Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets – The Hacker News
Cybercrime and cybercriminals continue to evolve and get more creative. In early July, researchers found a newly created Windows-based information stealer going by the name of Meduza Stealer that is designed to evade detection by security software. Read full article.
2. Beware of Big Head Ransomware: Spreading Through Fake Windows Updates – The Hacker News
A newly developed piece of malware, Big Head, is being used to trick Windows users into installing a fake update while it encrypts files on the victim’s computer. The majority of victims have been in the U.S., Spain, France, and Turkey. It deploys three encrypted binaries, with the “archive[.]exe” binary allowing for communications over Telegram. Read more.
The ransomware group “BlackCat” (aka ALPHV) has been found running malvertising campaigns. They try to get their victims to click through to fake pages that look nearly identical to the site of the real WinSCP file-transfer application for Windows and then push their malware. Their goal is to make IT professionals and admins their victims so they can then gain access to corporate networks. Learn more.
4. Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX – The Hacker News
In early July, a Chinese nation-state group was found targeting European foreign affairs ministries and embassies with HTML smuggling techniques (a campaign given the name SmugX). Their goal was to deliver the PlugX remote access trojan onto compromised systems. Read full article.
5. Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware – The Hacker News
The China-linked nation-state actor APT41 (aka Axiom, Blackfly, Brass Typhoon, Bronze Atlas, HOODOO, Wicked Panda, and Winnti) is known for its strains of Android spyware called WyrmSpy and DragonEgg. The group has been active since 2007 and is known to conduct intellectual property theft. Read more.
6. Deutsche Bank confirms provider breach exposed customer data – Bleeping Computer
On July 11, Deutsche Bank confirmed that one of its service providers had experienced a data breach that exposed customers’ data – likely a MOVEit Transfer data-theft attack, related to CL0P’s wave of MOVEit attacks. Read full article.
7. HCA confirms breach after hacker steals data of 11 million patients – Bleeping Computer
HCA Healthcare stated that they experienced a data breach which affected 11 million patients. A threat actor leaked samples of the stolen data on a hacking forum and began selling the data of patient records that had been created between 2001 and 2003. Read more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
The internet is a vast realm that extends far beyond the surface web we commonly explore. Beneath the surface lies the darknet, a hidden network that poses significant challenges but also holds immense potential for open-source intelligence (OSINT) investigations. In this blog post, we will delve into the importance of darknet data in OSINT investigations and how it expands the scope of information available to researchers and analysts.
OSINT 101
OSINT allows access to a vast amount of openly available information from diverse sources such as social media platforms, news articles, blogs, public records, academic publications, and more. This wealth of information provides investigators, researchers, and analysts with a comprehensive understanding of a particular subject, individual, or organization. By harnessing OSINT techniques, one can obtain valuable insights, uncover patterns, and make connections that might have otherwise remained hidden. DarkOwl analysts are able to combine the power of traditional OSINT investigations with darknet intelligence providing organizations with a more robust picture to help them protect themselves in the cyber landscape.
Darknet 101
The darknet, also referred to as the dark web, is a layer of the internet designed specifically for anonymity. It is more difficult to access than the surface web or the deep web and is reachable only through specialized software or network proxies – specifically browsers supporting special protocols. Users cannot access the darknet by simply typing a dark web address into an ordinary web browser. Adjacent to the darknet are other networks, such as instant messaging platforms like Telegram and the deep web (the non-public web).
Due to its inherently anonymous and privacy-centric nature, the darknet facilitates a complex ecosystem of cybercrime and trade in illicit goods and services. The dark web is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into their security posture. Still, it is an increasingly vital component for organizations with forward-thinking strategies.
Why Incorporate Darknet Data into OSINT Investigations?
As stated, the darknet serves as a sanctuary for illicit activities, providing a veil of anonymity for cybercriminals, hackers, and individuals seeking to engage in nefarious endeavors. OSINT investigations that incorporate darknet data can unveil hidden information, shed light on illicit operations, and expose criminal networks. By venturing into the darknet, investigators can access forums, marketplaces, and communication channels used by cybercriminals. This enables the collection of valuable intelligence related to cyberattacks, data breaches, drug trafficking, human trafficking, money laundering, and other illicit activities.
However, investigators need to have access to the right sites, many of which require high levels of authentication and interaction with threat actors. Navigating the darknet(s) can be frustrating and challenging for any OSINT or darknet investigator. DarkOwl analysts have extensive experience working within the darknet and collecting data, and can leverage this to assist with darknet and OSINT investigations across a broad spectrum of areas.
The darknet is a breeding ground for emerging threats, providing insights into evolving techniques, vulnerabilities, and attack vectors. Integrating darknet data into OSINT investigations helps enhance threat intelligence capabilities and enables proactive risk assessment. By monitoring darknet forums and marketplaces, analysts can identify discussions surrounding new hacking tools, zero-day vulnerabilities, exploit kits, and malware. This information is invaluable for cybersecurity professionals who seek to fortify their defenses, mitigate potential risks, and stay one step ahead of cybercriminals, but who don’t always have access to that data themselves. Darknet data empowers organizations to better understand the tactics and strategies employed by threat actors, ultimately strengthening their security posture.
Real-World Examples
Identity theft and fraud have become pervasive in the digital age, causing significant financial and reputational damage to individuals and organizations. Darknet data plays a crucial role in unmasking stolen personal information, fraudulent activities, and the sale of compromised data.
Below we see an example of threat actors on the popular Russian forum XSS discussing the use of TinyNuke malware and ways to solve issues.
Figure 1: Users on XSS forum discuss malware tools; Source: DarkOwl Vision
OSINT investigations involving the darknet allow researchers to monitor underground marketplaces where stolen credentials, credit card information, and personal data are bought and sold. By obtaining and analyzing this data, investigators can identify compromised accounts, detect patterns of fraudulent activity, and alert affected individuals or organizations. This proactive approach assists in mitigating the impact of identity theft and fraud, protecting individuals’ privacy and preserving the integrity of businesses.
Law enforcement agencies and intelligence organizations rely on darknet data to augment their investigative capabilities and dismantle criminal networks. OSINT investigations that encompass the Darknet provide critical leads, actionable intelligence, and evidence.
Below we see threat actors offering “Fullz” for sale on the darknet. “Fullz” is darknet slang for a complete set of identifying information on a person, which can be used by others to conduct identity theft and fraud.
Figure 2: Identifying information being sold on Darknet which can be used for identity theft; Source: DarkOwl Vision
Darknet data assists in identifying key individuals involved in cybercriminal activities, tracking their digital footprints, and uncovering connections to other criminal acts. This information aids in the apprehension of criminals, the disruption of illicit operations, and the prevention of future crimes. Darknet data is a valuable asset in combating terrorism, organized crime, human trafficking, and other serious offenses.
Below we see an example of real-world information being released on the darknet relating to a threat actor. This individual was the administrator of RaidForums, a popular site selling people’s personal data. His true identity was revealed and he was later arrested by law enforcement.
Figure 3: Identifying information about threat actor on RaidForums; Source: DarkOwl Vision
Final Thoughts
As the digital landscape expands, the inclusion of darknet data in OSINT investigations becomes increasingly important. The darknet acts as a hidden realm where cybercriminals thrive, but it also offers a wealth of information that can be harnessed for the greater good. By venturing into this enigmatic realm, researchers and analysts can uncover hidden activities, enhance threat intelligence, unmask identity theft and fraud, and support law enforcement and intelligence operations.
Integrating darknet data into OSINT investigations strengthens our ability to combat cybercrime, protect individuals and organizations, and maintain a safer digital ecosystem.
However, it is important to note that accessing and navigating the Darknet comes with legal and ethical considerations, and it should only be done by trained professionals and in compliance with applicable laws and regulations. DarkOwl analysts are able to navigate this area providing added resources to teams, expert knowledge and compliance.
Contact us to learn how to put our darknet expertise to your use.
While ransomware attacks have continued to grow in 2023, the recent attacks launched by CL0P against the MOVEit file transfer software have garnered much publicity. The zero-day exploit against the MOVEit software has led to huge data theft and extortion attacks.
On June 7th, CL0P began posting the names of the victims they had successfully targeted. By July 11th, they had listed 140 companies which had been compromised. These companies were from a variety of industries as illustrated in Figure 1. These attacks highlight the risk posed to organizations through third parties who have access to sensitive information relating to some of their clients.
Figure 1: Breakdown of industries targeted by CL0P
DarkOwl’s DarkSonar risk signal can be used to forecast cyber threats to an organization by measuring the relative risk rating for an individual domain. Additionally, organizations can measure the risk of third parties who have access to sensitive data. An elevated signal is a cause for concern as it shows a dramatic increase in relative risk, providing warnings of potential threats. We tracked DarkSonar in the weeks and months leading up to the attack for all 140 company domains to see if there was an elevated signal. The results are shown in Table 1. Of the companies attacked, 10% had no email exposure. Of the remaining companies, we found an elevated signal (≥1) within the 4 months leading up to an attack for 67% of the organizations. In addition, 94% of organizations had a signal that was trending upwards.
                                             Elevated Signal (≥1)   Signal Trending Upwards
All Attacks                                  60%                    84%
All Attacks for Domains w/ Email Exposure    67%                    94%
Table 1: True positive rates (positive accuracy) for elevated signals and upward trending DarkSonar signals
A prior independent third-party analysis of DarkSonar showed that an upward trending signal is also a significant indicator of risk. Thus, we explored not only an elevated signal prior to the attack, but also an upward trending signal. We calculated the trend line over the 4 months leading up to the attacks to determine the number of upward trending signals. For the companies with an elevated signal or an upward trending signal, we saw true positive rates between 84% and 94%.
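The evaluation described above, as an added example that is not DarkOwl’s code: it scores each domain over a 4-month window as “elevated” (any month at or above a threshold of 1) and “trending upward” (positive ordinary least-squares slope over the monthly values), then reports the share of attacked domains that met each condition, first over all domains and then over only those with email exposure. The domain names and monthly signal values are constructed; DarkSonar’s actual scoring is proprietary and not reproduced here.

```python
"""Added example (not DarkOwl's code): evaluating "elevated" and "upward trending"
risk signals against a set of known incidents. All data below is constructed."""
from typing import Dict, List, Optional

LOOKBACK_MONTHS = 4       # months before the incident that are examined
ELEVATED_THRESHOLD = 1.0  # a signal >= 1 counts as elevated (per the table above)

# Constructed data: one monthly signal series per attacked domain, oldest month first,
# covering the LOOKBACK_MONTHS before the incident. None marks a domain with no email
# exposure in the dataset, for which no signal could be computed.
MONTHLY_SIGNALS: Dict[str, Optional[List[float]]] = {
    "example-a.test": [0.2, 0.4, 0.9, 1.3],   # elevated and rising
    "example-b.test": [0.1, 0.1, 0.2, 0.2],   # low but slowly rising
    "example-c.test": [1.1, 0.8, 0.6, 0.5],   # elevated earlier, then falling
    "example-d.test": [0.3, 0.6, 0.7, 1.0],   # reaches the threshold in the last month
    "example-e.test": None,                   # no email exposure: no signal available
}


def is_elevated(series: List[float], threshold: float = ELEVATED_THRESHOLD) -> bool:
    """True if any month in the window is at or above the threshold."""
    return max(series[-LOOKBACK_MONTHS:]) >= threshold


def trend_slope(series: List[float]) -> float:
    """Ordinary least-squares slope of the signal over month index 0..n-1.
    A positive slope means the signal is trending upward."""
    values = series[-LOOKBACK_MONTHS:]
    n = len(values)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(values) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def is_trending_up(series: List[float]) -> bool:
    return trend_slope(series) > 0


def evaluate(signals: Dict[str, Optional[List[float]]],
             require_exposure: bool = False) -> Dict[str, float]:
    """True positive rates over attacked domains: fraction with an elevated signal,
    fraction trending upward, and fraction meeting either condition.
    With require_exposure=True, domains without a signal are excluded from the
    population; otherwise they count as negatives (no warning was possible)."""
    population = {d: s for d, s in signals.items()
                  if s is not None or not require_exposure}
    n = len(population)
    elevated = sum(1 for s in population.values()
                   if s is not None and is_elevated(s))
    trending = sum(1 for s in population.values()
                   if s is not None and is_trending_up(s))
    either = sum(1 for s in population.values()
                 if s is not None and (is_elevated(s) or is_trending_up(s)))
    return {"n": n, "elevated": elevated / n,
            "trending_up": trending / n, "either": either / n}


if __name__ == "__main__":
    for label, flag in (("All attacks", False), ("Domains w/ email exposure", True)):
        r = evaluate(MONTHLY_SIGNALS, require_exposure=flag)
        print(f"{label} (n={r['n']}): elevated {r['elevated']:.0%}, "
              f"trending up {r['trending_up']:.0%}, either {r['either']:.0%}")
```

Excluding the no-exposure domains raises every rate, which is the same effect the two rows of Table 1 show: a domain with no credential exposure cannot produce a signal, so it can only count against the method.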
Breaking down the results across the industries with the most attacks, we see the positive accuracies shown in Figure 2. While this requires further analysis, it does point to some industries where DarkSonar may have the potential to be a stronger indicator of risk.
Figure 2: Positive accuracy across the main industries
To learn more about how DarkSonar may predict future attacks on your organization, contact us.
Review of CL0P’s Zero-Day Exploit Against MOVEit
Original Post: July 25, 2023
Ransomware attacks continue to grow in 2023, with the number of attacks taking place this year surpassing those at the same stage last year. One of the most successful groups this year has been CL0P, which leveraged a zero-day exploit against MOVEit, a managed file transfer software, leading to huge data theft and extortion attacks.
Figure 1: Initial vendor alert on the newly discovered MOVEit vulnerability; Source: Community Progress
CL0P have been active since early 2019, conducting both ransomware and extortion attacks, which highlights that they are financially motivated. They have been known to make large-scale demands to release data; in 2020 they became one of the first ransomware groups to demand over $20 million. While law enforcement activity has identified some members of the group, they continue to be active.
DarkOwl analysts have been actively monitoring CL0P and the leak site to which they post victim data. On June 6th, 2023, they claimed responsibility for exploiting the privilege escalation vulnerability in MOVEit Transfer. In their post they threatened to publish the stolen data if victims did not pay an extortion fee and also provided instructions for how to make payments. Security researchers have indicated that CL0P are likely to raise $75 million from their extortion attacks.
Figure 2: Instructions on making payment; Source: CL0P blog
On June 7th, they began posting the names of the victims they had successfully targeted. As of July 24th, they have added 187 victims’ names; however, a number of other organizations have indicated that they are also victims of the attack. The group appears to be slowly releasing names, holding back those which could be considered more high profile. It is not currently clear how many organizations they were able to compromise. The group have been teasing new victims and also what data will be included in the document leaks.
Figure 3: Teasing data threatened to be released; Source: CL0P blog
As of July 24th, only 11 victims have been removed from the leak site, which would suggest that they paid the extortion fee or are currently in negotiations with the threat actor. Full data has been provided for 21 victims and partial data has been released for a further 65. DarkOwl’s assessment of the victims indicates that the industry most impacted by this attack is finance.
Although some government and law enforcement agencies have self-reported as victims of the MOVEit campaign, no victim data has been provided. CL0P issued a notice on their website indicating that although they have successfully targeted government and law enforcement sites they will not be releasing this information as their intentions are purely financial in nature.
Figure 4: CL0P’s notice that they are not interested in government data; Source: CL0P blog
However, it does seem that CL0P may have fallen victim to too much success. Their leak site appears to have been overwhelmed by the amount of media attention they have received. The site has regularly gone down, there is often a queue to enter the site, and the download of data is very slow. This works to the victims’ advantage, since it is not easy for anyone to download the information which has been stolen. It could be argued that it is not worth paying the extortion fee if no one can access the data, which could be why so few victims have been removed from the site.
Figure 5: Waiting page; Source: CL0P blog
Perhaps as a result of this issue on their darknet site, coupled with the known slowness of Tor, the group have started releasing some of the data on clear web sites. It is not yet clear whether that will make the victim data more readily available.
The MOVEit attack has also highlighted the risk posed to organizations through third parties: high-profile consultancy companies have been included in the CL0P leaks, and their data is likely to contain information relating to some of their clients. Some of the reported victims which have not yet appeared on the list use vendors that are known, or have been reported, to be breached.
Below is an example of a media item discussing a vendor breach that affected other organizations:
DarkOwl collects data released by ransomware groups in order to identify what information has been released, what victim data is present, and what risk it may pose to the organization. As well as the named victims, this data can also include large amounts of third-party data. It is therefore important to have access to it in order to search for mentions of all affected organizations. DarkOwl can alert your organization if its information appears in any of the data that we collect and, further, help turn that data into actionable threat intelligence.
The DarkOwl team had a busy week all over the world last week, from the Washington DC area to India. Alison Halland, Chief Business Officer of DarkOwl, kicked off the week with our first ever hands-on training on DarkOwl Vision and ended the week by attending the AFCEA/INSA Intelligence and National Security Summit in National Harbor, MD. Meanwhile, Mark Turnage, CEO of DarkOwl, attended the G-20 Conference on “Crime and Security in the Age of NFTs, AI, and Metaverse” in Gurugram, Haryana, India. This blog highlights those events and summarises the key takeaways from each.
On Wednesday, Alison hosted “Explore the Darknet with DarkOwl” at the Carahsoft headquarters in Reston, VA. Attendees got access to DarkOwl Vision and conducted hands-on searches during a scavenger hunt. DarkOwl’s industry-leading Vision UI provides access to the largest commercially available database of darknet content in the world, without having to access the darknet directly, so you can take action to prevent potentially devastating cybersecurity incidents. After an afternoon of learning about the darknet and diving into it, attendees enjoyed networking during happy hour. The team is excited to do more of these intimate in-person trainings, so make sure you don’t miss the invite to our next one!
The Intelligence and National Security Summit
Alison and Steph Shample represented the DarkOwl team at the Intelligence and National Security Summit on Thursday and Friday. The event describes itself as “the nation’s premiere conference for unclassified dialogue between U.S. Government intelligence agencies and their industry and academic partners,” and was celebrating its 10-year anniversary this year. In addition to the exhibit hall, attendees could participate in a number of speaking sessions and breakout sessions. During the plenary sessions, top agency and military intelligence leaders discussed strategic intelligence challenges, military intelligence priorities, and the state of the community; during the breakout sessions, senior executives, technology experts, and thought leaders explored some of the most pressing issues facing the community. Speakers included leaders from the Federal Bureau of Investigation, the Defense Intelligence Agency, the Defense Innovation Unit, the US Navy, the U.S. Space Force and many more.
Due to the layer of anonymity it provides, the darknet is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming online and going offline, with pages vanishing from one minute to the next. The technology DarkOwl leverages to scrape and index hidden digital undergrounds is key to the mission of obtaining proactive situational awareness for the protection of the nation’s security initiatives. DarkOwl Vision UI provides a user-friendly interface with powerful querying capabilities to search, monitor, and create alerts for critical information. DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence/fusion centers and federal agencies to uncover human trafficking, opioid sales, terrorism, security issues, and other illegal activity, making it the perfect tool for this audience to dive into.
The DarkOwl team was able to meet with several clients at the event, including Siren and OSINT Combine. You can read about our partnerships here. Connecting with current clients is always a huge plus when attending events, and hearing feedback, brainstorming new ideas, and connecting with new members in person is invaluable.
G-20 Summit: Crime and Security in the Age of NFTs, AI, and Metaverse
The group of 20 (G-20) is comprised of 19 countries (Argentina, Australia, Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan, Republic of Korea, Mexico, Russia, Saudi Arabia, South Africa, Turkey, United Kingdom, and the United States) and the European Union. Together these countries represent 85% of the global GDP and about 66% of the global population.
On Friday, Mark Turnage, CEO and Co-Founder of DarkOwl, presented on “Connecting the Dots on the Darknet: Darknet and Cryptocurrency.” This presentation covers the use of cryptocurrency (crypto) as it is used on the deep and dark web (DDW), as well as nascent efforts to regulate the cryptocurrency markets and transactions. On dark web marketplaces and forums, which sell everything from drugs and weapons to the latest malware and data leaks, the currency of choice for transactions — due to what cyber actors espouse is the provided anonymity — is crypto. Most common is Bitcoin, but DDW markets are accepting more currencies such as Ethereum, Monero, Litecoin, and Zcash, among others. Cyber actors generally feel that Bitcoin has become less anonymous as global entities move to regulate Bitcoin and follow financial transactions and state this as the reason they are using other cryptocurrencies. Regulatory efforts towards cryptocurrencies vary greatly by nation, but standard Know Your Customer (KYC) and Anti-Money Laundering (AML) policies are common, agnostic of country or entity efforts to regulate crypto transactions. Efforts to change from crypto into more traditional cash, known as “fiat”, are also analyzed from a regulatory standpoint.
Other speakers covered topics such as internet governance, secure digital public infrastructure, the Metaverse and digital ownership, the challenges of AI, and information and communication technologies. An official overview of the conference can be found in the Chair’s Summary.
Interested in meeting with the DarkOwl team? See where we are around the world the rest of the year here.
Read on for highlights from DarkOwl’s Product Team for Q2, including new product features and collection stat updates!
Data and Product Updates
DarkSonar Launch and Updated Features
In April, DarkOwl announced the release of a new product, DarkSonar API, to help organizations better assess and track their potential cyber risk based on the nature of their exposure on the darknet.
Built on DarkOwl’s proprietary Entity dataset, DarkSonar generates a risk rating that is unique to each company. The algorithm used to generate these signals takes into account key quantitative and qualitative factors, over time, of an organization’s exposure of email addresses with associated passwords, and weights each signal accordingly. The result is a quantifiable risk indicator that can help companies and organizations monitor and potentially predict cyberattacks.
In testing internally and with beta partners in the insurtech and third-party risk industries, DarkOwl found an elevated DarkSonar score in the months before a cyberattack in nearly 75% of the cases where a company publicly acknowledged a breach.
Date Input Option
This recently added feature allows users to input the date of a known event or breach to get DarkSonar signals and trending for the months leading up to that date. This update is particularly useful for customers with known historical incidents (reminder – DarkOwl never captures API queries in the system!).
Resources
In case you missed it and want to learn more about DarkSonar and the importance of forecasting cyber threats, there are several resources available to check out:
Report: Forecasting Cyber Threats: This report outlines DarkOwl’s new metric based on email and credential volume to measure an organization’s exposure. We tested our metric against 237 public cyberattacks occurring in 2021 and 2022 and found our signal was elevated within the last four months prior to an attack for 74% of the organizations.
DarkSonar API Document: Signals to inform threat modeling, third party risk management, and cyber insurance, that potentially predict the likelihood of attacks.
Search Tabs
The product team has added Search Tabs into the Research section of the UI, thanks to customer feedback! With Search Tabs, a user can have up to four search inquiries open at the same time. This will help users pivot while still retaining results from another search. To start a new search, simply click on the “+” icon next to the current result tab. With this new feature, the quick filter menu has also been adjusted to be more streamlined.
Enhanced Forum Presentation
The product team is most excited about improvements to forum presentation in our UI and Search API. A user will be able to easily distinguish thread titles, the number of posts at the time of collection, users, post dates, and posts. The number of forums available in the new format is growing every day; as of early July, there are 60 available. The screenshot below demonstrates the new formatting.
Decode/Encode Buttons
The Decode URL feature allows users to see the original (non-encoded) URL. Users need the encoded version to search by URL in our system. If a URL has been encoded, there will be a new Decode URL button below the URL in the search result.
Example of improved forum presentation and Decode URL
User-Selected Default Search Settings
The team has also added more personalization to the UI so that users can select their own default search options for sorting, seeing duplicates, or seeing empty bodies. Ease of use for customers is always top of mind when implementing new changes and features.
Alternate Telegram Usernames
Telegram channels have become increasingly popular with threat actors as a means of advertising illicit goods and communicating with each other. Although Telegram users can change their display name as often as they want, when registering they are assigned a user ID which cannot be changed.
This quarter the team added a feature which allows the user to search on the user ID with the click of a button to see all the posts made by that user regardless of their username, saving the analyst time and making it easy to focus in on posts. The screenshot below from Vision UI shows exactly when someone has changed their name in a channel, what their old name was, and what they have changed it to. As mentioned above, their user ID does not change.
Lexicon Updates
DarkOwl Vision’s DARKINT Search Lexicon is an easy-to-use tool intended to help users find interesting content within our database. This quarter a huge audit took place updating and adding hundreds of Lexicon entries for Forums, Markets, and Ransomware Sites. Clients can always submit content for us to add. Curious what DarkOwl means by “DarkInt?” Check out our full write up.
Collection Stats and Initiatives
The collection efforts and team continue to grow as advances are made in crawling technology and the focus on emerging areas of activity continues. The stats below show tremendous areas of growth over Q1 2023.
Highlights
This quarter 386 new chat channels and groups and 56 unique data leaks, totaling 900,000 new documents, were added. The team was able to obtain and index most channels and data leaks requested by customers within 24 hours of the incoming request. Some of the most notable include Shell.com, Viva Air, and Eye4Fraud.
Entity Numbers
As of the beginning of Q3 this year, DarkOwl Vision has captured the below number of critical entities and the database is growing every day.
Notable Leaks added in Q1:
Shell.com
The Russian ransomware gang Cl0p, mainly oriented around double-extortion ransomware, successfully exploited a zero-day vulnerability in the MOVEit file transfer tool in June 2023, which has led to the exposure of over 150 victims. The group listed Shell.com as one of their victims and released files including names, email addresses, phone numbers, social security numbers, physical addresses and more belonging to customers and employees, as well as internal documents. DarkOwl analysts are seeing their activity continue into July, with more victims being added and more files released. Learn more about the Shell Data Breach.
File structure in DarkOwl Vision from Shell breach indicating what victim information is available.
Throughout June, the actors were highly active using the nascent MOVEit zero-day vulnerability. They have shared details of their victims on their leak site, which now lists over 150 organizations with information relating to 15 million individuals. Stay tuned as we release more in-depth analysis of MOVEit and their recent activities.
Viva Air
Viva Air, a budget airline based in Colombia, was allegedly hacked in March 2023 by Ransomexx ransomware. According to the original posting on BreachForums, shown in the DarkOwl Vision screenshot below, 26.5 million records containing clients’ names, dates of birth, passport numbers, phone numbers, and emails were leaked, with a total size of 18.25GB. The posting also provided a sample of the data showing the personally identifiable information leaked. Processing this alone added nearly 450,000 documents to the DarkOwl darknet database. DarkOwl analysts also found listings and conversations about the leaked data re-posted for sale on several other forums and marketplaces, as well as on Telegram.
Eye4Fraud
In March 2023, Eye4Fraud, a global fraud detection firm, publicly announced that they had fallen victim to a data breach that resulted in the compromise of over 16 million unique email addresses, as well as full names, phone numbers, and physical addresses from businesses that use their services. The company provides services to help protect eCommerce companies against fraudulent orders and received criticism for its slow response in notifying customers about the breach.
In today’s world, the internet is an integral part of everyone’s personal life and even more so of every organization. Over the past several years, social media platforms have come to play a big part in an organization’s strategy and digital footprint as people connect, share information, and express themselves. In addition, the darknet and darknet-adjacent platforms, characterized by anonymity and illicit activities, have grown in popularity.
In this webinar, DarkOwl CEO Mark Turnage and Socialgist CRO Justin Wyman explore how the two interconnect and dive into the topics of:
Data collection and enhanced insights
Online identities and connections
Social engineering and phishing attacks
Reputational risk
Ethical concerns and legal challenges
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Kathy: I would like now to introduce Justin Wyman, the CRO for Socialgist, and Mark Turnage, the CEO for DarkOwl. I’m going to turn it over to them to do some introductions and introduce their companies and then we’ll get started. Justin.
Justin: Thank you, Kathy. I really appreciate you putting this together. And thank you, Mark, for joining me in this webinar.
I feel like our two companies are kind of different sides of the same coin in the sense that we both scour the internet looking for online conversation. Socialgist really specializes in what I would call public conversation, people talking on blogs, message boards, forums and social networks about everything under the sun, including brands, political issues, etcetera. We’ve been doing this since 2001. Our goal is to take all the information on the left, package it in that blue box in the middle, and then distribute it to analytics platforms on the right.
We call this DaaS, or data as a service. Our core values provide high quality global datasets of the world’s online conversations. The key strengths are important for this webinar. It’s very broad, right? 30-plus languages. We provide a lot of context. That means history. And then we really focus on high quality, low spam data collection. A lot of this is looking for a needle in the haystack, and if you don’t have accurate data, then you’ll get a lot of false needles.
This is just a sample of our data sources. The things to understand are there are many different parts of the internet to potentially mine for insights: blogs, journaling, news, which is where you watch things spread from social media to online media. Videos like YouTube are obviously important. Forums or threaded conversations are where you see really hobbyist conversations. And then there’s review sites and social networks, reviews being people trying to phish in this example, looking for selling competitive products, and social networks being Parler, Truth Social, those types of things.
Kathy: Mark, would you like to introduce DarkOwl?
Mark: Thank you. And it’s a delight to be here. Thanks for hosting, Kathy, and thanks to Justin. We’ve been looking forward to this webinar. DarkOwl, as Justin said, we’re two sides of the same coin. In fact, the presentation that Justin gave, if you just substituted darknet data for all the data sources that he and Socialgist collect, you would get to DarkOwl. We have been collecting data now for well over a decade. We supply that data to our customers. And, just for the sake of clarity, we only specialize in darknet and related deep web and surface web sites that repost data from the darknet. And we supply that data through our Vision UI or through a range of APIs and data feeds.
This gives you a sense of what we’re talking about. The bottom of that slide is the traditional definition of a darknet, by which I mean our traditional definition is it usually requires a specialized browser to get to. And once you are in those darknets, your user identity is obfuscated and oftentimes the traffic is encrypted. So the beginnings of the darknet traditionally trace back to the Tor network. As you can see, a range of other darknets have arisen for a variety of different reasons. For example, the third one in, called ZeroNet, is very popular in China. It’s a blockchain based darknet, so that the conversations that occur on ZeroNet are actually distributed around a blockchain. And in order to collect data from ZeroNet, you have to actually continually crawl the entirety of the blockchain to recreate a single conversation. And perhaps unsurprisingly, darknets are popular among the criminal groups because of user obfuscation. And with the rise of cryptocurrency, a relatively anonymous currency, it’s the perfect place to do crimes. The deep web and the surface web we also collect from, but we don’t generally collect from social media and from the sites that Socialgist collects from, which makes us ideal partners. We collect from authenticated websites and the deep web and then some high-risk surface sites. Direct messaging platforms, Discord, Telegram, IRC are new platforms for us where we collect data, and increasingly a lot of criminal activity is moving to these direct messaging platforms. And I think the topic we want to discuss here today is how does the data that DarkOwl collects fit in a cyber investigation and in an analytical context, and how does it fit with what Socialgist is doing?
Just very briefly, this gives you a sense of the volume of data that is coming out of the darknet that we collect on a daily, weekly, monthly basis. And you can see some of the types of data that we collect as well.
Kathy: Thank you for the introductions to both of your companies. Today we would like to start off with the first talking point of data collection.
Data Collection
Socialgist specializes in collecting and aggregating social media data while DarkOwl focuses on collecting dark web data. Can you both talk to how these two are connected?
Justin: I will start. I think what’s important to understand is that in an increasingly interconnected world, you have what’s called a butterfly effect, which is where small things can snowball very quickly. And if you see the sources that Mark presented on his slide versus mine, you can see a very interconnected world. Now, the thing that Mark and I have spoken a lot about in our partnership together is how often things that are damaging to brands or cyber investigations start in the dark. That’s where they get organized. But you cannot tell if it’s going to have an impact, especially when the intention of the criminals is to battle perception or brand awareness, until it bubbles up into the public net. So it’s smart to have a wide net across dark and public to see what issues are emerging in the darknet and then going into public and going into traditional news. Would you agree with that, Mark?
Mark: Absolutely would agree with that. In fact, we find that threat actors regularly use social media to bubble up threats, to bubble up data that they’ve stolen, to bubble up information to the surface web. We also find, by the way, that in terms of identifying threat actors, most threat actors are very, very active on social media. Whether they do that personally or in their professional, quote unquote, capacity as criminals. And we find that it’s very easy to pivot back and forth between the two in trying to identify who they are. And oftentimes we are able to identify them by virtue of their use of social media and the commonality of what they’re doing in social media with what they’re doing in the darknet. And I have some examples we can talk about later on.
Data Insights
What kind of data can come from social media that helps investigators or threat intelligence teams? And what about from the darknet?
Justin: Any person in crisis communications or PR will kind of have two principles. It’s how fast do you get the insight? And how accurate is the insight? What social media does is take that accuracy component and really helps you understand what’s happening. Or accuracy might be another word for validity. So when you see issues that are very important to you bubbling up in social media, then you know that it has momentum. That snowball is building that butterfly effect. So when I think about how the darknet and social web thing work together, it’s about when it pops up into social media or the public web, that is a very big sign of validity or accuracy. So that’s how you can use that to justify what threats are real or not. Because as somebody that’s in cyber investigations, you’ll have a list of 10, 20, 100 issues and you’re constantly trying to see which ones are real or not. And social media data gives you that validity or accuracy. Okay. This is something we need to pay attention to, especially in information warfare.
Mark: The range of data that is available in the darknet that is of interest to analysts and investigators is very broad. The darknet is a primary repository of threat data. It can be data that’s been hacked or stolen from organizations. It can be vulnerabilities that are being bought and sold or discussed in the darknet as a way to get entry into organizations. It can be a wide range of PII that’s available on the darknet for executives and companies. To Justin’s point, there are disinformation specialists who offer services in the darknet. And so I equate the darknet to the sort of 2 or 3 city blocks in every town where all the crimes occur, and we see ourselves as a primary policeman for those types of activities that occur in the darknet. And obviously, the darknet is growing. It’s a growing phenomenon. That chart I showed earlier shows that what started out as the Tor network is now a number of distributed networks. We, as an example, extract data from 25 to 30,000 darknet sites a day into our platform. But to Justin’s point, when you start to see data bubble up into social media or into the surface web from the darknet or from actors who are very active in the darknet, you know that something has happened. You know they’re bubbling it up for a reason. Usually it’s to draw attention to the fact that they have committed an act or extracted data from an organization or are in the middle of a ransomware attack. And you can easily see that when it bubbles up to the social media level.
Justin: I thought an important point you brought up on your slides was the ZeroNet Chinese aspect of this. We’ve watched this together, as you know. These 2 or 3 blocks is a great analogy, but those blocks are growing. They’re getting more organized and they’re getting more effective. And ZeroNet in China is a great example of how we watch them organize in the dark web, go up into Chinese forums, then go to more of the US public web. And so the question is, at what point in time are you going to be aware of that? Do you want to be aware of it by the time it hits the public web in the US? That’s probably not the speed you want. If you’re a crisis communications person, you probably want to understand that threat in the ZeroNet so you can prepare for it long in advance. You want to understand that threat as early in that kill chain as possible. And that’s the reason why our two platforms work so very well together.
Mark: And by the way, Justin, the example you cited with respect to ZeroNet also applies to the use of Telegram in the Ukraine Russia conflict and the various spiders that have arisen from the primary use of Telegram by threat actors on both the Russian side and the Ukrainian side in spilling and leaking data and attacking each other. It then spreads through a broader social media environment and it has changed, frankly, the landscape of how we think about threats and how we pivot, how we see pivoting by threat actors between social media and the darknet. It is amazing to think about. The lag between traditional news and what we know is happening online when it comes to the Ukraine war, the surprise when certain things happen, is not nearly as surprising to you and me, because we’ve been watching it for a while. We, you know, obviously can’t predict the future, but we can anticipate it better by using that kill chain, as you described.
There’s no question about that. And it is interesting to me. I think if we were executives in traditional social and traditional media companies, how to incorporate the speed with which news travels, particularly in social media, would be a real challenge. I know, for example, that I go to social media when I hear something is late breaking or newly breaking. I go to social media as a first instance. It beats all the mainstream media sources in terms of speed, there’s no question. And, you know, I’m not unusual in relying on that. I think, you know, certainly the younger generation relies on that almost to the exclusion of any other sources.
Justin: Traditional media no longer breaks news. It’s supposed to analyze news and it always struggles when it tries to do the other thing.
Kathy: We’ve had a question come in and someone would like to know, how do you know when a company is being targeted on the dark web?
Mark: That’s a great question. My first part of that answer is oftentimes they’re named in the darknet. We are attacking XYZ company, or we have a back door into XYZ company, and here’s some data we’ve already exfiltrated. So shockingly, the first thing is look in our platform and see what companies are being named as targets. Secondly, threat actors oftentimes will post IP data of targets that they’re targeting. And if you know your IP range, you can see that you’re being actively targeted. But the most common way to know it is threat actors will oftentimes extract data out of a company, post it in the surface web, on surface web sites or in social media, and say, we have attacked XYZ company and here’s proof of that, and they will put out some embarrassing documents. And simultaneously, ransomware operators will be talking to the company directly and saying, we have a lot more of this data and we’re going to leak it unless you pay us a ransom. And so, you know, this is a case where seeing what’s happening in the darknet and seeing what’s happening in the surface net go hand in hand. And as Justin said earlier, you don’t want to be on the receiving end of that. You don’t want to see your company’s most confidential data already posted, in whole or in part, on social media or surface web sites. At that point, you’re way behind. Your response is way behind where it should be. So, you know, it’s pretty easy to see what companies are being targeted in the darknet.
Justin: To build on Mark’s point, what’s interesting about information warfare is for it to be useful, you have to at some point make it public. You have to usually increase the value of the data by saying you have the data in some sort of public way. Now, maybe that starts in the darknet or maybe it starts in the public web. But that’s one advantage I guess the good guys have is when somebody has information on you, it’s only valuable when it’s being used publicly. So eventually they will reveal themselves.
Online Identities and Connections
Using social media and darknet data can help paint a picture of a cybercriminal or group. How can you use these data sets and tools in tandem?
Mark: I’ll give you an example. And I’ve referenced this earlier. A few years ago, one of our clients was being subjected to online disinformation campaigns in Latin America that they thought might originate in Russia. And it was actually causing physical attacks on their facilities in Latin America. They asked us to look at that in the darknet and see what we could find out. And this was a threat actor who was actually very active on social media in making threats against our client, but also was very active in the darknet. So we started in the darknet and we were able to trace certain activity and certain identities in the darknet, and we pivoted back to social media. We noticed that in the darknet he was using a specific username that was quite unusual, and we pivoted back to social media and started to see if anyone else was using that username in social media. And we did, we found that there was a user using that username on some fairly obscure social media sites.
We then pivoted to those social media sites and, as is the case with many social media sites, we were able to identify both an IP address, located in Siberia of all places, and secondly we were able to locate contact details. We then pivoted back to the darknet and said, is this email address that has been identified on this social media site in use anywhere else in the darknet? And we found that that social media site tied directly to one of the darknet accounts that he was using to launch these disinformation attacks on our client. And we pivoted back and forth and back and forth, and we actually finally came up with, believe it or not, a social media post where the actor had not only posted his picture, but we believed in the end that he was actually acting at the behest of the Russian government. Now, that’s a perfect example where identities are in both the darknet and in social media. And to be honest, he was a bit sloppy in doing so. But that’s a hallmark of many criminals: they can be sloppy in pivoting between the two. We would not have been able to do that analysis simply using darknet data. We had to pivot to social media and back several times in order to get to the conclusion that this was a Russian threat actor. It was probably acting at the behest of the Russian government in targeting our client.
Justin: I think what’s interesting about this is their job is not that different from most jobs, meaning if you’re going to have an ongoing concern where you’re trying to achieve objectives, then you need to establish an identity that is known in many worlds, right? Just like I’m on LinkedIn, I’m the same person on Facebook, I’m the same person on Instagram. So while they’re a little more opaque than we would be, obviously you still have to be identifiable across these various mediums and that gives a real opportunity for forensic analysis to follow things along that kill chain.
Social Engineering and Phishing Attacks
How does social engineering differ in social media and on the darknet?
Mark: It depends on what the social engineering is being used for. Phishing attacks are usually emails targeting specific individuals or groups of individuals with a view towards attempting to get them to open a file and corrupt their computer and then get access to their network or to the data that’s on their computer. Social engineering refers broadly to identifying those individuals or those targets ahead of time so that those attacks, those phishing attacks, can be much more sophisticated. And I’ll give an example. I’ve been subject to social engineering and phishing attacks, both sophisticated and unsophisticated. An unsophisticated attack is somebody sending me an email and saying, hey, you know, click on this article, it’s of interest. It would be of interest to you. A sophisticated attack appears to come from my CFO and says, Mark, attached is a file which I need you to urgently look at, and call me now.
Now, to get to that latter email, they have done some research on Mark Turnage. They have to know who my CFO is. They have to then build a template that looks as if it’s coming from my CFO. All of that occurs. All of that data is available in the darknet. My email address is available on the darknet. Biographical information about Mark Turnage is available in the darknet. And for most executives, by the way, it’s also available in the surface net. You can go to the DarkOwl website and see who our management team is. It’s very common for companies to post that data. And so pivoting back and forth between the darknet and social media allows the targeting that we are talking about, targeting of executives, targeting of individuals in organizations and in companies, to enable criminals to do what they do.
Justin: The thing that scares me, well, Mark, I’m sure you’ve seen this too, is like how little information you need to do social engineering these days. It’s literally like five seconds of audio and you can clone my voice, basically. And Mark and I were talking before this phone call how we have the first, I think, political campaign ever creating somebody else’s voice today for ads, having somebody literally say what they don’t want to say and publishing that on television. So, I think we’re going to live in a world where social engineering and social media is going to be very personalized. To Mark’s point, because we’re all online, we all have identities, and it’s only going to get easier to trick people with more and more realistic content.
Mark: And to use the example that Justin gave, and I think Justin posted it in social media this morning. When you have deepfakes and you can imitate somebody’s voice or a video of somebody really well, in an almost undetectable way, the opportunities for phishing attacks grow exponentially. Because imagine that example where I get an email from my CFO saying, Mark, I need you to open this file. Imagine that instead of that being an email, it’s a voicemail. Or it’s a voicemail attached to an email that sounds exactly like my CFO. The range of potential abuse of that technology is remarkable. I was just amazed, Justin, that the first use of it was a political presidential campaign. That’s the part that was a surprise to me. Not really phishing. It was just politics.
Justin: When we thought we couldn’t go lower, we go a little bit lower.
Reputation Risk
According to a recent report by Deloitte, 87% of executives rate reputational risks as more important than other strategic initiatives. What are your thoughts on that?
Mark: I think if I had to read behind that statistic, I would guess that the reason most executives are worried about reputational risk versus other strategic initiatives is that they don’t control reputational risk to a large degree. Once an attack, say a misinformation or disinformation attack, is mounted on a company, recovering from it is inherently more difficult than almost anything else. So to Justin’s earlier point, you want to stay ahead of any disinformation attacks. You want to have a plan in place on how to react to them if they do arise. But if you can get early warning signals from social media, from chat rooms, from forums that people are targeting your company or your organization, it gives you the chance to stay on the front foot as opposed to being on the back foot. I mean, am I right about that, Justin?
Justin: I believe so. What’s interesting about that statistic when I read that was in this business, I still remain very optimistic. People are understanding the risks and how they impact their business. I mean, that’s a very impressive number it generates from the C-suite. I believe most of that responsibility was put on the CEO or CFO of the C-suite, meaning they understand that this is a thing they can’t control. The other thing that was embedded in that study that I thought was really important was consumer perception, which reputational risk is kind of like the bigger version of consumer perception. But when it comes to the world of phishing and social engineering, people are really understanding that this is a problem, probably because they’ve seen many of their peers be burned at this point in time and they’re trying to figure out what to do. The big step now is now that we understand, the problem is how do you execute on it? You know, when those people raise their hands, how do Mark and I help them get systems in place that allows them to be protected?
Ethical Concerns and Legal Challenges
What challenges do you both face?
Mark: We at DarkOwl face a set of ethical challenges every day in terms of how do we collect data from the darknet in an ethical manner and make it available to legitimate clients while respecting the privacy of people whose data has been posted to the darknet. So as an example, we don’t participate in darknet sites where purchase of data is necessary in order to participate, because we don’t want to fund the criminal ecosystem. So there are clearly darknet sites that we will not collect data from. What we’re trying to do is return stolen data to its rightful owners or alert them to the threats that are arising from the darknet. So there’s a natural inherent balancing act that we have between privacy concerns, legitimate privacy concerns, on one hand and the need to continuously monitor this environment from which many threats arise.
Justin: In our world, we think a lot about the town square and public conversation and how important that is. And I think that when things are in the public square, our biggest ethical concern is not actually on our side. It’s on the people that are providing the public square. So we have major social networks that are creating these environments to have misinformation spread. A lot of other information is spreading as well. But misinformation is also spreading. And I think the thing we’re seeing, the thing that’s concerning to me and my company, is that these large social networks seem to be, as an attempt to save money and get profitable, abdicating their responsibility to moderate this town square. You can’t sell gasoline to a bunch of people and then be upset when everything is on fire. So that is the big concern I’m seeing, is that moderation is going down, which is causing a rise of disinformation because they’re filling the vacuum that previously wasn’t there.
Kathy: What are the key technological or macro developments in the space to be aware of?
Mark: I mean, you know, everybody is talking about AI, and rightly so, to be honest. If there’s anybody on this webinar who hasn’t been on ChatGPT or any of the look-alikes to ChatGPT, I would highly encourage you to do so. AI is moving at a very rapid pace and I think critically it will allow, Justin spoke in his introduction earlier about the noise to signal ratio and the noisiness of data. Both our companies collect so much data that parsing through that noise to get to your particular signal is oftentimes quite challenging, even with the tools that both our companies provide. AI, I think, will enable investigators and companies to get to that signal much faster and to monitor in a much more comprehensive way. But with all technologies, it’s also used by the criminals. So we were talking about deepfakes, but AI can be used in a criminal context as well. So, you know, it’s going to be an interesting challenge going forward to see both how AI is used to protect companies and how AI is used to attack organizations as well.
Justin: I was reading earlier this morning. So they did a study – they think there’s 220 websites, news websites that are just all AI generated at this point in time. So it’s up from like 73 months ago.
It’s like tools go both ways, right? You can create bad content and you can identify bad content. But if we learn the lessons from the previous versions of AI, which was recommendation engines, where the social networks keep generating more and more or surfacing more and more clickable content, which is usually conspiracy based or negative. Well, soon they’re not recommending the content. In that example, they needed a library of content or people creating content, but they’re going to be able to do that on their own in real time and test and then go, oh, this vein is working. Keep going deeper and deeper. That is a massive macro trend that I think is really going to change how we think about information and maybe in a weird way create a rise of journalism again, because we’re gonna need some validation because we can’t trust what’s in our feeds. And then the last one would be the one I just mentioned previously is as this rise of content is happening, social networks seem to be taking a step back from moderation, which again, I think is going to embolden people with ill intent.
Mark: No, I think that’s very clear, by the way. Another potential use of AI on the criminal side is if I were going to mount a disinformation campaign on a company or an organization, I could very easily, using generative AI, generate an extremely professional sounding set of facts that are misinformation or disinformation and can be used in an offensive capability, and you can generate that almost instantly. So to your point earlier, where companies at the C-suite level have to be cognizant of the risks they’re facing, that’s a massive risk, because instead of responding to a disinformation specialist who’s putting out a rumor that your company did X, Y, Z or was involved in X, Y, Z criminal act or bad act, you could be facing, you know, what looks like a legitimate article with legitimate sounding facts that’s been generated by AI. And then you’re up against a much steeper cliff in terms of responding. So what is interesting is most of these people are opportunistic. They’re taking a misstep and they’re amplifying it. But soon they’re going to be able to, or probably today they’re going to be able to, create a perceived misstep and amplify that. So you will be under attack from things that you had no connection to. But that won’t change how the consumer perceives you unless you’re very on top of that.
Have you ever heard of The Onion Router (Tor)? Have you ever ventured onto the dark web, maybe a forum or a marketplace? Or have you heard of Open-Source Intelligence (OSINT)? Or have you ever been curious to learn more about what it is like to work in cybersecurity?
The American University of Cairo welcomed Richard Hancock from DarkOwl, an experienced cybercrime investigator, to speak on the history and evolution of the darknet, how it is typically accessed, and how the darknet can be used in threat intelligence and cybercrime investigations.
NOTE: Some content has been edited for length and clarity.
Dr. Sherif Aly: It gives me pleasure to introduce Richard Hancock today, who works for DarkOwl. Richard has quite a bit of extensive experience in digital forensics and mining the dark web, if I can say. And it’s a good opportunity to hand it over to you to better introduce yourself and what you do.
Richard Hancock: Absolutely. Thanks a lot, Sherif. Thanks for having me and appreciate you guys taking time out of your day to listen to me speak about the darknet and all the cool things I see on there. So, I work for a company called DarkOwl. What we do is we have a user interface, a searchable user interface, that we give to clients that want to search on the darknet in a safe way.
Going into a little bit about my background before we go into what the darknet is and how to use it for cybercriminal investigations. I have over 7 years’ experience as an open source intelligence investigator. I spent 4 years living in Amman, Jordan and Abu Dhabi as well. So some of the topics that I’ve focused on would be Arabic linguistics, counterterrorism, darknet intelligence, social engineering, and cybercrime.
One of the things I focus on right now, my current job title is Darknet Intelligence Analyst and Sales Engineering Team Lead. It’s a really long title. What my everyday looks like is, I start out my day getting onto various darknet forums and marketplaces and I direct our collections team to collect from the most high value content – usually digital fraud goods, counterfeit items, things that would be of interest to our clients. So spending a lot of time in the darknet, and then also getting on calls and speaking to people to try to get them to pay for our platform. And I also wanted to share some of my other hobbies outside of this work, because it is pretty serious work; you have to make sure that you have fun outside of work. After I lived in the Middle East for several years I returned back to Colorado, where I went to college, and I’m really big into backcountry skiing as well as DJing underground parties and house music.
What is the Darknet?
The surface net is what you guys would be most familiar with; this would be any websites that are indexed by search engines like Google, Bing, etc. The deep net – that’s just a layer further, it’s still the same sites that you’re accessing through those same search engines. However, you need some sort of credentials, username and password, to get on to these sites. It could be Netflix. It could be social media. It could also be some criminal hacking forums that are accessible through the surface net.
The part of the Internet that we really focus on is here in the darknet. So in order to get on the darknet, it’s still technically the same Internet. But you need special software in order to access this hidden layer of the Internet, which is used for anonymous communication, selling drugs, or selling counterfeit items. This is the part of the Internet that we really focus on at DarkOwl.
You primarily access the darknet using all of this software right here. The one that is most popular would be Tor, also known as the onion router. i2p is also popular and the same goes for Zeronet.
The deep net, as I’ve mentioned, is still the same Internet but it’s accessible through search engines like Google and Bing and it can represent social media websites, Netflix, as well as some underground criminal forums that are not darknet specific. That would be like noel.to which is a hacking forum.
However, something that’s really increasing the last several years would be the rise of direct messaging platforms. So criminals are obviously going to be living on the darknet. They’ll be living on the deep web.
But how are they communicating with each other? Are they just using these marketplaces and forums to talk to each other? Not necessarily. An app that we’re seeing really on the rise right now is Telegram. And that’s primarily because it’s really, really easy to use. The cybercriminal ecosystem on Telegram is absolutely massive these days. Whether it’s right wing extremism, Islamic extremism activities, Russia Ukraine and the invasion, misinformation, and people selling Netflix accounts, etc.
History of the Darknet
Let’s talk a little bit about the history of the darknet. When was it created? The Tor browser was created by the Naval Intelligence Unit in the CIA in the United States, back in 2002. It was originally used as a way for agents to communicate with each other in the field, so primarily in places like Iran or Russia. It was just for military intelligence and communication. Since then it has evolved a little bit. It then evolved for agents to use the Tor browser to communicate with their family members, and then the next step was the Tor board of directors allowing public use of the Tor browser for free speech, for activism, for journalism, and then obviously cybercriminal ecosystems quickly grew on here.
So, going into this a little bit further, Bitcoin was created in 2009, and that’s what really facilitated the emergence of the marketplaces and forums, because it allowed people to buy things and make transactions. And in an anonymous way.
The first really big marketplace was the Silk Road. If you guys are familiar with this, you might know the guy, the founder, Ross Ulbricht. There’s a lot of good movies on Netflix, or documentaries that you could probably find on YouTube about this instance. If you’ve not heard of Ross Ulbricht and Silk Road, I highly encourage you to check out that story. It’s quite fascinating. He ended up getting arrested by law enforcement in 2016, which marked the shutdown of the Silk Road. And I actually know some of the people who were involved in that investigation, in the arrest of that individual. As the darknet has continued, we’ve seen an increase of law enforcement presence and the rise of something called honeypots. So that’s when Ross Ulbricht, the Silk Road founder, was arrested. At that point, that is when we really saw an increasing presence of law enforcement on darknet marketplaces, forums, etc. It really started with a lot of American-centric law enforcement presence but quickly expanded to other countries. And I will tell you from personal experience, one of the most savvy NATO countries in terms of darknet investigations would definitely be the German Government. The German Government is very skilled with darknet cybercrime.
2020 marked the twentieth year that the darknet has been around. The future of the darknet is really going to be interesting, because we will always see things like Tor. People will probably stick around. But as I mentioned, we’re really seeing an increasing use of chat applications which are not part of the darknet. But let’s say you’re a ransomware actor – you’re definitely going to be using Telegram just like you would those forums and marketplaces, or in the [.] onion sites where you start, where you actually are hosting corporate leaks, databases, and things like that.
Content in the Darknet
There’s a lot of different things on the darknet. Some things that are really popular in the media about the darknet would be drugs or assassins for hire, and while those things definitely exist on there, it’s not very actionable, especially for the kind of clients that we help in the kind of investigations that I am doing. The primary content that we’re seeing is hacking related. So whether that’s somebody that’s developed an exploit for a specific tool, somebody’s leaked source code for a particular company, or maybe somebody’s sharing leaked databases that contain usernames and passwords associated with like admin credentials for a company.
You know, there’s a lot of different things you can see on there: counterfeit items, passports, pilot certificates, cryptocurrency, fraud, credit card fraud is super widespread. And then, as well, as you know, drugs, weapons, there is quite a bit of child exploitation, child pornography material on the darknet as well. Unfortunately.
So pointing out some more additional examples and some of the things that we are able to collect when we’re crawling from the darknet:
So when we’re crawling information from the darknet, we’re not scraping pictures like this [see image above]. We’re just scraping the raw text. In this specific example, we’re seeing somebody who’s hosted this information on a [.] onion site. I’m not sure how serious this threat was, but they were claiming to be targeting Donald Trump and Mike Pence for an assassination, and they actually included a QR code with a Bitcoin wallet address, and we were able to track that wallet. This is the kind of information that investigators use within our platform and our data to pull on strings and investigate individuals further, because if you’re able to identify a Bitcoin wallet with an individual on the darknet you can search upon that Bitcoin wallet and see where else they might be using it, maybe on Telegram, a marketplace or a forum. As I mentioned, there’s a lot of counterfeit documents being sold on the darknet. During Covid we saw a lot of Covid scams, tons of counterfeit, fake covid documents, vaccinations cards, as well as we see passports, drivers licenses, certificates and other things as well.
I did mention that there is extremism presence in the darknet. When ISIS was starting in 2014, they actually did have quite a big presence on an onion site. However, today we’re not seeing a very big presence of Islamic terrorists, Islamic extremist groups on the darknet itself. However, we do see quite a bit on Telegram. So this specific shot is from a group known as Jerusalem Electronic Army, which is loosely affiliated with some Hamas cybergroups. And this is issuing out a target for a water sanitation facility in Israel. And these kinds of attacks, cyberactors targeting industrial control systems for critical infrastructure, is definitely something that’s on the rise. We’ve seen that in Russia, Ukraine. We’ve seen it within the United States, and I can tell you from a Federal government level within the United States, we’re putting a lot of money and effort into building coalitions between agencies to monitor these types of things. Sometimes here at DarkOwl, we actually get agents who ask us specific questions about threats to critical infrastructure. So it’s something that’s on the minds of a lot of people these days. As I also mentioned, drugs are really big on the darknet, going back all the way to the beginning of the Silk Road. That’s what it was primarily used for. I would say, again, it’s probably not the most popular part of the darknet these days. Like I said, it’s going to be that hacking information – basically selling data on individuals and corporations.
This specific screenshot is showing AlphaBay Market, which is a really popular market that had temporarily gone offline after a law enforcement seizure, and then did come back online in 2021. This is something that we’ve seen quite a bit in the last 2 years. I know recently 2 marketplaces that have been shut down: Genesis as well as Monopoly market.
Something that a lot of people in my industry are very skeptical of is when a marketplace is offline by law enforcement seizure, whether it’s Interpol or the United Nations, Drug Enforcement, or whatever it is, if that marketplace or forum returns, at a certain point we pretty much consider that to be co-opted by law enforcement. So probably the admin of that site has been arrested, and maybe they’re using that admin for their skills and things like that. But they’re continuing the existence of that market or forum for the primary purpose of collecting information on individuals and surveillance.
I also mentioned credit card fraud, which is really widespread on the darknet. There’s just huge databases out there that people can easily pay for, that include, credit card numbers, bin numbers, as well as the personal identity, the PII, associated with the individuals bank account information. So that’s really widespread in the darknet as well as people who are selling methodologies to target specific banks. Maybe it’s check fraud, wire fraud, all different types of fraud. It’s really widespread not just to sell access to somebody’s credit card information, but actually to sell access to information, how to commit fraud against a bank or a credit card company.
Right here is an example of telecommunications fraud.
This specific example looks like spoof calling in India. This is absolutely widespread. Any company that has a large mobile application user base, so whether that’s Coinbase, Netflix and those kind of companies, are going to be targeted for fraud the most on the darknet. It’s actually, it’s pretty funny. And a lot of the investigations that we’re going through, from a government level, people are always asking about sophisticated nation state actors. But I’ll tell you, the people that I interact with the most on the darknet are really eager, like 15 to 17 year olds that are trying to become hackers. And for a long time people weren’t taking these individuals seriously because they’re like, how seriously can you take a teenager? Well, I can tell you that most of the fraud of those companies I just mentioned, UberEats and Netflix, etc – that type of fraud is usually perpetrated by teenagers, and it’s quite often these days when their parents aren’t home, a 15 year old, hanging out with their buddies Friday night, rather than you know, maybe 10 years ago, trying to take money from their parents’ purse, they’ll actually try to steal somebody’s Pizza Hut account on Telegram and get free pizza for the night. So kind of funny, the world that we’re living in today.
So different types of cryptocurrency used on the darknet.
If you want to purchase something in the darknet, be it a legal or illegal item, cryptocurrency is how you purchase that item anonymously. These 6 cryptocurrencies that are most used are: Bitcoin, Monero, ethereum, Zcash, Dash, and litecoin. There are others, for sure, and you will actually see on one of the emerging dark parts of the darknet called Loki – they’ve actually created their own cryptocurrency within their network, which is pretty sweet. Cryptocurrency is the primary vehicle for illegal transactions on the darknet, and as I mentioned, monitoring cryptocurrency and wallet address activity is a really good way to monitor cybercriminal activity. And when we’re dealing with law enforcement, this is one of the primary vectors in the primary information that they’re searching within our platform.
How do we get to the Darknet?
I had mentioned Tor, the onion router. This is the primary way people get to the darknet and as I mentioned, it was created all the way back in 2002 – I’m sure it looked a little bit different. When you do get on the darknet, you can enter addresses above in the search bar, or you can search for DuckGo. But the thing that you guys need to understand about the darknet is this is a community and you can only find information if you become an active member of the community. So what I’m trying to say is, if you want to search in that search bar, show me the top 10 criminal marketplaces – you’re just not going to get anywhere. If you’re a new threat actor, you’ll start on one site and that’s called Dread. Dread is the reddit equivalent of the darknet. It’s a great place for young hackers to start their journey and to find links to different marketplaces and forums and basically to interact with users who might be vendors selling illegal items on those forums.
Dread is kind of the starting point if you will. But you need to know what the URL is for that; there might be a way you can use some open source, Google dorking technique on Google to find some links for that. But it’s really a need to know. And yeah, as you find more and more links, you get deeper and deeper into these communities.
There are other ways to get to the darknet. It is really popular; this actually re-surged in popularity since the Russian invasion of Ukraine. So there’s a huge, heavy Russian language, cyberactor presence on this site. It’s a lot more difficult to set up than Tor. If you want to set up the Tor browser, you really just need to have a pretty basic understanding of setting up virtual machines, manually configuring proxies and downloading the Tor browser, and using burner numbers and things like that. But I2P is a bit more technical in terms of setting up the server. And it’s something that I’m actually trying to learn more about this year, because it’s a part of the darknet that’s been growing recently, especially with the Russian cyber threat actor community.
There are other ways to get there. There’s a lot of different ways to access the darknet. The one I primarily use is gonna always be Tor but also ZeroNet and FreeNet. What you need to know is the darknet’s evolving and changing constantly. I keep mentioning Loki, and that’s because it’s quite interesting, because they have their own cryptocurrency known as Oxen.
How is Darknet Data used in Cyber Investigations?
So darknet intelligence is just one component of open source intelligence. Open source intelligence – there’s social media intelligence, there’s private intelligence. There’s a lot of different kinds of intelligence data feeds that investigators use to conduct investigations. Darknet data is really useful to add into the full spectrum of sources that you’re using. So you can make informed, strategic decisions, right? So if somebody’s looking at somebody’s username on the clearnet, maybe on a social media website, maybe they’re using a similar username on a darknet forum or some other tools.
If you guys are interested in open source search techniques, Michael Bazzell’s book right here. This guy is awesome. He is really, really, really knowledgeable and he’s got the most extensive book for all the different types of open source intelligence searching techniques. If you guys are interested in this stuff, I highly encourage you to check him out.
And here’s a quick example of basically what I was explaining; searching a username on Google and then eventually leading out to darknet forums. So in this specific example, we found somebody had asked us about an individual who goes by the name of Ninja Shopper. So we first search that on Google and find a YouTube page. And then we were able to find actually a Discord server where this individual has a presence as well as another alias. We found this guy and his sunglasses over here, and his long beard – looks like a pretty typical sitting-behind-the-computer threat actor. We were then able to find a Github account, which gave us more information, which eventually led us to this male avatar with unique sunglasses, and then searching for this username, these 3 usernames, I should say, we were able to find this individual’s presence on darknet forums like RaidForums. Some personal information was leaked on RaidForums. So this is just showing you that these are the kinds of investigations that we’re doing all day. Some of the other illegal activity you’ll see out there is cyber espionage, threats to public officials, child abuse materials, wildlife trafficking, domestic extremism, drug trafficking, threats against critical infrastructure, credit card fraud, telecommunications fraud, counterfeit documents, malware, and a lot more.
Interested in learning how DarkOwl can help with your darknet investigations? Contact us.
While the darknet is comprised of many different hidden networks, The Onion Router (Tor) is by far the most popular and well recognized. In 2006, when the US Naval Research Laboratories handed over Tor to a group of volunteers at the Tor Project, the network’s purpose was to provide a decentralized, censorship resistant platform for users to communicate and share information.
The Tor platform quickly became a haven for criminal activity, facilitating anonymous communication across underground digital communities and forums, elaborate drug marketplaces, child pornography and human trafficking. Consequently, de-anonymizing onion services hosting criminal content has been a focus of many three-letter government and law-enforcement agencies around the world. Academic researchers and computer network science experts have received numerous grants and government funding to extensively study de-anonymization attack methodologies and have subsequently published numerous journal articles on the subject, a number of which are cited here.
Over the years, DarkOwl has witnessed successful de-anonymization through various techniques including rendezvous point circuits (a.k.a. the cookie attack), time-correlation attacks, distributed denial of service attacks (a.k.a. the sniper attack), which often force a criminal onion service onto a LE-controlled guard node, and circuit fingerprinting attacks.
While the Tor platform was built to offer a solution to individuals trying to avoid government surveillance and censorship, Tor has also allowed for dark websites with illegal content to flourish. The availability of private browsing networks such as Tor gave rise to other dark websites, communities, and forums. In recent years, the communities who use these technologies have increasingly overlapped with users of dark web adjacent tools that more closely resemble instant messaging platforms, such as Telegram and Discord. For this reason, DarkOwl does not limit their darknet collections to onion sites, but also aggregates data from other technologies such as ZeroNet, I2P, and transient surface-web paste sites.
Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
1. Car pentesting growing in importance as autos become more connected – IT Brew
The world is becoming more and more tech-centric, and that includes the automotive industry. This shift in car technology demands that cars become more secure, in the tech and cyber sense. This article highlights the importance of penetration testing (pentesting) for electronic control units (ECUs) to secure them against hackers. Read full article.
2. Swiss government warns of ongoing DDoS attacks, data leak – BleepingComputer
On June 12, the Swiss government announced that one of their IT suppliers had been a victim of a ransomware attack and that their data may have been impacted. They then warned that they are now a target of DDoS attacks. These attacks highlight the complex third-party environments almost all organizations and government entities face. Read more.
3. EncroChat takedown led to 6,500 arrests and $979 million seized – BleepingComputer
Last week, Europol announced that they had arrested over 6,600 people and seized $979 million in illicit funds. This came after the takedown of the EncroChat encrypted mobile communications platform. Learn more.
4. APT37 hackers deploy new FadeStealer eavesdropping malware – BleepingComputer
APT37, also known as ScarCruft, Reaper, or RedEyes, is a state-sponsored North Korean hacking group that has a history of cyber espionage attacking North Korean defectors, educational institutions and EU-based organizations that do not align with the North Korean government’s interests. They are believed to be using a new “FadeStealer” information-stealing malware which has a “wiretapping” feature. This feature allows them to listen to and record from their victims’ microphones. Read full article.
5. New ‘PowerDrop’ PowerShell malware targets U.S. aerospace industry – BleepingComputer
Adlumin discovered a new PowerShell malware script named “PowerDrop.” It was discovered being used in attacks against the U.S. aerospace defense industry, when a sample of the malware was found in a U.S. defense contractor’s network. Read more.
6. Chinese Hacker Group ‘Flea’ Targets American Ministries with Graphican Backdoor – The Hacker News
A Chinese state-sponsored actor, Flea (also known as APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda), has been targeting foreign affairs ministries in the Americas from late 2022 into early 2023. The group is linked to cyberattacks targeting governments, diplomatic missions and embassies since at least 2004. Read full article.
7. SmokeLoader Malware Adopts New Tactics, Raises Serious Security Concerns – The Cyber Express
At the beginning of June, the Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a new cyberattack campaign named UAC-0006 that involved distributing SmokeLoader malware, using compromised email accounts and multiple delivery methods. This attack is a sign of TTP changes and expansion. Read more.
Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.
Using DarkOwl Vision, DarkOwl analysts have been monitoring activity related to the Killnet group and identified threats made in the past week relating to the European financial system. As part of this analysis, DarkOwl analysts have identified a link between Killnet and the group Anonymous Sudan.
The First Telegram Post
A post appeared on Telegram on June 15th from the Russian news site Mash which indicated that the threat actor groups REvil, Killnet and Anonymous Sudan were combining in order to mount an attack against European financial institutions. The Mash article was re-posted on both the Anonymous Sudan Telegram channel and the Killnet channel.
The original posts indicated that attacks against the European financial institutions would begin 48 hours from the news article.
No clear indication has been provided of what the nature of the attacks would be, but Killnet has historically been responsible for DDoS attacks (Distributed Denial of Service attacks): malicious attacks on a network that are executed by flooding a server with useless network traffic, which exploits the limits of TCP/IP protocols and renders the network inaccessible. Most of the posts that have been made have also been posted on the channels of both Killnet and Anonymous Sudan, indicating that there is some collaboration between the admins of these channels.
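The volumetric pattern described above (one source flooding a server with far more requests than a real client would send) is visible in ordinary web-server logs. As an added example that is not DarkOwl's code and not part of the original post, the Python below parses combined-format access-log lines and flags any source IP that exceeds a request threshold within a sliding time window. The log lines, IP addresses, window length and threshold are all constructed assumptions for illustration.

```python
"""Sliding-window request-rate detector for web-server access logs.

Added example (not DarkOwl's code). Flags source IPs whose request count
inside a sliding window exceeds a threshold, the signature of a volumetric
HTTP flood against a public website. Log lines, IPs, window and threshold
below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format line: ip ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def detect_floods(lines, window_seconds=10, threshold=50):
    """Return {ip: peak_requests_in_window} for IPs that exceed the threshold.

    Lines are assumed to be in time order per source IP (the normal case for
    an access log). A per-IP deque holds timestamps inside the current window;
    older entries are evicted as the window slides forward.
    """
    windows = defaultdict(deque)
    offenders = {}
    span = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the pipeline
        ip, ts, _, _ = parsed
        q = windows[ip]
        q.append(ts)
        while q and (ts - q[0]) > span:
            q.popleft()
        if len(q) > threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def _fmt(ts, ip, req, status):
    """Render one constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 512'


def build_sample_log():
    """Constructed sample: two benign clients plus one flooding source."""
    base = datetime(2023, 6, 19, 10, 0, 0, tzinfo=timezone.utc)
    entries = []
    # Benign clients (documentation-range IPs): one request every 3 seconds.
    for i in range(20):
        ts = base + timedelta(seconds=3 * i)
        entries.append((ts, _fmt(ts, "198.51.100.4", "GET /about HTTP/1.1", 200)))
        entries.append((ts, _fmt(ts, "198.51.100.9", "GET /news HTTP/1.1", 200)))
    # Flooding source: 120 requests in 8 seconds, server answering 503.
    for i in range(120):
        ts = base + timedelta(seconds=i // 15)
        entries.append((ts, _fmt(ts, "203.0.113.7", "GET / HTTP/1.1", 503)))
    entries.sort(key=lambda e: e[0])  # interleave as a real log would
    return "\n".join(line for _, line in entries)


if __name__ == "__main__":
    for ip, peak in detect_floods(build_sample_log().splitlines()).items():
        print(f"{ip}: {peak} requests within a 10 s window")
```

In practice the threshold depends on the site's normal traffic profile, and a real flood usually arrives from many sources at once, so the same per-IP counting is worth repeating per /24 or per autonomous system; the window logic does not change.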
A new Telegram channel was set up purporting to be from the group REvil. This channel welcomed Killnet and also posted a poll for followers of the channel to vote on which financial system in Europe they would like to be targeted. Other than an image of cryptocurrency, nothing else has been posted on this channel to date.
Who is REvil?
REvil is a group that conducted ransomware attacks and was assessed to be based in Russia. The group was successful in targeting a number of corporate organizations including Apple, JBS and Colonial Pipeline. In 2021 the group appeared to be disbanded by joint law enforcement actions and their infrastructure was dismantled. It is unclear if the actors reported to be part of this action were previous members of the REvil group or if they are using their name due to their notoriety.
While there has been some reposting of REvil posts on the Killnet and Anonymous Sudan channels, the REvil channel has not reposted anything from the other groups. Furthermore, in later posts by Killnet and Anonymous Sudan, REvil is not mentioned, which may indicate they are less involved in the activity.
Anonymous Sudan and Killnet Acting Together
On June 16th, both Anonymous Sudan and Killnet posted a message suggesting that there were issues with the IBAN banking system. No reporting was identified that indicated that this was the case. The below screenshot is from DarkOwl Vision.
On June 19th, Anonymous Sudan made a post, provided in both Arabic and English, indicating that an attack was imminent, that the reported timeframe had come from the media, and that the timeframe referred to when their attacks would take place, not when the results would be evident.
On June 19th, Killnet claimed that they had attacked the European Investment Bank. They provided a post indicating that the attack against the European banking system had begun and provided a screenshot from Wikipedia giving details of the European Investment Bank. The message was signed by both Killnet and Anonymous Sudan.
The channel then provided posts which appeared to show that there was an error on a European Investment Bank page.
They then reposted another article from the Mash Telegram channel which indicated the European Investment Bank was being targeted by Russian cyber criminals. This included images from the Telegraph, a UK newspaper, and a tweet by the European Investment Bank indicating that they were a victim of a cyberattack. Open-source reporting indicates that the cyberattack was affecting the availability of some of the bank’s websites.
The attack on the European Investment Bank appears to have only affected their websites and is likely a DDoS attack. This is activity both Killnet and Anonymous Sudan have conducted in the past, and it is unclear if they have other capabilities that they will utilize. It is possible that the groups were utilizing the name of REvil to suggest they had further capabilities given that group’s previous reputation, but there is no data to support this at this time.
In a post on June 21, Killnet claimed that the International Finance Corporation (IFC) had been taken down.
[TRANSLATED IMAGE]
Goodbye 🤚
Unfortunately, the IFC is no longer working, we ask all partners and staff of the Bank’s organization to go #uy 🖕
The International Finance Corporation (IFC; English International Finance Corporation, English IFC) is an international financial institution that is part of the World Bank. The headquarters of the organization is located in Washington (USA, 2121 Pennsylvania Ave NW, DC 20433).
No evidence was provided to confirm this attack and no reporting has been identified to indicate that the IFC has been successfully targeted.
Other posts on the Telegram channels target other organizations, repost from other sources, or request that donations be made.
Conclusion
While these groups have claimed that they will bring down the European financial system, there is little evidence to suggest that they are following through with the threat. Furthermore, the capabilities that these groups have historically utilized suggest that any attacks which take place are likely to be DDoS attacks. DarkOwl will continue to monitor for any further activity.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.