‘Cyber-merc’ outfit claims to have police insiders

A new cybercriminal gang that offers its services for as little as 15 euros claims to have contacts within law enforcement agencies across Europe, according to a report by Cyberint.

Atlas Intelligence Group, also known as the Atlantis Cyber Army, made the startling assertion on its dedicated forum on the Telegram messaging app, which has already garnered thousands of followers.

“Hello everyone, we add a new service to this market,” reads one advert observed by Cyberint. “With our connection in some police station [giving access to a police database in Germany] we can check and search peoples personally [sic] information.”

It is what Cyberint says is one of several alarming posts by Atlas “claiming they have connections with people across several law enforcement entities in Europe that can deliversensitive information about certain individuals exclusively.”

“This capability is impressive – not just because of the potential information that might be obtained, but also because it shows how deep the group goes as they are committed to their crime organization not only in the cyber realm,” said Cyberint.

Screenshot taken by Cyberint of Atlas claiming to have a police insider with access to data.
Screenshot image from Cyberint featuring Atlas 'advert'.

Dirty work

As well as being apparently well-connected, Atlas is versatile. Its services start from leaked – mostly government-related – databases selling at 15 euros apiece and distributed-denial-of-service attacks for 20 euros a victim, ranging up to more than $1,000 for hacked control panels and initial access to larger-scale targets such as corporations.

Much of this “dirty work” is done by “cyber mercenaries” contracted by Atlas, which never reveals the true identity of the threat actors at the heart of its operation.

“What makes this group unique compared to all the other groups we have seen lately, is therecruiting of cyber-mercenaries to do specific jobs as a part of bigger campaigns that are known only to the admins,” said Cyberint.

“When observing most threat groups, the pattern is clear,” it added. “The groups often recruit individuals with certain capabilities that they will have to reuse, and everyone gets involved in the campaign.” By contrast, Atlas is thinking “out of the box” and apparently only the gang’s ringleaders have access to full knowledge of its criminal enterprises.

Cyberint cited as an example another advert, this time for recruitment of a spear phisher with university-level knowledge of psychology – presumably to serve as an expert in the social engineering techniques required to get such scams to work. But the post gives away very little details about who is doing the hiring.

“This technique creates segregation between the participants and keeps everyone that does the ‘dirty work’ in the dark,” said Cyberint. “Applying this technique enables a high level of operational security for the operators and helps them avoid ongoing relationships with other threat actors.”

It added: “This is not an ordinary threat group, both in the way they behave and the way they manage their campaigns.”

Screenshot of Atlas asking for details of London police.

We’re hiring!

To facilitate its recruitment of hired cyber crooks, Atlas uses three channels on Telegram, a messaging app popular with hacktivists, black-hat hackers, and the like.

“The most interesting one is the channel in which the leader and the admins publish the contracts and the subscribers have the opportunity to offer their services,” said Cyberint. “This channel serves the group in finding red teamers, social engineers, malware developers, and information on certain individuals.”

One example of the latter type of request is a post on Telegram that reads: “To all from UK [...] if someone has a connection to a police officer in London and can check his address am ready to pay for it.”

The author is said to be Mr Eagle, thought by Cyberint to be the mastermind of the new cybercriminal enterprise, which also shares “exploit kits” and malware source codes to enable hirelings to complete their nefarious tasks.

Eagle-eyed mastermind

Another channel is used to dox or “out” scammers and – in a bizarre twist – pedophiles by revealing their personal information, as well as to post updates about upcoming cybercriminal campaigns. The doxing of other crooks apparently signifies that Mr Eagle is punctilious about protecting his “guys” from being conned themselves, perhaps explaining the loyalty of his followers.

Describing him as “a unique individual,” Cyberint said: “The leader of the group seems to be a very mature and professional figure, as his decisions and behavior are purely logical with no room for errors. Mr Eagle tends to have very strict rules, including banning scammers and other threat actors that try to advertise their products. It seems that Mr Eagle maintains very high reliability among the group’s followers.”

The high degree of professionalism suggests that the core threat actors behind Atlas previously worked for or with other cybercriminal gangs, before setting up for themselves. Cyberint added that its research had uncovered a possible link between Atlas and DDosArmy, another group.

Atlas is not thought to be targeting a specific country or type of organization, but “operates worldwide, pursuing whatever campaign will be the most beneficial.” Warning that the gang’s pool of mercenaries is growing daily, Cyberint added that it was probably “just a matter of time” before it gets into the ransomware sector as well.