[Presentation Slides] Industrial Control Systems & Operational Technology Threats on the Darknet

October 7, 2022

Industrial control systems (ICS) and their adjacent operational technologies (OT) govern most everything societies rely on in the modern age. Manufacturing facilities, water treatment plants, mass transportation, electrical grids, gas and oil refineries… all include some degree of ICS/OT in their industrial processes. Cyberattacks against these are on the rise and the challenge of protecting industrial control systems persists. Recent research from DarkOwl analysts specifically identifies an alarming number of threats on the darknet and deep web that could effectively target and compromise critical infrastructure.

DarkOwl is not the only one taking note of these trends and associated challenges. Hybrid CoE, the European Centre of Excellence for Countering Hybrid Threats, has published a Working Paper entitled Defending critical infrastructure: The challenge of securing industrial control systems, diving into the topic of cyber threats affecting industrial control systems, their downstream effects, and what can be done from a policy perspective.

Last week, DarkOwl CEO Mark Turnage participated in a webinar, “Defending Critical Infrastructure: The Challenge of Securing Industrial Control Systems” hosted by Hybrid CoE, with speakers from The United States Army College, the International Society of Automation (ISA), and the National Institute for Strategic Studies, Ukraine.

The panelists discussed DarkOwl’s recent research in detail, covering topics such as cyber incidents affecting the vulnerabilities of industrial operations, recent examples from Russia’s war against Ukraine, specific ICS/OT threats on the darknet, and potential ways to develop more effective policies.

The slides that Mark Turnage shared during the webinar can be found here:


Curious to learn more about how darknet data can tailor your threat intelligence or provide insight into the threats you face? Contact us.

Tensions Between China & Taiwan Realized on the Darknet

October 05, 2022

DarkOwl analysts took note of an increased amount of darknet activity surrounding the current geopolitical tensions between China and Taiwan.

Using darknet, deep web, and high-risk surface web data, this report endeavors to shed light on the digital underground’s reaction to the countries’ political tensions stemming from China’s “One-China Principle” and its refusal to recognize Taiwan’s independence.

This report will also demonstrate how recent cyberattacks in August augment political criticism of Taiwan. Of particular note is the ongoing barrage of leaks surfacing as a result of attacks against key organizations in both countries. The report also discusses the general darknet sentiment regarding China’s global reputation and its potential invasion of Taiwan.


Questions? Curious to learn how darknet data applies to your use case specifically? Contact us.

Darknet Marketplace Snapshot: Exchange Market

September 29, 2022

In DarkOwl’s Darknet Marketplace Snapshot blog series, our researchers provide short-form insight into a variety of darknet marketplaces: looking for trends, exploring new marketplaces, examining admin and vendor activities, and offering a host of insights into this transient and often criminal corner of the internet. This edition features Exchange Market.  

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.

For this marketplace snapshot, our analysts selected a darknet marketplace hosted on Tor called Exchange Market. Exchange marketplace content is predominantly Chinese Mandarin and features illicit goods traditionally offered on a typical criminal marketplace – including weapons. The market does not appear to emphasize drugs for purchase in variety and volume as is common with other decentralized markets on the darknet.

Since early 2019, DarkOwl has observed activity from Exchange Market with a comprehensive offering of physical and virtual goods and services for sale, including advertisements aimed at darknet and underground criminal communities. The market’s onion service is advertised as though it is based in China, uses mostly Chinese Mandarin language, and references popular technology and applications exclusive to Chinese culture. The market is not widely advertised across the darknet in typical marketplace discussion boards and link lists.

Like most decentralized markets, account registration and user authentication are required before accessing Exchange Market’s listings. The market also requires the user to solve an English-character-based CAPTCHA before access is granted.

Exchange Market Login Screen, Source: Tor Browser

Once authenticated, the banner includes the English phrase:  

“Exchange, Trade Privately. Against Tracking and surveillance.”  

The top banner includes three sections translated to English as:

“Real-time manual penetration data for acquisition of first-hand online loans by overseas teams”; “Receive download site traffic”; and “Integrity buys and sells first-hand data on men and women.”
Exchange Market, Post-Authentication, Source: Tor Browser

A Closer Look at Exchange Market’s Goods & Services

Exchange market is divided into different sections with each advertising a different category of items for sale. Sections at the very top offer paid advertising materials as is common with other darknet marketplaces and forums. For example, some paid advertisements listed include recruitment and data brokerage offerings:

“High salary looking for 3 to 4 Java architects front end engineer jobs in Thailand”;
“A large number of financial investment data in the currency circle of Japan, South Korea, Europe and the United States stock and foreign exchange exchanges are collected”; and
“Looking for a hacker that can provide cvv sync fish.” 

