Asylum Ambuscade: What do we know about the prolific cybercrime group?

Last updated:
Jul 10, 2023

Asylum Ambuscade is a cybercriminal group that has been operating since 2020. They have been particularly active in 2023, with attacks against some 4,500 separate targets recorded between January and June. Victims of their attacks range from private individuals to government entities.

Historically, Asylum Ambuscade have targeted cryptocurrency traders, small-to-medium businesses and individual bank-account holders through phishing. A malicious document or link delivered by email is used to deploy SUNSEED, a downloader written in Lua. SUNSEED then fetches a second stage, AHKBOT (written in AutoHotkey) or NODEBOT (a Node.js port of AHKBOT), which spies on the victim's machine through plugins such as screenshotters, password stealers and keyloggers.
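The chain above (lure document opened by a mail or Office client, a dropped script interpreter, a script-based second stage) leaves a recognisable footprint in process-creation telemetry even when the file names change. The following is an added hunting example, not code from the article or from the research teams it cites: it applies three generic heuristics (document viewer spawning a script interpreter; interpreter running from a user-writable directory; interpreter executing a script from such a directory) to constructed Sysmon-style events. The interpreter names, directory patterns and sample events are assumptions chosen for illustration and are not indicators taken from any report.

```python
"""
Process-creation hunting heuristic for a phishing -> script downloader ->
script bot delivery chain. Added example; field names, process names, paths
and the sample events are assumptions, not captured intrusion data.
"""
import ntpath
import re
from dataclasses import dataclass

# Interpreters a Lua downloader or AutoHotkey/Node.js bot needs on the host.
# Matched on the basename, case-insensitively, so renamed or relocated
# copies still count. The list is an assumption for this example.
SCRIPT_INTERPRETERS = re.compile(
    r"^(lua\d*|luajit|autohotkey(?:u\d+|a\d+)?|node|wscript|cscript|mshta|powershell)\.exe$",
    re.IGNORECASE,
)

# Parents that should not normally launch an interpreter: the document
# viewers and mail client through which a phishing lure is opened.
LURE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

# Directories a phishing payload can write to without elevation. Legitimate
# interpreters normally live under Program Files or the Windows directory.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcessEvent:
    event_id: int
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    event_id: int
    reason: str


def _basename(path: str) -> str:
    # ntpath handles backslash paths on any platform.
    return ntpath.basename(path).lower()


def evaluate(ev: ProcessEvent) -> list[Alert]:
    """Return zero or more alerts for a single process-creation event."""
    alerts: list[Alert] = []
    child = _basename(ev.image)
    parent = _basename(ev.parent_image)
    if not SCRIPT_INTERPRETERS.match(child):
        return alerts
    if parent in LURE_PARENTS:
        alerts.append(Alert(ev.event_id, f"{parent} spawned interpreter {child}"))
    if USER_WRITABLE.search(ev.image):
        alerts.append(Alert(ev.event_id, f"interpreter {child} running from user-writable path"))
    # A system-installed interpreter fed a script from a user-writable path is
    # the living-off-the-land variant of the same staging pattern.
    elif USER_WRITABLE.search(ev.command_line):
        alerts.append(Alert(ev.event_id, f"{child} executing script from user-writable path"))
    return alerts


def hunt(events) -> list[Alert]:
    """Run every event through the heuristics and collect the alerts."""
    return [a for ev in events for a in evaluate(ev)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # benign: a developer runs node from its install location
    ProcessEvent(1, r"C:\Windows\explorer.exe",
                 r"C:\Program Files\nodejs\node.exe",
                 r'"C:\Program Files\nodejs\node.exe" build.js'),
    # suspicious: Word launches a Lua interpreter dropped into the user's Temp
    ProcessEvent(2, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Users\alice\AppData\Local\Temp\lua54.exe",
                 r"lua54.exe C:\Users\alice\AppData\Local\Temp\stage1.lua"),
    # suspicious: an AutoHotkey build in ProgramData running a script
    ProcessEvent(3, r"C:\Windows\System32\cmd.exe",
                 r"C:\ProgramData\Updater\AutoHotkeyU64.exe",
                 r"AutoHotkeyU64.exe C:\ProgramData\Updater\core.ahk"),
    # benign: system PowerShell running a vendor script from Program Files
    ProcessEvent(4, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Program Files\Vendor\maint.ps1"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"event {alert.event_id}: {alert.reason}")
```

Events 2 and 3 trigger; events 1 and 4 do not. In production the same logic would run over a SIEM export rather than the inline list, and the parent and path lists would be tuned to the estate's actual software inventory to keep false positives down.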

It is currently unconfirmed how the group monetises the data it collects; they may be selling it to other malicious actors rather than stealing cryptocurrency directly.

This pattern of activity changed shortly after the invasion of Ukraine. In March 2022, Proofpoint reported the use of SUNSEED in a February phishing campaign against personnel in European government departments, sent from a compromised Ukrainian military email address. Proofpoint linked this activity to the threat actor TA445 (also tracked as UNC1151 or Ghostwriter), which Mandiant had attributed to Belarus with high confidence in 2021.

TA445 has also been linked to disinformation campaigns against NATO operations in Eastern Europe, political interference in the countries bordering Belarus, and anti-migrant narratives during the 2021 Belarus/EU border crisis.

Notably, when CERT-UA (the Computer Emergency Response Team of Ukraine) issued its warning about the February 2022 attack, it stated that those responsible were "officers of the Ministry of Defence of the Republic of Belarus".

The overlap in tooling and techniques, together with other technical indicators, suggests that Asylum Ambuscade and TA445 are closely linked or possibly the same entity, though this cannot be definitively proven. No member of either group has ever been apprehended.

Targeting for both economic gain and political effect is rare, largely because a broader target set raises a group's profile more quickly and draws more resources against it. In this respect Asylum Ambuscade are comparable to the Lazarus Group, a state-supported North Korean (DPRK) group.

Lazarus have been highly successful over the last decade. Their operations include multi-million-dollar virtual bank heists, though the realised profit is often reduced by the difficulty of laundering such sums. Notably, the group can afford to be far more brazen than most, as it is protected by the DPRK's refusal to extradite its own citizens or to co-operate with foreign governments. Such large thefts are also likely encouraged by the North Korean state as a way to mitigate the effects of sanctions, which have throttled the DPRK's economy since 2006. While multiple members of Lazarus have been indicted by the US Department of Justice, none are in US custody.

Relationship to Belarus: Plausible explanations

Asylum Ambuscade differ from the Lazarus Group, however, in that their relationship to their patron government is far less clear. Below are three plausible explanations of how this relationship may have developed:

1. They are independent and opportunistic

Asylum Ambuscade may still be independent and solely financially motivated, intending to profit from the invasion of Ukraine by offering their services to the Belarusian government as hackers-for-hire. They may also have recognised that conflict opens new opportunities for social engineering against government officials, prompting attacks on Western governments in order to steal valuable data.

2. They have always been a state asset

Asylum Ambuscade may have long been a state-sponsored proxy. Belarus, like the DPRK, has been heavily sanctioned since 2006 over domestic human rights abuses, so maintaining a for-profit group would be an attractive way to ease the burden of sanctions. The group could also be protected while on Belarusian soil, with any extradition requests denied. At the outbreak of the invasion, it is plausible that the Belarusian intelligence agency (KGB RB) recognised that Asylum Ambuscade's capabilities were valuable for espionage and quickly re-tasked them towards supporting the war.

3. They have been co-opted

Asylum Ambuscade may previously have been independent but tacitly allowed to operate from Belarus, since their disruption of Western targets would likely be viewed as tangentially beneficial. At the outbreak of war, it is plausible that the KGB RB identified a need to bolster its cyber capability quickly and sought to persuade or coerce Asylum Ambuscade into service. This would also explain why both espionage and for-profit operations have continued, with Asylum Ambuscade granted limited autonomy in exchange for supporting the government.

Of the three, the third scenario represents the highest risk to Ukraine and her allies, because it implies adversarial intelligence agencies absorbing further established cyber groups. While Russia almost certainly already influences domestic cyber actors, that connection is kept intentionally loose to reduce the risks of attribution, intelligence leaks and even compromise of state infrastructure.

There are currently no indicators of which scenario is most likely, which limits any reliable assessment of the group's future offensive actions. This uncertainty is particularly daunting given their wide target set, and it increases the importance of interagency and interstate co-operation in tackling the long-term threat from the group.

Overall, Asylum Ambuscade’s recent prevalence serves to highlight the potential for conflict to drive change in the cyber threat landscape, and the shared collateral risk to governments and businesses alike.
