Threat Profiling: CarthageRocket


Executive Summary

CarthageRocket is a professional access broker and credential theft specialist, with a reputation for targeting employee credentials using techniques such as phishing, credential stuffing, and brute-force attacks. Known for selling compromised databases on underground forums, CarthageRocket has gained prominence through their affiliation with the Lapsus$ group, which has expanded the scale and impact of their operations.

This post examines their operations, tactics, and affiliations to shed light on the risks posed by this threat actor.

CarthageRocket: Overview

  • Role: Initial Access Broker
  • Active Since: September 21, 2021
  • Affiliation: Lapsus$ Threat Group (Joined September 28, 2024)
  • Alternate Handle: unit221b
  • Key TTPs: Phishing, Credential Stuffing, Brute-Force Attacks
  • Victims: Financial and Government Sectors
  • Infrastructure: Kali Linux, Telegram

Key Timeline

  1. September 21, 2021: Registered as “CarthageRocket” on a dark web forum, beginning their operations.
  2. December 26, 2021: Started interacting in database leak threads to build credibility.
  3. July 6, 2022: Published their first data breach (Zengo Wallet database).
  4. February 22, 2022: Deleted their first database leak after meeting their credits goal.
  5. September 28, 2024: Joined the Lapsus$ group and became an administrator for their Telegram channel.

Tactics, Techniques, and Procedures (TTPs)

CarthageRocket employs a range of sophisticated techniques to gain initial access and exploit stolen credentials. Their operations typically follow these stages:

  1. Initial Access:

    • Phishing Campaigns: Executes targeted phishing campaigns to harvest login credentials.
    • Credential Stuffing: Leverages credentials from past breaches to access accounts using weak or reused passwords.
    • Brute-Force Attacks: Uses automated tools to guess passwords when other methods fail.
  2. Credential Exploitation:

    • Data Monetization: Sells stolen credentials on underground forums.
    • Network Infiltration: Uses credentials to access networks, stealing sensitive data for financial gain.
  3. Collaboration with Lapsus$:

    • Joining Lapsus$ likely expanded the scale of their attacks, focusing on high-profile breaches.
  4. Underground Sales:

    • Actively sells stolen credentials and data, maintaining a wide network within the cybercriminal ecosystem.
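As an added illustration (not code from the original profile), the following Python detector runs over a constructed authentication log and separates the two password-attack patterns listed under Initial Access: credential stuffing (one source trying many different accounts once each) versus brute force (one source hammering a single account). The log format, addresses, usernames and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post), one login attempt per line:
#   <timestamp> <OK|FAIL> user=<name> ip=<source address>
# 203.0.113.7 shows a stuffing pattern, 198.51.100.9 a brute-force pattern, 192.0.2.5 is benign.
SAMPLE_LOG = """\
2024-09-28T10:00:01Z FAIL user=alice ip=203.0.113.7
2024-09-28T10:00:02Z FAIL user=bob ip=203.0.113.7
2024-09-28T10:00:03Z FAIL user=carol ip=203.0.113.7
2024-09-28T10:00:04Z OK user=dave ip=203.0.113.7
2024-09-28T10:00:05Z FAIL user=erin ip=203.0.113.7
2024-09-28T10:01:01Z FAIL user=admin ip=198.51.100.9
2024-09-28T10:01:02Z FAIL user=admin ip=198.51.100.9
2024-09-28T10:01:03Z FAIL user=admin ip=198.51.100.9
2024-09-28T10:01:04Z FAIL user=admin ip=198.51.100.9
2024-09-28T10:01:05Z FAIL user=admin ip=198.51.100.9
2024-09-28T10:02:00Z OK user=alice ip=192.0.2.5
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")

def parse_line(line):
    """Return (result, user, ip) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return (m.group(2), m.group(3), m.group(4)) if m else None

def classify_sources(log_text, min_attempts=5, distinct_user_ratio=0.8):
    """Label each source IP: credential_stuffing when nearly every attempt hits a
    different account (a breach list being replayed), brute_force when failures
    pile up on one or two accounts. For stuffing sources, also list accounts
    that accepted a login, since those reused passwords need a forced reset."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[2]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        if len(recs) < min_attempts:
            continue  # too few attempts to call either pattern
        users = {user for _, user, _ in recs}
        failures = sum(1 for result, _, _ in recs if result == "FAIL")
        if len(users) / len(recs) >= distinct_user_ratio:
            hits = sorted(user for result, user, _ in recs if result == "OK")
            findings[ip] = {"pattern": "credential_stuffing", "compromised": hits}
        elif len(users) <= 2 and failures >= min_attempts:
            findings[ip] = {"pattern": "brute_force", "accounts": sorted(users)}
    return findings
```

The thresholds are deliberately simple; in production the same split is usually done per time window and joined with the source's ASN or proxy reputation to cut false positives from shared NAT addresses.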

Victims and Attribution

CarthageRocket’s operations have primarily targeted the financial and government sectors, with victims located in the United States and Australia. Attribution remains uncertain, with evidence suggesting a possible U.S. origin, but the actor has not confirmed their identity.

Conclusion

CarthageRocket represents a persistent threat due to their technical proficiency, extensive underground connections, and recent affiliation with Lapsus$. Organizations should remain vigilant against phishing campaigns and implement strong password policies to mitigate risks associated with credential theft.


Metadata

Name: CarthageRocket
Active Since: 2021
Motivation: Credential Theft, Cybercrime, Data Monetization
Associated Groups: Lapsus$
