Focusing on some less serious cyberattacks, mainly SIM swaps of celebrities, the threat actor group took over numerous X accounts before eight of their men were arrested in 2021 by the United Kingdom’s National Crime Agency. Since the arrest, not much is known of Chuckling Squad other than that they originated from ‘The Com’ and enjoy causing chaos in their attacks, hence the name.
The Future of ‘The Com’
While the FBI recognizes ‘The Com’ as a highly sophisticated community of interconnected threat actors, the gravity of their activities goes further than what we may ever know. The level of persistence and severity that some of these actors have achieved could only be strengthened by working as a group. As for the future of ‘The Com’, it is suspected that more ransomware attacks are in the works now that BlackCat is affiliated and more dangerous than ever. As generative AI (GenAI) rises in the cyberattack realm and gaps in security postures become more widely known, it will be interesting to see how the affiliated actors evolve to match future trends.