Threat Group ‘Desorden’ Actively Targeting Asian Conglomerates

Summary

A confidential source has shared previously unknown details about the newly emerging threat actor group Desorden which is actively targeting Asian Conglomerates.

A confidential source has shared previously unknown details about the newly emerging threat actor group Desorden.

TLP: GREEN

About Desorden

  • In September 2021, a financially motivated threat actor group dubbed ‘Desorden started breaching Asian companies and sharing the breached data on a popular English language cybercrime forum.
  • The group’s first post on the forum was published on 30 September 2021. The post advertised the database of the Malaysian subsidiary of a global logistics company based in Hong Kong. The post included sample data, as proof of the group’s claims and credibility.
  • Since the first post, the group has consistently advertised the data of various Asian companies. As of January 2022 i.e. 4 months, since the group became active, they have shared the data of 10 companies.                                                                                                                  
Desorden victim profile
Desorden victim profile

 

Desorden Modus Operandi

A confidential source, directly in contact with the Desorden group, has shared information about the groups motives and their preferred Tactics, Techniques, and Procedures (TTPs).

Motives and Collaborations

  • Currently, the group has no interest in breaching former USSR or European countries.
  • The group carefully plans and selects their victims, which are primarily conglomerates in Asia that have high revenues.
  • They claim to be a ‘for-hire’ hacking group and do not identify as a ransomware group, despite operating like one.
  • The group is looking to recruit hackers who can exploit an organization’s vulnerabilities and build new scripts.
  • Desorden is engaged in deals with various ransomware groups that don’t focus on Asia. In what seems like an agreement to divide and conquer, Desorden sells vulnerabilities and accesses, to companies in Europe and North America, to ransomware groups that focus on those regions.

Tactics, Techniques, and Procedures (TTPs)

  • The group initiates an attack by first performing reconnaissance of the infrastructure and technologies used by the target organization.
  • Based on the recon, they develop custom Advanced Package Tool (APT) scripts to infiltrate the organization. The group also uses Python, PowerShell, and C#, based on their requirements.
  • The group doesn’t crypto-lock a victim’s data, like ransomware groups do. Instead, they exfiltrate sensitive information from the victim, and threaten to publicize the data if the company does not heed to their ransom demands.
  • The group purportedly works discreetly with the victims to collect the ransom.
    • If a victim pays the demanded ransom, they do not advertise the breach or the company’s data.
    • If a victim is initially unresponsive, they publicize the breach, without releasing their data, in an attempt to pressure the victim into paying the ransom.
    • However, if a company refuses to pay the ransom even after these attempts, they dump or sell their data on cybercrime forums.

 

Desorden’s Victim Profile

Since September 2021, Desorden has shared or advertised the databases of 10 high-revenue organizations operating or headquartered in Asia.

CountryNo. of VictimsVictim Profile
Singapore3
  • Recruitment Firm
  • Department Store
  • Cinema Chain

:

:

:

PII and login credentials

PII, NRIC details, login credentials

Not Available

Malaysia2
  • Logistics Company
  • Carrier Service

:

:

200 GB customer and partner data

Customer database

Thailand2
  • Hotel Chain
  • Restaurant Group

:

:

400 GB of PII, financial and corporate data

80 GB of PII, financial and transaction data

Taiwan1
  • Electronics Corp
:Employee info, list of vulnerable servers
Philippines1
  • Supermarket Chain
:300 GB database
India1
  • Electronics Corp
:60 GB of customer and corporate data

Table of Contents

Request an easy and customized demo for free