An interview with AgainstTheWest
An Eminem-loving hacktivist group waging war against the enemies of the West.
Recently AgainstTheWest (ATW), the hacktivist group mentioned in our previous post about the origins of the Log4J disclosure, reached out to Cyberknow for a chat. The following is some of what was discussed and provides some insight into the group, who have declared war on China and now Russia.
The screenshots in this blog are from an interview conducted on 17 January 2022 and are shared with permission. You will notice there are some significant claims in the following interview; without hard evidence, all of them need to be taken with a level of healthy skepticism. Some of the interview has been redacted due to the sensitivity of the information.
· ATW, a Western European based hacktivist group has been aggressively targeting China and now Russia since October 2021 with cyber-attacks.
· ATW appears to be well-resourced, motivated and organized.
· ATW is possibly a team of at least 6, with at least some members based in France — they all interact in real life.
· ATW claims to have received requests for specific types of data from contacts they believe to be involved with state governments.
· ATW don’t use or like ransomware, claim they will never target the West, and are very confident and driven in their belief that their crusade is for a noble cause. They hope to be seen in a favorable light.
· ATW plans to target North Korea, Belarus and Iran soon.
· ATW claims to have some former intelligence operations experience.
· ATW suggests the Alibaba attack unlocked the ability to target other Chinese organizations.
· ATW arguably have some decent technical skill; they claim to be using several other undisclosed vulnerabilities now that Log4J has been widely patched.
· ATW through their actions are inadvertently contributing to a climate of increasing geopolitical tensions in cyberspace.
ATW is a team of at least 6 who operate out of Western Europe, most likely France. Don’t let the name confuse you: ATW targets countries they perceive to be a threat to Western society. Currently they are targeting China and Russia, and they have plans to target North Korea, Belarus and Iran in the future. They portray an idea of noble cause in an attempt to push back against what they see as an attack on the West from China, Russia and others. They have been operating since October 2021 and have allegedly hit government and corporate networks in China and Russia to date.
ATW reached out to us for an interview; the following is a series of insights from that chat. ‘atw@’ in the following screenshots is ATW.
When we were contacted by an ATW associate we weren’t planning on speaking with them, but from the start they were very keen to engage and declare their intentions. As you can see below, ATW is hopeful that their cyber-attacks on China and Russia will be seen in a positive light and make them famous.
As we continued to chat we were keen to discover if they were worried about ‘hack-back’ attacks or any significant ramifications of their actions. They then made the first of several significant claims, as you can see below — they claim that contacts from the West are seeking certain data from the Ukraine region.
As you can see below ATW believe that Western intelligence agencies and governments are pleased with their campaigns. There is a real righteous cause feeling that ATW is aiming to project.
They provided insight into the rough makeup of the team — they mention in another quote that they are 6 members, but it’s possible with the volume of alleged attacks it could be much larger. They claim to all engage in real life and they confirm that at least the member we spoke to is from France.
We then asked them more about their credentials as a hacktivist group, after they had asked for payment several times on Raidforums. They explained to us that most of the members had lost jobs; it is unclear if the timing of ATW starting operations and the ongoing COVID-19 pandemic has any connection. They do explain that the demand from the community has been significant.
For context ATW is now the top group on Raidforums, due in part to their significant posting load.
ATW has not been without critics from the cyber-criminal community, and targeting Russia will likely bring more heated attention from Eastern European operators. On Ramp, a hacking forum on the dark web, there was significant disdain when ATW started a Tor site and were allegedly charging $500 for access. The consensus on Ramp was that ATW is a scam group looking for quick cash, selling garbage data and trying an exit scam.
When questioned about this, ATW claimed that the Chinese government had shut down that site and that it was not due to lack of interest, as was the consensus on Ramp.
Update — 23 January 2022
ATW has re-launched a Tor site, this time purely for posting data. This is possibly to avoid any risk of being removed from Raidforums, where they have been hit with several temporary bans.
According to ATW they will continue to leverage vulnerabilities in systems to conduct attacks and will avoid tools such as ransomware, likely trying to avoid the negative image that goes with ransomware.
The irony of writing up this interview and sharing it with the world is that this is what ATW wants. They are hoping to use social media interactions and media interest as a means to grow their notoriety. They do mention that they would not feel safe using clearnet social media, as it would risk getting them caught. They seem to have a good understanding of OPSEC.
ATW follows a set of standards and rules that guide their operations. As they mentioned straight up, they avoid ransomware, they try to avoid personal information, and they will at all costs avoid Western organizations.
We raised the question that they appeared to be well organized and asked if they had any military experience. They claim, as you’ll see below, that they have at least one ex-intelligence member. However, this was a leading question and it would be difficult to confirm this claim. They do however seem well organized and structured.
We asked again if ATW would be motivated to shift their campaigns to western targets, they provided the following considerations — they seem to wish that the West would join them in their cyber operations.
In our previous article we discussed the possibility that ATW triggered the global response to Log4J after they allegedly used that vulnerability against Alibaba Cloud. This has been met with considerable skepticism from the cyber security community as there is no evidence for such a theory.
Below, ATW provides more insight into the access they gained against Alibaba Cloud; according to them, they were able to get information for further attacks due to poor security practices.
Lastly, we had to ask: why is Max Headroom the mascot of ATW? The answer was surprising. It turns out it wasn’t a reference to the 1980s takeover of a Chicago TV channel; instead, it was because they thought Eminem’s “Rap God” video was cool.
There it is, an unplanned interview with ATW. What have we learnt from the insights provided by ATW?
· They seem highly motivated and driven to wage cyber-attacks on China and Russia, with other countries to follow.
· They arguably have some decent technical skill; they claim to be using several other undisclosed vulnerabilities now that Log4J has been widely patched.
· They are keen to engage with media and seek fame and notoriety for what they perceive to be a noble crusade.
· At least some of the team of 6 are from France, with the rest nearby in Western Europe.
Thanks for reading.
For further information: https://twitter.com/Cyberknow20