Full Report
Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks. "This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," the tech giant's cloud division said in its 11th
Analysis Summary
# Threat Actor: TRIPLESTRENGTH
## Attribution & Identity
**Identified By:** Google Cloud (via 11th Threat Horizons Report).
**Known Aliases and Associated Groups:** None explicitly named. The actor uses the RCRU64 ransomware-as-a-service (RaaS) offering, solicits partners for ransomware and blackmail operations in Telegram hacking channels, and advertises access to various cloud platforms to other threat actors.
## Activity Summary
TRIPLESTRENGTH is a financially motivated threat actor conducting a "trifecta" of malicious activities:
1. **Cryptocurrency Mining (Cryptojacking):** Hijacking cloud resources for illicit mining.
2. **Ransomware and Extortion:** Deploying ransomware primarily against on-premises systems.
3. **Access Brokering:** Selling access to compromised cloud environments.
**Recent Campaigns and Operations:**
* Engaged in cryptocurrency mining operations on hijacked cloud resources.
* Deployed ransomware, including a noted RCRU64 incident in May 2024.
* Advertised RCRU64 RaaS and sought partners for ransomware/blackmail operations on Telegram.
## Tactics, Techniques & Procedures
- **Initial Access (Cloud):** Stolen credentials and cookies, sometimes originating from Raccoon information stealer infection logs.
- **Account Takeover/Privilege Escalation:** Leveraging highly privileged accounts to invite attacker-controlled accounts as billing contacts on victim cloud projects to establish large compute resources for mining.
- **Execution (Cryptojacking):** Use of the `unMiner` application with the `unMineable` mining pool, targeting both CPU and GPU resources.
- **Execution (Ransomware):** Deployment of Phobos, RCRU64, and LokiLocker ransomware variants on on-premises systems.
- **Ransomware Chain (Example):** In a May 2024 RCRU64 incident, initial access was achieved via Remote Desktop Protocol (RDP), followed by lateral movement and antivirus evasion.
- **Lateral Movement:** Cited specifically in the RCRU64 incident chain, after the initial RDP access.
- **Antivirus (AV) Evasion:** Cited as one of the post-RDP compromise steps in the same incident.
- **MITRE ATT&CK IDs:** Not explicitly provided in the source text.
## Targeting
- **Sectors:** General victims targeted across cloud environments (for cryptojacking) and organizations with on-premises infrastructure (for ransomware).
- **Geography:** Not explicitly detailed, but targeting global cloud providers suggests broad geographic reach.
- **Victims (Cloud Platforms Targeted/Abused):** Google Cloud, Amazon Web Services (AWS), Microsoft Azure, Linode, OVHCloud, and Digital Ocean.
- **Victims (Ransomware):** On-premises systems compromised via RDP.
## Tools & Infrastructure
- **Malware Families Used:**
  - **Cryptojacking:** unMiner application, unMineable mining pool.
  - **Ransomware:** Phobos, RCRU64, LokiLocker.
- **Infrastructure (C2, Domains, IPs):**
  - Stolen access derived partly from Raccoon information stealer logs.
  - Communication/advertising channels: Telegram hacking channels (used to advertise RaaS and solicit partners).
## Implications
TRIPLESTRENGTH presents a dual threat model: opportunistic financial exploitation of poorly secured cloud environments through cryptojacking, and targeted destructive attacks (ransomware) aimed at non-cloud infrastructure. Their presence in RaaS communities suggests they may evolve their capabilities or act as enablers for other groups by selling cloud access.
## Mitigations
- **Cloud Security:** Review cloud configurations for unauthorized billing changes and monitor for the invitation of suspicious external billing contacts.
- **Credential Management:** Implement strict credential hygiene, especially protecting against information stolen by commodity stealers like Raccoon. Strong MFA enforcement is critical for *all* cloud access.
- **On-Premises Security:** Harden RDP access via network segmentation, strong passwords, and potentially limiting RDP exposure to the internet in favor of VPNs or identity-aware proxies.
- **Endpoint Defense:** Ensure endpoint detection and response (EDR) solutions are robust against common ransomware strains like Phobos and RCRU64, and monitor for evasion attempts.
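The billing-contact abuse described under Tactics, Techniques & Procedures and the corresponding cloud-monitoring mitigation above can be turned into a concrete detection. The following is an added example written for this summary, not code from Google Cloud or the Threat Horizons report: it scans simplified, constructed Cloud Audit Log-style records for `SetIamPolicy` calls that add a billing role on a billing account to a principal outside the organisation. The trusted domain, the placeholder billing account ID and the log records are all assumptions.

```python
import json

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own identity domain
BILLING_ROLES = {"roles/billing.admin", "roles/billing.user", "roles/billing.projectManager"}

# Constructed, simplified audit-log records (one JSON object per line); not real log data.
SAMPLE_LOG = """
{"protoPayload": {"methodName": "SetIamPolicy", "resourceName": "billingAccounts/PLACEHOLDER-1", "authenticationInfo": {"principalEmail": "finance@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/billing.user", "member": "user:dev@example.com"}]}}}}
{"protoPayload": {"methodName": "SetIamPolicy", "resourceName": "billingAccounts/PLACEHOLDER-1", "authenticationInfo": {"principalEmail": "owner@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/billing.admin", "member": "user:unknown-party@example.org"}]}}}}
{"protoPayload": {"methodName": "SetIamPolicy", "resourceName": "projects/PLACEHOLDER-PROJ", "authenticationInfo": {"principalEmail": "owner@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/viewer", "member": "user:auditor@example.org"}]}}}}
{"protoPayload": {"methodName": "SetIamPolicy", "resourceName": "billingAccounts/PLACEHOLDER-1", "authenticationInfo": {"principalEmail": "owner@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "REMOVE", "role": "roles/billing.admin", "member": "user:former@example.org"}]}}}}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(member):
    """True when the IAM member is outside TRUSTED_DOMAINS or is a public pseudo-member."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    ident = member.split(":", 1)[-1]  # drop the user:/group:/serviceAccount: prefix
    return ident.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS


def suspicious_billing_grants(entries):
    """Return (actor, member, role) for every ADD of a billing role on a billing
    account to an external principal: the billing-contact pattern attributed to TRIPLESTRENGTH."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if not payload.get("methodName", "").endswith("SetIamPolicy"):
            continue
        if not payload.get("resourceName", "").startswith("billingAccounts/"):
            continue  # project- or org-level policy changes are out of scope here
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            member = delta.get("member", "")
            if delta.get("action") == "ADD" and delta.get("role") in BILLING_ROLES and is_external(member):
                hits.append((actor, member, delta["role"]))
    return hits


if __name__ == "__main__":
    for actor, member, role in suspicious_billing_grants(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {actor} granted {role} on a billing account to external principal {member}")
```

Only the second record triggers an alert: an internal grant, a project-level grant and a role removal are all ignored. In production the actor field matters as much as the member, since the report notes the grants come from already-compromised, highly privileged accounts.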