It is rare for an active hacking group to continue its operations for years without detection. When that does happen, it hints at something large, possibly a cyber espionage campaign led by big players in the cybersecurity sector.
During its investigation, a team of researchers at SentinelOne’s SentinelLabs discovered a unique threat actor (TA) that uses advanced techniques to hinder detection. According to the security company’s report, there are around ten such hacking groups in total, and they have links to China and Iran.
Though multiple groups may work at their own pace to target different organizations within a sector, there are cases where threat actors collaborate to target a single company, government, nation, or individual. According to SentinelOne, the unknown group is believed to operate in alignment with, and to be working towards, a nation-state interest.
The Metador group
According to Cyberscoop, the unknown cyber threat group is dubbed “Metador”, which deconstructs as “I am meta”. The researchers also stated that the threat actor might have its command-and-control servers in Spain, based on the linguistic responses collected from the malware code.
According to the research, the group has been actively initiating cyberattacks for the last two years and is backed by extensive power and resources to sustain its daily operations. As for its tooling, the hacker collective uses two Windows malware platforms that it deploys on victims’ devices, plus an additional Linux implant, further expanding its capability to rapidly adapt to modern threat detection systems.
The hacker group reportedly targeted telecom networks, internet service providers, and universities in the Middle East and Africa, among other regions. However, the security experts could only see a small part of its massive network, because the group’s advanced evasion techniques prevent researchers from connecting one victim to another. This style of attack can be achieved by using multiple IP addresses and varying attack patterns, which diminishes any possibility of linking incidents.
Researchers analyze the sample malware
The researchers at SentinelOne said that “reliable attribution wasn’t possible” because the malware developers were fluent in English, especially internet slang such as LOL, smiley faces, emoji, and the like.
Moreover, the code also contained some Spanish words, which hypothetically suggested that the group might be operating internationally with links to Spanish-speaking individuals and groups. The source code of some of the samples collected by the researchers contained pop culture references, including lyrics from the 90s song “Ribbons” by British pop punk band The Sisters of Mercy.
Metador has successfully targeted its victims and maintained a streak of working covertly, without detection and without glorifying its feats. Researchers and cybersecurity specialists have yet to determine the full extent of the group, how it operates, and who or what is behind it.