| Ikaruz Red Team | |
|---|---|
| Location | Turkey |
| Date of Initial Activity | 2004 |
| Suspected attribution | Hacktivist group |
| Government Affiliation | Unknown |
| Associated Groups | Turk Hack Team, PHEDS |
| Motivation | Hacktivism |
| Associated tools | LockBit ransomware (modified variants, including LockBit 3.0) |
| Software | Windows, Linux |
Overview
Ikaruz Red Team (IRT) is a politically motivated hacktivist group that has come to prominence since 2023. It primarily targets organizations in the Philippines with ransomware and other disruptive techniques, using the attacks to draw attention to its political causes. Its activity is notable for a focus on high-profile breaches and for co-opting official imagery and branding to lend its actions a veneer of legitimacy.
IRT's recent campaigns have used leaked ransomware builders, notably the LockBit 3.0 builder, to attack Philippine entities. These ransomware deployments are not financially motivated: they are intended to cause disruption and publicize political grievances. The group's tactics also include website defacements and small-scale Distributed Denial of Service (DDoS) attacks, and it targets both government and private-sector organizations to maximize impact.
The group's attacks are part of a broader wave of politically driven hacktivist activity in the region. IRT's affiliation with other hacktivist collectives, such as Turk Hack Team and Anka Underground, underscores its place in that landscape, and the shared tactics across these groups suggest a coordinated effort to undermine regional stability against the backdrop of rising tensions in the Indo-Pacific.
One of IRT's notable strategies is to co-opt the imagery and branding of official government cybersecurity initiatives, such as the Hack4Gov challenge. Hiding malicious activity behind official-looking logos both mocks the government's efforts and raises the visibility of the attacks while sowing confusion. By using these elements in its defacements and social media profiles, IRT blurs the line between legitimate cybersecurity efforts and its own disruptive activity.
Common targets
The targets of the Ikaruz Red Team (IRT) are primarily organizations in the Philippines, across the following categories:
Government Agencies: IRT has targeted various Philippine government departments and agencies. Notable examples include the Department of Science & Technology and the National Privacy Commission.
Private Sector Organizations: The group has also attacked private companies in the Philippines, typically through ransomware deployment and data leaks.
Cybersecurity and Government Initiatives: IRT has targeted official cybersecurity initiatives and government-sponsored events, such as the Hack4Gov challenge organized by the Philippine Department of Information and Communications Technology (DICT), and has co-opted their imagery and branding to raise the visibility of its attacks.
Critical Infrastructure: The attacks extend to critical infrastructure entities essential to the country's economy and public services, including the technology and communications sectors.
Attack Vectors
Phishing
Ransomware
DDoS Attacks
Exploiting Vulnerabilities
Social Engineering
How they operate
IRT's approach combines technical capability with strategic messaging. Initially known for web defacements and nuisance attacks, the group has moved on to ransomware payloads to further its disruptive aims. It has used modified LockBit 3.0 payloads, often bundled with custom icons and configurations, to encrypt files on local and networked systems. The encrypted files and ransom notes carry IRT's branding but retain the default contact information from the LockBit builder. Because those contact details are the builder's defaults rather than the group's own, the note offers victims no real negotiation path, which suggests the primary aim is disruption rather than the extortion and negotiation typical of professional ransomware operations.
A significant aspect of IRT's tradecraft is the use of cloud storage services for communication and data exfiltration. Variants of its ransomware have used Dropbox and OneDrive to retrieve payloads and upload data, sidestepping detections tuned to web shells and direct HTTP communication with attacker-controlled infrastructure. Since this traffic goes to well-known SaaS domains over TLS, detection depends on proxy or DNS visibility and on knowing which hosts legitimately use those services, not on IP or domain reputation.
IRT's operations are deeply intertwined with its geopolitical motivations. It has targeted entities in the Philippines, including government and military organizations, as part of a broader wave of hacktivist activity in the region, in line with tensions in the Indo-Pacific and the strategic importance of the Philippines. By co-opting official imagery and branding, such as that of the Philippine Department of Information and Communications Technology (DICT) and its Hack4Gov initiative, IRT not only disrupts but also mocks the government's cybersecurity efforts, amplifying its political statements.
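The cloud-storage behaviour described above, as an added example of the detection logic a defender would run over proxy logs. This is not code from the page or from IRT. The log format, the domain watchlist, the 5 MiB upload threshold and the sample lines are all constructed assumptions, not IRT indicators.

```python
"""
Added example, not code from the page or from IRT: a small detector for
ransomware variants that pull payloads from and push data to cloud storage
services such as Dropbox and OneDrive.

Assumed (not from the page): a constructed, whitespace-separated proxy log
with the fields
  timestamp client_ip method url status req_bytes resp_bytes resp_content_type
plus the domain watchlist, the upload threshold and the sample lines.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Cloud storage endpoints to watch. Assumed list; tune it to the services
# your estate legitimately uses, or the noise will drown the signal.
CLOUD_STORAGE_SUFFIXES = (
    "dropbox.com",
    "dropboxusercontent.com",
    "dropboxapi.com",
    "onedrive.live.com",
    "1drv.ms",
    "sharepoint.com",
    "graph.microsoft.com",
)

# Response content types that indicate an executable or archive was fetched.
PAYLOAD_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/octet-stream",
    "application/zip",
    "application/x-7z-compressed",
}

UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # request bytes per client before alerting (assumed)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def is_cloud_storage(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def parse_line(line):
    """Parse one constructed proxy log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 8:
        return None
    ts, client, method, url, status, req_bytes, resp_bytes, ctype = parts
    try:
        return {
            "ts": ts, "client": client, "method": method.upper(), "url": url,
            "status": int(status), "req_bytes": int(req_bytes),
            "resp_bytes": int(resp_bytes), "ctype": ctype.lower(),
        }
    except ValueError:
        return None


def analyse(lines):
    """Return (client_ip, reason, url) alerts for cloud-storage download and upload activity."""
    alerts = []
    uploaded = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_cloud_storage(host_of(rec["url"])):
            continue
        # Ingress: an executable or archive fetched from cloud storage.
        if rec["method"] == "GET" and rec["status"] == 200 and rec["ctype"] in PAYLOAD_CONTENT_TYPES:
            alerts.append((rec["client"], "payload download from cloud storage", rec["url"]))
        # Exfiltration: accumulate request bytes pushed to the service per client.
        if rec["method"] in ("PUT", "POST"):
            uploaded[rec["client"]] += rec["req_bytes"]
    for client, total in uploaded.items():
        if total >= UPLOAD_BYTES_THRESHOLD:
            alerts.append((client, f"{total} bytes uploaded to cloud storage", ""))
    return alerts


# Constructed sample log: one host fetches an EXE from Dropbox and then pushes
# about 7 MiB to the Dropbox upload API; a second host makes benign requests.
SAMPLE_LOG = [
    "2024-04-08T02:14:07Z 10.20.1.15 GET https://www.dropbox.com/s/k3x9q2/update.exe?dl=1 200 512 1843200 application/x-msdownload",
    "2024-04-08T02:15:10Z 10.20.1.15 POST https://content.dropboxapi.com/2/files/upload 200 4194304 210 application/json",
    "2024-04-08T02:16:31Z 10.20.1.15 POST https://content.dropboxapi.com/2/files/upload 200 3145728 210 application/json",
    "2024-04-08T02:17:02Z 10.20.1.40 GET https://www.example.org/index.html 200 310 8812 text/html",
    "2024-04-08T02:18:44Z 10.20.1.40 GET https://onedrive.live.com/?id=root 200 400 20480 text/html",
    "2024-04-08T02:19:00Z 10.20.1.40 POST https://graph.microsoft.com/v1.0/me/drive/root:/notes.txt:/content 201 1024 500 application/json",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, reason, url in analyse(SAMPLE_LOG):
        print(f"{client}: {reason} {url}".rstrip())
```

Running the block flags 10.20.1.15 twice (the executable download and roughly 7 MiB of uploads) and stays silent on 10.20.1.40, whose small upload to the Graph API is under the threshold. In a real deployment the threshold and watchlist should come from a per-host baseline, since a single file-sync client can exceed 5 MiB in seconds.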
MITRE Tactics and Techniques
T1071.001 – Application Layer Protocol: Web Protocols
Used for communication and command-and-control operations.
T1071.003 – Application Layer Protocol: File Transfer Protocols
Employed for transferring stolen data and tools.
T1105 – Ingress Tool Transfer
Used to transfer tools and payloads into the target environment.
T1070.001 – Indicator Removal: Clear Windows Event Logs
Clearing Windows event logs to remove traces of activity and evade detection.
T1566 – Phishing
Techniques used to deliver malicious payloads through social engineering attacks.
T1203 – Exploitation for Client Execution
Exploits vulnerabilities in client applications to execute malicious payloads.
T1098 – Account Manipulation
Modifying or creating accounts to maintain access.
T1040 – Network Sniffing
Used to gather information from network traffic.
T1027 – Obfuscated Files or Information
Techniques to obfuscate payloads and evade detection.
T1553 – Subvert Trust Controls
Undermining mechanisms that establish trust, such as code-signing or certificate validation, so that malicious payloads run or are accepted as legitimate.
T1078 – Valid Accounts
Use of compromised valid accounts for maintaining access.
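As an added example of how two of the techniques listed above (T1070.001 and T1098) can be detected from host telemetry, the following Python is not code from the page or from IRT. The event IDs are standard Windows Security and System log events; the record shape, the privileged-group watchlist and the sample records are assumptions constructed for the example.

```python
"""
Added example, not code from the page or from IRT: a detector that runs over
Windows event records for two techniques that leave a clear host-side trace.

  T1070.001 Clear Windows Event Logs  -> Security 1102 (audit log cleared)
                                          System 104 (an event log file cleared)
  T1098     Account Manipulation      -> Security 4720 (user account created)
                                          Security 4728 / 4732 (member added to a
                                          global / local security-enabled group)

Assumed (not from the page): records are dicts shaped like the JSON a log
forwarder would emit, the privileged-group watchlist, and the sample
records, which are constructed.
"""

# Groups whose membership changes are worth an alert. Assumed watchlist.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}


def detect(records):
    """Return (technique, computer, detail) tuples for matching records, in input order."""
    alerts = []
    for r in records:
        eid, chan = r.get("EventID"), r.get("Channel")
        data = r.get("EventData", {})
        host = r.get("Computer", "?")
        actor = data.get("SubjectUserName", "?")
        if chan == "Security" and eid == 1102:
            alerts.append(("T1070.001", host, f"Security log cleared by {actor}"))
        elif (chan == "System" and eid == 104
              and r.get("Provider") == "Microsoft-Windows-Eventlog"):
            alerts.append(("T1070.001", host, f"{data.get('Channel')} log cleared by {actor}"))
        elif chan == "Security" and eid == 4720:
            alerts.append(("T1098", host, f"account {data.get('TargetUserName')} created by {actor}"))
        elif chan == "Security" and eid in (4728, 4732):
            # For these events the group is in TargetUserName and the new member in MemberName.
            group = data.get("TargetUserName")
            if group in PRIVILEGED_GROUPS:
                alerts.append(("T1098", host, f"{data.get('MemberName')} added to {group} by {actor}"))
    return alerts


def correlate(alerts):
    """Hosts on which an account was manipulated and a log was cleared afterwards.
    Assumes alerts are in event order; the combination is far more suspicious
    than either event on its own."""
    first_manip, last_clear = {}, {}
    for i, (technique, host, _) in enumerate(alerts):
        if technique == "T1098":
            first_manip.setdefault(host, i)
        elif technique == "T1070.001":
            last_clear[host] = i
    return {h for h, i in first_manip.items() if h in last_clear and last_clear[h] > i}


# Constructed sample records: on WS-PH-014 an account is created, added to
# Administrators, and the Security log is then cleared under that account;
# on FS-PH-02 only the System log is cleared.
SAMPLE_RECORDS = [
    {"Computer": "WS-PH-014", "Channel": "Security", "EventID": 4720,
     "EventData": {"SubjectUserName": "operator", "TargetUserName": "svc_backup2"}},
    {"Computer": "WS-PH-014", "Channel": "Security", "EventID": 4732,
     "EventData": {"SubjectUserName": "operator", "TargetUserName": "Administrators",
                   "MemberName": "svc_backup2"}},
    {"Computer": "WS-PH-014", "Channel": "Security", "EventID": 4732,
     "EventData": {"SubjectUserName": "operator", "TargetUserName": "Users",
                   "MemberName": "svc_backup2"}},
    {"Computer": "WS-PH-014", "Channel": "Security", "EventID": 1102,
     "EventData": {"SubjectUserName": "svc_backup2"}},
    {"Computer": "FS-PH-02", "Channel": "System", "EventID": 104,
     "Provider": "Microsoft-Windows-Eventlog",
     "EventData": {"SubjectUserName": "jdoe", "Channel": "System"}},
    {"Computer": "FS-PH-02", "Channel": "Security", "EventID": 4624,
     "EventData": {"SubjectUserName": "jdoe"}},
]

if __name__ == "__main__":
    found = detect(SAMPLE_RECORDS)
    for technique, host, detail in found:
        print(f"{technique} {host}: {detail}")
    print("manipulation followed by log clearing on:", sorted(correlate(found)))
```

The detector deliberately ignores membership changes to non-privileged groups (the "Users" record) and ordinary logons (4624), and the correlation step is what turns two individually noisy signals into a high-confidence one: a freshly created account that lands in Administrators and is then used to clear the Security log is the sequence a defender wants paged on.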
Impact / Significant Attacks
April 8, 2024 – Attack on the Department of Science & Technology (DOST), Philippines. This attack led to a breach of critical government infrastructure and prompted an investigation by the National Privacy Commission (NPC).
January 2023 – September 2023 – Various ransomware attacks against multiple entities in the Philippines. The ransomware families involved included LockBit, JellyFish (Medusa), Vice Society, ALPHV, BianLian, 8Base, and Cl0p.
September 2023 – Breach of Yakult Philippines Incorporated. This attack was publicly announced on Ikaruz Red Team’s social media and also listed on Cl0p’s data leak site.