WEG MediaWiki

Difference between revisions of "DATE Europe Threat Actors"

m (Addition of groups)
m
Line 1: Line 1:
= Overview =
+
== Overview ==
  
 
There are a number of Trans-National criminal organizations operating within the region; some are also prevalent within wider Mainland Europe, including the Baltic countries, Poland and Donovia.
 
There are a number of Trans-National criminal organizations operating within the region; some are also prevalent within wider Mainland Europe, including the Baltic countries, Poland and Donovia.
  
== '''Atbrivosana/ATB''' ==
+
== Atbrivosana/ATB ==
 
ATB translates directly as "release" and is a cyber-criminal organization operating in every country in the Baltic region. Not associated with the Anonymous movement, they nonetheless use many of the same tactics using a veneer of anarchist political leanings. In truth, they are hackers-for-hire in the criminal world.
 
ATB translates directly as "release" and is a cyber-criminal organization operating in every country in the Baltic region. Not associated with the Anonymous movement, they nonetheless use many of the same tactics using a veneer of anarchist political leanings. In truth, they are hackers-for-hire in the criminal world.
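Review bot: the newer revision carries no edit summary (the header shows only "m"), yet this hunk changes the page's heading structure: `= Overview =` becomes `== Overview ==` and the bold markup is dropped from `== '''Atbrivosana/ATB''' ==`. Both changes are sound, since level-1 headings are reserved for the page title in MediaWiki and section headings are already rendered bold, but a one-line summary such as "normalize heading levels and drop bold from headings" would make the revision history searchable.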
  
Line 17: Line 17:
 
Cyber analysts agree that ATB is a small organization, working regionally in support of ZI, and does not go for high cyber targets. This being said, ATB has caused embarrassment to the security services, by being able to bypass, and hack around multiple system logs to grant access to buildings, clear customs, and even steal information.                                                                                                                   
 
Cyber analysts agree that ATB is a small organization, working regionally in support of ZI, and does not go for high cyber targets. This being said, ATB has caused embarrassment to the security services, by being able to bypass, and hack around multiple system logs to grant access to buildings, clear customs, and even steal information.                                                                                                                   
  
== '''Donovian Mafia''' ==
+
== Donovian Mafia ==
 
An extension of the Donovian Mafia in the Caucasus, their membership now includes some Torrikans. While openly proud of their Donovian heritage, the main victims of their activities are Donovian expatriates working and living in Bothnia. The Donovian Mafia specializes in prostitution, drug trafficking, financial crimes (illegal Bitcoin mining and money laundering), European smuggling, protection rackets, and extortion. Members greet each other as “moy va brat” (my brother). Non-members are never referred to with that title. Unlike the Torrike branch, the Donovian Mafia in Bothnia is a carefully structured Cosa Nostra–type family with specific rules about member activities and expectations of the organization. In 2016, Bothnian customs officials seized 54 kg of methamphetamines being smuggled from Bothnia to Donovia. The perpetrators were all known associates of the Donovian Mafia.          
 
An extension of the Donovian Mafia in the Caucasus, their membership now includes some Torrikans. While openly proud of their Donovian heritage, the main victims of their activities are Donovian expatriates working and living in Bothnia. The Donovian Mafia specializes in prostitution, drug trafficking, financial crimes (illegal Bitcoin mining and money laundering), European smuggling, protection rackets, and extortion. Members greet each other as “moy va brat” (my brother). Non-members are never referred to with that title. Unlike the Torrike branch, the Donovian Mafia in Bothnia is a carefully structured Cosa Nostra–type family with specific rules about member activities and expectations of the organization. In 2016, Bothnian customs officials seized 54 kg of methamphetamines being smuggled from Bothnia to Donovia. The perpetrators were all known associates of the Donovian Mafia.          
  
== '''Baltic Buddy''' ==
+
== Baltic Buddy ==
 
This is a transnational criminal organization which specializes in cyber theft, media manipulation, perception management through the Internet, and development and dissemination of “fake news”. Not as prolific as ATB, Baltic Buddy has been exceptionally successful at eluding location, arrest, and incarceration. They are known to have operatives in Estonia, Latvia, and Lithuania. They are suspected of having cells scattered throughout Europe using the dark web for communications. Funding also comes form illegal cryptocurrency mining, money laundering, and "Darknet"/"Dark Wallet" operations.
 
This is a transnational criminal organization which specializes in cyber theft, media manipulation, perception management through the Internet, and development and dissemination of “fake news”. Not as prolific as ATB, Baltic Buddy has been exceptionally successful at eluding location, arrest, and incarceration. They are known to have operatives in Estonia, Latvia, and Lithuania. They are suspected of having cells scattered throughout Europe using the dark web for communications. Funding also comes form illegal cryptocurrency mining, money laundering, and "Darknet"/"Dark Wallet" operations.
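Review bot: the unchanged context line in this hunk still reads "Funding also comes form illegal cryptocurrency mining"; since the heading directly above it is being touched anyway, "form" should be corrected to "from" in the same edit rather than left for a later pass. The heading changes themselves (`'''Donovian Mafia'''` and `'''Baltic Buddy'''` losing their bold markup) are consistent with the first hunk.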
  
Line 42: Line 42:
 
*Group 8: Conspiracy theories. Engineering of half-truth theories that cast shadows of doubts on the democratic governments of NATO and EU members.
 
*Group 8: Conspiracy theories. Engineering of half-truth theories that cast shadows of doubts on the democratic governments of NATO and EU members.
  
== '''Nutakus''' ==
+
== Nutakus ==
 
Olvanans in Nutaku tend to keep a very low profile while using low level criminals to conduct street work. Nutakus specialize in Asian smuggling and corruption of ship crews, stevedores at ports, local law enforcement officers, and judges. In the last ten years, the Nutakus in Bothnia have added counterfeiting and sale of false government papers (national identity cards, passports, customs inspections, etc). These are sold to smugglers and human traffickers as well as local criminals. A percentage of earnings are sent to Nutaku leadership in Olvana. 
 
Olvanans in Nutaku tend to keep a very low profile while using low level criminals to conduct street work. Nutakus specialize in Asian smuggling and corruption of ship crews, stevedores at ports, local law enforcement officers, and judges. In the last ten years, the Nutakus in Bothnia have added counterfeiting and sale of false government papers (national identity cards, passports, customs inspections, etc). These are sold to smugglers and human traffickers as well as local criminals. A percentage of earnings are sent to Nutaku leadership in Olvana. 
  
== '''Saints of Cognitio (SoC)''' ==
+
== Saints of Cognitio (SoC) ==
 
SoC is a transnational criminal organization with elements in Ariana, Atropia, Bothnia, and Donovia. SoC uses a variety of INFOWAR actions to right perceived wrongs as well as to raise revenue. Where effective INFOWAR capabilities were once limited to state actors, SoC is known to employ a combination of media manipulation and information activities, alongside computer warfare, to disrupt organizations—state or non-state—that it believes act outside of its own moral code. While their motivations are predominantly ethical, they are not averse to forming short-term alliances with other irregular actors to raise revenue or to achieve maximum effect. Their normal target is national police and security forces, government facilities and major corporations.
 
SoC is a transnational criminal organization with elements in Ariana, Atropia, Bothnia, and Donovia. SoC uses a variety of INFOWAR actions to right perceived wrongs as well as to raise revenue. Where effective INFOWAR capabilities were once limited to state actors, SoC is known to employ a combination of media manipulation and information activities, alongside computer warfare, to disrupt organizations—state or non-state—that it believes act outside of its own moral code. While their motivations are predominantly ethical, they are not averse to forming short-term alliances with other irregular actors to raise revenue or to achieve maximum effect. Their normal target is national police and security forces, government facilities and major corporations.
  
== '''Uber Cyber “Tree”,''' also known as '''“SPRUC_3”, “Spruce 3”, “3ntity”, and “Entity”''' ==
+
== Uber Cyber “Tree”, also known as “SPRUC_3”, “Spruce 3”, “3ntity”, and “Entity” ==
 
This is a decentralized Anonymous network of “Blackhat” hackers which is anti-NATO in political position. Spruce-3 is linked to numerous hackers throughout Europe.
 
This is a decentralized Anonymous network of “Blackhat” hackers which is anti-NATO in political position. Spruce-3 is linked to numerous hackers throughout Europe.
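Review bot: the context line under the new heading spells the group "Spruce-3" while the heading and every listed alias use "Spruce 3"; the alias spelling should be made consistent in the same edit. Separately, `== Uber Cyber “Tree”, also known as “SPRUC_3”, “Spruce 3”, “3ntity”, and “Entity” ==` packs five aliases into a section heading, which produces an unwieldy anchor; consider a short heading such as `== Uber Cyber “Tree” (Spruce 3) ==` with the remaining aliases stated in the first sentence of the section.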
  
Line 71: Line 71:
 
*Manipulation of AIS systems; software hijacking of freights and cruise liners; ability to hijack and control military UAVs
 
*Manipulation of AIS systems; software hijacking of freights and cruise liners; ability to hijack and control military UAVs
  
=='''Outlaw Motorcycle Gangs'''==
+
==Outlaw Motorcycle Gangs==
 
EUROPOL is especially concerned about the spread of outlaw motorcycle gangs into Europe from the U.S., Canada, and Australia. Since 2015, there has been steady growth in the membership of such gangs worldwide. In Europe, the number of clubs has more than doubled.
 
EUROPOL is especially concerned about the spread of outlaw motorcycle gangs into Europe from the U.S., Canada, and Australia. Since 2015, there has been steady growth in the membership of such gangs worldwide. In Europe, the number of clubs has more than doubled.
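Review bot: `==Outlaw Motorcycle Gangs==` omits the spaces inside the `==` markers that every other heading in this revision uses (`== Nutakus ==`, `== Baltic Buddy ==`); MediaWiki renders both forms identically, but for a consistent source suggest `== Outlaw Motorcycle Gangs ==`.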
  

Revision as of 17:19, 19 September 2018

Overview

There are a number of Trans-National criminal organizations operating within the region; some are also prevalent within wider Mainland Europe, including the Baltic countries, Poland and Donovia.

Atbrivosana/ATB

ATB translates directly as "release" and is a cyber-criminal organization operating in every country in the Baltic region. Not associated with the Anonymous movement, they nonetheless use many of the same tactics using a veneer of anarchist political leanings. In truth, they are hackers-for-hire in the criminal world.

Common tactics include ransomware, distributed denial of service (DDoS) attacks, introduction of malware (logic bombs, worms, viruses, etc.) into servers and individual computers, and defacing public websites. Emerging criminal areas include illegal cryptocurrency mining and associated money laundering, "Darknet" operations, and use of "Dark Wallets".

Additionally, ATB runs spear-phishing campaigns, brute-force hacking techniques, watering-hole attacks, man-in-the-middle attacks, drive-by downloads, spoofing attacks, rogue software (manipulating databases and changing access credentials), and falsification of information stored in cyberspace. ATB’s most successful efforts are the following:

  • Smuggled large quantities of cocaine and heroin from South America into Europe in 2015 by hacking into the Riga port systems and manipulating the unique 9-digit PIN assigned to every sea-going container. The group was then able to mark the containers as customs cleared.
  • Used financial Trojans to affect multiple systems across Europe.
  • Engaged in targeted intrusion attacks to steal data from large companies.
  • Targeted Latvijas Banka in a series of attacks, which resulted in a large amount of customer data being stolen.

They are not vocal concerning their desires and objectives, and normally assume a low profile even when successfully exploiting a bank system or spreading malware to target sensitive servers. They are suspected of having assisted Donovia in disinformation campaigns in the past. ATB has no allegiance to NATO or the Gulf of Bothnia Cooperation Council (GBCC) countries, but will work with them for the right price. ATB is directly linked to the Ziepiekkalns Izturiba (ZI) transnational criminal organization in Latvia and acts for self-benefit, as a provider of services, or even as an extension of a criminal network.

Cyber analysts agree that ATB is a small organization, working regionally in support of ZI, and does not go after high-profile cyber targets. This being said, ATB has caused embarrassment to the security services by being able to bypass and hack around multiple system logs to grant access to buildings, clear customs, and even steal information.

Donovian Mafia

An extension of the Donovian Mafia in the Caucasus, their membership now includes some Torrikans. While openly proud of their Donovian heritage, the main victims of their activities are Donovian expatriates working and living in Bothnia. The Donovian Mafia specializes in prostitution, drug trafficking, financial crimes (illegal Bitcoin mining and money laundering), European smuggling, protection rackets, and extortion. Members greet each other as “moy va brat” (my brother). Non-members are never referred to with that title. Unlike the Torrike branch, the Donovian Mafia in Bothnia is a carefully structured Cosa Nostra–type family with specific rules about member activities and expectations of the organization. In 2016, Bothnian customs officials seized 54 kg of methamphetamines being smuggled from Bothnia to Donovia. The perpetrators were all known associates of the Donovian Mafia.          

Baltic Buddy

This is a transnational criminal organization which specializes in cyber theft, media manipulation, perception management through the Internet, and development and dissemination of “fake news”. Not as prolific as ATB, Baltic Buddy has been exceptionally successful at eluding location, arrest, and incarceration. They are known to have operatives in Estonia, Latvia, and Lithuania. They are suspected of having cells scattered throughout Europe using the dark web for communications. Funding also comes from illegal cryptocurrency mining, money laundering, and "Darknet"/"Dark Wallet" operations.

BalticBuddy is a ‘hacktivist’ group that first appeared in the Baltic region in 2014. Its focus is leaking information, mass spamming, blogs, discussion forums, phishing for data, sensitive transmissions, and propaganda dissemination. They are clear supporters of keeping NATO and the EU out of the Baltic Sea Region. They have been very successful in targeting government systems and leaking sensitive and embarrassing documents, such as diplomatic cables. Unconfirmed open-source reporting indicates that BalticBuddy is composed of paid media specialists able to engineer stories and to prepare and deploy a cyber campaign. They appear less sophisticated than Spruce 3, as they were not able to completely mask their anonymity, as shown by the recent finding that the IP addresses leaking documents were mainly of Bothnian origin.

BalticBuddy methods of operation include:

  • Use third-party companies and individuals as ‘cyber trolls’ or “troll factories” to support an anti-NATO/EU propaganda media campaign, demonstrating professional command of the domain and the ability to generate the desired effects on the public.
  • Exploit NATO partners, both military and non-military, through server vulnerabilities to snoop and phish for sensitive data and communications that could cause international embarrassment and/or friction between NATO nations, such as exposing public scandals or financial assets.
  • Conduct mass spamming of social media.
  • Flood social media platforms with multiple accounts, leading discussions built on mass-generated fake news, reports, misinformation, twisted facts, and exploitation of NATO/EU mistakes.

Not much is known about the inner composition of Baltic Buddy’s network, but its web activity and the frequent changes in the quality of its writing and posts suggest a large number of members. Law enforcement analysts speculate that Baltic Buddy is run by an inner circle of Bothnian media specialists with enough resources to contract or establish third-party companies to serve as their massive troll-group branch, following a predefined information operations campaign.

A single troll factory typically employs 80 hackers maintaining around-the-clock operations. These are generally divided into eight groups, each with a specific focus.

  • Group 1: Online media. Monopolizing opinion and discrediting the information relayed by major national news networks.
  • Group 2: Social networks. Dissemination of tailor-made information on major social media platforms.
  • Group 3: Blogs/Forums. Harassment of opinion makers and troll-posting.
  • Group 4: Companies and industry. Influencing the market by targeting world retailers and spawning opinions against the target.
  • Group 5: Political parties. Generating wars of opinion between parties and candidates; promoting political warfare and general confusion.
  • Group 6: Major events. Manipulation of facts, promoting strategic outcomes and generating bandwagoning.
  • Group 7: Disinformation and fake news. Overt publication of alternative facts on locally and regionally owned news outlets.
  • Group 8: Conspiracy theories. Engineering of half-truth theories that cast shadows of doubts on the democratic governments of NATO and EU members.

Nutakus

Olvanans in Nutaku tend to keep a very low profile while using low-level criminals to conduct street work. Nutakus specialize in Asian smuggling and the corruption of ship crews, stevedores at ports, local law enforcement officers, and judges. In the last ten years, the Nutakus in Bothnia have added counterfeiting and sale of false government papers (national identity cards, passports, customs inspections, etc.). These are sold to smugglers and human traffickers as well as local criminals. A percentage of earnings is sent to Nutaku leadership in Olvana.

Saints of Cognitio (SoC)

SoC is a transnational criminal organization with elements in Ariana, Atropia, Bothnia, and Donovia. SoC uses a variety of INFOWAR actions to right perceived wrongs as well as to raise revenue. Where effective INFOWAR capabilities were once limited to state actors, SoC is known to employ a combination of media manipulation and information activities, alongside computer warfare, to disrupt organizations—state or non-state—that it believes act outside of its own moral code. While their motivations are predominantly ethical, they are not averse to forming short-term alliances with other irregular actors to raise revenue or to achieve maximum effect. Their normal target is national police and security forces, government facilities and major corporations.

Uber Cyber “Tree”, also known as “SPRUC_3”, “Spruce 3”, “3ntity”, and “Entity”

This is a decentralized Anonymous network of “Blackhat” hackers whose political position is anti-NATO. Spruce 3 is linked to numerous hackers throughout Europe.

Its criminal activity includes infiltration and exploitation of banking vulnerabilities, stealing large amounts of “virtual money” later converted into bitcoins, illegal cryptocurrency mining, money laundering, and "Dark Wallet" operations. The financing network and channeling of funds have not yet been identified. Spruce 3 successfully mounted a complex center of operations in the Onion Tor network (DeepWeb), using encrypted access to establish a secure communication network on the “darknet”.

Spruce 3’s motto is “The backbone of surprise is fusing speed with secrecy”. They act quickly and decisively against voices raised in support of NATO and the EU, or in protest of GBCC policies and agreements. Common internet users believe the myth that Spruce 3 sees all, acting as the sword of justice, cutting down all cyber unfairness towards Bothnian interests. The organization appears to be a decentralized, anonymous global network of ‘blackhat’ hackers pushing a Bothnian agenda. It is believed they are composed of extremely highly skilled individuals across all cyber subdomains, with university-level degrees and aged between 25 and 45. Recruitment and training happen in Arnish, Bothnian, and Torrikan universities and in conferences and workshops. Analysts have identified cryptographic and steganographic puzzles as a form of recruitment of like-minded people with enough technical knowledge to crack the puzzles.

Spruce 3 leadership is known as “3ntity”, or “Entity”. The “white-hat hacker” community agrees that Spruce 3 may be led by one individual, a series of individuals, or none at all. This means Spruce 3 may operate on orders given by a centralized third-party actor, either a state figure or a private group. There is no substantial information available regarding the organization of Spruce 3, beyond the high probability that it is a decentralized system of systems, possibly controlled by a state figure or a private group. Spruce 3 may have specialized nodes in different domains, responsible for new targets and tailor-made jobs. This organization acts worldwide and is believed to have members across the globe.

Spruce 3 appears to focus on offensive cyber capabilities, such as penetration tools, SCADA attacks, DDoS attacks, floods, and disruption of critical sewage, water, electrical and transport (SWET) systems. They have the knowledge and capability to exploit vulnerabilities in NATO AGS, AGS ground stations, and NAEW, and to attack NATO’s Mission Network. Spruce 3 may have tampered with avionics software, compromising the safety and efficiency of air missions. They also conduct anti-NATO/anti-EU disinformation campaigns.

Spruce 3 methods of operation include:

  • Organization and planning done through a series of VPNs possibly connected to the Onion and I2P networks, allowing for a high level of anonymous and difficult-to-trace activity
  • Disrupting SWET systems by injecting custom-made C2 protocols through malware
  • Standard cryptographic protocols to deliver C2 payloads
  • File deletions
  • File and directory
  • Credential manipulation
  • Multiband communications
  • Brute-force tactics
  • Exfiltration protocols
  • Manipulation of AIS systems; software hijacking of freighters and cruise liners; ability to hijack and control military UAVs

Outlaw Motorcycle Gangs

EUROPOL is especially concerned about the spread of outlaw motorcycle gangs into Europe from the U.S., Canada, and Australia. Since 2015, there has been steady growth in the membership of such gangs worldwide. In Europe, the number of clubs has more than doubled.

The main threat to public safety from outlaw motorcycle gangs stems from their propensity for extreme forms of violence. This includes the use of firearms and explosive devices such as grenades. In general, the use of intimidation and violence is intrinsic to the subculture of outlaw motorcycle gangs and serves to exert control over group members, rival gangs and others, such as victims of extortion.

Founded originally in the southeastern United States, Furnace is the largest and most dangerous group, and the only transnational biker gang in Bothnia. There are smaller gangs which are slowly being subsumed into Furnace after the ‘Nordic Biker Wars’ of the 1990s. The Furnace MC goal is to make Bothnia a “one patch country” where only the Furnace patch is allowed. This is a multi-racial gang, unlike most other clubs, which are organized along racial lines. Other large U.S. gangs are attempting to establish themselves in Bothnia, and several local gangs refuse to “patch over” to Furnace. This has led to violent encounters which have drawn national attention. Furnace MC in Bothnia specializes in local drug production (methamphetamines, ecstasy, etc.) and distribution, smuggling, extortion, and murder for hire. There are suspected cases of them working for the Donovian Mafia. Furnace MC is known to work closely with the Bocyowicz Crime Family (BCF) in Atropia. See DATE Caucasus for more information on BCF.

FURNACE MC define themselves as “the oven where trash is burned and steel is hardened”. Club colors are black and red. Full members wear a back patch of a flaming skull. The top rocker is the club name; the bottom rocker is the chapter location. The MC patch is on the right and the 1%er patch on the left. In Otso this is rendered “Yksi Prosentti”, the Otsan-language translation of One Percenter, or outlaw biker. The name “FLAMER” is the only name tag allowed on the front of a member’s colors unless he is the chapter president or enforcer. Prospects wear only the bottom rocker on the back and an embroidered name tag on the left front which says “BLASTER”. No other patches are allowed on a prospect’s colors.

Titles/Name tags:

  • “Breaker”. Chapter President.
  • “Blaster”. Prospective member, usually for a year or longer, who must “survive the blast”, or successfully complete all tasks assigned without question or concern.
  • “Flamer”. Full patch member.
  • “Destructor”. Club enforcer, a member who has killed for the club. A destructor is a special member function that ends the life of a competitor. The purpose of the destructor is to free up the resources of the victim and acquire them for the club.

Club tattoos are allowed only for full members. Anyone with these tattoos who is not a Furnace member (including Blasters) will be beaten, and the tattoo will be removed with a razor or burned off with a torch. All full members have the black flames on their right forearm. The flaming skull shown in the photo, on either the right or left shoulder, indicates a Destructor. Full members may have the back patch tattooed on their back. Flame representations may only be red or black. All clothing and accessories with Furnace emblems are considered club property and are kept when a member dies or leaves the club.

Retrieved from "http://odin.ttysg.us/mediawiki/index.php?title=DATE_Europe_Threat_Actors&oldid=13304"