Below the Paid Advertising section, there are different categories listed with dozens of individual advertisements each. The advertisements listed are updated frequently.

  • data resources
  • service businesses
  • virtual items
  • physical items
  • technical skills
  • video pornography
  • other categories
  • basic knowledge
  • private shop
Three Categories of Goods & Services Advertised: Data Resources, Services, and Virtual Items, Source: Tor Browser
[TRANSLATED FIGURE BELOW – Source: Google Translate] 
Data Resource | Service Business | Virtual item
1. 15W pieces of the latest national college student data in July 2021 suitable for online loans | 11 detective business inquiry 11 high quality and lowest price on the whole network 11 recruiting agents 11 | In 2022, the whole network will launch Android remote control stealing u
2. 470,000 pieces of data on the wehkamp shopping station in the Netherlands | In 2022, the latest PAYPAL binding foreign credit card fraud core technology | Spanish driver’s license positive and negative hand-held driver’s license 21 sets
3. The latest Indian online loan data in August: 340,000 loans_Automatic delivery | Each website platform mobile app and various industries data capture provides one-by-one private customization for telemarketing SMS | Italian Passport Handheld Passport 17 Sets
4. Brazil shopping data 450,000 items_Automatic delivery_August 2022 | Website penetration-obtaining database-webshell permissions | 17 sets of Polish ID cards with front and back photos
5. 390,000 pieces of Brazilian currency data in August 2022 | 1. Penetration data, 1. Regular update, 1. Long-term provision, 1. | British passport holding 187 sets of passports
6. 500,000 shopping data in Spain_Automatic delivery | thug private detective | 1434 sets of US driver’s license front and back hand-held driver’s license
7. 57W National Physician and Physician Registration Examination Database Package is of great value for money | Dead and Remnant Order Customized Order | 37 sets of Japanese driver’s license plus hand-held driver’s license japan driver’s license
8. Taiwan personal data 730,000 names, phone numbers, email addresses, birth dates | Anti-drinking tea network security Anonymous anti-tracking evades the investigation of the Internet police to deal with national security tea-drinking security money laundering technology | TRCERC’s latest release of the coin withdrawal interface source code is fully open source, there are two sets
9. 870,000 names and email addresses of real estate agents in the United States | All kinds of inquiries of detectives | In 2021, the latest bitcoin money laundering technology is very safe in the black production circle
10. US Wolf Eye Clinic patient data 630,000 phone and mailbox SSN | 24-hour stable query business | 11 teach you how to date a girl in junior high, high school and college 11 by no means a cold reading pua tutorial
11. elitemate US online dating site data 1.04 million | Check cars, check people, check all | AliExpress eBay Amazon Alibaba Taobao and other e-commerce seller data
12. 7.73 million Robinhood stock and cryptocurrency investing sites | Query ID card activity track | Latest National Official Contact Information Official Position
13. 570,000 users of btce cryptocurrency platform | Detective_Check_Online second message | CC attack tutorial and software
14. 24,970 US users of bitmain bitcoin mining machine | High-quality file inspection on the whole network | Naked chat fraud to obtain address book source code Naked chat software codeless video voice changing software photographed and shipped automatically
15. xcoins peer-to-peer bitcoin market users 25373 | one-one-one-one-one-one-one-one-one-one-one-one-one-one-one | Hacker QQ number stealing tutorial with software
16. bitcoinnetworks bitcoin contract website 5237 | Monero Money Laundering 2021 The Safest Way to Launder Money Original | The full technical information of the hacker is here
Translated Table of Exchange Market Listings for data resources, business services, and virtual items

Data Resources 

This section of the market has listings focused on the brokerage of personally identifiable information (PII) and digital identity theft, including: PII exfiltrated from shopping data, college students’ data, phone numbers, social security numbers (SSNs), addresses, and users of bitcoin services. The personal data offered appears to be primarily sourced from individuals located in the Netherlands, India, Brazil, Spain, the United States, and Taiwan.

