Internet users and companies are not the only targets of malicious hackers. At times, hackers themselves fall victim to hacks.
This occurred in an unusual hacking campaign where an unknown hacker group targeted systems already compromised by TeamPCP, a known cybercrime group. Upon gaining access, the hackers expelled TeamPCP and removed their tools, as reported by cybersecurity firm SentinelOne.
The hackers then used their access to deploy code that spreads across cloud infrastructures like a worm, stealing various credentials and sending the stolen data back to their infrastructure.
TeamPCP has been in the news for high-profile hacks, including a breach of the European Commission’s cloud and an attack on the vulnerability scanner Trivy, affecting companies like LiteLLM and Mercor.
SentinelOne’s senior researcher, Alex Delamotte, who discovered the campaign termed “PCPJack,” told TechCrunch that the perpetrators are unknown. Delamotte speculated they could be former TeamPCP members, rival hackers, or a third party emulating TeamPCP’s past campaigns, which often targeted cloud infrastructure.
Delamotte noted the hackers don’t only attack systems compromised by TeamPCP but also search the internet for exposed services like Docker and MongoDB. However, their focus remains on targeting TeamPCP.
According to the report, the group’s tools track the number of successful instances where TeamPCP was evicted, reporting back to its infrastructure.
PCPJack hackers appear financially motivated, stealing and monetizing credentials through resale, selling system access as initial access brokers, or extortion. They don’t install crypto-mining software on hacked systems as the strategy requires more time for a payoff, Delamotte said.
In some attacks, the hackers use domains that hint at phishing for password manager credentials and employ fake help desk sites.
