Menu
Browse

Cyber Threat Actor: Cybercriminals

Actor Type Location Known Incidents
 Icon
Criminal
Japan
2 incidents
Profile

The threat actor is publicly referenced underthe alias “Cybercriminals” and has been linked to operations originating from Japan, as indicated by the location attribute in the available reporting. The actor’s activity appears to be characterized by the compromise of third‑party services and the reuse of credentials obtained elsewhere, rather than the development or deployment of proprietary malware. No public attribution to a state sponsor or a specific criminal consortium has been made in the sources examined, and the actor’s internal structure, size, or funding remains unspecified.

Targeting observed in the documented incidents spans the insurance and energy sectors, with victims located in Japan and the Netherlands. In the Zurich Insurance case, the actor gained unauthorized access to an external service provider’s systems, resulting in the exposure of personal data belonging to hundreds of thousands of Japanese policyholders. The Dutch energy supplier incident involved credential stuffing, where login details stolen from other websites were used to access customer accounts in the supplier’s online portal. These patterns suggest a focus on exploiting weak authentication controls and third‑party relationships to obtain personal information, though any broader strategic aim beyond data acquisition is not stated in the material.

The actor’s notable tactics include leveraging compromised credentials from unrelated sites to conduct account takeover attempts and exploiting vulnerabilities or insufficient protections in external service providers to pivot into target networks. No specific malware families, exploit kits, or custom tooling are mentioned in the reports, indicating that the actor’s tooling relies largely on readily available credential databases and standard web‑based attack techniques. The two campaigns highlighted—the 2023 Zurich Insurance breach and the 2021 Dutch energy supplier breach—serve as representative examples of the actor’s observed behavior, demonstrating repeated use of credential‑based initial access and third‑party service abuse to achieve data exfiltration. No further details about affiliations, sponsorship, or subsequent operations are publicly available in the supplied sources.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
0 sources