Full Report
A joint operation between the Thai and Singapore police has resulted in the arrest of a man allegedly responsible for over 90 data extortion attacks worldwide
Analysis Summary
# Threat Actor: Unnamed Data Extortion Actor (Arrested in Thailand)
## Attribution & Identity
The actor is a 39-year-old man arrested in Thailand following a joint operation by the Royal Thai Police and the Singapore Police Force, supported by Group-IB.
**Known Aliases:** Altdos, Desorden, Ghostr, and 0mid16B.
**Associated Groups:** Described as one of "the most active cybercriminals in the Asia-Pacific since 2021."
## Activity Summary
The actor is responsible for over 90 data extortion attacks globally, including 65 incidents across the Asia-Pacific region, with other victims in the UK, US, Canada, and the Middle East. The primary goal was to exfiltrate databases containing personal data and demand payment to prevent disclosure. The actor was known on data leak forums and sold over 13TB of personal data on the dark web. He pressured victims by notifying the media and data protection regulators, publishing data on dark web forums, and contacting affected customers directly. Following the investigation into these activities, law enforcement arrested him and seized electronic devices and luxury goods allegedly purchased with illicit profits.
## Tactics, Techniques & Procedures
- **Initial Access/Exploitation:** Utilized SQL injection tools (specifically mentioning **sqlmap**) and exploited vulnerable **Remote Desktop Protocol (RDP)** servers.
- **Command & Control (C2):** Used a cracked version of the **Cobalt Strike** pentesting toolkit for server control.
- **Data Handling:** Focused on quickly exfiltrating data to rented cloud servers, with little observed lateral movement.
- **Extortion Method:** Primarily data exposure/extortion; occasionally encrypted victim databases.
- **Pressure Tactics:** Media notification, regulator notification, dark web posting, and direct customer emails/instant messages.
- **Evasion:** Changed aliases frequently to hinder investigation.
- [No specific MITRE ATT&CK IDs were mentioned in the article.]
## Targeting
- **Sectors:** Healthcare, retail, property investment, finance, hospitality, and insurance.
- **Geography:** Primarily Asia-Pacific (starting in Thailand), with secondary targets in the UK, US, Canada, and the Middle East (totaling over 90 incidents).
- **Victims:** Organizations across the mentioned sectors globally.
## Tools & Infrastructure
- **Malware families used:** Cracked version of **Cobalt Strike**.
- **Infrastructure:** Rented cloud servers for data exfiltration; utilized **sqlmap** tool.
- **URLs/IPs:** No specific URLs or IPs were provided in a format requiring defanging.
## Implications
This arrest removes a highly active and prolific data extortion threat actor, particularly impactful in the Asia-Pacific region since 2021. The case highlights the evolution of cybercriminal tactics beyond technical exploits to include sophisticated coercion, intimidation, and reputational threats aimed at securing ransom payments.
## Mitigations
- Harden RDP configurations and monitor for unauthorized access.
- Implement controls to detect and prevent SQL injection vulnerabilities.
- Monitor data leak forums and dark web marketplaces for organizational data.
- Review security practices concerning data exfiltration paths (e.g., unauthorized cloud storage use).
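The two technical intrusion vectors in this case (SQL injection probing with sqlmap, and password guessing against exposed RDP) both leave recognisable traces in logs that defenders already collect. The following Python script is an added illustration of the first three mitigations above and is not code from the article or from Group-IB; the access-log lines and Windows logon events it analyses are constructed for the example, and the thresholds (five RDP failures within 60 seconds) are assumptions to tune per environment. Event ID 4625 with logon type 10 is the standard Windows signal for a failed RemoteInteractive (RDP) logon.

```python
"""Added example: flag SQL-injection probing in web access logs and RDP
password-guessing bursts in Windows logon-failure events.
All sample log data below is constructed for this example, not real data."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format). 203.0.113.10 probes a
# query parameter with a scanner user-agent; 198.51.100.7 is a benign search
# containing an apostrophe, included to show the pattern does not fire on it.
ACCESS_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /product?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "GET /product?id=42%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.8 (https://sqlmap.org)"
203.0.113.10 - - [10/Mar/2025:12:00:03 +0000] "GET /product?id=42%20UNION%20SELECT%20NULL HTTP/1.1" 500 0 "-" "sqlmap/1.8 (https://sqlmap.org)"
198.51.100.7 - - [10/Mar/2025:12:00:04 +0000] "GET /search?q=o%27reilly HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed, simplified Windows logon events: 4625 = failed logon,
# 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
RDP_EVENTS = """\
2025-03-10T12:00:01Z EventID=4625 LogonType=10 SrcIP=203.0.113.55 User=administrator
2025-03-10T12:00:02Z EventID=4625 LogonType=10 SrcIP=203.0.113.55 User=admin
2025-03-10T12:00:03Z EventID=4625 LogonType=10 SrcIP=203.0.113.55 User=backup
2025-03-10T12:00:04Z EventID=4625 LogonType=10 SrcIP=203.0.113.55 User=sql
2025-03-10T12:00:05Z EventID=4625 LogonType=10 SrcIP=203.0.113.55 User=test
2025-03-10T12:00:06Z EventID=4625 LogonType=10 SrcIP=203.0.113.55 User=scan
2025-03-10T12:30:00Z EventID=4625 LogonType=10 SrcIP=192.0.2.20 User=alice
2025-03-10T12:30:09Z EventID=4624 LogonType=10 SrcIP=192.0.2.20 User=alice
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Injection primitives that rarely occur in legitimate query strings. A lone
# quote is deliberately NOT matched: it is far too common in real input.
SQLI_RE = re.compile(
    r"(?i)\b(?:union\s+(?:all\s+)?select\b|(?:and|or)\s+\d+\s*=\s*\d+"
    r"|sleep\s*\(|benchmark\s*\(|information_schema\b)"
)


def web_probe_sources(access_log: str) -> dict:
    """Return {source_ip: {signal: count}} for clients showing SQLi probing."""
    findings = defaultdict(Counter)
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        # Weak signal: the tool announces itself in the User-Agent header.
        if "sqlmap" in m["ua"].lower():
            findings[ip]["tool_user_agent"] += 1
        # Stronger signal: decode the request path, then look for SQL syntax.
        if SQLI_RE.search(unquote_plus(m["path"])):
            findings[ip]["sqli_pattern"] += 1
    return {ip: dict(c) for ip, c in findings.items() if c}


def rdp_bruteforce_sources(events: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Return {source_ip: peak_failures} for IPs with >= threshold failed RDP
    logons inside any sliding window of window_s seconds."""
    failures = defaultdict(list)
    for line in events.splitlines():
        if not line.strip():
            continue
        ts_str, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        if fields.get("EventID") != "4625" or fields.get("LogonType") != "10":
            continue
        failures[fields["SrcIP"]].append(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"))

    window = timedelta(seconds=window_s)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):           # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print("SQLi probing:", web_probe_sources(ACCESS_LOG))
    print("RDP guessing:", rdp_bruteforce_sources(RDP_EVENTS))
```

Two design points matter in practice. The user-agent match is only corroborating evidence, because that header is trivially changed; the decoded-path pattern is what carries the detection, and decoding before matching is essential since the probes arrive URL-encoded. For RDP, counting peak failures within a sliding window rather than a daily total keeps a single mistyped password (192.0.2.20 above) from alerting while still catching a burst of guesses against several account names.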