Into the Darknet

Russians on the Darknet Part I

International media recently highlighted the perils of Russian government-sponsored cyber espionage operations against the US elections in 2016, and the potential risks to the US midterm elections taking place this week.

With increasing concern over the validity of the US election process, DarkOwl analysts decided a review of Russia’s footprint across the darknet could provide insight on how operations on this scale are conducted.

By the Numbers

Russia-based anonymous websites comprise over 36% of the DARKINT™ collected by DarkOwl. DarkOwl has indexed over 300 million Russian-language pages across anonymous and deep web networks. Russian hacking and carding forums reachable from the surface web account for 92% of the deep web content in DarkOwl Vision.

There are significantly more Russian hidden services on Tor than sites on I2P or ZeroNet, suggesting Russian darknet users prefer Tor over I2P. Russian-language eepsites account for only 10% of the I2P content archived in DarkOwl Vision, and Russian activity on the anonymous network ZeroNet is negligible.

What we know the Russians have been involved in…

Enter “Russian hacking” into any surface web search engine and you will receive millions of results about Russia’s malicious cyber operations, ranging from undermining the US democratic election process to targeting the US utility grid. The most recent indictments charged seven Russian intelligence officers with hacking anti-doping agencies, using purpose-built equipment to target the organizations’ wireless (Wi-Fi) networks. (Source)

Target | Technique
2014-2016 hacks against US utilities (Link) | Compromised network credentials via simple email phishing
2016 election, DNC (Guccifer) (Link) | Vulnerability at the DNC’s software provider, NGP VAN
US state voter registration (Link) | Structured Query Language (SQL) injection
World Anti-Doping Agency (WADA) (Link) | Wireless network sniffing
US think tanks (Hudson Institute / International Republican Institute) (Link) | Domain phishing

Digging into the shadows of forums and chatrooms accessible only via the darknet, one finds that only security researchers and law enforcement are actively chatting and posting about vulnerabilities in critical US systems and infrastructure. To discover clues about what the Russians might be up to, one needs the keywords tied to the technical specifics of the tools and techniques required to carry out such operations.

Reports on the recent World Anti-Doping Agency (WADA) hack stated the Russians used a wireless network sniffing device installed in the back of the operatives’ car to gain access to WADA’s networks. The hackers also used a mixture of malware including Gamefish, X-Tunnel and Chopstick, most of which had been seen before in other Russian-linked cyberattacks. (Source)

Figure 1: Russian GRU mobile Wi-Fi attack (Courtesy of Dutch Ministry of Defense)

Figure 2: Russian forum discusses how to use such a device to intercept passwords for wi-fi networks

(DarkOwl Vision Doc ID: 536bb1af90f7d52b28430510685c1b51)

 

As evidenced by recent attacks against US think tanks, the Hudson Institute and the International Republican Institute, the Russians are well known for targeted spear-phishing campaigns built on thorough reconnaissance and a well-orchestrated intelligence collection operation before any network is subverted. Spear-phishing is social engineering in the same family as ordinary email phishing, but directed at a specific individual or entity within a network or organization. A leaked NSA document revealed how Russian offensive cyber operators in 2016 sent election officials emails with a Microsoft Word attachment carrying a trojan in the form of a Visual Basic script; when executed, the script launched a program that opened communications back to the attackers’ IP address.
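The attachment described in that report was an Office document with a macro inside it. As an added example (not code from the original post, from the NSA report, or from any vendor), the following Python script shows how a mail gateway or an analyst can triage Word attachments offline: modern Office files are zip containers, a macro-enabled one carries a word/vbaProject.bin part and declares the macroEnabled content type, and legacy .doc files are OLE compound files that need a dedicated parser. The sample documents are constructed inside the script, and the function and indicator names are my own.

```python
import io
import zipfile

# OOXML main-part content types for Word; the second appears only in macro-enabled (.docm) files.
DOCX_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls binary (OLE2 compound file) header
ZIP_MAGIC = b"PK\x03\x04"                           # Office Open XML (.docx/.docm) zip container


def triage_attachment(data: bytes) -> dict:
    """Return macro indicators for one attachment blob (hypothetical helper, not a vendor API)."""
    report = {"is_ooxml": False, "legacy_ole": False,
              "has_vba_project": False, "macro_enabled_type": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams, so hand it to an OLE parser such as olevba.
        report["legacy_ole"] = True
        return report
    if not data.startswith(ZIP_MAGIC):
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return report          # a zip, but not an Office Open XML package
    report["is_ooxml"] = True
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    report["macro_enabled_type"] = DOCM_MAIN_TYPE in content_types
    # The VBA project is stored as its own part; its presence is the strongest single indicator.
    report["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    return report


def should_quarantine(report: dict) -> bool:
    """Hold anything that can run code on open; legacy OLE is held pending a proper macro scan."""
    return report["legacy_ole"] or report["has_vba_project"] or report["macro_enabled_type"]


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal Word package, optionally carrying a (stub) VBA project part."""
    buf = io.BytesIO()
    main_type = DOCM_MAIN_TYPE if with_macro else DOCX_MAIN_TYPE
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin parts are OLE files holding compressed module source; a stub suffices here.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("invoice.docx", build_sample(False)),
                        ("invoice.docm", build_sample(True)),
                        ("old_report.doc", OLE_MAGIC + b"\x00" * 16)):
        r = triage_attachment(blob)
        print(f"{label}: {r} -> quarantine={should_quarantine(r)}")
```

The script deliberately stops at detecting that a VBA project exists. Reading the macro source itself means decompressing the MS-OVBA streams inside vbaProject.bin, which is what tools like olevba do; the point here is that the presence of the part, regardless of the file extension the sender chose, is enough to hold the message for review.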


Figure 3: Detailed Tactics, Techniques and Procedures Used by the Russians to Target US Election Officials in 2016 (courtesy of The Intercept) (Read more)

 

The sheer volume of compromised email credentials posted for sale in Russian marketplaces and shared on authenticated hacking forums is alarming. 103 .gov email addresses in DarkOwl Vision contain the word “election” in their domain (*@election*.gov) and could give an attacker a starting point against the specific state election systems those domains belong to.


Figure 4: Advertisement of database with 458 Million Emails and Passwords for Sale in DarkOwl Vision

 

In the 2016 voter registration system hack, threat actors used ordinary scanning and exploitation tools that white-hat testers rely on as well: the Acunetix vulnerability scanner, the DirBuster directory brute-forcer, and the SQL injection tools SQLMap and SQLSentinel. The Russian-speaking hacker Rasputin infamously employed a self-developed SQL injection exploit to breach U.S. Election Assistance Commission (EAC) servers and harvest credentials, including accounts with administrative privileges. (Source)
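To make concrete what an SQL injection against a credential store looks like, here is an added Python example (not code from the post, from Rasputin, or from any of the tools named above). It builds a throwaway SQLite user table with constructed sample accounts, shows a login lookup that concatenates user input into the query and is dumped wholesale by two classic payloads, the parameterized version of the same lookup that those payloads cannot touch, and a small signature check of the kind a WAF or log review applies to request parameters. The function names, table layout and hashes are my own placeholders.

```python
import re
import sqlite3
from urllib.parse import unquote_plus


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts, one of them administrative."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "5f4dcc3b5aa765d61d8327deb882cf99", 1),
        ("clerk", "e10adc3949ba59abbe56e057f20f883e", 0),
    ])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Builds the statement by string concatenation: the input becomes part of the SQL grammar."""
    sql = ("SELECT username, password_hash FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str) -> list:
    """Binds the value to a placeholder: the statement's structure is fixed before input is seen."""
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic payloads: the first widens the WHERE clause to match every row, the second appends a
# query of the attacker's choosing and comments out the remainder of the original statement.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, password_hash FROM users WHERE is_admin = 1 --"

# Crude request-parameter signatures, applied after percent-decoding as a WAF or log review would.
SQLI_SIGNATURES = re.compile(
    r"(\'\s*(or|and)\s*[\'\d])|(union\s+(all\s+)?select)|(--\s*$)|(;\s*drop\s)|(sleep\s*\()",
    re.IGNORECASE,
)


def looks_like_sqli(raw_param: str) -> bool:
    """True when a decoded request parameter carries a common injection pattern."""
    return SQLI_SIGNATURES.search(unquote_plus(raw_param)) is not None


if __name__ == "__main__":
    db = build_db()
    print("normal:        ", lookup_vulnerable(db, "clerk"))
    print("tautology:     ", lookup_vulnerable(db, TAUTOLOGY))       # every row in the table
    print("union dump:    ", lookup_vulnerable(db, UNION_DUMP))      # the admin hash only
    print("parameterized: ", lookup_parameterized(db, TAUTOLOGY))   # nothing: no such username
    for p in ("clerk", "x%27+OR+%271%27%3D%271", UNION_DUMP):
        print(f"{p!r}: suspicious={looks_like_sqli(p)}")
```

The signature check is a tripwire, not a defence: it catches the payloads an automated tool like SQLMap fires first, but encoding tricks and comment variants get past it, which is why the parameterized query, not the filter, is the fix.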


Figure 5: Acunetix Web Vulnerability Scanner in Action


Figure 6: Discussion of how to use SQLMap against a target network on a Russian forum

(DarkOwl Vision Doc ID: 53e19c5fbe5c7d9c6e625e668d660617)

 

For the past few years, millions of US voter registration records, including full names, addresses and voting history, have been offered for sale on darknet hacking forums and marketplaces. DarkOwl has observed data from over 30 states, priced from $250 to $5,000 USD per state, including: Colorado, Ohio, Connecticut, Florida, Michigan, North Carolina, New York, Pennsylvania, Rhode Island, Washington, Kansas, Wyoming, Oklahoma, Maryland, Arkansas, Nevada, Montana, Louisiana, Delaware, Iowa, Utah, Oregon, South Carolina, Wisconsin, Georgia, New Mexico, Minnesota, Kentucky, Idaho, Tennessee, South Dakota, Mississippi, West Virginia, Alabama, Alaska, and Texas.


Figure 7: Deep Web Forum post with Content of Arkansas's Voter Registration Database

(DarkOwl Vision Doc ID: 6e235a3bab7e4e3f293fb2f0f57c6cae)

 

Many of the posted state databases are old; Alabama’s and Alaska’s voter registration data, for example, date from 2015. Many of these databases were also on offer on the infamous AlphaBay darknet marketplace in 2016.


Figure 8: A recent offer for several US State’s Voter Lists for sale as archived by DarkOwl Vision

(DarkOwl Vision Doc ID: cfae62df845b99fc173c42bd3b529303)

 

In recent weeks, comments from the vendor suggest the voting records seller has set up persistent access to the states’ databases, posting, “Besides data is refreshed each Monday of every week, once you request the data from me you will receive the freshest possible data from that state.” That this data is on the darknet is no surprise, since much of it is publicly available, open source information; the surprise is that anyone would pay for access to information they could obtain themselves. Links to some of the state databases have appeared on darknet forums as-is, with no payment required.

The hacker on the forum identifies himself as a white male software engineer from the United Kingdom and an “apathetic human-being”, along with other details that could easily be pivoted to the surface web. There is no indication he is affiliated with Russian government-sponsored hackers.

Russia-affiliated threat actors and hackers, whether lone wolves or operatives in a government-led cyber offensive, have more than sufficient tools and resources across the deep web and darknet to exploit and profit from network and server vulnerabilities. Using commercially available penetration testing tools and exploits circulated and sold on the darknet, hackers regularly infiltrate networks without the systems’ administrators ever detecting them. Next time we will review some of the Russia-specific marketplaces and forums where these attack techniques are planned and coordinated.



Into the Darknet: Expanded Glossary Part II

At DarkOwl Cybersecurity, we believe in the importance of educating everyone on the darknet. Much of the terminology we use to discuss darknet related content is common to those familiar with computer networking and information security, but like a foreign language to the general reader.

Below is the second update to our blog series covering key terms and definitions that we hope you will find helpful as you continue to learn about the darknet. Check out the new terms in the post below, or find them in the full glossary of Darknet 101 Terms in our resources section. 

Botnet:  A network of computers or other IoT devices infected with malware and used, usually without the owners’ knowledge, to send spam or to support DDoS and other attacks.

Brute Force Attack: The trial-and-error entry of passwords and/or passphrases until the correct one is guessed and entry is gained.

Dark Web: Another way of referring to the darknet. 

Encryption: The process of converting data into an unreadable, “encrypted” form using a key, so that only parties holding the corresponding key can read it. It is commonly used to protect sensitive information, including files, storage devices and data transfers, from anyone not authorized to view it.

Grey Hat: Refers to a hacker who might utilize black hat hacking methods with an ethical, or "white hat," intent. 

Malware: Malicious software designed to access a system and perform unwanted actions on behalf of a third party.

Metadata: Refers to data that provides information about a certain item's content. For example, an image may include information that describes how large the picture is or when the image was created, while a text document may contain information about the author of the document, or the IP address of the document's author, and so on.

Open Source:  Software whose source code is published under a license that lets anyone inspect, modify and redistribute it. Unlike most commercial software, open source programs are often developed by a community rather than a single vendor.

OPSEC:  Standing for “Operations Security,” OPSEC is a term that originated in military jargon and has since become popular in the information security industry. In general, OPSEC refers to the practices a person or organization follows so that information useful to an adversary is not disclosed and a security breach (of any nature) does not occur. For example, leaving the PIN code to a company’s entrance keypad written on a sticky note where prying eyes can see it would be considered a lapse in company OPSEC.

Payload: The data being carried or transmitted; in malware, the component that performs the malicious action once the delivery mechanism (an exploit, macro or dropper) has run.

PhaaS:  Phishing-as-a-Service, a newer term for a phishing package offered in a SaaS format. These packages are sold on the darknet and provide everything a novice hacker might need to run a phishing scam, including templates, tech support and tutorials.

Sandbox: An isolated, controlled environment within which potentially dangerous programs are run. In a Sandbox, one can install, open and examine computer applications, potential phishing emails or infected documents without threatening the safety of the rest of the computer (or any place outside of the sandboxed environment). 

Social Engineering: Psychological manipulation of people into performing actions or divulging confidential information.

VPN: A Virtual Private Network (VPN) routes a device’s internet connection through an encrypted tunnel to a VPN server, hiding the traffic from the local network and presenting the VPN server’s IP address, rather than the user’s, to the sites visited. The VPN provider itself can still see the traffic, so a VPN adds privacy but not the kind of anonymity a network such as Tor is designed for.

Zero-day: A security gap or vulnerability in a piece of software or a system that is not yet known to the software or system vendor. Once discovered, it may be exploited by attackers using a zero-day exploit.


Into the Darknet: An Expanded Glossary of Terms

At DarkOwl Cybersecurity, we believe in the importance of educating everyone on the darknet. Much of the terminology we use to discuss darknet related content is common to those familiar with computer networking and information security, but like a foreign language to the general reader. Below are the first of a series of posts covering key terms and definitions you will find helpful as you continue to learn about the darknet and how it can affect both you and your business. Keep an eye on our Blog, as well as our continually-growing Darknet 101 Terms page, as we will continue to add to our list of terms over time.


Bitcoin: One of the most popular cryptocurrencies in use today. As of publication date (3/24/17), 1 Bitcoin = 984.35 U.S. dollars. 

Blockchain: Essentially a distributed database. Information within a blockchain is publicly shared across all participating users or machines. With regards to Bitcoin, the Bitcoin blockchain is a public record of all Bitcoin transactions which helps to verify transactions and prevent double spending.

Carding: The practice of stealing and selling credit card information.

Clearnet: The "regular" internet (non-Tor), often referred to as the surface web. 

Cryptocurrency: Virtual currency that employs cryptography for security purposes.

DARKINT: Short for darknet intelligence, DARKINT encompasses actionable data from the darknet and other interconnected sources, including Tor, IRC channels, hacker forums, FTP servers, paste sites, high-risk surface internet and more.

Darknet Market: A marketplace website hosted on a darknet (such as Tor), set up to provide the sale of goods and services while maintaining the anonymity of vendors and buyers; also known as a cryptomarket.

Dox: The act of posting or publicizing an individual's personally identifiable information (PII), commonly done to expose said individual's true identity or for other, typically malicious, purposes.

Exit Scam: A scam in which a darknet market admin or vendor shuts down operation while stealing as much money as possible from their users and/or buyers in the process.

Hidden Service: Another term for a .onion (Tor) site; the Tor Project now calls these onion services.

Honey Pot: A decoy system, website or hidden service set up by law enforcement or security researchers to attract, observe and identify individuals who participate in illegal or malicious activity.

IP Address (Internet Protocol address): A numeric address that identifies a device on a network. An IPv4 address is four numbers separated by periods, e.g. 192.168.10.2; that particular example falls in a private range reserved for internal networks, so it is not reachable from the internet. An IPv6 address is written as hexadecimal groups separated by colons. Only a public address uniquely identifies a host on the internet.

Mirror site: A site with the same content as another site but a different domain.

Pastebin: A surface net site used to publicly post and store text for a certain, often short, period of time. Pastebin ties closely with the darknet as it is an easy way to anonymously share information without the need for a specialty based browser, such as Tor.

Protocol: An agreed set of rules for how two systems exchange data, e.g. HTTP for retrieving web pages or TCP/IP for routing packets between hosts. Tor layers its own onion-routing protocol on top of TCP, wrapping traffic in successive layers of encryption so that neither the requestor nor the content server is identified to the other. The word is also used for the rules that govern a cryptocurrency, e.g. the Bitcoin protocol.

Relay (aka node): A server in the Tor network that forwards traffic; there are over 7,000 relays, most of them non-exit relays internal to the network. When a client requests a hidden service, the Tor software builds a circuit through a series of relays (three hops on the client’s side, meeting the service’s own circuit at a rendezvous point), negotiating a separate encryption key with each hop so that no single relay learns both the origin of the request and the content being fetched.

Tor (aka The Onion Router): Free software and an overlay network designed for anonymous internet use and protection against network traffic analysis; traffic is wrapped in layers of encryption and passed through a chain of volunteer relays. The Tor Browser, which bundles this software with a hardened Firefox, is the most commonly used tool for accessing and browsing the darknet.

Tumble: A method of scrambling or anonymizing the source of one’s bitcoins.

Wiki: Like the surface net site Wikipedia, a darknet wiki is a website that allows registered users to collaboratively write and edit content directly from their browser. Example: The Hidden Wiki.

Into the Darknet: A Beginner's Glossary of Terms

At DarkOwl Cybersecurity, we believe in the importance of educating everyone on the darknet. Much of the terminology we use to discuss darknet related content is common to those familiar with computer networking and information security, but like a foreign language to the general reader. Below are the first of a series of posts covering key terms and definitions you will find helpful as you continue to learn about the darknet and how it can affect both you and your business. Keep an eye on our Blog, as well as our continually-growing Darknet 101 Terms page, as we will continue to add to our list of terms over time.


Alias: A screen name intended to conceal a user's identity, with little to no ties to the user's actual personal information.

Darknet: A network built on top of the internet that is purposefully hidden and designed specifically for anonymity. Unlike the deep web, which a normal browser can reach given a direct link or credentials, the darknet is only accessible with special tools and software, such as the Tor Browser, that speak the network’s own protocols.

Denial of Service (DoS): A malicious attack that makes a server or network unavailable by flooding it with useless traffic, exhausting its bandwidth, connection capacity or processing power so that legitimate requests can no longer be served.

Domain Name System (DNS): The internet’s equivalent of a phonebook. On the surface web, a distributed hierarchy of name servers translates a human-readable domain name (ending in .com, .net, etc.) into the server’s IP address (a 32-bit IPv4 or 128-bit IPv6 address). The darknet does not use DNS: a .onion address is derived from the hidden service’s own public key, and the Tor client resolves it through Tor’s internal directory of service descriptors without ever sending a DNS query, so the server’s location is never exposed.
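To show what “derived from the service’s public key” means in practice, here is an added Python example (not part of the original glossary and not Tor’s own code) that builds a version 3 onion address from a 32-byte Ed25519 public key and validates one, following the encoding in the Tor rendezvous specification: base32(PUBKEY || CHECKSUM || VERSION), where the two-byte checksum is the start of SHA3-256(“.onion checksum” || PUBKEY || VERSION) and VERSION is 3. The key used in the demonstration is a constructed placeholder, not any real service’s key, and the function names are my own.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"          # v3 onion services; v2 (16-character) addresses are retired
CHECKSUM_PREFIX = b".onion checksum"


def onion_v3_address(pubkey: bytes) -> str:
    """Derive the .onion hostname from a 32-byte Ed25519 public key (no lookup involved)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion services use 32-byte Ed25519 public keys")
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]
    # 32 + 2 + 1 = 35 bytes, which base32 encodes to exactly 56 characters without padding.
    return base64.b32encode(pubkey + checksum + ONION_VERSION).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str):
    """Validate a v3 address and return the embedded public key, or None if it is malformed."""
    host = address.lower()
    if host.endswith(".onion"):
        host = host[:-len(".onion")]
    if len(host) != 56:
        return None
    try:
        raw = base64.b32decode(host.upper())
    except (ValueError, TypeError):
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        return None
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    if checksum != expected:
        return None
    return pubkey


if __name__ == "__main__":
    demo_key = bytes(range(32))            # constructed placeholder, not a real service key
    addr = onion_v3_address(demo_key)
    print(addr)
    print("round trip ok:", parse_onion_v3(addr) == demo_key)
    print("v2-style name rejected:", parse_onion_v3("facebookcorewwwi.onion") is None)
```

Because the name is a function of the key, there is nothing to look up and nothing to spoof at the naming layer: a client that holds the address can check any descriptor it receives against the embedded key, which is why every genuine v3 address ends in the same character (the encoded version byte) and why a typo in the name fails the checksum instead of silently resolving elsewhere.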

Firewall: Hardware and/or software that is specifically designed to protect a network or system from unauthorized access through employing specific rules to control and direct incoming and outgoing network traffic.

Forum: A digital environment where ideas and topics can be discussed freely among users. Members of forums generally log in with a screen name or alias to post and comment on content. Forums differ from real-time internet messaging and chat rooms in that the topics and information are not intended to be discussed real-time but instead posted for all users to see over a more extended period of time.

Hacking: Gaining unauthorized access to, or unintended control over, a computer system, typically by identifying systems of interest and exploiting weaknesses in their software, configuration or users.

Internet Relay Chat (IRC): A popular text-based chat service enabling users connected to a server to communicate with each other in real-time.

Packet: A formatted unit of data routed from its origin to a destination. Internet Protocol (IP) transmissions are broken into packets, which are forwarded hop by hop across the internet and, inside Tor, through the relays that make up the darknet.

Peer-to-Peer (P2P): An ad-hoc connection of computers where information can be passed directly between the participants. In a P2P, each node of the network functions as both the server and the client.

Phishing: A data collection method used in social engineering. Phishing targets sensitive information (usernames, passwords and credit card details), often for malicious intent, by disguising itself as a trustworthy entity in an electronic communication. See spoofing below.

Router: The hardware used to forward packets of information along a network, performing the traffic directing functions of the internet.

Scraping: In the context of web scraping, this term describes the process of harvesting large sets of data from websites and storing the content in a database on a local computer or server. 

Screen Name: The name a user employs to communicate with others online.

Spoofing: The process of falsifying the origin of network communication (via the internet) in order to mislead or misdirect the recipient. Example: a fake email from your bank asking you to validate credit card or personally identifiable information.

Username: A string of characters used to log in to a computer information system.


Into the Darknet: Comparing MTV Developers + Users

This week we continue our “Into the Darknet” blog series, which aims to give readers a better understanding of the darknet’s history, users, uses and purpose, and to examine other hot topics in DARKINT and cybersecurity, including malware, toolkits, viruses, cryptocurrency, marketplaces and OPSEC.

As we covered last week, Tor’s hidden services and the anonymous nature of the darknet make it an ideal space for collaboration on, and dissemination of, malware, toolkits and viruses (MTV). The composition of the groups leveraging MTV varies not only in ethnicity, gender and level of creative sophistication but also in expertise and intention.

Some malicious code is developed by individuals, but a majority of large-scale hacking campaigns rely on an organized network of hackers with varying technical and societal backgrounds. MTV is developed and deployed by several different types of groups, including state-sponsored cyber groups, cyber terrorists, hacktivists, hackers-for-profit, security researchers and hobbyist/individual hackers.


COMPARING EXPERIENCE: MTV DEVELOPERS + USERS

While some malicious code is developed by individuals, the majority of large-scale hacking campaigns utilize an organized network of hackers with varying technical and societal backgrounds.

MTV is developed and deployed by several different types of groups, including state-sponsored cyber groups, cyber terrorists, hacktivists, hackers-for-profit, security researchers and hobbyist/individual hackers. Each of these groups has a different level of experience within specialized areas, and each is motivated by different (often overlapping) incentives.

First, we look at the typical background and experience profile for each group segment.

Key takeaways: 

1. Every type of persona using and developing MTV has a background in, and/or experience with, Systems Engineering + Network Architecture, Computer Programming or Scripting and Social Engineering. 

2. Only half of all groups have experience as Certified Security Professionals.

3. MTV users typically have experience in a variety of areas, making them well-rounded, flexible and difficult to profile. 

COMPARING MOTIVATIONS: MTV DEVELOPERS + USERS

While the above comparison shows significant overlap in the characteristics of our segmented MTV groups, the factors that drive them to use these tools are varied and are what set the groups apart.

Key Takeaways: 

1. Hacktivists are the only type of MTV users that are not driven by some form of monetary gain. 

2. Everyone who develops, uses and/or disseminates MTV is motivated by their ego, curiosity or the desire to showcase their skill set. 

3. Security Researchers and Criminal Organizations are the only groups not driven to use MTV for reasons associated with politics or ethics. For the remaining majority, these powerful, often deeply personal causes serve as motivational forces that many view as impacting the greater good.

FINAL THOUGHTS

While some malicious code is developed by individuals, a majority of large-scale hacking campaigns rely on an organized network of hackers with varying technical and societal backgrounds and motivations, as explored above. MTV is developed and deployed by many different groups, including state-sponsored cyber groups, cyber terrorists, hacktivists, hackers-for-profit, security researchers and hobbyist/individual hackers.

Join us next week when we take a closer look at one of the most organized MTV groups in the world: nation-state sponsored cyber organizations.