This year, International Peace Day comes amidst a global cyberwar that arguably began (but has demonstrably escalated) with the Russian invasion of Ukraine. When considering the notion of peace, especially during this time of heightened combativeness, we turned to one of our darknet analysts. In return, they offered their first-hand perspective and candid thoughts on the notion of a peaceful cyberspace.
Peace in the Midst of a Cyberwar: Perspectives from a Darknet Analyst
In my opinion, the concept of a ‘peaceful darknet’ is a complete oxymoron. There have been brief moments when I’ve experienced something close to peace on the darknet, such as when I connect with various underground communities and established trust groups. I log in to the community, check the channel nicks to see who else is online, and direct message or send a quick jabber message to the online “friends” I’ve established after years of moving in and out of these communities. There are moments of contentment after a friend shares an update on their dad’s recovery from a recent surgery, and we relate about videos we’ve both watched on YouTube.
But, is it peaceful? Hardly. There’s a cloud of anxiety. At any point in time, the server our community connects to might be hit with a heavy DDoS attack from ‘skids’ or a rival darknet community. You never know when a guest account will connect and immediately flood fill the chat with hateful and explicit messages.
I look at the clock. Around this time most nights, a former member and now banned user connects to the server and there’s immediate drama between them and the chat’s moderators and staff. The user claims he’s got proof that one of the staff is a pedophile. They’re kicked out and the channel/room is locked. Another member posts a funny meme. Another asks for help using Mimikatz. Just another typical night in the darknet.
Before Ukrainian Invasion: Brewings of a Cyberwar
Months before the Russians physically invaded Ukraine, resulting in the formation of the IT Army of Ukraine and the hacking collective Anonymous launching its infamous cyber campaign #opRussia against Putin and Russia-aligned threat actors, members of the elite GRU were busy covertly carrying out many a pre-invasion operational cyber campaign, probing networks and accessing sensitive Ukrainian networks.
Millions of Ukraine’s citizens’ personal data had already surfaced and were in circulation across the darknet. Russian trolls on darknet forums and Telegram channels taunted the West and Ukraine, with posts about everything from Hunter Biden’s laptop to a weak NATO; some hinted at how quickly Kyiv would collapse after an invasion. Western news media started reporting on troop build-ups along Ukraine’s borders in Belarus and Russia.
Then, the Kremlin announced their recognition of the Luhansk and Donetsk People’s Republics (LPR/DPR). Less than a week later Putin ordered commencement of his “special military operation.”
After February 24th 2022, everything changed: both in real life and virtually. Darknet dynamics completely shifted. Cybercriminal groups and ransomware gangs split down the middle – those supporting Ukraine and those supporting the Kremlin. Many Ukrainian-based darknet users, including an online ‘friend’ prominent in the darknet carding community, disappeared after deploying with the military to fight for their country’s freedom. Hundreds of Russian and Ukrainian Telegram channels emerged with videos from the front lines. Social media channels posted videos of cruise missiles hitting centuries-old buildings in Kharkiv. Apartments and residential buildings were completely decimated along with the people and memories in them.
War Launches a Frenzy of Darknet Activity
Every few hours I discover another leak URL that has emerged from a victim in Ukraine or Russia. I annotate the details to a database of Ukraine-Russian cyberwar leaks I started within the first 36 hours of the invasion. I proliferate the IP addresses of new targets issued by the Minister of Digital Transformation of Ukraine and load another Tor URL that has mysteriously disappeared.
A DarkOwl Vision monitor I created for a client – months before the invasion – alerts me that the company’s web domain has been mentioned by Russian threat actors on Telegram. Attacks against US companies and NATO entities start to mix into the now daily exhaustive list of on-going cyber activity. New threat actor groups announce their formation every other day. ATW? nb65?! KILLNET…. I begin to ponder how this cyber chaos can possibly result in any form of success for Ukraine. Members of Anonymous and various ‘collectives’ around the globe invariably clash attacking the same digital targets.
My sleep in those early weeks consisted of brief 2-hour naps only after caffeine was no longer effective and I could barely keep my eyes open. My dreams were haunted by the sound of the sirens I had heard repeatedly in videos coming out of Kyiv on Telegram and the images of decaying soldiers’ bodies on a channel dedicated to helping survivors identify their lost loved ones. I’m millions of miles from the epicenter; yet, I’m still affected by what I’ve virtually witnessed.
Fast Forward Seven Months
The IT Army of Ukraine has grown to a force of nearly half a million hacktivists. The cyberwar leaks database is terabytes in size. The CONTI ransomware gang passes the ransomware baton to LockBit, shifting from ransomware to nation-state operations. A ransomware group seems to surface every week announcing dozens of global commercial victims – many of them small businesses that struggle to survive such an attack.
Zero days and exploits used against Russian government and commercial entities have become increasingly sophisticated with attacks against critical infrastructure becoming the standard. Anonymous’ operational cyber cells are now run with shocking efficiency and effectiveness and the cyber battlefield is either less chaotic or I’ve become more tolerant and accepting of the chaos.
Pro-Russian disinformation networks across social media and the digital underground are operating at full capacity. On the surface, the Ukrainian military has successfully pushed the Russians back over 6,000 square kilometers in eastern Ukraine, liberated dozens of towns and villages with their counteroffensive against Russia, and another Russian oil executive has mysteriously fallen out of a window in Moscow. It’s nearing the end of summer. I visit a local farmer’s market only to overhear a random 60-something-year-old woman at a stall arrogantly declare, “President Putin is simply trying to dismantle the global cabal and de-nazify Ukraine”. I take a deep breath and slowly walk back to my car, suddenly no longer interested in buying any local produce.
I return to my home office to find a request for technical information related to recent cyber-attacks in China and Taiwan in my inbox. I suddenly realize that this is never going to end. China could very well invade the island of Taiwan by the end of the year and trigger yet another round of global cyber initiatives and operational campaigns.
The cyberwar is no longer simply between those who support Ukraine and those who do not. The cyberwar is simply a virtual reflection of the pure lack of peace we have within ourselves as individuals, societies, and nations. Peace in Ukraine will in no way result in peace on the darknet nor stop your neighbor down the street from spewing the propaganda they’ve been fed and now believes in their heart.
I disconnect the wi-fi, shut off my computer, crawl into bed in the middle of a Saturday afternoon, and for the first time in seven months, sleep peacefully.
The above account came from one of our DarkOwl analysts, who are trained to routinely immerse themselves in the darknet space. Their work supports our product collection efforts and helps our clients understand data and intelligence from the darknet. For questions about how our analysts support customers, thought leadership, and data collection efforts, contact us.
Earlier this month, DarkOwl participated in the well-regarded law enforcement conference: ISS World Asia. The annual, training-oriented event describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence.”
Representing DarkOwl was David Alley, CEO of DarkOwl FZE based in Dubai, and Richard Hancock, Darknet Intelligence Analyst based out of DarkOwl’s headquarters in Denver.
“We find ISS World events to be incredibly helpful in bridging the gap between national security agencies and the OSINT vendor community,” shared David. He also noted a common thread in his conversations with investigators: the need for safe, effective, ethical, and high-quality dark web OSINT tools.
While at ISSW in Singapore, the DarkOwl team hosted a seminar on Darknet Intelligence Discovery and Collection. The goal of this session was to further educate the international intelligence community on how threat actors on the darknet are evolving in their use of new tools and methodologies.
Later in the week, David Alley of DarkOwl FZE delivered a presentation with representatives from Social Links, one of DarkOwl’s partners and a leading provider of OSINT technologies.
The session, Countering Illegal Trade on Darknet Marketplaces, was offered as part of one of ISS World Asia’s closed track programs, available only to Law Enforcement, Public Safety and Government Intelligence Community Attendees.
The collaborative presentation focused on what the current dark web marketplace landscape looks like, and explored methods for counteracting illegal cyber trading. The discussion was further supported with demonstrations on how investigators can expose criminal and terrorist cryptocurrency activity on the darknet by using a platform that has been enriched with DarkOwl data.
Per our partners Social Links, this session showed how “through advanced data extraction and analysis, investigators can break through the perceived anonymity of the Dark Web and crypto transactions to identify criminal actors.”
DarkOwl looks forward to continuing its presence at ISS World events as part of our ongoing initiative to support the global law enforcement community in their efforts to police illegal and nefarious activity on the darknet.
Upcoming research from DarkOwl reveals an alarming number of threats on the darknet and deep web that could effectively target and compromise critical infrastructure.
For the past several months, DarkOwl analysts have been monitoring for and documenting instances on the darknet that could be threatening to Industrial Control Systems (ICS) and their adjacent Operational Technology (OT). These two categories of systems govern almost everything societies rely on in the modern age. Critical infrastructure such as manufacturing facilities, water treatment plants, mass transportation, electrical grids, and gas and oil refineries all rely on some aspect of ICS/OT in their industrial processes.
In doing so, DarkOwl’s analysts found a significant number of instances in which attacks or attack vectors that could directly affect these critical industries were being actively discussed or circulated on the darknet. The research will be published in an upcoming whitepaper, Industrial Control Systems (ICS) & Operational Technology (OT) Threats on the Darknet.
The full extent of this research will be published Tuesday, September 13 and will cover how critical infrastructure is being targeted on the digital underground.
Abstract
Industrial Control Systems (ICS) & Operational Technology (OT) Threats on the Darknet
In recent years, especially in the world of ransomware and extortion-as-a-service crime – which is highly prevalent on the darknet – the information security community and major security operations centers have been centrally focused on securing sensitive organizational ‘data’ and intellectual property, with concerted attempts to mitigate network attacks and remediate the effects of one leak after another emerging on the darknet and across underground criminal communities.
ICS/OT security involves protecting the critical ‘processes’ needed in critical infrastructure and manufacturing facilities and is less concerned with data loss. The effects of ICS/OT attacks, especially those that target unencrypted serial communication protocols, do not manifest as simple domain network and email connectivity issues. A successful ICS/OT attack transcends the cyber realm and can result in the physical destruction of devices, kinetic explosions, and even the potential loss of human life.
In this darknet research investigation, the analysts at DarkOwl review the threats discussed and circulated on the darknet related to ICS/OT and exploits designed to compromise Supervisory Control And Data Acquisition (SCADA) panels. The research highlights initial points of compromise and data brokers in unauthorized network access, the reconnaissance utilities employed by threat actors to surface critical infrastructure system vulnerabilities, and the real dangers presented by the industry’s reliance on insecure IEC protocols.
To receive a copy of this research as soon as it goes live on September 13, drop your email below:
DarkOwl CEO Mark Turnage and Symbol Security Co-Founder and President Craig Sandman discuss the darknet, key elements of cyber surveillance utilizing darknet intelligence, their partnership, and why darknet data is an essential part of Cybersecurity programs in the SMB market.
For those who would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Mark: Let me talk a little bit about DarkOwl. We’re a company that’s about five years old based in Denver, Colorado. We specialize in collecting, aggregating, indexing, and supplying data from the darknet. And we’re very specialized and focused just on the darknet. There are other companies, there are other threat intelligence companies that provide other types of data. But our specific expertise is simply in the darknet. We’re very proud of the fact that we have more female employees in the business than most tech companies do, I think we’re just under 30% right now. In the past, we’ve been as high as 40%, and we’re very proud of that fact.
But to the point of darknet we have built over the 4 or 5 years of the company’s existence, we built what we believe is the largest darknet database in the world. And let’s just talk a bit about what I call definitional ambiguities. What is the darknet? What is the deep web? The surface web is what everybody sees as the top of that iceberg on the right. That’s where we spend all our time. It’s accessible by Google. You can get information and that’s where the vast majority of the world spends most of its time on the web. The deep web is authenticated websites. So, for example, your bank account information – Mark Turnage cannot get to your bank account information from my browser. I might be able to get to your bank’s sign in page, but I can’t get to your information because I lack the authentication and the credentials to get there. Ironically, that’s where the bulk of all the data that is held on the internet is actually stored.
Where we specialize is in the darknet. These are anonymized networks that reside below the level of the surface sites, surface web and the deep web. And they generally require specialized browsers to get access to. And it generally requires some type of specialized knowledge, although not in all cases. If you look at this slide, what we’re talking about is at the bottom of that slide, Tor, I2P, ZeroNet, other new darknets that have been created, these are darknets where DarkOwl is on a daily basis collecting data and supplying that data to our partners and now including Symbol. And that data is full of information that is relevant to measuring the risk of organizations and understanding the risk and addressing that risk.
We also do collect data and supply it from certain high risk surface websites, pay sites, and some discussion boards, as well as some deep websites, some underground criminal forums and so on. All of that we describe as the darknet database. And again, we’re collecting it so that organizations can understand what data of theirs is in the darknet, what exposure they have in the darknet.
Kathy: Mark, real quick – a couple of questions have come in on that last slide that you just shared. The first one is “How big is the darknet?”
Mark: That is a really good question and nobody particularly knows the answer. When we started collecting data from the darknet, the darknet was Tor, the Tor network. There are now probably half a dozen darknets that exist and we collect data, as this slide shows from it, and Zeronet. We’re moving into other darknets as well. But there is no easy way to measure the darknet. And the simple reason for that is that the darknet is generally distributed around the world. The Tor network is a network of between 15,000 and 20,000 servers around the world that serve that. There’s no easy way to measure it. But to give you a sense, DarkOwl collects data from somewhere between 25,000 and 30,000 darknet sites a day. That’s before you get to the high-risk surface websites and the deep websites. So that’s a lot of data. These darknets are growing and usage on these darknets is growing great.
Kathy: And there’s also a question as to “How do you know when a company is being targeted on the dark web?”
Mark: Well, generally indicators of the fact that a company is being targeted in the darknet show up. Either the company is mentioned by name or their IP range, it shows up in a targeting website, let’s say a hacker forum where somebody says, here are some IP ranges where I’ve discovered certain vulnerabilities, or I’m selling access to this company’s server network. Or you will see things like credentials and passwords for sale for individual companies that allow hackers or ransomware actors or other actors to drive straight into the network and be inside the network. So there are lots of indicators of risk of companies that show up in the darknet. Using our database and using Symbol’s database, you can search for those indicators of risk that may exist with respect to your individual organization.
Mark: I’m going to finish on this slide I mentioned earlier. We’ve built what we think is the world’s largest database of darknet content. This gives you a sense of some of the locations that we collect from: Telegram, I2P, Tor, ZeroNet, pay sites, and so on. And it will give you a sense of just what we’ve indexed in the last 24 hours. The slide shows 8.4 million documents have been indexed into our database in the last 24 hours. If you look along the bottom, it will give you a sense of what we have collected over the years of our existence. We have somewhere north of 8 billion email addresses in our database. We have somewhere north of a billion IP addresses, 9 million credit cards, 236,000,000 crypto addresses. That gives you a scale and sense of the scale of what exists in the darknet and exists by virtue of having access to our platform.
We provide that data a number of different ways and are delighted to partner with Symbol and now I’m going to turn it over to Craig.
Craig: Great. Thanks, Mark. Appreciate it. Great job. Mark did a great overview of darknet, deep web and the surface web. Certainly it’s a squirrel space and a big space. So let me tell you a little bit about Symbol Security and we’ll kind of pull into this how we managed to get together with DarkOwl and deliver some of these darknet cyber surveillance services to the SMB market.
Symbol Security is a provider of predominantly security awareness training services. As you probably know, security awareness training is something that’s been hot in terms of a way to address and mitigate the attacks of cybercrime and it’s also in regulated environments. And we’re talking now close to 800-850 regulations, laws and other statutes that require businesses show evidence of security awareness training. So it’s becoming a nonstarter for businesses, even if you didn’t feel like it was a good use of your time or argued the fact that it made your company safer or not. Independent of that, it’s a requirement in so many regulations, it’s becoming a nonstarter.
One of the things we do a little bit differently than most companies is we deliver a managed program. So a lot of the security training services and the implementation falls down in just that, in the implementation of it. So they may buy the software, but do they actually properly implement or even get to implement the service? We know how things go in the small to mid-size business. Everybody’s 150% subscribed in terms of their time and it’s difficult to execute on everything you have to do. So things fall to the bottom of the list. One of the things that typically will fall to the bottom of the list is security awareness training. We look at security awareness training and security awareness as targeting human risk. So how do we identify human risk and how do we mitigate human risk? Through education. We do more than just training videos and phishing simulations. We look at email and domain threats. So email threats would be breach alerts and things like that. Is your email address compromised in any way? Domain threats look at the potential of doppelganger and lookalike domains being manipulated and used potentially against you, just helping give access and visibility to your threat envelope.
From a training perspective, we have really great trainings, very good simulations, and we make things quite easy because we’re typically focusing on the SMB market and through SMB distribution points like managed service providers and managed security service providers. And we’ve added cyber threat surveillance now to this platform into the bundle. And I’ll talk about why in a moment, but it plays into the extension of threat awareness for the individual and for the small business that’s how and why we’ve tied it in.
And we’ll talk now about what cyber threat surveillance is to us and to the SMB market space. So essentially, as Mark indicated, there’s a lot of different things that you can pick up on the darknet and on the deep web that are very valuable in terms of being proactive in your cyber awareness strategy. So reactive would be we’ve seen a breach alert for a particular email address. Now we go in and change username and password so it can’t be further manipulated, but the breach has already happened. We’re reacting in that case and there’s other instances where we’re simply reacting to things that have already happened.
We’re flipping a script here and allowing for darknet visibility and deep web visibility to provide proactive awareness. So when might things begin to look strange or suspicious that we need to act on, rather than we already know there’s a problem? We’ve probably already been hacked or attempted to have been hacked, and now we’re going to mitigate post that event. The concept of brand protection falls in there if there’s potential issues in and around your brand or people are slandering your brand or lining up your brand for an attack or any kind of negative event. VIP email monitoring we talk about a lot as well. So if you have individuals that are perhaps tightly associated with your brand, obviously any kind of reputational damage, there could be a cyber issue or a damaging issue for your organization. And then monitoring chat rooms. And just as part of the entirety of the deep and dark web chat room, visibility is included in there, as well as looking over products and domains. So those are also places where organizations want to protect their assets. What we’ve done here is taken a service and a feed that is typically consumed by government entities, large agencies and Fortune 100 companies, and we boiled it down to a simplified package so that the SMB can consume it.
That’s what was missing before. Right. We have incredible service provider in DarkOwl and some really great layers around that the entities in the market use in order to consume this data. But when it gets to the SMB, it’s too complicated and or too expensive for most budgets. So that’s really what we need when we say SMB packaged. And as part of that, we’ve broken it down into really keyword and email monitoring and we’ve integrated it into our cyber awareness reporting for the small to medium business.
Kathy: “Don’t threat actors only come after large companies? And what is the top cybercrime for small businesses of under 50 employees?”
Craig: First question, definitely a misnomer in that cybercrime happens most often with large businesses. It’s equally prevalent in small businesses. Obviously, big businesses might offer a bigger return from a cybercrime business perspective. But at the same time, the small businesses are generally less able to defend themselves and so they become quick hits. And if cybercriminals can get a 10,000, 20,000, 50,000 dollar return on investment for a crime, they’ll do it. And so there’s case after case after case of small businesses getting swindled out of 10,000, 50,000, $100,000 at a time through direct targeted cybercriminal attempts.
The second question was what is the top cybercrime that small businesses under 50 employees face. Cybercrime can be broken into many different buckets, probably not too surprising. The execution is typically ransomware that finds its way into all business sizes. How it gets in there is sometimes varied. So we focus a lot on phishing training and sort of mimicking phishing attacks. We can teach users to at least recognize and for that entry point for ransomware. But obviously ransomware can be delivered a number of different ways. That is the most prevalent situation. We do see wire fraud work its way into small businesses as well. That might be some kind of action sometimes from a phishing email that says something along the lines of, hey, please wire funds from this account to that account, where the secondary account isn’t something that’s owned by the small business. But certainly locking up files and then extortion from a ransomware perspective is, I’d say, the most common across probably most business segments.
Mark: Let me add something to Craig’s good answer to your first question of whether SMBs are targeted to the same degree that large companies are targeted. We have found that oftentimes SMBs are targeted instead of larger companies. Larger companies have a lot of money they can spend on hardening their defenses. SMBs oftentimes are softer targets for hackers and for malicious actors. So we have found that in some cases they go deliberately after SMBs versus going after larger actors. But that’s exactly right, Craig. I mean, I think the types of attacks that you’re seeing amongst your client base, it mirrors exactly what we see as well.
Craig: Absolutely.
Craig: And so from a cyber threat surveillance perspective, we’re not going to get into a demo today, just kind of short on time, but I wanted to give you at least a screenshot so I can talk through how this operationalizes itself into our platform.
Essentially, we provide daily updates on darknet findings that are pertinent to your organization. And we’ve really structured the input so that it’s simple. We’re looking for keywords and potentially VIP emails; we can also, as Mark alluded to, enter things like credit card information or IP addresses as well. From an advertised level, we really focus on keywords, which would be a business name, a product name, a brand name, an affiliate name, and then we are also looking at what we call VIP email protection as well. But again, we can pivot to incorporate some of those other items as well. We integrate the results directly into reporting and a dashboard. So as you saw on the last screen, briefly we’ll intake the findings. If your keyword or your VIP email is found, we’re going to give you plenty of surrounding context. It may be thousands of characters of additional data around the keyword that we found. You’ll get full context of not only the fact that this VIP email or keyword, maybe your brand name, your company name was found on the darknet, but you’ll see the entirety of the discussion around it in addition to the location that it occurred on. You’ll also get email alerts when these things happen. So administrators are going to get notified.
There’s a nice portal to allow you to track and categorize these incidents. You can categorize them as urgent, you can categorize them as resolved or just leave them in a pending state. Also of interest too is we provide some sentiment tracking as well. So based on what we see, we’re going to give an analysis of sentiment or negativity around a particular finding. So if it may be benign, there’s plenty of benign information on the dark web that’s really not pertinent, not meaningful, certainly not hurtful. You’ll see those results, but we’ll prioritize and we’ll flag as urgent results that hit a high negativity level. So we kind of take care of some of the analysis for you, although response remediation planning around what to do if you do find something is really up to you as an organization or perhaps a security provider that you’re partnered with.
Average price – so we will talk about price here for our service falls 4,000 to 15,000 dollars per year. It’s obviously a large range, but it really just depends on how much you want us to monitor for you. So I wanted to give that too because the average price point, entry level price point for the service is generally three to four times the high end that I’ve referenced there. And so in those cases, the access to this data typically outstretches an SMB budget. We fit it squarely in a range where SMBs can afford this service and most times we’re addressing clients that also have other needs around security awareness, training, password management services. We’re able to bundle those elements together and give them a nice SMB cybersecurity suite. As I mentioned, we will sell these services through managed security service providers as well. So we have a portfolio of managed service providers that will deliver many more services bundled together. Additionally, we can deliver these as a single suite and more of a point solution to organizations as well. All right, any other questions that we want to get to before we close it out here?
Kathy: Yes, we have had a couple more come in. “Can you please give an example for a small business where information from the dark web could help protect the brand reputation?”
Craig: Yeah, I can. Mark, I’m sure you probably can as well. But one of the things that comes to mind is a couple of things really I address this earlier in the conversation when I start talking about executives that are really tied to the brand of the company. And in some cases, if either those executives are being targeted or perhaps they are involved in some nefarious activity and that gets picked up, it’s not going to be a good ending. But at least an organization has time to prepare and plan and take action before an event has occurred. And that might be public relations type planning or perhaps getting out in front of any potential negative activity. Additionally, if there is some really slanderous and hateful discussions about a particular organization, that would be a cause of concern and you can use your imagination on what those things might be, these will get picked up if they’re happening on the dark web and on the darknet. So those are two situations that are certainly ones that the surveillance will help identify, which if you had typical reactive cybersecurity services, you’re not going to see those things until an event is inbound or incoming. Mark, I don’t know if you have anything to add to that.
Mark: That’s an exceptionally good answer. I would just add that in addition to VIP information and slanderous activity, I would start by saying there is almost no mention of your organization in the darknet that couldn’t potentially affect your brand. So if you’re breached in a ransomware attack, if you’re being targeted in addition to the slanderous statements that are being made, ultimately that’s going to affect your brand negatively. Everybody knows about what happened to large companies that have been breached and their brand being tarnished as a result. The same is true for SMBs. And so all of the categories that Symbol monitors on behalf of its clients, all of them have some capacity or some capability to damage the brand.
Kathy: “So Symbol covers what is on the darknet, but what about other cyber risks?”
Craig: Yeah, that’s a great question. I mentioned some of our partner organizations. Obviously, the landscape of cyber risk is significant. These services that we provide, provide great coverage across the things that we’re specialists in, which should be training and some visibility around potential cyber threats that cross the dark web and potentially into domain names and breached email addresses and things like that. Of course there’s many more things to cover and we highly recommend, especially in the SMB space, security consultants, virtual CISOs. If you don’t have a CISO on board or maybe can’t afford one, those kind of fractional consultants are great and we have a number of really good managed security service providers that can provide a large breadth of cybersecurity type services from a single organization. Best of breed. Best practices and things of that nature. So we can certainly sit as a point of reference for helping you find those things and for the pieces that we cover today, we’re happy to deliver those directly as well. But yeah, there’s a lot more to it for sure.
Thank you so much for joining us today.
About Symbol Security: Symbol Security’s SaaS platform helps customers reduce their cyber risk and adhere to industry compliance requirements. Through authentic simulated phishing exercises, interactive training content, and awareness of risk data across domain registries and the dark web, Symbol helps companies identify and act on potential points of cyber risk. Symbol can be operated by company administrators with ease or leveraged by Managed Security Service Providers as part of their security offerings. Visit their website: https://symbolsecurity.com/
About DarkOwl: DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near real time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. DarkOwl offers a variety of options to access their data.
In this blog, DarkOwl analysts outline top use cases for intelligence agencies, law enforcement, and government, where darknet data often plays a critical role. These examples from DarkOwl’s software-as-a-service (SaaS) darknet data platform help identify and describe how key data sources in the criminal underground can be leveraged to facilitate the analysis and reporting required by intelligence agencies and other entities’ security departments.
Cyber Investigations
DarkOwl’s darknet data can significantly augment cybercriminal investigations by providing key additive informational components – often in conjunction with other OSINT like social media activity. Data from the darknet often creates a more comprehensive picture of the case itself, the criminal’s behavior, and psychological intentions. The resulting darknet intelligence (or DARKINT) fills in critical intelligence gaps that solidify evidence such that indictments and subsequent legal action may be executed.
Using DarkOwl in conjunction with other open sources and utilities, an investigator can easily identify and track a threat actor’s digital fingerprints and subsequent virtual breadcrumbs, such as social media accounts, usernames, aliases, avatars, email addresses, PGP keys, and cryptocurrency wallet identifiers.
The snapshot example below details how DarkOwl identified and tracked a Portuguese-speaking threat actor involved in mobile device malware development. The lower third of the graphic, consisting of evidence collected from the darknet and DarkOwl Vision, confirmed the suspect’s activities across various underground communities in the darknet, and a leaked IP address provided a potential physical location of João Pessoa, Brazil.
Figure 1: Source DarkOwl Analyst, July 2020
Situational Awareness
Russia’s late-February military invasion of Ukraine and ongoing offensive operations were preceded by numerous opportunities for geopolitical situational awareness, and subsequent monitoring of conditions is available through a surge of new Telegram channels documenting live events ‘on the ground’ and conversations between users with unique perspectives on the conflict.
DarkOwl detected members of popular deep web hacking forums sharing and discussing the leak of large databases containing sensitive Ukrainian citizen data weeks prior to the actual kinetic military activity. Further analysis revealed state-sponsored threat actors from Russia had performed extensive covert cyber campaigns against Ukraine prior to any official military operation, troop or vehicle movement across the border.
Figures 2 and 3: Source DarkOwl Vision
Figure 4: Source DarkOwl Vision
[TRANSLATION OF FIGURE] Note: the following contains some explicit language.
2022-06-13T19:03:11 user_5290424434 IvanVik32 Ivan wrote: So tear your ass off the soft chair and show me how to fight, and fuck like You know a lot of people.
2022-06-13T19:03:11 user_108696280 minihetman Eugene wrote: What the fuck do you want? Russian dogs have been occupying the Tatar guy’s homeland. What kind of attitude did you expect to downs with automatic machines?
2022-06-13T19:03:14 user_5447249506 Maxim Shaporev wrote: I’ll say it again. I propose to shoot all 2,500 thousand soldiers of the Armed Forces of Ukraine and the Azov battalion who left the Azovstal. Shoot them right on the square in Donetsk.
2022-06-13T19:03:16 user_5121165572 Aristarkh Govnozhuyev wrote: Maybe now is the time to strike at decision-making centers? Gentlemen of the military – how long can this lawlessness be tolerated? Let’s already hit the bank, the rada, the narco-clown palace.
2022-06-13T19:03:17 user_1959717279 DomBaryay Barya Domansky wrote: Zelensky speaks beautifully, so they put him in the presidential post, pouring everything that the United States considers true
2022-06-13T19:03:17 user_5159148675 14415 wrote: The latest reports are just reading how the Donbass is being hammered. Yes, fuck already in Kiev so that everyone shits there
2022-06-13T19:03:18 user_5187443018 My Lord wrote: Well, it’s understandable, but if he’s been yelling for 8 years that he will cut Russians. Well, I’m a Russian. To destroy him, for his words. And I will do it, let it be sure. Their rotten mouth is to blame for everything.
2022-06-13T19:03:21 user_5214651354 Kprr wrote: Just topal asking
2022-06-13T19:03:22 user_1557547863 Miff Junior wrote: Wipe the creatures of the ukrokhokhlyatsky off the face of the earth
Counterterrorism
While the darknet is less active with concerted terrorist-related recruitment, propaganda distribution, and activity from groups like ISIS, there is an increasing volume of lesser-known terrorist cells using the darknet and adjacent platforms like Telegram to communicate and coordinate their attacks. DarkOwl supports collecting content in over 52 languages, and raw data is indexed in the original language of the author, as in-platform translation services might corrupt nuances of the original language. The Vision app user interface and API endpoints support in-language search queries and non-English characters.
For example, DarkOwl uncovered documents related to an anti-Israel terrorist group located in Palestine discussing how they and members of Hamas were planning to target military personnel from the Israel Defense Forces (IDF) for digital blackmail and extortion. The group also listed an email address for direct contact and a Bitcoin address for donations to support the group’s cause. (Source: DarkOwl Vision)
Similarly, DarkOwl has also detected online discussions regarding terrorist activity from international groups of concern and their public statements about their involvement in attacks against specific geopolitical targets.
Figure 5: Source DarkOwl Vision
Counternarcotics
DarkOwl’s aggregated darknet data and near-decade-long historical darknet archives are instrumental in supporting law enforcement drug-related investigations. DarkOwl has identified numerous darknet drug vendors selling illicit drugs, such as opioids, fentanyl, and cocaine, in bulk volumes for resellers on decentralized marketplaces and darknet vendor shops.
We have also identified a recent trend where many of the drug vendors advertise on discussion forums and marketplace bulletin boards how to contact them on alternative platforms, e.g. Wickr, WhatsApp, and Telegram, to complete their transactions with increased security and identity protection.
Figure 6: Source DarkOwl Vision
Targeting
DarkOwl’s near-decade-long collection of historical darknet archives enables investigators to successfully uncover the identity of suspects involved in various segments of illicit crime. This includes human trafficking, child exploitation, drug dealing, weapons proliferation, etc.
DarkOwl analysts regularly observe criminals identified by name by other darknet users and security researchers out of revenge or to disrupt the person’s online activities on popular deep web sites like doxbin[.]org. For example, shortly after the invasion of Ukraine, over two dozen members of the Russia-aligned ransomware group Conti/Ryuk – and its closely associated Trickbot malware development partners – were all doxxed.
Figures 7 and 8: Source DarkOwl Vision
Cyber Espionage
Data captured in the DarkOwl Vision database is often used to detect existing cyber espionage activity and can potentially be leveraged by nation states and intelligence agencies for future cyber espionage campaigns.
In the fallout of the global cyberwar between Ukraine and Russia, hundreds of corporations and government organizations in Russia were targeted and/or compromised by an international army of cyber hacktivists supporting Ukraine. Data leaks from ‘ministerial’ organizations of Russia, e.g. the Ministry of Finance, the Ministry of Foreign Affairs, etc., and academic and research institutions, such as the Joint Institute of Nuclear Research (JINR) and the Russian Federal Institute of Science, were among the groups targeted. Also included was data from critical infrastructure suppliers of energy, water, and transportation, which can be utilized for future cyber espionage purposes. Key individuals from those organizations and their personal data have also been released, providing opportunities for targeted social engineering attacks to recruit and/or exploit them for political and technical intelligence espionage and critical diplomatic initiatives.
Figure 9: Source DarkOwl Vision
The graphic below contains some of the names of Russian organizations that appeared in leaks released on the darknet from hacktivists supporting Ukraine in the war. You can find the full infographic here.
Figure 10: Source DarkOwl Vision
Domestic Extremism
In recent years the United States has experienced an unprecedented rise in domestic extremism, with members of alt-right paramilitary groups like the Oath Keepers and Proud Boys indicted for leading the insurrection against the US Capitol in an attempt to keep President Trump in office. Many of these groups congregate and collaborate in darknet forums, chatrooms, and Telegram channels. It is well known that deep web imageboards like 8kun are a sanctuary for right-wing conspiracy groups like QAnon to congregate and flourish.
DarkOwl’s darknet data platform allows investigators to monitor for activities from these groups and assist investigations by correlating a suspect’s engagement on social media and anonymous networks. Users of imageboards regularly discuss emotionally charged and controversial topics like assault weapon bans and “replacement theory.”
Figures 11 and 12: Source DarkOwl Vision
Figure 13: Source DarkOwl Vision
Critical Infrastructure Protection
DarkOwl’s darknet data can be utilized for monitoring mentions of the development of malware to target critical infrastructure. This includes tracking the activity of threat actors who specialize in attacks against industrial control systems (ICS). It also can be used to monitor for mentions of specific critical infrastructure targets that threat actors, terrorist groups, and nation-state sponsored actors are intent on conducting cyberattacks against.
DarkOwl detected an offensive cyber group known as the “Jerusalem Electronic Army” (JEA) targeting agricultural water and heating systems in the northern area of “Negev” or the “Gaza Envelope” near Lakish using ICS/Supervisory Control and Data Acquisition (SCADA)-based attacks to poison the region’s water supply.
Another Telegram channel that advertises support for attacks against Israel, and is associated with Team Majhidoon (فريق_مجاهدون) and Team AES (فريق_A-E-S), declared that campaigns to penetrate Israel’s solar energy systems in Tel al-Rabiya were successful.
Lakish, which is the occupied area of the northern Negev or “the Gaza Envelope”
Target:
Agricultural water and heating systems
The Details:
The high command has published and revealed the degree to which we have penetrated the water and agricultural system. The water temperature increased as did the amount of sodium acid, which can pollute and poison the water and can destroy all agriculture.
To learn more about darknet use cases and how to apply them to your business, contact us.
Risk is a word regularly used across information security circles and CISO agendas. Companies are aggressively attempting to identify and mitigate any cybersecurity risk that could lead to potentially extensive financial and reputational damage, especially from a high-profile cybersecurity attack or data breach. Meanwhile, individual persons also struggle to know how concerned they should be in mitigating their own personal risk for when, not if, their sensitive personal information appears on the deep web and darknet.
In this blog, DarkOwl analysts revisit and review the domain of risk, taking a closer look at the threats corporations and individuals face and how risk is calculated and mitigated. Underground digital communities within hidden and anonymous networks play an integral role in identifying the threats at play, and DarkOwl works alongside its partners to help provide the critical monitoring of potential markers of risk using its darknet search platform.
Darknet 101
The darknet is a layer of the internet that was designed specifically for anonymity. It is more difficult to access than the surface web and is accessible only via special tools and software – specifically browsers and other protocols.
You cannot access the darknet by simply typing a dark web address into your web browser. There are also darknet-adjacent networks, such as instant messaging platforms like Telegram, the deep web, and some high-risk surface websites.
What is Risk and What is the Darknet’s Role in Risk Calculations?
Risk is traditionally thought of as a multiplier of likelihood and severity, or consequence of outcome; however, in cybersecurity the definition is expanded for consideration of intention or threat.
For example, in a personal risk scenario, one’s leaked credentials (e.g. usernames, e-mail addresses and passwords) might appear in commercial data breach leaks, which poses one degree of risk, but the minute those same credentials appear in conjunction with direct malicious intent to cause financial or direct harm, their personal risk increases dramatically.
Quick definitions:
darknet: Also referred to as the “dark web.” A layer of the internet that cannot be accessed by traditional browsers, but requires anonymous proxy networks or infrastructure for access. Tor is the most common.
deep web: Online content that is not indexed by search engines, such as authentication-protected pages and paste sites; it can best be described as any content on a surface web site that requires authentication.
high-risk surface web: consists of areas of the surface web (or “regular” internet) that have a high degree of overlap with the darknet community. This includes some chan-type imageboards, paste sites, and other select forums.
For a full list of darknet terms, check out our Glossary.
DarkOwl has observed similar specific targeting frequently in the darknet. The same would be true for the intention of an attack against a corporation or government organization, but this is understandably much harder to quantify.
The U.S. Department of Homeland Security (DHS) defines risk as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences” such that: likelihood is defined as “the chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies, or probabilities” and consequence is given as “the effect of an event, incident, or occurrence, including human consequence, economic consequence, mission consequence, psychological consequence.”
The DHS risk assessment model is more simply defined as a function of three variables: threat, vulnerability, and consequence, with full recognition that, in organizational risk calculations, threat includes anything that can cause harm to the organization. That could expand to include threats from natural disaster (wildfire, hurricanes, and earthquakes) or even a significant hardware / backup failure that triggers a disruption in services or production, and is not necessarily exclusive to cybersecurity attacks by external malicious entities.
There are numerous interpretations, philosophies, and variations on this formula and luckily organizations are given extreme flexibility in conducting internal risk assessments by applying risk models of varying degrees of detail and complexity of threat identification and vulnerabilities – of which cybersecurity has become increasingly critical.
Threat calculations are often tied to scenarios with likelihoods of occurrence that involve an adversary’s intent, capability, and targeting. When we look at the darknet’s role in risk and threat vectors, especially when considering the risk to a company’s brand or stakeholders, malicious threat actors who conduct operations in the underground (e.g. cybercriminal organizations, nation state actors and proxies, and cyber opportunists) proactively hunt for and attempt to exploit sensitive data for personal financial gain by whatever means possible, often manipulating unpatched vulnerabilities and crafting new exploits in the wild.
DarkOwl analysts also regularly witness critical corporate and personal information actively shared across various underground digital communities in the darknet and deep web, and have categorized the types of vulnerable data at risk accordingly, delineating corporate and individual personal risk. These two are intricately interrelated, because humans are one of the many risks corporate organizations must consider when calculating their cybersecurity risk. The region where corporate and individual risk overlap is of the most critical consideration, as is the extent and volume of readily available information for threat actors to launch their attacks.
Likewise, the more data a threat actor has accumulated about an individual or a corporation, the higher the risk.
Figure 1: Visualizing the Threat to Corporations and Individuals
Corporate Risk and The Darknet
The possibility of a cybersecurity attack against a corporation feeds a number of different corporate risk calculations: the loss of customer data presents a significant risk to a company’s brand, reputation and stakeholders; there’s moderate risk for loss of sales due to counterfeit goods offered on the darknet and direct reputational attacks on discussion forums and social media; there is direct risk via the executives and key leadership of an organization for business e-mail compromise (BEC) phishing attacks or financial extortion through physical threat to executive’s family; and, there is risk to attack via third (and fourth) party vendors and suppliers.
The consequences of an attack against a corporation can include:
Unauthorized access to a corporate network
Misuse of information by an authorized user
Loss of access to corporate data (via deletion or encryption)
Disruption of service or productivity
Reputational loss and damage to brand or corporate image
The Risk of Unintentional Data Compromise
While large commercial data leaks receive press coverage, with phrases like “millions of records of user data exposed” there is an unknown number of organizations that have likely secretly dealt with a critical cybersecurity incident without ever disclosing the breach to their customers or users due to the consequences of reduced consumer confidence.
Extortion-as-a-service is an increasingly successful sector of the underground criminal ecosystem and involves stealing sensitive personal or corporate information and then leveraging unauthorized access to this information to force the victim to pay, essentially blackmailing the victim, in exchange for quasi protection of their data. Threat actors utilize hacking forums and discussion boards across the deep web and darknet to explore potential vulnerabilities, sometimes expressing interest in specific industries, companies, and individuals, then finally sharing or selling the sensitive information they have stolen – resulting in significant reputational and/or financial loss for the victim organization.
Counterfeiting Risk is Brand Risk
The darknet is home to a lesser-known segment of corporate brand risk with offers of counterfeit goods on darknet markets. The sale of counterfeit physical goods is a persistent and viable market in the underground economy. DarkOwl’s SaaS product suite can be utilized to protect corporate brand reputation and value through automated monitoring and alerting for various forms of brand mentions. In this blog, we discuss this extensively.
Executives and Key Leaderships are Critical Targets
Some criminals utilize traditional open-source intelligence (OSINT) techniques to uncover the names, e-mail addresses and family relationships of an organization’s executives and key leadership to conduct pointed phishing campaigns via e-mail, SMS or traditional in-person and telephone-based social engineering to gain malicious access to a corporate victim’s network.
Vendors and Other Third Parties Increase Risk
Nation-state actors and cybercriminals are increasingly sophisticated and opportunistic seeking to exploit third and fourth party suppliers and vendors to cause harm against the victim organization. Third parties include any unit an organization works with including but not limited to vendors, such as suppliers and manufacturers, partners, affiliates, distributors, resellers, and agents. Third parties may have access to information such as: corporate sensitive data, financial data, contract terms and pricing, strategic planning data, intellectual property, credential data, personally identifiable information (PII) of customers and employees and protected health information (PHI) and can unknowingly contribute to a threat actor gaining unauthorized access to a corporate network.
While it is not always overtly clear who or what organization a threat actor may be intending as their next target, monitoring the darknet and deep web for mentions of a company’s name, along with names of its executives and key leadership, and network information such as domains, e-mail and IP addresses can be a helpful marker for quantifying the potential threat or intent of harm against an organization. DarkOwl’s Score API is one of many potential quantifiable metrics a corporation can use to measure and understand its business risk. Scores can also be utilized for self-risk assessments, as well as brand monitoring and vendor risk management.
Individual Risk and the Darknet
DarkOwl has observed several criminals who specialize in the trade of other critical PII such as national identification numbers, mailing and billing addresses, dates of birth, social media profiles, and, even more concerning, financial data like bank account numbers and credit and debit card numbers along with their card verification values (CVVs), expiration dates and personal security PIN codes.
Individuals are at Risk of Social Engineering
Personal individual risk increases with the extent of the information exposed and where and how it has been distributed. Cybercriminals are increasingly creative in their techniques to gain access to this illicit information with astute social engineering and mass phishing campaigns. Criminals actively seek to obtain an individual’s sensitive personal information necessary for a financial institution’s security verification process, such as one’s mother’s maiden name, historical personal residence and billing addresses and answers to key security questions, sometimes obtained through links to phishing websites or “fake” copies of popular commercial websites with username and password login form fields, sent through “SMS bomb” or spam e-mail phishing attacks. A popular technique — both discussed openly and with methods traded in underground forums — is sending out fake mobile phone notifications. Spammers text delivery notices via SMS with a link to a phishing URL (often a shortened URL, e.g. “bit.ly”) for companies like DHL or UPS that are designed to harvest the victim’s mobile IP address, IMEI number, mobile phone model and software version along with sensitive personal information input by the victim in search of the non-existent package.
The Risk of Password Reuse and Credential Stuffing
Credential stuffing is a widespread technique utilized by cybercriminals to test whether historically exposed e-mail address and password combinations are valid logins across multiple commercial websites. Opportunistic cyber criminals automate the testing of large ‘combo lists’ containing compromised e-mail addresses and passwords against commercial websites and, once authentication succeeds, readily steal the PII and financial information, often saved, on the e-commerce shopping platform’s user profile.
Circling back to the overlap between individual and corporate risk, credential stuffing using malicious software and botnets affects not only the individuals but also the commercial organizations whose user accounts are surreptitiously accessed, as many immediately assume access was achieved due to vulnerabilities with the commercial service provider’s technical configuration instead of a simple credential stuffing technique conducted en masse. The uncertainty potentially erodes consumer and stakeholder confidence warranting that commercial agencies consider credential stuffing in their internal security frameworks and corporate risk assessments as well.
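As an added illustration of the defender’s side of the credential stuffing described above (not DarkOwl’s code), the following script flags source IPs that fail against many distinct accounts in a short window and lists any account that succeeded from such a source. The log format, thresholds and addresses are constructed assumptions for the example.

```python
"""Flag credential-stuffing patterns in constructed web login logs.

Added example, not DarkOwl's code. Log layout ("timestamp ip username result"),
thresholds and the IPs (RFC 5737 documentation ranges) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source sprays many accounts in seconds,
# one retries a single account (a different pattern), one is a normal login.
SAMPLE_LOG = """\
2022-08-01T10:00:01Z 198.51.100.7 alice FAIL
2022-08-01T10:00:02Z 198.51.100.7 bob FAIL
2022-08-01T10:00:02Z 198.51.100.7 carol FAIL
2022-08-01T10:00:03Z 198.51.100.7 dave FAIL
2022-08-01T10:00:03Z 198.51.100.7 erin SUCCESS
2022-08-01T10:00:04Z 198.51.100.7 frank FAIL
2022-08-01T10:00:05Z 198.51.100.7 grace FAIL
2022-08-01T10:00:06Z 198.51.100.7 heidi FAIL
2022-08-01T10:01:00Z 203.0.113.9 alice FAIL
2022-08-01T10:01:30Z 203.0.113.9 alice FAIL
2022-08-01T10:02:00Z 203.0.113.9 alice SUCCESS
2022-08-01T10:05:00Z 192.0.2.44 bob SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=5, min_accounts=4):
    """Return {ip: summary} for sources whose attempts within one window hit
    at least `min_accounts` distinct usernames. A high failure count against
    many different accounts is the signature of a combo list being replayed,
    unlike password guessing, which concentrates on one account."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # oldest first
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            failed_accounts = {e[2] for e in span if e[3] == "FAIL"}
            if len(span) >= min_attempts and len(failed_accounts) >= min_accounts:
                # Keep the latest qualifying window so the summary covers the burst.
                flagged[ip] = {
                    "attempts": len(span),
                    "distinct_accounts": len({e[2] for e in span}),
                    # Accounts that authenticated from this source during the burst:
                    # candidates for forced password reset and session revocation.
                    "compromised": sorted({e[2] for e in span if e[3] == "SUCCESS"}),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Thresholds are tuned per site; distributed campaigns spread attempts over many sources, so the same check is usually also run on failure rate per account and per user agent rather than per IP alone.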
The Risk of Identity Theft and Financial Fraud
While a personal e-mail address or password leak is easily mitigated by using complex passwords and password managers, the greatest threat to an individual is financial fraud and/or personal identity theft. When credit card numbers are leaked in association with this type of account information, they can easily be leveraged to create new illicit accounts or to commit bank fraud. This risk is heightened even further when associated billing information is included, such as a mailing address or the credit card’s CVV number.
Individual Risk Calculations
Ultimately, what does the fact any of your personally identifiable information is on the darknet really mean? Your level of concern is directly correlated to your individual risk and calculating individual risk using information exposed on the darknet is measured by not only the location of and volume of credentials and PII exposed, but also a factor of time – that is, how long the information has been available and the likelihood of exploitation by a malicious actor. Of course, this likelihood of occurrence increases immediately once there is direct intent and targeting of the person either individually or in conjunction with a campaign against a corporation, regardless of what types or volume of personal data is already accessible.
E-mail address and password leaks: Individual risk increases slightly with the website where the credentials have been used, i.e. banking application or health portal. Individuals can mitigate risk by using unique, complex passwords and password managers.
Personal financial data like credit and debit cards: Individual risk is higher if the card is still in use. Most banks have fraud prevention and do not hold the cardholder responsible for illegal purchases with stolen credit and debit card data.
Identity verification information: Individual risk increases with the more sensitive data accessible to a threat actor. For example, if a bank account number along with the full name of the account holder, their physical residential addresses, and other key identity verification information such as their mother’s maiden name, the name of their first dog, and secondary school mascot is obtained, then a threat actor has enough information to impersonate them and take control of the account. Compromise can be mitigated by visiting the bank in person with a form of identification (passport or driver’s license), closing down the compromised account, and opening a new one.
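The risk model described above (likelihood × consequence, expanded by a threat or intent term, with likelihood driven by where the data appeared, its volume and its age) and the three exposure categories just listed, worked through as an added example. This is illustrative code, not DarkOwl’s Score API or scoring method; the weights, categories, half-life and tier cut-offs are assumptions chosen for the example.

```python
"""Exposure risk scoring in the likelihood x consequence form the post describes.

Added illustration, not DarkOwl's scoring method. All weights, the decay
constant and the tier thresholds below are assumptions for the example.
"""
import math
from dataclasses import dataclass

# Where the data was observed: assumed weights for how readily it is exploited.
LOCATION_LIKELIHOOD = {
    "commercial_breach_dump": 0.3,   # bulk leak, little targeting
    "paste_site": 0.5,
    "darknet_forum": 0.7,
    "darknet_market_listing": 0.9,   # actively offered for sale
}

# Consequence if exploited (0-10), following the post's ordering:
# e-mail/password < payment card < identity-verification data.
CATEGORY_CONSEQUENCE = {
    "email_password": 3.0,
    "payment_card": 6.0,
    "identity_verification": 9.0,
}


@dataclass
class Exposure:
    category: str
    location: str
    age_days: int
    records: int                  # distinct data items exposed about the person
    sensitive_site: bool = False  # credentials for a bank or health portal
    card_active: bool = True      # payment_card only: card still in use
    targeted: bool = False        # direct intent or targeting observed


def likelihood(e: Exposure, half_life_days: float = 365.0) -> float:
    """Score in [0, 1] from location, volume and time since exposure."""
    base = LOCATION_LIKELIHOOD[e.location]
    # More records give an actor more to work with; saturates towards 1.
    volume = 1.0 - math.exp(-e.records / 3.0)
    # Stale data is less likely to still be valid (rotated passwords, replaced cards).
    freshness = 0.5 ** (e.age_days / half_life_days)
    return base * (0.5 + 0.5 * volume) * freshness


def consequence(e: Exposure) -> float:
    c = CATEGORY_CONSEQUENCE[e.category]
    if e.category == "email_password" and e.sensitive_site:
        c += 2.0          # banking or health portal credentials
    if e.category == "payment_card" and not e.card_active:
        c *= 0.2          # cancelled card: little left to exploit
    return c


def risk_score(e: Exposure) -> float:
    """Risk = likelihood x consequence; observed intent multiplies likelihood."""
    intent = 3.0 if e.targeted else 1.0
    return round(min(likelihood(e) * intent, 1.0) * consequence(e), 2)


def risk_tier(score: float) -> str:
    if score >= 6.0:
        return "high"
    if score >= 2.5:
        return "medium"
    return "low"


# Constructed scenarios matching the three bullets above.
OLD_EMAIL_LEAK = Exposure("email_password", "commercial_breach_dump", age_days=730, records=1)
CARD_FOR_SALE = Exposure("payment_card", "darknet_market_listing", age_days=30, records=1)
TARGETED_IDENTITY = Exposure("identity_verification", "darknet_forum", age_days=30,
                             records=6, targeted=True)

if __name__ == "__main__":
    for name, ex in [("old e-mail leak", OLD_EMAIL_LEAK), ("card for sale", CARD_FOR_SALE),
                     ("targeted identity data", TARGETED_IDENTITY)]:
        s = risk_score(ex)
        print(f"{name}: score={s} tier={risk_tier(s)}")
```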
Only an individual can ascertain the degree of personal cybersecurity risk they are comfortable with, given the types of information they have shared publicly and the value they place on their personal information, their individual brand, and digital reputation. In a hyper-connected society that is increasingly reliant on networked digital information systems to function, everyone’s exposure and subsequent risk is increasing to some extent. For some individuals, this risk is gradual and others exponential.
It’s Risky Business Regardless
Threats posed to individuals and corporations from the darknet, where sensitive corporate or personal information is leaked by cybercriminals, are diverse. Criminals employ increasingly sophisticated social engineering and technical attack vectors to pilfer information that could lead to full identity theft for an individual or corporate extortion with multi-billion ransom demands.
While the science of cyber risk calculations is still relatively nascent, the factors and data points outlined above can offer those in charge of assessing and underwriting risk contextual information as it pertains to the deep and dark web. By better understanding how threats manifest in these underground communities, individuals and corporations will be able to more accurately identify indicators of compromise and assess the security posture of their digital footprint. The deep web, anonymous networks, and various chat platforms will continue to be home for trading these commodities of data and DarkOwl will continue to assist its clients and partners to help provide the most comprehensive darknet database necessary for critical monitoring of potential markers of cybersecurity risk to corporations and individuals.
Interview with DarkOwl’s Sarah Prime and Alison Halland
August 26, 2022
In honor of Women’s Equality Day this August 26th, DarkOwl looks at workforce equality efforts within the cybersecurity industry and in our company by interviewing our Chief Business Officer, Alison Halland, and Director of Product Technology, Sarah Prime. DarkOwl is committed to building a balanced workforce which informs our efforts to create the most effective and talented team possible.
Background and Statistics: Women in Technology
Efforts to change the makeup of cybersecurity, which has traditionally been male dominated, have been embraced across the industry. Companies, organizations, and the government have taken notice. Organizations such as CISA (the Cybersecurity and Infrastructure Security Agency), headed by Jen Easterly, are making efforts not just to hire women but also to highlight and empower them. Women will play an important role in supporting the demands of the industry, which is in dire need of more human resources. In fact, it has been estimated that this year alone the industry would need to grow by 65% to effectively defend organizations’ critical assets.
Despite impressive efforts underway by all types of institutions, such as Women in CyberSecurity (WiCyS), there is still a gap. “It’s not just women, but it’s all types of diversity. Whether that’s neuro diversity, diversity of gender identity, of sexual orientation, of race, of national origin,” Easterly said.
A 2021 article published by the U.S. Census Bureau reported that although women make up around half of the U.S. workforce, they comprise only about 27% of STEM workers. However, this is not to say that women are not earning degrees in STEM. A report published in April 2022 found that while women earned almost half of the bachelor’s degrees in STEM, there is a large disparity across fields. Women earn the majority of bachelor’s STEM degrees in life sciences, psychology, and the social sciences, but they made up only a little over a quarter of graduates in math-intensive fields. The share of women holding STEM bachelor’s degrees may nonetheless be a poor indicator of how many women will end up working in STEM-related industries, because the ISC2 2021 Cybersecurity Workforce report finds that pathways into cybersecurity are changing.
While an IT background is the most common route, a little over half of cybersecurity professionals started outside of IT. 17% transitioned from unrelated career fields, 15% gained access through cybersecurity education, and 15% explored cybersecurity concepts on their own. [Source]
Figure 1: Participants Pathways to Cybersecurity Careers [Source]
Interview: Thoughts on Being a Woman in Cybersecurity from Two Members of DarkOwl’s Leadership Team
To commemorate Women’s Equality Day, DarkOwl’s Junior Darknet Analyst and Marketing Contributor Molly Bocock sat down with Sarah Prime, Director of Product Technology, and Alison Halland, Chief Business Officer, for a candid interview about working in the cybersecurity industry.
Editor’s Note: Some content has been edited for length and clarity.
The ISC2 2021 Cybersecurity Workforce report finds that pathways into cybersecurity are changing. An IT background is the most common route, but more than half of cybersecurity professionals started outside of IT: 17% transitioned from unrelated career fields, 15% gained access through cybersecurity education, and 15% explored cybersecurity concepts on their own.
Molly: Tell me about your background and your journey to where you are now – did you know you always wanted to be in cyber?
Sarah: The short answer is no, I had no idea I wanted to be in cyber. I didn’t know what the darknet was when I started working at DarkOwl. I actually started my career in the educational publishing industry. I started developing simulation and e-learning products and found that I really liked it. In my next job I transitioned to developing software products full-time.
Then I moved out to Denver and joined a start-up that was literally working out of a garage and that company had a very innovative idea and needed help building a product that would help their really talented cybersecurity analyst team do more and better work. And ultimately that company became DarkOwl.
That’s how I got here today. 8 years later I feel like my mission in this world is to help expose what is happening on the darknet so criminals don’t have a place to hide, and preserving what the darknet is in terms of privacy for people who need it. I do find it a very rewarding industry to be in because it feels like you are contributing in a small way to making the world a better place.
Alison: Like Sarah, I did not think that I was going to end up in cyber. I started my career in finance and was working in Boston for a company that grew exponentially and ended up going public and then the financial crisis hit, so I went back and got my MBA at Dartmouth. After that, I knew I wanted to make an industry change, but I just couldn’t put my finger exactly on what industry I wanted to go to and was conflicted about it. So, I made a geographical change and moved to Denver with the hopes of figuring it out when I got here.
After staying in the financial sector for my first role out here, I then found myself working independently and consulting for security companies with cyber angles. I was really intrigued by the industry, specifically how innovative it was, how fast it was moving, and the different personalities it attracted. I had come from the very traditional finance industry in New England where everyone looked the same and acted the same, and there was a piece of edginess and this “as long as you could cut the mustard” attitude in the cyber space that I thought was really interesting. Lo and behold I ended up at DarkOwl and have now been in cybersecurity for 6 years.
The same study from ISC2 reported that fewer women (38%) came from an IT background than men (50%). Women have higher rates of entry from self-learning than men (20% vs. 14%) and pursuing cybersecurity education to land a job (20% vs. 13%).
Has working in this field dispelled any misconceptions you had about your own abilities or interests?
Alison: I don’t think so. One thing you learn as you progress in your career is that there is an appetite for all skill sets across almost all industries. My exact skill set definitely doesn’t scream “cyber” in the traditional sense; however, I have been dedicated to learning the space, and there is always the need for clear communication about our technology, defining the strategic directions, contract negotiations, understanding specific clients’ use cases, and the list goes on.
Sarah: Yes – there’s the “hacker in the hoodie” contingent of cyber but there are also so many other opportunities. I am not a hacker in a hoodie. Cyber needs product people, cyber needs marketing people, cyber needs business people, and it’s a really interesting cross-section of backgrounds and I found that community to be really welcoming of different perspectives and ideas and innovation.
Alison: I also think there is this altruistic angle in cyber that feels really good to be a part of, and I don’t know that all industries can say that. Cyber has an appeal and a reputation that is well-deserved in many regards to the innovativeness and by having these incredible products that, like Sarah attests to, can keep us all safer and make sure that we’re doing right by both our clients and our company.
Sarah: It’s less so about what gender you are and more so about what ideas do you bring to the table, and are you doing a cool thing and let me hear about it. I found that to be really supportive and encouraging.
An earlier study by ISC2 found that women in cybersecurity tended to be younger, were more likely to hold post-graduate degrees, and were more motivated to earn certifications and degrees in the field. It also reported that 17% of women said they earned U.S. $50,000 to $99,999, which is 12 percentage points less than men at 29%. They are closer in representation in the $100,000+ range (16% vs. 20% of men). [Source] The more recent study from 2021 noted that participants who had earned at least one cybersecurity certification made about $33,000 more in annual salary than those who hold none.
Can you talk about your professional development? What courses or certifications would you recommend? What advice would you give to a woman who is at the entry-level in the cybersecurity industry?
Sarah: I think that there are a lot of different opportunities within the industry, as we were talking about. Some of my professional development has been around product development and product strategy. I recently completed a course out of Northwestern University around product strategy. Some of the certifications that are more traditional cybersecurity focused and that have been really impactful to members of my team have been the Certified Ethical Hacker as well as the OSCP.
Alison: My advice to anyone early in their career would be to ensure that they are thinking about the path they are headed down and to realize that any learning you do in a specific role, whether it’s technical knowledge or business sense, is learning that you can take with you wherever you go. No one can take that learning away from you, and it will only make you stronger as you progress within your career. Lastly, I would remind them that no one cares about your professional development more than yourself, so don’t lose sight of that and ask for what you need/want.
The data from the 2021 Cybersecurity Workforce study from ISC2 suggests that a reliable estimate of women in the cybersecurity workforce globally remains at 25%.
What is it like as a woman working in the cybersecurity industry? Are there any challenges or advantages to working in a male-dominated industry?
Alison: My experience in the cyber industry has been pretty heavily concentrated at DarkOwl. That being said, I feel empowered and enabled here. I think we have a unique scenario where we not only have a lot of females on the payroll, but have females with tenure and historical knowledge, which is invaluable to DarkOwl. I’m really proud of that and I love working internally with everyone, male and female alike. It’s very much a norm at DarkOwl to see females across all departments, but I don’t want to sugar-coat the fact that it’s not like that in the industry at large.
Sarah: I echo that 100 thousand percent. I find myself very fortunate to work at DarkOwl; we work with a lot of smart women, and we have an above-average number of women on staff. Our goal is to have gender equality in terms of our workforce, and we’ve hovered somewhere between 35 and 40 percent. We want to increase it. But absolutely, you see traditional mindsets across this industry, you can see it in larger companies, and you certainly see it in the make-up of executive teams and boards, where it’s very male dominated. Sometimes it is very obvious being the only woman in the room.
Alison: Speaking of being the only woman in the room, I was just reminiscing about this year’s Black Hat conference, which I just returned from. For DarkOwl it entailed three days of back-to-back meetings in our executive suite, and I was the only female in every meeting, both on the DarkOwl side and on the client side.
The good news is that I didn’t feel marginalized in any way, but it does emphasize the reality that there are not a lot of females at the executive level within the cybersecurity industry. So, it’s apparent to me that there is still a huge gap and a lot of work to be done.
Sarah: I had a meeting at a big company in Silicon Valley several years ago when DarkOwl was first starting. I was presenting with our CEO, and we had 20 people in that meeting from the client side. 15 of them were men and they were seated at the front of the room and the 5 women were in the back. The client introduced all of the 15 men by name and then said “and there’s the rest of the staff back there” who were all women.
In some ways experiences like these inspire me to be better, to achieve more, and to work harder because I want to pull someone up. I want to be a model for someone else — that’s really important to me personally. Bringing up people behind me, to reach your hand down and pull someone up. I think that the world is trending in the right direction. It is a great time to be a woman in the cybersecurity industry. Companies want to hire women; companies want to close that gap. There’s immense opportunity in this industry. The industry is focused on it, and there are groups like Women in Cyber doing amazing work to close that gap.
The 2021 study by ISC2 had fewer female participants, because “this year our response base included higher participation of professionals holding formal cybersecurity roles, which are more frequently held by men than women.” Chandra McMahon, who in March 2022 was the only woman serving as CISO among the top 10 largest companies nationwide, has said that “Cybersecurity is not well understood as a career or as an opportunity.” It seems, therefore, that how “cybersecurity” is defined can influence how many women are reported to be working in the cybersecurity workforce.
What do we not understand about cybersecurity as a field and its job opportunities? What does cybersecurity mean to you?
Sarah: I think a lot of people think cybersecurity is about pen testing and forensics, and I would say that there are so many more opportunities. There are research and intelligence tracks, there are OSINT tracks, there are darknet tracks, there are social engineering tracks, and there are a lot of different specializations. You can do all of them, you can do any of them. There’s a lot of data science and software and programming work in cybersecurity. It’s a very innovative field and there are a lot of opportunities. Again, it’s not just a hacker in a hoodie in a basement somewhere.
Alison: People sometimes think of “cybersecurity” as something very abstract and high-tech, but I actually think of it as something really familiar that we interact with every day. Cybersecurity impacts every single individual in every single company. There is no one that is above it or beyond it in the modernized world. I think it’s pervasive in a good way. Every company has to think about it. The industry is huge, and it’s experiencing explosive growth in a thousand different directions, so jump on it and find your path!
Sarah: There are so many different paths you can take within cybersecurity. It’s really exciting and from that standpoint really cool. What does cybersecurity mean to me? It’s helping secure the modern world. The way that everyone does business, the way that everyone communicates— all of that is digital, all of that is through computers. For example, the three of us are in different spaces right now. There’s a new way of working and being in the world and cybersecurity is making that connected, safe, secure, and just helping people to live safely.
Alison: Like Sarah said, there’s so many different avenues you can go in cyber. Whether you’re at a company that is trying to solve a specific cybersecurity gap across multiple industries, or one that provides innovative solutions for the cybersecurity industry itself. Cybersecurity technologies are only going to continue to be more and more necessary, and from that necessity comes innovation – which often attracts great talent.
Figure 2: The Most Important Qualifications for Cybersecurity Professionals (Non-technical Skills and Attributes) [Source]
Alison: Molly, I would ask a question of you. When I was in college, we didn’t even talk about cybersecurity as an industry. What do people think of it coming out of college now? Do they think of cybersecurity in the stereotypical sense, i.e. as a very narrow highly technical field, or do people think of it more broadly, like I do?
Molly: It’s a mix of both. People who are less familiar with STEM in general, I’m thinking of the people who tried to avoid it like the plague since they were young and thought “I hate math I’m never going there.” They think of cybersecurity as very “hacker in a hoodie.” People who are in business have a broader perspective. They realize the business opportunity; they know that every business has to have different departments like HR, marketing, and sales — they understand that. Younger people are seeing cyber as an opportunity to move into but they’re still hesitant. People think “oh, I’m not good enough, I’m not there, I don’t have what I need, I’m going to fail there because I didn’t study computer science when I was in undergrad so I don’t have the hard skills they want.”
Sarah: Yes, and I hope we can change that. As Alison said earlier it’s going to take work to change some things, but I hope we can. I find the most successful people in this industry are multi-disciplinary. They have a lot of skill sets and they have a lot of soft skills. There’s no way you can think like an attacker if you are too narrowly focused. You need critical thinking skills and you need collaboration skills.
Alison: I think that cybersecurity, more so than other industries, is forward-thinking in accepting non-traditional employees. I think the appetite for openness in the cybersecurity industry, and this is just anecdotally, is a little bit wider than in other industries.
Sarah: Attackers work in groups. They are not one person. These big nation-state entities, these big APTs, are collectives. They have multiple skill sets. So the good guys also need to work in teams, to be able to work with other people, and to bring different skills to the table. And those skills are not just math or hard tech skills. It is really about collaborating. The best people are able to work in very out-of-the-box ways.
To bring this back to the point of the interview, I think women have a lot of those traits, culturally. I think that women bring a unique voice to this and can bring their tech skills and some of the other really critical skills like collaboration, like communication, like critical thinking, to the table and be really successful in this field. As long as you are doing good work, there’s room for you in this industry.
Alison: Right, exactly.
Key takeaways from Alison and Sarah’s perspectives:
Anyone who is interested in the cybersecurity industry has a strong chance of being able to find a role that suits them. While companies and institutions are putting more resources towards addressing the gender and representation gaps in cyber, those gaps still exist. Therefore, the company makeup of where you work can have a very real impact on your experience in the field, especially if you are in the minority of the workforce.
As an industry, cybersecurity is forced to embrace change given the nature of the field. Cybersecurity’s openness to innovation makes it more receptive to change, such as seeing more women in the field, than perhaps other industries are. In the experiences of Alison and Sarah, people are accepted based on the quality of their work, and there is an open invitation to explore new projects and ideas, which are also necessary to keep pace with the sophisticated threat actors we face. Individuals should not discount themselves from working in cyber. A wide variety of skill sets are needed to address present and future threats; multi-disciplinary workers have an advantage, and learning opportunities and professional development can always be cultivated, especially when you partner with organizations that prioritize employees’ growth.
The DarkOwl team is actively tracking the fallout from Russia’s invasion of Ukraine. The effects of the kinetic military operation are causing ripples across the global cyber space, including critical underground ecosystems across the deep web and darknet.
18 April 2022 – 01:12 UTC
DDoSecrets Leaks 222GB of Data from Gazregion Collected by Anonymous Hacktivists
Three different hacktivist groups (Anonymous, nb65, and DepaixPorteur) submitted archives consisting of emails and sensitive corporate files from Gazregion, a Russian supplier specializing in gas pipeline construction that directly supports Gazprom.
There have been numerous claims of attacks against Gazprom by Anonymous and other cyber offensive groups since the invasion of Ukraine. nb65 posted to social media that they compromised SSK Gazregion on April 3rd with their version of the CONTI ransomware.
18 April 2022 – 01:12 UTC
nb65 Claims Attack Against Russian JSC Bank PSCB with CONTI Ransomware
The hacktivist group Network Battalion 65 (nb65) claimed they successfully attacked JSC Bank PSCB in Russia and encrypted its network with their version of the CONTI ransomware.
The group stated they managed to exfiltrate over 1TB of data, including financial statements, tokens, tax forms, client information, and sensitive databases, before deleting all backups to prevent restoration of data and functionality.
The hacktivists further taunted the bank, stating how grateful they were that it stored so many credentials in Chrome, a browser for which several emergency security patches have recently been released.
We’re very thankful that you store so many credentials in Chrome. Well done. It’s obvious that incident response has started. Good luck getting your data back without us.
15 April 2022 – 21:59 UTC
GhostSec Leaks Data from domain[.]ru Hosting Provider
The hacktivist group GhostSec claimed to have targeted the Russian internet domain registration provider domain[.]ru in a cyberattack. The group managed to exfiltrate over 100MB of data, including screenshots of sensitive files and Excel spreadsheet data.
According to the README file in the data leak, GhostSec identified over 4TB of SQL databases during the breach, but in all the excitement the team’s presence was caught by the company’s intrusion detection systems and they were kicked off the network before the SQL data could be harvested.
15 April 2022 – 17:52 UTC
nb65 Confirms Attack on Continent Express; DDoSecrets Leaks 400 GB of Russian Travel Agency’s Data
The attack on the Russian travel agency occurred several days ago and was confirmed shortly afterwards by the organization. DDoSecrets assisted nb65 in leaking over 400GB of sensitive files and databases from the travel agency. The details of the leak have not been confirmed.
15 April 2022 – 14:32 UTC
Anonymous Takes Over Pro-Russian Discord Accounts
Hacktivists from the Anonymous collective have successfully taken control of several pro-Russian accounts on the chat platform Discord and are now using these accounts to circulate pro-Ukrainian messaging. An Anonymous member, @v0g3lsec, who has been extremely active in the #opRussia campaign, shared an image of a hacked account where they posted links and information about the information operations group squad303, which shares accounts of the invasion with random Russian citizens via SMS, WhatsApp, and email.
14 April 2022 – 20:02 UTC
DDoSecrets Leaks Unprecedented Amount of Email Data from Russian Organizations
In the last three days, DDoSecrets uploaded archives for five (5) different organizations across Russia, totaling 1.97 million emails and roughly 2 TB of data:
230,000 emails from the Blagoveshchensk City Administration (Благове́щенск) – 150GB
230,000 emails from the Ministry of Culture of the Russian Federation (Министерство культуры Российской Федерации), responsible for state policy regarding art, cinematography, archives, copyright, cultural heritage, and censorship – 446GB
250,000 emails from the Department of Education of the Strezhevoy (Стрежево́й) City District Administration – 221GB
495,000 emails from the Russian firm Technotec, which has provided oil and gas field services along with chemical reagents used in oil production and transportation – 440GB
768,000 emails from Gazprom Linde Engineering, which specializes in designing gas and petrochemical processing facilities and oil refineries – 728GB
13 April 2022 – 17:09 UTC
CISA Issues Alert About Destructive Malware Targeting US Critical Infrastructure
A joint advisory issued by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) details how nation-state actors (likely sponsored by the Russian government) have demonstrated the capability to gain full system access to multiple industrial control system (ICS) and affiliated supervisory control and data acquisition (SCADA) devices. The critical alert indicated there is an immediate HIGH cybersecurity risk to critical infrastructure across the US. The devices include:
Schneider Electric programmable logic controllers (PLCs);
OMRON Sysmac NEX PLCs; and
Open Platform Communications Unified Architecture (OPC UA) servers.
ATW | Blue Hornet Announces That They are a “State-Sponsored” Group
The “GOD” account representing AgainstTheWest (APT49) on the new Breached Forums (which has attracted many users from the now officially seized RaidForums) announced moments ago that they are indeed a “state-sponsored” cyber group with “direct instructions to infiltrate, attack and leak the country of China, Russia, Iran, North Korea & Belarus.” The group’s Twitter account was also blocked by Russia’s Kremlin account earlier this week, and the notification of this block was included in the post.
There is no way to verify the accuracy of the statement posted, and it’s unclear whether or not the group will continue their operations in support of Ukraine.
11 April 2022 – TIME UNKNOWN
CONTI Claims Responsibility for Cyberattack Against German Wind Turbine Company
On the 31st of March, Nordex, a wind turbine manufacturer in Germany, suffered a significant cyberattack. CONTI has claimed responsibility for the attack (over 10 days later), posting the company’s name to the group’s public-facing Tor leak site of victims. We anticipate that sensitive corporate data will be leaked by the RaaS gang shortly.
11 April 2022 – 20:58 UTC
Anonymous Compromises Regional Government of Tver, Russia; Leaks 130,000 Emails from Governor’s Mail Server
Hacktivists from the Anonymous collective using the monikers DepaixPorteur and wh1t3sh4d0w0x90 have compromised the domain tverreg[.]ru, believed to be associated with the Regional Government of Tver, Russia. Tver is located 110 miles (180km) northwest of Moscow on the banks of the Volga River. The archive is over 116GB in size and consists of over 130,000 emails exfiltrated from Governor Igor Rudenya’s email system, dating from 2016 through 2022. The governor was appointed by President Putin in 2016.
Anonymous shared a leak consisting of Russian regional governors on the darknet on 23 March 2022.
11 April 2022 – 14:35 UTC
Finland Suffers Cyberattack; Announces They Will Expedite Application for NATO Membership
On April 8th, the Finnish government confirmed that many of its military, defense, and foreign affairs webservers experienced unsophisticated yet concerted DDoS attacks, likely originating from Russian threat actors. The cyberattacks occurred just as Ukrainian President Zelenskyy began addressing the Finnish Parliament on the status of the war in Ukraine, around 10:30 GMT.
On the same day, the Finnish Ministry of Defense confirmed that, hours earlier, a Russian state-owned aircraft had also breached Finland’s airspace off Porvoo in the Gulf of Finland, the first such violation in over 2 years. The aircraft, an Ilyushin IL-96-300 transport airplane, was traveling east to west and landed in Berlin.
Both Finland and Sweden have signaled they will be submitting applications to join NATO. According to open-source reporting, Finland will likely finalize their application during the month of May in time for a NATO summit scheduled in Madrid, Spain in June.
Kremlin spokesman Dmitry Peskov stated that Russia would have to “rebalance the situation” with its own measures should Sweden and Finland choose to join NATO.
09 April 2022 – 03:39 UTC
ATW | BH Group Leaks Data Stolen from Russian Temporary Work Agency and Recruitment Firm: Rabotut
AgainstTheWest (Blue Hornet) announced on their Telegram channel that they have successfully targeted the domain rabotut[.]ru, belonging to Rabotut, a “federal scale service” supplier in Russia. According to the threat actor, the archive includes the organization’s entire backend and frontend source code, API keys, and SSL keys. According to open sources, Rabotut is a temporary worker agency that provides contract employees to a number of critical government and corporate businesses around the country.
The contents of the leak are in the process of verification by DarkOwl analysts.
08 April 2022 – 21:41 UTC
KelvinSecurity Team Targets Russian Cryptocurrency Scam Website: alfa-finrase
KelvinSec released data reportedly from the domain alfa-finrase[.]com, known for trading in fraud data, e.g. passports, driver’s licenses, and other sensitive PII. The group claims to have exploited the website, shut down a cryptocurrency scam, deleted 400GB from the site’s server, and exposed 1.4GB of customer data from the deep web store.
07 April 2022 – 19:30 UTC
DDoSecrets Leaks Over 400,000 Russian Organization Emails Exfiltrated by Anonymous Operations
The leak site DDoSecrets once again assisted the Anonymous hacktivist collective in distributing sensitive data exfiltrated from companies and organizations in Russia. Three archives were leaked, within minutes of each other, for three organizations: Petrofort, Aerogas, and Forest. The data in these corporate email archives spans decades of commercial activity.
Petrofort: 244GB archive consisting of over 300,000 emails between employees and clients. Petrofort operates some of the largest office spaces and business centers in Saint Petersburg.
Aerogas: 145GB archive consisting of over 100,000 emails between employees and clients. Aerogas is an engineering company supporting Russia’s critical oil and gas infrastructure and firms such as Rosneft, NOVATEK, Volgagaz and Purneft.
Forest (Форест): 35GB archive consisting of over 37,000 emails between employees and clients. Forest is a Russian logging and wood manufacturing company associated with many high-value construction projects across the country.
A representative from DDoSecrets shared thoughts about the extraordinary volume of leak data coming out of Russia in a social media post earlier this week.
06 April 2022 – 21:42 UTC
Anonymous Claims to Attack Russian MAUK Cinema, Mirkino Belebey
Members of Anonymous using the aliases ShadowS3c and Anonfearless3c have allegedly targeted servers for the Russian cinema and movie theatre Mirkino Belebey (domain: mirkino-belebey[.]ru). The Mirkino theatre is also known as the MAUK Cinema, a.k.a. “World of Cinema,” in the Belebeevsky District of Russia.
The hacktivists have leaked screenshots with credential data from the breached database, containing hundreds of usernames, email addresses, and passwords.
This entry will be updated if/when the leak contents can be confirmed.
06 April 2022 – 20:42 UTC
Hajun Project Identifies Russian Soldiers Who Sent Parcels from Belarus Back to Russia
On April 3rd, the Hajun Project published three hours of surveillance camera footage from a CDEK delivery service office located in Mazyr, Belarus. The video shows several soldiers from the Russian Armed Forces sending, among other things, items stolen from Ukrainians during their “special military operation.”
Using leaked personal data available across the darknet and deep web, the Hajun Project further confirmed the identities of the Russian military consignors and has released the names and phone numbers of at least 50 of the servicemen who sent parcels around the same time as the published camera footage.
The Hajun Project maintains a Telegram channel and Twitter account monitoring and tracking the movement of military land and air assets in Belarus.
05 April 2022 – 16:22 UTC
Ukraine’s Defense Intelligence Agency (GURMO) Conducts SCADA Attacks on Gazprom
Due to the sensitivities of on-going military operations, there is limited detail available on the nature of the attack, but it appears that offensive cyber units under the direction of the Main Directorate of Intelligence for the Ministry of Defense of Ukraine conducted SCADA cyberattacks against Gazprom pipelines. The attacks began within 48 hours of a fire at an oil depot in Russia’s Belgorod region last Friday, which western media reported was the first time Ukrainian helicopters had been spotted crossing the border.
The cyberattacks likely triggered an underground gas leak from a highly pressurized gas pipeline in the village of Verkhnevilyuysk; the leak was reported in Russian open sources. Shortly after this, an explosion occurred in the main gas pipeline “Urengoy-Center-2”, which civilians captured on the Russian social media platform VK as a large fire in the Lysvensky district of the Kama region near the village of Matveevo.
Over-pressurizing gas lines by disrupting industrial control systems (ICS) is a documented method of using cyber means to cause kinetic damage to pipeline critical infrastructure. The Congressional Research Service detailed such security risks to ICS in its 2021 report.
05 April 2022 – 14:21 UTC
Anonymous Leaks Data from Russian Rations Supplier, Korolevskiy
The company, Korolevskiy (korolevskiy[.]ru), appears to supply Russian companies and organizations with grain, nuts, and confectionery in addition to rations for the military. This cyberattack could impact the availability of some food ingredient supplies, such as sugar, which is already in short supply and skyrocketing in price across the country due to sanctions.
The data leak includes an 82GB archive containing thousands of emails exfiltrated from the company’s mail servers.
05 April 2022 – 12:29 UTC
nb65 Claims to Hack Civilian Travel Service in Retaliation for Bucha Massacre
Anonymous and hacktivists around the world stepped up their offensive against Russia after images of Russian soldiers’ war crimes and atrocities against civilians in Bucha emerged on Monday.
Network Battalion 65 (nb65) reportedly targeted Continent Express (continent[.]ru), a Russia-based travel and supply company, with Conti’s ransomware variant in retaliation for the crimes.
Continent Express is one of the largest travel agencies in Russia and helps arrange tickets and accommodations. As of the time of writing, the company’s public-facing website is operational.
The group’s threatening message posted to social media called out the company’s CEO, Stanislav Kostyashkin, in the image below.
“Why, you ask? The answer is simple. We read and watched the coverage of Bucha with horror. The utter lack of humanity in the way Russian soldiers have treated the civilian population of Ukraine left us all in tears. The world has pleaded with your country to put an end to this madness driven by the mind of a cowardly tyrant: your president.”
(Update 6 April 2022) Earlier today, Continent Express posted to the news section of their website acknowledging the cyberattack but stated that important data and booking systems were not affected.
04 April 2022 – 12:29 UTC
DDoSecrets Distributes Data Exfiltrated by nb65 From Russian Broadcasting Company
Earlier in the campaign, nb65 leaked a sample of files and emails from All-Russia’s State Television and Broadcasting Company (VGTRK / ВГТРК). The Russian state-owned broadcaster operates five national TV stations, two international networks, five radio stations, and over 80 regional TV and radio networks and has been heralded as essential for the “security of the state.”
According to former VGTRK employees, Kremlin officials have dictated how the news should be covered, and provided incendiary phrases meant to discredit Ukraine. According to the former employees, editors normally have freedom to make decisions, but “where big politics are concerned, war and peace, he has no freedom.”
The 786 GB archive contains over 900,000 emails and 4,000 files spanning 20 years of operations at the broadcaster.
04 April 2022 – 06:24 UTC
Anonymous Leaks List of Russian Soldiers Deployed in Bucha
Anonymous shared a PDF file containing the identities of the members of Russia’s 64th Motor Rifle Brigade that was positioned in the Kyiv suburb of Bucha. Since Russia’s withdrawal from the town, the atrocities and war crimes carried out by members of the Brigade have come to light.
The PDF consists of 87 pages detailing the identities of over 1,600 members of the Brigade, including their full name, date of birth, and passport number.
The file most likely originated from the Ukrainian government or intelligence services.
03 April 2022 – 06:16 UTC
Anonymous Shares Data Leaked from Russian Federal Agency for State Property Management
Anonymous shared a single PostgreSQL database, presumably from the domain rosim.gov.ru, containing over 785MB of logged domain Internet activity accessible via the domain user: kluser. Much of the data is several years old, including IP addresses, domains, and user agents of site visitors. Without further analysis, the value of leaking this data, other than for psychological operations and information warfare, is unclear.
03 April 2022 – 05:07 UTC
nb65 Claims to Compromise Russian Gas Pipeline Supplier: SSK Gazregion
nb65 shared on social media that they have successfully hacked SSK Gazregion LLC (domain: ssk-gaz.ru) – a prominent natural gas pipeline construction company – with an ‘improved’ version of Conti’s ransomware. They taunted the company’s IT department, claiming that they also deleted all backups and restoring services would be an issue for the department.
They also claim to have exfiltrated 110GB of sensitive files, emails, and company data during the operation and trolled the company further stating it took forever to steal the data with the “chincy ass soviet connection” they were using for Internet connectivity.
“Federal Government: This will stop as soon as you cease all activity in Ukraine. Until then, fuck you. Your President is a coward who sends Russian sons away to die for his own ego. War in Ukraine will gain your country nothing but death and more sanctions. None of your internet facing tech is off limits to us.”
“We won’t stop until you stop.”
03 April 2022 – 04:24 UTC
ATW Release Dox of KILLNET Member
Similar to the personal details it shared for various APT cyber groups in China, Russia, and North Korea, ATW targeted the pro-Russian cyber group KILLNET. They released a dox containing a Russian national’s personal information, social media, contact information, and familial associations.
KILLNET claimed to launch cyberattacks against Polish government and financial networks in support of Putin’s invasion in Ukraine. Last week, KILLNET also reportedly conducted DDoS attacks against the International Cyber Police agency, CYBERPOL and hacked the ticketing system at Bradley International Airport in Connecticut.
02 April 2022 – 17:28 UTC
Darknet Threat Actor, spectre123 Releases Sensitive Databases for the Indian Government and Military
The threat actor is well known for targeting governments and defence contractors and has been circulating sensitive government databases for some time. This weekend, they released a “mega leak” of Indian government data in response to the PM Modi administration’s “turning a blind eye to the humanitarian crisis…. in Ukraine.”
Over 40 GB of data is included in 11 different archived files and includes classified (up to TOP SECRET) and Confidential government documents from the following sectors: ALISDA, DGAQA, MSQAA, DRDO, DDP, Joint Defence Secretary India, BSF, MOD and the Indian Navy.
“The Indian government has a remarkably twisted propensity towards turning a blind eye to the humanitarian crisis in their own nation and now as well in Ukraine. It continues to do business with Russia and refuses to speak on the war, all in an effort to maintain their shallow political interests. These documents have been released to show that there are consequences for taking such foolish decisions.”
02 April 2022 – 06:13 UTC
ATW | BH Claims to Leak Personal Details of Members of Nation State APT Cyber Groups: APT3, APT40, APT38, & APT28
The AgainstTheWest group continued their offensive against Chinese, North Korean, and Russian nation state cyber groups. Releasing a dox-style text file on Telegram and the deep web forum breached.co, the ATW group included the names, email addresses, social media and GitHub accounts, credit card data, front companies, and other identifying information about the groups’ participants, along with other shocking claims. Some include:
APT38: China and North Korea have collaboratively had a mole inside the United States Congress since 2011.
APT3: Threat actors are closely aligned with employees from Tencent – the Chinese technological giant behind WeChat and QQ.
APT38/APT3: The alias “ph4nt0m” appears in information for both groups and is believed to be affiliated with APT17 from China.
APT40: Threat actors are randomly connected to employees of ByteDance, the parent company for TikTok.
We are unfortunately unable to corroborate the veracity of the information shared by ATW (Blue Hornet).
Anonymous shared another large archive of data stolen from a prominent Russian defense manufacturing facility. The archive is nearly 27GB total and consists of company emails and sensitive documents.
Russia’s “Lipetsk Mechanical Plant” produces several defense products for the Russian military and industrial defense complex. Today, the plant is one of the leading and main manufacturers of modernized self-propelled tractors for S-300V4 anti-aircraft missile systems in Russia. The S-300 is one of Russia’s premier air-defense platforms.
01 April 2022 – 16:00 UTC
Anonymous Leaks Multiple Data Archives From Critical Moscow-Based Organizations
Coordinating today through DDoSecrets on distribution, Anonymous shared several highly significant archives, consisting of over 500GB total of emails, files, and databases from critical Russian organizations with close ties to the Russian government.
Department for Church Charity and Social Service of the Russian Orthodox Church: Database containing 57,500 emails from the Russian Orthodox Church’s charitable wing.
Capital Legal Services: 200,000 emails exfiltrated from a prominent Russian law firm; an additional 89,000 emails are located in a “Purges” mailbox, consisting largely of bounced email notifications, cron jobs and other server notifications.
Mosekspertiza: Three archives consisting of a) 150,000 emails, b) 8,200 files and c) multiple databases, totalling over 400GB of data. Mosekspertiza is a state-owned company set up by the Moscow Chamber of Commerce to provide expert services and consultations to Russian businesses.
1 April 2022 – 08:56 UTC
GhostSec Wreaks Additional Havoc on Alibaba
After ATW attacked Alibaba Cloud days before, Ghost Security has allegedly hacked and deleted the ElasticSearch service database of Alibaba’s UAE branch. They included a link to the database extracted from the company on their Telegram channel.
We have also deleted everything and even cleared the backups so there is no recovery, and we left a little celebration from us <3
31 March 2022 – TIME UNKNOWN
German Wind Turbine Company Impacted by Cyberattack
The German wind turbine manufacturer Nordex, with over $6 billion in global sales, faced a cyberattack that incident responders caught “in the early stages.” It is likely the attack is retaliation for Germany pausing the Nord Stream 2 natural gas pipeline deal with Russia.
“Customers, employees, and other stakeholders may be affected by the shutdown of several IT systems. The Nordex Group will provide further updates when more information is available.”
In the early days of the cyberwar, a cyberattack on the satellite communications company Viasat caused 5,800 Enercon wind turbines in Germany to malfunction.
31 March 2022 – 19:43 UTC
Anonymous Leaks 62,000 Emails from Moscow-Based Marathon Group
Anonymous again targets associates of those closest to Putin, launching recent cyberattacks against Marathon Group. The Marathon Group is an investment firm owned by Alexander Vinokurov. Vinokurov is the son-in-law of Russian Foreign Minister Sergei Lavrov and is under heavy sanctions by the EU for providing financial support to Russia. The leaked archive is over 51GB in size and is being distributed via DDoSecrets.
31 March 2022 – 14:31 UTC
Ukraine Government Sets Up Website for Whistleblower Reporting
The Ukrainian Prosecutor General’s Office, in coordination with the National Agency on Corruption Prevention and Task Force Ukraine, deployed the Whistleblower Portal on the Assets of Persons Involved in the Russian Aggression against Ukraine. The website is set up to provide a secure and anonymous method for the submission of tips and evidence of corruption and any activities causing national harm. The website will ideally help in the “tracing, freezing, and confiscating of assets of those involved in Russia’s War Crimes.”
Many OSINT sleuths have identified Russian oligarchs’ and government officials’ assets, like super yachts parked in international ports, and submitted photographs via posts on social media. This website could be used to officially report supporting information leading to the seizure of those assets, or other correlative intelligence obtained through leaks shared by Anonymous.
30 March 2022 – 22:09 UTC
Database Containing the PII of 56 Million Ukrainian Citizens Leaked on Deep Web
A user on the forum breached.co leaked an archive containing the personal identification information of over 56 million citizens of Ukraine. The database includes the full name, date of birth, and address for each individual. The origins of the data are unclear. Members of the forum stated it was from the Ukrainian Tax Service and could date back to 2018.
30 March 2022 – 21:53 UTC
ATW Continues Offensive Against China, Leaks Alibaba Cloud & Ministry of Justice of PRC Data
The AgainstTheWest/Blue Hornet group have ramped up their attacks against Chinese targets and leaked the largest archive they have exfiltrated to date. ATW successfully breached the e-commerce company Alibaba and have dropped a 30GB archive consisting of Alibaba’s cloud endpoint environment, source code, and customer data. They also released a smaller database obtained from the Ministry of Justice of the People’s Republic of China. Both were shared to the deep web forum, breached.co.
30 March 2022 – 19:49 UTC
Anonymous Continues to Encourage SCADA Attacks; Leaks Default Credentials for COTS Hardware Suppliers
Members of the Anonymous Collective are circulating spreadsheets and websites containing the default factory credentials for most commercial-off-the-shelf (COTS) vendor hardware. Such hardware is, in turn, often affiliated with and successfully exploited via SCADA-based industrial control system (ICS) cyberattacks.
One list includes 138 unique products from manufacturers such as Emerson, General Electric, Hirschmann, and Schneider Electric, accompanied by default factory settings such as username: admin and password: default. Another resource is a surface web website (intentionally not included but available upon request) which lists 531 vendors and over 2,100 passwords deployed with hardware from the factory.
Sadly, most companies will continue to rely on the default passwords after installation and do not bother updating to a more robust credential security standard.
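A defender-side check for the risk described above, added here as an example and not code from the original post or from any of the groups it mentions: it audits a device inventory against a table of vendor default credentials and reports devices still running with factory logins, plus devices the table does not cover. The vendor names come from the entry above; the product names, default values and inventory records are constructed placeholders.

```python
"""Audit an ICS/COTS device inventory for factory-default credentials.

Added example. The default-credential table and the inventory below are
constructed placeholders, not the leaked lists referenced in the post.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed table of vendor defaults, keyed by (vendor, product).
# The circulated lists have hundreds of rows; a real audit would load one
# from a vetted internal source rather than hard-code it here.
DEFAULT_CREDS: Dict[Tuple[str, str], List[Tuple[str, str]]] = {
    ("emerson", "example-rtu"): [("admin", "default")],
    ("schneider electric", "example-plc"): [("admin", "admin"), ("user", "user")],
    ("hirschmann", "example-switch"): [("admin", "private")],
}


@dataclass
class Device:
    vendor: str
    product: str
    username: str
    password: str
    ip: str


def _norm(value: str) -> str:
    """Normalise vendor/product/username strings: trim, lower-case, collapse spaces."""
    return " ".join(value.strip().lower().split())


def is_factory_default(dev: Device) -> bool:
    """True if the device's configured login matches a known vendor default.

    Usernames are compared case-insensitively; passwords are compared exactly,
    because a device that changed only the case of its password is not on the
    published default.
    """
    pairs = DEFAULT_CREDS.get((_norm(dev.vendor), _norm(dev.product)), [])
    return any(_norm(dev.username) == user and dev.password == pw for user, pw in pairs)


def audit(devices: List[Device]) -> Dict[str, List[Device]]:
    """Split an inventory into devices on factory defaults and devices not covered.

    "default":   credentials match a row in DEFAULT_CREDS (fix these first)
    "unchecked": vendor/product has no entry in the table (verify by hand)
    """
    report: Dict[str, List[Device]] = {"default": [], "unchecked": []}
    for dev in devices:
        if (_norm(dev.vendor), _norm(dev.product)) not in DEFAULT_CREDS:
            report["unchecked"].append(dev)
        elif is_factory_default(dev):
            report["default"].append(dev)
    return report


# Constructed inventory; the IPs are private placeholders.
INVENTORY = [
    Device("Emerson", "Example-RTU", "admin", "default", "10.0.0.11"),        # still default
    Device("Schneider Electric", "example-plc", "user", "user", "10.0.0.12"),  # still default
    Device("Schneider Electric", "example-plc", "admin", "Str0ng!pass", "10.0.0.13"),  # changed
    Device("Hirschmann", "example-switch", "admin", "PRIVATE", "10.0.0.14"),   # changed (case)
    Device("GE", "example-hmi", "admin", "admin", "10.0.0.15"),              # not in table
]


if __name__ == "__main__":
    result = audit(INVENTORY)
    for dev in result["default"]:
        print(f"FACTORY DEFAULT  {dev.ip:<12} {dev.vendor} {dev.product} ({dev.username})")
    for dev in result["unchecked"]:
        print(f"NOT IN TABLE     {dev.ip:<12} {dev.vendor} {dev.product}")
```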
30 March 2022 – 18:19 UTC
Anonymous Leaks 5,500 Emails Stolen from Thozis Corporation
Anonymous successfully attacked Thozis Corporation – a Russian investment firm with links to Zakhar Smushkin of St. Petersburg. According to the Panama Papers, the company is registered in the British Virgin Islands. The firm is allegedly involved in one of the largest development projects in Russia, including a project to build a satellite city within St. Petersburg.
The trove of leaked emails likely includes sensitive documents and agreements between the Russian government, its societal elite, and other international entities.
DDoSecrets assisted in the publication of the 5.9GB archive obtained by Anonymous.
30 March 2022 – 17:55 UTC
GhostSec Leaks Shambala Casino Network Data
GhostSec claimed a few days ago they had successfully attacked a prominent casino operator in Russia, known as Shambala.
The hacktivist group targeted the casino as they believed members of the Russian government used Russian casinos to move cash into different currencies besides the Ruble. At least 27 computers were reportedly compromised, data exfiltrated, systems locked, and files erased.
29 March 2022 – 06:12 UTC
Russian Aviation Sector Suffers Additional IT Operational Impacts
A post shared on the Russian Telegram channel Авиаторщина indicates that Russia’s aviation industry will see additional impacts to its IT support with the withdrawal of the Swiss-based company SITA as of 29 March.
According to the Telegram post, SITA shutting down its operations will impact numerous systems utilized by the aviation industry and airlines across Russia.
[translated]
“Products for pilots such as AIRCOM Datalink, AIRCOM FlightMessenger, AIRCOM FlightTracker, and AIRCOM Flight Planning services will no longer be available. Such software is utilized by airlines and flight crews to plan, perform aeronautical calculations and track flights, and more accurately calculate remaining fuel, flight time, etc.”
The company – choosing to withdraw from operating in Russia due to Putin’s invasion – suffered a significant cyberattack on 24 February, the same day as the invasion of Ukraine, resulting in the compromise of passenger data stored on its SITA Passenger Service System (US) Inc. servers. SITA supports numerous international air carriers.
This announcement comes within days of the cyberattack against Rosaviatsiya (see below), Russia’s Federal Air Transport Authority.
(Update 30 March – 23:42 UTC) No alias associated with Anonymous has claimed credit for the 28 March cyberattacks against Rosaviatsiya, which resulted in 65TB of lost agency data. Interestingly, new Anonymous groups have only recently joined the campaign, including RedCult, increasing the likelihood that widespread industry sector attacks will continue across Russia.
28 March 2022 – 18:23 UTC
nb65 Claims to Hack JSC Mosexpertiza; Steals 450GB of Sensitive Data
In a social media post, nb65 hacktivist group claims they compromised Joint Stock Company (JSC) Mosexpertiza, Moscow’s independent center for expertise and certifications, via the domain mosekspertiza.ru.
They also claim to have infected the domain with none other than Conti’s “crypto-locking ransomware variant”, released earlier this month in the opRussia campaign. In the process of hacking the network, nb65 also exfiltrated 450GB of emails, internal documents, and financial data.
28 March 2022 – 17:07 UTC
Anonymous Leaks 140,000 Emails from Russian Oil & Gas Company, MashOil
Distributed via DDoSecrets, the Anonymous hacktivist collective recently targeted MashOil, releasing over 140,000 sensitive corporate emails from the company.
Moscow-based MashOil manufactures equipment for hydraulic fracturing and enhanced oil recovery (EOR); injection, nitrogen and cementing equipment; top drive mobile drilling rigs; directional drilling equipment; and ejector well clean-up.
Anonymous continues to target companies in Russia and any companies that continue to contribute to economic and financial viability for the Russian Federation.
28 March 2022 – 12:41 UTC
Anonymous Leaks Russian Document Ordering Propaganda Video Development
Propaganda is widely circulated by both Ukrainian and Russian affiliated organizations. Anonymous has leaked an official Russian document, titled “On holding informational events on the Internet” and dated 21 March 2022, which it states was an official “order issued” by the Russian government to develop videos discrediting the Ukrainian military and their treatment of prisoners of war (POWs). The order was signed by the “Temporary Minister of Defense of the Russian Federation”, Dmitry Bulgakov, and decrees:
Develop and distribute a series of video materials demonstrating the inhuman behavior of the military personnel of the Armed Forces of Ukraine and nationalist formations on the territory of Ukraine in relation to prisoners who showed a voluntary desire to surrender
Develop and distribute sermographic materials, evidence of the use of briefings by captured military personnel of the Armed Forces of the Russian Federation during the filming
Provide informational support for materials in the comments, the main argument is the violation of the Geneva Convention on the Treatment of Prisoners
To impose control over the implementation of this order on the head of the Information Warfare and Disguise Department of the Ministry of Defense of the Russian Federation
(UPDATE 29 March 2022 – 20:56 UTC) DarkOwl advises that recent open source intelligence research suggests this letter could be fake and disseminated as part of an information operations campaign. Researchers caught signature mismatches for the Russian official, Bulgakov. Such data is a reality in the fog of asymmetric warfare.
The Ukrainian Military Intelligence Agency of the Ministry of Defence of Ukraine, known simply as Defence Intelligence of Ukraine or GUR, has leaked the identities of over 600 Russian FSB spies. The database includes the agents’ full names, dates of birth, passport numbers, passport dates of issue, registration addresses, as well as other identifying markers for the FSB employees.
Many of these agents may be conducting covert operations around the world and leaking their identities may compromise the success of their operations.
28 March 2022 – 11:05 UTC
ATW (BH) Targets Chinese Companies and Government Organizations
After a brief vacation announced on 23 March, the AgainstTheWest (Blue_Hornet) group returns with concerted attacks against a number of Chinese companies and government organizations. The group claims they successfully attacked the following:
The group also referenced a supply-chain software dependency attack, via a poisoned burgeon-r3 NPM package.
Shortly after the announcement and initial round of leaks, the group also released source code affiliated with China Guangfa Bank, along with associated Maven releases. The group also claims to have breached the Chinese social messaging platform WeChat.
We are still evaluating the data and determining the specific types of data compromised and released.
28 March 2022 – 03:22 UTC
Russian Federal Air Transport Agency, Rosaviatsiya Confirms CyberAttack; 65TB of Data Erased
The civil aviation agency Rosaviatsiya, responsible for air cargo transportation, confirmed in a letter shared on the Russian Telegram channel Авиаторщина that its website domain favt.ru had been offline since Saturday due to a significant cyberattack. The attacks had severely impacted the agency’s ability to plan and conduct flight operations, and it had resorted to pen-and-paper-based operations in the interim.
The notice stated that over 65TB of emails, files and critical documents had been allegedly erased along with the registry of aircraft and aviation personnel. There were no systems backups to restore from because according to the agency spokesperson, the Ministry of Finance had not allocated funds to purchase backups.
“All incoming and outgoing emails for 1.5 years have been lost. We don’t know how to work…”
“The attack occurred due to poor-quality performance of contractual obligations on the part of the company LLC ‘InfAvia’, which carries out the operation of the IT infrastructure of the Federal Air Transport Agency.”
27 March 2022 – 20:44 UTC
Anonymous Leaks 2.4GB of Emails from Russian Construction Company, RostProekt
Over the weekend, DDoSecrets helped Anonymous distribute over 2 gigabytes of sensitive company emails exfiltrated by breaching a prominent Russian construction company, RostProekt (in Russian: РостПроект). The company primarily operates in Russia, with the head office in Moscow Oblast. RostProekt is a primary contributor to Russia’s lumber and other construction materials merchant wholesalers sector. The breach may impact construction projects in the country.
As of time of writing, the website for the company is online.
25 March 2022 – 20:36 UTC
nb65 Leaks Sample Internal Data from the All-Russian State Television and Radio Broadcasting Company (VGTRK)
The nb65 hacktivist team targeted and released data affiliated with a state-sponsored propaganda broadcasting company of the Russian Federation, VGTRK. The All-Russia State Television and Radio Broadcasting Company, also known as Russian Television and Radio (native: Всероссийская государственная телевизионная и радиовещательная компания) owns and operates five national television stations, two international networks, five radio stations, and over 80 regional TV and radio networks. It also runs the information agency Rossiya Segodnya.
nb65 claims they have successfully compromised the organization’s network and exfiltrated over 750GB of data, much of which consists of employee email (.pst) files from the company’s email network. The group claims to be ‘watching’ for their ‘eventual incident response.’
The group continued to troll the organization…
“Your blue team kinda sucks. Hard to find good IT help when all your techies are fleeing the country, eh?”
25 March 2022 – 18:36 UTC
Anonymous Releases Files Exfiltrated from the Central Bank of Russia
Anonymous has released data the hacktivists collected while conducting attacks against the Central Bank of Russia. The archive, broken up into 10 separate parts consists of over 25GB of archived data consisting of over 35,000 files of sensitive bank data. Earlier in the campaign, we observed several posts containing targeting information, e.g. domains, IP addresses, etc for the bank on the deep web.
24 March 2022 – 20:49 UTC
GNG Claims to Hack Russian Mail Server, mail.ru
Georgia’s Society of Hackers (GNG) announced today that they successfully attacked Russia’s equivalent of Gmail, mail.ru, including its maps.mail.ru subdomain. The hacktivist group is in the process of exfiltrating the data and will provide the detailed data dump in the next few days.
As of time of writing this, the maps.mail.ru website is online and operational.
24 March 2022 – 14:11 UTC
Anonymous Shares Proof of Hacked ATMs in Russia
Earlier today, users at what appears to be a Sberbank ATM reportedly located in Russia experienced technical errors when selecting the Russian language on the screen. Upon selection, the ATM monitor quickly flashes to the Ukrainian flag and the words Glory to Ukraine (Слава Україні!). See the captured video here.
ATM malware is widely circulated on the darknet and used extensively in the fraud and financial crime communities.
24 March 2022 – 10:43 UTC
Pro-Russian Killnet Launches Anonymous-Style Campaign Against Ukraine – Targets Poland and NATO
The pro-Russian cyber threat actor group Killnet has been conducting attacks against Ukraine for several weeks and has stepped up its demands and threats against Ukraine and western Europe. Today, the group released a video on social media mirroring the ominous messaging of an Anonymous-style video, with the Russian flag in the background. During the video, the group stated it would attack targets in Poland for their assistance to the Ukrainian government during the invasion. They also recently posted specific targeting information for the National Bank of Poland on their Telegram channel.
“…together with the Russian cyber army, we disabled 57 state websites of the Kiev regime, 19 websites of nationalist parties…”
The group also referred to the Colonial Pipeline attack in the US from May 2021.
[translated] “Let’s remember American gas company attack, which resulted in 40% paralyzed infrastructure of America for few days.”
23 March 2022 – 16:45 UTC
AnonGhost Claims to Hack Russian Street Lighting System and Drops Proofs of Access to Moxa Industrial Wireless Networking Infrastructure
AnonGhost, known for their attacks against industrial control systems, continued their campaign against Russia by targeting the МонтажРегионСтрой г. Рязань street light control system. They stated they successfully shut off the street lights at 19:35 Moscow time and that it was a “gorgeous show.”
Shortly before announcing the breach of the lighting control panel, AnonGhost also provided proof of access to Moxa (moxa.com) industrial networking devices. They leaked proof of access to router information for an industrial wireless Moxa device and its associated OnCell specifications, along with defacement of the device’s name, description, and login message.
In addition to the proofs they linked to a pastebin file containing over 100 Russian Moxa IP addresses for additional targeting.
It’s unclear where the Moxa device compromise is physically located or whether the Moxa compromise provides direct access to the streetlight control system.
23 March 2022 – 02:44 UTC
BeeHive Cybersecurity Claims They Are Running Ransomware Campaigns Against Russian Targets
Just when one thought they only hijacked Discord users and trolled pro-Russian ‘hackers’ like @a_lead_1, BeeHive Cybersecurity claims they have been quiet because they are running ransomware operations against targets across Russia.
Oh, in case you guys were curious why we’ve been so quiet. May or may not have a new #ransomware operation running in Ru right now. Alas, we find allies quicker than Putin finds ways to invade Ukraine. We’ll have more details soon but…consider this the public disclosure.
This would not be the first Russia-specific ransomware variant to emerge. According to Trend Micro, RURansom was detected targeting Russian-specific devices, using AES-CBC encryption with a hard-coded salt. Another recently detected ransomware variant, known as “Antiwar”, appends the file extension “putinwillburninhell” to encrypted files.
22 March 2022 – 19:14 UTC
ATW (Blue Hornet) Compromises Russia’s Hydrometeorology and Environmental Monitoring Service with Bitbucket
The AgainstTheWest / Blue Hornet team has recently leaked several internal documents from Russia’s Hydrometeorology and Environmental Monitoring service (spelled by the threat actors as ROSHYDRO). According to open sources, the monitoring service is hosted on the meteorf.ru domain. The data leak consists of 45 PDF files containing historical software change descriptions and feature requests from the organization’s internal software development tracking system. ATW refers to a superadmin account for the GIS FEB RAS Team on Bitbucket in the leak.
21 March 2022 – 22:44 UTC
ATW Returns to Campaign with Attacks Against Almaz-Antey
After a disruption in the ATW team’s cyber activities due to personal issues, the ATW/Blue Hornet team returns leaking a 9GB archive of data allegedly exfiltrated by breaching Almaz-Antey’s corporate networks. The data leak includes employee login data, multiple documents containing PII, confidential and classified intellectual property, schematics, and SQL database files.
Almaz-Antey (Russian: ОАО “Концерн ВКО “Алмаз-Антей”) is one of Russia’s largest defense and arms enterprises, known for the development of Russian anti-aircraft defense systems, cruise missiles, radar systems, artillery shells, and UAVs.
Hacktivists from the Anonymous collective have leaked data exfiltrated from Naumen, a software vendor and cloud services provider in Moscow. The company markets itself as “world class IT solutions fully adapted to the Russian market” and lists several prominent international companies as partners. The leaked data consists of an SQL database containing thousands of usernames, email addresses, hashed passwords, and associated PII. The specific purpose and origins of the database from inside Naumen is unclear, but partner companies could experience supply chain / vendor risk issues.
21 March 2022 – 03:27 UTC
KelvinSec Targets Nestle for Continued Commercial Operations in Russia
The KelvinSec ‘hacking’ team has reportedly compromised Nestle in retaliation for the company continuing to operate and distribute its products in Russia. The group leaked multiple databases from Nestle consisting of customer entity data, orders, payment information, and passwords (10 GB total). The group insisted it’s a “partial” database leak and that more data may be released in the future.
Nestle defended its business decision after President Zelenskyy called the company out to protestors on Saturday night in Bern, Switzerland.
(Update 3/22 – 01:48 UTC) Anonymous issues a warning and gives a number of US companies 48 hours’ notice to pull out of Russia or become targets of the #opRussia cyber offensive campaign. Example corporations include: Subway, Chevron, General Mills, Burger King, Citrix, and Cloudflare.
20 March 2022 – 23:33 UTC
Anonymous Compromises Russian Social Media VK to Send Message to Millions
Anonymous accesses VK’s messaging platform and sends direct messages to over 12 million Russian users of the social media app. The message, written in Russian, speaks to the realities of the war in Ukraine and the demise of the Russian economy, and threatens that users displaying the Russian “Z” insignia as their profile avatar will be targeted by international authorities.
VK users have shared proof of the message they received, confirming that the campaign on VK occurred.
20 March 2022 – 15:32 UTC
GhostSec Leaks Military Asset Monitoring System and More from Russian Networks
The leak includes data exfiltrated from a military operational readiness monitoring website (orf-monitor.com), including inventory tracking of key Russian military assets; a leak from a Russian investment company that includes recent Chinese contract data; and lastly, technical data leaked from the Russian defense contractor Kronshtadt, which includes computational specifications related to their UAVs, along with military operational doctrine, etc.
GhostSec teased on their Telegram channel that they had more data coming and that the archive they were sharing was a sample of a much bigger dataset.
20 March 2022 – 13:40 UTC
Honest Railworkers in Belarus Help Stop Lines Going to Ukraine
According to open source reporting and the hacktivist group known as Cyber Partisans, the railways going out of Belarus into Ukraine have stopped. Earlier in the campaign, Cyber Partisans disrupted rail operations in Belarus using cyber attacks against ticketing systems and switching systems; however, others report that the rails are inoperable due to “honest railworkers” who do not want to see Belarus military equipment transported into Ukraine for use in this war. (Source)
“I recently appealed to Belarusian railway workers not to carry out criminal orders and not transport Russian military forces in the direction of Ukraine. At the present moment, I can say that there is no railway connection between Ukraine and Belarus. I cannot discuss details, but I am grateful to Belarus’s railway workers for what they are doing” – Oleksandr Kamyshin, director of the Ukrzaliznytsya state railroad
20 March 2022 – 10:28 UTC
Arvin Club Takes Down STORMOUS Ransomware’s Tor Onion Service
Shortly after the STORMOUS ransomware gang set up a Tor onion service, the Arvin Club ransomware group compromised their site and leaked SQL databases, information, and performance schemas. It’s unclear whether this attack was motivated by STORMOUS’s Russian allegiance or whether Arvin merely wanted to teach the cyber criminals a lesson in setting up secure sites on the darknet.
The STORMOUS ransomware group had previously operated only on Telegram.
(UPDATE) As of 3/22 the Tor service is still offline.
20 March 2022 – 02:18 UTC
Anonymous Leaks Database from Russian Aerospace Company Utair
Hacktivists from the Anonymous collective have released the customer database of Russia’s Utair airline (Russian: ОАО «Авиакомпания «ЮТэйр»). The JSON database appears to have been collected long before the 2022 #opRussia campaign, as the MongoDB data is dated 2019. There are records containing personal data for over 530,000 clients using Utair’s services.
18 March 2022 – 21:29 UTC
nB65 Leaks Data from Russian Space Agency
After a disappointing trolling exercise against Kaspersky, the nb65 hacktivist group returns with data leaks from Russia’s space agency, Roscosmos. The group claims they still have persistent access to the agency’s vehicle management system and leaked the IP address of the compromised network to prove their access. The leaked data archive consists of over 360 MB of user and operations manuals, along with solar observatory logs.
Hours earlier, the group also claimed to have compromised tensor.ru and leaked 1.6 GB of emails from a corporate mailbox of the Russian digital signature company.
18 March 2022 – 15:39 UTC
Russia Targets Ukraine Red Cross Website in Cyber Attack
The Ukrainian Red Cross reported that their web servers have been hacked, likely by pro-Russian cyber threat actors. The website domain – redcross.org.ua – is currently offline with the statement “account disabled by administrator.”
The social media account for the Ukrainian Red Cross stated that no personal data of beneficiaries stored on the website was compromised by the cyber attack.
The Ukrainian Red Cross staff and volunteers are busy actively providing medical aid and support to vulnerable and wounded Ukrainian civilians across the country as the Russian military continues its barrage of cruise missile strikes.
17 March 2022 – 11:43 UTC
AnonGhost Leaks Screenshots of GNSS Satellite Hacks Along with IP Addresses
AnonGhost shared several screenshots as proof of attacks they conducted against Russia’s Trimble GNSS satellite interface. They claimed on social media that other “fake Anonymous” accounts had taken credit for the operation. They also leaked 48 unique IP addresses associated with the GNSS satellite systems. The group did not specify the nature of the attacks against the Russian assets.
17 March 2022 – 09:23 UTC
Anonymous Claims to Have Located Putin’s Bunker
Using OSINT analysis involving satellite imagery, topography, and comparisons of landmarks such as rivers and power plants, the Anonymous community claims to have located President Putin’s bunker. There is no means to verify the accuracy of these assertions.
cred: @paaja6 & @IamMrGrey2
17 March 2022 – 03:58 UTC
Anonymous Leaks 79 GB of Emails from R&D Department of Transneft – OMEGA
DDoSecrets released the data on behalf of Anonymous hackers operating in cyber campaigns against Russia. Anonymous compromised email inboxes of OMEGA Company, the R&D arm of Russia’s state-controlled pipeline company, Transneft [Транснефть]. Transneft is the world’s largest oil pipeline company, with over 70,000 kilometres (43,000 miles) of trunk pipelines, and transports an estimated 80% of oil and 30% of oil products produced in Russia. The emails cover the accounts’ most recent activity, including after the introduction of US sanctions on February 25, 2022. Some of the emails reflect the effects of those sanctions.
16 March 2022 – 10:47 UTC
Russian Foreign Intelligence Service (SVR) Requests Information via Tor
Russia’s external intelligence agency has issued instructions on how to establish secure communications via its Virtual Reception System (VRS) to relay any threats to the Russian Federation. The call for leads, found on svr.gov.ru, explains how to install the Tor anonymity network, gives the v3 .onion address of the agency’s secure communications system, and advises the informant to use PGP in order to further encrypt the details of any messages provided.
“If you are outside Russia and have important information regarding urgent threats to the security of the Russian Federation, you can safely and anonymously share it with us via the virtual reception system (VRS) of the SVR over the TOR network.”
If you are in a hostile environment and/or have reasons to worry about your security, do not use a device (smartphone, computer) registered to you or associated in any way with you or people from your personal settings for network access. Relate the importance of the information you want to send us with the security measures you are taking to protect yourself!
15 March 2022 – 11:48 UTC
Pro-Russian Group Xaknet Threatens to Attack Critical Infrastructure Information Centers
“We cannot endlessly give you ‘lessons of politeness.’ We demand the cessation of hacker attacks against Russian infrastructures, we demand the cessation of the activities of information centers for the dissemination of fakes.
In case of refusal, we will be forced to use the most sophisticated methods, and reserve the right to act as the enemy does. Critical information infrastructure facilities will become a priority target for the group. All work will be aimed at the complete destabilization of the activities of the aforementioned CIIs.”
It’s unclear from the threats which specific websites or services the cyber threat group considers critical infrastructure information services. The IT Army of Ukraine’s extensive information operations spread across nearly all social media platforms and communication channels across Russia.
15 March 2022 – 07:19 UTC
User on Telegram Leaks New Letter from FSB
A user on a pro-Ukrainian Telegram channel (name redacted) has released a new letter, reportedly from an FSB agent, translated into English.
“The temperature has really risen here, it’s hot and uncomfortable. I won’t be able to communicate for some time here in the future. I hope we can chat normally again in a few days. There are a lot of things that I have to share with you… The questions are raised by the FSO (Federal Protective Service of the Russian Federation, aka Putin’s Praetorian Guard) and the DKVR (Russian Military Counterintelligence Department). It is precisely the DKVR that is mounted on horseback and is looking for “moles” and traitors here (FSB) and in the Genstaff (General Staff of the Armed Forces of the Russian Federation) regarding leaks of Russian column movements in Ukraine. Now the task of each structure is to transfer the fault to others and to make the guilt of others more visible. Almost all members of the FSB are busy with this task at the moment.
The focus is on us more than others at the moment, due to the hellish circumstances regarding the intra-political situation in Ukraine: We (the FSB) have released reports that at least 2,000 trained civilians in every major city of Ukraine were ready to overthrow Zelensky (President of Ukraine). And that at least 5,000 civilians were ready to come out with flags against Zelensky at the call of Russia. You want to laugh? We (FSB) were supposed to be the judges to crown Ukrainian politicians who were supposed to start tearing each other apart arguing for the right to be called “Russia’s allies.” We even set criteria on how to select the brightest of the most competent (among Ukrainian politicians). Of course, some concerns have been raised about the possibility that we may not be able to attract a large number of people (Ukrainian politicians) to Western Ukraine, to small towns and to Lvov itself. What do we actually have? Berdyansk, Kherson, Mariupol, Kharkiv are the most populated pro-Russian areas (and there is no support for Russia even there). A plan can fall apart, a plan can be wrong. A plan can give a result of 90%, even 50%, or 10%. And that would be a total failure. Here it is 0.0%.
There is also a question: “How did this happen?” This question is actually a (misleading) trap. Because 0.0% is an estimate derived from many years of work by very serious (high-ranking) officials. And now it turns out that they are either agents of the enemy or simply incomprehensible (according to the FSO / DKVR who are now looking for “moles” within the FSB).
But the question does not end there. If they are so bad, then who appointed them and who controlled their work? It turns out that they are people of the same quality but of a higher rank. And where does this pyramid of responsibilities stop? At the boss (Putin). And this is where the evil games begin: Our dear Александр Васильевич (Alexander Vasilyevich Bortnikov – Director of the whole FSB) cannot fail to understand how badly he got caught. (Bortnikov realizes the deep mess he is in now)
And our evil spirits from the GRU (Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation) and the SVR (Foreign Intelligence Service – equivalent to the CIA) understand everything [and not only from these two organizations]. The situation is so bad that there are no limits to the possible variations (of events that will happen), but something extraordinary is going to happen.”
Shortly after a first letter from an FSB whistleblower surfaced around 5 March, Putin quietly placed his FSB chief, Sergei Beseda, and his deputy under house arrest last Sunday. While telling the public they were arrested on embezzlement charges, according to open-source reports the “real reason is unreliable, incomplete, and partially false information about the political situation in Ukraine”, and Putin is holding them responsible for the Ukrainians’ success against the invasion thus far.
14 March 2022 – 12:00 UTC
Russian State Duma of the Federal Assembly Confirms Censorship of VPNs
Calling it “a difficult task”, Alexander Khinshtein, chairman of the State Duma Committee on Information Policy, commented that Russia’s media and propaganda agency, Roskomnadzor, has been tasked with blocking over two dozen VPNs [virtual private networks] across Russia. (Source)
We anticipate that number to increase as Putin continues to crack down on Russian citizens’ media consumption.
VPNs have been targeted by Russian authorities since 2017, when an initial VPN law was passed. In 2019 many of the VPN providers across Russia received compliance demands from Roskomnadzor representatives via email – captured in the image below.
The demand for VPNs in the country has reportedly increased by over 2,000% in the last month. Users on Telegram encourage widespread use of anonymity tools like VPNs and Tor, and share links to VPN services still in operation and accessible in the region. Many of the VPNs are available via Telegram directly and offer free trial subscriptions to Russian users.
14 March 2022
Russian Cyber Actors Set Up IT Army of Russia Group
The collective of cyber threat actors self-identifies as the “IT Army of Russia”, mirroring the IT Army of Ukraine Telegram initiative, and claims it has targeted critical Ukrainian cyber services with DDoS attacks. The group has fewer than 100 subscribers, and many of the members are affiliated with the Killnet forum.
The group recently posted a detailed dox containing personal information for President Volodymyr Zelenskyy [in Ukrainian: Володимир Олександрович Зеленський]. The dossier contains specific information such as his date of birth, passport number, car registration details, and familial associations.
13 March 2022 – 09:31 UTC
Anonymous Germany Exfiltrates Data from Russian Rosneft Operations in Germany
An Anonymous hacktivist group from Germany, referring to themselves as “AnonLeaks”, had access to the networks of Russia’s Rosneft subsidiary in Deutschland for almost two weeks and exfiltrated over 20 terabytes of corporate data. According to a preliminary review, the data consists of laptop backups, virtual disk images, Excel files, work instructions, and other operational information for the refinery.
Anonymous Germany emphasizes they did not have access to critical infrastructure in Germany, nor was the intent of their operation to access critical infrastructure for the refinery or compromise it in any way.
Rosneft is Germany’s third-largest petroleum refining company, processing roughly 12.5 million tons of crude oil per year.
(Update) Details of the leaked data have appeared on a dedicated Tor darknet service set up by the hacktivists.
13 March 2022 – 07:19 UTC
nB65 Claims to Be Jonathan Scott, a US-based Malware Researcher
Since the invasion, a social media account reportedly affiliated with the group nB65 was extremely active in sharing their leaks and targets across Russian networks – including claims of accessing the Roscosmos space agency. Most recently, they stated they had access to Kaspersky’s source code, with many teasers in the hours leading up to what amounted to a disappointing dump of publicly available code from the Russian antivirus software developer. The group essentially trolled Kaspersky and received heavy criticism from members of the information security research community.
The owner of the group’s Twitter account claimed today that they were, in real life, Jonathan Scott, a US-based Computer Science PhD student researching mobile spyware and IoT malware. Shortly after, the Twitter account for the group was deleted.
11 March 2022 – 06:25 UTC
GhostSec Claims to Access, Shut Down, and Deface Control Panel of Russian ICS via SCADA Attack
GhostSec continues their offensive against Russian critical infrastructure with attacks affecting industrial control systems. Today, they claimed they successfully accessed an unidentified Russian industrial control system, defaced the control panel, and shut the system down. They also stated they deleted the backups to make restoring services more challenging.
They included the screenshot below, which appears to show a typical ICS interface. The name or location of the network was not identified.
11 March 2022 – 01:34 UTC
BeeHive Cybersecurity Enters Campaign and Targets Pro-Russian Discord Users
A pro-Ukrainian group, known as “BeeHive Cybersecurity” claims to have attacked over 2,700 pro-Russian Discord users, compromising their accounts and defacing their profiles with statements about the realities in Ukraine posted in English, Ukrainian, and Russian.
The group insinuates that they “CnC [command and control] the platforms of the ignorant” and use compromised devices to help combat disinformation.
10 March 2022 – 12:30 UTC
KelvinSec Leaks Private Chats from Darknet Tor Service: Database Market
KelvinSec, a pro-Ukrainian cyber threat actor on the darknet, has leaked 3,178 files containing the private chats from DATABASE Market. DATABASE is a relatively new service on Tor, where carding and fraud cyber-criminals congregate and transact.
The service is allegedly hosted by IT Resheniya on the IP address 45.155.204.178. KelvinSec reported they infiltrated the market via an insecure direct object reference vulnerability, commonly called “IDOR”, in which the site returns records by a client-supplied identifier without checking that the requester is authorized to see them, giving an attacker access to the website’s hidden information.
The compromised Tor service is still active as of time of writing.
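As an added illustration (not code from the DarkOwl post or from the market in question), the pattern behind an IDOR: a private-chat lookup that trusts the client-supplied identifier, beside a hardened version that ties authorization to the requested object. All users, chat ids and messages are constructed sample data.

```python
"""Added example (not from the DarkOwl post): an insecure direct object
reference (IDOR) in a private-chat lookup, beside the hardened version
that enforces participant ownership. The chat records, users and ids
below are constructed sample data, not anything from the leaked market."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Chat:
    chat_id: int
    participants: frozenset  # user ids allowed to read this chat
    body: str


# Constructed sample data: three private chats between hypothetical users.
CHATS = {
    1001: Chat(1001, frozenset({"alice", "bob"}), "sample message 1"),
    1002: Chat(1002, frozenset({"carol", "dave"}), "sample message 2"),
    1003: Chat(1003, frozenset({"alice", "dave"}), "sample message 3"),
}


class Forbidden(Exception):
    """Raised when the caller is not a participant of the requested chat."""


def get_chat_vulnerable(current_user: str, chat_id: int) -> str:
    """IDOR: the handler trusts the client-supplied chat_id and never checks
    that current_user may read it, so any authenticated user who guesses or
    increments ids can read every chat on the service."""
    chat = CHATS.get(chat_id)
    if chat is None:
        raise KeyError(chat_id)
    return chat.body


def get_chat_hardened(current_user: str, chat_id: int) -> str:
    """Fixed: authorization is bound to the object, not just to the session.
    Unknown ids and foreign ids both raise Forbidden, so the error does not
    reveal whether a given id exists."""
    chat = CHATS.get(chat_id)
    if chat is None or current_user not in chat.participants:
        raise Forbidden(f"user {current_user!r} may not read chat {chat_id}")
    return chat.body


def readable_chats(get_chat, current_user: str, id_range) -> list:
    """Audit helper: list the chat ids in id_range that a user can read through
    a given handler. Comparing the vulnerable and hardened handlers shows the
    exposure an IDOR creates for a single low-privilege account."""
    readable = []
    for cid in id_range:
        try:
            get_chat(current_user, cid)
            readable.append(cid)
        except (KeyError, Forbidden):
            continue
    return readable


if __name__ == "__main__":
    print("vulnerable:", readable_chats(get_chat_vulnerable, "bob", range(1000, 1010)))
    print("hardened:  ", readable_chats(get_chat_hardened, "bob", range(1000, 1010)))
```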
10 March 2022 – 11:24 UTC
DDoSecrets Leaks Over 800GB of Data from Russian Media Censor, Roskomnadzor
The whistleblower leak site DDoSecrets has obtained 360,000 files from Роскомнадзор (Roskomnadzor) via hacktivists from the Anonymous campaign against Russia. Roskomnadzor is a Russian state-controlled agency responsible for monitoring, controlling, and censoring Russian mass media. The agency is responsible for the recent crackdowns and digital bans on Facebook, Twitter, and YouTube. The two-part dataset totals over 800 GB, including files, emails, and information critical to their operations.
10 March 2022 – 08:35 UTC
GhostSec Hits Hundreds of Printers Across Russia
GhostSec reportedly hacked hundreds of printers across Russia to spread the message about the realities in Ukraine. On their Telegram channel they appended an obscure 4chan meme, “Hey Russia do you liek mudkipz?”, to the announcement. They stated they are targeting Russian government and military networks with the printer exploit.
9 March 2022 – 20:05 UTC
Pro-Russian Group, devilix-EU Joins Campaign Against Ukraine and the US
Late last week, a new pro-Russian persona appeared on social media and began sharing pro-Russia propaganda, pro-Trump rhetoric, and counter-#opRussia Anonymous content. Over the last five days, they’ve ramped up their attack claims, asserting that they have compromised AWS instances and Microsoft IIS systems and performed BGP hijacking, with mentions of several US-based IP addresses.
The group makes further claims that they’re named after their own custom ransomware, “DEVILIX shark.”
DEVILIX named as me is one of the strongest viruses on the world DEVILIX shark is ransomware which can do anything we can create BotNet. where we want. Just a Simple but it’s not.
They most recently shared their thoughts about the cyber war in Russian, declaring that this was not about Ukraine and Russia, but the US and NATO and their intent to keep Russia and Ukraine divided.
Я вижу, что речь идет о двух сторонах, России и Украине. Почему мы разделены из-за политики? Разве вы не видите, что здесь делает Запад и хочет, чтобы мы были разделены. НАТО избежало конфликтов, и теперь привет! Слава России
[Google Translate]
I see that we are talking about two sides, Russia and Ukraine. Why are we divided because of politics? Don’t you see what the West is doing here and wants us to be divided. NATO has avoided conflicts, and now hello! Glory to Russia
8 March 2022 – 21:05 UTC
Anonymous Hacks Hundreds of Russian Security Cameras, Many Affiliated with Russian Government Ministries
Hacktivists from the Anonymous Collective successfully tapped the security camera feeds of hundreds of retail businesses, restaurants, schools, and government installations across Russia. They set up a website to share the leaked camera feeds, some of which turned out to be from critical security offices. Anonymous also defaced security camera displays with the message:
Putin is killing children 352 Ukrainian civilians dead Russia lied to 200rf.com Slava Ukraini! Hacked by Anonymous
8 March 2022 – 18:34 UTC
nb65 Group Claims to Have Acquired Kaspersky’s Source Code
After keeping quiet for several days, the group sent out mysterious posts across social media claiming to have accessed Kaspersky source code and found “interesting relationships” in this code.
They also claimed it was “sloppier than Putin’s invasion.”
7 March 2022 – 17:31 UTC
22nd Member of Notorious TrickBot Gang Doxxed
The pro-Ukrainian affiliate of the Trickbot cybercriminal empire has leaked the personal identities of 22 key members of the gang, along with private chats between group members. Since the 4th of March, DarkOwl has seen the following aliases mentioned: baget, strix, fire, liam, mushroom, manuel, verto, weldon, zulas, naned, angelo, basil, hector, frog, core, rocco, allen, cypher, flip, dar, and gabr.
7 March 2022 – 13:01 UTC
Digital Cobra Gang Claims 49 “A-Groups” Led by Conti and Cobra Are Attacking American Cyberspace
The Pro-Russian group entered the campaign shortly after Anonymous started #opRussia (28 Feb) with the statement:
“DIGITAL COBRA GANG DCG has officially declared cyber war on hackers who attacking Russia as well and to protect justice”
They’ve given little indication of success, other than inflated claims that they have acquired over 92 TB of data from US military personnel files, but no proof has been published.
Earlier today, they posted that members of Conti were helping and that 49 “A-team” groups were hacking America.
(9 March 2022) – US AWS and Azure cloud platforms have experienced higher than normal traffic on the network but no major disruptions.
7 March 2022 – 06:44 UTC
RedBanditsRU Leaks Russian Electrical Grid Source Code Data
The pro-Russian group, originally assembled to counter-hack Anonymous and cyber actors targeting Russian organizations, posted today that they are leaking the source code for Rosseti Centre’s [mrsk-1[.]ru] electrical grid networking infrastructure. Rosseti Centre provides electricity for more than 13 million people in the federal subjects of the Central Federal District of the Russian Federation.
The group is sharing this information because they believe Putin and his supporters are “leading this country to an apocalypse state.”
DarkOwl warns that security researchers opening these archives should always use isolated sandbox environments in case malware is included in the leak.
7 March 2022 – 04:55 UTC
AgainstTheWest (ATW) Returns to the Fight and Drops Multiple Leaks of Russian Corporate Data
In the last 24 hours, ATW dropped URLs for at least 7 leaks corresponding to various Russian technical companies and organizations, reportedly breached by the cybercriminal group. ATW’s participation in the campaign has been controversial as they have had multiple dramatic departures and returns to the campaign and reports of “health issues” of some of the team’s members.
Security researchers reviewing the information from last week’s data leaks call into question the veracity of the information ATW is sharing. Check Point released analysis stating that, “checking their claims deeper reveals that for many of the claims there are no solid proofs apart of very generic screenshots that are allegedly from the breached organizations.”
(Update 7 March 2022 – 18:36 UTC) The group also posted to their Telegram channel that they had successfully breached a Russian cybersecurity company that has been “hording” US-based government data, along with exposure of multiple SonarQube instances, and requested that someone get in touch with them immediately. It’s unclear if this is legitimate or just further ego inflation.
6 March 2022
Free Civilian Tor Service Leaks Entire DIIA Contents
Recently, the administrator of Free Civilian shared a post on their Tor service containing the entire user database of Ukraine’s DIIA. They stated the buyer of the database consented to the release, with the understanding that some records were deleted. The downloads consist of 60+ archives containing gigabytes of data. The download links have been unstable since DarkOwl discovered them.
The administrator also expressed desire to have the ban on their “Vaticano” Raid Forums account lifted, claiming this leak proved the legitimacy of the information they shared back in January.
Recently, screenshots of an indictment for the alleged seizure of Raid Forums via VeriSign have been in circulation, after users spoke of rifts between pro-Ukrainian users and Russian hackers, potential FBI seizures, and the alleged hijacking of former admin Omnipotent’s alias on Darknet World. Prominent users from the forum have set up RF2 and advised that any old working Raidforums links are likely FBI phishing logins.
6 March 2022 – 18:43 UTC
Anonymous Continues Information Warfare Against Russian Media; Video Services Wink and ivi Stream Anti-War Messaging
After Putin’s overt authoritarian take on media sharing the realities of the war in Ukraine, Anonymous managed to hack Russian video services Wink and ivi to stream pro-Ukrainian messages and video of the conflict.
This weekend, Putin’s parliament passed a “fake-news” law imposing prison sentences on media using the words “war” or “invasion”, prompting numerous Western outlets to pull their journalists and suspend operations.
6 March 2022 – 15:39 UTC
AnonGhost Enters Campaign and Claims SCADA Attacks Against Multiple Russian Infrastructure Targets
This weekend, AnonGhost entered Anonymous’ #opRussia campaign with a vengeance, and claims today to have hacked multiple Russian infrastructure control systems via SCADA attacks and “shut it down.”
They list the following targets:
Волховский РПУ > Volkhov RPU
Бокситогорский РПУ > Boksitogorsk RPU
Лужский РПУ > Luga RPU
Сланцевский РПУ > Slantsevsky RPU
Тихвинский РПУ > Tikhvinsky RPU
Выборгское РПУ > Vyborg RPU
This is after they leaked data from 9 Russian commercial servers hours earlier.
DarkOwl is in the process of pulling in this data to review and assess the contents of all of the databases.
The AnonGhost group is reportedly one of the more senior Anonymous hacktivist teams in the underground, with reporting on the group going back to the early 2010s. According to open-source reporting, AnonGhost was led by Mauritania Attacker. In an online interview with a hacker’s blog in 2013, Mauritania Attacker claimed to be a 25-year-old male from Mauritania who started hacking at a young age by joining TeaMp0isoN and ZCompany Hacking Crew (ZHC), two hacking groups known for their attacks on high-profile targets such as NATO, NASA, the UN, and Facebook. (Source)
For those who remember Stuxnet, SCADA-type attacks are controversial because there is a fine line between disruption and destruction. Services knocked offline but able to be restored are disruptive and inconvenient, causing delays in operation and psychological concern over the safety of such services. However, disruptions that lead to destructive events, e.g. hard disks wiped and unrecoverable, derailed trains, power plants overheating and exploding, and satellites falling out of the sky, are considered serious and may be interpreted as an act of war, resulting in severe retaliation.
GhostSec Returns with Leaks from Russia’s Joint Institute for Nuclear Research (JINR) and Department of Information (DOI) FTP Server Data
Hours ago, an archive of several gigabytes emerged from GhostSec, reportedly containing information from Russia’s nuclear research and disinformation activities. GhostSec has been silent for most of the last week, perhaps busy with this activity.
According to their website (jinr.ru), the Joint Institute for Nuclear Research is an international intergovernmental organization established through the Convention signed on 26 March 1956 by eleven founding States and registered with the United Nations on 1 February 1957.
As of time of writing, the public facing website is online.
6 March 2022 – 12:34 UTC
Anonymous Dumps Leak of 139 Million Russian Email Addresses
An archive of over 139 million email addresses, broken up into 15 separate files with mail_ru at the beginning of each file name, lists the email addresses of presumed account holders of mail.ru services. VK (VKontakte) assimilated mail.ru email services into its internet services conglomerate in the fall of 2021.
The files included two additional HTML files with ominous warnings – possibly shared on the servers from which these leaks were obtained.
[image translation]
Russian soldiers! If you think that you are going to an exercise, in fact you are being sent to Ukraine to DIE.
DarkOwl has not determined the veracity of this data, nor confirmed how these emails were obtained; some combolists of this nature are created as an aggregation of other leaked data.
As of time of writing, mail.ru’s public facing website is still online and operational.
5 March 2022 – 20:41 UTC
Anonymous Targets Russian FSB; Letter Appears from Possible FSB Whistleblower
The Federal Security Service (FSB) of the Russian Federation [Федеральная служба безопасности (ФСБ)] is the principal security and intelligence agency of Russia and the main successor agency to the Soviet Union’s KGB.
Earlier today, Anonymous hacktivists targeted the FSB (at the direction of the IT Army of Ukraine) and managed to take the external-facing website offline. Rumors on social media and in chatrooms suggested Anonymous managed to “breach” the FSB’s server.
Shortly after the announcement of the website’s offline status (i.e. #TangoDown), a deep web paste emerged containing a list of 62 subdomains for the fsb.ru domain. This could be used for additional targeting and exploitation.
The stability and alliances of members of the FSB are being questioned by threat intelligence and security researchers across the community. Last night, an alleged FSB whistleblower letter surfaced (via the founder of http://gulagu.net) that damned Russia’s military performance in Ukraine and predicted a disaster for the RU in the coming weeks and months. An English translation of the letter has appeared on the deep web (excerpt below).
To be honest, the Pandora’s box is open – a real global horror will begin by the summer – global famine is inevitable (Russia and Ukraine were the main suppliers of grain in the world, this year’s harvest will be smaller, and logistical problems will bring the catastrophe to a peak point). I can’t tell you what guided those at the top when deciding on the operation, but now they are methodically lowering all the dogs on us (the Service).
We are scolded for analytics – this is very in my profile, so I will explain what is wrong. Recently, we have been increasingly pressed to customize reports to the requirements of management – I once touched on this topic. All these political consultants, politicians and their retinue, influence teams – all this created chaos. Strong. Most importantly, no one knew that there would be such a war, they hid it from everyone.
And here’s an example for you: you are asked (conditionally) to calculate the possibility of human rights protection in different conditions, including the attack of prisons by meteorites. You specify about meteorites, they tell you – this is so, reinsurance for calculations, nothing like this will happen. You understand that the report will be just for show, but you need to write in a victorious style so that there are no questions, they say, why do you have so many problems, did you really work badly. In general, a report is being written that when a meteorite falls, we have everything to eliminate the consequences, we are great, everything is fine.
And you concentrate on tasks that are real – we don’t have enough strength anyway. And then suddenly they really throw meteorites and expect that everything will be according to your analytics, which was written from the bulldozer.
That is why we have a total piz_ets – I don’t even want to pick another word.
5 March 2022 – 16:37 UTC
Anonymous Claims to Breach Yandex (Russia’s Mail and Search Service); Leaks Account Credentials
DarkOwl discovered two leaks shared through the Anonymous hacktivist collective network consisting of over 5.2 million user accounts’ email addresses and password combinations. We are in the process of analyzing this data leak to determine the veracity of its contents. 1.1 million Yandex accounts were previously dumped in 2014. Many hackers are using #opRussia to opportunistically claim clout for breaches that did not occur, when in reality they are circulating old, previously dumped data and/or verifying accounts by credential stuffing.
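One way an analyst can triage a claimed “new” credential leak against a previously circulated dump, as noted above for the Yandex data and for the aggregated combolists earlier in this timeline, is to parse the combolist, de-duplicate accounts, and measure how many addresses were already public. The example below is added here and is not DarkOwl’s tooling; the combolist lines, addresses and the “known 2014 dump” set are constructed sample data. Comparing SHA-256 fingerprints of the addresses rather than the raw strings lets two teams exchange overlap figures without sharing the e-mail addresses themselves.

```python
import hashlib
import re

# Constructed sample data (not from the leak): a "newly leaked" combolist
# with mixed separators, a case variant and one malformed line.
NEW_LEAK = """\
ivan.petrov@example-mail.test:Winter2014!
olga.s@example-mail.test;qwerty123
garbled line without separator
IVAN.PETROV@example-mail.test:Winter2014!
anna.k@example-mail.test:hunter2
"""

# Constructed: addresses already seen in an older, previously circulated dump.
KNOWN_2014_DUMP_EMAILS = {
    "ivan.petrov@example-mail.test",
    "olga.s@example-mail.test",
}

_LINE_RE = re.compile(r"^([^:;]+)[:;](.*)$")          # email<sep>password
_EMAIL_RE = re.compile(r"^[^@\s:;]+@[^@\s:;]+\.[^@\s:;]+$")


def parse_combolist(text):
    """Parse 'email:password' / 'email;password' lines.

    Returns (entries, malformed): entries maps the lowercased e-mail to the
    first password seen for it (case variants of one address collapse to a
    single account); malformed counts lines that are not a valid pair.
    """
    entries = {}
    malformed = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m or not _EMAIL_RE.match(m.group(1).strip()):
            malformed += 1
            continue
        email = m.group(1).strip().lower()
        entries.setdefault(email, m.group(2))
    return entries, malformed


def email_fingerprint(email):
    """Stable fingerprint so overlap can be computed without sharing raw addresses."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def overlap_report(new_entries, known_emails):
    """How much of the 'new' leak is recycled from an already-public dump?"""
    known_fps = {email_fingerprint(e) for e in known_emails}
    new_fps = {email_fingerprint(e) for e in new_entries}
    recycled = len(new_fps & known_fps)
    return {
        "unique_accounts": len(new_fps),
        "recycled": recycled,
        "novel": len(new_fps) - recycled,
        "recycled_ratio": recycled / len(new_fps) if new_fps else 0.0,
    }


if __name__ == "__main__":
    entries, bad = parse_combolist(NEW_LEAK)
    print(f"parsed {len(entries)} unique accounts, skipped {bad} malformed line(s)")
    print(overlap_report(entries, KNOWN_2014_DUMP_EMAILS))
```

A high recycled ratio supports the “old data repackaged” assessment; a low one means the novel portion deserves the password-reset and monitoring response a genuine breach would get.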
5 March 2022 – 15:23 UTC
PayPal Suspends Service in Russia
PayPal announced on LinkedIn that it would halt its operations in Russia, days after it suspended new user sign-ups on the payment platform on Tuesday. Dan Schulman, CEO, wrote:
We remain steadfast in our commitment to bring our unique capabilities and resources to bear to support humanitarian relief to those suffering in Ukraine who desperately need assistance. We will also continue to care for each other as a global employee community during this difficult and consequential time.
On Wednesday, 3 March, the IT Army of Ukraine called on all supporters to sign a petition on change.org:
[TRANSLATION]
While Ukraine protects its people and places, and Russia faces the radical consequences of its war crimes, the most popular payment service via PayPal is still available to the aggressor. This means that it also helps finance the bloody war against Ukraine through PayPal.
We are absolutely sure that modern technologies are a powerful response to tanks, grads and missiles. We call on the company to block its services in Russia via PayPal and launch them in Ukraine, as well as provide an opportunity to raise funds to restore justice and peace in our country and the world.
5 March 2022 – 15:03 UTC
Anonymous Leaks Private RocketChat Conversations from Russian Government Officials
Anonymous is targeting Russia by any means possible and managed to collect private chats between Russian officials on the messaging service, rocket.chat. After review, these chats are different from the ones dropped by @contileaks last week.
The chat includes the network ID, username, and “real name” of 14 members of the chat group. The domain associated with the leak corresponds to the official website of the Russian government and the Governor of the Moscow region.
5 March 2022 – 06:04 UTC
squad303 Sets Up SMS Messaging System to Text Random Russian Citizen Phone Numbers
Given the lack of Russian media coverage of the invasion of Ukraine and the intentional misinformation spread by Putin’s disinformation agencies, a pro-Ukraine hacktivist collective known as squad303 set up an SMS messaging system that citizens around the globe can use to text random Russian citizens a scripted message about the nature of world events.
The squad303 team also set up an API for more advanced users.
Update: As of 8AM UTC, 6 March 2022, the service had been used to send over 2 million texts to Russian mobile phone numbers.
The team also reports suffering heavy DDoS attacks from pro-Russian cyber actors.
5 March 2022 – 02:34 UTC
Anonymous Hackers Claim to Have Accessed Communication Data for a Russian Military Satellite
After NB65’s reported success accessing Roscosmos earlier this week, it appears that members of the Anonymous collective under the campaign #opRussia have ventured into breaching the communications of a Russian military satellite for data collection. The satellite, designated COSMOS 2492 (aka glonass132), is likely active in geospatial intelligence collection over Ukraine for Russia. (Note: the original indication of the connection occurred 4 March 2022 @ 09:35 by Anonymous collective member @shadow_xor.)
DarkOwl also uncovered a leak shared by LulzSec member @shadow_xor titled “Leak_RUSAT_shadow_xor.zip”, which contains significant geopositioning data since the satellite’s launch in 2014. The hacker stated they could not change the coordinates of the satellite, but did capture orbital, passage, and communications data.
Our original reporting on this suggested the hackers were Russian-based, but further analysis only indicated that a number of Russian-based hackers supported the attack on COSMOS 2492.
4 March 2022 – 18:16 UTC
Putin Officially Bans Facebook in Russia
In order to combat the information operations campaign being waged against them online, Putin ordered ISPs to block Facebook servers and websites across Russia. Security researchers also note an uptick in Russian trolls on social media, with bot accounts promoting Putin’s military operations in Ukraine.
Putin’s parliament also passed a law imposing prison terms of up to 15 years for individuals intentionally spreading “fake news” about the military. The terms “invasion” and “war” are no longer allowed in press and media coverage.
Several foreign and Western media outlets, including BBC, CNN, and Bloomberg, have temporarily suspended reporting on the war from Russia.
4 March 2022 – 09:44 UTC
NB65 Teases Information Security Community with Riddles on their Activities
NB65 – the pro-Ukrainian group who claimed responsibility for accessing and shutting down Russia’s spy satellites via SCADA vulnerabilities – teased the information security community that they had been quiet because they were parsing and analyzing numerous vulnerabilities in Russian cyber targets.
If we seem quiet, it’s because we have an olympic sized swimming pool worth of data and vulnerabilities. But here’s some fun that you can participate in…
DarkOwl discovered a post matching the target hidden in the riddle and the content suggests the group has access to RUNNET: Russia’s UNiversity Network.
4 March 2022
IT Army of Ukraine Calls for Volunteers to Support the Internet Forces of Ukraine
Ukraine’s Ministry of Digital Transformation steps up its information warfare against Putin’s propaganda by forming the Internet Forces of Ukraine (ITU). A separate Telegram channel, formed at the start of the month, is dedicated to posting instructions and guidance for citizens around the world who want to aid Ukraine but lack an IT/cybersecurity background.
Друзі, наш ворог, окрім наявної війни у наших містах та селах, веде також інформаційну війну. Не вірте фейкам, не вірте брехні пропаганди путіна – ніякої капітуляції України НЕ БУДЕ!!! У нас потужна армія, ми сильні духом і нас підтримує весь світ! Тому, не ведіться на провокації і вірте в Україну. Поширюйте це серед рідних та близьких у соціальних мережах, щоб вони також не велись на нісенітниці кремля. Ми разом і ми переможемо!!🇺🇦
Friends, our enemy, in addition to the existing war in our cities and villages, is also waging an information war. Do not believe fakes, do not believe the lies of Putin’s propaganda – there will be no capitulation of Ukraine!!! We have a powerful army, we are strong in spirit and we are supported by the whole world! Therefore, do not be fooled by provocations and believe in Ukraine. Spread this to your family and friends on social networks, so that they also do not fall for the Kremlin’s nonsense. We are together and we will win!! 🇺🇦
4 March 2022 – 01:46 UTC
Trickbot Gang Members Doxxed and Links to FSB Confirmed
At 15:00 UTC, before DarkOwl could even finish analyzing the ContiLeaks, a Ukrainian-aligned underground account leaked details of key members of the infamous TrickBot gang. Over the course of the day, at a cadence of every 2 hours, dossiers for the individuals appeared on social media. Private chats between members of the gang were included with each of the leaks. Seven male members were identified by alias: baget, fire, strix, mushroom, manuel, verto, and liam. Twitter has since suspended the account.
3 March 2022 – 20:54 UTC
Russian-Aligned Hackers Target Anonymous Hacktivists in Canada
A pro-Russian cyber group using the name Digital Cobras claims to have been targeting #opRussia hackers from the Anonymous collective across the US, UK, Greece, and Canada. Earlier today, they posted several names of individuals along with pictures of some of the alleged members of Anonymous.
They also claimed to have “hacked Anonymous’ servers” and downloaded over 260 GB of their files and tools, and to have full administrative access to the Tor Project, including its crypto accounts.
Anonymous does not possess servers or centrally locate their information or tools as it is an organic decentralized collective of hacktivists around the world. Similarly, the Tor Project is run by a network of volunteers.
It is very likely this group is designed to spread disinformation and FUD.
3 March 2022
Size of Zeronet Anonymous Network Increases Since Invasion
In the week since Putin launched an invasion against the Ukrainian people, DarkOwl has noticed an increase of 385 Zeronet domains and a near 20% increase in the network’s activity. Zeronet has historically been most heavily used by Chinese threat actors. The trend in “new domain” activity appears to have started on or about February 27th, within hours after the IT Army of Ukraine rallied the underground.
The Tor Project has reported significant increases in the number of unique addresses on Tor on the same day.
[Figures: DarkOwl Zeronet reporting; Tor Project data on onion address surge]
3 March 2022 – 17:10 UTC
Anonymous Leaks Database Containing Bank Account Holders Information
bkdr – a member of the Anonymous hacktivist collective – released an Excel spreadsheet containing the personal information of over 8,700 business bank account holders in Russia. Full names, passport numbers, dates of birth, account standing, etc. are included in the file.
3 March 2022 – 15:40 UTC
Pro-Russian Cyber Team, Killnet Claims To Hack Vodafone Services in Ukraine
Killnet, a pro-Russian organized threat actor, has claimed they were successful in attacking Vodafone’s telecommunications services across Ukraine. The group shared links to the vodafone.ua website (as offline) and network graphs showing the website suffered an outage.
The group also claims to have attacked “Anonymous” networks directly, prompting criticism, as the Anonymous hacktivist collective has no central servers or repositories.
[Google Translate]
Cellular communication services under the Vodafone trademark on the territory of Ukraine are provided by the partner of Vodafone Group plc, PRO “VF Ukraine”
⚠ OUR ATTACK WAS REPELLED [REFLECTED] AFTER 4 HOURS.
3 March 2022 – 05:22 UTC
Anonymous Breaches Private Server in Roscosmos and Defaces Website
v0g3lSec – a member of the Anonymous hacktivist collective – claims to have infiltrated private servers at the Russian Space Agency, Roscosmos, and exfiltrated files from its Luna-Glob moon exploration missions. The archive consists of over 700 MB. Many of the files are drawings, executables, and technical documents dating back to 2011. A scientific review of the content would be needed to assess the value of the information collected.
In addition, the website of the Space Research Institute (IKI) of the Russian Academy of Sciences (RAN) was also defaced by the same group.
3 March 2022 – 01:11 UTC
Anonymous Leaks Data from Rosatom, Russia’s State Atomic Energy Corporation
According to DarkOwl’s preliminary review of the 74 files, the leak appears to be a mixture of budget data, conference materials, PowerPoint presentations, and technical files dating back to 2013. The information is such a random mixture that it is unclear whether it was obtained directly from a breach of the corporation’s servers, from an employee at the organization, or collected via OSINT and compiled for use in #opRussia.
“There is no place for dictators in this world. You can’t touch the innocent, Putin. No secret is safe. State Atomic Energy Corporation Rosatom has been hacked!”
2 March 2022 – 19:55 UTC
ATW Quits Campaign – Cites Conflict with Anonymous, Attribution, and Twitter Suspension
Drama in the group started yesterday with AgainstTheWest claiming Anonymous was taking credit for their successes in the cyber war against Russia. They briefly turned their attention to China, announcing several new victims, including the Chinese Science, Technology and Industry for National Defence organization. After their suspension from Twitter earlier today, they announced their retirement, claiming they had no means of communicating with the public. (Analysts note that a rebrand to BlueHornet occurred shortly after their announcement.)
2 March 2022 – 19:09 UTC
Conti Leak Source Code, Panel, Builder, Decrypter Appear on Darknet Forum
Less than 48 hours after a pro-Ukrainian affiliate leaked the infrastructure of the CONTI gang’s operation, including botnet IP addresses and source code executables, users began circulating the ransomware gang’s critical data across popular darknet forums and discussion boards.
2 March 2022 – 16:35 UTC
Leaked Documents Surface Proving War Against Ukraine was Approved on 18 January
Anonymous hackers released photographs of documents captured from Russian troops titled “WORKING MAP” and authored by the commander of Russia’s Bomb Battery of the Black Sea Fleet. The maps and documents affirm to the public that the invasion of Ukraine was approved on January 18th with the intention of seizing the country sometime between 20 February and 06 March 2022. Liveuamap, under intermittent DDoS since this started, confirmed the data.
2 March 2022 – 13:52 UTC
XSS Admin Reports XMPP Jabber Service Ransomed and Heavy DDoS Attacks
A darknet forum popular with the Russian-speaking community has been experiencing technical issues, suffering from Jabber service outages and heavy DDoS attacks. The forum is well known in the darknet for malware discussions and coordination of attacks. The admin shared a post stating that the Jabber service was hit with ransomware and the contents of the chats were wiped from the service. They nonchalantly suggested users re-register and continue using the service.
[Translated]
The server didn’t work yesterday. Because of ransom (which, by the way, is prohibited here) we were listed in a spamhouse. Instead of reporting the violation, the “brilliant” spamhouse immediately leafed through us. In principle, for many years I got used to their “adequacy”. I’m not surprised at anything. We have more than 21,000 users, and no one is able to check everyone. To do this, in fact, they came up with feedback contacts (xmpp, e-mail), they are listed everywhere.
Why, I wonder, they don’t block gmail.com ? So many, so to speak, violators of law and order use it, and nothing, for some reason they are not immediately listed.
In parallel with this, a powerful DDoS attack was conducted on us.
Our XMPP project is not commercial, completely free and subsidized. I’ve never understood the point of attacking toads.
At the moment, the functionality has been restored.
An unpleasant moment. Backups according to the law of meanness turned out to be broken. The last one alive was a week ago. Suddenly someone has lost contacts or a toad has disappeared, re-register.
2 March 2022 – 10:33 UTC
Leak Appears with Russian Air Force Officer’s Information
Anonymous leaked another database containing the personal information for over 300,000 of Russia’s military personnel and civilian citizens. The archive, titled “Translated Base Database” contains 35 separate database files containing personal details of the individuals. Information includes: full name, date of birth, age, passport number, address, occupation, etc.
1 March 2022 – 20:46 UTC
Russian Criminal Gang TheRedBanditsRU Recruits on Social Media – Offers Payments for Affiliates
The RedBandits openly recruit “affiliates for certain jobs”, stating they did not want white hats, but that they want to “speak to exploit Developers, Spammers (phishing skills, vishing etc), Pentesters. We’re building an army!” They incentivize skilled hackers to join their cause for monetary gain, claiming partners would be paid well, and ask applicants to apply directly via qTox.
Earlier today, the group claimed that they did not agree with Putin as a leader nor with his invasion of Ukraine, but will protect him as a citizen of Russia.
“War is good for no one, come, take my hand, make money help your family”
1 March 2022 – 12:57 UTC
STORMOUS Ransomware Group Aligns With Russia
The STORMOUS ransomware group, which has been targeting international victims with its ransomware strain for months, declared its allegiance to the Russian government and threatened greater attacks against Ukraine.
The STORMOUS team has officially announced its support for the Russian governments. And if any party in different parts of the world decides to organize a cyber-attack or cyber-attacks against Russia, we will be in the right direction and will make all our efforts to abandon the supplication of the West, especially the infrastructure. Perhaps the hacking operation that our team carried out for the government of Ukraine and a Ukrainian airline was just a simple operation but what is coming will be bigger.
1 March 2022 – 09:26 UTC
Ukrainian Paper Leaks Personal Data for 120,000 Russian Military Personnel
In an effort to target the Russian soldiers invading Ukraine, the Centre for Defence Strategies in Ukraine has acquired the names and personal data of 120,000 servicemen who are fighting in Ukraine. The Ukrainian newspaper Ukrayinska Pravda has leaked the details of the soldiers, which could be one of the biggest doxing-based information warfare campaigns ever seen in the middle of a military conflict.
The doxxed soldiers are likely to face increased engagement on social media and direct phishing attacks.
1 Mar 2022 – 00:38 UTC
NB65 Takes on Russia’s Satellite Technology
NB65 claims that they successfully accessed Russia’s Roscosmos Space Agency, deleted the WS02, ‘rotated’ the credentials and shut down the server. They did not provide any leaks with the social media announcement.
The Russian Space Agency sure does love their satellite imaging. Better yet they sure do love their Vehicle Monitoring System.
Network Battalion isn’t going to give you the IP, that would be too easy, now wouldn’t it? Have a nice Monday fixing your spying tech. Glory to Ukraine.
28 February 2022 – 23:54 UTC
ATW Targets Russia’s Electrical Grid
AgainstTheWest leaks information from Russia’s PromEngineering corporation. Archives of corporate emails between employees, clients, and vendors, as well as blueprints and engineering documentation for power stations around Russia, are included in the leak.
28 February 2022 – 22:00 UTC
CONTI’s Entire Infrastructure Leaked
Does this signal the end of CONTI’s reign as leading RaaS?
A Ukrainian-aligned affiliate set out to destroy the CONTI ransomware gang’s operation by exfiltrating and sharing 141 additional JSON data files of private Jabber chats from 2020, details of their server architecture, their sendmail phishing campaign data, command-and-control botnet architecture, and ransomware executables (password protected). Analysis confirms that the gang uses the BazarLoader backdoor for installing persistent malware on infected machines.
DarkOwl analysts also noted from the leaked Jabber messages that RaaS affiliates were persistent in working out how to evade AV/EDR protection systems like Sophos and Carbon Black, stating that they had set up sales calls and demos with the Carbon Black and Sophos AV providers’ sales teams using proxy companies to gain more information, test the product, and attempt to find specifics of the product’s AV/EDR bypass mechanisms.
This reminds us all of the importance of vetting and verifying all commercial inbound requests for demos and sales information, especially when such a request might present an opportunity to learn critical corporate intelligence.
The affiliate leaking the details wrote how this war against their people and Ukraine was breaking their heart.
My comments are coming from the bottom of my heart which is breaking over my dear Ukraine and my people. Looking of what is happening to it breaks my heart and sometimes my heart wants to scream.
28 February 2022 – 21:41 UTC
STORMOUS Ransomware Hits Ministry of Foreign Affairs of Ukraine
The pro-Russian STORMOUS ransomware gang claims to have attacked Ukraine’s Ministry of Foreign Affairs, mfa.gov.ua, using their custom ransomware. The group posts victims’ information on their Telegram channel, posting in both English and Arabic. The group called the Ukrainian government network “fragile” and called for DDoS attacks against it.
Their network is fragile – their various data has been stolen and distributed according to their phone numbers, email, accounts and national card numbers with an internal network hacked and access to most essential files. This is with placing denial attacks on their main site !
28 February 2022 – 18:00 UTC
China’s Huawei Steps in to Assist Russia with ISP Network Instability
According to Chinese deep web forums, Huawei is reportedly building a mobile broadband network in Russia to help with internet outages. As of 26 February, at least 50,000 technical experts will be trained in networking and security in Russia’s R&D centers.
28 February 2022 – 12:00 UTC
Russian Gas Station Pumps Hacked
Video of disabled electric vehicle (EV) charging stations in Russia surfaced, displaying an error status and the following warnings:
”Putin is a dick”, “Glory to Ukraine”, ”Glory to our heroes”,” death to our enemies”
27 February 2022 – 23:06 UTC
Anonymous for Ukraine Leaks Customer Data from Sberbank Russia
While Anonymous leaked the files, the credit for the hack goes to Hacktivist group, Georgia Hackers Society. The two text files (bygng.txt & bankmatbygng.txt) appear to be personal data from the financial institution with the bankmat file containing 4,568 records.
27 February 2022 – 21:00 UTC
CONTI RaaS Suffers for Professing Their Allegiance to the Russian Federation
DarkOwl just discovered 393 JSON files containing private Jabber chats from the ransomware group since January 2021 leaked online. Many of CONTI’s affiliates were displeased with the group’s alliance with Russia.
27 February 2022 – 19:00 UTC
ATW Claims to Take Down CoomingProject Ransomware Group
AgainstTheWest assesses “CoomingProject are actually one of the dumbest “threat” groups online.” AgainstTheWest statement on Twitter:
“RIP CoomingProject. All data on them is being passed to relevant authorities in France.”
27 February 2022 – 16:54 UTC
Cyberpartisans Take Belarusian Railway’s Data-Processing Network Offline
The hacktivist group of cyber specialists located in Belarus managed to force the railway switches to manual control mode, to significantly slow down the movement of trains. The webservers for the railway’s domains (pass.rw.by, portal.rw.by, rw.by) are also offline.
The rail services are being essentially held hostage until Russian troops leave Belarus and there is peace in Ukraine.
27 February 2022 – 11:00 UTC
AgainstTheWest Ransomware Gang Enters the Campaign
AgainstTheWest (ATW) claims to have attacked Russia’s Department of Digital Development and Communications of the Administration of the Pskov Region with their own custom “wiper” malware. All data has reportedly been saved (copied out) and then deleted.
27 February 2022 – 09:00 UTC
Anonymous Attacks Russian Critical Infrastructure
Tvingo Telecom offers fiber-optic networking, internet and satellite services. Tvingo Telecom is a major provider to Russian clients.
27 February 2022 – 00:00 UTC
GhostSec Leaks More Data and Claims Attacks Against Belarusian Cybercriminals, GhostWriter
GhostSec is active in the Anonymous cyber war against Russia and released a sample of databases stolen from additional government and municipality sites across Russia (economy.gov.ru and sudak.rk.gov.ru).
They state on their Telegram channel they have been conducting attacks against “Russian hackers” and the “hacker group GhostWriter” (a.k.a. UNC1151).
26 February 2022 – 18:00 UTC
IT ARMY of Ukraine Now Active on Telegram
A Telegram Channel titled “IT ARMY of Ukraine” appeared earlier today to help coordinate cyber activities against Russia. The channel has already accumulated over 96K followers. Posts are shared in Ukrainian and English containing target server IP addresses and media for mass distribution on social media.
Videos of what events are really happening across Ukraine have appeared on intercepted Russian State Television channels.
One of the most important tasks will come within the next hour!
26 February 2022 – 16:00 UTC
Anonymous Hackers Interrupt Russian State Television
Multiple reports across underground chatrooms suggest Russian television was allegedly briefly interrupted to play Ukrainian music and display national images. (Source)
Ukraine’s telecommunications’ agency also announced that Russia’s media regulator’s site was down as well.
26 February 2022 – 09:00 UTC
Russia Restricts Facebook and Twitter to Control Information
Open-source internet monitoring organizations discovered that Twitter has been blocked by multiple ISPs across Russia. Ukraine’s government is regularly posting on social media to show the Russian people they are still fighting the invasion. Cybercriminals and hacktivist campaigns also disrupt Russia’s information operations by calling out disinformation bots and taking critical communications sites offline. Twitter has reportedly blocked account registrations from IPs originating in the Russian Federation.
Russia’s state-controlled television station, RT, is still offline.
26 February 2022 – 01:00 UTC
Hackers Leak Data from Belarusian Weapons Manufacturer Tetraedr on the Darknet
Anonymous Liberland and the Pwn-Bär Hack Team announce the start of #OpCyberBullyPutin and leak a two-part archive (200GB total) of confidential employee correspondence from the prominent defense contractor and radar manufacturer Tetraedr in Belarus. The first part is the most recent 1,000 emails from each employee inbox, in .EML format. The second part is a complete archive of each inbox in .PST format.
The hacktivists stated they successfully attacked the company through an unpatched ProxyLogon security vulnerability.
25 February 2022 – 23:30 UTC
Russian Military Radio Frequencies Hijacked
Ukrainian radio frequency (RF) hackers intercepted the Russian military numbers station UVB-76 (frequency 4625 kHz) and trolled Russian communications by playing Swedish pop group Caramella Girls’ Caramelldansen over the top of the transmission.
The group also successfully intercepted frequencies utilized by Russian strategic bomber planes.
25 February 2022
CoomingProject Ransomware Group Announces Support for Russia
Another ransomware gang sides with Russia officially declaring war against anyone conducting cyber attacks against the Russian government on their Telegram channel.
“Hello everyone this is a message we will help the Russian government if cyber attacks and conduct against Russia”
25 February 2022 – 21:00 UTC
Russia’s Gazprom Energy Corporation Knocked Offline
Headquartered in St. Petersburg, Gazprom (ПАО “Газпром”) is the largest natural gas transmission company in Eastern Russia. The company is mostly owned by the Russian government even though its shares are traded publicly.
The Anonymous hacktivist collective, operating their campaign against Russia via the hashtag #OpRussia, has claimed responsibility.
25 February 2022 – 20:00 UTC
Anonymous Hackers Leak Database for Russia’s Ministry of Defense (MoD)
Russia’s gov.ru and mil.ru website server authentication data, including hundreds of government email addresses and credentials, surface on transient deep web paste sites and Telegram channels. Another leak consisting of 60,000 Russian government email addresses is also now in circulation.
GhostSec, also participating in Anonymous’s cyberwar against Russia, #OpRussia, claimed all subdomains for Russia’s military webservers were offline hours earlier as of 11:00 UTC.
Over around 100+ subdomains for the russian military were hosted on this IP (you may check DNSdumpster for validation) now all downed. In Support of the people in Ukraine WE STAND BY YOU!
25 February 2022
CONTI’s decision to side with Russia has dire consequences for the RaaS Gang
The ransomware-as-a-service (RaaS) gang CONTI (a.k.a. CONTI News) has officially sided with the Russian Federation against “Western warmongers” in the conflict.
Many of their affiliate partners are reportedly in disagreement – siding with Ukraine – which became evident once certain private chats from their internal affiliate platform were leaked on social media. It is uncertain how these political divisions will impact the effectiveness of the ransomware gang’s campaigns. Conti revised their WARNING statement, claiming they do “not ally with any government and we condemn the ongoing war.”
25 February 2022 – 16:30 UTC
Hundreds of Russian IP Addresses Appear on Deep Web for Targeting
Over 600 IP addresses correlating to key Russian web services emerge on transient paste sites and underground hacker forums. (Source DarkOwl Vision)
25 February 2022 – 05:00 UTC
Anonymous Threatens to Take Russian Industrial Control Systems Hostage
The hacker group known as Anonymous stepped up its participation in defending Ukrainians through its cyber war with Russia. In an ominous video posted to Twitter, the group called for the UN to establish a “neutral security belt” between NATO and Russia to ease tensions. They elevated their influence by threatening to “take hostage industrial control systems” against Russia. Expect Us. We do not forgive. We do not forget.
“If tensions continue to worsen in Ukraine, then we can take hostage… industrial control systems.” Expect us. Operation #Russia Engaged
24 February 2022 – 19:00 UTC
Free Civilian Tor Service Announces 54 New Ukrainian Government Database Leaks
The administrator of the Free Civilian Tor Service – who DarkOwl analysts believe is the Raid Forums threat actor, Vaticano – updated their database leaks service, stating they had confidential data for dozens of Ukrainian government services. DarkOwl analyzed these databases closely and confirmed the threat actor likely exfiltrated the data in December 2021. (Source)
24 February 2022 – 17:00 UTC
Russia’s FSB Warns of Potential Attacks against Critical Infrastructure as a result of Ukraine Operations
The National Coordination Center for Computer Incidents (NCSCI) released an official statement warning citizens of Russia of imminent cyber attacks and telling the country to brace for the disruption of important digital information resources and services in response to the ongoing special military operation in Ukraine.
“Attacks can be aimed at disrupting the functioning of important information resources and services, causing reputational damage, including for political purposes” – NCSCI
24 February 2022 – 05:00 UTC
Cryptocurrency Markets Crash in Wake of Invasion
Bitcoin fell below $35,000 USD for the first time since January in reaction to Russian troops crossing the Ukrainian border. Ethereum fell more than 12% over the same 24 hours.
According to open-source reporting, the cryptocurrency market as a whole has lost over $150 billion in value since the tensions began.
Using DarkOwl Vision, our darknet search engine, investigators are able to collect intelligence about persons or subjects of interest, including usernames, aliases, chatroom activity and other potentially incriminating information, and use that data to compile evidence and solve complex crimes.
Earlier this summer we researched the cyber insurance industry and the darknet: we reviewed basic policies and first- and third-party coverage, and looked at a sample of the type of data insurers might want to monitor the darknet for. We found an increasingly complex interrelationship between darknet data and the organizations that issue cyber liability insurance policies and manage claims.
Cyber Insurance is not a Substitute for Cyber Defense
Surprisingly, we also found that most cyber liability insurance policies exclude incidents caused by human error or negligence, as well as events that a stable and secure IT defense posture would easily have prevented. Security professionals therefore cannot become lackadaisical about their security posture simply because the organization has procured a comprehensive cyber insurance policy.
Organizations should not be fooled into thinking that cyber insurance is a substitute for robust cybersecurity defense and response.
Some popular exclusions of cyber liability insurance include:
Lack of (or poorly developed) security processes: Detailed security policies and a comprehensive incident response plan are prerequisites for underwriting;
Prior breaches: Data leaks or incidents that occurred before the organization purchased its policy;
Lost mobile IT devices: Most cyber liability insurance policies do not cover lost or stolen personal mobile devices, for example when a company CEO leaves a mobile phone on an airplane or in an Uber;
Human error: Any cyberattack triggered by a basic mistake by one of the organization's employees;
Insider attacks: Loss or theft of data due to an 'insider attack', where an employee initiates the attack from within the organization or uses their authorized organizational access to launch it;
Pre-existing vulnerabilities: Much like a pre-existing medical condition, if there is documented evidence of previously identified network vulnerabilities and the company failed to remediate them, the resulting cybersecurity incident is not covered;
IT infrastructure security improvements: Any costs related to improving the security of information technology systems, e.g. hardening applications and networks;
Criminal litigation: Claims brought as a result of grand-jury proceedings or a criminal investigation or action;
Acts of War: Traditional insurance policies do not typically cover property damaged during wartime, often referred to as the 'hostile act exclusion.' The same is true for nation-state sponsored cyberattacks against businesses.
Given that we are in the first ever global cyberwar as a result of Russia's invasion of Ukraine, and that CISA has advised a heightened security posture for all critical infrastructure sectors, CISOs and security professionals should never speculate about their coverage; they should review their cyber insurance policies carefully.
Cyber insurance policies should augment organizational security processes, not replace them. Insurance carriers must carefully analyze each prospective policyholder's security posture and insist on a robust one before issuing a policy. Underwriters should assess applicants through thorough pre-policy questionnaires and employee interviews, evidence of robust and regular employee security training, domain and network scanning, and darknet monitoring and exposure analysis.
Evidence of a policyholder's prior breaches, organizational credential exposures, and the risk of insider attacks can be evaluated using a robust darknet database, like DarkOwl Vision.
Insider Risk Increasing & Not Covered by Cyber Liability Insurance Policies
DarkOwl has observed numerous darknet threat actors actively recruiting disgruntled employees, a.k.a. 'insiders', to help carry out their attacks and shorten the attack timeline, notably in the ransomware/extortion-as-a-service model of the criminal underground. Banking and financial fraud specialists have advertised that they are seeking banking insiders, and cyber criminals have offered $500 to $1,000 USD to employees of AT&T and other mobile carriers who can assist with SIM swapping. Some recruitment posts offer payment per swap or a percentage commission on the value of the fraud conducted.
On Telegram, LAPSUS$ openly recruited insiders to help with their attacks, calling for employees at telecommunications, software and gaming corporations, call centers, and web/server hosting organizations. They specifically asked for employees with remote access via VPN, Citrix or AnyDesk.
Figure 1: LAPSUS$ Criminal Gang’s Recruitment of Insiders to provide VPN or Citrix Network Access
Government, healthcare, and insurance carriers are also targeted for insider recruitment, as in a recent deep web post captured by DarkOwl (below).
Figure 2: Source DarkOwl Vision
In early July, in an unusual insider-threat example, a HackerOne employee exploited their internal access to bug reports to resubmit duplicates of those reports and collect bug bounty payments. In such a scenario, the fraudulent payments would not be recoverable under a cyber liability insurance policy unless the policy specifically says so.
Prior Breaches & Organizational Exposures
In addition to monitoring for mentions of organizational credential data, such as email addresses, hashed and cleartext passwords, and authentication material such as session tokens and API keys, DarkOwl Vision can also indicate prior breaches and leaked data.
Cyber criminals regularly offer to sell or share organizational information on the darknet, and such data can indicate that a prior breach occurred at the organization. In August 2020, a post on Telegram indicated that a cybercriminal had obtained significant confidential data from the Intel Corporation. The leak allegedly included over 20GB of documents and product roadmaps for multiple Intel technology programs, offered for only $200 USD.
Figure 3: Source DarkOwl Vision
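The triage step that this kind of credential monitoring feeds into, as an added example that is not DarkOwl's code and says nothing about how DarkOwl Vision works internally: given raw lines from a leaked combolist or paste, the script attributes each record to a mail domain, classifies what was exposed by its shape (cleartext password, bcrypt hash, fast unsalted digest, JWT, AWS access key, GitHub token) and sizes the response, since a leaked bcrypt hash and a leaked cleartext password or NTLM hash do not warrant the same action. The sample dump is constructed; the watched domain example-corp.com, the regexes and the playbook text are assumptions to adapt to your own environment.

```python
"""Triage a leaked credential dump for one organization's exposure.

Added example (not DarkOwl's code). Sample lines below are constructed;
the watched domain and the action text are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

WATCHED_DOMAINS = {"example-corp.com"}  # assumption: the organization's mail domains

EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Shapes of secrets commonly seen in combolists and pastes. Tokens and
# prefixed hash formats are checked first; bare hex digests last, since a
# 32-hex string could be MD5 or NTLM and both crack at the same speed.
SECRET_PATTERNS = [
    ("jwt", re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")),
    ("aws_access_key", re.compile(r"^AKIA[0-9A-Z]{16}$")),
    ("github_pat", re.compile(r"^ghp_[A-Za-z0-9]{36}$")),
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("ntlm/md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
]
# Fast, unsalted digests are effectively cleartext once leaked.
CRACKABLE = {"cleartext", "ntlm/md5", "sha1"}

ACTIONS = {  # assumed playbook text; align with the organization's IR runbook
    "cleartext": "force password reset; check reuse on SSO, VPN and mail",
    "ntlm/md5": "treat as cleartext: unsalted fast hash cracks offline in minutes",
    "sha1": "treat as cleartext: unsalted fast hash cracks offline in minutes",
    "bcrypt": "reset at next login; weak passwords still fall to a dictionary attack",
    "jwt": "revoke the session; if many appear, rotate the signing key",
    "aws_access_key": "rotate the key now and audit CloudTrail for its use",
    "github_pat": "revoke the token and audit repository and org access",
}


@dataclass
class Finding:
    email: Optional[str]
    domain: Optional[str]
    kind: str
    in_scope: bool


def classify_secret(value: str) -> Optional[str]:
    """Return the secret's format name, or None if its shape is unknown."""
    for name, pattern in SECRET_PATTERNS:
        if pattern.match(value):
            return name
    return None


def parse_line(line: str) -> Optional[Finding]:
    """Turn one dump line into a Finding, or None if it carries nothing usable."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = EMAIL_RE.search(line)
    if m is None:
        kind = classify_secret(line)  # bare token with no identity attached
        return Finding(None, None, kind, False) if kind else None
    email, domain = m.group(0), m.group(2).lower()
    secret = line[m.end():].lstrip(":;|, \t")
    kind = classify_secret(secret) or ("cleartext" if secret else "email_only")
    return Finding(email, domain, kind, domain in WATCHED_DOMAINS)


def triage(lines):
    return [f for f in (parse_line(line) for line in lines) if f is not None]


def recommended_action(kind: str) -> str:
    return ACTIONS.get(kind, "verify manually")


def exposure_summary(findings):
    """Counts an analyst needs to size the response for the watched domains."""
    in_scope = [f for f in findings if f.in_scope]
    return {
        "total": len(findings),
        "in_scope": len(in_scope),
        "by_kind": dict(Counter(f.kind for f in in_scope)),
        "crackable": sum(1 for f in in_scope if f.kind in CRACKABLE),
    }


# Constructed sample: a combolist excerpt plus two stray tokens.
SAMPLE_DUMP = """\
# combolist excerpt (constructed sample, no real accounts)
alice@example-corp.com:Summer2022!
bob@example-corp.com:$2b$12$C6UzMDM.H6dfI/f/IKcEeO5K5Yq4cmE4RqhS9YxzR3c7eO3FI4S8C
carol@other-domain.net:hunter2
dave@example-corp.com:5f4dcc3b5aa765d89ae6a8b2b1d7a3b8
erin@example-corp.com:eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJlcmluIn0.abcDEFghiJKLmnoPQRstuVWXyz0123456789
AKIAIOSFODNN7EXAMPLE
ghp_0123456789abcdef0123456789abcdef0123
"""

if __name__ == "__main__":
    found = triage(SAMPLE_DUMP.splitlines())
    for f in found:
        if f.in_scope:
            print(f"{f.email}: {f.kind} -> {recommended_action(f.kind)}")
    print(exposure_summary(found))
```

Classification by shape is a heuristic, not proof: a string that looks like an AWS key may be a documented placeholder, and a 32-hex value may be a file checksum rather than a hash, so confirm each in-scope finding against your identity provider and key inventory before forcing resets or rotating keys. The point of the split is prioritization: cleartext and fast unsalted hashes for your domain go first, bare tokens next, and slow salted hashes last.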
In the middle of an attack or immediately afterwards, threat actors often openly shame the victim and its IT security department for haphazard network security, 'poor digital hygiene,' and weak protection of private information. We recently captured a threat actor sharing proofs of exfiltrated victim data, in an apparent ransomware attack, while stating that this was not the first time the victim had been compromised and its clients' personal data exposed.
The threat actor even alleged they had tried to reach the company to provide recommendations on how to secure its corporate network.
“No matter if this is a medicine company, even they do not respect professional ethics and doesn’t care about private information regarding clients, employees, medicine tests, hospital cards, drug tests and researches and any other sensitive Data. They have a lot of vulnerabilities and absolutely careless IT service. We are trying to reach them to help resolve issue and provide a recommendations about how to fix such a bugs in the corporate network. Moreover it’s not the first time they have an issue with IT security and get a breach in their network, so it’s obviously that XXX is not able to protect own Data and personal Data of clients, so everyone can be convinced soon when we will provide the access to the files from one of their servers – XXX from central office with about 5,7TB of Data (and this is just a minor part of what we were able to download). We never tell lies when we saying that we have something, unlike XXX security team, which are telling in the internal or public reports that nothing is compromised and all is in safe. As a final try we are publishing here just a little piece of proof just in the hope that someone from CEO will notice and take under control this issues.” – Source, DarkOwl Vision
Attacks Against Insurance Industry Persist
Ransomware gangs show no slowdown in targeting the insurance industry, with several new attacks in recent weeks against independent agents and family-owned insurance-affiliated businesses around the world. REvil's stated intention to gather information about insurance policyholders and exploit it in future negotiations and targeting is clearly visible. We continue to see proofs and announcements of such attacks regularly posted by some of the most active and successful ransomware gangs in operation.
Figure 4: Source DarkOwl Vision
Figure 5: Insurance Policies, Cyber Risk Assessments, and Certificates of Insurance Shared From Victim Network – Source DarkOwl Vision
Any entity that interacts with insurance companies is also at risk of a cybersecurity incident or ransomware attack. We have seen ransomware gangs target business process outsourcing companies, insurance brokerage networks and underwriting service providers, as well as legal firms that support the insurance industry.
DarkOwl recently observed a legal firm that represents insurance carriers in disputes with their policyholders shamed on the LockBit ransomware blog. Earlier, the same group shamed the insurance company Risk Strategies by calling out its web domain in another victim's announcement, complaining that the insurer had not paid a larger amount for the attack on that policyholder, another legal services company.
Do not use the insurance company risk-strategies.com it will not help you in case of hacker attack, XXX were insured for 1 million dollars, and the fucking faggot insurance agent was able to offer the maximum amount of 45 thousand dollars, this is fraud in the purest form. A full-service law firm delivering consistent, successful results for more than 100 years. Among the fastest growing law firms in the southeastern United States. Our services are customized because each client’s situation is unique. XXX attorneys focus on meeting your current needs, achieving the best possible results, in a cost-effective manner. – Posted March 2022, Source LockBit Ransomware Blog on Tor
Figure 6: Source DarkOwl Vision
In this piece, we reviewed why cyber liability insurance is not a substitute for solid corporate network security. We looked at a number of cyber insurance policy exclusions, such as acts of war, insider threats, and prior breaches, and at examples of how the insurance industry itself continues to be targeted by darknet threat actors.
Learn how darknet data available in DarkOwl Vision can help drive better risk decisions in issuing policies and persistent monitoring for on-going security risks to insurance carriers, brokers, and their policy holders. Contact us to learn more.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.