Read on for highlights from DarkOwl’s Product Team for Q1, including new exciting product features. The team is starting the new year off strong and looks forward to an exciting 2024!
Enhanced Forum Structuring
The team made upgrades to forum structuring within the platform, empowering users with unparalleled insights into darknet forums. This latest development enables users to navigate darknet conversations in a structured manner, presenting discussions in chronological order for accurate and effortless reconstruction. The upgraded search capabilities further empower users to pinpoint relevant information swiftly, facilitating comprehensive analysis.
Access to forum data in a structured format is particularly crucial for organizations seeking to bolster their cybersecurity defenses and proactively address emerging threats.
Figures 1 and 2 (left to right): Previous view of a thread versus new enhanced view
Last month, the DarkOwl Marketing team sat down with DarkOwl’s Director of Client Engagement, Caryn Farino and Product Manager, Josh Berman to learn more. You can read that interview here.
Access the Darknet Safely and Securely Directly from DarkOwl Vision
This quarter the team released “Direct to Darknet” within Vision UI in partnership with Authentic8, a leading provider of cloud-based secure browsing solutions. This feature allows users to further investigate Vision UI search results on forums, marketplaces, and other Onion sites. This can be helpful for an investigation to view the original website, view images or advertisements that may be on the sites, take a screenshot for reporting, and more. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet.
Figures 3 and 4 (left to right): Vision UI result and associated darknet result for guns in Miami
Context and Enrichments
The team has significantly increased context information for leaks, actors, ransomware, and has added features to make doing research easier than ever.
On the new Leak Explore page, customers can see information about our leak dataset and get information about an individual leak. Customers can look for a leak that we have in our system, see if it’s relevant to them, pivot to the file tree or original posting, and look at the underlying data. We highlight some of the leaks we collected this quarter in the next section – all of the information highlighted below is taken directly from this feature.
Tox ID search and Compare features (Tools/CVEs) have been added to Actor Explore profiles. The Compare feature on the Tools and CVEs page allows users to see commonalities between actor groups, including shared tools and CVEs and their timelines.
Site Context on Ransomware search results provides site names, relevant dates, cipher information, and pivoting options to Actor Explore or further research, all provided by the DarkOwl analyst team.
The DarkOwl analyst team has added several new Search Block translations in Arabic, Russian, and Chinese.
More Vision UI Updates
Multi-Factor Authentication login option for customers
Alert section enhancements to delete single alerts and display Category in the main table. This makes alerts easier to use and more functional. “Category” has been added as a new column on the Alerts page to more effectively use these tags to organize alerts. One way to use these tags is to classify alerts by organization or category such as “Credentials,” to view related alerts from multiple monitors together.
Collection Stats
This quarter showed tremendous growth in data collection. The team had 5% growth quarter over quarter in added Tor documents, 27% growth in I2P documents, 31% growth in ZeroNet documents, 15% growth in records from Telegram, to highlight a few.
Highlights
Chat platform collection continues to grow as darknet threat actors migrate to darknet adjacent sites. Currently, the platform has coverage of more than 22,000 channels across multiple chat platforms.
The team added 117 data leaks this quarter alone, many of which were requests from customers, which the team always prioritizes. A select few of those are highlighted in the next section – all gathered from the DarkOwl analyst team.
Actor Explore continues to grow – with a total of 307 actor profiles able to be searched, compared, and researched within the platform.
Leaks of Interest Collected
As mentioned, the descriptions below are all available in our Leak Context product feature.
Naz.api
The naz.api leak was made available on BreachForums on January 15, 2024. According to the post, it is a 35 GB collection of public URLs, usernames and passwords. The post also notes that it was originally on xkey.info but was taken down for allegedly not being the real naz.api leak. naz.api is one of the largest credential stuffing lists, originally posted on September 9, 2023 by 0x64. According to that post, the database was created by extracting data from stealer logs, and contains over 1 billion unique records of logins and passwords saved in users’ browsers. The post also notes that the original naz.api dataset was donated to 0t.rocks. Infostealer logs are files produced when a trojan installed on a system collects information from that infected system. Depending on the infostealer malware, the extracted data can include system information and browser session data (including autofills, credentials, financial information, cookies, browser history, etc.). Some malware will also capture stored local files and install keylogging on the system to exfiltrate data outside of the browser sessions.
USA 500K SSN
Data purported to be US Social Security numbers was posted on LeakBase, a hacking forum, on September 11, 2023. Data exposed includes full names, dates of birth, social security numbers, and physical addresses. Analyst Note: Three leaks with “500K SSN” included in the leak name were identified during a recent review, with each leak containing the same data format. These leaks may have been parsed from a larger historical leak and reposted in several parts. For this data leak, DarkOwl noted references to the same sample data dating back to December 2021, supporting the assessment that this leak contains older content. Notwithstanding, given the presence of social security numbers, the recirculation of this data is of concern.
DC Health Link
Data purported to be from DC Health Link was posted on BreachForums, a hacking forum, on July 22, 2023. According to the post, this breach occurred in March 2023. Data exposed includes member names and IDs, policy information, social security numbers, full names, dates of birth, e-mail addresses, phone numbers, physical addresses, employment information, genders, medical records, and other personal identifiers such as ethnicity and citizenship status. Analyst Note: Review of the original post on Breach Forums on March 9, 2023, indicates the original leaker was thekilob. This is further supported by commentary in the Telegram Channel, BreachForums Chat, where they indicate thekilob was removed as a reference from the original post. Analyst Note 2: DC Health Link made a public statement about the breach on their website on March 14, 2023, detailing information about the breach.
AT&T
Data purported to be from AT&T was posted on BreachForums, a hacking forum, on March 17, 2024. According to the post, AT&T’s database was hacked by ShinyHunters in 2021 and contains 70 million lines. Data exposed includes names, e-mail addresses, phone numbers, physical addresses, social security numbers, and dates of birth. Analyst Note: According to the information provided in the post, in order to link the SSN and DOB to each record, one will need to grep and replace the encrypted values for these fields in the master file with the unencrypted values of these fields provided in a separate file. Analyst Note 2: DarkOwl notes that to replicate this connection in the raw indexed files, a search will need to be run using the encrypted value in quotes as the keyword to locate both documents in the leak (i.e. “1lpxFgIp7MlY” would return both the document that contains the full record with the encrypted SSN value and the file which contains the decrypted SSN value). Analyst Note 3: A high-level review of the data indicates the data is from customers in the United States. Analyst Note 4: Research in DarkOwl Vision indicates the data was initially posted for auction on August 22, 2021, for $80,000.
Curious how these features can make your job easier? Get in touch!
A new Middle East conflict emerged on October 7, 2023, when Hamas launched an attack on Israel. It rages on to the present day, resulting in physical, digital, and hybrid events that threaten both Israel and Palestine and their borders with multiple surrounding countries. Regional stability is extremely low as actors supporting all sides of the conflict take stances and attack their self-defined opponents on the ground, at sea, and with cyber capabilities. Most recently, Hamas rejected an Israeli offer for a ceasefire on 25 March 2024, ensuring that this conflict continues for an undetermined amount of time.
In the past six months, some of the trending issues the world has witnessed include drastic upticks in maritime and ground-centered activity against Iranian-supported actors, such as the Houthis and Hezbollah. Air attacks and maritime incidents against the Houthis continue all over the Middle East region, impacting civilian vessels in various bodies of water and civilian shipping routes. Telegram remains a vital part of the conflict, with propaganda emerging from Iranian, Arabic, and Israeli Telegram channels, as well as sympathizers and opponents from all sides of the conflict taking a public stance and offering to attack on behalf of their beliefs. A sampling of these activities over the past six months since the start of the conflict is covered in this blog.
Telegram and Choosing Sides
As was previously mentioned and covered extensively in a previous blog, a trend that emerged almost immediately and continues six months later was actors choosing sides in the conflict. No matter what side is supported, whether an entity is pro-Israel or pro-Hamas, supporters publicly emerge and are then targeted by opponents.
Figure 1: Killnet posting their intention to target the Israeli government on Telegram
Figure 2: Anonymous Sudan posting their intention to target the Israeli government on Telegram
Figure 3: The group Garuna Ops made a number of posts on Telegram in support of Israel and stated that, as well as attacking Palestine, they would attack any other countries that supported it
The end of 2023 witnessed a few key events, ensuring the conflict would continue into the new year of 2024. The list below is not exhaustive, and is only meant to provide high-level examples:
Navitas Petroleum, based in Israel, was purportedly hit by BlackBasta ransomware (December, 2023)
However, as of the time of this writing, Navitas had no entry on the BlackBasta ransomware victim blog. It is possible this event was fabricated, or that the impacted entity struck a deal of some kind with the BlackBasta actors to have their data removed from the ransomware website. Either way, the threat of malicious actors coming after an organization because of their country or other allegiance is a continuing trend.
Predatory Sparrow hacking group attacked 70% of Iranian gas stations (December, 2023):
Figure 4: Predatory Sparrow group publicizes their attack of Iranian fuel stations in December, 2023; Source: DarkOwl Vision
Iran issued a statement that the October 07 attack against Israel was in retaliation for the January 2020 assassination of IRGC commander Qassem Soleimani (December, 2023)
Hamas leaders publicly rejected this claim.
In 2024, some incidents included (the list below is not exhaustive, and is only meant to provide high-level examples):
Anonymous Sudan claims to have hit Israel’s telecom company Pelephone (January, 2024):
Figure 5: Anonymous Sudan uses their Telegram channel to advertise the January 2024 attack against Israeli Telecom Pelephone; Source: DarkOwl Vision
Lulzsec group targeted Israeli red-rocket alert system:
Figure 6: Lulzsec hacking group advertises their mid-January 2024 efforts against the Israeli rocket alert system on Telegram
Anonymous Sudan claims to have hit Israel’s Bazan group:
Figure 7: Hacking collective Anonymous Sudan uses their Telegram channel to publicize an attack on Israeli Bazan Group in January, 2024; Source: DarkOwl Vision
Anonymous Sudan also claimed it conducted a cyberattack targeting “critical parts” of healthcare infrastructure in Israel, and adds “more than a thousand devices are completely disconnected.”
Terminator Security hacking group claims to have taken down Israeli Air Force servers.
As of mid-March 2024, Raytheon was again targeted, this time by the Anonymous group due to their supplying weapons to Israel. However, Raytheon and other US defense contractors are frequently targeted by Russian groups, such as this Snatch Ransomware group observation which also came in March 2024:
Figure 8: Snatch ransomware group details attacks against US government contractor Raytheon, which is frequently targeted due to its weapons supplied to Ukraine; Source: DarkOwl Vision
Maritime Activity
Naval mining conducted by the Houthis and other attacks against maritime vessels continued as recently as mid-March, with this physical element of the conflict having cyber implications:
Undersea telecom cables that carry approximately 17% of international data were damaged as maritime conflict continued in the Red Sea. Some media outlets blamed Houthi militants, while other experts state the cables were damaged by sinking ships hitting them, as they lie in shallow waters.
Maritime activity in the Red Sea also involved the United States conducting a cyberattack on an Iranian ship that had been gathering intelligence on cargo vessels in the region. This was intended to prevent the ship from sharing intelligence with Houthi members in Yemen, who have been frequently targeting civilian vessels. DarkOwl analysts have observed multiple platforms, including Discord, onion websites, and 8kun, sharing information regarding the hostile situation in the Red Sea:
Figure 9: Users discuss and share videos of Iranian activity in the Red Sea between January to March 2024; Source: DarkOwl Vision
Figure 10: Users discuss and share videos of Iranian activity in the Red Sea between January to March 2024; Source: DarkOwl Vision
Figure 11: Users discuss and share videos of Iranian activity in the Red Sea between January to March 2024; Source: DarkOwl Vision
Hybrid Incidents
Hybrid events, comprising both digital and physical efforts to have a real-world impact, have also grown. In mid-February 2024, international media reported on an attempt to reroute an Israeli El Al airliner. The original flight path was from Bangkok, Thailand, to Tel Aviv, Israel. However, during the flight, the crew were provided with instructions that diverted them from their set route. Once they contacted other air traffic controllers, compared flight data, and realized actors were intentionally trying to mislead them, the crew discarded these instructions and remained on their original flight path.
The incident occurred over Somali airspace, and Israeli sources revealed a certain frequency that was consistently trying to change flight paths, indicating a constant attempt to disrupt air activity. Using technology to attempt to derail a plane, or any other means of transportation carrying humans who could be harmed or used as leverage in a geopolitical situation, brings a new level of urgency to vetting online information tied to any world event, especially a conflict.
Conclusion
As is confirmed by the events above, conflict these days has a new paradigm: using technology to influence and increase physical air, ground, and maritime events, such as using a certain frequency to communicate with planes while trying to pull them from a planned, safe route. Global infrastructure such as undersea cables is either accidentally damaged by naval mining or, in some cases, intentionally cut to interfere with regional internet access and connectivity. These physical threats to infrastructure and personnel are separate from the propaganda that is quickly spun and shared among all sides via messaging platforms and social media.
Malicious actors use technology to go after petroleum and water supplies, or even put services essential to human life, such as healthcare, at risk during geopolitical incidents. Even weapons supplies are in danger, as actors try to prevent weapons delivery or jeopardize the providers of the weapons. The technological component of conflict is here to stay, and actors will undoubtedly use any platform they feel is safe – Telegram, social media, private messaging, or an online collection of supporters who can contribute to research and disseminate propaganda – to try to influence the public to see issues from a certain perspective.
Disclaimer: This blog seeks to illuminate the practices used by threat actors that involve the nefarious application of artificial intelligence (AI) technologies. While the instances discussed herein do not imply that chatbots and similar tools are intrinsically hazardous, they serve to demonstrate the potential for their misuse by cybercriminals. None of the examples generated should be used.
Introduction
Cyberattacks are becoming more and more commonplace, with no one immune from attacks, whether it be corporations suffering from ransomware attacks or individuals falling victim to romance scams. But as people become more educated about the risks of cyberattacks and scams, cyber attackers must change their methods to ensure success.
Last April Fool’s Day, we looked at how cyber actors trick us with phishing emails. This April Fool’s Day, we explore some of the ways that cyber actors could use new technology such as AI to fool their victims into allowing them access to their systems or finances.
Phishing
A phishing email is a deceptive email designed to trick the recipient into believing it’s from a trustworthy source, with the aim of stealing sensitive information, such as login credentials, financial details, or personal data. These emails often mimic the appearance and tone of official communications from well-known companies, banks, or government agencies. The emails will often request personal information, include suspicious links or attachments, and use generic greetings and wording.
Most people these days are aware that they should not click on links in emails from people they don’t recognize and emails that appear to have spelling or grammar mistakes in them. But phishing emails are becoming more sophisticated, and AI can be used to generate emails that are more believable.
We asked an AI platform to write us an email:
This is the response we got:
This took seconds to generate and could be used to fool people.
Smishing
Smishing is a type of phishing scam conducted through SMS (Short Message Service) text messages. It involves sending deceptive text messages that aim to trick recipients into revealing personal information, clicking on malicious links, or performing actions that compromise their security. These messages often impersonate legitimate companies, organizations, or even acquaintances, creating a sense of urgency or fear to prompt immediate action from the victim.
Smishing campaigns are often used by threat actors to entice people as part of a romance scam, or while pretending to be customer support asking a user to share a password or approve a push notification. They can take many forms, such as pretending to reward you with a prize or telling you that you missed a package delivery. They are becoming increasingly sophisticated. Below we show a sample of these.
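The phishing and smishing tells described above (urgency, a request to verify credentials or details, a generic greeting, a payment or delivery lure, and links to shortened or lookalike domains) can be turned into a simple scoring heuristic. The script below is an added example, not part of the original post and not a DarkOwl tool; the sample messages, the trusted domain example-bank.com and the scoring weights are constructed for illustration, and a real mail or SMS filter would tune them against its own traffic.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real campaigns): two lures and two benign messages.
SAMPLES = {
    "email_lure": (
        "Subject: Urgent: Your account will be suspended\n"
        "Dear Customer, we detected unusual activity. Verify your password "
        "within 24 hours at http://secure-login.example-bank.co/verify "
        "or your account will be locked."
    ),
    "sms_lure": (
        "USPS: your package could not be delivered. Confirm your address "
        "and pay a $1.99 redelivery fee: http://bit.ly/xyz123"
    ),
    "benign": (
        "Hi Sam, the slides from Tuesday's meeting are on the shared drive. "
        "Let me know if you have questions. Thanks, Priya"
    ),
    "benign_with_link": (
        "Your March statement is ready at https://www.example-bank.com/statements"
    ),
}

# Each pattern captures one of the tells discussed in the text.
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended|locked|final notice)\b", re.I)
CRED_REQUEST = re.compile(r"\b(verify|confirm|update)\b.{0,40}\b(password|account|address|ssn|pin)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)
PAYMENT = re.compile(r"\$\d+(\.\d{2})?|\b(fee|payment|invoice)\b", re.I)
DELIVERY_LURE = re.compile(r"\b(package|parcel|delivery)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # a few well-known shorteners


def extract_hosts(text):
    """Return the hostnames of every http(s) URL found in the message."""
    return [urlparse(u).hostname or "" for u in URL.findall(text)]


def score_message(text, trusted_domains=("example-bank.com",)):
    """Return (score, reasons). Each heuristic that fires adds its weight to the score."""
    score, reasons = 0, []
    if URGENCY.search(text):
        score += 2; reasons.append("urgency language")
    if CRED_REQUEST.search(text):
        score += 2; reasons.append("request to verify credentials or details")
    if GENERIC_GREETING.search(text):
        score += 1; reasons.append("generic greeting")
    if PAYMENT.search(text):
        score += 1; reasons.append("payment lure")
    if DELIVERY_LURE.search(text):
        score += 1; reasons.append("delivery lure")
    for host in extract_hosts(text):
        if host in SHORTENERS:
            score += 2; reasons.append(f"shortened link ({host})")
        elif host and not any(host == d or host.endswith("." + d) for d in trusted_domains):
            # A trusted brand name embedded in an untrusted host is a lookalike domain.
            if any(d.split(".")[0] in host for d in trusted_domains):
                score += 3; reasons.append(f"lookalike domain ({host})")
            else:
                score += 1; reasons.append(f"untrusted link ({host})")
    return score, reasons


def classify(text, threshold=4):
    """Label a message using the constructed threshold (tune against real traffic)."""
    score, _ = score_message(text)
    return "likely phishing" if score >= threshold else "probably benign"


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        score, reasons = score_message(body)
        print(f"{name}: {classify(body)} (score {score}) {reasons}")
```

Running the script labels both constructed lures as likely phishing and both benign messages as probably benign; the link check is the part worth keeping even in a toy like this, because a lookalike host such as secure-login.example-bank.co is exactly the detail an AI-polished lure no longer gives away through spelling mistakes.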
Social Engineering
Social engineering is a manipulation technique that exploits people to gain unauthorized access to information, systems, or buildings. Unlike traditional hacking, which often relies on technical vulnerabilities, social engineering targets the human element of security systems. The goal is to trick or deceive people into doing what the attacker wants them to do, whether that be access to systems or obtaining financial reward.
Social engineering can take many forms, from generating a phishing email based on specific information found on social media, so that it is more targeted to the victim, to creating fake social media profiles on dating or networking apps to entice individuals to communicate with them.
We had an AI tool generate us a dating profile:
But we also need a picture to go with the profile to make it more believable, so we asked AI to generate us one of those as well.
These prompts could be tailored in order to create a profile that is more likely to appeal to the desired victim. Research can be conducted, and all of that information can be inputted into an AI generator to create the perfect profile for the job.
Vishing
Vishing, short for “voice phishing,” is a form of social engineering attack where fraudsters use telephone services to scam individuals into disclosing sensitive personal information, such as bank account numbers, credit card details, personal identification numbers (PINs), and passwords. Unlike traditional phishing attacks, which typically occur through email or malicious websites, vishing specifically involves voice or telephone communication.
While threat actors previously had to conduct these calls themselves, it is now possible to generate voices using AI. While it is difficult to use this for a live conversation, it can be used to create recorded voicemails. Using AI, it is also possible to emulate someone’s voice, meaning that you could receive a believable voicemail from someone who sounds just like your boss asking you to send funds or reset a password. There have also been reported instances of people appearing on video conferencing calls where their image and voice have been manipulated to deliver the message the threat actor wants to give.
Using AI, we are able to create a voice message. You can select the type of voice you want to hear, the tone of the message, how to pronounce certain words and where to pause in the conversation, leading to a believable message.
Conclusions
It is worth noting that most AI providers have tried to implement security features and guardrails to prevent threat actors from utilizing their platforms for nefarious purposes. However, systems can be jailbroken, and threat actors are also able to use the technology to create their own LLM (large language model) to generate the kinds of responses that they want. There are already dark web AI tools that have been developed, such as WormGPT and FraudGPT. AI does not create new scams or ways of working. As it does for all of us, it simply speeds up and improves the activities the prompter is seeking to conduct. In fact, some of the descriptions in this blog were generated using AI, highlighting its legitimate uses.
There are lots of ways that cyber criminals can trick us into providing information we don’t want to, falling for scams, providing funds or access to profiles. However, this is nothing new and we should continue to be vigilant in the same way we always have been, while understanding that as technology develops, cyber actors are also developing the tools and techniques they use to try and fool us.
Curious how DarkOwl can help with your use case? Contact Us!
Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. LockBit ransomware re-emerges after law enforcement takedown – The Hacker News
Proving resilient, LockBit ransomware came back into operation using new infrastructure just days after a global law enforcement operation took them offline. The actors debuted a new onion address and already had 12 new victims in their post-takedown operations. Additionally, the actors themselves authored a long note explaining what happened from their perspective. Read full article.
2. ALPHV/BlackCat ransomware group exit scams – The Hacker News
One of the most active ransomware groups of the past few years, ALPHV/BlackCat, shut down their onion site after their latest big victim, UnitedHealth’s Change Healthcare unit, purportedly paid their $22 million ransom. Actors believed to be a part of the gang engaged in conversation on Russian forum RAMP. Read article.
3. US government agencies are impersonated in business email compromise attacks – SC Media
US government agencies have been impersonated in business email compromise (BEC) attacks. The Department of Transportation, Department of Agriculture, and the Small Business Administration have all been impersonated via QR codes circulating in PDF documents. The QR codes send victims to phishing sites mimicking portals for the aforementioned agencies. All PDFs had the same metadata, which indicated creation in Nigeria. Article here.
4. Iranian actors observed targeting aerospace and aviation industries in the Middle East – The Hacker News
Malicious Iranian cyber activity was observed targeting various industries using cloud infrastructure for their command and control (C2) along with social engineering tactics to deliver two backdoors named Minibike and Minibus. Targeting these industries allows for strategic information to be procured and sent back to the Iranian government. Article here.
5. Darknet marketplace Nemesis Market seized by German police – Bleeping Computer
German authorities, using intelligence from Lithuanian and American agencies and partners, captured infrastructure in both Germany and Lithuania, resulting in the takedown of the popular dark web Nemesis Market. Authorities seized $100,000 in cash as well as digital infrastructure that supported the illicit goods market. No information was provided regarding whether the platform’s operators had been arrested or contacted as of the time of this writing; DarkOwl will continue to monitor for updates. Read article.
6. Cybercrime gangs join forces to launch double extortion ransomware attacks – The Hacker News
GhostSec and Stormous ransomware groups have combined their operations to conduct ransomware attacks against technology, education, government, and many more verticals. Both groups are part of “The Five Families.” On August 28, 2023, cybercrime conglomerate SiegedSec announced the formation of “The Five Families” in an attempt to offer structure to the digital criminal underground. They named ThreatSec, GhostSec, Stormous, Blackforums, and themselves as the five participants. Read full article.
7. China’s “Earth Krahang” infiltrates organizations throughout 45 countries – Bleeping Computer
Government organizations worldwide were the target of a two-year, Chinese state-sponsored campaign. Spear-phishing is employed to deploy backdoors while exposed internet-facing servers are also attacked, making it a multi-pronged attack. The group uses open-source tools to build VPN servers and then brute-forces email accounts to procure passwords, focusing on compromised Outlook accounts. Article here.
8. Microsoft source code accessed by Russian actors Cozy Bear – CyberScoop
As of January 2024, Russian state-sponsored actors Cozy Bear (who are believed to be part of Russia’s SVR intelligence branch) accessed Microsoft source code and company systems. The actors were able to read the emails of senior Microsoft executives. While the exact nature of this infiltration is still under investigation, Microsoft offered that they do not believe customer-facing systems were accessed/impacted. Read full article here.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
The government, along with law enforcement, is heavily impacted by ever-evolving technology, and there is a multitude of malicious actors conducting espionage, stealing data, and attempting to infiltrate and shut down systems critical to everyday life.
These malicious actors with a proven state-sponsored tie are often called Advanced Persistent Threats (APTs). The digital realm is heavily involved in geopolitical conflict, and its role and that of adversarial actors must be explored.
In this session, we will dive into the big 4 cyber adversaries:
Explain how cyber experts are trained
Explore the use of front companies and technology in online activities
Examine ties to their governments
Cover common offensive and defensive capabilities
Glimpse into the possible future with AI used in operations
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Mark: My name is Mark Turnage, I’m the CEO and Co-Founder of DarkOwl and with me, I have Erin Brown, who’s our Director of Intelligence. We’re pleased that you joined us here this morning. I’m just going to make some introductory remarks, and we’re going to conduct this webinar as a sort of fireside chat between me and Erin and talk about four cyber countries – powerful cyber countries: Iran, North Korea, China, and Russia.
Just a couple of introductory remarks from me, we live in very interesting times. It’s a very famous Chinese curse and I think it’s fair to say that over the last several years, the world has become considerably more uncertain and more unstable. We have wars being waged in Ukraine, in the Middle East, we have a considerable amount of tension in East Asia, between China and Taiwan, and against that backdrop, there are a number of elections taking place this year around the world, including here in the United States, our presidential election. All that means that the cyber sphere has become even more important and more deserving of our attention as we think about that instability and how to better manage that instability. And against that background, four countries are continually mentioned: Iran, Russia, China, North Korea. Interestingly enough, two of those, China and Russia, are quite large countries and powerful in their own right. Two of them, North Korea and Iran, are cyber superpowers, in spite of being relatively small and in the case certainly of North Korea, having quite a small economy. So, we thought it would be useful to talk, to have a conversation about those four countries and talk about their cyber capabilities and how they use the cyber sphere, both for their own purposes and to sow instability and discord. So, with that, I’m going to just start asking Erin some questions.
What are the main cyber threats posed by these four countries?
Erin: There are a lot of different threats that they’re posing, and it really depends on what they’re trying to achieve. We see them conducting cyber espionage, we see intellectual property theft, attacks on infrastructure. It really depends on what their motivations are and they have many groups within their countries that are conducting these types of attacks – but most of them, all four of them, I would say, have a joint desire to advance their global influence. They all want to be the superpower of the world and they want to do that in both the digital and the physical world. We’re seeing that overlap, as you just mentioned in your introduction, as there’s more and more real-world conflicts happening. We’re seeing a huge cyber element to that. But then they do have their own distinct motivations as well in terms of what operations they’re conducting. North Korea, for example, we’ve seen them conducting a lot of attacks that lead to financial gain because they’re using those funds to finance other operations that they’re doing and things that they’re doing within the country. So, they all pose a huge amount of risk to both countries and organizations in terms of what they’re trying to achieve to advance their global power, basically.
Mark: And is it fair to say that of those four, North Korea is the most, quote unquote, financially oriented in terms of their cyber activities? Or is the same true, say, of Russia?
Erin: I would say so. I think we know North Korea, from a government perspective, is doing that for financial motivation and gain. I think with Russia especially, and Iran to a certain extent as well, we see that overlap and bleeding between who is the state-sanctioned, state-sponsored groups, and those actors that maybe the state is allowing to operate. So obviously, you know, the ransomware gangs in Russia are making a huge amount of money off of corporations worldwide and there are suggestions that they’re at least allowed to conduct their activities by the Russian government. One could infer from that that the Russian government may be getting kickbacks from them and from that type of activity, but we don’t necessarily see the state-sponsored groups that are the military groups having that financial motivation in other countries. But Iran and Russia certainly have that criminal overlap.
Mark: Which brings us to the question of how these countries actually organize their cyber operations. You mentioned that some of them may or may not incorporate private actors in those operations, and others are more official. So, how do they organize their operations?
Erin: It’s quite a complex makeup across all the different countries, and they all do it slightly differently. You do get those differences between what is state-sponsored, what is state-sanctioned, what is state-allowed. So, there are all of these distinctions within how you group them, but primarily, we see that the countries have military and civilian intelligence services. So, they’ll have military operators that are part of their armed forces that are going out and conducting these cyberattacks, and then you’ll also have intelligence agencies. So similar to how we have the CIA in the US, they have their equivalents that will also be conducting cyber operations on their behalf as well, and depending on who’s conducting the attack, you’ll see different types of attacks and different victims as well in terms of what they’re trying to achieve.
But then we do also see civilians that are somewhat separated from the government being utilized. So, we do see a lot of front companies being used by these countries. This will be a seemingly legitimate company that is set up in-country and has government backing behind it that’s not necessarily obvious, so that they have that air of conducting activity without being linked to the government, even though they are. Then also, as we just mentioned with the financial motivation, we do see, especially in North Korea and in countries that don’t have as much stability and financial security, actors that are doing a day job with the government and then in the evening using those skills that they’ve learned with the government to conduct cyber activities and criminal activities. So, it’s a murky infrastructure in terms of how these are set up, but I would say all of these countries do have groups and organizations set up to conduct cyber espionage and cyberattacks on other countries.
Mark: This odd mixture of official and unofficial criminal gangs must make attribution really difficult when you’re looking at an activity, trying to attribute who the actor is who is behind the actual action.
Erin: Yeah, it’s incredibly difficult. And I would say it’s probably more difficult for people like ourselves that are outside of the government remit to identify that information because it’s very noisy in terms of what’s being conducted, who’s doing what attacks, and then things like the malware that they use. A lot of countries will use off-the-shelf malware, but lots of other groups use that as well. So, just because a malware is being used doesn’t mean that it’s attributed to one particular group, even if that group invented it. For instance, Stuxnet is a good example of that – it was developed by the US and the Israelis, but it has been utilized far and wide by other nation-states, and by criminal actors since then. So, it’s really difficult to know who is conducting these activities, and mistakes are made in terms of these attributions as well between different groups. Whenever we’re looking at this attribution, whenever we’re looking at this activity, the attacks that are happening, we’ll make assumptions about what we think that’s connected to; you don’t really know unless you’re in those groups and able to see that. So attribution is incredibly difficult, and when we’re talking about APTs and we’re talking about nation-states, we’re talking about probably the most sophisticated cyber actors that are out there, that most of the time are trying very hard to obfuscate their activities and obfuscate who they are and who is conducting them. It’s a very tricky thing to be able to attribute that activity. So, one of the things I would say about it is it’s more about knowing what the techniques are than knowing who is doing it, so that you can protect yourself from those techniques and those vulnerabilities within your organization. I guess some might say it doesn’t really matter who’s doing it when it comes down to attribution, it just matters that you stop it. So, it’s an interesting balance.
Mark: Yeah. Although, if you’re a foreign leader, say, the president of the United States, the Prime Minister of Great Britain, the President of France, and your country is in some fashion attacked by a cyber operator, attribution becomes important in terms of how you respond. So that’s a challenge I’m sure that many leaders face.
Let me switch gears a little bit and talk specifically about China. The Great Firewall of China – what’s the impact of that on both their capabilities and on the ability of outsiders to see what’s happening in China?
Erin: For those who don’t know, I’m sure most people do, but the Great Firewall is what we refer to as the operations that China put in place to silo their internet from the rest of the world. So, it means that most of their citizens aren’t able to access the internet in the same way that we do and they’re not allowed to access certain things. So, it means that the government can really lock down the messaging and the news that citizens are able to access. And as part of that, they do also have their own apps and search engines and things like that. A lot of social media like Facebook and Instagram and WhatsApp can’t be accessed in China. Instead, they have WeChat and WeChen and Weibo and other ways that they’re doing that. From the outside it is always seen as a way of controlling the citizens and the messaging that they’re getting and what they’re able to do, but it does also highlight the sophistication that the Chinese government have in terms of cyber activities, in terms of how they’re able to monitor their own citizens and lock down that information and how sophisticated their surveillance and censorship is. So, it really highlights some of the skills that they have. It’s the same cyber operators influencing the Great Firewall as conducting some of these attacks that are happening, and it shows how they want to have their world order and what some of their motivations are in terms of the cyber operations that they’re targeting.
It’s worth mentioning that they aren’t the only country that’s doing that. Russia has Runet – they are expanding and trying to lock down what their citizens are able to see. And Iran and North Korea have very similar methodologies in place. I would say with North Korea, we know even less about that, just because of the isolationist way that North Korea operates. It’s very hard to know how that functions but I think it just demonstrates the sophistication that they have and the abilities that they have of surveillance and censorship that they utilize outside of the firewall as well as inside it.
Mark: So, from an adversarial perspective, we’re in an environment where these four countries have unencumbered access to the world’s internet. It’s open. We’ve made it open deliberately, but we have very limited access, on a variable basis, to their internal country networks, and I would put, you would put, China at the top of that list.
Erin: Yeah, definitely. So, it’s very hard as analysts, going back to that attribution point as well, to know what’s going on inside of that firewall because they’re locking down that information. What messages are they sharing? What is it that they’re putting out about adversaries when there is a campaign that is publicly reported or Chinese actors are indicted, which has happened several times? What is the messaging that they’re putting out internally? And I think, with Russia, we’ve seen this with the Ukraine war and the messaging that they’ve put forward about Ukraine to their citizens in terms of “they’re saving the country, it’s not a war, it’s a defensive position,” like very different to what we’re seeing outside of that realm. So, it definitely impacts on that attribution and what we’re able to understand about what they’re doing. One thing I would mention, just as well, because we’re a dark web company, but this is one of the ways that Tor can be used in a very legitimate way. I think we tend to focus on the dark web being a bad thing for criminal activities, but it’s a way that a lot of citizens in these countries that have locked-down internet are able to access Western and outside media, and this is the reason that a lot of social media companies will have mirrors on the dark web. X, formerly Twitter, has it, Facebook has it, some governments have websites on the dark web. So, people are able to access that information. It’s a useful way for people to be able to get that outside information as well.
Mark: Can you talk about some of the notable cyber campaigns that have been conducted by these four countries?
Erin: Sure. There are a lot, and as we’ve already covered, attribution is tricky in terms of how we associate particular campaigns that we’re seeing to particular countries and the groups within them. China has had some very significant operations in recent years targeting a lot of countries in their region. We’ve seen them spying on Cambodia, the Philippines, South Korea, and they do this using phishing techniques to gain access. So, you know, they are using some of the same techniques that we’re seeing criminals using that we’re all warned about at our companies in terms of “don’t click on a link.” Those sophisticated users are using those methodologies as well, and we have seen things like when they recently targeted Japan’s space agency. One of the things that China is well known for is targeting companies and stealing intellectual property, and then taking that information back and using it to develop their own technologies and issue patents on their technologies. So, that is a thing that they continue to do in terms of expanding their power and what they have access to. That’s something that we’ve seen China doing a lot of recently.
With Russia, probably the most significant one that is fairly recent was that they targeted Microsoft’s corporate systems. They targeted the executives and I believe the legal team and were able to access some emails and documents, and they did this again with fairly simple methodology. It was a password spray attack. So basically, they just took lots of different ways that people might use a password and put them across all of their systems. This really highlights why you need to have good password hygiene across your corporation, and governments everywhere, because that is a way, not just with nation-states, but across the whole adversarial cyber field, that we’re seeing people get access: through credentials. So, it’s a really important thing to identify. And then I think you can’t talk about Russia’s activities without mentioning the war in Ukraine, because there definitely is a cyber war going on as well as the on-the-ground war. One of the things we’ve seen fairly recently was that they hacked into webcams in Kiev, so that they could look at what air defenses were being used in the city, and they did that ahead of a missile attack. They wanted to see where their missiles would be defended and where they wouldn’t. That is a real-world example of how the cyber and the real world are linked together and they’re utilizing cyber tools to help them with military campaigns.
In terms of Iran, there is a group known as Mint Sandstorm. So again, using phishing techniques, but social engineering as well. This is something we see a lot with Iranian actors – utilizing social media and fake social media accounts to lure people into giving them what they want. We saw them on large recruitment and job networking sites creating these accounts, creating several levels of personas that knew each other to make them look as real as possible, and then were using that to identify people that they wanted to target as part of the Israel-Gaza conflict. They were using this as an espionage/intelligence-gathering campaign. With these campaigns, it’s not just about disruptive action or getting access; sometimes it’s just understanding things that are going on to help them with other areas.
Then North Korea, again, is a trickier one just because of their isolationism and the groups that we see. Probably the most prominent group that’s been mentioned in recent years, and they have been around for a long time now, is Lazarus. They have been involved in significant financial thefts as well as espionage. So, a lot of cryptocurrency, ransomware attacks, etc. They were responsible for the Sony hack way back when, I believe it was 2016, but as recently as this year, they’re still operating. They were seen conducting cyber espionage campaigns, targeting defense technologies, again creating fake social media profiles, and then deploying malware once they’ve got access to individuals. So, you know, there’s a range of activities that are going on and that very much is a high-level overview of some of the activities. There’s probably a lot more going on that we don’t know about, and a lot more going on that we do know about, but it hopefully gives you a sense of the types of campaigns that they’re conducting and also the variety of people that they’re targeting. I think you said earlier that governments obviously care about attribution, and they should, and their governments hopefully are better at attribution, but I think there’s an old-world view that nation-states and spying and espionage is a thing between governments, and these days with cyber, it just isn’t. Everyone is vulnerable to attacks. Everyone has information worth stealing, so everyone has to be vigilant.
Mark: It’s notable that in your answer, in talking about the various cyber campaigns conducted by these countries, that many, if not most of them, are using basic password access, phishing, social engineering, as opposed to zero-day exploits that they have access to on an exclusive basis. That’s quite notable.
Erin: Zero-day exploits are really hard to develop and they’re really expensive to develop. If you don’t need them, because you can get in by a weak link of a person clicking on a link or believing a phishing email, then why waste your time and infrastructure? I would say they still definitely do utilize those zero-day attacks, and that is something that’s developed, especially by Russia and China, but those are the ones that it’s harder to hear about, right? Those are the ones that they don’t want people to know what that capability is and who they’re targeting. And they would save that for their most important victims.
Mark: We, in the cyber security industry, live in evolving times. There’s a lot of changes in technologies and I would include in that, by the way, artificial intelligence, the rise of artificial intelligence. How does that affect how these four countries are both organizing themselves and conducting their cyber operations?
Erin: I think in the same way that the rest of us are, right, they’re still learning. They’re still coming to grips with these new technologies and how they can utilize them and how they’re going to work, but they definitely are. I think they definitely want to utilize them and there is a growing sophistication. We have seen particular countries trying to target AI companies. I think there was an article, a month or two ago about OpenAI reporting, I think it was 4 or 5 specific APT actors that they had kicked off of their site and they were using AI to do the things that a lot of other people are doing, like help them with their work, but also create phishing emails and ask it questions to do research for them about the capabilities that other countries and their victims have. So, we know that they’re using AI, we know that that’s happening.
There are also, I believe it was China, I’m trying to remember – it was either China or North Korea, but they’re actually investing in companies that are developing AI in certain areas of the world so that they can own that technology for themselves as well. What I would say with AI and those technologies is the US and Europe and the likes of OpenAI, oh, I can’t, their name is escaping me. But, you know, the prominent AI providers at the moment, they are far and above ahead of Russia and China at the moment. But I was actually at a talk with someone from those companies a couple of weeks ago, and they were saying, we’re only a couple of months ahead and they are going to catch up, like it is going to happen. So, it’s something that everyone needs to be aware of and needs to be vigilant about. I think the takeaway point from that is that they are using it. They are keeping an eye on emerging technologies. They themselves as well have to constantly evolve to remain relevant and successful because people’s defense gets better all the time. So, you need to constantly evolve to get around those defenses and those ways of operating. It’s definitely something that they focus on.
Mark: You mentioned earlier, by the way, that we’re a darknet company and we cover the darknets, and we cover darknet-adjacent sites. You mentioned earlier in one of your answers the use of the darknet by citizens in countries which are behind firewalls or where they have limited access to the outside internet. But how do the countries themselves use darknet and these other online platforms in their own operations?
Erin: Yeah, that’s a difficult one and it’s a bit murky. Again, going back to that attribution problem, and especially on the dark web where everyone is trying to stay as anonymous as possible, to know who is doing what. We know that they definitely do utilize it. We know that there are probably actors on there that are sowing disinformation and details on the dark web and sharing them. But, you know, one of the things that we’ve seen more in recent years and is a bit more obvious is hacktivist groups and criminal groups that are associated with or somewhat sanctioned by governments. So, we’ve seen this with Killnet in Russia and a handful of other groups that came out in support of Russia when the invasion of Ukraine happened, and they are very active on things like Telegram. They will say who they’re targeting. They will say why they’re targeting them. They’re often going after NATO participants. They will show evidence of defacements or DDoS attacks. So, they’re very vocal and they want people to know what they’re doing, and they do have those links, or at least a nationalist fervor that is very clear. And we see that other groups linked to North Korea and Iran also have Telegram channels and other channels that are very vocal. One of the interesting things that we’ve seen, though, that is less how they’re operating but gives us more insight into how they’re operating, is we have seen a lot of data leaks relating to some of these countries and their governments. Everyone’s falling victim to data leaks in recent years. It’s big business on the dark web – selling that data, but there’s been a huge increase in the last probably 6 to 9 months, especially for China, in terms of government data being leaked.
There was a huge leak of the Shanghai police late last year that was assessed to be one of the biggest data breaches ever, and it had a huge amount of information about their law enforcement, but also the tools that they were using to target their citizens. So, it gave security analysts insight into what they’re doing that the governments wouldn’t necessarily want them to have, and there was another recent one as well on a GitHub repository. So not quite the dark web, but it was one of the front companies that was conducting cyberattacks on behalf of China; all of their information was released. And we’ve seen large-scale releases of Russian data, Israeli data as well, talking about those conflicts. There is information like that and while we’re all looking at that dark web data and saying, oh, this is giving us insights into these countries that we don’t know as much about, you can believe that they are also doing the same. So, when there are leaks of US, UK, European data, those countries are definitely going to have individuals that are on those dark websites collecting that data and reviewing it as well.
Mark: What do we do about this? It’s not like these four countries are going to wake up tomorrow and become parliamentary democracies and decide to conform to rules of international law. So, what do we do? What do we do about this?
Erin: I think it’s points we’ve already mentioned. You just have to be vigilant, and you have to have as much security as possible. I think there’s education that needs to happen to people about how you should operate, as you said, like these phishing techniques, password spray attacks, things like that. They’re fairly simple and they’re things that we can educate people about, and I think we’ve been too focused in recent years on, okay, people know that if you get a bad email that you shouldn’t click on it, hopefully most of the time, but we’re seeing more and more smishing attacks, so text messaging, and with the advent of AI, you can develop someone’s voice and get them to say anything you want them to say. So, you can get, like, a voicemail from your boss telling you to send money or to click on a link. Things are becoming way more sophisticated in terms of how attacks can be conducted, and therefore our education to people about how to combat those attacks needs to be more sophisticated, and I think it’s just staying up to date with what these threat actors are doing, and this isn’t just the nation-states, it’s across the board, like what tools and techniques are being utilized, and are your systems set up to protect against those vulnerabilities? So I think it’s trying to be as proactive as possible and not just reacting when attacks happen.
Ransomware continues to be a threat globally. While complete ransomware statistics are difficult to track, because criminals cannot be counted as a reputable reporting source, 2023 broke several ransomware records according to the attacks reported on ransomware actors’ leak sites and in publicly reported incidents.
According to cyber threat intelligence industry and government metrics made publicly available, the United States remained the top targeted nation, with 55% of ransomware incidents targeting the country. In most months the number of attacks soared, with November 2023 clocking in at 89 reported attacks, a record for reported incidents within a single month. The number of incidents is not the only significant increase: ransomware data exfiltration rates exploded, with notable data exfiltration to China. Likely due to increased use of the double extortion technique, payments also increased, with traceable payments exceeding one billion dollars for the first time. In this blog, we review the key ransomware trends of 2023 as well as the notable events.
2023 Ransomware Trends
Commonly observed ransomware trends throughout 2023 included:
Ransomware actors intentionally deploy two different ransomware variants in the same attack on the same victim, which often results in data destruction in several closely spaced waves.
Double extortion, where threat actors demand a payment or threaten to release data, has been a trend for years; this newer trend of a second ransomware variant entering an already compromised network results in significantly more financial loss, reputational damage, data loss and exfiltration, making recovery even more difficult.
Extortion increased
Multiple layers of extortion, including triple and quadruple extortion, became part of regular ransomware operations instead of being included only sporadically in ransomware campaigns.
Encryption Decreased
Intermittent encryption became more common than complete encryption, reducing the time needed for a successful operation. Encryption is a time-consuming process. Partially encrypting files shortens the malicious phase of the operation and reduces the window in which the actor’s presence in a network might be exposed. By reducing the amount and frequency of encryption, actors can exfiltrate data more quickly and then exit the network.
PII continues to appear on data leak and ransomware victim leak sites, and an increase in other document types being shared has also been observed.
Ransomware actors are increasingly targeting Critical Infrastructure/Key Resources (CI/KR) blueprints and documents, moving toward damaging physical structures and the sectors needed for everyday services, such as water, power, electricity, food supply and more.
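The intermittent encryption trend above is easier to reason about with a small simulation. The Python below is an added illustration (not DarkOwl’s code and not any ransomware family’s): it encrypts every other chunk of a constructed sample file with a stand-in cipher (SHA-256 in counter mode XORed over the data), then shows the per-chunk Shannon entropy check a defender can use to tell plaintext, fully encrypted and intermittently encrypted files apart. The chunk size, threshold, key and sample content are all assumptions made for the demo.

```python
"""Added example (not DarkOwl's or any ransomware family's code): simulate
intermittent encryption and detect it with per-chunk Shannon entropy.
Keystream: SHA-256 in counter mode, a stand-in for a real cipher.
Chunk size, threshold, key and sample content are assumptions for the demo."""
import hashlib
import math

CHUNK = 4096  # assumed chunk size; real families pick their own stride


def keystream(key, length):
    """Deterministic pseudo-random bytes: SHA-256(key || counter), truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_intermittent(data, key, every=2):
    """XOR one chunk out of every `every` chunks with a per-chunk keystream.
    every=1 is full encryption. XOR is an involution, so running the same
    call over the output restores the original bytes."""
    out = bytearray(data)
    for start in range(0, len(data), CHUNK):
        if (start // CHUNK) % every != 0:
            continue  # skipped chunk stays plaintext
        end = min(start + CHUNK, len(data))
        ks = keystream(key + start.to_bytes(8, "big"), end - start)
        for j in range(end - start):
            out[start + j] ^= ks[j]
    return bytes(out)


def shannon_entropy(buf):
    """Bits per byte: close to 8.0 for ciphertext, much lower for text."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_profile(data, high=7.5):
    """One flag per chunk: True when the chunk's entropy is at or above `high`."""
    return [shannon_entropy(data[i:i + CHUNK]) >= high
            for i in range(0, len(data), CHUNK)]


def classify(data, high=7.5):
    """Label a buffer from the pattern of high-entropy chunks."""
    flags = chunk_profile(data, high)
    if all(flags):
        return "fully-encrypted"
    if not any(flags):
        return "plaintext"
    return "intermittent"  # mixed high/low chunks: the intermittent signature


def encrypted_fraction(data, high=7.5):
    """Share of chunks that look encrypted (0.5 for every=2 on a whole file)."""
    flags = chunk_profile(data, high)
    return sum(flags) / len(flags) if flags else 0.0


# Constructed sample: repetitive low-entropy text, exactly ten chunks long.
LINE = b"INVOICE 2023-11 line item: widget qty 10 price 4.50\n"
SAMPLE = (LINE * 800)[:CHUNK * 10]
KEY = b"demo-key-not-secret"


if __name__ == "__main__":
    partial = encrypt_intermittent(SAMPLE, KEY, every=2)
    full = encrypt_intermittent(SAMPLE, KEY, every=1)
    for name, buf in (("plaintext", SAMPLE), ("partial", partial), ("full", full)):
        print(f"{name:10s} {classify(buf):16s} "
              f"encrypted fraction={encrypted_fraction(buf):.2f}")
```

The detection side is the part worth keeping: a file whose entropy alternates between chunks is a strong hint of intermittent encryption, whereas a uniformly high-entropy file may simply be a compressed archive or an already encrypted container, so an entropy check should be combined with file-type knowledge before it raises an alert.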
Most Active Groups
The LockBit ransomware gang was the top actor of 2023, with BlackCat/ALPHV the second most active. The latter was temporarily taken offline by a law enforcement operation in December 2023, and the former in February 2024. Both groups, however, came back online almost as quickly as they were removed, resuming operations on new infrastructure.
Summer of Ransomware
Originally observed in 2019, the Cl0p ransomware gang began using the MOVEit vulnerability to target victims in May 2023 and continued the campaign all summer long. The group, also tracked as TA505, exploited CVE-2023-34362, a SQL injection vulnerability in MOVEit Transfer; MOVEit is used to manage file transfer operations in thousands of organizations. Cl0p’s use of this vulnerability impacted many big-name brands and firms and received a high level of media attention. One of the final estimates is that about 2,000 vulnerable MOVEit installations were affected, impacting ~60 million individuals globally. The numbers will remain uncertain due to unreported incidents and entities trying to cover up the impact of a network intrusion (Figure 1). Experts estimated that the group could receive $100 million in payments from exploiting this vulnerability.
Figure 1: Cl0p actors communicate with the public via one of their many messages on their leaks site, from summer 2023
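The vulnerability class behind the MOVEit campaign is worth seeing in code. The snippet below is an added illustration written for this review, not MOVEit Transfer’s code or anything from Cl0p: a lookup that builds its SQL by string concatenation, beside the parameterized version, run against an in-memory SQLite table. The table, its rows and the payload are constructed for the demo.

```python
"""Added example (not MOVEit or Cl0p code): the SQL injection class named in
the text, as a vulnerable lookup next to its parameterized fix. The table,
rows and payload are constructed for the demo."""
import sqlite3


def build_db():
    """In-memory SQLite table with a few constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "user"), (2, "bob", "admin"), (3, "carol", "user")],
    )
    return con


def find_user_vulnerable(con, username):
    """String concatenation: attacker-controlled input becomes SQL syntax."""
    sql = (
        "SELECT id, username, role FROM users WHERE username = '"
        + username
        + "'"
    )
    return con.execute(sql).fetchall()


def find_user_safe(con, username):
    """Parameter binding: the driver treats the value as data, never as SQL."""
    return con.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Hypothetical payload: closes the string literal, adds a predicate that
# matches every admin, and comments out the trailing quote with "--".
PAYLOAD = "' OR role = 'admin' --"


if __name__ == "__main__":
    con = build_db()
    print("vulnerable:", find_user_vulnerable(con, PAYLOAD))  # leaks the admin row
    print("safe:      ", find_user_safe(con, PAYLOAD))        # no such username
```

The fix is not input filtering but never letting user input reach the SQL parser as syntax; every database driver offers placeholder binding for exactly this reason.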
The ALPHV/BlackCat ransomware group was one of the most active ransomware groups throughout 2023. In September 2023 it claimed responsibility for the MGM cybersecurity incident through a post on its leak site. Slot machines went down, key cards stopped working, and other services were interrupted at MGM resorts and hotels nationwide. News broke on Wednesday, 13 September, that ALPHV/BlackCat was responsible. On 14 September, new reports emerged that “Scattered Spider” was also involved in the incident. Scattered Spider is assessed to be an English-speaking cybercrime group operating as an ALPHV affiliate. Scattered Spider also reportedly hit Caesars Entertainment on 7 September 2023; Caesars paid tens of millions to remain operational and did not experience an outage. The actors addressed the MGM outage on the ALPHV blog (Figure 2):
Figure 2: Actors discuss the summer 2023 MGM incident, for which Scattered Spider, an ALPHV affiliate, took responsibility; Source: DarkOwl Vision
Most Targeted Sectors
Healthcare
The healthcare sector was the most targeted sector of 2023. The healthcare industry is a valuable target and, in the words of cyber professionals, a “target rich, security poor” industry, which is why some malicious actors target it so frequently. While some ransomware gangs swear off medical and healthcare entities, others actively go after this industry and view it as an easy target. Examples are not exhaustive and are only meant to provide a high-level view of observed trends:
Rhysida ransomware, a group first publicly reported in 2023, targeted Prospect Medical Holdings (PMH) in early August 2023 and subsequently claimed to have procured upwards of 500,000 corporate documents and patient records, including Social Security numbers.
This incident established Rhysida as a serious ransomware gang: PMH is a notable target and the data procured is highly sensitive.
ALPHV/BlackCat attacked Henry Schein in two consecutive months. The first incident was in October 2023, and in November 2023 the company was again listed as a victim. Henry Schein declined to speak to reporters about the incidents but did acknowledge, after each incident and after each appearance on the ransomware blog, that it was working quickly to re-establish the customer-facing services that were impacted.
Thirty hospitals in the Ardent Health Services system were hit by a ransomware attack in November 2023 that has not been attributed to a named group, resulting in emergency services being diverted. While Ardent is headquartered in Tennessee, the impact was felt across six states. Ardent Health issued a public statement about its “around the clock” efforts to restore services. For the first three days after the incident, ambulances were re-routed to other providers, and Ardent Health advised patients to call their providers directly for help. In January 2024, it began mailing letters directly to impacted patients.
The impact on healthcare as a whole was so large that CISA authored guidelines specifically for the health sector to improve cybersecurity practices and reduce the chances of becoming a victim.
Defense
While healthcare was the most targeted sector, the defense industrial base was not far behind as a ransomware target. Many large incidents involved governments as well as the defense contractors who provide weapons and technology to world governments. With the Ukraine-Russia conflict continuing and a new Middle East conflict emerging in October 2023, the defense sector remains at elevated risk of cyber-meddling and incidents. Examples are not exhaustive and are only meant to provide a high-level view of observed trends:
UK-based Zaun Ltd, which specializes in physical and perimeter security, revealed on 1 September 2023 they were a victim of LockBit ransomware.
LockBit also claimed to have infiltrated Boeing’s systems using a zero-day. Boeing appeared on the LockBit leak site at the end of October 2023, but at the time of listing the group offered no proof of data or material belonging to Boeing.
Austal USA, the US subsidiary of Australia-based shipbuilder Austal, revealed it was the victim of a cyberattack on 6 December 2023. Austal USA holds contracts and multiple programs with the US Navy. The Hunters International ransomware group claimed responsibility for the incident.
Going Offline: Ransomware Operations that Shut Down Throughout 2023, Early 2024
Whether to preserve their operations and profits, or because law enforcement finally caught up with them, several high-profile ransomware groups went offline during 2023, and the trend continued into the first part of 2024 (Table 1):
| Group | Date Observed Offline | LE Involvement? | Intentional Rebrand? | Sold Source Code? | Reestablished Operations? |
| --- | --- | --- | --- | --- | --- |
| Hive | Jan 2023 | Y | N | Y | Y, as “Hunters Int’l” |
| Royal | Fall 2023 | N | Y | Unconfirmed if code was sold, but the overlap between Royal and Black Suit is publicly documented | Y, as “Black Suit” |
| RansomedVC | Oct 2023 | N | Y | Y | Y, as “Raznatovic” |
| Ragnar Locker | Oct 2023 | Y | N | N | N |
| BlackByte | Dec 2023 | | | | |
| ALPHV/BlackCat | Dec 2023 | Y | N | N | Y |
| LockBit | Feb 2024 | Y | N | N | Y |
| Knight | Feb 2024 | N | N | Y | TBD, as the post selling the code has been taken down, but no purchase or rebranding has yet been announced. |
| ALPHV/BlackCat | Mar 2024 | N | N | TBD, affiliates could have access to what infrastructure was used post law enforcement takedown. If they aren’t paid part of their profits, they could expose what information they have for profit, revenge, or both. | No, exit scammed. |
In March 2024, ALPHV/BlackCat continued to make news when they shut down their onion site after their latest big victim, UnitedHealth’s Change Healthcare unit, purportedly paid their $22 million ransom (Figure 3):
Figure 3: ALPHV affiliates discuss the shutdown of BlackCat/ALPHV operations; Source: DarkOwl Vision
Several of the groups that shut down of their own volition issued public statements or expressed their sentiments on various platforms (Figures 4 and 5). RansomedVC announced the sale of its source code on Telegram after pulling out of the project for “…personal reasons,” while the Knight ransomware group offered its source code for sale on the RAMP forum:
Figure 5: Knight ransomware source code is offered for sale on RAMP forum. The post remained available for under 24 hours, and then was taken down. It is unknown if the source code was purchased.
Newly Emerged: Ransomware Forums and Tactics
In October 2023, DarkOwl analysts identified a new darkweb ransomware forum when the admin of Ramp posted an in-depth advertisement and endorsement for Ransomed Forums. The forum advertises ransomware-related topics such as RaaS offerings, as shown in Figures 6 and 7 below. DarkOwl analysts also observed that chatter about Ransomed Forums on other platforms increased during the fall of 2023, so anticipation in the wider threat actor community is likely high as the forum gains users and momentum online.
Figures 6 and 7: Ransomed forums, a new ransomware focused online community, emerged in October 2023 and had an advertisement on similar forum Ramp.
New websites and forum offerings such as these will give alternatives to the traditional onion websites used to advertise victims as well as data for sale. Actors have espoused, on multiple platforms, that onion websites may no longer be safe, and that certain forums or online communities are better options for malicious operations. These include direct messaging platforms, such as Tox or Jabber (Figure 8).
Figure 8: An actor discusses not using onion websites for certain kinds of hacking activities; Source: DarkOwl Vision.
Figure 9: Actors discuss Tox being a safe chatting option on the DDW; Source: DarkOwl Vision
Copycat Operations
When the notorious ransomware group Conti ceased operations in 2022 and one of their disgruntled affiliates leaked internal documents and chats, the CTI community gained important insight into ransomware processes and operations. Their setup as a business with recruitment operations was confirmed; they had penetration testers and coders, as well as financial incentives for their employees.
In a similar vein, LockBit 3.0’s ransomware builder leaked in 2022, but 2023 was the year that cybercrime groups and individual threat actors used the builder to release hundreds of new variants. Variants were sold to other cybercriminals and used against multiple victims. This version was more evasive than its predecessors, better able to escape detection tools. The CTI community also noticed that it shared overlap with BlackCat source code.
After this series of events, the community was able to take a few observed incidents and confirm them as trends going forward:
Tox was confirmed as the preferred method of contact over DDW forums, including the messaging features built into those forums.
Ransomware actors appear to want to sell their ransomware operations to other actors for financial gain and are less willing to carry out operations themselves due to law enforcement actions and the possibility of unhappy affiliates leaking sensitive information or turning in the primary operators of ransomware.
Other groups reusing complete or partial source code of famous ransomware operations will likely continue. They can take source code and improve it on their own, adding language exceptions, tool evasion techniques, and more personalized instructions to improve speed and efficiency of ransomware campaigns instead of starting from scratch coding their own operations.
A new group, NATIONAL HAZARD AGENCY (NHA), debuted using a new kind of ransom note containing a Tox ID and an email address (Figure 10). As National Hazard Agency continues to define its operations and TTPs, the community will inevitably monitor and learn more about the preferred communication methods and platforms, and the operational practices, of newly formed ransomware groups with ties to older groups that are no longer operating:
Figure 10: Purported aliases of a LockBit ransomware actor are discussed online, as are the links between LockBit and newly formed National Hazard Agency; Source: DarkOwl Vision
Conclusion
While 2023 witnessed several high-profile ransomware gangs shut down operations, the context and intelligence gained from these events better informs future possibilities and trends surrounding ransomware activities. Based on observed conversations on DDW forums and DDW-adjacent chat platforms such as Telegram, the criminal underground wants to continue to capitalize on the fear caused by ransomware. Actors know that financial opportunities abound by going after large companies and organizations, and they are especially encouraged by large payments. Furthermore, geopolitical conflicts allow hacktivist groups to choose sides and further their beliefs and values by targeting their opponents; so, ransomware leads to both fruitful financial opportunities as well as fame and attention for hacktivism.
After reviewing online discussions and exchanges between malicious cyber actors, analysts expect continued reuse and repurposing of ransomware source code from older groups that is purchased or stolen, with actors making their own tweaks to said code to both personalize and capitalize on their operations and campaigns. On platforms such as Telegram, actors have been openly discussing reuse of groups’ source code who are no longer active, the pricing that this code should have, and generally sharing ideas about gaining entry to desired sectors such as healthcare, tech, and supply chains of weapons providers as well as the global defense industrial base.
Ransomware remains an efficient criminal operation yielding high profits. Even with increased disruption of ransomware groups throughout 2023 and into 2024, criminal actors stay informed and move infrastructure to protect their profits and operations. The critical infrastructure, academic, technology, and government sectors must all raise awareness and help protect against ongoing ransomware campaigns. With the advent of AI, ransomware operations will become even more robust: automated spear phishing templates and emails can reach several thousand, rather than several hundred, possible entry points into an organization. Continuous monitoring allows events such as ransomware attacks to be identified earlier. By detecting your brand, employee names, intellectual property, or other material on a leak site before the actors auction it off to the highest bidder or make it publicly available, you can reduce reputational damage and avoid the erosion of trust that occurs during cyber incidents.
DarkOwl Vision allows organizations to monitor these ransomware groups on the darknet, to identify more information about their tactics, techniques, and procedures and the sectors they are targeting. DarkOwl analysts continuously monitor the darknet to identify emerging new groups and who the most recent victims are to best track and predict potential attacks.
DarkOwl analysts regularly follow threat actors on the darknet who openly discuss cyberattacks and disseminate stolen information such as critical corporate or personal data. Such analysis helps DarkOwl’s collection team direct crawlers and technical resources to potentially actionable and high-value content for the Vision platform and its clients.
Introduction
In the digital age there are many groups of threat actors operating in the cyber realm, targeting different industries and countries and driven by different motivations. It is important to monitor these groups in order to identify who they are likely to target, what methods they are using and how they are operating. In this blog, we explore one such group, known to security researchers as SCATTERED SPIDER (SS).
Who is SCATTERED SPIDER?
SCATTERED SPIDER are assessed by cyber security researchers to be a cybercriminal group known to target large companies and their supply chains. Reporting indicates that they have largely engaged in data theft, which they then use for extortion, and they have also been known to deploy ransomware associated with BlackCat/ALPHV. Cyber security researchers assess, however, that this activity is attributable to several groups, all of which are part of a larger collective known as the Com. In addition to conducting cyber attacks, SCATTERED SPIDER are also reported to be involved in violent activity, doxing and swatting.
Although the group appear to have been active since 2022, it is unclear who the individuals behind the activities are, how many individuals are involved, or how they select their victims. However, their motivations do appear to be for financial gain. There have been some indications that some of the individuals in the group may be based in the USA or the UK, but this has not yet been confirmed. The group have recently become the focus of US law enforcement investigations due to their high-profile activities.
Tactics, Techniques and Procedures (TTPs)
By analyzing TTPs, cybersecurity professionals can attribute attacks to specific threat actors or groups. Understanding the tactics used by these adversaries can provide insights into their motivations, capabilities, and potential targets. This information can be invaluable in understanding how attacks are executed and identifying potential vulnerabilities in an organization’s defense.
According to a threat alert from CISA, the group are known to use social engineering techniques including phishing, push bombing, and SIM swap attacks, which they use to obtain credentials, install remote access tools (RAT) and bypass multi-factor authentication (MFA).
Social engineering is a very effective way for threat actors to conduct attacks – they use information available through social media and other open sources to craft attacks that look legitimate. It can also be used outside the cyber realm to convince individuals to take an action. SCATTERED SPIDER have successfully posed as IT/helpdesk staff to convince employees to share credentials, to run RATs that enable initial access, and to share one-time passwords (OTP) that bypass MFA.
CISA reports that broad phishing attacks have been observed using domains associated with the target. They will then use SIM swapping against those individuals who respond to the phishing attack. Then, they will utilize this to conduct an account takeover.
SCATTERED SPIDER are also known to conduct Living off the Land (LotL) attacks. LotL attacks refer to a strategy employed by cyber attackers to carry out malicious activities using legitimate tools and resources already present on a compromised system, rather than relying on traditional malware. This approach makes LotL attacks harder to detect by security tools since they leverage trusted processes and utilities, blending in with normal system behavior. Researchers report that the group have adopted tools such as PowerShell to conduct reconnaissance as well as exploiting identity providers and modifying security systems to conduct their malicious activities.
According to CISA and FBI investigations, the following legitimate tools and malware have been used by the group to conduct malicious activities.
| Tool | Intended Use |
| --- | --- |
| Fleetdeck.io | Enables remote monitoring and management of systems. |
| Level.io | Enables remote monitoring and management of systems. |
| Mimikatz | Extracts credentials from a system. |
| Ngrok | Enables remote access to a local web server by tunneling over the internet. |
| Pulseway | Enables remote monitoring and management of systems. |
| Screenconnect | Enables remote connections to network devices for management. |
| Splashtop | Enables remote connections to network devices for management. |
| Tactical.RMM | Enables remote monitoring and management of systems. |
| Tailscale | Provides virtual private networks (VPNs) to secure network communications. |
| Teamviewer | Enables remote connections to network devices for management. |
Table 1: Legitimate Tools Used by Scattered Spider; Source
| Malware | Intended Use |
| --- | --- |
| AveMaria (also known as WarZone) | Enables remote access to a victim’s systems. |
| Raccoon Stealer | Steals information including login credentials, browser history, cookies, and other data. |
| VIDAR Stealer | Steals information including login credentials, browser history, cookies, and other data. |
Table 2: Malware used by Scattered Spider
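Because everything in Table 1 is a legitimate product, the detection value lies in context rather than in the tool name alone: an RMM agent that IT has not sanctioned, a binary launched from a user profile, or a hidden, encoded PowerShell invocation on the same host. The following added example (not DarkOwl’s, CISA’s or FBI’s code) triages constructed Sysmon-style process-creation events for the tool set above. Matching a vendor name as a substring of the image path or command line is an assumption about how these tools appear on disk; the sanctioned-RMM set, host names, users and paths are all constructed.

```python
"""Added example (not DarkOwl's, CISA's or FBI's code): triage of constructed
process-creation events for the Scattered Spider tool set in Tables 1 and 2.
The tools are legitimate, so the signal is their presence where IT has not
sanctioned them, in user-writable paths, or next to hidden/encoded PowerShell."""
import re
from dataclasses import dataclass

# Tool and vendor names from Table 1. Matching a name substring in the image
# path or command line is an assumption about how the tools show up on disk.
RMM_TOOLS = ("fleetdeck", "level.io", "pulseway", "screenconnect", "splashtop",
             "tacticalrmm", "tailscale", "teamviewer")
TUNNEL_TOOLS = ("ngrok",)
CRED_TOOLS = ("mimikatz",)

# Constructed: the RMM product this organisation's IT team actually uses.
SANCTIONED_RMM = {"screenconnect"}

# -EncodedCommand/-enc/-e and -WindowStyle/-w hidden are real powershell.exe switches.
PS_ENCODED = re.compile(r"-(?:encodedcommand|enc|e)\s+[A-Za-z0-9+/=]{20,}", re.I)
PS_HIDDEN = re.compile(r"-(?:windowstyle|w)\s+hidden", re.I)


@dataclass
class Event:
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str
    parent: str


def classify(ev: Event) -> list:
    """Return finding tags for one event; an empty list means nothing notable."""
    hay = f"{ev.image} {ev.cmdline}".lower()
    tags = []
    if any(t in hay for t in RMM_TOOLS):
        tags.append("rmm-tool")
    if any(t in hay for t in TUNNEL_TOOLS):
        tags.append("tunnel")
    if any(t in hay for t in CRED_TOOLS):
        tags.append("credential-dump")
    if ev.image.lower().endswith("powershell.exe"):
        if PS_ENCODED.search(ev.cmdline):
            tags.append("ps-encoded")
        if PS_HIDDEN.search(ev.cmdline):
            tags.append("ps-hidden")
    # A binary run from a user profile rather than Program Files is a common sign
    # of something the user installed after a "helpdesk" call, not IT.
    if "\\users\\" in ev.image.lower():
        tags.append("user-path")
    return tags


def triage(events, sanctioned=SANCTIONED_RMM):
    """Apply classify() to every event, downgrading RMM tools IT has approved."""
    findings = []
    for ev in events:
        tags = classify(ev)
        if "rmm-tool" in tags:
            hay = f"{ev.image} {ev.cmdline}".lower()
            if any(t in hay for t in sanctioned):
                tags[tags.index("rmm-tool")] = "rmm-sanctioned"
        if tags:
            findings.append((ev.host, ev.user, tags))
    return findings


def summarize(findings):
    """Collapse findings to host -> sorted distinct tags, so a host that combines
    several weak signals (tunnel + user-path + encoded PowerShell) floats to the top."""
    by_host = {}
    for host, _user, tags in findings:
        by_host.setdefault(host, set()).update(tags)
    return {h: sorted(t) for h, t in by_host.items()}


# Constructed sample events (Sysmon-style process creation, not real telemetry).
SAMPLE_EVENTS = [
    Event("WS01", "jdoe", r"C:\Users\jdoe\Downloads\ngrok.exe",
          "ngrok.exe http 8080", "explorer.exe"),
    Event("WS01", "jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAA=",
          "cmd.exe"),
    Event("SRV02", "svc_it",
          r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
          "ScreenConnect.ClientService.exe", "services.exe"),
    Event("WS03", "msmith", r"C:\Users\msmith\AppData\Local\Temp\TeamViewer\TeamViewer.exe",
          "TeamViewer.exe", "explorer.exe"),
    Event("WS03", "msmith", r"C:\Windows\System32\notepad.exe", "notepad.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for host, user, tags in triage(SAMPLE_EVENTS):
        print(host, user, ", ".join(tags))
    print(summarize(triage(SAMPLE_EVENTS)))
```

On the sample data the sanctioned ScreenConnect service on SRV02 is downgraded, TeamViewer running from a Temp folder on WS03 stays flagged, and WS01 accumulates four distinct signals, which is the host an analyst would look at first.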
The group have also been reported to use extortion techniques; this is becoming an increasingly popular method of attack for groups, particularly those associated with ransomware. The threat actor steals data from the victim and then threatens to release it if the victim does not pay a set amount of money. In the case of ransomware, groups often maintain a “shame site” where they publish a list of victims and sometimes give them a set amount of time to pay before the data is released.
Researchers believe that SCATTERED SPIDER are an affiliate of the BlackCat/ALPHV ransomware group, one of the most active groups and one that was subject to law enforcement action in late 2023. As an affiliate, SCATTERED SPIDER will have access to their ransomware binaries, support, negotiations, and leak site. It is worth noting that Russian ransomware-as-a-service operations do not usually allow affiliates from Western countries; that they have in this case highlights the impact and success this group are having, which in turn means the ransomware group can profit from their actions. It is also worth noting that BlackCat/ALPHV appear to have recently conducted an exit scam. DarkOwl will continue to monitor whether SS affiliates with another ransomware group in the wake of this.
Victims
SCATTERED SPIDER have targeted a number of different types of victims. According to MITRE, when they emerged in 2022 they targeted customer relationship management and business process outsourcing firms as well as telecommunications and technology companies. Recent activity has shown them targeting other sectors including critical infrastructure organizations.
In August 2022, the telecommunications company Twilio was a victim of SCATTERED SPIDER activities – their customer details were accessed as well as internal applications. This allowed SS to access a dashboard which gave them access to Okta authentication through SMS. It is likely that the group used this access to conduct other attacks.
In September 2023, MGM Resorts in Las Vegas was the victim of a cyber attack that led to computer shutdowns across the organization’s US operations. There were reports of empty casino floors and problems entering rooms, and in the aftermath MGM expected a $100 million hit to its third-quarter results. Soon after the attack, a post was made on the BlackCat/ALPHV leak site taking responsibility. However, it was widely reported that an affiliate group, SCATTERED SPIDER, was actually responsible for the attack.
Figure 1: BlackCat/ALPHV leak site statement on MGM
Cyber researchers from VX-Underground reported that SS were allegedly able to breach MGM by impersonating an employee in a phone call to the company’s helpdesk. It was also reported that they had successfully targeted Western Digital and Caesars Entertainment. In the latter case, it was reported that a $30 million ransom was paid to avoid customer data being shared. These high-profile attacks have led the group to come under more scrutiny from law enforcement.
Online Communications
Actors assessed to be connected to this group are active on both Telegram and Discord where they interact with each other, boast about their activities, and share tools and techniques. There are many different channels and servers where these groups operate depending on who they are affiliated with and what activity they are seeking to discuss.
In an upcoming blog, we will review the activity on one of these Telegram channels and the main actors active on them. Subscribe to email to get that blog delivered straight to your inbox.
Conclusion
SCATTERED SPIDER have successfully targeted a number of high-profile victims, drawing the attention of cyber security experts and law enforcement. They have secured large sums of money from their victims and continue to use social engineering techniques against them. The fact that they contact helpdesks highlights the need to train the individuals working in those roles on this threat. While companies often provide training on the risk of phishing emails, less attention has been paid to vishing, smishing and OTP-theft techniques. It is imperative that this training is conducted widely.
It is also likely that the individuals perpetrating these crimes are young and Western based. While many assume that cyber criminals operate from Russia and Eastern Europe, this group shows that cybercrime in the Western world is also prevalent. However, this does leave them open to law enforcement action from the FBI or UK police. It is likely, given the attention they have recently received, that arrests will be forthcoming.
DarkOwl Sources
DarkOwl is an open-source intelligence (OSINT) platform that aggregates information from various underground sources to discern actionable and meaningful intelligence that can be utilized across multiple industry sectors including commercial applications, law enforcement, and national security initiatives.
Remembering the subtle differentiations between data, information, and intelligence, DarkOwl’s key sources of raw data are described here.
In honor of the launch of our newest product feature, our marketing team sat down with DarkOwl’s Director of Client Engagement, Caryn Farino and Product Manager, Josh Berman to learn more.
Thanks for sitting down with me today! Let’s start with some intros.
Josh: I’m Josh Berman. I’m a Product Manager here at DarkOwl. I’ve been with the company a little over five years – five and a half years. My background prior to this was in digital forensics, and before that, audio engineering. But more recently, got into cybersecurity and started here as a Product Engineer, then moved into product management, where I’ve been for a couple of years.
Caryn: My name is Caryn Farino. I’m the Director of Client Engagement here at DarkOwl and have been with the organization for just over 2.5 years. I currently manage all of our client relationships. My background is in OSINT, so I am really excited about a lot of the work that DarkOwl does to highlight darknet specific activity.
Let’s dive into our first question. What are we talking about when we talk about “forums” and “forum structuring”?
Josh: The old way of doing things was when we would collect a webpage and just scrape all the text out and give that to our clients. The advantage of that was it was more simple from a development point of view and allowed us to really focus on depth and breadth of our data. It was the first step in all of this. From a user perspective, that makes it difficult to understand what you’re looking at – there’s a lot of text on a forum page or a marketplace page or ransomware page. Pretty much anything you’re looking at that is not relevant to what you’re actually looking for. So something like following a forum thread on a document that’s a wall of text is very difficult. Not a lot of fun.
Forum structuring basically takes out the parts of the page that are irrelevant. So the actual thread, usernames, post-dates, things like that and structure them into our data store in an easier to interpret and interact with way so people can do things like sort and filter by post-date rather than just when we found it, see other activity by that user, specifically what they posted, search within a post and not just on the entire page, etc. It’s a big advantage in terms of how we’re presenting the data and how the users interact with it and how they can understand it.
Caryn: I would just add on, forums by design are discussion boards. They allow users to create topics and engage in conversations. Because there’s a lot of consistency in that layout, we want to try to replicate that experience for our users. With this revamp of our forum data, we’re allowing our clients to now navigate our data like they would on a forum to be able to look at those individual posts, reconstruct the thread, and look at what other activity might be associated to that user on that board.
Figures 1 and 2 (left to right): Previous view of a thread versus new enhanced view
Why is having access to this data important in the first place?
Caryn: There’s a lot of different types of darknet forums, so we’re going to have a variety of different use cases for our clients. Some of the more prominent boards are going to have data leaks, we’re going to have highly technical communities talking about and engaging in hacking and exploit development. We’ll also see traditional fraud use cases – threat actors focusing on banking fraud, healthcare fraud, identity theft, and so on. There’s just a lot of different activity going on on these forums. We really want to be able to expose all of this for our clients to make sure that they understand what these threats are and what information is being put out there, so that they can feed into their threat model frameworks and cyber risk programs.
Josh: I don’t think I can say much better than that. Criminal stuff happens on these forums and it’s important for not just law enforcement to be able to see these, but cyber security companies looking after their own security need to be able to see this information as well. It’s important for them to see what’s going on on these forums, what people are talking about, and what threat actors are targeting, especially if it is their own business, their employees, or clients.
What enhancements have been made on the backend to our forum processing?
Josh: Basically, we are treating forum threads post by post rather than page by page. Page by page, like I said, makes it difficult to really track what’s going on. We used to treat the entire page as the same blob of text, whereas now we’re treating it as post by post so we can extract things like the usernames, the post dates, the post body, things like that. This makes it easier to search within and makes it easier to reconstruct that thread in chronological order – to interpret what’s actually going on, rather than looking at an entire page trying to figure out what page it’s related to.
Caryn: I’ll just highlight that because of that work that our product and engineering teams have done, the presentation layer now within the user interface is a much more streamlined experience for our users to be able to navigate all of that data in an easier method. This is also mirrored for our API clients, giving them the same opportunity to search and present forum data without complex queries.
Why did the team focus on these improvements?
Caryn: In working with our clients over the years, we’ve gotten a lot of feedback surrounding document post dates. So, with these improvements, we’ve added in dual capabilities, so clients have the ability not only to see when we’ve crawled that data, but when the data was posted by these forum actors. That really allows clients to look and dive into more specific timelines when they find information of concern.
What are some of the new features that you both are most excited about?
Josh: For me, it’s the thread reconstruction. So back to what I said earlier about page by page – there’s really no way to link one page to another. So, a site, a forum on the darknet, might have ten pages in a thread and you might stumble upon page three. Well, how do you find page one, page seven, etc.? There was not really a good way to do that without our thread reconstruction. We’ve now taken care of all of that for you. So regardless of what page it was posted on, if it’s part of the same thread, we can reconstruct that in chronological order. So that’s definitely a feature I’m most excited about.
Caryn: I would say, for our DarkOwl clients, I think they’re also going to be most excited about that feature as well – the simplicity to be able to navigate and reconstruct all information that was part of a specific discussion/thread. As an analyst, I would say I’m personally excited about the ability to pivot and look at what else the user has said on that forum. I think that’s an extremely valuable add-on to not only look at the posts and threads themselves but to look at what other activity that individual is involved in. We’re also extracting all of the usernames that are within the thread itself. That allows more social network analysis on threat actors communicating on the thread or a specific topic.
Josh: The other thing I was going to mention was the post-date sorting and filtering. People don’t generally care as much about when we found something, they care when it was actually posted. So maybe we found something yesterday that was posted five years ago. Not really a big deal, but these improvements allow people to show things that were actually posted for the first time within a certain time period. So whatever time period they’re interested in, they can filter to that range. They can sort by post-date to see the most recent stuff first. So it makes it a lot easier to get fresh and relevant data.
Any other thoughts on how you both see current clients utilizing this?
Caryn: I want to start with saying that within the last few days, we’ve gotten an overwhelmingly positive response from our clients on these new features. Structured data just overall is easier to work with. But I think the biggest benefit this is going to have is that by breaking out these forum posts into individual documents, we’re going to offer our clients a more concise result set where they can guarantee that their keywords are going to appear in that post, as opposed to scattered across the thread. That’s going to save analysts time in sifting through potentially non-relevant results to find the actual data they care about. And then further, with the addition of the forum usernames to our existing user search feature, clients can now look at what else those threat actors are posting, leading to a more robust dataset to work with. So if you find your keywords in a post, you can quickly create a repository of other activity by that actor. For example, if a threat actor is discussing what organizations are vulnerable to a certain CVE, that triggers your alert, and that same user is later posting on another forum about domain admin or local admin access for sale, but doesn’t list that organization (only location or industry), you can now use that information to support a connection, where you wouldn’t have historically been able to tie those two results together by keyword alone.
Learn how this enhanced feature can save your analysts time. Contact us.
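The interview above describes the move from treating a crawled page as one blob of text to extracting individual posts (username, post date, body), rebuilding a thread in posted order across pages that were crawled out of order, and pivoting on usernames. The following is an added example of that structuring on constructed data, not DarkOwl’s own pipeline: the forum markup (`div.post` with `span.user`, `span.date` and `p.body`), the thread content, usernames and timestamps are all assumptions, and real forums use different layouts.

```python
"""Added example (not DarkOwl's code): post-by-post forum structuring on
constructed HTML. Two pages of one thread are parsed into individual posts, the
thread is rebuilt in posted order regardless of crawl order, and posts can be
searched individually or pivoted by username."""
from datetime import datetime
from html.parser import HTMLParser


class PostExtractor(HTMLParser):
    """Extracts (user, date, body) from pages using the constructed markup
    <div class="post"><span class="user">..</span><span class="date">..</span>
    <p class="body">..</p></div>. The layout is an assumption for this example."""
    FIELDS = ("user", "date", "body")

    def __init__(self):
        super().__init__()
        self.posts = []
        self._current = None   # post dict being filled, or None outside a post
        self._field = None     # field whose text is currently being collected

    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class", "")
        if tag == "div" and cls == "post":
            self._current = {f: "" for f in self.FIELDS}
        elif self._current is not None and cls in self.FIELDS:
            self._field = cls

    def handle_data(self, data):
        if self._current is not None and self._field:
            self._current[self._field] += data

    def handle_endtag(self, tag):
        if tag in ("span", "p"):
            self._field = None
        elif tag == "div" and self._current is not None:
            self.posts.append({k: v.strip() for k, v in self._current.items()})
            self._current = None


def parse_page(html, page_no, crawled_at):
    """One crawled page -> post records carrying both timestamps the interview
    mentions: when the actor posted and when the crawler found the page."""
    extractor = PostExtractor()
    extractor.feed(html)
    return [{
        "user": post["user"],
        "body": post["body"],
        "posted_at": datetime.strptime(post["date"], "%Y-%m-%d %H:%M"),
        "crawled_at": crawled_at,
        "page": page_no,
    } for post in extractor.posts]


def reconstruct_thread(pages):
    """pages: iterable of (page_no, crawled_at, html) in crawl order.
    Returns every post from every page sorted by when it was posted."""
    posts = [p for no, crawled, html in pages for p in parse_page(html, no, crawled)]
    return sorted(posts, key=lambda p: p["posted_at"])


def search_posts(posts, keyword):
    """Keyword match scoped to a single post, not to the whole page."""
    return [p for p in posts if keyword.lower() in p["body"].lower()]


def posts_by_user(posts, user):
    """Pivot: everything one username said in the thread."""
    return [p for p in posts if p["user"] == user]


def participants(posts):
    """All usernames seen in the thread, for social network analysis."""
    return sorted({p["user"] for p in posts})


# Constructed fixture: page 2 of the thread was crawled before page 1.
PAGE_1 = """<html><body><h1>Thread: VPN appliances still unpatched</h1>
<div class="post"><span class="user">ghost</span><span class="date">2024-01-03 18:20</span>
<p class="body">Anyone else counting how many healthcare orgs still run the old VPN firmware?</p></div>
<div class="post"><span class="user">vex</span><span class="date">2024-01-04 08:05</span>
<p class="body">Plenty. Patch cycles there are slow.</p></div>
</body></html>"""

PAGE_2 = """<html><body><h1>Thread: VPN appliances still unpatched (page 2)</h1>
<div class="post"><span class="user">ripper</span><span class="date">2024-01-05 09:40</span>
<p class="body">Same story across healthcare, details over Tox.</p></div>
<div class="post"><span class="user">ghost</span><span class="date">2024-01-06 12:30</span>
<p class="body">Moving this to a new topic.</p></div>
</body></html>"""

CRAWLED = [(2, datetime(2024, 1, 10, 3, 0), PAGE_2),
           (1, datetime(2024, 1, 12, 3, 0), PAGE_1)]

if __name__ == "__main__":
    thread = reconstruct_thread(CRAWLED)
    for p in thread:
        print(p["posted_at"], f"page {p['page']}", p["user"], p["body"])
    print("healthcare hits:", len(search_posts(thread, "healthcare")))
    print("participants:", participants(thread))
```

The point the interview makes about result sets shows up directly: a page-level search for “healthcare” would return both whole pages, while the per-post search returns exactly the two posts that contain the word, and the sort on `posted_at` rather than `crawled_at` puts page 1 before page 2 even though it was found later.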
Last month, DarkOwl participated in ISS World Middle East & Africa in Dubai, UAE. ISS World Middle East & Africa describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering,” making it the ideal event for DarkOwl to grow our international presence, build relationships in person and spread the importance of darknet data to the international intelligence and law enforcement communities.
ISS World takes pride in focusing on education and training covering the areas of law enforcement, public safety, and government and private sector intelligence communities. The first full day of ISS events is dedicated to training and in-depth sessions. Talks throughout the event cover topics ranging from geolocation, exploiting and circumnavigating masking tech, advanced techniques in tracing suspects, open-source tools, artificial intelligence, and more.
Representing DarkOwl at ISS World Middle East & Africa was David Alley, CEO of DarkOwl FZE based in Dubai and Damian Hoffman, Product Engineer and Data Analyst out of DarkOwl’s headquarters in Denver, CO. The same power duo from last year!
One of the great advantages of this show is the true international presence and overall turnout of attendees; Damian noted that there was “essentially non-stop traffic” to the booth all 3 days of the show. Visitors from the United Arab Emirates, Kazakhstan, Qatar, Jordan, Egypt, Iraq, Morocco, Turkey, Latvia, Lithuania, Azerbaijan, Romania, Ukraine, Pakistan, India, Bangladesh, Indonesia, Malaysia, United States, UK, Germany, Italy, Greece, Israel, Rwanda, South Africa, Namibia, Kenya, Australia and elsewhere visited the booth and/or attended our live demo session. Getting to interact face to face with prospects, clients, and partners is invaluable – especially when trying to build up an international presence and grow relationships across seas from all corners of the globe. International shows demonstrate that cyber security is a global problem: no company and no government is immune to the potential risks associated with the world going truly digital.
Sharing Actor Explore
Common themes and topics that were brought up by attendees at the booth included: the use of Telegram by threat actors, Breachforums, and threat actor TTPs (tactics, techniques, and procedures). This gave David and Damian a chance to showcase one of our latest product features: Actor Explore. Actor Explore allows users to review analyst curated insights into active threat actor groups on the darknet and wider. We explore the motivations behind the groups, the tools they have used and searchable attributes to pivot on within DarkOwl Vision. Each actor profile in Actor Explore includes a detailed dossier, offering an in-depth overview of the threat actor. Additionally, DarkOwl analysts provide extensive information such as darknet fingerprints, targets, tools, CVEs, contact information, and more when available. To read further on why tracking and monitoring threat actors is important, check out our blog on this topic here.
DarkOwl is a regular sponsor of several ISS shows around the world, and we will be attending ISS World Asia and ISS World Europe later in the year. You can see where we will be around the world here.
Live Demonstration of DarkOwl Vision: Darknet Intelligence Discovery and Collection
In addition to networking and promoting DarkOwl at the booth, David was able to give a live presentation to attendees demonstrating DarkOwl Vision: Darknet Intelligence Discovery and Collection. Vision UI is the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data. The goal of this session was to further educate the international intelligence community on how threat actors on the darknet are evolving in their use of new tools and methodologies.
Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives. Vision provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to be able to dive into.
The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations. Join DarkOwl’s Director of Intelligence to learn how the darknet expands the scope of information available to researchers and analysts.
In this 30-minute session, Erin covers how darknet data:
Strengthens our ability to combat cybercrime and protect individuals and organizations
Enhances threat intelligence and helps maintain a safer digital ecosystem
Is utilized in identity theft, fraud, compromised accounts and other real world examples
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Erin: Good morning or good afternoon, everyone. I’m going to do a quick high-level talk today of what darknet data is, why it’s important and how it can fit into your investigations. Please do ask any questions that you have throughout, and I’d be more than happy to answer those. So, what we’re going to cover today is what is the dark web? A really quick intro, what is OSINT? Again, very high level. Why is dark web important? And then what I really want to focus in on are some use cases and hopefully show you how we can integrate dark web and OSINT together to find some really interesting things in our investigations.
The obligatory who am I slide… as any good analyst, I hate having any details about me on the internet, so I’m going to keep it brief, but my name is Erin. I’m the Director of Collections and Intelligence here at DarkOwl, and I’ve been an intelligence analyst for over 12 years now.
Another obligatory slide is the iceberg, you can’t really have an OSINT presentation without including an iceberg of some kind in here. This is to highlight the different areas of the internet. They’re all open-source, so they all form part of open-source investigations but obviously at DarkOwl, and me personally at the moment, focus on the darknet, but it’s always important to see the whole view and look at everything that’s going on. You want to be able to look at sources that are on the deep net and the surface net as well to make sure you’re getting as much information as possible and that you’re able to validate that information as well.
Diving into the dark web, hopefully most of you that are listening are familiar, but I’ll just give a very quick background of what the dark web is and what can be found there. I’m not going to read everything on this slide, but you can see that it’s been around since the 2000s, so we’ve got about 20 years now and there’s a lot of things that have happened in terms of the access, the marketplaces that are emerging and forums, breaches starting to occur, terrorists using the information, etc. There’s been a lot of uses of the dark web, and I would like to say that it isn’t just there for illicit uses. There are a lot of legitimate uses for the dark web. I think one of the best things is allowing some individuals that might not have open access to the internet in the countries that they live in to access a lot of websites, social media sites, etc. using the dark web that they wouldn’t otherwise be able to access. There are legitimate purposes, but obviously a lot of nefarious actors also use it and take advantage of the anonymity that they believe exists there.
What is on the Dark Web? What can you find there?
Marketplaces, people selling goods. These are usually illicit goods, usually, hacking tools, malware, data, drugs, weapons, counterfeit goods. We see all of those being sold on a regular basis. We also see forums – people chatting and talking to each other but also usually selling some kind of information or sharing information, some of it’s not all for sale. We do also see a lot of extremists, forums, people talking about, information that’s not great, but also getting together, planning events, things like that. As I just mentioned, there are also social media sites on there. There are mirrors of Twitter or X or Facebook, Reddit. All that can be accessed from the dark web. There are cryptocurrency exchanges, mixers, other forms of things. Cryptocurrency is the currency of the dark web. Really, that’s the main way that people transact. The full ecosystem for cryptocurrency also exists on the dark web. You also get news media, news sources. A lot of the main media outlets and newspapers will also have dark web mirrors. The CIA has a dark web mirror. There are a lot of legitimate sites out there. And then of course, everyone is aware of data leaks, that is the main place that they are shared and ransomware. A lot of ransomware groups will have leak sites where they will have a shame board of all their victims, which they will put on the dark web for people to go and view. If the company doesn’t pay their ransom, then that information will be released there and can be downloaded. I should say with the leaks as well, it’s usually advertised on the dark web, but the dark web is very slow in terms of downloading information. Often a downloading service or a torrent will be used if the files are quite large.
This is just to give you kind of an idea of what the dark web looks like. These are some sites selling counterfeit goods, organs, drugs, cash apps and accounts. Then also we’ve got some of the advertisements that are shown here.
You can see the different marketplaces that exist with the different areas, we’ve got people selling Social Security numbers, malware, botnets, different types of drugs. There really is this booming commercial aspect to the dark web and a lot of different stores that have been set up either for niche things or sell a huge amount of goods. And as I said, cryptocurrency is the currency of choice. You can see in that middle image: Monero, Bitcoin, Dogecoin, Litecoin are just some of the ones that are accepted. But it is a variety of cryptocurrencies that are usually accepted these days.
There are quite a lot of challenges, though, with collecting from the dark web. I mean, the first one is you’ve got to know where to look. You don’t have the nice URLs that you would get on the surface web. You also don’t have Google to help you. There are search engines on the dark web, but the majority of sites are not indexed and therefore not easy to find. You need to know where to look, and need to be into networks where that information is being shared. You also, in most cases, need a login to access the pages. So, you need to create personas and you need to do that in a secure way. The threat actors that set up these sites and maintain these sites are very against bots. They’re very against DDoS, all of the things that they’re very familiar with, but also, they don’t want people going in and crawling the data. They don’t want people to access it that aren’t there for the purposes that they’ve set it up for. I would say the dark web has some of the most sophisticated captchas I have ever seen. I can spend quite a bit of my day just trying to solve math issues or see letters in squiggly lines or putting images together. It is quite difficult to get into those. There are a lot of bot traps on the dark web and a lot of human interaction that is required to get into it. It’s not easy, but there is a huge amount of data and intelligence to be found once you do get into those sites.
I also just wanted to touch on before I get into some of what that data is what we call at DarkOwl dark web adjacent sites. These are things that are not necessarily on the dark web. They’re not on Tor or I2P or ZeroNet, or some of the other dark web services that are out there but they are used by the same types of people. They are used in the same kind of way. Telegram is a huge one where we do see a huge amount of marketplaces. We see a lot of fraud being conducted. We see a lot of hacking operations. There’s a lot of hacktivist channels, extremist channels, etc. That’s something that you need to be aware of as well when you’re doing these dark web and OSINT investigations. I’ve also mentioned ICQ and Jabber. But there are other things like Rocket, Tocket.io, Tox and things like that where people are communicating. We also see it on gaming apps. Discord got a lot of publicity last year with the leaks from the Pentagon leak. I believe he was just sentenced, actually, this week. In terms of leaking that information on there, but generally, a lot of threat actors are on Discord actively. It is a gaming site, but you can set up different servers and different channels. And so, we see a lot of people sharing and operating there as well. Then a lot of threat actors these days aren’t as worried about anonymity as they perhaps used to be. There’s been a lot of instances where dark web forums and marketplaces have been taken down by law enforcement action. So, some threat actors, I think, think, why should I go to all of this effort of having a Tor node and a Tor site and setting this up when I could just do it on the surface web with the same risks, almost. There are marketplaces that are vendor shops that are forums that sit on the surface web that’s still used by the same kind of actors for the same kind of use cases. We’re very much monitoring and looking at those as well.
To give you an idea of some of the things that we’re able to find from the darknet. A lot of data comes from the darknet, so we see things, huge amounts of personal data, PII. That is the currency of the dark web at the moment. I would say we see a huge amount of issues being stolen, email addresses, passwords, Social Security numbers, social media accounts, stealer logs becoming really prevalent in the last year or two. There’s cookies in there. There’s two factor authentication sign-ins. There’s key questions, etc. So, there’s a huge amount there. We also see a lot of banking information and fraud. There’s a lot of corporate data, especially with ransomware attacks which are only increasing. I’ve mentioned malware and then also risks. There’s a lot of threat actors on the dark web that are very good at what they do. There’s a lot of cyberattacks. There’s a lot of education, actually, on the dark web about how you can conduct those cyberattacks, leaks, etc. There’s a huge amount of information out there if you know where to look.
Will you be discussing during this webinar the uptick in Drainer as a service (DaaS) or explaining it to those new to dark web marketplaces?
No, that is not in the presentation, but I can definitely get to that at the end.
OSINT 101
OSINT is open-source intelligence. It’s information that’s been found from open-sources. Any information found on the dark web does count as OSINT information but obviously it’s a lot broader than that. These are just some of the sources and information that’s out there that you can use as part of OSINT to find information for whatever kind of investigation you’re trying to conduct.
I did want to highlight some tips in terms of doing OSINT. This is true of looking on social media or looking on the dark web. I created my little AI generated sock puppet. That’s what that’s supposed to be if no one can tell, but always use the sock puppet. Always have a persona, always ensure that you’re doing this in a secure way – using VPN or proxies. Use a virtual machine, use burner phones. Don’t use any of your own equipment to do any of these investigations. You should never cross over your real-life persona with what you’re doing online, ensuring that you’re recording all of the information you find. I mean, it really depends on if you’re doing this for law enforcement or internally. But I would say most people you need to record what you’re finding with the dates, the timestamp so you are able to validate the data is accurate as of the time that you found it. Because obviously all of these things can change, and particularly with the dark web sites go up and down all of the time. What you find today might not be there tomorrow. It might not be there an hour from now. There are a lot of open-source tools out there that can help you with doing that kind of collection. So I would recommend looking into those and if anyone has any questions, I’m more than happy to share some of the tools that I’m aware of that can help you with that collection. There’s lots of other OSINT tips and tricks out there. There’s a huge amount of resources online and for anyone who’s new to the area, I would recommend having a look at those.
Why is Dark Web Important to OSINT Investigations
Basically, there’s a lot of illicit information and activity that’s happening on the dark web, so it can be a really good starting point for investigations in terms of finding out what’s going on. You can see what people are discussing, you can see trends, you can see victims, you can see how things are operating. Then moving into more surface web OSINT investigations, you can sometimes expand on that and build out a really big picture. I would say they’re very complementary to each other and especially if you’re looking at fraud or extremism or drugs or weapons trafficking or human trafficking, the dark web is going to be a really valuable source for you to find information and data points to help you in your investigation.
LockBit
Now I’m hopefully going to go on to some of the interesting bits and walk you through a couple of recent case studies that we have. I’m going to start with Lockbit. Obviously, this has been in the news a lot recently. Kathy is going to share in the chat a blog that we recently did on Lockbit. I think it’s been about two weeks now, Lockbit leak site was taken down by law enforcement. Really interestingly, I thought, rather than just seizing the site as they usually do, they actually had fun with it and started posting on the leak site things about the Lockbit group themselves. One of the things that they did share was that there were two Lockbit affiliates that they had sanctioned and put indictments against. This is after the fact, but I wanted to highlight how you can get really good information from government sources and official sources about threat actors, and then use that and pivot into other data.
So here we have this individual, Ivan, I’m not going to attempt to say, but Vassalord. We’ve got all his usernames and things that he’s using here, and we can pivot in our own data. We were able to identify that he was active on a number of dark web Russian speaking forums. Here we can see him, this is in Russian, I haven’t translated it, but he is selling malware. He is giving people advice on different malware and also selling it within the group. So, through looking at this you know obviously it’s after the fact, but we can see what his activity was. We can see this dates back to 2022, but we can also see who he was interacting with. We can see kind of what tools he was operating, and we can see more information about him. You can also then take that information and put it into social media tools. This is What’s My Name app, where you can put in usernames, and it will search across social media sites and identify if an account exists. So here we can see that there’s some old Twitter accounts. There’s a telegram account which I already mentioned. The threat actors are very active on. We’ve got a Roblox account. You know, threat actors love gaming. It’s giving you these other areas to go and look and to go and research and investigate and can give you more information to build that picture about that individual.
One thing I was just going to highlight, just because I thought it was kind of funny, was that Lockbit actually put something out a few months ago, I believe it’s a few months ago. It might have been a bit longer, saying they would pay anyone who got Lockbit tattooed on them, and several people did it. And they shared that online, and we were able to see those tattoos, which they probably regret quite a lot now.
There was a second Lockbit affiliate, also that I wanted to highlight. This is just highlighting the usefulness of leaked data. We collect data breaches and leaked information and have that within our system. Here you can see there’s two separate leaks. One includes an email address with the full name of the individual. If you only knew this email address was linked to someone who was doing bad things, you could put that into a leak and see if you can get more information about them. And here we’ve got their full name in Cyrillic, which I’ve translated, and also their telephone number. And then pivoting on that telephone number, we’re able to see another leak, which I believe is linked to Yandex app for ordering food. So, you can see kind of the payments information. You can see his name again in Cyrillic as Arthur, you’ve got the phone number there. But also interestingly, you’ve got the iOS version.
So, there’s a lot of information that you can find within these leaks with information about threat actors. And then what I’ve shown below is again, using open-source tools, these are two freely available Python tools that you can use, where you can search on the email address or on the phone number, and it will go and look across social media sites to see if they appear there. And it won’t share that information with the email or the phone number holder. So, you still have OpSec, but here you can see that email address. It has a LastPass account, it has a Nike account, it has a Twitter account so you can start to see where this individual is operating.
Cryptocurrency and Extremism
Another use case I just wanted to highlight. I mentioned cryptocurrencies are used extensively on the dark web. I also wanted to highlight some of the extremist activity that we see. I’m not going to highlight any particular threads on this page because I personally don’t find them to be, I don’t agree with their point of view, but Kiwi Farms is an open forum where people share information about different things. It’s similar to a chan. It does have some not so nice threads on it, but just highlighting that with our Vision platform you’re able to find that information and then also view it through our direct to darknet feature as it would look on the site, and you can see this is their homepage. But one of the things that Kiwi Farms do is they have a donation address, so the people that maintain the account are asking individuals to provide them money to keep the site going. So I wanted to see if I could find out anything about that cryptocurrency address and how the funds are being used. I used an open-source blockchain explorer. This is called breadcrumbs; you can get a basic free account and it allows you to do some kind of network analysis. You can see we’ve got the Kiwi Farms bitcoin address right at the beginning with some of the people that are paying into that. But I was more interested in seeing where that money went and a lot of it was circling back. I have removed some of the nodes on this just to make it a little bit more visually easy to see, but a lot of it was going back into Kiwi Farms, but then I was able to find areas where it was being cashed out: Kraken, Binance, and then Bravada were some of the areas where we were seeing that the funds were actually being cashed out. And you can see that the site, breadcrumbs, does also give you an overview of the Bitcoin address and how much funds have gone in and out. You can see it’s quite a high volume and it’s been active for the last three years. You can also see that it plugs into Bitcoin Abuse.
Bitcoin Abuse, which I believe has changed its name now to Chainabuse, is another really good source for looking at any cryptocurrency addresses you come across and seeing if they’ve previously been reported as linked to nefarious activity. One of the addresses in the Bravada exchange has actually been reported to be linked to terrorism and sponsoring groups in Russia. It’s interesting that an extremist forum, Kiwi Farms, is utilizing and sending funds out that way. Obviously, I can’t say for definite that that’s what’s happening, but we can see that those funds are being trickled out that area and it’s another area for us to investigate and look into.
Israel-Hamas Conflict
The Israel-Hamas conflict has obviously been ongoing for a while now and it’s been all over Telegram. So, as I mentioned, Telegram is a really useful place to see a lot of hacktivism, a lot of threat groups. There’s also marketing there, but it’s also being used more and more as a news source, and whether that news is factually accurate or is disinformation is always up for debate, but it’s been a really good source of being able to see what is happening on both sides of the conflict. Actually, on October 7th, it was one of the first places that anyone saw that something was happening. You can see one of the images here is them going through the wall into Israel.
This was on Telegram almost immediately and anecdotally, I know that people in Israel were watching Telegram for news updates because they were coming through quicker than they were on traditional media sources. But as I said, there’s also been a lot of information that’s been shared there that is probably not accurate. There were definitely videos that were being posted at the beginning of the conflict that actually came from video games and things like that, but there’s also been a lot of the hacktivist groups on both sides, saying who they’re going to target or saying that they have successfully targeted someone, showing evidence of DDoS attacks, showing evidence of defacement attacks, showing documents that have been stolen and leaks. A huge amount of leaks are being shared on Telegram, but one of the things I wanted to highlight, and I don’t necessarily have a good example here, but you definitely can do it, is taking some of these images and the videos that are being shared. Telegram, unlike Facebook, Instagram, Snapchat, doesn’t always strip out the metadata on the images. There are a lot of open-source tools that can kind of help you to see what the metadata is, and if there is any Exif data that’s going to help you there, but also you can get hints of where things are occurring and what’s happening by looking at the images and matching them up with satellite imagery or previous images that have been shared as well.
Scattered Spider
I’m conscious I’m running out of time, so I’m going to go quickly. Scattered Spider is another group, threat actor group that we’ve been monitoring. They are a financial crime group. Scattered Spider is the name that’s been given to them by one of the cyber security threat actors, but they’ve been responsible for some very high-profile attacks in recent years, including taking down Vegas with the MGM and Caesars Palace ransomware attacks. They do a lot of social engineering and phishing techniques; we expect those to probably increase in sophistication. Not that they aren’t already, but we know that AI is being used to assist with those attacks, but they are very active on Telegram and Discord and part of what is known within the community as the comm. We’re doing some analysis on who is active in those groups, who is interacting with each other, and what information can we find out about them. So, there’s a lot you can do with the data that’s in Telegram to do analysis, to do that link analysis, to find out who the individuals are and of course the main ones you can go and look in other sources to see if they have other social media profiles or other areas that you would want to be looking into.
Conclusion and Questions
So, I ran through that really, really quickly. I’ll just leave the key takeaways up here for people to read. Hopefully, that’s what you’ve taken away from it. I think the question about the Drainer service highlights that there’s a huge amount of things that you could cover here. This is very much designed to be an initial overview and an introduction but if there’s topics and interests that people would like to know more about, please put those into the chat and we can look at providing more information on that in the future.
But with that being said I just wanted to highlight we do provide investigation services at DarkOwl for dark web and OSINT investigations so we can assist you with any investigations that you currently have. With that, I will open it up for questions.
What data sources are considered dark web?
Dark web traditionally is sites that are accessed through Tor, so the Onion router, but you also have things like I2P and ZeroNet, which are also dark web providers and there’s a few more out there, but they’re not as used as regularly, such as Magnesium. As I mentioned in the presentation, we also view things as dark web adjacent when it’s the same kind of use case and the same kind of individuals that are operating. So, we definitely consider that to be Telegram, to be Discord, ICQ and then some surface websites as well which are there. So, I think it’s open to interpretation. It depends how narrow you want to be but I think with OSINT Investigations you always need to be open to all of the information that’s out there and being able to validate it against different sources. So, the more data points that you have, the more likely that you’ll be able to do that.
How do you locate and identify new groups on Telegram or Onion sites?
Manually is the main way. So, Telegram you can do searches in the global search or Telegram on the desktop app. If you have a keyword or a search that you’re aware of, you can put that in and see what you would find. I would also look at the groups that you’re already tracking and monitoring and search for the links. If you click on the channel page, you can go to links and it will show you other Telegram channels that have been shared. I will also sometimes look at other social media sources – people on Twitter or other forums will sometimes say, let’s take this conversation to Telegram and they will share an invite link there. You can also use Google Dorking to search Telegram, which is quite useful, but I would say it’s a keyword phrase. If you’ve got a particular topic you’re interested in, search for that. And then also if you’re looking at individuals in other countries, do use the native language. So if you’re looking at Russian threat actors, search for your term in Cyrillic as well as in Roman characters because you’ll find more information that way. Onion sites, again, it’s similar. We are already monitoring the major forums and marketplaces, and they will share other areas that they’re accessing. There are sites out there that will track new onion sites that have been created and what they’re being used for. So we can look at those. It is kind of just pulling through the different links that are being found and then reviewing them to make sure that they have actually got useful information on them.
Does DarkOwl have copies of entire sites that can be walked through? For example, could one walk through Silk Road and see the listings and users that were active back then?
Yes and no. We have our data, it goes back to 2016 in earnest. So, we do have all of that information, but we store it in documents and pages. You could search Silk Road and go through it. But one of the things that we don’t do is collect images due to legalities around CSAM material. You would be able to see the postings, you would be able to see the usernames and all of that information from any site that we’ve been collecting since 2016 but it wouldn’t be a walk through in terms of – it wouldn’t look like the site. You couldn’t click on buttons and things like that, but the data is all there.
Other than breadcrumbs and chainabuse, what are some other great sources for tracking crypto and blockchain across the deep and dark web?
I think there’s so many sources out there. Breadcrumbs is the one that I like to use just because it’s free. I mean obviously there’s paid services out there that are very, very good. I’m not aware of many others, especially not on the dark web. They’re not there for tracking purposes. I think one I heard of that I’m not familiar with but was recommended to me recently was Qlue – that is supposed to be quite good for cryptocurrency monitoring, but it really depends if you want to do a paid service or open-source.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.