The "EC2 Grouper" threat actor is a prolific group frequently detected in cloud environments. They are known for using consistent user agents and a specific security group naming convention (e.g., ec2group, ec2group12345) during attacks, which makes their activity easier to identify. However, relying on these indicators alone for detection is unreliable, since user agents and naming conventions are transient and can be changed at any time.
The EC2 Grouper group is characterized by its use of AWS PowerShell tools with distinct user agents. Recently, these user agents were updated to include unusual characters, likely as a detection evasion measure. Another consistent tactic is the creation of security groups with a predictable naming convention, ec2group and its sequential variations (e.g., ec2group12345), via the CreateSecurityGroup API.
Their attack sequence typically starts with reconnaissance calls such as DescribeInstanceTypes, DescribeRegions, and DescribeVpcs. This is followed by exploitation attempts using CreateSecurityGroup, RunInstances, and DescribeInstances. Occasionally, infrastructure setup activity includes calls to CreateInternetGateway and CreateVpc. These activities appear highly automated, with little observed manual escalation or goal-driven action. Although resource hijacking is suspected to be their primary objective, this remains unconfirmed.
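To show how the naming convention and the call sequence described above translate into detection logic, here is an added Python example (not code from the original report or from any vendor tooling) that runs over a few constructed CloudTrail-style records. It treats the reconnaissance -> CreateSecurityGroup -> RunInstances chain, per access key and within a time window, as the primary signal, and reports the ec2group naming convention only as a secondary, brittle indicator. The field names follow CloudTrail's record layout (eventName, eventTime, userAgent, userIdentity.accessKeyId, requestParameters.groupName); the access key ids, timestamps and user agent strings are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# API calls grouped as the summary above describes them.
RECON_CALLS = {"DescribeInstanceTypes", "DescribeRegions", "DescribeVpcs"}
EXPLOIT_CALLS = {"CreateSecurityGroup", "RunInstances", "DescribeInstances"}
SETUP_CALLS = {"CreateInternetGateway", "CreateVpc"}

# Brittle indicator: "ec2group" optionally followed by digits (ec2group, ec2group12345).
GROUPER_NAME_RE = re.compile(r"^ec2group\d*$")

# Constructed CloudTrail-style records (not real telemetry); only the fields the
# detector reads are present. Key ...00001 mimics the described chain, key
# ...00002 is a benign admin whose recon and build-out are hours apart, and key
# ...00003 only trips the naming indicator.
UA = "AWSPowerShell/0.0.0 (constructed user agent)"
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "DescribeRegions", "userAgent": UA,
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00001"}, "requestParameters": {}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventName": "DescribeVpcs", "userAgent": UA,
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00001"}, "requestParameters": {}},
    {"eventTime": "2024-01-01T10:04:00Z", "eventName": "CreateVpc", "userAgent": UA,
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00001"}, "requestParameters": {}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "CreateSecurityGroup", "userAgent": UA,
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00001"},
     "requestParameters": {"groupName": "ec2group12345"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventName": "RunInstances", "userAgent": UA,
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00001"}, "requestParameters": {}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "DescribeInstances", "userAgent": UA,
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00001"}, "requestParameters": {}},
    {"eventTime": "2024-01-01T08:00:00Z", "eventName": "DescribeRegions", "userAgent": "console.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00002"}, "requestParameters": {}},
    {"eventTime": "2024-01-01T12:00:00Z", "eventName": "CreateSecurityGroup", "userAgent": "console.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00002"}, "requestParameters": {"groupName": "web-prod"}},
    {"eventTime": "2024-01-01T12:10:00Z", "eventName": "RunInstances", "userAgent": "console.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00002"}, "requestParameters": {}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventName": "CreateSecurityGroup", "userAgent": UA,
     "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00003"}, "requestParameters": {"groupName": "ec2group"}},
]


def is_grouper_style_name(name):
    """True for the ec2group / ec2group<digits> naming convention only."""
    return bool(GROUPER_NAME_RE.match(name or ""))


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _chain_within(recon, sgs, runs, window):
    """First (recon, CreateSecurityGroup, RunInstances) triple in that time order
    whose overall span fits in `window`, or None. Lists hold (time, eventName)."""
    for t1, n1 in recon:
        for t2, n2 in sgs:
            if t2 < t1:
                continue
            for t3, n3 in runs:
                if t3 >= t2 and t3 - t1 <= window:
                    return [(t1, n1), (t2, n2), (t3, n3)]
    return None


def weak_indicator_hits(events):
    """Naming-convention hits as (accessKeyId, groupName); a weak signal on its own."""
    hits = []
    for ev in events:
        name = ev.get("requestParameters", {}).get("groupName")
        if ev["eventName"] == "CreateSecurityGroup" and is_grouper_style_name(name):
            hits.append((ev.get("userIdentity", {}).get("accessKeyId", "unknown"), name))
    return hits


def detect_ec2_grouper_sequences(events, window=timedelta(minutes=30)):
    """One finding per access key whose activity shows the recon ->
    CreateSecurityGroup -> RunInstances chain inside `window`. Naming hits,
    setup calls and user agents are attached as context, never required."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev.get("userIdentity", {}).get("accessKeyId", "unknown")].append(ev)

    findings = []
    for key, evs in by_key.items():
        stamped = sorted((_parse_time(e["eventTime"]), e["eventName"]) for e in evs)
        recon = [x for x in stamped if x[1] in RECON_CALLS]
        sgs = [x for x in stamped if x[1] == "CreateSecurityGroup"]
        runs = [x for x in stamped if x[1] == "RunInstances"]
        chain = _chain_within(recon, sgs, runs, window)
        if chain is None:
            continue
        findings.append({
            "accessKeyId": key,
            "chain": [f"{n} {t.isoformat()}" for t, n in chain],
            "grouper_style_names": [n for k, n in weak_indicator_hits(evs) if k == key],
            "setup_calls": sorted({n for _, n in stamped if n in SETUP_CALLS}),
            "user_agents": sorted({e.get("userAgent", "") for e in evs}),
        })
    return findings


if __name__ == "__main__":
    for f in detect_ec2_grouper_sequences(SAMPLE_EVENTS):
        print(f)
    print("naming hits:", weak_indicator_hits(SAMPLE_EVENTS))
```

Only the constructed key ...00001 produces a finding: the benign admin's recon and security group creation are four hours apart, and key ...00003 matches the name pattern but shows none of the surrounding behaviour. The window and the grouping by access key are the tunable parts; in a real pipeline the same logic would also be keyed on the principal ARN, since a single actor may rotate keys.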