Profiling Team Snatch: Cybercriminal Group Publishes Five New Breaches

Profiling Team Snatch:  Cybercriminal Group Publishes Five New Breaches
10 minute read


In this article we detail the recent activities of Team Snatch, a cybercriminal group first associated with ransomware operations who now partake in more general data theft and exposure beyond simply leveraging ransomware threats. This group previously achieved notoriety in late April 2019 with their publication of data stolen from CityComp, a German IT services company.

In response, Motherboard published an article detailing the breach, including an overview of the attack and information about an onion site used to host the breached data. Picking up where their research left off, we present a timeline of recent attacks by Team Snatch and an analysis of their TTPs and newly published breach data. In the CityComp breach and following attacks, Team Snatch worked with the intent to get money via extortion, posting sensitive and private company data of those that have not met their demands, most likely in hopes of instilling fear in future victims. Briefly, we also compare the team’s known activity to other financial cybercrime actors. In examining the details and attributes of these events, we hope to help the community better understand—and prepare for—risks of similar type.

CityComp Breach

Team Snatch first became mainstream with their breach of the company CityComp, which quickly became national news. With the breach came a publicly accessible listing of CityComp’s data for anyone to download. The reported reason for making the data public was CityComp’s refusal to pay a blackmail fee to the group. At the time, the Team Snatch onion site only offered access to the CityComp breach (shown below):

Expanding to new targets

By and large, the Github-style directory listing mirrored their openweb site, https://citycomp[.].de, and on May 1, the group announced a new website layout via social media, including a reference to their movie-inspired namesake:

Following this post, Twitter users noted the listing of additional breaches being hosted alongside the CityComp data:

Indeed, a visit to the group’s onion site confirmed such reports:

Each of the newly listed companies (BMK, KCSA, Tecnicas Hidraulicas, and Myatt Blume & Olson) had directory listing pages similar to CityComp, and—in addition to providing general information about the data breaches—each page also included an rsync link for visitors to download the respective datasets. Going public with these data troves shows a pattern for the group, where if companies do not respond to the demands then they will be listed on their website. The group provides basic instructions on how to download the data, and it requires no payment or special access to download.

The datasets, as listed on the website when clicking “View,” are as follows:

  • BMK
  • Financial and Private Information on all clients
  • Unpacked: 97,065 files in 10,259 folders, over 70 Gb data
  • Packed: 31 files, 45 Gb
  • KCSA
  • Financial and private information on all clients
  • Unpacked: 188,403 files in 22,321 folders, over 244 Gb data
  • Packed: 3 files, 190 Gb
  • Tecnicas Hidraulicas
  • Financial and private information on all clients
  • Unpacked: 13,152 files in 4,148 folders, over 25 Gb data
  • Packed: 6 files, 19 Gb
  • Myatt Blume & Olson
  • Financial and private information on all clients
  • Unpacked: 82,673 files and 9,816 folders, over 107 Gb data
  • Packed: 1 files, 40 Gb

After reviewing the breach data, the team found gigabytes of confidential documents, slide decks, PII (passports and identification cards), database and infrastructure credentials, HR documents, policy documents, invoices and contracts.

Key Information

The ZeroFox Alpha Team obtained the data from the Team Snatch servers to verify their authenticity, alert the affected companies, and share with them their respective datasets. We also contacted the appropriate CERT organizations when victims did not respond to communication via phone calls, email, or social media. Since the data is public, it leaves very little time for companies to respond, especially when the actors are actively marketing the data to their social media followers.

In reviewing the leaked files, the ZeroFox Alpha Team concluded with HIGH confidence that the files are confidential and authentic. We are unsure how they were obtained, but based on the previous CityComp breach and its associated actors, it’s likely that the affected companies declined or did not respond to blackmail or extortion demands.

