Deep Web Profile: AgainstTheWest / BlueHornet [Part 2]

As explained in the first part, the famous leak group AgainstTheWest/BlueHornet decided to shut their operations after their unsuccessful private forum attempt. Still, two significant incidents had crucial effects on their decision: the shutdown of RaidForums on the 25th of February and, most importantly, the Russian-Ukraine crisis starting on the 24th.

Part 2: The Aftermath of the Russian Ukraine Crisis

SOCRadar’s analysts think that a vast advertisement opportunity has risen as the world is focused on Russia and Ukraine could have made them abandon their decision to shut their operations. In addition, the fact that the shutdown of RaidForums has given them a new chance to become famous and reach new audiences on different platforms such as Telegram and Twitter could also have assisted them in their decision to continue.

Keep track of what’s on the hackers‘ agenda with SOCRadar’s free DarkMirror tool. Create the feed you need via country, industry, or custom tags.

Escaping RaidForums, Gave AgainstTheWest New Platforms To Reach New Audiences

After RaidForums had shut down, AgainstTheWest/BlueHornet did not wait long to carry their operations to new platforms. On the 26th of February, they opened their Telegram leak channel and announced that they would continue posting leaks of the companies they have leaked here.

From now on, their primary focus of interest was Russian enterprises while occasionally leaking Chinese companies. SOCRadar has been monitoring multiple platforms AgainstTheWest/BlueHornet is actively using to share their leaks to bring you the latest news and updates about their victims. Below, you can see an example Telegram post monitored by SOCRadar.

One of the first leaks on ATW’s Telegram channel monitored by SOCRadar

With SOCRadar& ThreatFusion, search for IRC, Telegram, and Discord channels used by threat actors and get the latest cybersecurity news, vulnerabilities, IoCs, and dark web information.

Along with Telegram, ATW/BH has opened a Twitter account to interact with its followers. They have been actively using Twitter, but their account keeps getting suspended by Twitter, which they just continue on a new account.

An interesting thing about the group is that ATW/BH occasionally decides to announce that they have shut their operations, which they did not stop and continued their operations in each case.

ATW/BH announcing they are quitting after their Twitter account gets suspended

AgainstTheWest Joins a New Hacker Forum: breached.co

A new hacker forum emerged on the 16th of March to fill the void RaidForums had created, with the link breached. co. ATW/BH does not wait long to join the new platform that is getting popular each day. ATW/BH joins breached.co. After two days, the forum opened and started posting its leaks on the forum. Some of their leaks are still being posted on their Telegram account, while others are being published on their page.

It is essential to state that they continue attacking Russian companies and Chinese enterprises. They are actively leaking sensitive data of major companies on breached.co and Telegram. However, SOCRadar’s analysts have detected a repeating trend in their leak posts. Some of the companies they have leaked have been leaked before in their earlier posts dating back to October 2021. Are they reuploading old leaks?

AgainstTheWest leaks Alibaba Cloud’s source code in November 2021

AgainstTheWest leaks Alibaba Cloud’s source code once again along with additional data

It is crucial to consider the possibility that the group could have been posting old leaks since their popularity has risen since October/November 2021. Another option is that significant events that were not intriguing back in the group’s first months could have become necessary after some circumstances, such as the Russian Ukraine crisis.

People would be interested in the previously unpopular leaks, so the group gets more recognition, and their follower base expands by reuploading old leaks. Still, there’s no way to know without checking the contents of both leaks, we cannot say for sure that the group has been reuploading old leaks, but the possibility exists.

Announcing AgainstTheWest’s End Once Again

AgainstTheWest’s announcement on their breached.co page

On April 12th, 2022, AgainstTheWest announced that they had completed their goals and are stopping their operations. The group also states that they are a state-sponsored group without disclosing the state’s name. Still, they say that they are told to infiltrate, attack, and leak companies and government agencies of China, Russia, Iran, North Korea, and Belarus.

So, is this the end for AgainstTheWest, or will they come back just as they did in their old announcements on shutting down their operations?