Surge in 8Base Ransomware Operations Raises Questions of Connections to Phobos and RansomHouse
In June 2023, activity related to 8Base ransomware operations increased significantly, although the exact reason for this surge remains unknown. [1]
Messages listed on the group’s onion site indicate that it has been active since at least April 2022. The actor uses a double extortion technique: it exfiltrates and encrypts sensitive data, then threatens to publish the data if the ransom is not paid in time. 8Base has compromised organizations globally, spanning multiple sectors.
OSINT reporting shows similarities between 8Base and RansomHouse, another ransomware operation. The ransom notes used by both operations share a 99% similarity, indicating a strong connection. Furthermore, the language used on the 8Base leak site closely resembles that of RansomHouse, suggesting a potential link between the two groups.
There are also some differences between 8Base and RansomHouse. While RansomHouse openly advertises its partnerships and actively recruits for collaborations, 8Base does not engage in such practices. Moreover, the layout and structure of the 8Base leak site differ from those of the RansomHouse site, further distinguishing the two operations.
There are also parallels between 8Base and another ransomware group known as Phobos. Phobos used the file extension ".8base" for its encrypted files in the past. According to VMware, a “comparison of Phobos and the 8Base sample revealed that 8Base was using Phobos ransomware version 2.9.1”. Since Phobos was available as a ransomware-as-a-service (RaaS) offering, it is plausible that the actor modified the variant to their own needs.
It is yet to be determined if 8Base is a derivative of Phobos or RansomHouse.
SmugX: Chinese Cyber Threat Targeting European Governments
Check Point researchers revealed a targeted campaign by a Chinese threat actor against European governmental entities, particularly those focused on foreign and domestic policies. [2] The campaign has been active since December 2022 and primarily targets Eastern European countries such as the Czech Republic, Slovakia, and Hungary, as well as the UK.
The operation overlaps with the activities of other Chinese Advanced Persistent Threat (APT) actors, such as RedDelta and Mustang Panda, and is likely a continuation of previously reported activity.
The SmugX campaign uses new delivery methods, including HTML smuggling, to deploy a new variant of PlugX, a remote access trojan frequently linked to Chinese threat actors.
The lures used in the campaign are heavily focused on European domestic and foreign policies, with most of the documents containing diplomatic-related content. In several instances, the content was directly related to China and human rights issues in the country. The names of the archived files suggest that the intended victims were diplomats and public servants in these government organizations. The goal is almost certainly to acquire sensitive information on these countries' foreign policies.
CISA Issues Warning on DDoS Attacks Across U.S. Sectors, Allegedly Linked to Russian-Connected Group
On June 30th, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about ongoing distributed denial-of-service (DDoS) attacks targeting U.S. organizations across multiple sectors. [3]
The warning comes after several DDoS attacks claimed by Anonymous Sudan, a threat actor believed to be linked to Russia. The attacks have targeted both private and government organizations, taking their online portals offline.
Earlier in June, Killnet, Anonymous Sudan, and REvil announced plans to launch cyber-attacks on US and European banking systems in retaliation for continued support of Ukraine by Western allies. [4] In Europe, the European Investment Bank (EIB) was targeted by a Denial-of-Service attack, allegedly carried out by Russian hackers. [5] This attack led to the temporary unavailability of some EIB websites.
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: TAXII v1 Discovery services.
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
Appendix
[1] “8Base Ransomware: A Heavy Hitting Player,” VMware Security Blog, Jun. 28, 2023. https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html (accessed July 3, 2023).
[2] matthewsu, “SmugX: Unveiling a Chinese-Based APT Operation Targeting European Governmental Entities: Check Point Research Exposes a Shifting Trend,” Check Point Blog, Jul. 03, 2023. https://blog.checkpoint.com/securing-user-and-access/smugx-unveiling-a-chinese-based-apt-operation-targeting-european-governmental-entities-check-point-research-exposes-a-shifting-trend/ (accessed July 3, 2023).
[3] “DoS and DDoS Attacks against Multiple Sectors | CISA,” Jun. 30, 2023. https://www.cisa.gov/news-events/alerts/2023/06/30/dos-and-ddos-attacks-against-multiple-sectors (accessed July 2, 2023).
[4] vx-underground [@vxunderground], “Topor Live, a large Telegram-based news outlet based out of Russia, with over 3.9M followers, reported that REvil, Anonymous Sudan, and Killnet are going to take down the European banking system in 48 hours. Following this attack, Linus Torvalds will switch to Windows. https://t.co/i1CK2OtEpN,” Twitter, Jun. 14, 2023. https://twitter.com/vxunderground/status/1669034104619245587 (accessed July 2, 2023).
[5] G. Corfield, “European Investment Bank hit by cyber attack after Russian hackers vow to bring down financial system,” The Telegraph, Jun. 19, 2023. https://www.telegraph.co.uk/business/2023/06/19/european-investment-bank-cyber-attack-russian-hackers/ (accessed July 2, 2023).