The associated rsync URLs all lead to the same Tor website run by Team Snatch. Connecting over Tor was trivial and required no special software or credentials to access the data. We have HIGH confidence that the group published this data for anyone to download, and it will continue this TTP as the group collects more confidential data from organizations who refuse to give in to blackmail threats.

The data trove contains multiple 7z compressed files, as listed in Appendix 1.

In reviewing the new datasets, our team found no apparent overlap with the original CityComp Breach file listings hosted on the citycomp[.]de website. However, without access to the full data (it has since been taken down), we are unable to reach this conclusion with absolute certainty. Tweets made by the group to news outlets and affected companies also imply the data breaches are disparate:

The #ابتزاز#Citycomp German information technology company, which provides Internet infrastructure to dozens #الشركات, has been infiltrated by hackers with stolen data belonging to some of the world's largest companies.

It can be argued that Team Snatch is implying that these companies were part of CityComp, or that they were hacked alongside other companies in the CityComp breach. ZeroFox has LOW-MEDIUM confidence that the data is part of the original breach due to the specific “call-outs” on the onion site.

On or around May 14 2019, the Team Snatch Twitter account was removed from the Twitter platform and, subsequently, the team took down their onion website and rsync services. However, the website returned on or around May 17, 2019, with Perceptics, a new data breach victim, listed in their inventory:

The directory listing for Perceptics is provided in Appendix 2.

Analysis & TTPs

Based on the CityComp incident, the social media engagements, their public website and the additional breaches, it’s clear that this group is willing to publicize their actions if their demands are not met. What is not clear is if the 5 additional victims refused to give into their blackmail demands which then led to the breach. It is important to note that CityComp is a much bigger and more global company than the other 5, and is arguably the groups Magnum Opus.

The directory-style listing and the directions on their website to download the data show that Team Snatch wants to create a wall of sheep for their victims. This wall of sheep fits their modus operandi - they would rather burn their opportunity down rather than accept that victim organizations will not give into their demands. This website could also be a way to prove how serious they are for future victims, and it may tip companies into playing ball with their demands.

This Billy the Kid style of cybercrime isn’t new, but is becoming more common in the age of social and digital media. The Dark Overlord gained popularity by engaging with the media, keeping an active social media presence, flagrantly posting on multiple “hacker” forums, and maintaining their own wall of sheep via Pastebin, Reddit and Steemit.

We believe Team Snatch will continue publishing data and using its rolodex of logos to threaten companies that they compromise. This tactic drifts from traditional ransomware attacks in two ways. First, the confidential data is exfiltrated from the victim rather than the private key for ransomware. Two, the group could use the victim rolodex as a way to trick potential victims that something was exfiltrated when indeed it was not, much akin to the RDoS (ransom denial of service attacks), and the threat alone could be enough for a company to pay the actors. Overall, security organizations should be aware that their defense in depth strategies should include monitoring of the social and digital realm in order to gain visibility and protect themselves from these types of attacks moving forward.

Appendix 1

Breach Details

Dump 1 contains IT and PII information.

root@extreme:~/dumps/ torsocks rsync -av --progress rsync://REDACTED.onion:/REDACTED
receiving incremental file list

drwxr-xr-x          4,096 2019/05/04 13:13:43 .
-rw-r--r--        546,383 2019/05/04 09:00:47 IT Utilities_.7z
-rw-r--r-- 201,139,259,783 2019/05/04 13:11:14 Shared.7z
-rw-r--r--  2,002,044,605 2019/05/04 13:16:12 Vol1.7z

Dump 2 contains client information, receipts, and invoices.

root@extreme:~/dumps/REDACTED[2]# torsocks rsync -av rsync://REDACTED.onion:/REDACTED[2]
receiving incremental file list
drwxr-xr-x          4,096 2019/05/04 12:49:01 .
-rw-r--r--     80,962,497 2019/05/04 11:42:04 Administracion.7z
-rw-r--r--  9,266,280,694 2019/05/04 11:59:53 Comercial.7z
-rw-r--r-- 10,284,130,423 2019/05/04 12:35:44 Comunicacion.7z
-rw-r--r--     82,836,577 2019/05/04 12:48:22 Direccion.7z
-rw-r--r--     64,034,207 2019/05/04 12:48:33 Fabricacion.7z
-rw-r--r--         41,150 2019/05/04 12:48:35 Relacion Barcos-Clientes.7z

