Asylum Ambuscade: Crimeware or cyberespionage?
Asylum Ambuscade is a threat group that came under research scrutiny after it targeted European government personnel in late February 2022, just after the beginning of the Russia-Ukraine war.
During the intervening months, dozens of different threat actors have been caught by the security community attacking Ukrainian institutions and their allies. So what makes Asylum Ambuscade different from the others?
First, our investigation reveals that the group is engaged in both espionage and crimeware-related activities. Since March 2022, it has been spying on European diplomats, probably in order to steal confidential information related to the Russia-Ukraine war. At the same time, it has been compromising bank customers and cryptocurrency traders all around the world, including Canada and the United States. We noticed that the group is particularly interested in accessing cryptocurrency wallets stored on common coin exchanges.
Second, since the beginning of the war, not only did Asylum Ambuscade target Ukrainian institutions and their allies, but also individuals and local officials in Russia. Note that we believe that some members of the group are Russian speakers.
Third, the group goes after high-value espionage targets using a custom crimeware-like toolkit. This is very different from other groups operating in the same region such as the Dukes, Sandworm, or Turla, which run only cyberespionage campaigns.
In this presentation, we will describe the whole compromise chain, allowing us to link the group to past crimeware activities from 2020. We will also present an overview of the victimology and the TTPs of the group. Finally, we will discuss why a crimeware group could be engaged in espionage activities.