Spyglass Group LLC  

Our Red Team: The Cyber Legion

Spyglass Group's Notional 360° Threat Model

Cyber Operations Group (COG), aka Groupe d'Actions Cyber (CAG)

Who is the Cyber Legion?

The Cyber Legion is a notional threat model used by our Red Team to emulate real-world cyber and security threats.

The Cyber Legion is an amorphous and decentralized collective of hackers and hacktivists operating worldwide.  The group began as an association of elite mercenary hackers-for-hire, motivated primarily by profit, but has since evolved into a global movement of actors with differing capabilities and motivations.

The Threat Actors

The evolution of the Cyber Legion since its inception in 2007 has greatly complicated the predictability and attribution of related cyber activities.  As of 2015, the activities, capabilities, and motivations of Cyber Legionnaires encompassed the entire spectrum of today's cyber threats.

  • Insider Threats:  Lone actors employed in corporations and government organizations have conducted industrial espionage and committed unauthorized disclosures for what they believe (or claim) to be a necessary "good".  They have either cited the ideology of the Cyber Legion as a source of their motivation or outright claimed to be members of the movement.

  • Foreign Governments and Intelligence Services:  The atypical characteristics of Cyber Legion activities have long drawn speculation of foreign government involvement.  Reasonably, some members of the Cyber Legion may be wittingly (as hackers-for-hire) or unwittingly (victims of false-flag recruitment) working on behalf of foreign governments.  It is also believed that in some cases, foreign governments have attempted to complicate attribution by falsely presenting their cyber activities as that of Cyber Legion actors.

  • Cyber-Mercenaries:  The core cadre of the original Cyber Legion, known as Cyber Legionnaires (aka Cyber Legion Operations Group (COG), Groupe d'Actions Cyber (CAG)) remain fully operational and continue to work in the shadows.  These are the group's most capable hackers.  COG leverages reverse-engineered foreign government cyber tools, commercial exploits and tools (such as those leaked from the Italy-based cyber business 'Hacking Team'), and even internally-developed 0-day exploits.  To date, attacks conducted by COG remain largely vigilante in nature against hacktivists, cyber-criminals, and foreign government cyber actors.

  • Hacktivists and Watchdog Groups:  These Cyber Legion actors are most often self-proclaimed members who have taken on the rogue-actor mystique of the Cyber Legion's ideology.  Although they use the movement's name, they are more akin to a splinter group or cause.  Their cyber activities are largely anti-governmental but are on occasion conducted against large corporations.  Their tactics rely primarily on compromising social media and webmail accounts (Hotmail, etc.) through spearphishing, watering-hole attacks, and social engineering.  Cyber Legion hacktivists periodically attempt DDoS attacks similar to those of Anonymous (using tools like LOIC), but with much less success and notoriety.  A small number of hacktivists in this category are highly capable and mirror the operations of COG members.

  • Close-Access -- An Emerging Threat:  Since 2013, a small number of activities associated with Cyber Legion actors indicated close access or proximity to their target's locations in the United States and Europe.  Specifically, attack-related social media postings included photographs and wireless packet captures of target locations.


The Cyber Legion began to draw public attention circa 2007, after a series of vigilante-style cyberattacks against cyber-criminals and hacktivist groups.  What drew initial media attention was a series of publicized "tips" to the FBI and Interpol.  The unknown sources of these tips provided the identities, technical data, and computer files of the alleged hackers behind recent high-profile cybercrime and cyberattacks.  The primary targets of these early tips were alleged members of the well-known hacktivist collective Anonymous.

Starting in December 2008, law enforcement agencies began receiving "tips" sent "courtesy of the Cyber Legion".  As more incidents came to light, it became clearer that the Cyber Legion was an emerging threat.  Whereas groups like Anonymous relied heavily on public support and volunteers (such as for distributed denial of service, DDoS, attacks), the Cyber Legion lacked any apparent public outreach.  Also unlike Anonymous, the Cyber Legion did not leverage publicity or social media for threats, warnings, or post-incident propaganda.  Media outlets initially labeled the group as vigilantes and criminals because of its use of illegal methods to "hack back" against hacktivists and criminals.  Various media outlets began to speculate that the group was fully or partly controlled by the hidden hand of the US or a foreign government.

In mid-2009, the Cyber Legion began to evolve.  Short-lived Twitter accounts began to appear, noting the successes of the Cyber Legion and its increasing frustration with a perceived lack of law enforcement response to its tips.  Cyber Legion public messaging began to increase, seeking to spread its ideology and "out" targeted hackers and hacktivists.

By 2010, the self-proclaimed membership of the Cyber Legion (or at least its ideology) had become so widespread and varied that it is now considered more a global movement than a centralized organization.  The sole exception remains the ever-elusive COG cadre, operating from within the shadows.

Whatever the Cyber Legion is or is not, it continues to demonstrate that it is a persistent and full-spectrum threat.