Dump 3 contains database credentials, policy files, scan files, configuration backups, passports, PII, HR files, and Financial Planning/Investment Confidential Documents.

root@extreme:~/dumps/REDACTED[3]# torsocks rsync -av --progress rsync://REDACTED.onion:/REDACTED[3]
receiving incremental file list
drwxr-xr-x          4,096 2019/05/04 08:38:24 .
-rw-r--r--     56,888,271 2019/05/04 07:22:02 Adminisrative File.7z
-rw-r--r--    200,944,505 2019/05/04 07:23:22 BMKPROD_01012018.7z
-rw-r--r--     15,049,168 2019/05/04 07:23:23 BMKW001.7z
-rw-r--r--    195,952,411 2019/05/04 07:24:41 BMK_19042017.7z
-rw-r--r--    254,936,046 2019/05/04 07:24:56 BMK_22012018_1350.7z
-rw-r--r--    351,662,849 2019/05/04 07:25:20 CEO_Secretary.7z
-rw-r--r--  2,061,437,731 2019/05/04 07:28:07 CMA_Mails.7z
-rw-r--r--    145,777,993 2019/05/04 07:28:16 Compliance.7z
-rw-r--r-- 22,108,327,215 2019/05/04 07:52:05 ComplianceAML.7z
-rw-r--r--  1,087,668,325 2019/05/04 07:53:17 Corporate_Finance.7z
-rw-r--r--      1,967,871 2019/05/04 07:53:17 DDC timesheet.7z
-rw-r--r--    118,411,863 2019/05/04 07:53:36 Elite_Real_Estate_Fund.7z
-rw-r--r--     42,342,740 2019/05/04 07:53:42 GCC_Equity_private_placement_fund.7z
-rw-r--r--    937,124,508 2019/05/04 07:56:20 HR.7z
-rw-r--r--      8,011,859 2019/05/04 07:56:21 HR_Finance.7z
-rw-r--r--     10,516,003 2019/05/04 07:56:22 IPO Subscription.7z
-rw-r--r--        158,111 2019/05/04 07:56:22 IPOFundIncomeassumptionsandAnalysis.7z
-rw-r--r--    107,611,426 2019/05/04 07:56:31 MGT.7z
-rw-r--r--     25,481,145 2019/05/04 07:56:34 O.7z
-rw-r--r--     79,769,284 2019/05/04 07:56:41 RealEstateFunds.7z
-rw-r--r--      5,845,214 2019/05/04 07:56:42 Scan document.7z
-rw-r--r--      1,117,343 2019/05/04 07:56:42 Sophos Config BACKUP.7z
-rw-r--r--      1,896,815 2019/05/04 07:56:42 Technical File.7z
-rw-r--r--  2,951,460,238 2019/05/04 07:59:32 UserFolders.7z
-rw-r--r--  7,785,102,685 2019/05/04 08:06:47 docs.7z
-rw-r--r--     15,120,927 2019/05/04 08:34:10 id proof.7z
-rw-r--r--    285,852,399 2019/05/04 08:34:29 letters.7z
-rw-r--r--  1,882,491,579 2019/05/04 08:38:15 mail_dammamdev_com_sa.7z
-rw-r--r--      1,944,362 2019/05/04 08:38:15 passwords.7z
-rw-r--r--    109,352,208 2019/05/04 08:38:23 releases.7z
-rw-r--r--  6,838,649,193 2019/05/04 08:45:12 scan.7z

Dump 4 contains audit related files and financial information.

