Regular internet users and companies aren’t the only victims of malicious hackers. Sometimes, hackers themselves get hacked.
This happened in an unusual hacking campaign where an unknown group of hackers targeted systems that had already been breached by a prolific cyber crime group known as TeamPCP. Once the hackers broke into these systems, they immediately kicked out the TeamPCP hackers and removed their tools, according to a new report by cybersecurity firm SentinelOne.
From there, the hackers use their access to deploy code designed to replicate across different cloud infrastructures like a self-propagating worm, steal various types of credentials, and ultimately send the stolen data back to the hackers’ infrastructure.
TeamPCP is a cybercriminal group that has garnered headlines in recent weeks thanks to a series of high-profile hacks attributed to the group. These hacks included a breach of the European Commission’s cloud infrastructure and a large-scale cyber attack against the widely used vulnerability scanning tool Trivy, which affected any company that relied on it, including LiteLLM and AI recruiting startup Mercor, among others.
Alex Delamotte, the senior researcher at SentinelOne who found the new hacking campaign and dubbed it “PCPJack,” told TechCrunch that it’s unclear who is behind it. At this point, Delamotte said her three theories are that the hackers are either disgruntled former TeamPCP members, part of a rival group, or a third party “that chose to directly model the attack tools on TeamPCP’s previous campaigns,” many of which targeted cloud infrastructure.
“The services targeted by PCPJack look very similar to the December-January TeamPCP campaigns, before the alleged change in team membership that occurred in February-March,” Delamotte said.
Delamotte also noted that the hackers are not only targeting systems compromised by TeamPCP, but are also scanning the Internet for exposed services such as the Docker virtual machine cloud platform, databases running MongoDB, and others. However, SentinelOne said the group seemed heavily focused on targeting TeamPCP.
According to the report, the hackers’ tools themselves keep a tally of the number of hacked targets they have successfully pushed TeamPCP out of, sending that information back to the hackers’ infrastructure.
The goals of the PCPJack hackers seem to be purely financial, as they steal credentials with a focus on monetizing them. The hackers do this by reselling them, selling access to compromised systems as so-called initial access brokers – hackers who break into systems and then let paying customers onto the hacked machines – or by extorting victims directly.
The hackers, however, don’t try to install crypto-mining software on hacked systems, likely because that strategy takes longer to reap rewards, according to Delamotte.
As part of some of their attacks, the hackers use domains that suggest they are phishing for password manager credentials and use fake help desk websites, according to Delamotte.
