Iran’s Role in the New Middle East Conflict

November 14, 2023

Despite claiming a mostly isolated status for the four decades since the 1979 revolution, Iran manages to send personnel and/or weapons to many major conflicts around the Middle East region, quietly participating in and shaping world events while retaining plausible deniability. Additionally, their cyber capabilities have quickly grown and improved, so they are able to act in the digital realm as well, while obfuscating those activities too. As Iran trains guerrilla fighters, trains and funds militias that actively attack Western military bases and personnel in the Middle East region, and couples their physical activities with digital aggression, they must be closely monitored and observed to properly understand their growing capabilities and level of involvement in various conflicts.

Iranian ground activity in Iraq was observed at the beginning of the US invasion in 2003, when coalition forces routinely encountered Iranian influence and weapons. Despite the formal end of coalition efforts in Iraq, Iran has maintained a proxy presence in multiple Middle East conflicts, including active foot soldiers in Yemen, Syria, Lebanon, and other Middle Eastern states and present-day conflicts. Iran has recently sent fighters and weapons to Belarus to support Russian aggression in Ukraine, expanding their operations and support to a European conflict.

Iran’s activity supporting various militant groups with weapons, funds, cyber operations, and personnel, in and outside of conflict, is nothing new, which is why analysts are exploring their role, if any, in the current conflict between Israel and Hamas. Dating back to the Lebanese civil war in the 1970s, Iran saw an opportunity to simultaneously support fellow Shiites and oppose Israel. Iran funded the Shiites and offered formal training to the guerrilla groups, which cemented themselves as Hezbollah. Iran continued to fund, train, and arm Hezbollah through the conflicts of the 1980s, such as the Southern Lebanon War, and of the 1990s, facilitating various kidnappings, suicide bombing attacks, and direct military battles along the Israeli border. In the 2000s, Hezbollah established Unit 3800 to target coalition forces in Iraq. During the 2010s, Hezbollah and IRGC forces protected and supported dictator Bashar al-Assad in Syria.

Possible support methods will vary in this latest conflict depending on other major military powers’ possible involvement, the use of drones and other remote weapons, and the digital augmentation of physical attacks, including possible cyber warfare. This blog explores Iran’s recent activity, security posture, and response to the conflict between Hamas and Israel.

For many years Iran has consistently used its state-controlled media to publicize controversial opinions that further its authoritarian views and its claim to leadership in the world:

Anti-Western ideas are advertised with galvanizing calls for participants to rise and join forces to remove Western ideology, culture, and personnel from the Middle East region. The current conflict is no different: hybrid physical and cyber components are being utilized, which Iran hypes up and pushes in order to maintain activity and further its goal of regaining international status on the world stage and returning to global-power status, versus the isolated stance it has sustained since the 1979 revolution.

Prior to the October 7, 2023, attack on Israel, multiple news outlets claimed that contingents of Hamas fighters trained at Iranian facilities in September 2023. Considering that Hamas went notably quiet in the months leading up to the attack, with reduced Telegram/online activity, and that leading intelligence agencies reportedly lacked insight into the coming attacks, these claims are difficult to substantiate but merit observation.

Hezbollah 

Lebanon-based Hezbollah, whose name means “the party of Allah,” is a Shiite political party and militant group. The group took advantage of the Lebanese civil war to position itself in power in the area.

Political party: حزب    

Allah: الله 

Hezbollah is anti-Western influence and anti-Israel: 

The Iranian theocracy took to supporting Hezbollah in the 1980s, nurturing them from a low-level, poorly organized militia into the regional powerhouse they are today with a healthy annual budget. While the exact amount is unknown, estimates from global governments put the operating budget in the hundreds of millions of dollars. The size of Hezbollah is also a rough estimate at 30,000 people, but this is impossible to confirm. They vow to expel western influence from the Middle East region, and use improvised explosive devices (IEDs), guerrilla tactics, and other asymmetric warfare in their physical operations. Hezbollah also provides Iran with plausible cover to deny their involvement in any operations Iran doesn’t want to publicly claim.

Considering the ties to Iran, it is no surprise that as Iranian cyber capabilities grew, so too did Hezbollah’s. Like so many other groups during times of conflict, Hezbollah adopted cyber capabilities to augment its physical and psychological operations. Dating back to 2006, Hezbollah launched cyber attacks against multiple countries that supported Israel during the 34-day war. In 2015, Hezbollah conducted operation “Volatile Cedar,” which targeted Israeli defense sector websites and assets.

Currently, they have numerous Telegram channels in various languages which promulgate Iranian and Syrian state narratives and propaganda: 

In this current conflict, Hezbollah has physically attacked Israeli defenses and equipment on the Israel/Lebanon border. They have also established Telegram channels specifically for this conflict to show war videos and document events as they unfold, which DarkOwl is actively monitoring:

Kata’ib Hezbollah 

Kata’ib Hezbollah, or the “Brigades of Hezbollah,” is the branch of Hezbollah that operates specifically in Iraq, with limited activity also observed in Syria. They are funded, supported, and trained by Iran as well as by Lebanese Hezbollah. They have involved themselves in the Israel-Hamas conflict by declaring war on U.S. entities in Iraq and attacking them in retribution for U.S. support for Israel:

Badr Organization 

The Badr Organization, a Shiite entity also funded and trained by Iran, is another group active in Iraq. Much like Kata’ib Hezbollah, they have entered the realm of public threats by criticizing US support for Israel and threatening US entities in the region:

Houthis 

Ansarullah, “Partisans of Allah,” are better known as the Houthis, after the name of the tribe from which they emerged in Yemen:

Partisans/supporters: أَنْصَار 

Allah: الله 

Both the Government of Iran and the militant group Hezbollah provide arms, training, and financing to the Houthis, a Shiite party of fighters who target Western forces, Jewish residents of the Middle East, and other Middle Eastern nation states, such as Saudi Arabia and the United Arab Emirates.

Iran’s support for the Houthis is measurably less than the support it provides to Hezbollah. Much like Iran, the Houthis rely on irregular, guerrilla warfare tactics to remain elusive and unpredictable, yet effective. The Houthis are based in Yemen and have furthered proxy efforts, launching attacks against Saudi Arabia and other Gulf states from war-torn Yemen. These proxy groups are also involved in the latest Middle East conflict, both physically, claiming drone and missile attacks, and digitally, galvanizing support for Palestine and Islam on Telegram and other chat platforms:

Telegram channels that follow the conflict have also recounted training, drills, and other Houthi activity, bringing the group into the media’s war coverage:

A Yemeni political figure demonstrates how the Houthis have also turned to Telegram and are engaging international parties in the current Middle East conflict:

In addition to the more infamous Iranian proxy groups, other splinter supporters and lesser-known groups have emerged in both the digital and physical realms and espoused their support for Hezbollah, Hamas, and/or general pro-Palestinian efforts. Accessibility and connectivity make it easy for anyone with a device and a connection, anywhere in the world, to jump into the fray of conflict and espouse their opinions. As this conflict rages on, more groups are expected to emerge. Their actual ties to bodies like the Governments of Iran and Syria, and to other groups with an interest in the Middle East region, will require diligent research and vetting.

Conclusion 

Despite its self-described global isolation, which Iran blames on the US and the UK, Iran constantly involves itself in regional events in the Middle East, whether by funding, training, and arming its many proxy groups, by conducting offensive cyber attacks, or both. Considering its decades-long history of involvement, Iran will stay enmeshed in the current Israel-Hamas conflict by arming Hezbollah and Hamas with drones and missiles, propagating pro-Islamic, anti-Western, and anti-Israeli messages on Telegram and other social media platforms, and bolstering support for ridding the Middle East region of Western influence in general.

DarkOwl plans to cover Iranian cyber and physical efforts in more depth in 2024, including Telegram and dark web activities, the Government of Iran’s targeting of domestic and civilian populations during recent civic strife, its use of technology to track Iranian dissidents, the state of Iran’s cyber program, both state-sponsored and criminal, and more. Make sure to register for our weekly newsletter to get the latest.


Discussing Darknet Adjacent Sites and Narrative Attacks with Blackbird.AI and DarkOwl CEOs

November 09, 2023

Mark Turnage, CEO and Co-Founder of DarkOwl, and Wasim Khaled, CEO and Co-Founder of Blackbird.AI, sat down for a fireside chat to discuss emerging trends with darknet adjacent sites, such as Telegram and Discord, and narrative attacks. Their interview is transcribed below.

Today, Blackbird.AI, the leader in AI-driven Narrative and Risk Intelligence, announced a partnership with DarkOwl, the leading provider of darknet data, to enable organizations to identify narrative attacks across the dark web. This expands Blackbird.AI’s comprehensive visibility of narrative attacks, which today includes social media, news, forums, podcasts, and more. The full press release can be found here.

Interview with Mark and Wasim

Mainstream apps like Discord and Telegram are gaining popularity among hackers. Why do you think they are migrating away from the dark web?

Wasim: Narrative attacks are now part of many cyberattacks. Mainstream apps like Discord and Telegram are gaining popularity among hackers because increased law enforcement monitoring has pressured dark web hacker forums. These apps make it easier for hackers to coordinate because apps like Discord and Telegram offer more moderate anonymity but increased accessibility compared to the difficulty of accessing the dark web. It’s also effortless for narratives to proliferate across channels and groups with little friction.

Mark: As Wasim said, there has been a considerable uptick in recent years of marketplaces and forums being “disrupted” and taken down by law enforcement activities on the dark web. For example, Breached Forums, Monopoly Market, and Genesis were taken down just this year. This has led to a lot of mistrust by users on these forums who believe that they are being watched or that their infrastructure is unsafe. So they are looking for other means of communication. Platforms like Telegram are utilized for marketplaces and forums like the dark web, using public channels but also allowing users to have private messaging, giving them more security and anonymity. Platforms like Telegram are much more accessible to users, easily accessed from your phone, and for some users, this is better than configuring your Tor browser, etc. Telegram also traditionally has not cooperated with law enforcement. Using dark web adjacent sites can also give the appearance of legitimacy, as legitimate users can often use these. Groups like left- and right-wing extremists use these channels and surface web forums. Also, groups like the Taliban are active on these sites.

The dark web allowed anonymity but was difficult to access. How do Telegram and Discord offer hackers more moderate anonymity but increased accessibility?

Wasim: The dark web allowed anonymity but was difficult to access. Telegram and Discord offer hackers more moderate anonymity, but the improved accessibility of mainstream apps makes them attractive alternatives.

Mark: While the dark web continues to be an area where criminals congregate to sell goods and discuss illicit activities, we are seeing other platforms emerge as also being used by these groups. Many of these chat platforms and networks include legitimate channels and communities and could even be casually considered a form of ‘social media.’ Despite this, DarkOwl refers to chat platforms such as IRC, Telegram, and qTox that have considerable use by darknet cyber criminals as ‘darknet adjacent’ for their role in persisting illicit goods trade, fraudulent activities, and cybercrime. 

What are some examples of narrative attacks and disinformation that can spread about companies?

Wasim: Examples of narrative attacks and disinformation aimed at companies include spreading misleading or outright false information about harmful products, leadership misconduct, unethical business practices, or other damaging claims.

Mark: Regarding nation-state examples, with the emergence of the Russian invasion of Ukraine, messaging apps have become an essential means of communication between militant groups and sharing information/disinformation with wider groups of people. Wagner, the Russian PMC group, also uses Telegram. These sites have a much larger reach than the traditional dark web sites.  

How can narrative attacks and disinformation about a company’s products be harmful?

Wasim: False claims about product defects, safety issues, or performance can erode consumer trust. This may discourage purchases. Correcting false claims is difficult if disinformation has spread widely online or in the media. Lost revenue and reputational damage can result. Narrative attacks and disinformation targeting a company’s products can inflict significant harm by eroding consumer trust and tarnishing brand reputation. Misleading or polarizing information quickly goes viral in today’s hyper-connected world, leading to a cascade of negative effects such as plummeting sales, increased customer churn, and even regulatory scrutiny. The long-term impact can be even more damaging because once a narrative takes hold, it can be tough to change, causing lasting harm to market share and growth prospects. In the worst-case scenario, a successful disinformation campaign can trigger a crisis of confidence among stakeholders, ranging from customers and employees to investors, severely undermining the company’s competitive standing and even jeopardizing its existence.

Mark: I would add that due to all those examples, disinformation can even lead to legal action against a company in some cases. On the darknet, we see disinformation-as-a-service frequently. It is definitely on the rise. Threat actors trade social media accounts and their influencers – accounts sold in bulk that could be easily leveraged for disinformation or misinformation campaigns by a foreign government or agency with malicious intentions. There are several examples the DarkOwl team has found where a threat actor group offers for a fee to erase news, website pages, results from search engines, YouTube videos, and negative comments on forums and create posts, reviews, and news to positively or negatively affect a company.

How do narrative attacks target politicians, thought leaders, and company leadership?

Wasim: Conspiracy theories and false and inaccurate narratives about executives can undermine their credibility and leadership. False claims about illegal or unethical actions by leaders can also trigger costly investigations or lawsuits, while share prices may fall due to uncertainty. The company may have to spend significant resources defending and communicating the truth.

Mark: The darknet is a known playground for disinformation campaigns, and its users are wise to detect disinformation, especially across anonymous image boards where several controversial groups like QAnon participate. The team wrote a blog a while back where one anonymous user on endchan advised, “Don’t be fooled by disinformation. They almost always use truth but wrap it in disinformation,” noting the prevalence of outrageous conspiracy theories historically across the internet. 

This interview continues diving into narrative attacks on the Blackbird blog here.

About Blackbird.AI

Blackbird.AI helps organizations detect and respond to threats that cause reputational and financial harm. Powered by their AI-Driven Narrative & Risk Intelligence Constellation Platform, organizations can proactively understand risks and threats to their reputation in real time. Blackbird.AI was founded by a team of experts from artificial intelligence and national security, with a mission to defend authenticity and fight narrative manipulation. Recognized by Forrester as a “Top Threat Intelligence Company,” Blackbird.AI’s technology is used by many of the world’s largest organizations for strategic decision-making.


The Importance of Tracking and Monitoring Cyber Threat Actors

Introducing DarkOwl’s new addition to our Vision UI platform, Actor Explore

November 08, 2023

Introduction 

In today’s digitally driven world, the landscape of cyber threats is ever-evolving and increasingly sophisticated. As businesses and individuals become more dependent on technology, the need to protect sensitive data and critical infrastructure from cyber attacks has never been more critical.  

One effective approach to enhancing cybersecurity is to track and monitor cyber threat actors: the individuals or groups with malicious intent who are responsible for conducting attacks, often targeting organizations, governments, or individuals. Understanding why they are operating, what they hope to achieve, and what methodologies they are using can assist analysts in protecting infrastructure and predicting future activities.

Why Are Threat Actors Important?

Motivations for conducting these attacks can vary greatly, from financial gain to espionage to geopolitical events, to name a few. It is important to understand the motivation of threat actors, as this can help identify what they are trying to achieve and what threats they might pose to certain organizations, industries, or even countries.

Identifying and monitoring the tactics, techniques, and procedures (TTPs) of cyber threat actors is also an important step in gaining insight into actors’ strategies. This information can be invaluable in understanding how attacks are executed and in identifying potential vulnerabilities in an organization’s defenses.

Attribution is the process of determining who the real individuals behind an attack are. Knowing who is responsible for an attack not only helps with law enforcement efforts but also serves as a deterrent: when malicious actors know that they can be identified and held accountable for their actions, they may think twice before engaging in criminal activities. However, true attribution is not always needed; knowing what activities a group is conducting and who their victims are can help us understand what will happen next and learn for future attacks.

Actor Explore

Today, DarkOwl has launched Actor Explore, which allows users to review analyst-curated insights into active threat actor groups on the darknet and beyond. We explore the motivations behind the groups, the tools they have used, and searchable attributes to pivot on within DarkOwl Vision. Here we explore three of the groups available in Actor Explore and the motivations, methodologies, and TTPs that they use.

Anonymous Sudan 

Anonymous Sudan are a hacktivist group who are very active on Telegram, running their own channel, which regularly publishes details of the attacks that they are undertaking and re-posts information from affiliated groups such as Killnet.

They appear to be politically and religiously motivated, targeting countries or organizations they perceive to be anti-Muslim or pro-Western. However, security researchers have hypothesized that the group is backed by Russia, given their links to pro-Russian groups, their way of operating, and the financial backing they appear to have.

Figure 1: DarkOwl Actor Explore result for Anonymous Sudan 

The group emerged in early 2023, when they began to conduct distributed denial-of-service (DDoS) attacks against organizations in Sweden and Denmark. DDoS appears to be the main method of attack that they have adopted, and they often evidence their success by posting images of the downtime of their victims’ websites.

The group’s current Telegram channel was created in September 2023, when they claimed that their original channel had been banned by Telegram. In response, they attacked the Telegram website and caused issues and downtime for Telegram users. The attacks appeared to continue throughout the month.

Later that month the group targeted a number of US companies, including Netflix and Hulu, which it stated was a response to US interference in Sudanese internal affairs.

Figure 2: Anonymous Sudan Telegram channel 

In response to the Hamas incursion into Israel, Anonymous Sudan pledged their support to Palestine and announced that they were attacking “some critical endpoints in the alert systems of Israel, which may affect the Iron Dome.” The post was made in English and Arabic; previously, several posts had been in English and Russian. The group went on to target the Jerusalem Post, as well as “Western” news outlets that it claimed were sharing fake news, such as the New York Post, the Washington Post, and the Daily Mail. At the time of writing, the attacks have predominantly been aimed at US corporations.

Figure 3: Anonymous Sudan Telegram channel 

This group has shown capabilities that allow them to take high-profile websites offline for varying periods of time. While they appear to be politically motivated and claim to be from Sudan, researchers have cast doubt on this, highlighting why it is important to understand a group’s motivations, what activities they are conducting, how they are operating, and with whom. DarkOwl continues to track the activities of this group.

0xCee

Figure 4: Telegram ID for 0xCee 

0xCee is an initial access broker (IAB) who is active on Telegram. They use a bot on their Telegram channel to verify that a user who wishes to join the channel is not a bot. This is a level of sophistication that most Telegram channel administrators do not exhibit.

The user is active on several Telegram channels, where they have participated in chats and shared information. DarkOwl analysts have been able to identify the user profile for the individual as well as their private channel used for selling access; building up identifying information like this allows analysts to monitor the activity of threat actors.

Some of these channels have been used to advertise the access that the actor has; they provide specifics about pricing as well as details of how many times they are willing to sell the access.

DarkOwl analysts have seen other Telegram users claim that some of the data that was purchased was old data and that they were not happy that they did not have the access that was advertised. 0xCee refused to provide any refunds on the data and insisted that it was used incorrectly. Reputation is very important in darknet markets, as most purchases are made on faith. Therefore, understanding these interactions can help analysts to make an assessment about the risk posed when an IAB advertises access to an organization.  

APT Groups 

Advanced persistent threats (APTs) are considered to be highly sophisticated threat actors who usually operate over a prolonged period of time. The motivations of an APT can often dictate how they operate: those committed to espionage try to hide their activities, those seeking to obtain intellectual property may be less concerned, and those that are financially motivated may publicize their activities through ransomware attacks, such as the Lazarus group, which was widely reported to be responsible for the WannaCry ransomware attacks in 2017.

While APT groups are difficult to track, and are generally identified via the TTPs they use rather than through communications on darknet forums or platforms such as Telegram, it is possible to identify common signatures that they adopt, which can assist with attribution. Identifying commonalities among victims can also assist analysts in identifying the origin of an APT as well as its possible motivations; these can also be assessed by reviewing what information has been accessed or exfiltrated.

DarkOwl analysts track the tools utilized by APT groups, as well as details of victims, CVEs, and the dark web footprint of actors. Using open-source intelligence as well as our darknet collections, details relating to these groups are tracked to assist analysts with their attribution efforts.

Figure 5: Screenshot of APT10 Threat Actor Group Profile in Actor Explore

Conclusion 

True attribution is very difficult to achieve, and some cyber threat intelligence analysts would argue that it is not important. However, tracking available information about threat actors, such as their motivations, TTPs, victims, and activities, can provide valuable intelligence that allows analysts to predict behavior and take proactive steps to protect their organizations.

DarkOwl sees the benefit of this information and has therefore created Actor Explore to provide our users with intelligence relating to threat actors active on the darknet and the wider threat actor community. This latest feature is designed to empower security professionals, researchers, and organizations with analyst-curated information about threat actors, enhancing their ability to understand and combat cybersecurity threats effectively.


Threat Intelligence RoundUp: October

November 01, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. North Korea Poses as Meta to Deploy Complex Backdoor at Aerospace Org – Dark Reading

Threat actor group Lazarus has crafted a new backdoor used in operations targeting the aerospace industry. “Lightless Can” is a RAT, and Lazarus members are spreading it by impersonating Meta recruiters on LinkedIn. The actors send “coding challenges” presented as part of a job interview, which victims download onto both their company and personal devices, spreading the malware. Read full article.

2. Magecart Campaign Hijacks 404 Pages to Steal Data – Dark Reading

Magecart is inserting malicious code into the HTML pages of various websites, with a focus on the food and retail industries. Magecart is an umbrella term; the collective is comprised of several different criminal actor groups who employ skimming and custom malware to steal PII and financial information from e-commerce websites. One of Magecart’s skimmers, Kritec, successfully impersonated third-party vendors like Google Tag in the spring of 2023. Article here.

3. US energy firm shares how Akira ransomware hacked its systems – Bleeping Computer

Akira actors first used stolen VPN credentials from a third-party contractor’s account to access internal BHI networks. This same account was used to conduct continued reconnaissance of the internal network. It took the actors just over a week (nine days) to take 767,000 files/690 GB of data. Exposed data included full names, SSNs, DOBs, and other PII of BHI customers. Read more.

4. Ukrainian activists hack Trigona ransomware gang, wipe servers – Bleeping Computer

The Ukrainian Cyber Alliance (UCA) used CVE-2023-22515, a Confluence vulnerability, to escalate privileges and access Trigona’s Confluence server. They gained insight into the infrastructure and published Trigona’s support documents, exfiltrated the developer environment and information pertaining to Trigona’s crypto payments, as well as the back end of Trigona’s chat service and blog/leak site details. After collecting all the information, UCA defaced and deleted Trigona’s site. Read here.

5. Savvy Israel-linked hacking group reemerges amid Gaza fighting – CyberScoop

Israeli hacking collective Predatory Sparrow recently reemerged after taking time off from digital operations. This group, who has historically targeted Iran, posted in Persian in their Telegram channel on Monday, October 16, asking if their followers were “…following what is happening in Gaza.” They also shared a link to Iranian Mehr News Agency, which was down at the time. Learn more.

6. KillNet Claims DDoS Attack Against Royal Family Website – Dark Reading

KillNet caused the UK Royal Family’s website to be unavailable for 90 minutes on Sunday, October 1. KillMilk, the leader of KillNet, called the incident “an attack on pedophiles” – a reference to Prince Andrew’s ongoing scandal. Fueling the fire, Britain’s King Charles had recently condemned the Russian invasion of Ukraine in a public speech, and KillNet attempts to exact retribution on those who speak out against Russian actions. Read full article.

7. ALPHV ransomware gang claims attack on Florida circuit court – Bleeping Computer

ALPHV ransomware gang claimed responsibility for an early October attack against northwestern Florida courts. The attack possibly revealed social security numbers and other personal information of court employees, as well as of judges themselves. ALPHV also claims to have a network map of the court’s online systems, which likely includes credentials, potentially leading to further network infiltration and lateral movement. Read full article.

8. BianLian extortion group claims recent Air Canada breach – Bleeping Computer

Ransomware group BianLian successfully breached Air Canada with their ransomware, claiming 210 GB of data. Air Canada acknowledged an incident in September 2023, but said that the stolen information was limited. BianLian shared screenshots on their ransomware page indicating that the employee data was only a part of what they stole, and that they also had technical information, such as an SQL database. Learn more.


[Webinar Transcription] Exploring Emerging Trends in Cybersecurity

October 31, 2023

Or, watch on YouTube

As the digital landscape continues to evolve, so do the threats that target it. Staying ahead of cyber adversaries requires a deep understanding of the latest trends and innovations in the cybersecurity space.

In this webinar, DarkOwl CEO, Mark Turnage and Socialgist CRO, Justin Wyman explore a variety of critical topics shaping the cybersecurity landscape:

  • Key VC Raises in Cybersecurity: Capturing Industry Attention
  • Understanding the Major Players: Who’s Raising the Stakes
  • Harnessing Security Solutions: How Organizations Protect Their Assets
  • Addressing the Talent Gap: Scaling with Data Aggregators and Services
  • Pioneering the Use of AI: How do LLMs and AI Come into Play

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Kathy: Thank you for joining us for today’s webinar exploring emerging trends in cybersecurity. Before we begin our topics today, I’d like to turn it over briefly to Mark and Justin to give a brief introduction of themselves and their companies.

Justin: Hi, guys. Nice to meet you. Wyman, Socialgist is the name of my company. I’m the Chief Revenue Officer. We are a provider of open source intelligence. We’ve been doing so for the last 22 years, and I’m excited to be here.

Mark: Hi, I’m Mark Turnage. I’m the CEO and Co-Founder of DarkOwl. We are a company that specializes in the darknet, and specifically in extracting data from the darknet and providing it to our clients and working with partners like Socialgist to provide a broad view of open source intelligence, including that of the darknet.

Kathy: Great. Thank you both. Prior to diving into our topics today, Justin and Mark wanted to take a moment to comment on the Israeli and Hamas conflict happening presently.

Mark: I’m happy to comment. You know, when the conflict broke out on October the 7th, we immediately started looking at content in DarkOwl’s database that was relevant to the conflict, either pro-Israeli, pro-Palestinian, pro-Hamas, and we pretty rapidly triangulated on about 400 Telegram channels that are actively covering the conflict. And we’ve been monitoring those channels throughout, directly ourselves and generating some content which is available on our website, and also supplying that to our clients. And it gives them a different perspective than what you see on the front page of many of the newspapers. I will comment, we published a blog very early in the conflict that noticed that amongst the most prominent Pro-Hamas Telegram channels, they went quiet for several weeks before the attack. Unusually quiet. We don’t have an explanation other than they were distracted, they were planning, they were getting ready, or they had been told to go offline. But we did detect that in the lead up to the attack, there was considerably less activity on those Telegram channels than was normally the case.

Justin: I would say when you see such a horrible thing, it’s really hard to process, especially because in the space that Mark and I occupy, Israel is a big component of it. Technology companies and cybersecurity are founded in Israel all the time. Some of the leaders in the space. So it gave an extra personal feel, if that’s even possible. When you see these types of things, when you know the people that are directly impacted by it at a different level. And then I thought it was comforting to see that we could in some way help with our information, help the helpers, essentially. And Mark, I got to say, I thought the DarkOwl content was fantastic. To help show examples of how OSINT intelligence can help prepare for these types of things and deal with them frankly.

Kathy: Thank you both. Now we will begin with our first topic.

Key Raises in Cybersecurity: Capturing Industry Attention

Justin: So let me talk at a high level. What is happening? If you look at VC and cybersecurity over the last couple of years, it’s declining, which normally I think would be a bad thing if you didn’t realize it was declining from a peak bubble that happened during the pandemic. So you can say things are down 30% from last year, which is down another 30% from last year. It really, honestly, to me just seems to be returned back to normal. You see a lot of companies having some very specific raises, we’ll get into and you’ll see some combinations, you’ll see some coverage. But I think that the cybersecurity industry should feel that there’s been a correction that was due because you’re in a bubble. But now we are in a place where things are normally operating. The space is growing and investment is happening as well.

Mark: Yeah, I’ll just echo Justin. The investment into the cyberspace, go back say three years, was just red hot. It was at levels that I didn’t think were sustainable. And oftentimes at valuations that I didn’t think were justified. What has happened as the economy has gone through a fair amount of turmoil over the last year and a half is that those valuations have reset, and the level of investment is what I would normally expect in a pretty healthy sector that is still growing. Overall funding is down. I think it’s down 30% year on year. Valuations are down. The interesting thing is that companies that are still growing and companies that are profitable are still getting healthy inbound investment. Just yesterday, by the way, Censys announced a $50 million dollar raise, a small company out of Israel raised $4 million. I mean the raises come in regularly. They’re not at the valuations that we saw, say 2 or 3 years ago, but they are still happening. And they are particularly happening with very healthy companies.

The other trend, by the way, that I’ll mention is any time you have an economic reset, which is what we’re experiencing right now, it forces consolidation in the market. You know, scale matters, size matters, sophistication matters. Go-to-market strategies and the ability to reach your market matters. So whereas before a small startup could have raised successive rounds of value, of money, of capital at ever increasing valuations against, you know, maybe skinny performance – those days are gone and they’re likely to be an acquisition candidate for another company. And we’re seeing this – large companies are pretty active in the M&A market right now as a result.

Kathy: Based on that, a question has come in. What changes do you foresee over the next coming year?

Justin: Let me start with one of the public markets because that leads things. So in the public markets, you’ll see a lot of leading cybersecurity companies up double digits this year, more than the S&P 500. CrowdStrike is a good example. They’re up 70% year to date. As an example, Tesla is only up 80%. Apple’s only up 36%. So that’s not market forces. That’s industry forces of the problem with cybersecurity is growing so rapidly. The things I think you’ll see over the next year would be companies that have a growth plan, getting more funding and moving into new markets. I saw that already with OSINT Combine. There’s a company with a very good Australian presence going to the North American market. Full disclosure, they’re friends of my company and DarkOwl – so maybe we’re a bit biased there.

You’ll see some people getting acquired by PE firms, which is an idea of, again, operational excellence that might be a different component than things, say, in a bubble where instead of doing a PE acquisition, you would raise a bunch of money and see if you could sell and market your way out of it. The other thing I’ve noticed that I think will come is more legitimacy and standardization. Frost and Sullivan has created industry coverage for the first time on a lot of these companies. You’ll see certification tracks coming out of industry organizations like Osmosis. So I see it as a big step forward in the maturity of this space. There’s always startups, there’s always guys in the middle, and there’s always the big guys, and you want to have enough of them to create an ecosystem where you can ultimately meet the consumer need.

Mark: I couldn’t agree more. The way I would have described the cyber security industry two years ago was an awkward teenager. And it’s moving to young adulthood. It’s maturing. It’s growing up. It’s actually starting to understand what its own limitations are and what it can and cannot do. And I would just echo Justin and say, over the next year, we’re going to continue to see consolidation – more and more mergers, more acquisitions. It has always amazed me, just as an aside, that the largest cybersecurity companies in the world still only measure their revenues in single digit billion dollars. Those are the largest. And then it falls off pretty quickly from there. And given the size and importance of the problem, this is an industry that is ripe for what you just identified, Justin, which is growing up, consolidating, becoming more professional, working against known certifications and known standards. And by the way, known regulations because the regulators have arrived.

Justin: Mark, that McKinsey report we’re referencing before about just how breaches are supposed to go up 300% from 2015 to 2025 also noted that to your point about revenue, that the vendors in the space right now make up a 10th of what they think the overall revenue is going to be in the next ten years. So yeah, teenager growing up is a great analogy, meaning there’s just so much. There’s some stability being built in, but there’s still so much more to grow up.

Understanding the Major Players: Who’s Raising the Stakes

Mark: Well, I think in the world of threat intelligence broadly, there are a couple of very large players – Recorded Future comes to mind, Flashpoint comes to mind, Intel 471. There are a bunch of these players. Interestingly enough, every single one of those has been acquired over the last 3, 4 or 5 years by large private equity firms that have, as a strategy, explicitly what Justin was talking about, grow these companies up, make them larger, make them professionalize their operations, give them global scale and global reach. And then below that you’ve got a whole range of companies and these are small- to mid-size. Some of them are just start-ups who are looking at problems from a different angle. And there has been a lot of activity, both in terms of fundraising into those companies as well as acquisition. I mean, one that comes to mind is Maltego. Maltego was acquired by a private equity firm at the beginning of this year, and that’s a well known, well established platform that is used across the industry by a number of different companies and users. And in my view, that was a really smart purchase by the private equity firm. What else is going on Justin that you’re seeing?

Justin: A company I recently became familiar with at a conference was Fivecast. They raised 20 million. They were an Australian based company looking to really expand their sales and marketing into North America. They feel their perception, not mine or based on conversations, that they feel they have their product completeness to the point where it’s time to go see if they can compete against the bigger guys in the space. Now Cobwebs, another huge player in the space, just joined Chainlink. Those are other things I’m seeing.

Another one we were talking about, Mark, is Palo Alto Networks buying Dig this morning as a sign of just a major player adding in a feature capability. So, you know, this is following the classic playbook – where you watch Oracle and Salesforce go after each other and then add on competing bolts. Again, another idea that you have a very well established market that you can operate. If you have operational excellence, you can really succeed.

Mark: Another example of that, by the way, is Proofpoint yesterday announced the purchase of Tessian and we’ll come on to it. Tessian is an AI provider that will significantly enhance Proofpoint’s products. And so you’re starting to see that happen at a pace that I have long predicted. But really I think this economic climate has accelerated.

Harnessing Security Solutions: How Organizations Protect Their Assets

Justin: I’ll start as I always do, with a little bit of data. Fraud is still massive. The biggest issue that every organization is dealing with – it’s coming from social media, it’s coming from internally. I talked a little about this McKinsey report, but again, I’ll say it again because it’s such a massive number. They think that breaches damage is going to increase 300% by 2025. The other one that I looked at was a survey of mid-sized companies suggests that threat volumes will almost double from 2021 to 2022. So that’s 100% growth in one year.

What they’re doing to protect their assets – my concern is with their employees. So I’d love to hear your thought on this, Mark.

Mark: Just a small data point from DarkOwl – we track where visitors to our site go and what pages they dwell on. The most common feature across our website is our fraud webpage and content on fraud. That speaks to the nature of the problem.

I’ll just say two things. One is we are all excited as an industry about AI. We’re excited about new tools, about new capabilities that exist. So are the threat actors. They’re using all of the same tools, all of the same capabilities to actually scale and professionalize their own operations. But, you know, going back to your point, Justin, the biggest threat to many companies continues to be their own employees, whether that’s actual outright fraud or just mistakes that employees make that open up the company to potential attack and fraudulent attacks.

Justin: I believe that was the logic behind the Tessian acquisition is just the amount of people that have exposed their companies by literally emailing the wrong person. That seems to be a problem that should be quickly solved through some proper technology application.

Mark: I mean, I’m amazed. I’m actually amazed. Look, I mean, CEOs are susceptible to this as well. And in fact, I mean, go to any OSINT training seminar and they’ll tell you the most vulnerable people or the easiest to attack are the C-suite, because they’re the ones who are the sloppiest or the least attentive to security. That continues to be the case, but it permeates the entire organization.

Justin: The other thing I’ve heard is that key figures, usually execs, because there’s so much information, that they’re much more easy to manipulate. Voice manipulation takes a lot of samples of data. So the bigger the sample, the easier it is to manipulate the voice is the other thing I would talk about. And then the last one I noticed was people just kind of really trying to do the best they can to understand their supply chains. If employees are people accidentally sending information out. Supply chains are people sending information in, and these are business partners that you rely on your suppliers. So it’s very easy. Those are very weak points in a system to kind of create havoc if you’re not prepared.

Mark: There’s absolutely no question. The pandemic taught us that supply chains matter and supply chain vulnerability is mission critical. And to Kathy’s question of how organizations protect their assets, it’s not only protecting your own assets, but protecting those critical assets of your vendors who are critical to the provision of your product or your services as an organization, which is why you’re starting to see these third party and vendor risk management companies come into their own in terms of their level of maturity, because especially very large, complex organizations need to pay attention to their supply chains.

Addressing the Talent Gap: Scaling with Data Aggregators and Services

Mark: The interesting thing about the talent gap is that the cybersecurity industry for years has complained about lack of talent. I think the statistic I continually hear is something like half a million unfilled cybersecurity jobs worldwide. And that number has held pretty steady for the last number of years. We’re in an environment, though, where many of the companies in our sector are actually laying people off. So how do you square those two contradictory statistics? Well, one way to square them is exactly what Justin said earlier, which is many of the companies that are laying people off were hiring at a clip that was unsustainable just as recently as 2 or 3 years ago. So you’re coming back to a sort of a more normal track. My sense is that there is still plenty of demand in the marketplace for people who have cybersecurity experience, whether it’s developers or product people or otherwise. But yes, there is a gap and I think AI is going to help fill that gap. What do you think about that, Justin?

Justin: I absolutely do. Let’s talk about the two things like data aggregators and services. Start with services because Mark and I have a data aggregation stake in this fight. But on the services component, when I work in the space, what is interesting to me is the people come from all different backgrounds military, private, etcetera. There’s no “you don’t go to school to become a cybersecurity expert.” So that’s a very big problem. But it’s a problem that is being solved, I think. When we were all at OsmosisCon, which is an association of these professionals, they’re creating certifications. They’ve created a conference so people can come and share tips and tricks. And that’s just one of many. So I think it’ll get easier and easier to bring people into the space and give them the certifications that show them that they’re qualified, because right now it really is due to the nature of the sensitivity of the issues and how people come. It’s like, who do you know that you can trust? Which makes sense in the beginning. But over time, you have to figure out how to scale your business. So I see a lot of services being created to help with that.

Then on the data aggregation side. As a data provider technology provider in this space, it’s amazing to me how big the problem is, right? These people are searching for needles in haystacks and the haystacks are growing, and so the only way you can solve them is through aggregation. And that’s basically at any point in the value chain. So if you’re creating a piece of software that allows analysts to hunt for threat actors, well, you’re probably going to use data from many different sources because the haystack is too big for you to do it yourself. Then if you’re actually looking and searching and doing the analysis on top of the data, these tools will allow you to search more efficiently. If you go back to Mark’s Telegram example about things going silent before an attack, as these technologies get better, you know you won’t have to go, “Huh? Why are these silent?” These things will go, hey, there’s an interesting activity here. The volume of these things has really dropped off. Why? And that’s a way that people will be able to not only look in the haystack more broadly, but faster, have things suggested to them. So I think ultimately the space will be fine. Again, I can’t stress this enough, we are coming off a bubble, and that generally means people aren’t behaving how they should behave. And so to correct that, you have to lay some people off. But now that we’ve had this baseline, people go back to building their businesses most based off of the value they provide in the market. And as we’ve shown, the value is only growing, meaning the threats are only increasing dramatically.

Kathy: Based on that, we’ve had a question come in: We have seen a lot of layoffs in the space recently. And can you address how this does affect the talent gap?

Justin: Positive, glass-half-full spin would be – when you have layoffs in an industry where it’s growing, it’s because those people are in a place where they weren’t effective. They weren’t doing the things that needed to be done to keep the business on its goals. So when you take an experienced person and you separate them from a business that no longer needs them in a growing space, they should be deployed in a better space where they are more impactful. Right. This is the efficiency of markets happening. So I think these gaps will take the people that were places where they weren’t as useful and put them in places where they will be much more useful and create a world where they’ll be, again, more coverage.

Mark: Not to disregard the dislocation that necessarily occurs when that happens, if you’re the individual who’s affected, it can be quite difficult. But I agree with Justin that on aggregate we’re not seeing employment in the cyberspace decline. It still continues to increase.

Pioneering the Use of AI: How do LLMs and AI Come into Play

Mark: The big issue that both Justin and I have discussed in the past is anytime you bring an end to a problem, it needs a data set to sit on, to learn that problem in order to be effective. And so what becomes the most critical in that is the data we aggregate – darknet data. Socialgist aggregates open source data across a variety of different platforms. Those data sets become extremely valuable and extremely important in the application of an LLM to address or learn about a specific problem. And you know, in the case of DarkOwl, I can speak to that, our data set has been aggregated over 5 or 6 years. That’s not something that you can just recreate overnight. If you’re a new company coming into this space or somebody looking to utilize AI, the same I’m sure is true for Socialgist. So it’s a very interesting insight into the power of the underlying data that any organization has in terms of addressing the problem via an LLM.

Justin: And I totally agree with everything Mark just said. I think the other thing to think about is, how much easier it is to get things out of the data value, out of the data with LLMs, and how in general, the biggest thing you’re going to see in the software world, the biggest constraint is going to be software engineering capacity. Every company in the world wishes they had more software engineers because it’s hard to do things like connect a data set into an analytics platform. It’s a very technical work. These engineers now are doing work 40% faster, so it’ll be easier to make progress and solve problems when you put these types of applications together. What that should mean is that you should have in the long run, and again, marginal like dislocation is hard and things need to change and we have to cross the chasm and all these sayings, but what we’re really talking about is in the long run, things should get cheaper with technology and things should also get better. So the data sets that we ship to our clients that are working very hard to get incredible data out, get incredible insights out of it, should be able to get insights out of it faster and better and cheaper because they need less engineers. And then the tools to analyze these data sets should only get more powerful as well. I really see there will be an area where, you know, there’s different segments in our space, right? There’s the people that are at these big companies, and they have all the budgets in the world, and they have the fanciest tools, and there’s people below that, and there’s people literally using their cell phones to track people doing medical research. Those people should get increasingly better tools that will make them much more effective. So we’re talking about the capability of people with less budget getting much more effective, which I think really creates a much better world.

With the caveat that the other guys have it too. So there’s always a push and pull, but I see a lot of positive headwinds in the long run with AI.

Mark: I mean look, you know it’s going to increase, as Justin said, productivity per worker significantly. And the comment that I heard recently in a conference was, you know, AI will be tremendously dislocating of many types of employees and many types of groups, but the world’s going to divide itself into two camps. Those people who know how to use AI to make themselves more productive and those who don’t. And that’s the digital divide that we’re actually hurtling towards. I’m deeply optimistic, personally, about what it can do across multiple different fields, but starting with our own field in cybersecurity – I’m very optimistic about it.

Kathy: We’ve had another question come in and an attendee is interested to know “Will DarkOwl and its peers sell their data sets to companies?”

Mark: Good question. We’ve been approached by a couple of companies, and we’ve done our own early work on putting an LLM onto our own dataset. I suppose I should put on my businessman’s hat and say it depends on the price. Yes, it depends on the price. But it’s not something that we’re going to do loosely or without a lot of thought. Because once that data is out there under somebody else’s LLM, obviously the data is available to whoever has access to that platform.

Justin: It depends, I think is a good answer. I think the thing to understand about perhaps my company, Mark’s company, is like, you know, our mission is to extract information from the world’s online conversations and if you can help us with that mission, because we’re very serious about it for the reasons we’ve discussed throughout this whole thing, we’re seriously going to talk about it. Now, there’s sometimes choices that make decisions. There’s sometimes choices that make that not the case. And there’s always a lot of nuance. But at a high level, if you help us with our mission and the business makes sense, then that would seem something that should happen. But also, Mark, you touched on a really interesting point of, you know, I do think data companies like ourselves are also going to explore training with our own LLMs too. to have the full picture. So I think the key is as long as LLMs capability is used on these data sets to make the world a better place, we’re for it. The machinations, I don’t know. There could be a world where two data providers do one together, etcetera, but the technology should make the data more useful, and that is our goal.

Mark: I will point out we’re in discussion right now with our first client who wants to put it on a subset of our data. It’s exciting.



Dark Web Nightmares: Unearthing Creepy Finds This Halloween

October 31, 2023
Disclaimer: DarkOwl analysts do not endorse any of these marketplaces or offerings and have not confirmed legitimacy of any of these sites. This information is provided for awareness only and has not been independently verified.

Introduction 

This Halloween season, DarkOwl analysts decided to delve into some of the scary things that are available for purchase on the dark web. The dark web is well known for dealing in illicit goods such as drugs, counterfeit goods, and hacking tools as well as leaked data. But there are also sites out there which claim to be selling goods that are a bit more gruesome and creepy…

This blog explores some of the weird and scary things we have found being sold on the dark web. 

Warning: This blog contains images some may find distressing.

Organs  For Sale

A number of sites have been identified on the dark web that claim to be selling human organs. DarkOwl analysts have seen both stand-alone sites selling these as well as individual postings on marketplaces. In the image below, we can see a stand-alone site which offers organs for transplant and claims to provide shipping worldwide.  

The image below shows the items offered for sale, ranging from hearts and kidneys to livers. The site claims that the organs remain viable for one year, which is scientifically impossible. There is no indication on the site of how the organs are transported, or how the purchaser is expected to transplant them, as no medical help is provided. They do, however, offer a money-back guarantee.  

The cryptocurrency address associated with this site has received a total of 0.61955435 BTC, which equates to around $34,000 depending on the conversion rate applied, although the address currently has a balance of 0. Most of the transactions have been for $100-200, far below the asking prices on the website, so it is unlikely that the advertised items have actually been sold, or at least not at the prices shown above.  

It is doubtful that this is a legitimate offering: DarkOwl analysts have observed the same images being used on multiple sites, which suggests stock images and a scam. The claim that the organs will survive a year is also suspicious.  

It is also unclear from the sites we have reviewed, if they are legitimate, where these organs are sourced from. Such an offering could potentially be linked to criminal activity such as human trafficking or the black-market trade in organs. 

Another site we identified is more specific about the locations that they are able to export organs to and also indicates that they will provide medical expertise to assist with the transplant. It is worth noting that this particular dark web site is not currently active.  

“Human” Meat 

Perhaps the “creepiest” site we found was one that advertises the sale of human “meat” for consumption – “For those with taste.”

The site states that eating human meat is not immoral as long as you haven’t killed to get it. Although they don’t directly state where the meat is sourced from, they suggest it comes from road traffic accidents and morgues.  

The site also gives information about where they will export the “meat” to and suggest that everyone should taste human meat at least once. They offer a range of “cuts” as well as organs which can be sent to Europe, Asia, and Africa.  

DarkOwl has no evidence to suggest if this is legitimate or not. We do not suggest trying to order.

Hitmen 

It has been widely reported that hitmen are available for hire on the dark web. Although it is never clear whether such sites are legitimate, there have been cases where they proved to be real and murders or attempted murders took place.

One such example of hitman services being offered was identified by DarkOwl. A site presenting itself as the “Mexican Mafia” claims to offer the following services, in its own words: 

  • Death by shoot and drive away
  • Death by making it look like accident or robbery gone wrong
  • Death by sniper 
  • Beating 
  • Arson 
  • Guns 

They offer proof that they are legitimate by posting the names of individuals they claim to have murdered in multiple jurisdictions. No further research was conducted to substantiate this claim and it is possible they could have obtained stories from the media and claimed them as their own.  

Conclusion 

The dark web holds many secrets, some of which are gruesome. At this time of year they can seem like “tricks”, and we are unable to confirm whether any of the offerings mentioned in this blog are legitimate, but either way they are creepy for spooky season.



Hacktivist Groups Use Defacements in the Israel Hamas Conflict

October 26, 2023
Disclaimer: DarkOwl is not affiliated with any of the groups mentioned in this article and do not support the actions of cybercriminals regardless of their motivations. This information is provided for informational purposes only and has not been independently verified.

Introduction 

Defacement attacks involve the unauthorized modification or vandalism of a website or web application. The attacker alters the site’s content, appearance, or functionality, typically replacing or overlaying the expected page with a message or image that promotes the attacker’s cause or advertises their skills, drawing attention to the group behind the attack. 

It’s important to note that defacement is just one form of cyberattack, and it usually does not involve data theft or damage to the website’s infrastructure. It does, however, prove that the attacker obtained write access to the site, whether through compromised credentials, a vulnerable CMS or plugin, or an exposed upload path, so a defaced page should be treated as an indicator of a broader compromise until that access route has been identified and closed. Even where nothing else is touched, a defacement can significantly damage the site’s reputation and the trust of its visitors, while broadcasting the attacker’s political message. 

As the events in Israel and Gaza have unfolded, defacements have been a common technique used by cyber actors to target opponents. Here we examine some of the groups conducting these attacks and the victims.  
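The defacements described in this article are detected by their victims after the fact, when the replaced page is already public. The check below is an added example, not code from DarkOwl or from any of the groups discussed: it keeps a baseline hash of each monitored page’s normalized content, re-compares freshly fetched copies, and flags pages whose hash moved or which contain strings typical of hacktivist defacement pages. The URLs, page bodies and marker strings are constructed for illustration (the .il domain is hypothetical) so the script runs offline; in production the `PAGES_CURRENT` dictionary would be filled by an HTTP fetch.

```python
"""Baseline-and-compare defacement check (added example, not the article's
own tooling). All pages, URLs and indicator strings below are constructed."""
import hashlib
import re
from dataclasses import dataclass

# Strings that commonly appear in hacktivist defacement pages. Assumed
# indicators chosen for illustration; tune them to the campaigns you see.
DEFACEMENT_MARKERS = ("hacked by", "owned by", "defaced by", "#op")


@dataclass
class Finding:
    url: str
    changed: bool            # normalized content hash differs from baseline
    markers: tuple           # defacement marker strings found in the page
    baseline_sha256: str
    current_sha256: str


def normalize(html: str) -> str:
    """Strip volatile parts (inline scripts, CSRF tokens, timestamps,
    whitespace) so routine dynamic output does not trip the hash. Keep this
    conservative: the aim is to ignore noise, not to hide real changes."""
    text = re.sub(r"<script\b.*?</script>", "", html, flags=re.S | re.I)
    text = re.sub(r'name="csrf[^"]*"\s+value="[^"]*"', "", text, flags=re.I)
    text = re.sub(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?", "", text)
    text = re.sub(r"\s+", " ", text)
    return text.strip().lower()


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(pages: dict) -> dict:
    """Map each URL to the hash of its known-good normalized content."""
    return {url: sha256(normalize(html)) for url, html in pages.items()}


def check_pages(baseline: dict, current: dict) -> list:
    """Compare freshly fetched pages against the baseline. A page is reported
    when its hash moved or when it contains a defacement marker; a missing
    page hashes as empty content and is therefore reported as changed."""
    findings = []
    for url, expected in baseline.items():
        norm = normalize(current.get(url, ""))
        cur = sha256(norm)
        markers = tuple(m for m in DEFACEMENT_MARKERS if m in norm)
        if cur != expected or markers:
            findings.append(Finding(url, cur != expected, markers, expected, cur))
    return findings


def classify(finding: Finding) -> str:
    """Triage label: marker hits outrank a bare hash change, which may be a
    legitimate edit that should simply be confirmed and re-baselined."""
    if finding.markers:
        return "possible defacement"
    if finding.changed:
        return "content changed"
    return "ok"


# Constructed sample pages on a hypothetical domain; not real sites or data.
PAGES_BASELINE = {
    "https://example.il/": (
        "<html><body><h1>Ministry portal</h1>"
        "<p>Updated 2023-10-20 08:00</p><script>var t=1;</script></body></html>"
    ),
    "https://example.il/news": "<html><body><h1>Latest news</h1><p>No items</p></body></html>",
    "https://example.il/about": "<html><body><h1>About us</h1><p>Contact details</p></body></html>",
}

PAGES_CURRENT = {
    # only the timestamp and inline script changed: must not alert
    "https://example.il/": (
        "<html><body><h1>Ministry portal</h1>"
        "<p>Updated 2023-10-21 09:30</p><script>var t=2;</script></body></html>"
    ),
    # a defacement in the style the article describes
    "https://example.il/news": (
        "<html><body><h1>Hacked By Cyb3r Example Team</h1>"
        "<p>#OpExample - join us on Telegram</p></body></html>"
    ),
    # a legitimate edit: reported as a change to confirm, not as a defacement
    "https://example.il/about": "<html><body><h1>About us</h1><p>New press release</p></body></html>",
}

BASELINE = build_baseline(PAGES_BASELINE)


if __name__ == "__main__":
    for f in check_pages(BASELINE, PAGES_CURRENT):
        print(f"{classify(f):20} {f.url}  markers={list(f.markers)}")
```

The hash comparison is what catches a defacement that uses none of the marker strings, and the markers are what let an analyst triage a hash change quickly; a page whose hash moves without any marker still needs a human to confirm the edit was authorized before the baseline is updated.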

DragonForce Malaysia 

DragonForce Malaysia is a pro-Palestinian group located in Malaysia. The group are active on social media with accounts on Telegram, Twitter and Instagram. They also have their own website and forum where they detail their activities.  

Historically the group have primarily conducted distributed denial-of-service (DDoS) and defacement attacks, and this pattern is being replicated in response to the October 07 attack on Israel. However, they have also been seen to use other exploits.

Since the beginning of the conflict, DragonForce have mounted defacement attacks against approximately 125 websites with .il domains. There does not seem to be a pattern to the websites that are targeted other than their affiliation to Israel, although multiple Op names have been used on their various defacement messages. As shown below they have also used their defacements to encourage other hackers to join their cause.  

Their Telegram channel has also been used to highlight other attacks that they have conducted, including a claim to have accessed the “Israel Telephone system Management,” as well as other Israeli telcos. Samples of the data have been posted on their Telegram channel. They are also sharing leaked databases, as seen in the image below.

Cyb3r_Drag0nz_Team 

Similarly to DragonForce Malaysia, the Cyb3r_Drag0nz_Team is a pro-Palestinian group which has been actively creating defacements since the beginning of October. However, they appear to have cast a wider net in terms of who they are targeting, with a number of US victims in the education space as well as victims in other countries, including Israel.  

As well as providing details of the group in their defacement message, they also supply the usernames/aliases of individuals who have assisted in the attack, as shown below. They also provide details of their Telegram and Twitter accounts. 

This highlights the fact that groups which conduct defacement attacks are usually looking for notoriety and often are active on social media in order to publicize their actions. This group have conducted defacement attacks against approximately 157 websites since October 08, 2023, as of the writing of this article.  

The Telegram account of this group has been used to promote the defacements it has conducted; this appears to be the main activity that they conduct although they have also released leaked information purporting to contain Israeli citizen data. This underscores that with this conflict normal citizens are being targeted as well as governments and military organizations.  

X7root 

This group has also conducted defacement attacks against Israeli websites, including kdh.org.il, the Jewish Burial Society; this defacement appears to still be active. The defacement message also includes an image from the Holocaust, likely chosen to cause the greatest possible offense. The image is not included here, but the accompanying message is shown below.  

Little is available about this group, but they do also have a Telegram channel which has previously been used to sell exploits and requires a $90 subscription fee. However, recent posts on the channel have been anti-Israel in nature and provide details of the websites which have been defaced. In posts made on Telegram the user states that he is Arab and shows support for individuals in Gaza. The user is using the #OpIsrael hashtag, which has been used by many pro-Palestinian groups.  

Conclusion 

Defacement attacks are not a new technique, but they can become particularly effective in times of conflict, as they were in Russia and Ukraine, as a way to share the attacker’s message. The majority of defacement attacks that we have observed have been conducted by pro-Palestinian groups, but pro-Israel groups are also conducting cyberattacks. Defacements are a powerful tool for hacktivist groups seeking to use their skills to share a message. 

Defacements are in some ways unique in that they seek to publicize the actors behind them, their views and their activity. Therefore, they are more prominent and easier to detect than some other attacks and usually less destructive as they do not tend to affect the underlying infrastructure. As hacktivists seek to take a stand, they differ from the more traditional cyber espionage which seeks to stay in the shadows, but it is very likely those attacks will escalate in the coming months.  



Another Successful OsmosisCon in the Books!

October 24, 2023

Last week, DarkOwl participated in OsmosisCon, an Open Source Intelligence Skills-building Conference, in New Orleans, LA. The annual, training-oriented event is composed of workshops and classes to earn Continuing Education Credits (CEUs), led by industry leaders focusing on the latest in OSINT and SOCMINT tools. In addition, the exhibiting companies provide real world examples of industry standard products and services, allowing attendees to either advance their own research or find a solution for their company.

The networking and consulting opportunities at OsmosisCon are incredibly valuable for anyone in the OSINT space – whether you participate in the pre-event workshops and presentations, speak during the networking events or join via the virtual conference platform. Sessions this year dove into a wide range of topics including open source techniques and skills related to exposing fraud, utilizing artificial intelligence, current and future threats, identifying unknown users, and more.

The Osmosis Institute’s mission is “to educate and train cyber intelligence investigators, researchers, reporters, and analysts on OSINT and SOCMINT techniques and best practices.” Their statement continues to say, “to that end, we seek to foster professional growth in our community. We strive to inform professionals on how to protect personal privacy data and abide by national and international laws and ethics standards.” OsmosisCon allows them to put this mission into practice and in its 9th year has continued to grow and bring hundreds of cyber intelligence analysts together.

Representing DarkOwl at OsmosisCon this year were Alison Halland, Chief Business Officer, Caryn Farino, Director of Client Engagement, and Damian Hoffman, Product Engineer and Data Analyst, based out of DarkOwl’s headquarters in Denver. 

Leading up to the kickoff of the conference, Damian presented “Finding Actionable Intelligence in Dark Web Data for OSINT Investigations,” focused on how the dark web is an essential source of information for OSINT investigations across a wide variety of use cases. Showcasing DarkOwl Vision, his talk reviewed some of the considerations that should be taken when using dark web data, how the data can provide value for investigators, and offered DarkOwl’s perspective on the techniques and tools needed to maximize the utility of dark web data. The team was happy to report that this was a packed presentation with standing room only!

During the conference, Damian also participated in the Bits & Bytes Speed Networking Session. During these roundtable discussions, presenters and attendees were able to sit with industry specialists to discuss quick compact tips in their area of expertise and engage in discussion. Each table presenter prepared and hosted discussion on a different topic. Damian’s topic “Mental Health Strategies for OSINT Investigators” is a crowd-sourced, data driven project aimed at collecting, validating, categorizing, and distributing mental health strategies freely for the OSINT community. Researchers on this project aim to collect Strategies (specific actions, behaviors, or modifications of belief that will lessen the negative impacts of vicarious trauma when exposed to distressing content) from a wide variety of OSINT practitioners and validate their effectiveness using empirical evidence. More about the research project can be found here and you can submit your strategies here.

In addition to presenting and manning the DarkOwl tabletop, the team was able to meet with many current customers. Attending OsmosisCon is invaluable for face-to-face time to build and maintain relationships. Being able to meet with clients in person provides a great opportunity to share new product features, features in development, gather product feedback, and keep up to date with the latest trends.

DarkOwl looks forward to OsmosisCon 2024 and hopes to see both familiar and new faces in Las Vegas!



23andMe Suffers Data Breach

October 20, 2023

Introduction

One of the latest companies to be the victim of a data breach, 23andMe, has had their data shared on various dark web marketplaces as well as Telegram. Interestingly, the data from this breach has partly been shared in response to the conflict in Israel and Gaza, with one of the sharers of the data citing this as a reason for releasing some of the information.  

23andMe is a genealogy company which, as well as providing ancestry services, uses DNA to identify where individuals’ ancestors are likely to have come from. They also provide details of individuals’ health and genetic predispositions. The leak purports to contain full names, year of birth, location, as well as DNA markers and locations they may have links to.  

23andMe has indicated that the data was obtained as part of a credential stuffing attack (reusing username and password pairs exposed in other breaches against its login page), and that there has been no evidence of a security breach of their IT systems.
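Credential stuffing leaves a characteristic trace in authentication logs: one source tries many different accounts in a short window, most attempts fail, and the few that succeed are the accounts whose reused passwords were valid. The following added example (not code from the article, from DarkOwl or from 23andMe) shows detection logic a defender can run over such logs; the log format, the sample entries, the five-minute window and the thresholds are constructed assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real traffic). Format assumed:
# "<ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 198.51.100.7 alice@example.test FAIL
2023-10-01T12:00:02Z 198.51.100.7 bob@example.test FAIL
2023-10-01T12:00:03Z 198.51.100.7 carol@example.test FAIL
2023-10-01T12:00:04Z 198.51.100.7 dave@example.test SUCCESS
2023-10-01T12:00:05Z 198.51.100.7 erin@example.test FAIL
2023-10-01T12:00:06Z 198.51.100.7 frank@example.test FAIL
2023-10-01T12:03:10Z 203.0.113.9 grace@example.test FAIL
2023-10-01T12:03:25Z 203.0.113.9 grace@example.test FAIL
2023-10-01T12:03:40Z 203.0.113.9 grace@example.test SUCCESS
2023-10-01T12:04:00Z 192.0.2.44 heidi@example.test SUCCESS
"""

# Detection thresholds (assumed; tune to the service's normal login behaviour).
WINDOW = timedelta(minutes=5)       # sliding window per source IP
MIN_DISTINCT_USERS = 5              # many different accounts from one source
MIN_FAILURE_RATIO = 0.6             # most attempts fail


def parse_log(text: str) -> list[tuple[datetime, str, str, bool]]:
    """Parse log lines into (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, result == "SUCCESS"))
    return events


def detect_credential_stuffing(events) -> dict[str, dict[str, int]]:
    """Flag source IPs that hit many distinct accounts, mostly failing, within WINDOW.

    Returns {ip: {"distinct_users", "attempts", "failures"}} for the widest
    qualifying window seen per IP.
    """
    by_ip: dict[str, list] = defaultdict(list)
    for event in events:
        by_ip[event[1]].append(event)

    flagged: dict[str, dict[str, int]] = {}
    for ip, ip_events in by_ip.items():
        ip_events.sort(key=lambda e: e[0])
        best = None
        for start in range(len(ip_events)):
            window_start = ip_events[start][0]
            users, failures, attempts = set(), 0, 0
            for when, _, user, ok in ip_events[start:]:
                if when - window_start > WINDOW:
                    break
                users.add(user)
                attempts += 1
                failures += 0 if ok else 1
            ratio = failures / attempts
            if len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAILURE_RATIO:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users),
                            "attempts": attempts, "failures": failures}
        if best is not None:
            flagged[ip] = best
    return flagged


def accounts_to_notify(events, flagged: dict) -> list[str]:
    """Accounts that logged in successfully from a flagged source: the reused
    credentials worked, so these users need a forced reset and a notification."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    for ip, stats in hits.items():
        print(f"stuffing suspected from {ip}: {stats}")
    print("accounts to notify:", accounts_to_notify(evs, hits))
```

The second function is the important half for a breach like this one: a stuffing campaign is only partly stopped by blocking the source, because every successful login it produced is a valid credential pair that the attacker already holds. Pairing the detection with rate limiting per account, multi-factor authentication and a check of new passwords against known-breached lists removes the conditions the technique depends on.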

The First Leak is Shared

The first identified mention of a leak of 23andMe data was on the marketplace Hydra Market on August 11, 2023. The post was made by a user using the alias Dazhbog. In the post he claimed to have access to 10M DNA records that he was offering for sale. He claimed that the file size was over 300TB and that the data would only be sold once; the asking price for the data was $50 million. 

The seller also indicated that they would be open to selling the data in parts, based on location and ethnicity. This was priced at $10k per 1k of data.  

Although it is unclear who is behind the username Dazhbog, they did indicate that 23andMe was not allowed to operate in their country. They also gave specific instructions for how buyers in China would be able to receive the data – in hard copy. The user first registered on Hydra Market on August 10, one day before the original post was made.  

The poster provides details of how the information was obtained – claiming it was obtained through an API service used by pharmaceutical companies.  

As proof of the data obtained, links were provided for Sergey Brin – Co-founder of Google – and Anne Wojcicki – CEO of 23andMe. Images were also shown.  

A post was made by the original poster on August 14 claiming that the full data had been sold to an Iranian individual and requested that the original post be removed. The post is still active, but the original poster has made no new posts since this time. Their profile also indicates that they have not been active since this time. This would suggest that this account was created specifically to share this leak.  

Parts of the Leak Emerge 

Once the original leak had been shared, several other leaks emerged on the forum Breached Forum which is known for providing leaked data.  

The user Golem posted on October 1, 2023, a link to data which they claimed was DNA of Celebrities. The description of the leak indicates that it will provide details of 1 million Ashkenazi Jews. The poster claims there is more data to come, and that raw data can be provided for a fee.  

Although this post was not available for long, other users began to share the information – providing multiple leaks. A Telegram account was also created with the sole purpose of sharing this leak shortly after the attack on Israel on 7 October.  

A further post was made on October 17 providing a leak claiming to contain details of individuals from the UK or with links to the UK. The poster, Golem, stated that this information was being released in response to what they claimed was “the bombing of a hospital by the Israelis.” 

Again, the leaks were not available for long, but the information was posted by other users. This also included links to German and Chinese data.  

Golem also made a post, in response to 23andMe claiming this was not a data leak, providing details of how the information was accessed. They also give examples which were provided in the original post. It is unclear if Golem has any links to Dazhbog or how they obtained this information.  

Conclusion 

The leak of this data provides threat actors with information relating to individuals’ personal ancestry and their DNA, and could pose threats to those individuals, particularly those in the public eye. Some of the releases of this leak highlight how data leaks are being used as part of the conflict in Israel and Gaza, with data being weaponized as part of the conflict. It also underlines the way that leaks are shared on the dark web, often first being made available for sale and then being shared for free. DarkOwl never pays for data from the dark web. 

It is currently unclear if all the data obtained as part of this attack will be made available. DarkOwl analysts will continue to monitor for any further posts. All data that has been made freely available thus far is available via DarkOwl Vision.



DarkOwl Builds New Relationships at ISS World Latin America in Panama

October 19, 2023

Last week, DarkOwl participated in the well-regarded law enforcement conference: ISS World Latin America. The annual, training-oriented event describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence Gathering.” 

ISS World events focus on the latest in cyber tools and methodologies specifically for law enforcement, public safety, government and private sector intelligence communities. The first full day of ISS events is dedicated to training and in-depth sessions. Trainings and topics covered throughout the event include how to use cyber to combat drug trafficking, cyber money laundering, human trafficking, terrorism and other nefarious activity that occurs all across the internet.

DarkOwl is a regular sponsor of several ISS shows around the world, but this was our first year attending ISS Latin America and we were thrilled with the quality and quantity of conversations and interest. Representing DarkOwl at this year’s show was Dustin Smith, Director of Marketing, and Steph Shample, Senior Intelligence Analyst, both based out of DarkOwl’s headquarters in Denver, CO.

During the event, Steph led a seminar on the use of the darknet for national intelligence and law enforcement purposes. This session detailed the intelligence available on deep/dark web (DDW) platforms, as well as adjacent platforms such as Telegram and Discord, which can be enriched and used by law enforcement and government officials to reduce criminal activity and simultaneously protect national security. Types of intelligence include: tracing financial transactions, whether fiat or cryptocurrency, to illuminate drug, weapon, human trafficking, and other supply chains that contribute to malicious activity; hybrid incidents that threaten both cyberspace and physical safety; and the kinds of equipment, kits, and material sold by criminal actors that contribute to digital attacks against critical infrastructure and key resources (CIKR), threatening the safety of everyday services. Those interested can find a summary of the presentation in Spanish here.

In addition to presenting, Steph and Dustin were able to connect and have several conversations with prospects as well as current clients and partners. Building these relationships face-to-face is invaluable. Visitors at the DarkOwl tabletop included those from Panama, El Salvador, Peru, Mexico, Colombia, Paraguay, Brazil, Guatemala, and Bolivia. Connecting with cybersecurity professionals from around the world and hearing the latest trends, concerns and challenges that they are facing is a huge benefit of ISS shows. Steph shared, “I was blown away by the quality of conversations we had at our table, the need for darknet intelligence is evident and being able to share search results in real time with attendees got everyone really excited.”

Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for protection of the nation’s security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity.

DarkOwl looks forward to continuing our presence at ISS World events as part of our ongoing initiative to support the global law enforcement community in their efforts to police illegal and nefarious activity on the darknet. 



Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.