root@extreme:~/dumps/REDACTED[4]# torsocks rsync -av --progress rsync://REDACTED.onion:/REDACTED[4].com
receiving incremental file list
drwxr-xr-x          4,096 2019/05/04 11:30:54 .
-rw-r--r-- 42,189,468,036 2019/05/04 10:42:35 AUDITFILES.7z

Appendix 2

root@extreme:~/dumps/REDACTED[5]# ls -lah
total 20G
drwxr-xr-x 1 root root    0 May 18 23:22 .
drwxr-xr-x 1 root root    0 May 18 23:22 ..
-rw-r--r-- 1 root root 525M May 20 07:51 backup.rar
-rw-r--r-- 1 root root 557M May 20 08:17 bosheda.rar
-rw-r--r-- 1 root root  59M May 17 17:00 datamap.txt
-rw-r--r-- 1 root root 2.2M May  2 09:10 Deployment.rar
-rw-r--r-- 1 root root 815M May 19 17:38 Docs.rar
-rw-r--r-- 1 root root 917M May 19 19:05 Enterprise_DB.rar
-rw-r--r-- 1 root root 883M Apr 30 08:26 ERP_Planning.rar
-rw-r--r-- 1 root root 563M May 19 19:41 Exchange.rar
-rw-r--r-- 1 root root  51M Apr 30 08:26 Foundation.rar
-rw-r--r-- 1 root root 134M Apr 30 08:27 HR.rar
-rw-r--r-- 1 root root 4.3K May 19 16:49 index.html
-rw-r--r-- 1 root root 331M May 19 21:06 Inventory.rar
-rw-r--r-- 1 root root 1.2G Apr 30 08:42 ITI.rar
-rw-r--r-- 1 root root 1.1G May 19 21:56 MFGDOCS.rar
-rw-r--r-- 1 root root 1.2G May 19 23:07 Microsoft.rar
-rw-r--r-- 1 root root 124M May 18 14:55 MSSQL_internal.tar
-rw-r--r-- 1 root root 257M Apr 30 08:41 MVS_Projects.rar
-rw-r--r-- 1 root root 1.1G May 19 23:57 NAV_DB.rar
-rw-r--r-- 1 root root  13M May  2 10:01 NAV_DOC_LINKS.rar
-rw-r--r-- 1 root root 9.4M May  2 10:06 Perceptics_WIG_2.rar
-rw-r--r-- 1 root root 3.9G May 20 02:30 Perceptics_WIG.rar
-rw-r--r-- 1 root root 295M Apr 30 08:45 PlateDatabase.rar
-rw-r--r-- 1 root root  68M Apr 30 08:44 PlateWorkbench.rar
-rw-r--r-- 1 root root  11M May  2 10:03 Price_Lists.rar
-rw-r--r-- 1 root root  82K Apr 30 08:43 Project_Summary.rar
-rw-r--r-- 1 root root 250M May  2 10:06 Proposals.rar
-rw-r--r-- 1 root root 1.4G May  5 09:07 QA_Process_Improvement.rar
-rw-r--r-- 1 root root   27 May 17 18:13
-rw-r--r-- 1 root root 2.7G May 20 06:32 Sales_and_Marketing.rar
-rw-r--r-- 1 root root 489M Apr 30 08:45 Sales_Conops.rar
-rw-r--r-- 1 root root 548M Apr 30 08:44 ScannedFiles.rar
-rw-r--r-- 1 root root 3.6M Apr 30 08:42 Senior_Team.rar
-rw-r--r-- 1 root root 562M May 20 07:28 Shoreline_Data.rar
-rw-r--r-- 1 root root 249K Apr 30 08:42 Software_Licensing_Agreement_DB.rar
-rw-r--r-- 1 root root 165K Apr 30 08:42 SO_Log.rar
-rw-r--r-- 1 root root 120M Apr 30 08:43 STM_Strategy.rar

See ZeroFox in action