Critical infrastructure, spanning sectors such as healthcare, energy, and transportation, has become a prime target for sophisticated non-state cybercriminal groups. These adversaries leverage advanced tactics, including ransomware attacks, initial access campaigns, and other disruptive techniques, to compromise essential services. Such attacks not only threaten operational continuity but also put public safety and national security at significant risk. As the frequency and complexity of these threats continue to grow, understanding the groups driving these campaigns and their underlying motivations has become essential for organizations aiming to bolster their defenses.
By identifying the key players, analyzing their tactics, techniques, and procedures (TTPs), and recognizing their objectives, organizations can craft more targeted and effective security strategies. Below is a detailed examination of five prominent non-state actor groups that pose significant threats to critical infrastructure.
LockBit
Overview:
LockBit operates as a Ransomware-as-a-Service (RaaS) organization. Its model recruits affiliates who carry out ransomware attacks using LockBit’s tools, in exchange for a share of the ransom. This decentralized approach allows the group to scale its operations and remain agile, making LockBit one of the most active ransomware groups globally.
Targeted Sectors:
LockBit has been implicated in attacks across numerous critical infrastructure sectors, including healthcare, energy, education, transportation, and government services. Its victims range from small businesses to multinational corporations.
Tactics and Techniques:
LockBit employs double extortion tactics, encrypting victim data while threatening to release sensitive information unless the ransom is paid. The group often exploits known vulnerabilities in unpatched systems and conducts phishing campaigns to gain initial access.
Motivations:
LockBit is driven primarily by financial gain. The group’s focus on critical infrastructure reflects a strategy to target entities likely to pay large ransoms due to the essential nature of their services.
Clop
Overview:
Clop is a ransomware group known for conducting high-profile attacks on critical infrastructure and exfiltrating sensitive data. The group is part of a larger cybercriminal ecosystem, often collaborating with other malicious actors to amplify its reach.
Targeted Sectors:
Clop has targeted healthcare, transportation, and education sectors. Its attacks on universities and healthcare providers have drawn significant attention due to the societal impact of these disruptions.
Tactics and Techniques:
Clop is known for exploiting vulnerabilities in third-party applications, such as file transfer services, to gain access to networks. Once inside, the group deploys ransomware to encrypt files and demands payment for their release. Clop also leaks sensitive information on dark web platforms to pressure victims.
Motivations:
Clop’s operations are financially motivated, with a focus on maximizing ransom payments. Their choice of targets reflects an understanding of the operational pressures on critical infrastructure organizations, making them more likely to comply with extortion demands.
Evil Corp
Overview:
Evil Corp is a notorious cybercriminal group with roots in the creation and distribution of Dridex malware. Over the years, the group has evolved its operations to include ransomware attacks and other financially motivated cybercrimes.
Targeted Sectors:
Evil Corp has attacked organizations in the healthcare, energy, and financial services sectors. Its focus on these industries is likely due to their reliance on uninterrupted operations, increasing the likelihood of ransom payments.
Tactics and Techniques:
The group specializes in phishing campaigns to distribute its malware, which is used to steal credentials and move laterally within networks. Evil Corp’s ransomware campaigns often target high-value systems, ensuring maximum disruption.
Motivations:
Evil Corp is primarily financially motivated. Their sophisticated operations and consistent targeting of critical infrastructure highlight a deliberate strategy to maximize profits while leveraging the importance of their victims’ services.
SCATTERED SPIDER
Overview:
SCATTERED SPIDER, a key member of the broader “The Community” (often referred to as “The Comm”), is a highly skilled cybercriminal group focused on advanced cybercrime activities. Their operations have disrupted numerous industries through data theft and system compromises.
Targeted Sectors:
SCATTERED SPIDER has targeted telecommunications, technology, and financial services, typically leveraging its access for financial gain; in doing so, the group has also damaged networks and caused downtime.
Tactics and Techniques:
The group employs social engineering tactics, including phishing and vishing, to gain access to credentials. They then use these credentials to infiltrate networks, exfiltrate sensitive data, and conduct disruptive attacks.
Motivations:
Financial gain drives SCATTERED SPIDER’s operations, but their methods suggest a secondary goal of gaining notoriety within the cybercriminal community. Their bold tactics indicate a willingness to take significant risks for high rewards.
The Comm
Overview:
The Comm, short for “The Community,” is an informal yet coordinated collective of cybercriminals involved in a range of activities, including ransomware attacks, data theft, and disruptive operations like swatting. The group has gained notoriety for its widespread impact and the audacity of its campaigns.
Targeted Sectors:
The Comm has been known to disrupt sectors such as education, public services, and private enterprises. Its swatting incidents and cyberattacks have caused widespread panic and operational disruptions.
Tactics and Techniques:
The group’s operations often involve exploiting social media platforms and communication tools to conduct harassment campaigns. They also leverage readily available tools and techniques to launch ransomware attacks and steal data.
Motivations:
The Comm’s motivations are multifaceted. Financial extortion is a primary driver, but their campaigns also aim to cause disruption and chaos, likely as a form of notoriety and entertainment for their members.
Non-state actor groups targeting critical infrastructure pose a multifaceted challenge for organizations responsible for delivering essential services. These groups, including high-profile adversaries like LockBit, Clop, Evil Corp, SCATTERED SPIDER, and The Comm, represent a spectrum of threats encompassing ransomware campaigns, sophisticated social engineering schemes, and highly disruptive cyberattacks. While financial gain remains their primary motivation, the ripple effects of their actions can extend far beyond monetary loss, jeopardizing public safety, national security, and economic stability. The potential to disrupt critical services such as healthcare, energy, transportation, and water supplies underscores the urgent need to address these threats.
Effectively countering these adversaries requires a deep understanding of their evolving tactics, techniques, and procedures (TTPs). Organizations must prioritize the integration of proactive cybersecurity measures into their operations. This includes investing in advanced threat intelligence capabilities to anticipate attacks, implementing comprehensive incident response plans to minimize damage, and maintaining continuous monitoring to detect anomalies in real time. By fostering a culture of vigilance and adaptability, organizations can bolster their resilience against the sophisticated and persistent threats posed by these cybercriminal groups.