On the last day of May, one of my inboxes began receiving emails, purportedly from one of the owners of the yoga studio I visit. It concerned a message I sent in January through the studio’s website that had been resolved the following day in an email sent by the co-owner. Now, here she was, four months later, emailing me again.
“Listed below the documents we chatted regarding last week,” the email author wrote. “Contact me if you’ve got any queries about the attached files.” There was a password-protected zip file attached. Below the body of the message was the response the co-owner sent me in January. These emails started coming once or twice daily for the next couple of weeks, each from a different address. The files and passwords were often changed, but the basic format, including the January email thread, remained consistent.
With the help of researchers at security firm Proofpoint, I now know that the emails are the work of a crime group they call TA578. TA578 is what’s known in the security industry as an initial access broker. That means it compromises end-user devices en masse in an opportunistic fashion, spamming as many addresses as possible with malicious files. The gang then sells access to the machines it compromises to other threat actors, for use in ransomware, cryptojacking, and other types of campaigns.