The United States is targeted the most frequently in this category, with personal data available that was stolen from US real estate agents, a US optometrist’s patient data, and data from a US online dating service. A newer advertisement, shared this week, titled “3.26 million in 22 years in the United States_Detailed personal information of US citizens,” claims that the data is US personal identity data from 2021 and 2022 and includes names, addresses, phone numbers, and work associations and industries.

Data Resources Section of Exchange Market, Source: Tor Browser

Another listing, titled “Taiwan personal data 730,000 names, phone numbers, email addresses, birth dates,” is notable given tensions between China and Taiwan and is likely a result of recent cyberattacks against the country. Each database offered appears to be legitimate and links to real data.

Neither advertisement includes a price for the databases.

“Service Business” Offerings 

Listings under the service business category include social engineering, penetration testing, fraud technologies, private detectives, internet tracking avoidance and privacy, and methods for money laundering.

One listing appears to offer one-on-one guidance for the “private customization for telemarketing SMS” – which is likely a customized SMS hijacking service.

Virtual Items 

The “virtual items” section features malware, trojans, and viruses for conducting cybercrime. Our analysts noted several RATs (Remote Access Trojans), PII for social engineering and fraud, hacking tutorials and associated software, video and voice changing software, and Bitcoin laundering technology.

Interestingly, most of the PII offered here originated from citizens in Spain, Italy, the United Kingdom, Japan, the United States, and Poland – suggesting that either China-based threat actors are directly targeting these countries or non-China-based data brokers are reselling exfiltrated databases on this market. Other databases for sale included e-commerce websites such as Amazon, AliExpress, eBay, Alibaba, and Taobao.

Physical Items 

Instead of offering a wide selection of drugs as ‘physical goods’ for sale, this section of the market features counterfeited documents and items (e.g. cigarettes), weapons, and a limited supply of LSD tabs and prescription drugs. Clonazepam and LSD tabs are allegedly shipped from Europe, a handgun is offered for $10,200 USD, and fake tax certificates and bank cards from various international government and financial institutions were advertised.

Of note, the handgun advertisement’s description, “Glock19 customer customized list,” does not correlate to the model of the handgun pictured. The picture is instead a Glock G17 and includes the inscription “Austria” on the weapon. Despite the discrepancy between the advertisement and the picture, other automatic and semi-automatic weapons are included in the Glock19 advertisement.

[TRANSLATED ADVERTISEMENT – Source Google Translate]

“New glock 19 gen4 price ($10,200)

Shipping time is about a month

No refunds will be accepted after payment, as the goods will not be returned once dispatched,
Because of their own problems, the mobile phone number is not answered, the goods are not received, and refunds are not accepted.
If you do not receive the goods or do not meet the requirements can be refunded. Please release the money after receiving the goods without any problems, for the sake of long-term cooperation in the future

Save time for those who really need it, don’t bother.

AR15
AR-24K
beretta PX4
MAC 11
Russian-made Markov is cheap

Customer-made list, if you need anything else, you can send a private message, don’t waste everyone’s time thank you [If you want to order, please make a sincere consultation for $10, send a private message on the site, or leave a telegram or encrypted email

Only connect with the big boss, you can also come if you think you have the strength. Don’t waste your time consulting if you are bored
I finally want to say that cheap people deserve to be deceived. . . Stop believing those in some groups. . All liars can’t see it.”
Handgun offered for sale on the darknet marketplace, Source: Tor Browser 

Technical Skills 

The Technical Skills section covers numerous skills required for fraud and hacking. Some technical skills advertisements include antivirus software bypass techniques, methods to register Google Voice accounts with US phone numbers, online credit card loans, DDoS attacks, and scraping information from WeChat chat records in real time. There are also some unexpected socially specific skills on offer, such as “Tricks to Control Women” and “The Manson Method to Get Women Addicted to You.”

Video Pornography

This section of the market includes what one would expect with subscriptions and pornographic content available for purchase and download. There are also mentions of CSAM content.

Other Categories 

This section includes uncategorized listings for a variety of products, much of which is similar to the ones already described above. Our analysts noted offers for ransomware, international passports, hacking toolkits and tutorials, and unrelated listings, such as “The most complete network of CCP princelings.”  

Basic Knowledge 

The Basic Knowledge section of the marketplace is a mixture of offerings and discussions on topics such as earning passive income, fraud and hacking tutorials, and practical dating skills.  

More Exchange Market Listings, Source: Tor Browser

This section of the market appears to also include an option to add comments to posts, although additional marketplace approvals and/or Bitcoin payment may be required.

