Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. LockBit Ransomware Operation Shut Down; Criminals Arrested; Decryption Keys Released – The Hacker News
LockBit ransomware was taken offline by a global law enforcement operation as of February 20, 2024. The National Crime Agency of the UK led the operation, obtaining LockBit’s source code, arresting two members of the ransomware gang, and freezing 200 cryptocurrency accounts related to LockBit operations. Read full article.
The FBI has seized four domains connected to the Warzone RAT, a commodity malware which offered a number of features including UAC bypass, hidden remote desktop, cookie and password stealing, keylogging, webcam recording and remote shell, among others. In conjunction with Malta Police, they also arrested an individual they said was behind the RAT, as well as an individual based in Nigeria.
The individual based in Malta was also reported to have sold the Pegasus RAT for the Skynet corporation. Read article.
3. Bumblebee Malware Buzzes Back on the Scene After 4-Month Hiatus – Dark Reading
Bumblebee is a malware loader which is believed to have been developed by the Conti and Trickbot groups. Recent reporting indicates that it has been used to target thousands of organizations in the US in phishing campaigns. According to security researchers, the malware is commonly distributed in phishing campaigns to drop additional payloads for initial network access and to conduct ransomware attacks. The use of the malware has not yet been attributed to a specific group. Article here.
4. Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks – The Hacker News
Two years after the Russian invasion of Ukraine, cyber activity remains a crucial part of Russian warfare. While no specific Russian actor has been identified, the latest operation, occurring between November and December 2023, involved spear-phishing emails sent to harvest Microsoft login credentials. The lures used in the campaign now include PDF attachments relating to food and supply shortages, heating issues, and other war/conflict disinformation. Article here.
5. Chinese Hackers Exploited FortiGate Flaw to Breach Dutch Military Network – The Hacker News
Continuing their worldwide efforts to infiltrate government, military, and key sources of intelligence, Chinese actors exploited a known Fortinet vulnerability (CVE-2022-42475) to deploy a backdoor named COATHANGER and gain access to a network used by the Dutch military. This is the first time the Dutch have publicly attributed a cyber incident to Chinese actors. Read article.
6. ‘ResumeLooters’ Attackers Steal Millions of Career Records – Dark Reading
Using legitimate, open-source pen-testing tools combined with XSS and SQL injection techniques, a threat actor group stole millions of email addresses, phone numbers, and other pieces of personal data and put them up for sale throughout several Chinese-speaking Telegram channels. The specifically targeted sector was retail, along with multiple general employment websites. Read full article.
7. Johnson Controls says ransomware attack cost $27 million, data stolen – Bleeping Computer
Industrial control systems and security equipment giant Johnson Controls was the victim of a ransomware attack with a detrimental cost of $27 million. The offices located throughout Asia were the entry point for the malicious actors, who then spread through the entire corporate network; this event negatively impacted customer-facing systems, in addition to the loss of 27 TB of corporate information. Article here.
8. New Report Reveals North Korean Hackers Targeting Defense Firms Worldwide – The Hacker News
North Korean actors are conducting a cyber espionage campaign to gain access to defense technologies. Actors create fake profiles on LinkedIn and build trust with contacts, then offer possible job opportunities and exercises, delivered as documents containing malware. Additionally, supply chain attacks play a large part in these operations, with North Korean actors deploying remote control malware. Read full article here.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
Ransomware attacks continue to rise with many victims being reported every day. Last week one of the most prolific and successful groups, LockBit, became a target themselves with law enforcement (LE) action taking down their leak site and confirmation of sanctions against some of their affiliates. In this blog, we dig into what happened and what has happened since.
Who are LockBit?
LockBit are a ransomware gang that originally emerged in September of 2019. They offer ransomware-as-a-service (RaaS), which means that they allow affiliates to use their ransomware to attack victims in exchange for a monetary fee. In 2023, LockBit were reported to be one of the most prolific ransomware groups, with 44% of ransomware attacks reported globally being attributed to them. The group has had several iterations: LockBit 2.0 first emerged in 2021 and targeted many high value victims throughout that year and into 2022. In June 2022, they released a new iteration of their malware, LockBit 3.0. As part of that release, they also announced a bug bounty encouraging security professionals to test their malware, offering rewards from $1000 to $1 million. There were rumors in early 2024 that LockBit 4.0 was coming soon. DarkOwl analysts will continue to monitor any developments on this front.
LockBit Takedown by Law Enforcement
On February 19, changes were made to the LockBit leak site which made it clear that it was now under the control of law enforcement. In recent years, law enforcement have successfully seized several dark web sites, such as BreachForums and RaidForums, and have put a notice on the site indicating that it has been seized. With LockBit, however, the site itself carried the message that the leak site was now under the control of law enforcement.
Figure 1: DDoS protection on LockBit site seized by Law Enforcement
Utilizing the same technology that LockBit used for Distributed Denial of Service (DDoS) protection, the site, after a period of time, directed you to the LockBit blog post, where the usual cryptocurrency icons had been replaced with the flags of the countries of the law enforcement agencies involved. A DDoS attack is a malicious attack on a network that is executed by flooding a server with useless network traffic, which exploits the limits of the TCP/IP (Transmission Control Protocol/Internet Protocol) protocols and renders the network inaccessible. Although the site looked the same as it had when under the control of LockBit, instead of displaying victim names and details, it now included information about the group themselves. Law enforcement even used the same countdown timers LockBit used to pressure victims into paying the ransom, announcing that new information would be leaked.
Figure 2: LockBit blog containing information about the group posted by LE
Law enforcement announced several types of action that they had taken against the operators of LockBit. They provided a blog with details of Op Cronos and the operations they had carried out. The statement indicated that a task force of law enforcement agencies from 10 different countries had come together to take down the group. The takedown was led by the UK National Crime Agency (NCA). The statement read:
“The months-long operation has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise. This includes the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom.
In addition, two LockBit actors have been arrested in Poland and Ukraine at the request of the French judicial authorities. Three international arrest warrants and five indictments have also been issued by the French and U.S. judicial authorities.”
UK National Crime Agency (NCA)
Although it is notable that the task force did arrest two individuals and indict others, it appears that these individuals were affiliates of the group rather than those who operate the LockBit infrastructure, leaving some ambiguity about the impact this takedown would have.
As well as providing details of the operation, the NCA also released images of the back end of LockBit’s system. This included the admin panel showing the victim posts and the countdown.
Figure 3: LockBit back end leaked by LE
Law enforcement also claimed that they had access to some decryption keys for the malware, and that victims should contact them to see if they are able to help with recovering the data that had been stolen by LockBit.
Law enforcement indicated that they had identified 30,000 bitcoin addresses associated with the group, 500 of which are currently active on the blockchain and have received over $125 million. A lot of these funds came from the 20% fee taken from the affiliate groups, implying that the ransom amounts paid by victims are actually much higher. $110 million of this was still unspent on the blockchain.
LockBit’s POV
Soon after the announcement of the takedown, a letter started circulating online which appeared to be a message from the group to their affiliates alerting them to the fact that a security incident had occurred. It is unclear if this indeed came from the group, and DarkOwl analysts have not been able to authenticate it. The letter was written in the style of a security incident notification where personal information had been exposed, similar to those the group’s own victims would have to issue.
Figure 4: Unverified notification from LockBit
As of February 22, one of the onion mirrors for the leak site appeared to be back up, albeit with limited functionality. There were files which appeared to be named for the victims, and the files included file trees and samples of data which had been stolen from victims. None of the other links on the page were working and the usual format was not maintained.
Figure 5: LockBit site back up after LE action
On February 24, a note was circulated, signed with PGP keys to prove authenticity, which provided an explanation of what activity had taken place from LockBit’s perspective. The note started by stating that LE had been successful because the controller had become lazy about his security due to all the money they had made.
Figure 6: Message from LockBit
The message also included a list of onion mirrors which the threat actor claimed were still in operation and had not been affected by the law enforcement action. They also claimed that they still had access to victim data and would continue to release it if the ransom was not paid. In response to the law enforcement claim that they had decryption keys, the threat actor stated that law enforcement had only been able to secure a small number of these and that the majority of the data could not be decrypted.
They also stated that they would continue to operate, and that while the law enforcement action had disabled their infrastructure for 4 days, that was only because they had to update the source code. Furthermore, the site indicated that they had an FBI leak and seemed to indicate they would respond to the action.
Figure 7: LockBit blog page back up with FBI listed as a victim
DarkOwl Analysis
The law enforcement action, which took months to coordinate, appeared to take LockBit offline for only four days. Although the action will likely have some reputational impact, with affiliate groups possibly wary about working with the group knowing they are a target of law enforcement, most groups probably already knew this was the case for one of the most prolific RaaS providers out there.
It is also likely that the group will adopt more secure operations going forward, as they themselves admitted that they had been complacent in their operations due to the amount of funds they had amassed and how long they had been able to operate without issue. They will likely not make that mistake again.
It is a constant conundrum for law enforcement to decide when they should take disruptive action against a group and when they should continue to watch them for intelligence purposes. Law enforcement had come under pressure to take action against LockBit due to their success and the number of victims that had been targeted, and disruption does send a message to the wider community. However, the disruption was short lived and likely provokes the threat group into becoming more active and targeting more vulnerable areas, rather than encouraging them to stop their activities.
This was highlighted by the takedown of the BlackCat/ALPHV ransomware group in late 2023. Although the site was seized, this did not last for long, with the group managing to take the site back in a matter of days; they also lifted their ban on targeting victims such as hospitals. This highlights that while the seizure of a site can cause issues, if the individuals behind the group are not removed, this is only a short-term solution. The fact that the NCA and the FBI continue to offer a reward for information regarding the individuals behind the group highlights that they still don’t know who they are.
One could argue that it would be more productive for law enforcement to maintain access to the threat actors’ servers and leak sites in order to find information that can help victims, such as encryption keys or the data that has been stolen, and to view the group from within to find more information about them. This, after all, is the tactic that most threat actors use: maintaining persistence and lurking on systems to find the most damaging information. But law enforcement would have considered this and factored in the risks before going public with their operation. Only time will tell the true impact this had on LockBit’s activities.
On January 21, Cyber News published an article stating that they had identified the “Mother of All Breaches” (MOAB), which revealed 26 billion records. The article stated that the data had been identified by cyber security researchers on an open instance, meaning the data was not secured and was easily accessible by anyone who came across it.
The 12 TB of data was said to include records from previously reported leaks such as LinkedIn, Twitter, Weibo and others, but it was also claimed that there was new data held within this dataset that had not been seen before, although it was not clear what this claim was based on. At the time the article was published it was not clear who owned this data – was it a threat actor who had amalgamated all this data, was it from a marketplace where this data was stored, or was there another entity altogether that had this data?
The Dark Web Reacts
Almost immediately chatter began on dark web forums discussing this leak – where it might have come from, who the data belonged to, and how they could get access to the information. A post on popular dark web forum BreachForums garnered 37 replies and over 4,000 views.
The reaction to the data was mixed. Some of the users were eager to get their hands on the data asking for confirmation of where it was available to download and actors commenting that they would need to purchase more hard drives to store the massive amount of data.
Others felt the information was old, that it had previously been exposed and there was nothing new to be found. Their view was that this was simply being used to generate press, with some suggesting the data had been planted for marketing purposes.
Another actor felt that this data must have been the collection of convicted site admin Pompompurin (Connor Fitzpatrick), as he stated it included leaks that had only been posted to BreachForums.
Although many actors showed skepticism, most showed an interest in obtaining the data and were discussing how it would be shared – torrent being the preferred solution – and when it would become available. But the Mother of All Breaches did not materialize.
Cyber Security Companies Make Mistakes Too…
On January 23, two days after the initial article was published, the company Leak-Lookup posted on X (Twitter) taking responsibility for the leak, claiming that a firewall misconfiguration was responsible for the data being exposed.
Leak-Lookup is an organization which collects data leaks in order to allow consumers to check their information and see if they have been exposed. They claim to be a “Data Breach search engine” allowing their users to proactively protect themselves against possible exposure. This is an open source service, however they do also charge for some searches.
The company went on to state that “Initial access was gained sometime around the start of December, due to a misconfigured server allowing IPv6 access to our “hot” cluster,” highlighting that cyber security companies are not immune to cyber incidents, whether an attack or a technical issue. Fortunately, it did not appear that any of their registered users’ information had been compromised; the data that was identified is publicly available through their search. The misconfiguration was also quickly addressed to ensure no others could access this data.
DarkOwl Assessment
Given that the MOAB was actually a database of leaks curated by a breach aggregator, it is very unlikely that any new data was included in this breach. Just as with DarkOwl, Leak-Lookup will only collect leaks which are already publicly available on the dark web. Although they may sometimes get tipped some leaks which have not been widely shared, the volume of these is likely to be low.
DarkOwl continued to monitor dark web chatter relating to this breach and did not identify any threat actor claiming that they had access to this data. Given that the database is now secure and given its size, it is unlikely that anyone obtained the data during this period of time. However, as the database did contain previously leaked data, the information is still out there. As always, DarkOwl recommends using good password hygiene on all your accounts and highly recommends a password manager. Security is important for all organizations and all data should be strongly protected.
Valentine’s Day is a great time to celebrate love whether you are in a relationship or single – most people celebrate the day in some way, be it with a date night or a girls’ or guys’ night out. Like most things, there can even be a dark side to Valentine’s Day – while many celebrate romance, others are taking advantage of those wanting to feel loved or special by someone. The FBI’s Internet Crime Complaint Center (IC3) reported that in 2022 there were 19,000 complaints relating to romance scams, with reported losses of at least $739 million. The Federal Trade Commission reports even more staggering numbers. According to the FTC, nearly 70,000 people reported a romance scam in 2022, totaling $1.3 billion in losses – a median reported loss of $4,400.
A romance scam, also known as a confidence scam or pig butchering, is the targeting of an individual, usually through a fake online profile on a dating site or social media, convincing them to believe they are in a relationship. The goal of the actor is to steal money from the target. According to the FBI, “most commonly, the perpetrators are men targeting women over 40 who are divorced, widowed, elderly, or disabled. The scam usually starts with an “innocent” contact online and builds from there. Romance scammers often use well-rehearsed scripts which have been previously used successfully.” Last year, DarkOwl analysts highlighted some of these scripts found on the darknet being circulated by romance scammers.
Romance scammers are no different than other scammers – they don’t miss a beat and get to know their victim before taking full advantage of them. According to the FTC, there are frequent sayings and stories that these scammers use and follow to garner the most sympathy and make a seemingly genuine connection with their victim.
Just two days ago, DarkOwl analysts observed users of a Discord channel discussing the potential of romance scams, claiming that this scam is likely more popular around the holiday. Thankfully, romance scams have garnered more attention in recent years and law enforcement and news sources are highlighting the potential threat.
Romance scams are commonly discussed on the dark web. Last year, we explored this topic for the first time and it continues to be one of our top blogs. This year, we make researching romance scams a yearly tradition around Valentine’s Day as we explore some of the recent activities relating to these scams.
Romance Scams on the Darknet
Leading up to this year’s Valentine’s Day, DarkOwl analysts observed the popular darknet forum Exploit being used to discuss the best way to target individuals through dating apps. The user claimed to have over 3,000 contacts over the age of 20 and wanted to know how he could best exploit this. The majority of responses to this post recommended that the original poster conduct romance scams in order to make money, by pretending to be romantically interested and asking for money. They also recommended specific sites to get the best outcome, as well as ways to receive the cash.
People also seek data relating to individuals who have been victims of these scams, although it is unclear what it will be used for – possibly to re-victimize them, as they have been deemed easy targets at least once before.
The Flip Side
However, the dark web also highlights the impact that these scams can have on individuals. A forum used for communication between individuals with suicidal thoughts was used by one victim to highlight the impact a romance scam had had on them.
In a Discord channel, a victim shares how she fell for a romance scam that led to her giving her scammer money, and how she was able to go to the Internet Crime Complaint Center and file a report in order to get her money back – and it was recovered! She also claims that when looking for other recovery services, many offered help for a fee. A good reminder that when filing any sort of scam or fraud complaint, you should always work with the IC3.
Victims Fight Back!
In the screenshots below, perpetrators are targeted – victims who took offense to the scams conducted by these individuals shared all of their information through a dox. A dox (also doxx) is a detailed public record of someone’s identity. To ‘dox’ someone is to publish private information about that person – as a form of public shaming, intended to exact revenge on the company or person for some perceived wrongdoing.
Another example shows an angry victim of e-whoring releasing the information of their scammer after finding out that she was also cheating on him. He leaks information including basic demographic details and calls on others to “spam her with pics” on her Snapchat and Discord, the handles for which he has provided as well.
E-Whoring
An emerging extension of romance scams has been e-whoring: the practice of trading and selling nude images of other people. The intent is to sell the images to make money or to impersonate the women in the images to conduct other attacks.
As we know, threat actors take great pride in proving themselves by sharing their knowledge, tips and tricks with others as a way to build up their reputation and standing within the threat actor community. DarkOwl analysts observed many sharing guides and ebooks, some for free and some for sale, covering how to get involved in e-whoring and romance scams.
The example below is a posting on a darknet forum where the threat actor is selling his ebook in which he claims to teach how to “easily make up to $800+ a week” and to “master the method explained in no time.” He claims to be a “superb eWhore” and be a professional social engineer.
The ebook table of contents shows just how in-depth the author goes – covering everything from the very basics to the detailed specifics of how to really make a full business out of e-whoring. This is a very detailed guide and shows the steps that some of these more dedicated threat actors take to e-whore – setting up a website, making a fake ID, etc. These activities also clearly overlap with other crime that we see on the darknet and in illicit marketplaces.
Further on in the ebook guide, the author even shares some tips and tricks on how to act with their victims and what a woman would say versus a man when texting or communicating, teaching his trainees how to be believable.
Here we see another example of a guide to go from “beginner to pro” for e-whoring.
In addition, perpetrators will use the dark web in order to sell “nude packs.” Telegram is also a popular channel for selling this data, with packs being sold for as little as 15 Euros.
In Conclusion
As long as the romance scam industry is profitable, darknet actors will continue to innovate, and we will see scammers taking advantage of innocents looking for someone special – especially around Valentine’s Day. As with conducting any activity on the internet, it is always important to remain vigilant to scams, whether that be romance scams or not.
When finding love online, always make sure a friend or family member knows you are talking to someone, always insist on seeing that person face to face (in person is always better, and in a public place!), and never give someone money unless you are 100% positive they are who they say they are and you have verified their story. Be wary of anyone that makes excuses as to why they cannot meet in person or video chat, and always reverse-search images from their dating or social media profile – most romance scammers will be using someone else’s photos from online. As AI continues to make its way into everyday life, it will be interesting to see how romance scams evolve for next year’s research!
We wish all our readers a very happy Valentine’s Day!
Curious how darknet data applies to your use case? Contact us.
Due to the layer of anonymity the darknet provides, it is often a hub for illegal activity. The technology DarkOwl leverages to collect and index hidden digital undergrounds, 24/7/365 in near real time, is key in obtaining crucial data and situational awareness for intelligence and government agencies, and law enforcement.
DarkOwl, the leading provider of darknet data, reviews how darknet can be used to:
Track illicit sales of drugs, human trafficking, and cyber weapons
Detect potential threats and monitor persons of interest
Stay one step ahead of foreign Nation-State adversarial activity and attacks
Learn the latest tactics, techniques, and procedures of threat actors to better prevent future cyberattacks on critical infrastructure
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Alison: Thank you Carahsoft for putting this together. Thank you all for logging on. I’m going to jump right in. I have a lot of content to cover. And as Erin mentioned, we will field some questions at the end.
So I’m going to go over a little DarkOwl history, specifically dig into why this data set is so crucial for so many areas of the US government and other government partners. We’re going to look at some data examples off of the darknet. It’s always fun to do. So I’m then going to end with the current events that have recently elevated the darknet data set just in a more global way. And then if there’s time, we’ll walk through an interesting data leak that we uncovered. Before I launch in, I did want to mention that DarkOwl will be at the AFCEA West conference, which is in San Diego next week. I would love meet anyone going there.
So history on DarkOwl. We’re based out here in Denver, Colorado. We have been doing darknet collection for over ten years. Essentially we have 24/7 coverage of collecting data, pulling it off the darknet, parking it in our database, and then we give our clients access to that. Obviously, there’s a bunch of different formats that that can take. We have a user interface, there’s a bunch of different API endpoints. And like everything, the devil’s in the details. And I think the one thing I want all of you to walk away with today is, when we think about darknet collection, by definition, if you were to go out and take a look at, you know, a handful of Tor pages a couple times a month and store those in a database, you are, in fact, a darknet collector. That said, I would argue that DarkOwl’s strength is in how we define the darknet and what our collection efforts are focused on. And I think we do a really good job of walking the line of both automation and manual effort. You can’t get the scale of data that’s going to be valuable if you’re trying to do this entirely manually. That said, if you’re doing it entirely automated, you’re not going to get into the hard to find sites or be able to maintain personas and get into forums and marketplaces. So we use both those techniques. If you’re looking at this slide here, I know this is a little noisy.
Everything in red is our data sources that we collect from. DarkOwl obviously we’ve been collecting from Tor forever, that’s been our bread and butter. We have really focused in the last year or so on a lot of the peer to peer networks. I’m getting so many questions from law enforcement, government, commercial on Telegram collections. So we’re going to go into that a little bit further on. But you can see here Telegram, Discord, I2P, ZeroNet. Our collection team is always trying to figure out what the next platform is – where can we start to collect? And all these take different efforts from a collection standpoint. A lot of skill behind the scenes here in navigating all of these, regardless of where we get it, it’s all parked in our database. And then you’re able to access it as a DarkOwl client.
So this slide is just kind of a visualization of how the data flows through.
So as I mentioned, we’re doing all the collection. We park it in our database. And then as we bring that data in, we’re trying to tokenize and add as much structure and value as we can to make the searching and finding from all of your end a more streamlined process. We will tokenize information such as email addresses, IPs, crypto wallets, credit cards, usernames. And then depending on what that tokenization looks like, the bottom line here is the product set that we, DarkOwl, spit out of that data. So on the far left hand side is our user interface. So that’s going to be an analyst dashboard. And then we have a lot of different API endpoints ranging from, you know, Scores, which we call DarkSonar, which is a relative risk measurement of an organization or an agency or a government group’s presence on the dark web just numerically represented, all the way down to DataFeeds, where we are just pushing data every couple of minutes to clients. So it runs the gamut. But the important takeaway here is that the collection is done by us. We do the tokenization, and then we let you search and filter that depending on what information you’re specifically looking for.
On the left hand side – these are our these are our sources. And as you can see by the numbers, we’re really trying to scale at all times. These numbers were just updated – 28 million records from telegram channels. All of these documents are coming in, being tokenized, and then and then accessible. And, you know, at the end of the day, I feel like we’re solving two problems. Number one, there is no reason any of you can’t go out and do this on your own. You can download Tor, you can have a burner device. It’s just extremely inefficient. Right? It’s going to take time for you to do that. Collection sites go up and down. So it’s an efficiency play. And then number two, especially in looking at the attendee list here, I know most of you are US government. There’s a real safety feature here in that DarkOwl has done the collection. You are only playing in the DarkOwl data set so you don’t run the risk of exposing your own organization or burning a persona. We’re doing all of that in the backend, so it’s efficiency and safety at the end of the day.
So thinking about the darknet in regards to US government use cases.
And I kind of boiled it down to three here. I’m sure all of you can come up with more, but the first one I think of is just the force protection side – looking out for our own exposure, monitoring for email exposure, looking for PII of prominent folks and alerting them, and making sure that we have an understanding as a government of what potential vulnerabilities are out there. And that could run the gamut from exposed PII for someone in a senior position to military part numbers being sold or darknet forums discussing ways to penetrate organizations.
The middle one here – identity management. So I think of that as the investigation side of it – really using the data set to conduct research, to look into identities. How are people talking about this? What can we find? What can we correlate? Who can we associate with this? A lot of red team activities.
And then on the right hand side here, targeting – thinking about what this data set can tell us about nation states and other threat actors, what’s trending, ransomware. There’s so much content out there that it is powerful to be in the know on how that’s being talked about and presented.
So without further ado, let’s jump into some data examples. And again, before we do that, I want to highlight why this data set is so challenging to get your hands on. Part of it is just the time and effort that it takes to do this: these sites go up and down all the time, they move locations. Access to these forums and marketplaces – it’s not as simple as just signing in, and you can’t scrape page one, scrape page two and park it in a database. You need to be very strategic about how you do that. So these are some of the skills that we possess and have been doing for a long time. CAPTCHAs. And I’m not going to do a live demo today, but I do continue to fail CAPTCHAs on the darknet. They are extremely hard. I’m always laughing at that piece. So we’re doing these collection efforts in the background and basically taking that time suck and that risk off of all of you. Then the evolution of where people are moving to – I mentioned these peer to peer networks. You know, we’ve seen such popularity there, especially with the conflict breaking out between Russia and Ukraine. Following those trends is something that we’re always staying on top of as well.
Alright. Darknet data. What’s out there? I just pulled together some slides of examples that I thought might be compelling for some of you on the phone, and to just give you a sense for what we’re looking for. So, no surprise, a ton of PII, all sorts of banking and transaction data, credit cards for sale, exploit kits, malware. And remember, by definition, the reason to be on the darknet is to remain anonymous. So anyone trying to sell or transact or trade in any illegal goods or services is going to be attracted to that. So there are forums and marketplaces on how to do these things. It’s a colorful space.
The next bunch of slides are going to be screenshots from our platform, which we call Vision. And I’ll highlight just some of the findings here.
So I know it’s a little small on the background here, but if you look up at the top in caps it says DHS traders home addresses. So this is a hacker that’s uncovered some PII and is posting it out there, maybe in anger, unclear. And they’ve listed everything from title, home address, phone numbers. This is just someone posting this on a Tor page and we were able to capture that. And then this is a result right out of DarkOwl Vision.
Here’s another one. This is someone who is promoting their skills around making custom IDs, utility bills, bank statements and other documents, passports for sale. You can see the price here in Bitcoin. This is very, very common – people trying to gain business and sell IDs and everything you can think of.
So here’s one that I thought would be good for today.
This is a counterfeit item. They’re selling DOD ID cards and editable templates. You can even choose your own name and picture.
Alright, moving along – event and personnel protection. I looked at the registration list and I think some of you are tasked with some of these directives.
These are screenshots here of folks that – this one in the middle is actually a Telegram group. You can see there are 32,893 members in it. It’s entitled the Ultra Patriot Voice. You can see some words down here at the bottom. So these may be channels that would be worth monitoring. We’re collecting from them on an ongoing basis. We’re able to identify what users are in those Telegram channels, what their ID is, what their username is. And then, given some of our other sources, we can oftentimes back that into an actual person.
It wouldn’t be a good darknet presentation without the talk of ransomware. This is such a prominent thing for all of us.
Our commercial clients are always very concerned about this. This is a screenshot of what we would see on the darknet side. So this is not what the victim would see on their own network. It’s important to understand here that the ransomware actors are hosting this content, and they call them shame sites. So they’re posting this and saying, hey, here’s the information we have – in this case it was actually a grocery chain. But why this is so critical is because this is where we can assess and figure out what actual data has been exposed. So monitoring these sites and being able to be there in real time is important.
This is a fun slide.
This was actually an investigation that DarkOwl had done where we identified and tracked a Portuguese speaking threat actor. They were involved in a mobile device malware issue. If you look kind of towards the bottom here, we were able to confirm that the suspect’s activities were in a bunch of these communities, and the black part at the bottom here where it says steam, where you can see where it’s grayed out there – that was actually a leaked IP address, from which we were able to get a potential physical location for this gentleman in the Brazil area. I like to highlight this one because I think the first thought a lot of folks have in regards to the darknet is that there’s no geographical location because everyone has obfuscated their identity and their location. That said, there are enough breadcrumbs in there that you can often back into it. So this was a case where we were able to do so.
Insider threats. So we see a lot of posts in regards to this. This is actually someone who’s looking to recruit insiders. You can see that this site toggles back and forth between English and Russian. On the right hand side here towards the bottom, they talk about: my team will lock, exfiltrate and pivot with your access keys and with your access, and you’ll keep a percentage of the money for giving access. So they’re recruiting folks to try and get in. This could be government related, commercial related, or both. So insider threat, no surprise there.
Drug and gun sales on the darknet are very prominent. We see it all the time. There are marketplaces dedicated to it.
I think there are some folks on the phone from the DEA. Kudos to you guys. It is an uphill battle. And I know you’re fighting this daily. There’s so much, and we’ve improved. One of the things we’ve done at DarkOwl very recently is going into a lot of these forums and marketplaces and really dissecting how the chats are happening. So what I mean by that is looking at timestamps and who’s talking to whom and trying to build out these networks so we can try and get to the bottom of some of these. There have been some really great use cases where our clients were able to use this data to solve a case.
One question we get often is what do we do with images, right? There is a lot of content on the darknet that none of us want to have eyes on. And so what we do at DarkOwl is we ingest all of the text into our database.
So on the left hand side here, you see a screenshot from Vision. That’s our platform. And I simply ran a search – I think my specific search was “glock”, and then the word “sale”, and I think I put in “Miami” as well, because I was talking to some folks in Florida – and this page came up. So you can see we list where it came from, you can see the dot onion and then all of the text here. So if you’re sitting in the DarkOwl platform, you do not need to be concerned about coming across any child exploitation photos or anything in that regard. That said, sometimes the images that are captured can be quite compelling. So we have recently added what we are calling Direct to Darknet. You can see in the middle of the screen, there’s a little light blue bubble there. So if you click that button within the DarkOwl tool, it opens a new window. You’re in a safe, secure sandbox environment. I do it all the time off my DarkOwl laptop. This is not a burner device or anything. And up comes the actual page. And in this case, I’ve taken a screenshot off of the page, and you can see that the bracelet this person’s wearing, to me, would help maybe frame the persona of who’s using this. We also have, if you see in the original text, they’ve provided a Telegram handle here. So, you know, starting to gather a couple pieces of information that I think could be pretty compelling for an investigation here. So, again, the images won’t be pulled directly into the DarkOwl database intentionally, but you can go back out and capture those if needed.
Alright, I’m going to switch gears a little bit. A lot of the examples I’ve provided are ones that folks are pretty aware of – trading, selling, transacting in illegal goods and services is and has been what the darknet has been used for forever. What’s been interesting in the last year or two is really the political climate and how there’s been such an increase in real time chat applications and encrypted communication platforms for people to collaborate both for good and evil. We’ve seen a huge growth in Telegram use and therefore the request for Telegram data. There’s a lot of these invite only and pay to play architectures that have been spun up. It’s just such an evolving space. So it’s been really interesting to follow that evolution and start to do some of our collection from these peer to peer networks. So there’s a lot changing. And I would say that one of the catalysts for that was absolutely the Ukraine-Russia war. I think our actual database, so just DarkOwl’s data, went up by maybe 10% to 20% just within the first couple months of that. Half a million hacktivists and gray hats were taking on Russia and their allies. We saw just a huge influx of data and communication. It’s been really compelling and interesting to see that evolution in modern warfare today. In a similar vein, if we think about the Israel-Hamas conflict, very much the same – there’s been a lot of data leaked on both sides.
These images here on the right – the bottom one is an attempt to map some of the hacktivist groups that are working together. These top ones are actually images that were shared on a Telegram channel. This is a whole new way to engage, and it’s been just eye opening for us to see the amount of data that’s coming onto the darknet in regards to these conflicts and wars.
Telegram is coming up again and again. There’s so much information being passed through that. We had a concerted effort, right when the conflict broke out, to try and join a lot of these groups. We were able to get 320 of them into our collection efforts that were specific to the conflict. And we actually have a really awesome blog on our website – it’s worth the read.
Russians on the darknet. Interestingly, the second most represented language in our database is Russian. Their ransomware groups are very prominent, very sophisticated. There’s a lot of content that we have found. I’m actually going to show a couple examples in the next couple slides.
This was an interesting leak from the Bushehr nuclear power plant, sometimes referred to as the NPPD leak, that came out on a Telegram channel. This was a hacktivist group that had come out after the death of that woman, and they had downloaded the entire email server and posted a lot of these pictures on a Telegram channel. We, DarkOwl, were able to go in and capture some of those. It was posted in a bunch of different parts, but the compelling piece here for you to take away is that we were able to go in, grab these images and capture this. And this is the kind of stuff that, given the line of work that you all are in, can be pretty compelling to help with investigations. So these were some internal photos. You can see all of the metadata is captured there as well. Historically this has been a plant that I don’t think folks, or at least we in the US, have had eyes on the inside of.
These were a bunch of passports. So everyone that came in and out of that plant had to submit a passport. All of that was being passed through email communications. And because they had downloaded or had taken down that whole email server, every single itinerary of people that had been in and out of that plant in the last couple of years was captured. So again compelling for anyone that was needing to do research in this area or learn more about what was going on here.
You can see the flag here over on the right. This is obviously a Russian aircraft, some equipment, being delivered to this plant. So, again, just compelling information that clearly was not meant to be out in the public had been exposed on this Telegram channel, and we were able to capture it and bring it into our data set.
So I’m going to pause there and wanted to take a couple questions.
Knowing that you folks cover Telegram and Discord channels/servers, what are the types of servers and channels that you usually collect from? E.g., are they solely reach groups, criminal groups, or a mixture?
Alison: Great question. So DarkOwl serves both a commercial client base and a government client base. So right now, our Telegram and Discord collection is focused on what our specific client use cases are. For instance, we had a client join a couple months ago that was concerned about some financial fraud that they were combating, so we joined a bunch of Telegram channels on their behalf. So the short answer is it depends on our client’s use case, but I would say the ones that you referenced are all a part of our collection. We also love to do collection by demand. So what I mean is, as we bring on new clients, we always sit down during that onboarding and say, you know, what’s of interest to you? What Telegram groups can we join on your behalf? What is your use case? So a lot of that collection is customized to what our clients are looking for.
GEOs from the IP. Are you getting IP registration that goes through a service like MaxMind, or is it a GPS geo from a device using that IP?
Alison: So if you’re referencing the slide where I was talking about that actual investigation, we pulled the actual IP address off of a post that we saw, and then we weren’t geolocating that within our tool, so that would have to be done outside of the Vision tool.
If Tor sites are always going up and down, how do you track this and find the news sites/markets?
Alison: I talked about this early in the presentation. It’s a combination of both manual and automated. So if we’re on a Tor site and crawling that and we see that there are links to other pages, we will immediately spider and go to those pages and start collection there. Sometimes we’ll use one of our analysts to find a forum or marketplace. And oftentimes if those forums or marketplaces go down, they’ll post, hey, we’re moving it to this, or this has been taken down by law enforcement, we’re going to stand it up here. So it’s a combination of both spidering within the pages we collect and following those links, and then also our analysts just knowing the space and navigating to new forums and marketplaces. And the nice thing is, once we’ve captured the information, it’s retained in our data set. So if we were on a marketplace last week and we pulled down all the listings for Glocks for sale in Miami, and then that site were to go down today, if you went into DarkOwl Vision, it would still be there. So there’s a nice lookback feature here because we don’t age off any data. So that’s where the capturing and looking back can be helpful.
Our unit’s focus is the commercial exploitation of children in the US, specifically California. How is your coverage of that topic?
Alison: We should talk because we actually have a partnership with a couple nonprofits that are in a similar line of work as you. We’re collecting this information at scale. So I guarantee we are going to have some sites of interest for you. The piece that would be important for you is that direct to darknet piece, where you would probably have to go out and actually capture some images there. I would want you to sit with our product team and walk through what that looks like. But my guess is we do have content that would help you with your work.
If we are looking for a particular chat, such as those including child exploitation, will your company actively search topics or is it only the data that has already been pulled available?
Alison: No, we will actively search sites if for some reason there’s a site that we are not already collecting from, whether that be a Telegram group or Discord server, or a dot onion. We will go out and collect from it, per your request, as long as we’re able to do so.
What data sources are considered dark web?
Alison: It depends on your definition. I feel like everyone’s definition of dark web is a little different. We at DarkOwl consider that to be Tor, I2P, ZeroNet. And then, as I mentioned, we collect from a lot of these dark web adjacent peer to peer networks. So Telegram, Discord, and some others. But the short answer is I think the definition of dark web can vary depending on who you ask. Ours is fairly broad, and we try and collect from a lot of adjacent sites as well.
How do you legally collect all this information? Is it OSINT?
I’ll answer the first part – legally, everything that we collect at DarkOwl is considered OSINT, so open source, and we are able to do so with the right skill set. Any of you could go and find this information. A couple lines we will not cross. We will not purchase data. We won’t go behind firewalls. We follow very strictly the Department of Justice guidelines around data. Everything is done ethically. And again, we’re not purchasing data and/or going behind firewalls. So we’re able to collect it because it’s open source information.
Can we search the data you collect by name, date of birth, etc.? Can you show how the application works live?
I can absolutely show how the application works live, though not on this webinar, because they’re recording it and going to be sending it out. I’d be happy to give you a demo outside of this webinar. To answer the first part of your question: you can search for anything in our data set. Think of it as the Google of the darknet. So there’s a big search bar you can type in a term, an email address, a phrase, and hit search. And we’re going to show you all the results that are relevant to that, that have come out of all these varied collection sources. So yes, you can search for a date of birth, you can search for a Social Security number, a phrase, whatever you want.
What are upcoming trends security practitioners should be looking out for?
I’m definitely not the best person to answer that question, but I would tell you that our collection team is always trying to stay ahead of what’s coming up next. And a lot of these forums and groups are talking about what the next technique is. I think the best we can do is all come together, those of us that are on the right side of the coin here, and share what we’re seeing, and hope that by sharing those practices and sharing what each of us is coming up against, we can make some headway. But I feel like I’m not the best one at DarkOwl to field that question.
Do you have a newsletter, an email of examples of cases which were sought and closed and how they were investigated and the outcome?
Absolutely. We have an extremely comprehensive blog that we put out, and there are white papers. I will tell you that if this topic is of interest in any capacity – any of the slides I showed, whether it’s in regards to some of the recent conflicts or very specific drug sales – our blog is incredible. There’s so much information in there. All of those pieces were months and months of research.
Would you be able to say if any departments in New Jersey are currently using DarkOwl? I just want to see if this is something that would be beneficial to our detectives.
Off the top of my head, I don’t think we have any New Jersey specific clients, but I will tell you that we absolutely have state agencies and state departments that are using this. We have both federal clients and a lot of SLEDs. So I’m happy to make a referral to another state that is using it and see if that would be helpful to talk to them and learn more about their use case.
According to a 2022 report from the National Cyber Security Centre, “70% of sports organizations experience at least one cyberattack per year. This is a considerable increase over general businesses, of which just 32% reported dealing with cyber incidents or harmful cyber activity.” According to a 2023 report, Microsoft warned of growing cyber-threats to sporting events.
One of the driving factors of increased cyber-attacks around major sporting events is the increasing digitization of sensitive information and reliance on 3rd party technology vendors. According to the Business Research Company, with the global sports market expected to reach $623.6 billion by 2027, cyber criminals are expected to increasingly target this industry. Cyber threats surrounding large-scale events like the Super Bowl are much more complex. Well before fans, performers, media teams and vendors arrive at the stadium on Sunday, there will have been numerous betting transactions made, sponsorship payments delivered, and accounts for fantasy apps created. All these digital touch points offer threat actors the opportunity for exploitation and theft.
Last year DarkOwl analysts examined the Super Bowl’s cyber threat landscape looking at how exposed technology vendors involved in the Super Bowl appear on the darknet. Given the popularity of last year’s blog, we wanted to do an update and examine new trends. This includes exposed credentials and chatter around malware that can allow hackers access to key vendor technologies, such as ticket payment systems.
Darknet Risks to the Super Bowl: Key Vendors Pose Supply Chain Risk
Gambling & Online Sports Betting Apps
Super Bowl sweepstakes are very popular, and many people choose to bet directly at this time of year more than any other. Gambling and sports betting apps continue to be highly attractive targets for hackers because of how popular these apps and websites are. It is common to see product listings for gambling application site accounts alongside listings for banks (Wells Fargo, Chase), online payment companies (PayPal, CashApp), streaming platforms (Netflix, Hulu), and really any other companies that have a large global mobile application user base.
These types of services are also typically connected to a payment system, allowing users to make bets and access their transactions with minimal effort. From a threat actor perspective, that makes digital sports gambling apps one of the most likely targets for phishing campaigns and potential account takeover by leveraging digital fraud techniques.
Bet365
Bet365 is a British-based gambling company that has become one of the most popular gambling companies in the United States. DarkOwl analysts discovered various ways Bet365 was exposed on the darknet. The below example from DarkOwl Vision shows a detailed listing for Bet365 accounts containing active balances from various countries, posted on Amunet, a popular deep web forum primarily known for its leaked corporate databases.
Figure 1: Post on a deepnet forum advertising Bet365 accounts with active balances; Screenshot: DarkOwl Vision, Original Source: Amunet.io
This user also includes their Telegram contact info. Telegram accounts are often listed on Deep and Darknet listings because threat actors prefer this chat application to verify a user and complete a transaction.
Telegram is also a popular place for threat actors to sell information belonging to gambling companies. The below Telegram post displays a user selling Bet365 accounts. It is important to note all the additional vendors mentioned on the same product listing from other gambling companies like BetMGM, payment transfer companies like CashApp, as well as large banks like Barclays.
Figure 2: Telegram post listing accounts for sale
DraftKings
DraftKings is another popular betting app. Below is an example of a DraftKings account appearing in the naz.API database with a plaintext password. This could be used by threat actors to access the account and steal funds.
What is naz.API? A version of the naz.api leak was made available on BreachForums on January 15, 2024. According to the post, it is a 35 GB collection of public URLs, usernames, and passwords. The post also notes that it was originally on xkey.info but was taken down for allegedly not being the real naz.api leak. Naz.api is reported to be one of the largest credential stuffing lists released, originally posted on September 9, 2023, by 0x64. According to that post, the database was created by extracting data from stealer logs and contains over 1 billion unique records of saved logins and passwords in users’ browsers. The post also notes that the original naz.api dataset was donated to 0t.rocks.
Infostealer logs are files produced when a trojan is installed on a system that collects information from the infected system. Depending on the infostealer malware, the extracted data can include system information and browser session data (including autofills, credentials, financial information, cookies, browser history, etc.). Some malware families will also capture stored local files and install a keylogger on the system to exfiltrate data outside of the browser sessions.
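As an added example (not DarkOwl’s code, and not part of the original post), the following Python parses stealer-log derived credential lines in the common `url:username:password` layout and flags entries whose saved-login URL belongs to a monitored domain, the check a defender runs over a dump like naz.api to find which of its users need a forced password reset. The line layout, the sample lines and the watch-list are assumptions constructed for the example; the page does not specify how naz.api itself is formatted.

```python
"""Flag exposed credentials for monitored domains in stealer-log style dumps.

Added example, not code from the original page. Assumes the common
'url:username:password' line layout of combolists built from infostealer
logs (the page does not specify naz.api's exact layout). All sample
lines and the watch-list below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample dump. Real-world quirks included on purpose:
# line 3 has a port in the URL and a ':' inside the password, line 4 is an
# Android app URI as infostealers record saved app logins, line 5 is junk
# that must be skipped rather than crash the run, line 6 has an empty password.
SAMPLE_DUMP = """\
https://www.draftkings.com/login:alice@example.com:Winter2023!
https://accounts.bet365.com/:bob77:hunter2
https://sportsbook.example.net:8443/signin:carol:p@ss:word
android://ABCDEF==@com.draftkings.dknativermgGP/:dave:letmein
this line is garbage
https://mail.example.org/:erin@example.org:
"""

MONITORED_DOMAINS = {"draftkings.com", "bet365.com"}  # constructed watch-list

# URL = scheme://host[:port]rest, where host and rest contain no ':' (the
# port is only recognised directly after the host, so a numeric username
# after 'host/' is not mistaken for a port).
_URL_RE = re.compile(r"^([a-z][a-z0-9+.\-]*://[^\s:/]+(?::\d+)?[^\s:]*)")


@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str

    @property
    def host(self) -> str:
        """Hostname of the saved-login URL, lower-cased, without port."""
        if self.url.startswith("android://"):
            # Infostealers record app logins as android://<sig>@<package>/.
            # Heuristic: Java package names are reversed domain names, so
            # com.draftkings.x -> x.draftkings.com for domain matching.
            package = self.url.split("@", 1)[-1].strip("/").lower()
            return ".".join(reversed(package.split(".")))
        return (urlsplit(self.url).hostname or "").lower()


def parse_line(line: str) -> Credential | None:
    """Split one 'url:user:pass' line, or return None if it is unparseable.

    The URL may itself contain ':' (scheme, port), so the URL is matched
    first and the remainder split on its *first* ':' only, which keeps any
    ':' inside the password intact.
    """
    line = line.rstrip("\r\n")
    m = _URL_RE.match(line)
    if not m:
        return None
    url = m.group(1)
    rest = line[len(url):]
    if not rest.startswith(":"):
        return None
    parts = rest[1:].split(":", 1)  # [username, password]
    if len(parts) != 2 or not parts[0]:
        return None
    return Credential(url=url, username=parts[0], password=parts[1])


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain, never for look-alikes."""
    return host == domain or host.endswith("." + domain)


def find_exposures(dump: str, domains: set[str]) -> list[Credential]:
    """Return parsed credentials whose login host is in a monitored domain."""
    hits: list[Credential] = []
    for line in dump.splitlines():
        cred = parse_line(line)
        if cred is None:
            continue  # skip junk lines instead of aborting the whole run
        if any(host_matches(cred.host, d) for d in domains):
            hits.append(cred)
    return hits


def exposure_report(dump: str, domains: set[str]) -> dict[str, list[str]]:
    """Map each monitored domain to the usernames needing a reset (no passwords)."""
    report: dict[str, list[str]] = {d: [] for d in domains}
    for cred in find_exposures(dump, domains):
        for d in domains:
            if host_matches(cred.host, d):
                report[d].append(cred.username)
    return report


if __name__ == "__main__":
    for domain, users in sorted(exposure_report(SAMPLE_DUMP, MONITORED_DOMAINS).items()):
        print(f"{domain}: {len(users)} exposed login(s) -> {users}")
```

The report deliberately carries usernames only, so it can be handed to a help desk or identity team without redistributing the leaked passwords.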
Hackers can also gain access to existing DraftKings accounts using more traditional methods like credential stuffing and exchanging combolists to exploit exposed account login information.
In the image below, a user on the darknet forum FSS Squad is allegedly selling DraftKings accounts with actual balances. Listings for stolen DraftKings accounts on Telegram are more explicit, with some offering accounts that come with pre-existing balances, as well as methods to bypass multi-factor authentication.
Figure 4: DraftKings accounts with balances being sold on the Deepnet forum, FS Squad; Source: DarkOwl Vision
Methods for stealing DraftKings accounts are a common topic discussed on Telegram fraudster channels like “Big Fat Chat” or “Bazaar Lounge”. Below is an example of a user advertising the sale of over 800,000 DraftKings logs on the Deepnet carding site Bazaar Lounge.
Figure 5: Telegram user selling DraftKings stealer logs on a carding site
Banking Systems
Truist
In January 2021, the bank Truist signed a multi-year deal to be the official retail bank of the NFL. As a result of this agreement, Truist is now the exclusive financial service provider for all facets and personnel within the NFL, including player contracts. Below are several examples of actors on the darknet and deep web actively targeting Truist Bank.
Truist card numbers, bank account numbers, and other account information are readily available on all major carding forums like WWH Club, AS Carding, Card Villa, as well as across thousands of Telegram fraudster channels. The below example is from WWH Club, where users are discussing how to target Truist Bank. The user in the screenshot says in Russian, “Бро а не знаешь номера у труиста пробиваются? или нет”, which translates to “Bro do you have Truist numbers” … referring to bank account numbers for Truist bank members.
Figure 6: WWHClub user soliciting Truist bank account numbers
Truist logs and accounts are regularly sold across hundreds to thousands of Telegram fraudster channels. In the screenshot below, this user is advertising Truist accounts for sale on a deep web carding market, but also claims to sell PayPal, Coinbase, Wells Fargo, cloned cards, bank logs, and more.
Figure 7: Truist.com accounts advertisement on a Telegram fraudster channel
It is likely that the Truist accounts are being targeted for general financial fraud; however, their links to the NFL highlight how access can be used to target other organizations in a supply chain.
Ticket Payment Systems
StubHub
StubHub is the official ticket payment system of the Super Bowl, and DarkOwl analysts found numerous instances of StubHub data on the darknet.
Figure 8: Source DarkOwl Vision
The above is a listing for StubHub accounts being sold on the popular Russian language credit card fraud forum known as WWH Club. In this instance, a threat actor has uploaded 163 StubHub accounts to sell on the forum.
Below, users on Telegram discuss various options for bypassing multi-factor authentication on StubHub and Ticketmaster.
Figure 9: Users on Telegram sell stolen StubHub accounts
Streaming Services
Sunday Ticket + YouTube TV
Since NFL Sunday Ticket launched on YouTube TV to show NFL games, DarkOwl analysts have observed cyber criminals advertising accounts for sale as well as soliciting accounts on Telegram and darknet forums.
Telegram fraudsters have targeted YouTube TV more since the merger with NFL Sunday Ticket and RedZone. In the post below, a Telegram user is selling access to YouTube TV, NFL Sunday Ticket, YouTube Premium, HBO Max, and other apps for $150 USD.
Figure 9: Telegram listing for NFL Sunday Ticket + YouTube TV
Our analysts identified the below result of a Nulled user soliciting access to YouTube TV accounts so they can watch “any NFL game”, an obvious reference to NFL Sunday Ticket. Another responds and asks the prospective buyer to contact them privately on TG. Again, DarkOwl analysts are increasingly seeing vendors on various darknet forums and marketplaces asking buyers to contact them privately on Telegram.
Figure 10: Nulled user soliciting YouTube TV accounts
Cyber Risks to the Super Bowl: The Bigger Picture
While the dispersed and perhaps seemingly small-scale nature of these vendors’ darknet footprints may make them seem inconsequential, it is important to consider the bigger picture. In the last year threat actors have increasingly targeted technology vendors involved with major sporting events like the Super Bowl, World Cup, and Olympics. DarkOwl analysts agree with the assessments of Microsoft and the National Cyber Security Centre that cyber threat actors will increasingly target major sporting events as these events rely more and more on technology vendors for infrastructure, payment, advertising, etc., and generate a lot of money.
With attack vectors becoming ever more sophisticated, large events like the Super Bowl – which bring together humans and technology at such a high magnitude during such a concentrated period – offer a unique opportunity to threat actors. By maintaining visibility into threat actor activity on the darknet, NFL fans, vendors, and corporate decision makers can position themselves in the best way possible to be ahead of and respond to cyber incidents.
Whoever you support we hope you enjoy the game!
Interested in learning how darknet data applies to your use case? Contact us.
1. China claims it cracked Apple’s AirDrop to find numbers, email addresses – BleepingComputer
China claims to have cracked the device logs of AirDrop, the Apple feature that allows proximity sharing of pictures, files, etc., in order to recover the phone numbers and email addresses of the people who sent files. China’s constant effort to control its population means it has blocked many popular messaging apps and used its internet controls to block many popular websites within China. Many people turned to AirDrop because it does not need cell service or an internet connection, including during the 2019 protests, when protesters used AirDrop to share protest information and anti-government material. The Chinese government claims it can see the phone numbers, email addresses, and other metadata of devices that took part in this activity. Read full article.
2. 29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services – The Hacker News
A 29-year-old man was arrested in Mykolaiv, Ukraine, after making over two million dollars in illicit profits from cryptojacking schemes. The arrest was the result of collaboration between Europol and a major cloud service provider. The attacker most likely used compromised credentials to deploy miners on cloud resources without the victims’ knowledge. Read article.
3. SMTP Smuggling: New Flaw Lets Attackers Bypass Security and Spoof Emails – The Hacker News
SMTP smuggling has emerged as a way to conduct targeted phishing operations. SMTP is the common protocol used to send email. A protocol is simply a system of rules used to communicate data: for email, a connection is established between the sending and receiving servers, and the email content is transmitted according to those rules. In this new smuggling technique, actors exploit inconsistencies in how sending and receiving servers interpret the sequence that marks the end of a message. A sequence that the outbound server relays as ordinary message content can be interpreted by the receiving server as the end of one message and the start of a second, attacker-controlled one, which allows the attacker to spoof the sender domain. An actor could send an illegitimate email with a malicious attachment, and it would go through because of these inconsistencies in how sending and receiving servers process the data. Read full article.
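As an added illustration, not code from the article or from any of the affected mail products, the following Python models the inconsistency described above. A customer of a hypothetical outbound server (`outbound.example`) submits one message whose body contains a bare `<LF>.<CRLF>`; the outbound server only recognises `<CRLF>.<CRLF>` as the end of DATA, so it relays the sequence untouched. A receiving server that also accepts `<LF>.<CRLF>` ends the first message there and parses the rest as a second envelope with an attacker-chosen `MAIL FROM`, which passes SPF because the connection really does come from the legitimate relay’s IP. All hostnames, addresses, IPs and the SPF table are constructed for the demo.

```python
"""SMTP smuggling model: the same DATA stream parsed by a strict and a lenient
receiver. Hostnames, addresses and the SPF table are constructed for the demo."""
from dataclasses import dataclass, field

CRLF = "\r\n"
STRICT_EOD = [CRLF + "." + CRLF]           # RFC 5321: only <CRLF>.<CRLF> ends DATA
LENIENT_EOD = STRICT_EOD + ["\n." + CRLF]  # also accepts a bare <LF>.<CRLF>

# Constructed SPF policy: IPs allowed to send mail for a domain (hypothetical).
SPF_ALLOWED = {"outbound.example": {"198.51.100.10"}}


@dataclass
class Envelope:
    mail_from: str
    rcpt_to: list = field(default_factory=list)
    body: str = ""
    spf_pass: bool = False


def relay_outbound(client_data: str) -> str:
    """Outbound server as seen by an authenticated customer: DATA ends only at
    <CRLF>.<CRLF>, so a <LF>.<CRLF> in the middle is ordinary content and is
    relayed byte for byte to the next hop."""
    idx = client_data.find(STRICT_EOD[0])
    if idx < 0:
        raise ValueError("client never terminated DATA")
    return client_data[:idx]


def find_eod(stream: str, eod_seqs):
    """Earliest end-of-data sequence this receiver recognises: (index, seq) or None."""
    best = None
    for seq in eod_seqs:
        idx = stream.find(seq)
        if idx >= 0 and (best is None or idx < best[0]):
            best = (idx, seq)
    return best


def inbound_parse(stream: str, client_ip: str, eod_seqs) -> list:
    """Inbound server: read envelope commands, then DATA up to the first EOD it
    accepts. Whatever follows is parsed as new SMTP commands, and SPF is
    evaluated against the connecting IP, which is the legitimate relay's."""
    messages, env, pos = [], None, 0
    while pos < len(stream):
        nl = stream.find(CRLF, pos)
        if nl < 0:
            break
        line = stream[pos:nl]
        pos = nl + len(CRLF)
        verb, _, arg = line.partition(":")
        verb = verb.upper().strip()
        if verb == "MAIL FROM":
            env = Envelope(mail_from=arg.strip("<> "))
            domain = env.mail_from.rsplit("@", 1)[-1]
            env.spf_pass = client_ip in SPF_ALLOWED.get(domain, set())
        elif verb == "RCPT TO" and env is not None:
            env.rcpt_to.append(arg.strip("<> "))
        elif verb == "DATA" and env is not None:
            eod = find_eod(stream[pos:], eod_seqs)
            if eod is None:
                break
            idx, seq = eod
            env.body = stream[pos:pos + idx].rstrip("\r\n")
            messages.append(env)
            env, pos = None, pos + idx + len(seq)
    return messages


def demo(eod_seqs) -> list:
    """Constructed attack: a legitimate outbound.example user submits one message
    whose body hides <LF>.<CRLF> followed by a second, spoofed envelope."""
    client_data = (
        "Subject: quarterly report" + CRLF + CRLF
        + "Please see attached." + CRLF
        + "\n." + CRLF                          # smuggled end-of-data
        + "MAIL FROM:<ceo@outbound.example>" + CRLF
        + "RCPT TO:<cfo@target.example>" + CRLF
        + "DATA" + CRLF
        + "Subject: urgent wire transfer" + CRLF + CRLF
        + "Pay invoice 4471 today." + CRLF
        + CRLF + "." + CRLF                     # genuine <CRLF>.<CRLF>
    )
    relayed = relay_outbound(client_data)
    session = ("MAIL FROM:<alice@outbound.example>" + CRLF
               + "RCPT TO:<cfo@target.example>" + CRLF
               + "DATA" + CRLF + relayed + CRLF + "." + CRLF)
    return inbound_parse(session, "198.51.100.10", eod_seqs)


if __name__ == "__main__":
    for name, seqs in (("strict", STRICT_EOD), ("lenient", LENIENT_EOD)):
        msgs = demo(seqs)
        print(f"{name}: {len(msgs)} message(s)")
        for m in msgs:
            print(f"  from={m.mail_from} spf_pass={m.spf_pass} body={m.body[:30]!r}")
```

Run as a script, the strict receiver delivers one message, with the smuggled commands sitting harmlessly inside the body, while the lenient receiver delivers two, the second one from `ceo@outbound.example` and passing SPF. The defensive fix is for both hops to reject or normalise bare `<LF>`/`<CR>` inside DATA so they agree on where a message ends.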
4. DDoS Attacks on the Environmental Services Industry Surge by 61,839% in 2023 – The Hacker News
Distributed denial of service (DDoS) attacks against the environmental services sector saw a record increase in 2023. This pattern reinforces the growing trend of cyber incidents affecting real-world environmental matters and causing disturbances in a sector whose services shape the day-to-day lives of average citizens. Several firms in the industry detailed how DDoS trends point to more sophisticated attacks that target multiple vectors, last longer, and hit multiple IP destinations in the same event. Article here.
5. Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset – The Hacker News
Abuse of a Google authentication endpoint called MultiLogin is allowing malware to hijack sessions and maintain continuous access to Google services by extracting tokens and account IDs from infected machines. With this information, threat actors can regenerate Google authentication cookies, which lets them get back into victim accounts even after the user has reset their password. Read article.
6. Ransomware victims targeted by fake hack-back offers – BleepingComputer
An actor claiming to be a security researcher has recently contacted several victims of ransomware gangs and offered revenge services against members of the Royal and Akira ransomware operations. The individual offered to delete the victims’ stolen data from Akira’s and Royal’s servers for a fee of five Bitcoin. The handles used by the actor are “Ethical Side Group” and “xanonymoux”. Read full article here.
7. Majorca city Calvià extorted for $11M in ransomware attack – BleepingComputer
The city of Calvià, on the Spanish island of Majorca, announced it was hit by a ransomware attack that disrupted municipal services, suspending administrative deadlines and other services until January 31, 2024. A task force of IT specialists is helping the city recover from the incident, and city officials reminded residents that phone and in-person services remain available and unaffected. Read article.
8. BreachForums Founder Sentenced to 20 Years of Supervised Release, No Jail Time – The Hacker News
Conor Brian Fitzpatrick, aka pompompurin, the founder of the cybercrime hotspot BreachForums, was sentenced to 20 years of supervised release for his illicit online activities. The 21-year-old Fitzpatrick also operated Leaks Market and sold databases containing Social Security numbers, passwords, and other PII for use in criminal operations. In addition to GPS-monitored home arrest, he must register as a sex offender. The full amount of restitution he will have to pay to the numerous victims is still being determined by the courts. Article here.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
Iran continues to gain sophistication in cyber quickly. Its state-sponsored (military and civilian) and cybercriminal operations have worldwide impact and deserve attention. Iran’s relationships with other adversaries like China and Russia will continue to strengthen its cyber capabilities, and also its general position in world conflict, including its efforts in hybrid warfare. These are already being witnessed in Ukraine, Belarus, Israel, Syria, Yemen, and other high-conflict areas.
In this webinar, we covered:
Evolution of the Iranian cyber program and its current state
Iranian state sponsored activities
Cybercrime activities that occur on the dark web and adjacent platforms
Geopolitical events and relationships that influence Iranian cyber actors
Why Iran needs to be taken seriously as a digital threat
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Steph: Welcome to everybody and thank you all for joining. I am a 20-year Iran follower, I speak Farsi, I am former military and former Department of Defense, and Iran and Afghanistan have been my target area for the past two decades, if not more. I am thrilled to speak about them today. I’m always thrilled to speak about them. I’ve done this talk publicly for probably five years and there’s always so much to learn. There’s always something new to cover and track, and I’m really excited to do this for you today, so let’s dive in with that.
So let’s address the elephant in the room, which is Iran’s physical activities and proxy activities all over the Middle East. The point of today, especially because we have limited time, is their cyber program. Past, present and future is how I like to organize it. But we cannot go without addressing, especially after last night’s drone attack, the obvious physical attacks and the incidents and the tension that is definitely increasing day to day on the ground. I wanted to give this audience some way to empower all of you to research and take a look yourselves, because I have followed more of the cyber activity versus the physical and the Iranian military. So please, I invite you to familiarize yourself. Go to CENTCOM directly – centcom.mil has a ton of wonderful blogs. Their analysts are top notch. Get the information from there yourself. CENTCOM, Central Command, located in Tampa, Florida, controls the entire US military activity in all of the Middle East, Iran and everything surfacing. All of the borders, all of the bases. Anything that’s of interest, you will get your answers from there.
The other two sources I’d really love to highlight for you are think tanks and just wonderful CTI research firms. Overall, Atlantic Council has an amazing, amazing body of literature on all of Iran, to include present-day conflict, and Sibylline, a UK firm, is also absolutely amazing. So lots of attacks going on. We are going to show and demonstrate how the cyber gets into the physical attacks and how this lends itself to working together, as well as an emerging trend, which is hybrid attacks. That is where, you know, maybe Iran has something going on, maybe they’re conducting a DDoS or ransomware attack or any kind of online activity to distract people in one corner, and then in another area of the world, let’s say, you know, there’s a drone attack on a supply chain along the border of Lebanon and Syria, or there’s a physical incident against a US base in Iraq or anywhere else in the region, right, Bahrain or anywhere else. So please do take the time, if you are interested, to look at these sources that really focus on physical contact.
And with that, let’s get into the cyber of Iran. I like to do a timeline. For the past 20 years, Iran has always been kind of floating in the background. A lot of people consider Russia to be more sophisticated and our major adversary in cyber. A lot of people look to China, who’s also incredibly sophisticated and very powerful as a Western adversary. Iran is not to be discounted. And I think that, unfortunately, this current conflict in the Middle East is probably showing just how strong they are.
I’d like to go back to 2009, which is when the major Iranian cyber activity started in the way that the outside world could observe it. Right? Iran is a locked-down, isolated country. They fault the West for that. Prior to 2009, they had cyber entities. They were doing defacements, they were doing hacking, hacktivism, just putting out political messages. But it wasn’t anything sophisticated. Cut to the internal Green Revolution, which is where the Iranian population stood up, one of the first times they really tried to go against the Ayatollahs and the regime to change it. As we all know, the authoritarian theocracy that Iran is absolutely will not tolerate that. So the Ayatollahs and the government and the IRGC and the MOIS, which we will also get into, started monitoring their population with their own apps, their own GPS, all of the cyber and technical tools that kind of reveal locations today. The Green Revolution brought that about internally.
I likely don’t have to tell anybody on this webinar about the 2010 Stuxnet response. When Iran understood that their nuclear program had been compromised, they understood that they needed a wide, wide, wide defense to protect their internal infrastructure, networks, etc. So the Stuxnet response really prompted them to have an offensive and defensive cyber capability. And if you go from 2012 up to right now, 2024, look at these activities that they’ve all done, right. Posing as LinkedIn researchers, they’ve had several successful ransomware campaigns; espionage and IP theft is a very constant activity for Iran as well. Election interference, not just the US. They’ve also meddled in European ones in 2020. This is every threat actor, right? As the pandemic raged and everybody worked from home or remote, VPN exploitation and spreading malware was of course extremely common and rampant. Iran participated in targeting industrial control systems. I’m sure that you’ve seen, if you follow cyber or any Iranian news, they go after the PLCs, programmable logic controllers. They are going after anything SCADA, ICS, any fear of disruption to the daily life that the Western world takes for granted.
I can’t highlight this enough, and you’ll see it in this presentation, that Iran really wants to disrupt water supplies, power supplies, banking, the financial systems, because they know that fear is a powerful motivator. They also know that they can’t physically do these things. It’s much more difficult. Restricted travel – Iranians are not welcome in a lot of places in the world, so they go after it digitally, and that’s one way that they can definitely get to the psyche of American and European politicians, leaders, government. Then let’s go to, of course, more cyber espionage. MuddyWater was extremely active in 2022, and in 2023 and 2024 we saw front company involvement, which we’re going to get into in detail. Of course, the Ukraine and MENA conflicts. Iran has personnel on the ground in Belarus. They’ve conducted disruptive cyber attacks on behalf of Russia, targeting anyone who’s sympathetic or encouraging to Ukraine. And 2024, we are just about a month in. We have global conflicts everywhere, right? We have the latest in the Middle East. We have global elections. A lot, a lot of countries are going to the polls this year, and Iran is one of those countries. So they have domestic elections; guaranteed that they will continue spying on their population. The Iranian president is a placeholder, not an actual person of power. So I highlight all of this to say that in, you know, 12, 15 years, Iran has strongly emerged, bettered and improved and made some really key allies such as Russia and China, to only better and improve their technology and their cyber programs. It’s very important to realize that.
What are their motivations? Why are they doing this? First and foremost? Again, I’ve mentioned that Iran is isolated. They want to become a recognized global power. They feel that teaming up with Russia and China will do that, because they fault the West, Europe and the United States for having isolated them since the 1979 sanctions, keeping them out of important world meetings and world organizations. They’re extremely bitter about the isolation that they faced. Revenge for Qassem Soleimani is still a tagline. While experts tried to claim that part of the October 7th, 2023 attack was for Qassem Soleimani, Iran put that message out. That has been disputed. But all of their other actions in cyberspace, as well as physically, they’re extremely upset about Soleimani.
Espionage. Iran cannot partake in normal business operations due to the aforementioned sanctions. So how do they get their information? They take a page from China’s book and conduct IP theft, espionage, get all of the information, whether that’s to improve their aging fleet of weapons, planes, cars, anything, you name it. They just want to take all of the information and better themselves. And this last one is kind of a newly emerging one that they’ve publicly spoken about: eradicating Western influence throughout the Middle East, creating that new world order. They’ve wanted this for a long time. But now that tensions with China and the US are increasing, as well as globally with Russia now, they really feel that this is the time to move forward, use their cyber, use their strength to eradicate the Western influence. They’re going to start in the Middle East and try to keep going, to keep expanding.
The cyber bodies of Iran, their organization, it’s really not that different from anything you might be familiar with.
They, of course, have a civilian and a military component. The MOIS is their civilian component. It’s the Ministry of Intelligence. These are the civilians that have long-standing careers working for the Iranian government. And then the IRGC is the Iranian Revolutionary Guard Corps. The Basij special forces are subordinate to the IRGC, as is the Iran Cyber Army. And I also have some university GIS that are down below. So Iran has mandatory conscription. You can fulfill that mandatory 18 months to two years as a cyber actor. You don’t have to do anything physical. You don’t have to do infantry or artillery or anything like that. You can truly go through any of the controlled universities which are listed below, and learn and get your initial skills fulfilling your conscription. And then you can do a couple of things. You can stay in the IRGC, you can serve there. You can transfer over to the MOIS and go from military personnel to a civilian. The important thing is, and what Iran wants to do is control all of their cyber power and their cyber training and their curriculum to keep that talent, those people that they train internally. Too often they’ve seen in the past that even sons and daughters of government officials will go to Western universities in Europe or in the United States and then choose not to come back to Iran. Iran, the MOIS and the IRGC, has made a concerted effort to keep that cyber talent within the country because they know how absolutely essential it is, not only right now, but for their future.
So let’s get into a little bit more of the MOIS versus the IRGC. It is extremely important to note this for the concept of attribution in cyber. I personally, as a researcher of 20 years, having been military and government and now fully private civilian, as well as doing a couple of years at a think tank in academia, do not believe there is anyone that should be doing attribution in cyber unless it’s a government, European, American or anything. There are too many obfuscation tactics. There are too many ways to hide the actual parties, the hands on the keyboard. Can you say that traffic comes from Iran? Can you say that it’s definitely linked to a pattern of Iranian influence? Can you evaluate source code of Iranian tools and malware? Absolutely. Can you determine who is doing it, MOIS versus IRGC? No. Why? They have a long-standing competition and hierarchy. So both of these bodies are very cyber capable, have active, active campaigns going on right now. The MOIS is thought to be a little bit more sophisticated because of the lifelong training and techniques and polishing of their employees. They’re very, very good. They’re very sophisticated. They’re very well trained. The IRGC is thought to be a little bit more sloppy. They have accidentally left hallmarks of Iranian work in their source code and they’ve left artifacts open. This is different from when they want that to happen. There are times that Iran, both the IRGC and the MOIS, purposefully leaves comments in source code. They will taunt Saudi Arabia, they will taunt companies and say, you know, how we’ve infiltrated your systems. But the IRGC has also made multiple mistakes and did not intend to reveal that they were behind it. And so you have to consider that as well.
Another active competition that goes on for them right now, not just in cyber but worldwide. So the MOIS only recently came to be the favored organization. When the Ayatollahs took over in ’79 and all throughout the ’80s, you see, Iran is an authoritarian theocratic state. The military controls everything: citizens’ activities, online activities. So the IRGC was favored and was always sought after for online cyber operations. In 2009, Rouhani came to power as the Iranian president and, for whatever reason, changed and started to favor the MOIS and use them for operations, consult with them, use them for intelligence and especially a cyber program. So right now, the MOIS remains in favor from 2009. And what that means, and what I have seen over and over, and anybody in the community has, is they will pit and intimidate one another. So the MOIS might say, I don’t know who that activity was. It wasn’t us. You should probably talk to the IRGC, and vice versa, right? So they pit one another against each other. They try to cover their tracks by framing one another. There absolutely have been operations, hands on the keyboard, where it’s MOIS actors who pose as IRGC actors and impersonate them, and again, vice versa. So it’s important to recognize that, yes, we can track activity coming from Iran, we can track VPNs and all of the obvious obfuscation techniques, but I don’t think we can get as granular as saying this is an MOIS officer versus an IRGC one, especially with all the tools that cyber has.
So just keeping that in mind moving forward, as you evaluate campaigns and malicious activity, it’s incredibly important to note the MOIS and IRGC rivalry and impersonation and how they move forward, especially in digital operations.
We’ll get into the APTs and cover them quickly. So APTs have been around for a long time. It’s advanced persistent threat. These are generally actors who are financed, sponsored and supported by a government. These are fully government-attributed actors. Iran has right now 32 active APT groups, of course with varying levels of sophistication and skill. So we will cover them. But I think it’s too important, especially right now, and we’re going to see why, with front companies, with ransomware and with cybercrime, and that is what DarkOwl specializes in: you have to look at the other groups. It’s no longer only APTs out there publicly acting and attacking, right? And APT actors, as well as governments of our adversaries, have caught on to, oh, I can blur activities or I can, you know, have plausible cover if I use a cybercriminal group or if I employ somebody or pay them to do that. So APT is still very active.
APT is absolutely on the dark web, absolutely using Telegram. But they’re not the only force to be reckoned with. And I think that’s an important change as we move forward, especially as global conflicts erupt and people take sides; criminal actors are going to come more into play. Really important to note. So APT33 and APT34 I want to highlight. You know, they have their own malware. They have their own TTPs. APT34 is thought to be more sophisticated technically, while APT33 and APT35, as you’ll see, are more on the social engineering side. So APT33 is going to impersonate people – reach out as a researcher, a journalist, an academic, send invites for conferences or for paperwork, and use social engineering to get information or conduct espionage. Whereas APT34 and some of the other more well-known Iranian groups use custom malware that they improve upon, test in the Middle East and then use elsewhere. Why? I’ve highlighted Mimikatz for all of these, and this is a good opportunity to go to the next one.
APT35 and APT39. You will also see Mimikatz still highlighted. Credentials and data are everything, right? That is what we see on the dark web: selling credentials, selling passwords, hashes, emails with accompanying data or solo. Iran uses Mimikatz in almost every single operation, and that’s APT as well as cybercriminals. And this is really important to note, because the hallmark of cyber actors is, you know, they can do bad with good things. So Mimikatz is an open source tool that you can just get and use, which they do in their operations. It’s similar with GitHub. Everybody uses GitHub, keeps their repositories there. And malicious actors have pivoted to trying to crack GitHub and take open source tools there and improve them and use them for malicious purposes. So Mimikatz has been a constant on the APTs for Iran for over 15 years, and we’re seeing a lot of credential use and theft by Iranian cyber criminals. We’re seeing the chatter, the sales on Telegram, we’re seeing them talk to one another.
So this is just another line blurring between cyber criminals and Iranian state-sponsored, government-sponsored actors. And I think that’s really important to note. In addition to custom malware, custom backdoors, and all of the other ways that they go after anyone or anything online, there are some other groups as well. Of course, anyone following Iran knows that the kittens is what they’re called: Rampant Kitten, Pioneer Kitten, and Static Kitten. I’ve highlighted them because they are some of the most active and more recently active at once, so these are important to note in addition to the APTs of the 30 series. For instance Rampant Kitten, I would like to highlight that they actually breached KeePass, the password keeper, two years ago. So it’s just important to note that that was a sophisticated impact. A lot of change came after they hit KeePass. They’re talking about all of this online as well. Sharing https in Telegram, sharing how they get in, what’s the best VPN to use to do their operations? They often share that information among the APTs and the cybercriminals. And it’s also important to note that Iran is very active in ransomware, which we will get into later as well, go into more detail. I’m going to pause there because that kind of completes the APT part of it.
Okay, let’s talk about malware. For the more technically sophisticated in this audience, Iran is very talented with creating their own custom malware and using them in operations. I have highlighted some of the older ones because it’s important to note their evolution and the overlap in source code. So we go back to Shamoon. Shamoon was very, very prevalent, especially after Stuxnet. Iran really came onto the scene with Shamoon hardcore. My observation of 20 years is, and this was true with Shamoon, both versions one and two, and this was also true with ZeroCleare, Iran uses countries like Saudi Arabia and Bahrain almost as a testing ground. Shamoon went very, very heavily into the Saudi Aramco systems in the years that it was active. Then Shamoon 2 did the same thing. You’ll see, Saudi Arabia was a repeat victim. Shamoon 2 was, of course, updated from its first version, namely that there were no pre-programmed credentials needed to operate Shamoon 2. That’s just an interesting thing to note, because I just talked about Mimikatz and how Iran does rely on credentials so much, but they evolved the second version of their malware to actually not use credentials. Again, just demonstrating a change in TTPs and that they are able to work both ways. ZeroCleare has a lot of resemblance to Shamoon. If you look at the source code, again, lots of overlap, very, very clear. But it is a separate malware. And I do invite you to please use VirusTotal, AlienVault, Shodan, MISP, any of your online tools that you choose. You know, please go and look these up and look for yourself if you have those capabilities. Iran does offer sophisticated malware and still uses them after they test in places like Saudi Arabia as well as Bahrain, and they fix what they need to fix or tweak anything that they feel enables better operations. They then expand and use this malware in their campaigns in Europe, North and South America or in Asia.
So important to note that they keep track of their malware, use it internally, and by internally I mean within the Middle East region, Saudi is a favorite, and then they go bigger, they go harder and they go external: telecom, SCADA, again, all of those companies that they want to use, they go external after they’ve tested it inside the Middle East region. The 2024 update for malware: OilCheck and OilBooster have evolved and are using cloud providers for their command and control, their C2, as well as some email-based C2 abilities. And that’s using Microsoft, which I think is very important to highlight. We need to be aware of this malware in 2024, especially with all of the elections that I mentioned. And this is being used by APT34 as well. But there are samples of both OilCheck and OilBooster in the wild that have been used by non-Iranian government cyber groups. So definitely confirm that this malware is in use and we need to keep an eye on it. As 2024 progresses, both elections, the global conflicts, targeting everything, everything and anything that is going on this year with malware, and especially what new malware will they create. Because it’s very early in this year, will we see maybe hallmarks of a Juiceman 2.0? Will new malware surface? It’s important to be aware of what they’re currently using, the cloud and email-based providers, versus what they have in the past, so that we can measure what they’re going to look like this year moving forward.
Where is Iran going to go? We are now in the present day of this slide. So terrorism and fringe group operations. I do not need to tell anybody in this audience that Hezbollah, Hamas, and, you know, everything going on in the Middle East, they are very clearly being supported by Iran. Again, this has been a pattern for two decades. The only difference now is that more and more people are paying attention, and it is more public. We can trace the blockchain for cryptocurrency transactions that are conducted by Hamas or Hezbollah or Houthi officials or actors. Notable partnerships: I always talked about and highlighted how that new axis of evil in the digital realm was coming into play. So Iran and China had signed a 25-year agreement for cooperation. In the first two years, there was no actual tangible activity. It seemed just like a lot of news conferences and opportunities. That has since changed. China is helping Iran with some oil production. They are giving them some improvement in flight technologies to improve their aviation. There are now some more tangible results that we’re seeing come from the China and Iran partnership. Russia and Iran, I want to note that it’s difficult to monitor their communications. While there are plenty of Russian and Chinese and Iranian actors and officials open and speaking on Telegram and dark web forums, there’s obviously a part that the open world is missing.
We saw that with the Hamas attack on October 7th: they are using more old-school technology, phone calls, in-person meetings, to keep hardcore operations that are very sensitive underground and prevent them from being discovered. This is true in the digital realm as well. Russia and Iran and China also all have their own equivalents of, say, Facebook, Twitter and messaging platforms. All of their governments have created their very own applications and tried to draw their citizens to using those for a multitude of reasons. One, it is government protection, right? If you’re Russia, Iran or China and have plans, you don’t want those leaking out because somebody has an ego on Telegram or somebody is using WhatsApp and sharing it, right. And second, it’s just easier to monitor your own citizens if you have your own applications as well. Right? So it’s a win-win for them. They monitor their own citizens. They keep their own information close hold. And again, we’re seeing more and more of this. So it’s a balance between observing public information on messaging apps such as Telegram and WhatsApp, discerning what’s true. You know, is this real? Is this a false flag operation? And then we also have to talk about cryptocurrency and crypto mining, which leads to front companies, which we will get into because this is very important. So Hamas and Hezbollah and the Houthis all have cryptocurrency. There’s an underground infrastructure of it. It’s not just cyber operations that fuel their cryptocurrency profits. It’s selling drugs, it’s selling weapons. It’s human trafficking. All of these activities that happen in the physical world are then converted to using cryptocurrency, again for obfuscation, for privacy.
It’s important to note that Iran used Bitcoin in their older operations, I would say anywhere between 2010 and 2016 or ’17. And then they made a market change and decided, and their cyber actors have openly talked about this on Telegram and other internal Iranian apps, that Bitcoin is no longer safe. They feel that there are too many law enforcement and global policing officials using Bitcoin. So Iran has changed to light cash, Zcash and a couple of other lower-popularity cryptocurrencies, believing that they’re safer. This means that Russia and China also kind of use those as well when doing business with Iran. Again, we’re hiding communications, we’re hiding funding, we’re hiding money. So it’s important to just note how this works as an overall infrastructure empowering these actors.
Let’s talk about the big three: Hezbollah, Houthis and Hamas, supported by Iran, again, have been for two decades, mainly Hezbollah. I mean, Iran basically created them. Iran has trained, empowered them, financed them, given weapons, given time, given everything. Open secret, actually just open. Not a secret. The Houthis as well. I’ve seen Iran also support the Houthis, especially when they took over Yemen. Iran has lent the how-to on controlling your population and controlling what the outside world sees using social media and distributing propaganda. Right? The Iranian government controls everything in the country. So do the Houthis in Yemen. So there are definitely playbooks overlapping there, using social media to spread the message of success in every conflict, of their capabilities, of how their drones are taking out, you know, last night’s unfortunate incident was three US soldiers KIA. And they might inflate these numbers when it doesn’t make news just to keep their populations supporting them. You know, instead of three members, Iranian or Houthi, Hamas, Hezbollah propaganda might say we killed eight, we killed ten, we killed 20, right there. Very, very good at inflating numbers and statistics and always have been. So it’s really important to note that even when these groups are blocked from Facebook or their Instagram and TikTok accounts are deactivated, a couple of things happen. One, they move platforms. They’re going to go to qTox chat, right, because if they’re doing digital operations, Tox is viewed still as safe and more private. They’re going to go to Telegram because, and openly Iran has stated this, they would rather the Russian government understand and see what the Iranians are doing versus the US government. Telegram is a Russian platform. This is why they feel that it’s safer to use, being that Russia is an ally of Iran. So just because they’re banned and removed from the major social media platforms, it doesn’t stop them. They just change.
I think that’s really important to talk about. They plan or discuss, you know, the outcomes and the positives of operations on their channels to keep people encouraged, for recruitment efforts, to grow the forces. They put out false stats to keep their population contained and say that they’re winning. And, you know, again, these things can be harder to monitor. Direct messages on Telegram, direct messages on WhatsApp, they’re not as easy to intercept. You can’t see them. And so there is a gap there for cyber officials and for a lot of other entities. And so they use those to bolster their operations, bolster their supplies, and just put out what they feel they need to put out, paint the picture, take over the narrative using social media and continuing with propaganda. I mentioned Telegram because I want to show more. I am a Farsi speaker. I am not an Arabic speaker. There are tons of Arabic-language channels. You can see them. But what I did was just take an example.
A small example of some of the Hezbollah, Houthi and Hamas Telegram channels that have emerged since this conflict. This was true in Russia as well. I think that Telegram really came on the map with the Russia and Ukraine conflict, and it is still there, and Russia is leading the way using Telegram, whether it’s false information, real information, selling data, selling malware. Every malicious actor, and again APT, I stand by, and cyber criminals, they’re on Telegram in addition to other platforms. It is incredible how much information some of these actors will reveal once you fact-check something and say, oh, this actually checks out. So they are sharing information. Again, they recruit, they are discussing the outcome of physical and cyber operations, they’re fundraising. We are unfortunately seeing them pose as, you know, charities who are supporting Ukraine, charities who are supporting Palestinians or Israelis. Right. They are making up that they are affiliated with a charity, soliciting donations in cryptocurrency and using that platform to expand operations. Of course, that money goes directly to their war and physical attack efforts. They are not actually charities. There are all kinds of ways that they take advantage of populations on Telegram as well as other messaging platforms. Really important to note that they’re going to continue to use these in their operations as they move forward, not just the global conflict and the actual physical wars. But this is a very, very ingrained part of all of their operations: infiltrating think tanks, academia, attempted government infiltration. Right. You can pose as anybody online, and it’s harder to validate on platforms like Telegram and some of the other ones that they’ve moved to. So it is incredibly crucial to continue to monitor this, monitor the talking, and see how this shapes up as these conflicts continue and as anybody can pose as anyone else online.
Something to really think about and really keep in mind as you research and as you form your opinions and form your interest in cyber. I’d like to talk about front companies too. This is absolutely essential.
So Iran has perfected the front company game: establishing something as a legitimate entity, registering it, making an LLC, filling out the business paperwork, you name it. They have really, really perfected their game with this. One of the earlier examples of this was the Mabna Institute. This was a 2018 event. It was about nine people that were active, and Mabna was supposedly a think tank, an Iranian think tank that was anti the government of Iran, wanted to work with the Western world, wanted to be linked with them. And what they were actually doing was intellectual property theft from over 200 US, European and Australian universities. So very successful. We’re talking terabytes of information stolen. Again, all of this information was used for weapons improvement, technology improvement, updating their fleet of airplanes.
Rana is another one. Rana is on the right screen here. This was APT39; it was linked to them. So that’s really interesting. And this was just another campaign that targeted Iranian dissidents, that targeted journalists internationally, and just a bunch of companies worldwide who were anti the Iranian government. So they posed as tech professionals, posed as journalists, and got in and got a lot of information about entities that were anti the Iranian government before it was tied to the Iranian government itself, which was clearly using this information to take out dissidents, suppress dissent and not allow the opinion of being anti-Iran, anti the ayatollahs, to go any more public than it had to be.
This is the latest one. Our company, DarkOwl, did a write-up on the front company Cloudzy, which surfaced in 2023, and I want to shout out Halcyon. I have to recognize them for their calling this out. Halcyon broke the news that Cloudzy was masquerading as a network hosting company in New York, and in reality it was headquartered in Tehran and run by 6 or 7 different Iranians who had created fake biographies, a completely fake everything on the Iranian internet, in the Iranian media, which then spread to the US media.
This is their actual page, which is still very live, up and running. I checked it as of yesterday. Cloudzy did not respond to takedown requests, and not only was Cloudzy supporting the ransomware operations of all of our adversaries, the big four, China, Iran, North Korea and Russia, but we had Vietnamese actors, Indian actors, cyber criminal conglomerates. This infrastructure was being abused for years by all of the malicious actors. And again, it’s still up and running. And even after the Halcyon report, Cloudzy issued no statements. You can see that they have a blog section up top; they issued nothing, they didn’t write about it. They didn’t refute any claims. They just kind of continued on with business as usual since the news broke in August of 2023. Interestingly enough, “the executives”, I say in air quotes, of Cloudzy and their biographies, they were taken down and their LinkedIn pages changed. Iran loves to abuse LinkedIn, which we’re going to get into as well. But this is just yet another front company that was facilitating bad actors and ignoring requests, ignoring abuse, and is still functioning. So it’s very, very interesting that this continues. And Iran is not alone in this. Russia does it, China does it. A lot of adversaries do it. But Iran has definitely had some very, very successful varying operations, IP theft to hosting ransomware. Extremely interesting. And it’s the full spectrum of operations.
Iran is a heavy ransomware actor. So you’re going to see at the end of this webinar, we do have a deeper one coming up on the big four actors, that’s going to be in March of this year, and we’re going to go more in depth on Iran and their current ransomware operations, but highlighting how powerful Iran is and how they use Telegram, as well as the dark web, for their ops. Iran has a history of ransomware, and we do not expect that to stop. SamSam was one of their biggest campaigns. The actors made $6 million, which is no small feat in the Iranian economy. Dharma was another Iranian-activated one. It was unsophisticated. You can see that again using those OSINT tools, right? Those open source tools that anybody can procure and use. And it was delivered via RDP. Again, a very typical delivery mechanism. And then BitLocker was 2020 to 2022; its decryptor key has been released. I do not believe they are still active, but we’re going to see what Iran does with ransomware this year. Again, if I had to hazard a guess right now, their ransomware operations are not as active because they are so involved with global conflicts, again, posing as journalists or aid workers for Palestine, Israel, Ukraine, trying to get information that relates to global conflicts, as well as managing the proxy events in Syria, Lebanon, etc. But I do expect, as this year proceeds and as really important, crucial global elections happen, we are going to see a lot more Iranian ransomware campaigns as well as their custom malware. So look forward to that in March when we have our next deep dive on the big four actors.
It is essential to talk about cryptocurrency as well, anywhere in cyber right now. So Iran is a big crypto user in a country where the economy is essentially ground level, right? It’s been terrible for years. A lot of poverty. The only people who are profiting are, of course, those higher up in the government. Iranians who could circumvent the Iranian government’s internet controls have turned to cryptocurrency. You can make money with it. You can start a side hustle, and it’s harder for them to track. So cryptocurrency is extremely popular in Iran and always has been. In 2019, the Iranian government banned crypto mining, which is also a way that Iran works with China. So crypto mining, to be very, very short about it: you need a lot of network power, but you also have to control weather and temperature. For obvious reasons, the Caspian Sea region in Iran is extremely valuable for crypto mining. So China helped Iran set up crypto mining farms in the Caspian Sea region. The public caught on to this because, again, it’s a small population. Word travels, and, you know, if they’re watching anti-government or if they are anti the Iranian government, they want to know what’s going on. So the Iranian government banned crypto mining for private individuals. Right. You could not have a private individual conducting crypto mining operations. Then they reversed that ban in July of 2022 and implemented a paid license that the private individual had to get from the Iranian government. So they turned it into moneymaking. So the Iranian government’s making money, private individuals, non-government affiliated, are crypto mining, China’s helped in this, and voilà, we have Iranian crypto. I’ve mentioned that they’ve shied away from Bitcoin, that a lot of them still won’t use it, thinking that internationally it can be traced. And one example of where they’re shifting as well, in the latest conflict between Gaza and Israel, they are using Tron, which is a decentralized blockchain.
It’s a different blockchain, but they’re openly talking about Tron on social media as well as Telegram, because it is not as common in the West, and they don’t feel that it has been infiltrated by Interpol, Europol or other Western government officials. I also want to highlight, and this is DarkOwl data we see constantly, so Hezbollah, in addition to laundering money, spreading money around and, you know, using it for weapons and drugs, etc., Hezbollah has also run a very successful counterfeit campaign. You can see an example right there of the $100 bill of the United States. They’ve done it for euros. They’ve done it for other Middle Eastern countries as well. So cryptocurrency is a booming operation not only for the Iranian government, but also for their proxies like Hezbollah, the Houthis and Hamas as well.
That takes me to the end of this. I am very happy to share any IOCs. Everything I’ve talked about today is a preview. There’s obviously always more. There are granular details. Please reach out to [email protected] with any questions or updates. Always happy to share more sources. Always happy to hear of an update that maybe I missed. These I really feel are wonderful sources and references that I refer back to and constantly use and update.
Don’t miss our next webinar on Big 4 Cyber Adversaries > Register here.
Like the years before it, 2023 was busy in cyber security and the dark web with many attacks, emerging threats, and law enforcement activity. As technology becomes more and more entwined with our daily lives, the vectors for attack and the threats in the cyber realm increase, whether on a personal or corporate level everyone needs to be aware of emerging threats and how they can best protect themselves. As we enter 2024 it is important to be aware of what we are likely to face.
In this blog, DarkOwl analysts take a look at what we saw emerge in 2023 and review the most persistent threats which are likely to continue, grow in sophistication and make an impact in 2024.
Dark Web Activity
During 2023, several dark web marketplaces were taken down by law enforcement action and several threat actors were arrested. However, new markets and actors emerged to take their place. When BreachForums was seized and its administrator arrested, a Telegram channel and, shortly after, a new site quickly took its place.
Figure 1 – BreachForums Shout Box
The dark web continues to be a place where threat actors can buy and sell illicit goods, discuss hacking activities, and share data and information to enhance their nefarious activities. This is not going to change in 2024.
In response to law enforcement activity, onion sites continue to tighten their security and the rules for participating on forums and marketplaces. Their captchas have become increasingly difficult and outstrip those usually found on the surface web. Sites have also adopted measures that make them harder to scrape and increasingly require memberships. In 2024 DarkOwl expects these trends to continue as we work to ensure we can continue to provide coverage of these sites and the activity on them. It will be increasingly important moving forward to pay attention to the TTPs (tactics, techniques, and procedures) of threat actors on the darknet as their sophistication grows.
Messaging Apps
Over the last year, threat actors increased and affirmed their use of other means of communication such as Telegram and Discord. The messaging app Telegram has become a very popular means of communication, particularly because of the company’s reluctance to cooperate with law enforcement, which it rarely does, and its refusal to ban or remove content, the only exception being posts relating to Islamic extremist material.
While the use of Telegram was promoted by the Russia/Ukraine war, events such as the Hamas/Israel conflict in 2023 cemented its use, not only as a means of communication but also as a way of delivering news, both factual and not (what we call disinformation), with many using Telegram channels as a source of media. As we enter an election year in the US and other countries, it is likely that Telegram will be extensively used to share political rhetoric from multiple sides and should be closely monitored.
Figure 2 – Telegram Channel for Mysterious Silent force a hacktivist group supporting Hamas
Cyber threat actors, particularly hacktivist groups, have also used Telegram to publicize their activities, often naming victims or proposed victims and sharing victim data for others to download. DarkOwl continues to monitor Telegram for new and emerging groups and assess that the use of Telegram for the above purposes is likely to continue.
Discord had a turbulent 2023: it was disclosed that sensitive US military information had been shared on one of its servers. In reaction, Discord reviewed a number of servers and closed those involved, along with any associated accounts it deemed to be nefarious in nature. However, the platform, popular with gamers, continues to be a place where threat actors and other individuals conducting nefarious activity interact. DarkOwl will continue to monitor this in 2024.
Figure 3 – Example of classified document shared on Discord
Ransomware
In 2023 ransomware continued to be a huge threat, with 4671 attacks reported. Although some groups were disrupted, with varying degrees of success, by both law enforcement and other threat actors, new groups emerged with new methodologies and techniques, and arguably fewer “rules”, with all organizations being “fair game”, including healthcare and schools. It is expected that ransomware attacks will increase in 2024 to unprecedented levels.
CL0P successfully exploited a zero-day vulnerability in a widely used file-transfer product (MOVEit Transfer) to hit high-profile victims, releasing their data on its dark web leak site. This provided an example of a different technique that ransomware groups can use successfully: by exploiting one vulnerability in software shared by many organizations, the group was able to release data on a large volume of victims in a short amount of time, increasing its profile in the process. We assess that ransomware groups (and all hackers) will continue to seek out these types of vulnerabilities, which highlights the need for a robust and secure supply chain.
Figure 4 – Header from CL0P leak site
LockBit was by far the most active ransomware group in 2023, although it did not always receive the same coverage as other groups. The group was reported to have 1041 victims in 2023, an increase of 304 from 2022. There is no indication that this group is slowing down: at the time of writing, the group had posted 9 new victims on its leak site, almost one for every day of the year so far. These groups will continue to be a threat into 2024 unless successful law enforcement action is taken.
Figure 5 – LockBit 3.0 leak site
Although BlackCat/ALPHV appeared to suffer a disruption by law enforcement at the end of 2023, they were quick to bounce back with a new leak site and victims. This event highlighted the difficulty law enforcement has in combatting ransomware groups: although infrastructure can be removed and decryptor keys released, the groups are unlikely to be fully disrupted until the individuals are arrested, something that is not always possible given their geographical location. DarkOwl expects this to be a continuing frustration for law enforcement into 2024, which adds to the prediction that ransomware will grow and continue to be a threat.
Figure 6 – BlackCat group takes back their leak site and announces a new one
Double extortion, where data is exfiltrated before encryption and leaked if the ransom is not paid, was standard practice for ransomware groups in 2023. However, more and more groups are emerging which simply run extortion sites where they threaten to share data, without encrypting the companies’ data in the first place. This trend is expected to increase in 2024: as decryption keys for common ransomware families are released, developing new malware becomes more costly for groups, while high-profile cases have shown that companies are willing to pay ransoms purely to stop stolen data from being released to the public.
Credential Theft
Although it can seem simple, credential theft continues to be one of the most common and lucrative methods of attack for threat actors. Stolen credentials can cause varying degrees of damage depending on who they belong to, from the loss of streaming service accounts to identity theft to network access and ransomware attacks. If individuals continue to reuse passwords, and/or companies do not implement robust password policies and multi-factor authentication, this will continue to be a threat. Because of this, DarkOwl analysts assess that credential theft will remain a major threat in 2024.
In order to combat this crime, DarkOwl’s team continues to collect data leaks to allow organizations to identify the risks they are exposed to. The fallout from the 23andMe data leak in late 2023 highlighted that the risk is not just that threat actors may be able to access data: companies are increasingly suffering large fines from regulators and lawsuits from those whose data has been stolen, increasing the risk that organizations face from data breaches.
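The 23andMe case above was a credential-stuffing attack: leaked username/password pairs replayed against another site, succeeding wherever the user had reused a password. The detection below is an added example written for this post, not DarkOwl’s code or tooling. The log format (timestamp, source IP, username, result) and the sample lines are constructed; adapt LOG_RE to your own authentication logs. The heuristic it implements is the one that separates stuffing from ordinary brute force: one source IP producing mostly failed logins across many distinct usernames in a short window.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example, not DarkOwl's code. The log format (ISO timestamp, source IP,
username, result) is an assumption; adapt LOG_RE to your own auth logs.
Heuristic: one source IP producing mostly failed logins across many
*distinct* usernames in a short window is replaying leaked username/password
pairs (credential stuffing), as opposed to one account being brute-forced.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six different accounts in six seconds
# and lands one (dave reused a leaked password); 198.51.100.9 is a single user
# mistyping their own password twice before logging in, which is not stuffing.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 login user=alice@example.com result=FAIL
2023-10-01T12:00:02Z 203.0.113.7 login user=bob@example.com result=FAIL
2023-10-01T12:00:03Z 203.0.113.7 login user=carol@example.com result=FAIL
2023-10-01T12:00:04Z 203.0.113.7 login user=dave@example.com result=SUCCESS
2023-10-01T12:00:05Z 203.0.113.7 login user=erin@example.com result=FAIL
2023-10-01T12:00:06Z 203.0.113.7 login user=frank@example.com result=FAIL
2023-10-01T12:00:30Z 198.51.100.9 login user=grace@example.com result=FAIL
2023-10-01T12:00:31Z 198.51.100.9 login user=grace@example.com result=FAIL
2023-10-01T12:00:32Z 198.51.100.9 login user=grace@example.com result=SUCCESS
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<res>\S+)$"
)


def parse(log_text):
    """Return a list of (timestamp, ip, user, success) tuples; skips unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["res"] == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within `window`, tried >= min_users distinct usernames
    with a failure ratio >= min_fail_ratio. For each flagged IP the widest
    qualifying window is reported. Successful logins inside such a spray are
    the accounts to force-reset: the attacker now holds a valid password."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "failures": fails,
                        "compromised": sorted(u for _, u, ok in chunk if ok),
                    }
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The single-account failures from 198.51.100.9 never trigger, because the signal is breadth of usernames rather than volume of failures; tune `min_users` and `window` to the login rate of the application, and treat the `compromised` list as the reset queue.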
Figure 7 – Redline Stealer Log Header
DarkOwl also expects the selling and trading of stealer log information to continue throughout 2024. These logs give threat actors the credentials, cookies and user agents captured from victims’ machines, which can be used to mount attacks and take over accounts; because session cookies are included, a valid cookie can sometimes bypass multi-factor authentication entirely. The close-to-real-time nature of these logs means the credentials are usually still active, which increases the success rate a threat actor can expect and makes the logs very profitable for those selling them on the dark web. DarkOwl will continue to monitor and collect this information where available.
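What a defender does with a recovered stealer log is triage it against their own footprint: which records carry a corporate identity or point at a corporate host, and which passwords are reused across services, since reuse is what turns a personal-account leak into a corporate one. The script below is an added example written for this post, not DarkOwl’s code. The password-file layout (key/value lines per record, records separated by blank lines, with the key spellings in KEY_ALIASES) is loosely modelled on infostealer output and is an assumption; the sample log and the watched domain `corp.example` are constructed.

```python
"""Triage of a constructed infostealer password log against an organisation's watchlist.

Added example, not DarkOwl code. Assumes a RedLine-style "Passwords.txt"
layout of key/value lines per record separated by blank lines; real stealer
families differ, so the key aliases below are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log: one victim with a corporate SSO + VPN login, the same
# password reused on a streaming site, and an unrelated personal account.
SAMPLE_PASSWORDS_TXT = """\
URL: https://sso.corp.example/login
Username: alice@corp.example
Password: Winter2023!
Application: Google Chrome

URL: https://vpn.corp.example/
Username: alice@corp.example
Password: Winter2023!
Application: Google Chrome

URL: https://www.netflix.com/login
USER: alice.personal@mail.example
PASS: Winter2023!

URL: https://shop.example.net/account
Login: bob@mail.example
Password: hunter2
"""

# Assumed spellings of the record keys seen across stealer families.
KEY_ALIASES = {
    "url": {"url", "host", "hostname"},
    "user": {"username", "user", "login"},
    "password": {"password", "pass"},
}


def _canon(key):
    k = key.strip().lower()
    for canon, aliases in KEY_ALIASES.items():
        if k in aliases:
            return canon
    return None


def parse_stealer_log(text):
    """Split the log into records and keep only complete url/user/password triples."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("==="):
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        canon = _canon(key)
        if canon:
            cur[canon] = value.strip()
    if cur:
        records.append(cur)
    return [r for r in records if {"url", "user", "password"} <= r.keys()]


def _host(url):
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else url.lower()


def mask(pw):
    """Keep the first two characters so analysts can correlate without storing secrets."""
    return pw[:2] + "*" * (len(pw) - 2) if len(pw) > 2 else "**"


def triage(records, watched_domains):
    """Return (hits, reused): records touching the organisation, and passwords
    seen on more than one host (masked) with the hosts they were used on."""
    watched = {d.lower() for d in watched_domains}

    def belongs(name):
        name = name.lower()
        return any(name == d or name.endswith("." + d) for d in watched)

    hits = []
    for r in records:
        user_dom = r["user"].rsplit("@", 1)[-1] if "@" in r["user"] else ""
        corp_identity = belongs(user_dom)
        corp_host = belongs(_host(r["url"]))
        if corp_identity or corp_host:
            hits.append({
                "user": r["user"],
                "host": _host(r["url"]),
                "password": mask(r["password"]),
                "reason": "corporate identity" if corp_identity else "corporate host",
            })

    by_pw = defaultdict(set)
    for r in records:
        by_pw[r["password"]].add(_host(r["url"]))
    reused = [{"password": mask(pw), "hosts": sorted(hosts)}
              for pw, hosts in by_pw.items() if len(hosts) > 1]
    return hits, reused


if __name__ == "__main__":
    hits, reused = triage(parse_stealer_log(SAMPLE_PASSWORDS_TXT), ["corp.example"])
    print("exposed corporate records:", hits)
    print("passwords reused across hosts:", reused)
```

Matching on both the identity domain and the URL host matters: a personal mailbox used to log into the corporate VPN would be missed by an email-domain check alone. Passwords are only ever emitted masked, so the triage output can be shared with an incident channel without re-leaking the secret.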
Islamic Extremism
Figure 8 – Inspire Magazine Header
Likely linked to the ongoing conflict in Gaza, we have begun to see an increase in material linked to Islamic extremism. In early 2024 AQAP revived the English-language ‘Inspire’ magazine in video format. The video stated that “it is time to avenge Gaza” and provided instructions for building a ‘Hidden Bomb’ for targeting American planes, Bill Gates, and Elon Musk. Although not strictly a cyber threat, ISIS and AQAP have previously used online methods to incite violence and to attract and radicalize followers. DarkOwl assesses that this will continue as tensions rise in the Middle East. Our analysts continue to monitor these groups and their activities.
A.I.
Another theme of 2023 was the rise of AI, with ChatGPT and Bard, among others, being released and widely adopted. Threat actors also began to adopt this technology to assist them in their attacks. As the technology matures, we expect it to be used more extensively by threat actors in 2024.
DarkOwl has seen actors selling access to AI accounts and providing training on how AI can be used to conduct attacks, such as producing more believable and sophisticated phishing emails, as well as generating images for fake IDs used to circumvent financial institutions’ know your customer (KYC) checks. There are likely to be many other ways in which AI can be used for malicious activity. DarkOwl will continue to monitor this throughout 2024.
APT Groups
APT groups will always pose a threat. They tend to be well funded and sophisticated in nature and can be very hard to detect and disrupt, meaning that while they may have periods of apparent inactivity, they are unlikely to disappear, usually re-emerging in a slightly different configuration.
As geopolitical tensions continue, with wars in the Middle East and in Ukraine, Iran and Russia are likely to be very active in 2024. Elections will also likely elicit disinformation campaigns and other attacks seeking to influence the outcome.
However, the country likely to pose the largest and most persistent threat is China. A high volume of attacks across a range of sophistication has been attributed to China, and it is likely that this will continue. The Director of National Intelligence stated, “China probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. Government and private-sector networks.” This highlights the threat the US government believes China poses in the cyber realm. It is likely we will see attacks from China throughout 2024.
Conclusion
2024 is likely to be a busy year for Cyber Security professionals and Threat Intelligence Analysts.
In 2023 the world witnessed over 50 ongoing real-world conflicts, as estimated by the UN. Conflicts now inevitably include a cyber element, whether through attacks, disinformation campaigns or recruitment campaigns, so we are likely to see activity related to these conflicts. Furthermore, many countries will be holding elections this year which are likely to be marred by disinformation and claims of election fraud, both of which are likely to have a cyber element.
The threats of ransomware and credential theft will also feature heavily in the 2024 landscape and companies and organizations should be prepared for the threats that they pose. Monitoring the dark web to identify these activities can help organizations to better position themselves for the threats that will emerge in 2024.
Read on for highlights from DarkOwl’s Product Team for Q4, including new exciting product features.
Actor Explore Launched
The team released a major new Explore section in our Vision UI focusing on threat actors. This feature is designed to give security professionals, researchers, and organizations analyst-curated information about threat actors. Our analyst team selected 298 actors in these categories:
State-sponsored
Cybercrime groups
Ransomware
Access brokers
Exploit brokers or exploit buyers
Critical infrastructure attackers
Bulletproof hosting providers
Each actor dossier includes descriptors, contact, and cryptocurrency. The Darknet Fingerprint page includes darknet operations (Telegram channels or websites administered), associated data leaks within the DarkOwl Vision dataset, as well as forums and marketplaces on which the actor has been observed. Additional tabs include lists of known Tools and CVEs used as well. Within the Actor Explore section, you can see a Target Map of countries, Links to Research actor aliases and attributes in the DarkOwl Vision dataset, and can compare across different actor groups to see collisions.
This wealth of data enables users to gain a profound understanding of the threat actors, their tactics, and the potential risks they pose. Actor Explore will be regularly updated with new information and actors, prioritizing client needs, ensuring that users have access to the latest intelligence to bolster their cybersecurity efforts and research.
Figure 1: DarkOwl Actor Explore result for APT37
Leak Context Additions
The team has significantly increased the information in Leak Context this quarter, after the initial release in September. All of this content is available in both the UI and Leak Context API.
We’ve added a Search for Filetree button in the UI that lets you pivot to open a new tab & see the list of all files within the leak.
We’ve added more than 7 content fields relating to the Original Post location, the Attack Type of the leak, and the Size of the leak.
Leaks of Interest Collected
23andMe
Four datasets relating to 23andMe emerged on a deep web hacking forum as well as Telegram in early October. On October 6, 23andMe confirmed that it was investigating a cyberattack that resulted in unauthorized individuals gaining access to certain customer accounts. The company said it believed that the hackers were able to access certain accounts through a credential stuffing attack, where users had recycled login credentials. Our analyst team wrote a blog covering this leak here.
INDIA – ICMR Leaks Aadhaar and Passports 200K Sample
According to the post by RavishKumarOfficial on BreachForums, this is a 200K sample from the 815 million Aadhaar and passport data leak previously posted for sale by pwn0001. The data leak is purported to be a COVID testing data breach. Data exposed includes full names, phone numbers, passport numbers, Aadhaar numbers (Government of India’s 12 digit individual identification number), age, gender, and physical addresses.
Johnny Logs 11DEC23
A batch of infostealer logs was posted to the Johnny Logs Telegram channel on December 12, 2023. The data exposed comes from a reported 3,000 log files and varies based on what was exfiltrated from each machine.
Vision UI & API Updates
We launched our UI Assistant to announce new features and content, including a weekly What’s Leaking update.
For Email Domains, you are now able to generate an Email Domain Report PDF, a PDF version of the information displayed on the screen.
The Authenticated Site label now appears on search results, allowing users to easily tell which search results come from these sites.
Search Block translations: We added new search block keywords in Arabic, French, Russian, and Spanish, and updated the design of this page to feature our growing translation options.
Search Result Pivoting: Within search results with extracted chat users or extracted emails, cards, cryptocurrency, or IP addresses, you can select research actions under the corresponding View Switch to help you to navigate to additional results with the Research or Entity Explore sections:
Username Research (Chat Users): Identify the darknet footprint associated to a username or user ID of interest, that can lead to alternate usernames and conversations in our chat application data.
Entity Explore Results: See aggregate data on Email Addresses, Credit Cards, Cryptocurrency or IP Addresses, with the ability to filter and batch export relevant results.
Curious how these features can make your job easier? Get in touch!
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.