✨ Explore this awesome post from TechCrunch 📖
📂 **Category**: Security,cybercrime,cybersecurity,hackers,hacking,SentinelOne,TeamPCP
Ordinary Internet users and businesses are not the only victims of malicious hackers. Sometimes, hackers themselves get hacked.
That’s what happened in an unusual hacking campaign, in which an unknown group of hackers targeted systems that had already been compromised by a prolific cybercrime group known as TeamPCP. Once the hackers broke into those systems, they immediately kicked out the TeamPCP hackers and removed their tools, according to a new report from cybersecurity firm SentinelOne.
From there, the hackers use their access to deploy code designed to replicate across different cloud infrastructure like a self-propagating worm, steal different types of credentials, and finally send the stolen data back to their own infrastructure.
TeamPCP is a cybercriminal group that has been making headlines in the past few weeks, thanks to a series of high-profile hacks attributed to it. These included a breach of the European Commission’s cloud infrastructure, and a large-scale cyberattack against the widely used vulnerability scanning tool Trivy, which affected any company relying on it, including LiteLLM and AI recruiting firm Mercor, among others.
Alex Delamotte, senior researcher at SentinelOne, who discovered the new hacking campaign and dubbed it “PCPJack,” told TechCrunch that it is not clear who is behind it. At this point, Delamotte said her three theories are that the hackers are either disgruntled former members of TeamPCP, part of a rival group, or a third party who “chose to model their attack tools directly on previous TeamPCP campaigns,” many of which targeted cloud infrastructure.
“The services targeted by PCPJack closely resemble the TeamPCP campaigns from December to January, prior to the alleged change in group membership that occurred in February and March,” Delamotte said.
Delamotte also noted that hackers are not only targeting systems compromised by TeamPCP, but are also scanning the Internet for exposed services such as the Docker virtual machine cloud platform, databases running MongoDB, and others. But SentinelOne said the group appeared to be largely focused on targeting TeamPCP.
According to the report, the hackers’ own tools keep a tally of the number of compromised targets where they successfully evict TeamPCP, sending this information back to their infrastructure.
The PCPJack hackers’ goals appear to be purely financial, as they steal credentials with an eye toward monetizing them. The hackers do this by reselling the credentials, by selling access to compromised systems to so-called initial access brokers (hackers who break into systems and then allow customers to pay for access to compromised devices), or by blackmailing victims directly.
However, hackers do not attempt to install cryptocurrency mining software on compromised systems, likely because this strategy requires more time to reap rewards, according to Delamotte.
As part of some of their attacks, hackers use domains that indicate they are phishing for password manager credentials and use fake help desk sites, according to Delamotte.
🕒 **Posted on**: 1778234724