Exchange Market: DarkOwl Analyst’s Observations

  • Exchange Marketplace restricts any personalization of buyer or vendor accounts. There are no custom usernames or avatars associated with either type of account.
  • Vendors are provided a “seller account number” that appears with their product listings, and there is no obvious vouching for a vendor’s legitimacy through reviews or credibility from other marketplaces or sources.
  • Similarly, buyers are issued a random string of numbers that serve as the account’s username, further obfuscating the identities of all parties involved in a marketplace transaction.
  • A limited number of vendors include links to potentially associated Telegram channels and/or include English text in their advertisements.
  • Products on the marketplace are tailored towards Chinese online services, e.g. ransomware to target Taobao, Xianyu, WeChat, and Weibo.  
  • To transact with a vendor on Exchange, the onion service requires the buyer generate a separate transaction password.
  • The marketplace serves as ‘escrow’ with a ‘pay-to-play’ mentality, requiring Bitcoin deposit for an account to be fully activated.  

Conclusions 

Given its longevity and network persistence in offering illegal goods and services since 2019, DarkOwl assesses that Exchange Market is a comprehensive darknet marketplace that sells goods and services to support the full spectrum of potential cybercrime. In addition to databases and exploits to conduct financial and identity fraud, scamming, hacking, ransomware campaigns, and more, the market appears to also support a solid recruitment and hacker-for-hire segment of the Chinese malware community.

Unlike other decentralized markets, Exchange Market demonstrates higher concern for anonymity by providing random numbers to users rather than personalized aliases. While the language barrier might limit access for large swaths of darknet users – who are predominantly English and Russian speakers – Exchange Market’s popularity is consistent despite limited out-of-market advertising, and it is still flourishing on its own.


Subscribe to email to receive the latest research directly into your inbox every Thursday and don’t miss our next Darknet Marketplace Spotlight.

Upcoming Research: Tensions Between China and Taiwan Realized on the Darknet

September 28, 2022

This research is now live >> Check it out here.


The year 2022 has been one of heightened global tensions and geopolitical military conflicts. Russia’s three-day “special military operation” against Ukraine has turned into months of heated battlefield bloodshed and cruise missile attacks, and has sparked a global cyberwar touching hundreds of entities that are neither Ukrainian nor Russian. Elsewhere, open sources estimate that over 100 people have died in a border conflict between the former Soviet states of Kyrgyzstan and Tajikistan, both of which share a border with China. Meanwhile, a fragile ceasefire agreement between Armenia and Azerbaijan failed to stop fighting that resulted in a couple hundred deaths in an Armenian enclave of the Nagorno-Karabakh region of Azerbaijan just last month.

Amongst these hostilities are escalating, volatile tensions between China and Taiwan that stem from China’s “One-China Principle” and its refusal to recognize Taiwan’s sovereign independence.

In DarkOwl’s upcoming research investigation, our analysts take a closer look at how recent political tensions between China and Taiwan spill into the darknet, deep web, and greater cyber space.

Recent political tensions between China and Taiwan spill into the darknet and cybersphere.

In this paper, we will look at how numerous data leaks and cyberattacks have occurred in both the U.S. and Taiwan – prompted by a controversial political visit from US Speaker of the House Nancy Pelosi in August, and the subsequent approval from the Biden administration to deliver $1.1 billion in US weapons to Taiwan.

The new research piece will also shed light on the darknet’s response to concerted information operations and political escalations between the two countries, including chatter related to a potential military invasion of Taiwan, China’s role in Russia and across the globe, and general anti-China sentiment across several darknet discussion services. We also uncover some of the critical government and organization data leaks that have surfaced for both Taiwan and China and are in circulation in the darknet.

To receive a copy of this research as soon as it goes live on October 5, drop your email below:

International Day of Peace: View from a Darknet Analyst’s Perspective

September 21, 2022

This year, International Peace Day comes amidst a global cyberwar that arguably began (but has determinably escalated) with the Russian invasion of Ukraine. When considering the notion of peace, especially during this time of heightened combativeness, we turned to one of our darknet analysts. In return, they offered their first-hand perspective and candid thoughts on the notion of a peaceful cyberspace.

