CostaRicto, a threat actor group first reported by BlackBerry Cylance in November 2020, has been identified as a probable cyber-espionage-for-hire criminal entity. The group is known for its custom proxy tool and for the Rich header found in its binaries, both associated with the CostaRicto campaign. Its bespoke malware toolset, internally named CostaBricks, was first detected in October 2019 and has rarely been observed since. Unlike many state-sponsored Advanced Persistent Threat (APT) actors, CostaRicto does not appear to select victims by geographical location.
The CostaRicto campaign's targets are spread across several continents, including Europe, the Americas, Asia, Australia, and Africa. However, a significant concentration of activity has been observed in South Asia, especially in India, Bangladesh, and Singapore. This suggests that while the threat actor could be based in that region, it operates globally, possibly working on commission for a range of clients. Despite some speculation, BlackBerry researchers consider a direct link between CostaRicto and APT28 highly unlikely.
Dubbed CostaRicto by BlackBerry, the group is believed to be operated by "hackers-for-hire." These mercenaries use complex VPN proxy and SSH tunnelling infrastructure alongside bespoke malware tooling, a combination that lets them carry out sophisticated cyber-espionage on behalf of their clients. Their indiscriminate choice of victims and global reach make them a significant concern for cybersecurity professionals worldwide.
Description last updated: 2024-05-05T09:49:03.710Z