Full Report
A new actor calling itself 0APT is causing a stir after launching a dark web leak site and listing a large number of major companies as victims, some of them genuine organisations and some fabricated names, which has triggered real incident responses at the companies named on the site. S-RM assesses that this actor is an impostor and that both the victim list and the data accompanying it are fake. The actor's motive is unknown, but two explanations remain plausible: a scam to extract payments from the alleged victims, or a scam aimed at cybercriminals who attempt to join the group. In either scenario, companies listed on the site should complete their due diligence to confirm that the posted data is fake, react proportionately, and avoid large-scale technical responses. S-RM's Cyber Threat Intelligence team responded to several requests to investigate the group; here we share the key outcomes of those investigations.
Analysis Summary
# Threat Actor: 0APT
## Attribution & Identity
**Identification:** A new threat actor group described as an "impostor."
**Aliases:** 0APT
**Known Associations:** Not explicitly associated with established threat groups, but operating as a potential fake Ransomware-as-a-Service (RaaS) operator.
## Activity Summary
0APT launched a dark web leak site and began posting lists of major companies, claiming them as victims. S-RM's investigations found that many, if not all, of the listed victims are fraudulent; one early listing was a fictional entity, "Metropolis City Municipal." The data packaged as proof of compromise consists of 'dummy' or 'null' data, content scraped from git repositories, or text likely generated by a Large Language Model (LLM). Crucially, there is no evidence of ransom notes being left in any victim network, and no proof of genuine data exfiltration.
## Tactics, Techniques & Procedures
- **Leak Site Operation:** Established a dark web leak site to announce victim names.
- **Data Presentation:** Posted 'proof' data, presented as 1% of the claimed stolen data, which on examination was fake, null, or LLM-generated content.
- **Infrastructure Instability:** The leak site suffered from intermittent disconnections and extremely slow download speeds, hindering full data validation by victims/vendors.
- **Lack of Classic Extortion:** No ransom notes were left inside any victim network; a genuine ransomware incident typically leaves one.
## Targeting
- **Sectors:** Claims to be targeting a wide array including major manufacturers, production facilities, hospitals and healthcare providers, ports and logistics, mining and extractives, and aeronautics and aviation.
- **Geography:** Not specified, but targeting global "major companies."
- **Victims:** Listed both genuine and fake large organizations. Investigations found evidence of fictional entities being listed initially.
## Tools & Infrastructure
- **Malware Families Used:** None explicitly identified as being utilized in a live breach scenario.
- **Infrastructure (C2, domains, IPs):** Operates a dark web leak site used to display victims and alleged proof data. Infrastructure appears deliberately slow or unstable to impede full validation of claimed data.
## Implications
The primary implication is that 0APT is likely an **impostor or scam operation**, not a functioning ransomware group.
1. **Scam Targeting Victims:** The listings are plausibly a scam designed to extract payments from panicked alleged victims who cannot quickly validate the posted data.
2. **Scam Targeting Cybercriminals:** The group appears to be operating a facade, advertising RaaS access for a fee (1 Bitcoin, approx. 59,000 EUR) to lure and potentially scam other cybercriminals looking to join or buy access.
3. **Resource Misallocation:** Genuine companies that appear on the site may spend significant resources on large-scale incident response before concluding that the threat is fake.
## Mitigations
- **Due Diligence:** Listed companies should promptly complete due diligence to establish whether the posted data is genuine, starting with whether any of it is specific to their organisation.
- **Proportional Response:** Companies should react with proportionality and avoid initiating large-scale technical responses based solely on the leak site's claims.
- **No Payment:** Do not pay any ransom, as there is no evidence the threat actor has obtained legitimate data.
- **No Communication:** Avoid initiating contact via the actor's designated contact page, as this may be used to pressure potential victims into payment.
- **Forensic Validation:** Engage third parties to download, scan, and unpack the proof data in an isolated environment and establish what it actually contains; expect this to take time given the site's slow and intermittent availability. Inform key stakeholders once the claim has been shown to be illegitimate.
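The checks described above, covering the kinds of filler the report found in the proof data (empty or null-filled files, material cloned from public git repositories, boilerplate repeated across files) and the validation step in the mitigations, as an added example rather than S-RM's own tooling. It walks an extracted sample and reports those signals alongside the question that decides the response: does anything in the dump reference the organisation named on the leak site? The organisation markers (internal domains, hostnames, project codenames) are a hypothetical input for your own environment, and the sample it builds is constructed to match the report's description, not real leak data.

```python
"""Triage an unpacked leak-site 'proof' sample for the signs of a fake.

Added example for this report; it is not S-RM's tooling, and the
organisation markers it takes as input are hypothetical. It walks an
extracted sample and counts what the report describes: empty or
null-filled files, material cloned from public git repositories,
identical boilerplate repeated across files, and whether anything at
all references the organisation that was named on the leak site.
"""
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

# A .git/config pointing at one of these hosts means the 'stolen' code was cloned from the public web.
PUBLIC_GIT_HOSTS = re.compile(r"github\.com|gitlab\.com|bitbucket\.org", re.I)
# Files that usually travel with a cloned open-source project rather than an internal file share.
REPO_BOILERPLATE = {"LICENSE", "CONTRIBUTING.md", "package.json", "setup.py", "Cargo.toml"}


def classify_file(rel: Path, data: bytes) -> str:
    """One label per file; order matters (an empty file under .git is still 'empty')."""
    if not data:
        return "empty"
    if data.count(0) == len(data):          # every byte is 0x00: padding, not a dump
        return "null_filled"
    if ".git" in rel.parts or rel.name in REPO_BOILERPLATE:
        return "git_artifact"
    return "content"


def triage_sample(root, org_markers):
    """Summarise an extracted sample rooted at `root`.

    org_markers: strings that only the named organisation's real data should
    contain (internal domains, hostnames, project codenames). Hypothetical input.
    """
    root = Path(root)
    counts = Counter()
    hashes = Counter()
    marker_hits = []
    public_remotes = 0
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        data = path.read_bytes()
        label = classify_file(rel, data)
        counts[label] += 1
        if label == "git_artifact" and rel.name == "config":
            if PUBLIC_GIT_HOSTS.search(data.decode("utf-8", "ignore")):
                public_remotes += 1
        if label == "content":
            hashes[hashlib.sha256(data).hexdigest()] += 1
            text = data.decode("utf-8", "ignore").lower()
            if any(m.lower() in text for m in org_markers):
                marker_hits.append(rel.as_posix())
    summary = {
        "files": sum(counts.values()),
        "empty": counts["empty"],
        "null_filled": counts["null_filled"],
        "git_artifact": counts["git_artifact"],
        "public_git_remotes": public_remotes,
        "content": counts["content"],
        "duplicate_content": counts["content"] - len(hashes),   # identical files beyond the first copy
        "org_marker_hits": marker_hits,
    }
    # No organisation-specific content supports the 'fake' assessment; any hit
    # needs a human to decide whether it is real and where it could have come from.
    summary["verdict"] = "no_org_specific_content" if not marker_hits else "needs_review"
    return summary


def build_constructed_sample(root) -> None:
    """Write a constructed sample shaped like the report's description (not real leak data)."""
    root = Path(root)
    files = {
        "payroll/2023.csv": b"",                                   # zero-length 'export'
        "db/backup.bin": b"\x00" * 4096,                           # null-filled 'database'
        "repo/.git/config": b'[remote "origin"]\n\turl = https://github.com/example/example.git\n',
        "repo/README.md": b"# Example\n\nA sample project.\n",
        "docs/a.txt": b"Confidential internal document. Prepared by the IT department.\n",
        "docs/b.txt": b"Confidential internal document. Prepared by the IT department.\n",  # same text again
        "docs/c.txt": b"Contact: helpdesk@acme.example\n",          # the only file naming the organisation
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo(org_markers=("acme.example",)):
    """Build the constructed sample in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return triage_sample(tmp, org_markers)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it against the directory the archive was unpacked into (`triage_sample("/path/to/sample", ["corp.internal", "PROJECT-CODENAME"])`) on an isolated analysis host, never on a workstation that has touched the download. A sample that is mostly null-filled, cloned public repositories and repeated boilerplate, with no marker hits, is consistent with what the report describes; a single marker hit does not prove a breach (a public web page or a previous, unrelated leak can name your domain), but it is the file an incident responder should look at first.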