Peace in the Midst of a Cyberwar: Perspectives from a Darknet Analyst

In my opinion, the concept of a ‘peaceful darknet’ is a complete oxymoron. There have been brief moments when I’ve experienced something close to peace on the darknet, such as when I connect with various underground communities and established trust groups. I log in to the community, check the channel nicks to see who else is online, and direct message or send a quick jabber message to the online “friends” I’ve established after years of moving in and out of these communities. There are moments of contentment after a friend shares an update on their dad’s recovery from a recent surgery, and we relate about videos we’ve both watched on YouTube.

But, is it peaceful? Hardly. There’s a cloud of anxiety. At any point in time, the server our community connects to might be hit with a heavy DDoS attack from ‘skids’ or a rival darknet community. You never know when a guest account will connect and immediately flood fill the chat with hateful and explicit messages.

I look at the clock. Around this time most nights, a former member and now banned user connects to the server and there’s immediate drama between them and the chat’s moderators and staff. The user claims he’s got proof that one of the staff is a pedophile. They’re kicked out and the channel/room is locked. Another member posts a funny meme. Another asks for help using Mimikatz. Just another typical night in the darknet.

Before Ukrainian Invasion: Brewings of a Cyberwar

Months before the Russians physically invaded Ukraine, resulting in the formation of the IT Army of Ukraine, and the hacking collective Anonymous launched their infamous cyber campaign #opRussia against Putin and Russia-aligned threat actors, members of the elite GRU were busy covertly carrying out many a pre-invasion operational cyber campaign by probing networks and accessing sensitive Ukrainian networks.

Millions of Ukraine’s citizens’ personal data had already surfaced and were in circulation across the darknet. Russian trolls on darknet forums and Telegram channels taunted the West and Ukraine, with posts about everything from Hunter Biden’s laptop to a weak NATO; some hinted at how quickly Kyiv would collapse after an invasion. Western news media started reporting of troop build-ups along Ukraine’s borders in Belarus and Russia.

Then, the Kremlin announced their recognition of the Luhansk and Donetsk People’s Republics (LPR/DPR). Less than a week later Putin ordered commencement of his “special military operation.”

After February 24th, 2022, everything changed: both in real life and virtually. Darknet dynamics completely shifted. Cybercriminal groups and ransomware gangs split down the middle – those supporting Ukraine and those supporting the Kremlin. Many Ukrainian-based darknet users, including an online ‘friend’ prominent in the darknet carding community, disappeared after deploying with the military to fight for their country’s freedom. Hundreds of Russian and Ukrainian Telegram channels emerged with videos from the front lines. Social media channels post videos of cruise missiles hitting centuries-old buildings in Kharkiv. Apartments and residential buildings were completely decimated along with the people and memories in them.

War Launches a Frenzy of Darknet Activity

Every few hours I discover another leak URL that has emerged from a victim in Ukraine or Russia. I annotate the details to a database of Ukraine-Russian cyberwar leaks I started within the first 36 hours of the invasion. I proliferate the IP addresses of new targets issued by the Minister of Digital Transformation of Ukraine and load another Tor URL that has mysteriously disappeared.

A DarkOwl Vision monitor I created for a client – months before the invasion – alerts me that the company’s web domain has been mentioned by Russian threat actors on Telegram. Attacks against US companies and NATO entities start to mix into the now daily exhaustive list of on-going cyber activity. New threat actor groups announce their formation every other day. ATW? nb65?! KILLNET…. I begin to ponder how this cyber chaos can possibly result in any form of success for Ukraine. Members of Anonymous and various ‘collectives’ around the globe invariably clash attacking the same digital targets.

My sleep in those early weeks consisted of brief 2-hour naps only after caffeine was no longer effective and I could barely keep my eyes open. My dreams were haunted by the sound of the sirens I had heard repeatedly in videos coming out of Kyiv on Telegram and the images of decaying soldiers’ bodies on a channel dedicated to helping survivors identify their lost loved ones. I’m millions of miles from the epicenter; yet, I’m still affected by what I’ve virtually witnessed.

Fast Forward Seven Months

The IT Army of Ukraine has grown to a force of nearly half a million hacktivists. The cyberwar leaks database is terabytes in size. The CONTI ransomware gang passes the ransomware baton to LockBit, shifting from ransomware to nation-state operations. A ransomware group seems to surface every week announcing dozens of global commercial victims – many of them small businesses that struggle to survive such an attack.

