Full Report
How do you profile actors and defend your systems when multiple threat actors are working together? In Part 2, Cisco Talos proposes an extended Diamond Model to analyze complex relationships between attackers.
Analysis Summary
# Threat Actor: ToyMaker
## Attribution & Identity
ToyMaker is identified as a financially-motivated initial access (FIA) group. They operate by selling access they gain to other threat actors, specifically mentioning relationships with the Cactus ransomware group.
## Activity Summary
ToyMaker's primary documented activity involves gaining initial access to victim environments and then selling that access to established ransomware operators. In a specific campaign examined, ToyMaker provided initial access to the Cactus ransomware group, who then utilized compromised credentials gained from the first wave of attacks. This behavior mirrors historical patterns where groups providing initial access (like Maze and Egregor predecessors) sold access to subsequent ransomware deployment groups.
## Tactics, Techniques & Procedures
The article focuses less on low-level TTPs of ToyMaker and more on their *role* in the kill chain:
- Functioning as a financially-motivated initial access (FIA) group, i.e., an initial access broker.
- Selling access (handing off the intrusion chain) to ransomware groups like Cactus.
- Deployment of the 'LAGTOY' backdoor malware on victim systems to facilitate access transfer.
## Targeting
- Sectors: Not explicitly detailed, but implied to be organizations targeted by financially motivated ransomware groups.
- Geography: Not specified in the excerpt.
- Victims: Organizations targeted by precursor attacks leading to ransomware deployment by groups like Cactus.
## Tools & Infrastructure
- Malware families used: **LAGTOY** (a backdoor used to maintain access for handoff).
- Infrastructure (C2, domains, IPs): Not explicitly detailed in this excerpt.
## Implications
ToyMaker's activities exemplify the trend of "compartmentalized attack kill chains." Their involvement complicates attribution and threat modeling because defenders must account for multiple actors in a single intrusion (e.g., ToyMaker handing off to Cactus). Failure to identify ToyMaker's access points (like the LAGTOY backdoor) may lead to misattribution if defenders only focus on the secondary malware (Cactus tools). Their actions serve as a precursor to significant impacts like ransomware deployment.
## Mitigations
- **Focus on Initial Access Indicators:** Maintain vigilance and focus on indicators associated with initial access groups like ToyMaker, as these are precursors to major incidents.
- **Hunt for LAGTOY:** Security teams should actively hunt for the presence of the LAGTOY backdoor, as hosts infected with this tool are candidates for subsequent ransomware attacks by groups like Cactus.
- **Update Analytical Models:** Adopt analytical frameworks (like the proposed extended Diamond Model) that incorporate a "Relationship Layer" to accurately model and pivot analysis across actors involved in a single intrusion chain.
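To make the "Relationship Layer" idea concrete, the following is an added illustration (not Talos code, and not a reproduction of their proposed model): each actor keeps a classic four-vertex diamond (adversary, capability, infrastructure, victim), and a separate layer of directed actor-to-actor edges records handoffs such as "sells access to". The shape of that layer, the `sells_access_to` relation name, the victim label and the infrastructure placeholders are all assumptions made for the example; only ToyMaker, LAGTOY and Cactus come from the summary above. The pivot functions show the two things a defender wants from such a model: from an observed capability (LAGTOY) to the actors likely to follow it, and from one victim to the ordered chain of actors seen there.

```python
"""Extended Diamond Model with a relationship layer (added illustration, not Talos code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Diamond:
    """One classic Diamond Model event: adversary, capability, infrastructure, victim."""
    adversary: str
    capabilities: FrozenSet[str]
    infrastructure: FrozenSet[str]
    victim: str


@dataclass
class RelationshipLayer:
    """Diamonds keyed by adversary plus directed actor-to-actor edges (assumed layout)."""
    diamonds: Dict[str, Diamond] = field(default_factory=dict)
    edges: List[Tuple[str, str, str]] = field(default_factory=list)  # (src, relation, dst)

    def add(self, d: Diamond) -> None:
        self.diamonds[d.adversary] = d

    def relate(self, src: str, relation: str, dst: str) -> None:
        # Only actors that already have a diamond can be related; keeps the graph consistent.
        if src not in self.diamonds or dst not in self.diamonds:
            raise KeyError("both actors need a diamond before relating them")
        self.edges.append((src, relation, dst))

    def actors_using(self, capability: str) -> Set[str]:
        """Every actor whose diamond lists the given capability (e.g. a malware family)."""
        return {a for a, d in self.diamonds.items() if capability in d.capabilities}

    def downstream(self, actor: str) -> Set[str]:
        """Actors that receive something (access, credentials) from `actor`, transitively."""
        seen: Set[str] = set()
        stack = [actor]
        while stack:
            cur = stack.pop()
            for src, _, dst in self.edges:
                if src == cur and dst not in seen:
                    seen.add(dst)
                    stack.append(dst)
        return seen

    def pivot_from_capability(self, capability: str) -> Set[str]:
        """Hunting pivot: an observed capability -> every actor that may follow it."""
        result: Set[str] = set()
        for actor in self.actors_using(capability):
            result |= self.downstream(actor)
        return result

    def intrusion_chain(self, victim: str) -> List[str]:
        """Order the actors seen on one victim by the handoff edges between them."""
        actors = {a for a, d in self.diamonds.items() if d.victim == victim}
        # Kahn's topological sort over handoff edges restricted to this victim's actors.
        indeg = {a: 0 for a in actors}
        for src, _, dst in self.edges:
            if src in actors and dst in actors:
                indeg[dst] += 1
        order: List[str] = []
        ready = sorted(a for a, n in indeg.items() if n == 0)
        while ready:
            cur = ready.pop(0)
            order.append(cur)
            for src, _, dst in self.edges:
                if src == cur and dst in indeg:
                    indeg[dst] -= 1
                    if indeg[dst] == 0:
                        ready.append(dst)
        return order


def build_sample() -> RelationshipLayer:
    """Constructed sample: ToyMaker hands access to Cactus on one victim.

    Victim name and infrastructure values are placeholders, not indicators from the report.
    """
    g = RelationshipLayer()
    g.add(Diamond("ToyMaker", frozenset({"LAGTOY"}),
                  frozenset({"<toymaker-infra-placeholder>"}), "victim-org-A"))
    g.add(Diamond("Cactus", frozenset({"Cactus ransomware"}),
                  frozenset({"<cactus-infra-placeholder>"}), "victim-org-A"))
    g.relate("ToyMaker", "sells_access_to", "Cactus")
    return g


if __name__ == "__main__":
    g = build_sample()
    print(g.pivot_from_capability("LAGTOY"))   # {'Cactus'}
    print(g.intrusion_chain("victim-org-A"))   # ['ToyMaker', 'Cactus']
```

The point of keeping the edges outside the diamonds is that a LAGTOY sighting on a host can be pivoted to "Cactus may be next" without merging the two actors into one adversary vertex, which is exactly the misattribution the summary warns about when only the secondary malware is examined.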