“Achilles”, Hacker Behind Attacks on Military Shipbuilders, UNICEF & International Corporations

Updated: Oct 8, 2021

Executive Summary

  • Background: “Achilles” is an English-speaking threat actor primarily operating on various English-language underground hacking forums as well as through secure messengers. Achilles specializes in obtaining accesses to high-value corporate internal networks.

  • Verticals: Achilles' victims are primarily private-sector entities; however, the actor has also targeted public domains, government-affiliated companies, and international organizations. Targeted verticals include defense, energy, tourism, finance, real estate, and information technology.

  • Tactics, Techniques & Procedures (TTPs): Achilles usually relies on living-off-the-land (LotL) tactics and prefers to avoid external malware kits. Instead, they either compromise Remote Desktop Protocol (RDP) access or leverage stolen credentials to establish stable external Virtual Private Network (VPN) access into the victim's network. The actor usually obtains the initial foothold through password brute-forcing against the company's external portals and remote services. From there, the actor routinely works to broaden access, elevate privileges, and enumerate the network environment via Active Directory (AD). Both the RDP and the VPN access are then often sold by Achilles in the criminal underground.

  • Attribution: Achilles was likely also operating under the alias “the.Joker” on the now-defunct top-tier English-language darkweb forum “KickAss”, as an identical offer was posted under both aliases. The actor may be affiliated with the Iranian cybercrime scene; however, this association is supported only by secondary evidence.

  • Notable activities: On May 4, 2019, Achilles claimed to have access to the UNICEF network as well as the networks of several high-profile corporate entities. They were able to provide evidence of their presence within the UNICEF network and within two private-sector companies. It is noteworthy that they offered access to these networks at a relatively low price, between $2,000 and $5,000 USD.

  • Responsible Disclosure: AdvIntel is withholding the names of the affected entities for which Achilles provided sufficient evidence, pending threat remediation efforts. At the time of this writing, US law enforcement has been notified about the breach; one entity has been fully secured through the collective effort of its Cyber Threat Intelligence team and AdvIntel, and the second entity has been informed about the threat.
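The initial-access TTP described above (password brute-forcing against external portals and remote services, followed by use of the resulting RDP or VPN foothold) leaves a distinctive trace in authentication logs: a burst of failures from one source, sometimes spread across many accounts, followed by a success. The following is an added detection example written for this page; it is not AdvIntel's tooling and not tied to any specific product. The log line format, the sample lines, and the thresholds (five failures or four distinct accounts in a five-minute window) are constructed assumptions that would be tuned to a real portal's log format and baseline.

```python
"""
Flag brute-force, password-spraying and "success after failures" patterns
against an external portal/VPN from a simple authentication log.

Assumed line format (constructed for this example, not a real product's):
    <ISO timestamp> auth <OK|FAIL> user=<account> src=<ip>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.5 hammers one account and then gets in,
# 198.51.100.7 sprays one guess across several accounts, 192.0.2.9 is a
# user who mistyped once. All addresses are documentation ranges.
SAMPLE_LOG = """\
2019-04-02T10:00:01 auth FAIL user=j.smith src=203.0.113.5
2019-04-02T10:00:03 auth FAIL user=j.smith src=203.0.113.5
2019-04-02T10:00:06 auth FAIL user=j.smith src=203.0.113.5
2019-04-02T10:00:09 auth FAIL user=j.smith src=203.0.113.5
2019-04-02T10:00:12 auth FAIL user=j.smith src=203.0.113.5
2019-04-02T10:00:15 auth OK user=j.smith src=203.0.113.5
2019-04-02T10:05:00 auth FAIL user=a.jones src=198.51.100.7
2019-04-02T10:05:30 auth FAIL user=b.lee src=198.51.100.7
2019-04-02T10:06:00 auth FAIL user=c.wong src=198.51.100.7
2019-04-02T10:06:30 auth FAIL user=d.khan src=198.51.100.7
2019-04-02T10:30:00 auth FAIL user=m.brown src=192.0.2.9
2019-04-02T10:30:20 auth OK user=m.brown src=192.0.2.9
"""


def parse_log(text):
    """Parse lines in the assumed format into sorted event dicts; skip others."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_accounts=4):
    """Return (kind, src, detail) alerts, at most one per kind and source.

    brute_force:            >= fail_threshold failures from one src in the window
    password_spray:         failures against >= spray_accounts distinct accounts
                            from one src in the window
    success_after_failures: a successful login from a src with >= 3 recent failures
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures in window
    alerts, fired = [], set()

    def fire(kind, src, detail):
        if (kind, src) not in fired:
            fired.add((kind, src))
            alerts.append((kind, src, detail))

    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if e["ok"]:
            if len(q) >= 3:
                fire("success_after_failures", e["src"],
                     f"login as {e['user']} after {len(q)} failures")
            continue
        q.append((e["ts"], e["user"]))
        if len(q) >= fail_threshold:
            fire("brute_force", e["src"], f"{len(q)} failures within {window}")
        accounts = {u for _, u in q}
        if len(accounts) >= spray_accounts:
            fire("password_spray", e["src"],
                 f"{len(accounts)} distinct accounts within {window}")
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, src, detail in run_sample():
        print(f"{kind:24} {src:15} {detail}")
```

The "success after failures" rule is the one that matters most for the access-broker model described on this page: a single successful login from a source that just produced a run of failures is the moment the foothold is established and the point at which forcing MFA, blocking the source, or resetting the account interrupts the later AD enumeration and resale.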

Major Activities

The majority of Achilles' offers relate to breaches of multinational corporate networks via external VPN and compromised RDP. Targets include private companies and government organizations, primarily in the British Commonwealth. Achilles has been particularly active on forums over the last seven months, with spikes in activity in Fall 2018 and Spring 2019.

Through Fall 2018, the actor attempted to sell multiple compromised accesses, including the following:

  • UK Government domains DNS server access

  • Australian Capital Territory Government full staff database

  • Austal defense shipbuilder internal data

  • Unspecified oil company: RDP & network access

  • Information and credentials of employees of the following companies:

      • GoDaddy

      • DHL

      • Citrix

      • BBC

      • Facebook

Image 1: Achilles has a record of targeting governments or government-affiliated companies.

In April 2019, Achilles posted another set of high-profile offers on the English-language hacking forum l33t which included the following:

  • 600 GB of data from unspecified UK companies

  • RDP & network access for unspecified UK companies