Zero days and exploits used against Russian government and commercial entities have become increasingly sophisticated with attacks against critical infrastructure becoming the standard. Anonymous’ operational cyber cells are now run with shocking efficiency and effectiveness and the cyber battlefield is either less chaotic or I’ve become more tolerant and accepting of the chaos.

Pro-Russian disinformation networks across social media and the digital underground are operating at full capacity. On the surface, the Ukrainian military has successfully pushed the Russians back over 6,000 square kilometers in eastern Ukraine, liberated dozens of towns and villages with their counteroffensive against Russia, and another Russian oil executive has mysteriously fallen out of a window in Moscow. It’s nearing the end of summer. I visit a local farmer’s market only to overhear a random 60-something-year-old woman at a stall arrogantly declare, “President Putin is simply trying to dismantle the global cabal and de-nazify Ukraine”. I take a deep breath and slowly walk back to my car, suddenly no longer interested in buying any local produce.

I return to my home office to find a request for technical information related to recent cyber-attacks in China and Taiwan in my inbox. I suddenly realize that this is never going to end. China could very well invade the island of Taiwan by the end of the year and trigger yet another round of global cyber initiatives and operational campaigns.

The cyberwar is no longer simply between those who support Ukraine and those who do not. The cyberwar is simply a virtual reflection of the pure lack of peace we have within ourselves as individuals, societies, and nations. Peace in Ukraine will in no way result in peace on the darknet nor stop your neighbor down the street from spewing the propaganda they’ve been fed and now believes in their heart.

I disconnect the wi-fi, shut off my computer, crawl into bed in the middle of a Saturday afternoon, and for the first time in seven months, sleep peacefully.


The above account came from one of our DarkOwl Analysts, who are trained to routinely immerse themselves in the darknet space. Their efforts support our product collection efforts, and also help our clients understand data and intelligence on the darknet. For more questions about how analysts support our customers, thought leadership, and data collection efforts, contact us.

DarkOwl Continues to Build International Presence at ISS World Asia in Singapore

Earlier this month, DarkOwl participated in the well-regarded law enforcement conference: ISS World Asia. The annual, training-oriented event describes itself as “the world’s largest gathering of Regional Law Enforcement, Intelligence and Homeland Security Analysts, Telecoms as well as Financial Crime Investigators responsible for Cyber Crime Investigation, Electronic Surveillance and Intelligence.” 

Representing DarkOwl were David Alley, CEO of DarkOwl FZE based in Dubai, and Richard Hancock, Darknet Intelligence Analyst based out of DarkOwl’s headquarters in Denver.

“We find ISS World events to be incredibly helpful in bridging the gap between national security agencies and the OSINT vendor community,” shared David. He also noted a common thread in his conversations with investigators: the need for safe, effective, ethical, and high-quality dark web OSINT tools.  

While at ISSW in Singapore, the DarkOwl team hosted a seminar on Darknet Intelligence Discovery and Collection. The goal of this session was to further educate the international intelligence community on how threat actors on the darknet are evolving in their use of new tools and methodologies. 

Later in the week, David Alley of DarkOwl FZE delivered a presentation with representatives from Social Links, one of DarkOwl’s partners and a leading provider of OSINT technologies.

The session, Countering Illegal Trade on Darknet Marketplaces, was offered as part of one of ISS World Asia’s closed track programs, available only to Law Enforcement, Public Safety and Government Intelligence Community Attendees. 

The collaborative presentation focused on what the current dark web marketplace landscape looks like, and explored methods for counteracting illegal cyber trading. The discussion was further supported with demonstrations on how investigators can expose criminal and terrorist cryptocurrency activity on the darknet by using a platform that has been enriched with DarkOwl data. 

Per our partners Social Links, this session showed how “through advanced data extraction and analysis, investigators can break through the perceived anonymity of the Dark Web and crypto transactions to identify criminal actors.”  

DarkOwl looks forward to continuing their presence at ISS World events as part of our ongoing initiative to support the global law enforcement community in their efforts to police illegal and nefarious activity on the darknet.  

An Intro to Industrial Control Systems and Operational Technology Threats on the Darknet

September 08, 2022

This Research Report is now live >> Check it out here.


Upcoming research from DarkOwl displays an alarming number of threats on the darknet and deep web that could effectively target and compromise Critical Infrastructure.

