SOCRadar® Cyber Intelligence Inc. | Deep Web Profile: AgainstTheWest / BlueHornet [Part 1]


Apr 15, 2022
5 Mins Read

Deep Web Profile: AgainstTheWest / BlueHornet [Part 1]

In October 2021, a new leak group emerged in RaidForums with the handle AgainstTheWest. They have started actively targeting major organizations and state-affiliated corporations in China.

Part 1: The Birth of AgainstTheWest

Their fame grew exponentially as they hacked and leaked Chinese corporations with a high reputation worldwide. After their swift rise among hackers in RaidForums, they have declared a name for their operations in China: Operation Renminbi. 

Operation Renminbi 

In Operation Renminbi, AgainstTheWest has mainly targeted corporations in China or nearby countries. SOCRadar has detected more than 50 posts in Operation Renminbi, including the leaks of major companies known worldwide, such as WeChat or Alibaba Cloud, and several posts, including data leaks from the Chinese government. The frequency of the posts was really high compared to other leak groups.

A sample Operation Renminbi post taken from SOCRadar’s DarkMirror 
A sample Operation Renminbi post taken from SOCRadar’s DarkMirror 

After they had leaked sensitive data of many corporations and government agencies of China, they changed their main target and started a new operation in November 2021, which is Operation Ruble. In Operation Ruble, AgainstTheWest has mainly targeted Russia’s corporations (and government agencies).

An important thing to note is that the group did not abandon China completely after starting a new operation. They have continued posting leaks in Operation Renminbi, but the posts were not as expected, and their main focus of interest was Russia. 

Operation Ruble 

In Operation Ruble, the group mainly targeted Russian corporations and government agencies. Operation Ruble was not as “fruitful” compared to Operation Renminbi. Operation Ruble posts were not as frequent. Below, you can see an example Operation Ruble post taken from SOCRadar’s DarkMirror.

A sample Operation Ruble post taken from SOCRadar’s DarkMirror 
A sample Operation Ruble post taken from SOCRadar’s DarkMirror 

After several data leaks were posted under Operation Ruble, the group declared another operation, Operation Rial.

Operation Rial 

The group’s main country of interest was Iran in this operation. Like Operation Ruble, the posts were not as frequent as Operation Renminbi. The operation started in February 2022. Below, you can see an example Operation Rial post taken from SOCRadar’s DarkMirror.

A sample AgainstTheWest's Operation Rial post taken from SOCRadar’s DarkMirror 
A sample AgainstTheWest’s Operation Rial post taken from SOCRadar’s DarkMirror 

AgainstTheWest mainly focuses on Chinese companies and government agencies as three of their operations continue. More than half of their posts belong to Operation Renminbi. 

What do We Know About AgainstTheWest itself? 

As of April 2022, we do not know much about AgainstTheWest. There’s a possibility that initially, the group has only consisted of a single person, and then the group grows in number as more threat actors join AgainstTheWest. They have stated that the group consists of five people.

AgainstTheWest’s page description
AgainstTheWest’s page description 

After some time in RaidForums, they have updated their name to “AgainstTheWest/BlueHornet.” After the name change, they acted as two different subgroups joined under a single team, which is AgainstTheWest/BlueHornet. We have seen various posts from different viewpoints, signaling that two subgroups may exist under ATW/BlueHornet.

A funny thing is that even though their name is AgainstTheWest, they have been actively targeting Eastern countries such as China and Russia.

A Failed Attempt: ATW Leak Forums 

As they have attracted the attention of many people in RaidForums, they have decided to open a private leak forum with a monthly fee. They started actively advertising the new forum in RaidForums, stating that they would post their leaks in the new forum. However, things did not go as planned, not many people have joined the new forum, so they had to abandon the idea. 

After the failed private forum attempt and fading interest, ATW/BlueHornet decided to shut their operations down and turn their eyes to new horizons, declaring a post on their RaidForums page. However, they did not disband the group and have decided to continue after new opportunities have risen with two critical events: the shutdown of RaidForums on the 25th of February and the RussiaUkraine crisis starting on the 24th. 

To be continued: “Part 2: The aftermath of the Russia – Ukraine Crisis.”

Discover SOCRadar® Free Edition

With SOCRadar® Free Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.
Get free access.