Our Red Team: The Cyber Legion
Spyglass Group's Notional 360° Threat Model
Who is the Cyber Legion?
The Cyber Legion is a notional threat model used by our Red Team to emulate real-world cyber and security threats.
The Cyber Legion is an amorphous and decentralized collective of hackers and hacktivists operating worldwide. The group began as an association of elite mercenary hackers-for-hire, motivated primarily by profit, but has since evolved into a global movement of actors with differing capabilities and motivations.
The Threat Actors
The evolution of the Cyber Legion since its inception in 2007 has greatly complicated the predictability and attribution of related cyber activities. As of 2015, the activities, capabilities, and motivations of Cyber Legionnaires encompassed the entire spectrum of today's cyber threats.
The Cyber Legion began to draw public attention circa 2007, after a series of vigilante-style cyberattacks against cyber-criminals and hacktivist groups. What drew initial media attention was a series of publicized "tips" to the FBI and Interpol. The unknown sources of these tips provided the identities, technical data, and computer files of the alleged hackers behind recent high-profile cybercrimes and cyberattacks. The primary targets of these early tips were alleged members of the well-known hacktivist collective Anonymous.
Starting in December 2008, "tips" to law enforcement agencies were being received "courtesy of the Cyber Legion". As more incidents came to light, it became clearer that the Cyber Legion was an emerging threat. Whereas groups like Anonymous relied heavily on public support and volunteers (such as for distributed denial-of-service (DDoS) attacks), the Cyber Legion lacked any apparent public outreach. Also unlike Anonymous, the Cyber Legion did not leverage publicity or social media for threats, warnings, or post-incident propaganda. Media outlets initially labeled the group as vigilantes and criminals because of its use of illegal methods to "hack back" against hacktivists and criminals. Various media outlets began to speculate that the group was fully or partly controlled by the hidden hand of the US or a foreign government.
In mid-2009, the Cyber Legion began to evolve. Short-lived Twitter accounts began to appear, noting the successes of the Cyber Legion and its increasing frustration with a perceived lack of law enforcement response to its tips. Cyber Legion public messaging began to increase, seeking to spread ideology and "out" targeted hackers and hacktivists.
By 2010, the self-proclaimed membership of the Cyber Legion (or at least its ideology) had become so widespread and varied that it is now considered more a global movement than a centralized organization. The sole exception remains the ever-elusive COG cadre, operating from within the shadows.
Whatever the Cyber Legion is or is not, it continues to demonstrate that it is a persistent and full-spectrum threat.
Cyber Ops/Actions Group