For the past several months, DarkOwl analysts have been monitoring for and documenting instances on the darknet that could be threatening to Industrial Control Systems (ICS) and their adjacent Operational Technologies (OT). These two categories of systems govern nearly everything societies rely on in the modern age. They underpin critical infrastructure such as manufacturing facilities, water treatment plants, mass transportation, electrical grids, gas, and oil refineries… all of which incorporate some aspect of ICS/OT in their industrial processes.

In doing so, DarkOwl’s analysts found a significant number of instances in which attacks or attack vectors that could directly affect these critical industries were being actively discussed or circulated on the darknet. The research will be published in an upcoming whitepaper, Industrial Control Systems (ICS) & Operational Technology (OT) Threats on the Darknet.

The full extent of this research will be published Tuesday, September 13 and will cover how critical infrastructure is being targeted on the digital underground.

Abstract

Industrial Control Systems (ICS) & Operational Technology (OT) Threats on the Darknet

In recent years, especially in the world of ransomware and extortion-as-a-service crime – which is highly prevalent on the darknet – the information security community and major security operations centers have been centrally focused on securing sensitive organizational ‘data’ and intellectual property with concerted attempts to mitigate network attacks and remediate the effects of one leak after another leak emerging on the darknet and across underground criminal communities.

ICS/OT security involves protecting the critical ‘processes’ that critical infrastructure and manufacturing facilities depend on, and is less concerned with data loss. The effects of ICS/OT attacks, especially those that target unencrypted serial communication protocols, do not manifest as simple domain network and email connectivity issues. A successful ICS/OT attack transcends the cyber realm and can result in the physical destruction of devices, kinetic explosions, and even the potential loss of human life.

In this darknet research investigation, the analysts at DarkOwl review the threats discussed and circulated on the darknet related to ICS/OT and exploits designed to compromise Supervisory Control And Data Acquisition (SCADA) panels. The research highlights initial points of compromise and brokers of unauthorized network access, the reconnaissance utilities employed by threat actors to surface critical infrastructure system vulnerabilities, and the real dangers presented by the industry’s reliance on insecure IEC protocols.


To receive a copy of this research as soon as it goes live on September 13, drop your email below:

Importance of Darknet Data in CyberSecurity Programs for Small and Medium Businesses

September 07, 2022
Or, watch on YouTube

DarkOwl CEO Mark Turnage and Symbol Security Co-Founder and President Craig Sandman discuss the darknet, key elements of cyber surveillance utilizing darknet intelligence, their partnership, and why darknet data is an essential part of Cybersecurity programs in the SMB market.

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Mark: Let me talk a little bit about DarkOwl. We’re a company that’s about five years old based in Denver, Colorado. We specialize in collecting, aggregating, indexing, and supplying data from the darknet. And we’re very specialized and focused just on the darknet. There are other companies, there are other threat intelligence companies that provide other types of data. But our specific expertise is simply in the darknet. We’re very proud of the fact that we have more female employees in the business than most tech companies do, I think we’re just under 30% right now. In the past, we’ve been as high as 40%, and we’re very proud of that fact.

But to the point of darknet we have built over the 4 or 5 years of the company’s existence, we built what we believe is the largest darknet database in the world. And let’s just talk a bit about what I call definitional ambiguities. What is the darknet? What is the deep web? The surface web is what everybody sees as the top of that iceberg on the right. That’s where we spend all our time. It’s accessible by Google. You can get information and that’s where the vast majority of the world spends most of its time on the web. The deep web is authenticated websites. So, for example, your bank account information – Mark Turnage cannot get to your bank account information from my browser. I might be able to get to your bank’s sign-in page, but I can’t get to your information because I lack the authentication and the credentials to get there. Ironically, that’s where the bulk of all the data that is held on the internet is actually stored.

Where we specialize is in the darknet. These are anonymized networks that reside below the level of the surface sites, surface web and the deep web. And they generally require specialized browsers to get access to. And it generally requires some type of specialized knowledge, although not in all cases. If you look at this slide, what we’re talking about is at the bottom of that slide, Tor, I2P, ZeroNet, other new darknets that have been created, these are darknets where DarkOwl is on a daily basis collecting data and supplying that data to our partners and now including Symbol. And that data is full of information that is relevant to measuring the risk of organizations and understanding the risk and addressing that risk.

We also do collect data and supply it from certain high risk surface websites, pay sites, and some discussion boards, as well as some deep websites, some underground criminal forums and so on. All of that we describe as the darknet database. And again, we’re collecting it so that organizations can understand what data of theirs is in the darknet, what exposure they have in the darknet.


