
Regular internet users and corporations are not the only victims of malicious hackers. Sometimes, the hackers themselves get hacked.
That is what happened in an unusual hacking campaign, where an unknown group of hackers targeted systems already compromised by a prolific cybercrime group known as TeamPCP. Once the hackers broke into those systems, they immediately kicked out TeamPCP hackers and removed their tools, according to a new report by cybersecurity firm SentinelOne.
From there, the hackers use their access to deploy code designed to replicate across different cloud infrastructure like a self-spreading worm, steal various types of credentials, and finally send the stolen data back to their infrastructure.
TeamPCP is a cybercriminal group that has garnered headlines in the last few weeks, thanks to a series of high-profile hacks attributed to the group. Those hacks have included a breach of the European Commission’s cloud infrastructure, and a broadscale cyberattack against the widely used vulnerability scanner tool Trivy, which affected any company that relied on it, including LiteLLM and AI recruiting startup Mercor, among others.
Alex Delamotte, the SentinelOne senior researcher who found the new hacking campaign and dubbed it “PCPJack,” told TechCrunch that it’s not clear who is behind it. At this point, Delamotte said her three theories are that the hackers are either disgruntled ex-TeamPCP members, are part of a rival group, or are a third party “who chose to directly model their attack tools on TeamPCP’s earlier campaigns,” many of which targeted cloud infrastructure.
“The services targeted by PCPJack strongly resemble the December-January TeamPCP campaigns, before the alleged change in group membership that happened in February-March,” said Delamotte.
Delamotte also noted that the hackers don’t just target systems compromised by TeamPCP, but they also scan the internet for exposed services such as the virtual machine cloud platform Docker, databases running MongoDB, and others. But SentinelOne said the group appeared largely focused on targeting TeamPCP.
According to the report, the hackers’ own tools keep a tally of the number of hacked targets where they successfully evicted TeamPCP, and send this information back to the hackers’ infrastructure.
The goals of the PCPJack hackers appear to be purely financial, as they steal credentials with a focus on monetizing them. The hackers do this by reselling them, by selling access to the hacked systems as so-called initial access brokers (hackers who break into systems and then let paying customers into the hacked machines), or by extorting the victims directly.
The hackers, however, do not try to install software to mine crypto on the hacked systems, likely because that strategy requires more time to reap rewards, according to Delamotte.
As part of some of their attacks, the hackers are using domains that suggest they are phishing for password manager credentials and using fake help desk websites, according to Delamotte.




