Threat actors
Phishing can be a highly profitable enterprise. The number of malicious groups and individuals that use phishing tactics is unknowable — although it wouldn’t be unreasonable to assume the number measures in the thousands, and perhaps higher.
Despite the prevalence of phishing, certain malicious actors have achieved a degree of notoriety (and perhaps even infamy) for the innovative and effective methods they use. Here are three of the most high-profile examples.
The Lazarus Group
North Korea is often described as “the hermit kingdom,” where a combination of crushing international sanctions and a policy of isolationism has virtually cut the country off from the outside world. And yet the regime depends on foreign currency to fund the lifestyle of its hereditary leader, Kim Jong-Un, and its nuclear weapons program.
To obtain the funds it needs, the country has turned to cybercrime. The Lazarus Group is widely suspected to be the cyberwarfare wing of the North Korean government, and over the past decade, has performed devastating attacks against foreign financial services entities, cryptocurrency companies, and overseas adversaries of the regime.
The Lazarus Group is the suspected culprit behind the 2017 WannaCry ransomware outbreak. It has used phishing to deliver malicious documents to organizations in the defense and cryptocurrency sectors, letting the group steal funds as well as information useful to North Korea’s military.
Phishing, combined with the group’s sophisticated software engineering skills, allowed the Lazarus Group to steal an estimated $400 million in cryptocurrency in 2021 alone, with both private individuals and startups in its crosshairs.
Fancy Bear
Also known as APT28, Fancy Bear is a state-sponsored cyber espionage group believed to be part of Russia’s GRU, its military intelligence organization. Like the Lazarus Group, Fancy Bear relies heavily on phishing.
Its targets are predominantly those opposed to the Kremlin, including journalists, international organizations (such as the World Anti-Doping Agency), and foreign governments and militaries.
Guccifer 2.0
Unlike the original Guccifer, a Romanian man believed responsible for compromising the email accounts of several high-profile US political figures, Guccifer 2.0 is believed to be a persona operated by Russia’s GRU.
Guccifer 2.0 is most notable for its activities during the 2016 US presidential election, when it obtained access to the emails of the Democratic National Committee (DNC) and subsequently leaked their contents through WikiLeaks. Among the victims was John Podesta, chairman of Hillary Clinton’s presidential campaign.
The intrusion relied on phishing emails that impersonated Gmail and warned that the victim’s account credentials had been compromised and needed to be reset; the “reset” link led to a credential-harvesting page rather than to Google. Although the emails raised the suspicions of many recipients, including Podesta, the attack still succeeded. This was due in part to a mistake by a campaign tech employee, who described the message as “legitimate” when he meant to type “illegitimate.”
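The tells in a lure like the one above (a sender domain that is not the brand’s, urgent password-reset wording, and a reset link that points somewhere other than the brand’s own site) can be checked mechanically before anyone has to eyeball the message. The following triage script is an added illustration written for this page, not code from the page or from any of the groups it describes. The two sample messages are constructed, the brand-to-domain mapping and the list of link shorteners are assumptions for the demo, and the scoring rule (two or more findings means suspicious) is a placeholder a real pipeline would tune.

```python
"""Triage check for brand-impersonation phishing: a message that claims to
come from a brand (here Google/Gmail) and urges a password reset, but whose
sender domain or reset link does not belong to that brand.

Added example for this page; not code from the page or the actors it
describes. Sample messages, brand domains and shortener list are constructed
demo data (assumptions), not a production allowlist.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed brand -> legitimate domains (demo data; a real deployment keeps its own list).
BRAND_DOMAINS = {"google": {"google.com"}}
# Link shorteners that hide the real destination (assumed demo list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Wording typical of a credential-reset lure.
LURE_PHRASES = (
    "change your password",
    "reset your password",
    "someone has your password",
    "your account has been compromised",
)


class _LinkCollector(HTMLParser):
    """Collects every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def in_brand(host, brand):
    """True if host is the brand's domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def analyze(raw_message, brand="google"):
    """Return sender domain, extracted links, findings and a verdict."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower()

    collector = _LinkCollector()
    collector.feed(text)

    findings = []
    claims_brand = brand in display_name.lower() or brand in lowered
    if claims_brand and sender_domain and not in_brand(sender_domain, brand):
        findings.append(f"sender domain {sender_domain} is not a {brand} domain")
    if any(p in lowered for p in LURE_PHRASES):
        findings.append("password-reset lure wording")
    for link in collector.links:
        h = host_of(link)
        if h in SHORTENERS:
            findings.append(f"link hidden behind shortener {h}")
        elif claims_brand and not in_brand(h, brand):
            findings.append(f"link host {h} is not a {brand} domain")

    return {
        "sender_domain": sender_domain,
        "links": collector.links,
        "findings": findings,
        "suspicious": len(findings) >= 2,  # placeholder threshold
    }


# Constructed sample: a Gmail-style reset lure with a lookalike sender and a shortened link.
SAMPLE_PHISH = b"""From: Google <no-reply@accounts-google-security.com>
To: victim@example.com
Subject: Someone has your password
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi,</p>
<p>Someone just used your password to try to sign in to your Google Account.</p>
<p>You should change your password immediately.</p>
<p><a href="https://bit.ly/xxxx">CHANGE PASSWORD</a></p>
</body></html>
"""

# Constructed sample: a notice whose sender and link both sit on the brand's own domain.
SAMPLE_LEGIT = b"""From: Google <no-reply@accounts.google.com>
To: victim@example.com
Subject: Security alert
Content-Type: text/html; charset="utf-8"

<html><body><p>New sign-in on Windows.
<a href="https://myaccount.google.com/notifications">Check activity</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample))
```

The check deliberately inspects where the link actually goes rather than what the anchor text says, and treats a shortener as a finding in its own right because it denies the reader that information; a message that passes this filter can still be a phish (for example, one hosted on the brand’s own infrastructure), so it is a triage aid, not a verdict.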