On February 16, 2024, a new ransomware actor emerged on the threat landscape; it goes by the name "Trisec." The actor listed a single victim in Ireland. Provided available intelligence is very limited, the group's leak site is quite interesting and offers leads to understand the actor's background and agenda.
Linkage To Tunisia?
The first aspect that stands out is an unusual introduction. Trisec claims to a cybercrime group pursuing both financial gain and state-sponsored activities, which is not the typical introduction for threat actors that are actually state-sponsored. The latter may want to maintain that affiliation as hidden as possible.
The actor's logo displays the Tanit symbol with a Tunisian flag in the background; Tanit is a goddess of fertility in the ancient Carthage, in modern day Tunisia. The flag and the introduction above may suggest a linkage to Tunisia. However, the very presence of this flag casts even further doubts on an actual state affiliation; it seems definitely unusual that a state-sponsored group would make its affiliation so clearly identifiable.
A reference to Tunisia is also provided with a separate page of the website, where images of the famous cartoon character "Sailor Moon" hide what appears to be a riddle. If so, it remains to be solved.
Reference To TA505?
If there is any state affiliation, the identification of that state may not come from the flag. The rest of the website presents different characters, closer to the European culture rather than the North African one.
The leak site introduces an "operation" the actor claims to be involved in. The operation is named "Pied Piper of Hamelin," by the famous German 16th century legend. A "secret message" link leads to a separate page where there is a quotation from the German tale.
The reference to the "Pied Piper of Hamelin" appears to be rather metaphorical and suggests the notion of "phishing" - attracting, luring targets to fall into a trap. However, there may be a deeper meaning; interestingly enough, in 2018, Morphisec uncovered a TA505 campaign which was dubbed "Pied Piper;" the Trisec campaign may be a reference to that campaign, suggesting the group may not be Tunisian but rather Russia-linked, like TA505. This hypothesis appears plausible, also considering a similar affiliation between Anonymous Sudan and Russian cyber threat actors. However, such a connection is currently unproven and could be hinted at by Trisec as an intentional misdirection or as an attempt to bolster their mystique.
The Name Trisec
The very name "Trisec" is interesting. Based on the group's Telegram handle "Trise_vision" and the name variation "Trisec vision" provided on the "secret message" page, the name "trisec" appears to reference the notion of "trisection" as in dividing in three parts. Trisection may be a reference to the Tanit symbol which, in a stylized form, is comprised of three geometrical shapes.
An alternative interpretation may regard the very modus operandi of the group; the "Pied Piper of Hamelin" operation may be comprised of three parts. The "trisection" may describe the way the actor runs its cybercrime operation. At report time, Trisec listed only one victim but its site shows two more spots - a section of three.
We will keep monitoring this group and share new updates as they become available.