Kathy: Mark, real quick – a couple of questions have come in on that last slide that you just shared. The first one is “How big is the darknet?”

Mark: That is a really good question and nobody particularly knows the answer. When we started collecting data from the darknet, the darknet was Tor, the Tor network. There are now probably half a dozen darknets that exist and we collect data, as this slide shows, from it, and ZeroNet. We’re moving into other darknets as well. But there is no easy way to measure the darknet. And the simple reason for that is that the darknet is generally distributed around the world. The Tor network is a network of between 15,000 and 20,000 servers around the world that serve that. There’s no easy way to measure it. But to give you a sense, DarkOwl collects data from somewhere between 25,000 and 30,000 darknet sites a day. That’s before you get to the high-risk surface websites and the deep websites. So that’s a lot of data. These darknets are growing and usage on these darknets is growing greatly.

Kathy: And there’s also a question as to “How do you know when a company is being targeted on the dark web?”

Mark: Well, generally indicators of the fact that a company is being targeted in the darknet show up. Either the company is mentioned by name or their IP range, it shows up in a targeting website, let’s say a hacker forum where somebody says, here are some IP ranges where I’ve discovered certain vulnerabilities, or I’m selling access to this company’s server network. Or you will see things like credentials and passwords for sale for individual companies that allow hackers or ransomware actors or other actors to drive straight into the network and be inside the network. So there are lots of indicators of risk of companies that show up in the darknet. Using our database and using Symbol’s database, you can search for those indicators of risk that may exist with respect to your individual organization.


Mark: I’m going to finish on this slide I mentioned earlier. We’ve built what we think is the world’s largest database of darknet content. This gives you a sense of some of the locations that we collect from: Telegram, I2P, Tor, ZeroNet, pay sites, and so on. And it will give you a sense of just what we’ve indexed in the last 24 hours. The slide shows 8.4 million documents have been indexed into our database in the last 24 hours. If you look along the bottom, it will give you a sense of what we have collected over the years of our existence. We have somewhere north of 8 billion email addresses in our database. We have somewhere north of a billion IP addresses, 9 million credit cards, 236,000,000 crypto addresses. That gives you a scale and sense of the scale of what exists in the darknet and exists by virtue of having access to our platform.

We provide that data a number of different ways and are delighted to partner with Symbol and now I’m going to turn it over to Craig.

Craig: Great. Thanks, Mark. Appreciate it. Great job. Mark did a great overview of darknet, deep web and the surface web. Certainly it’s a squirrel space and a big space. So let me tell you a little bit about Symbol Security and we’ll kind of pull into this how we managed to get together with DarkOwl and deliver some of these darknet cyber surveillance services to the SMB market.

Symbol Security is a provider of predominantly security awareness training services. As you probably know, security awareness training is something that’s been hot in terms of a way to address and mitigate the attacks of cybercrime and it’s also in regulated environments. And we’re talking now close to 800-850 regulations, laws and other statutes that require businesses to show evidence of security awareness training. So it’s becoming a nonstarter for businesses, even if you didn’t feel like it was a good use of your time or argued the fact that it made your company safer or not. Independent of that, it’s a requirement in so many regulations, it’s becoming a nonstarter.

One of the things we do a little bit differently than most companies is we deliver a managed program. So a lot of the security training services and the implementation falls down in just that, in the implementation of it. So they may buy the software, but do they actually properly implement or even get to implement the service? We know how things go in the small to mid-size business. Everybody’s 150% subscribed in terms of their time and it’s difficult to execute on everything you have to do. So things fall to the bottom of the list. One of the things that typically will fall to the bottom of the list is security awareness training. We look at security awareness training and security awareness as targeting human risk. So how do we identify human risk and how do we mitigate human risk? Through education. We do more than just training videos and phishing simulations. We look at email and domain threats. So email threats would be breach alerts and things like that. Is your email address compromised in any way? Domain threats look at the potential of doppelganger and lookalike domains being manipulated and used potentially against you, just helping give access and visibility to your threat envelope.

From a training perspective, we have really great trainings, very good simulations, and we make things quite easy because we’re typically focusing on the SMB market and through SMB distribution points like managed service providers and managed security service providers. And we’ve added cyber threat surveillance now to this platform into the bundle. And I’ll talk about why in a moment, but it plays into the extension of threat awareness for the individual and for the small business that’s how and why we’ve tied it in.

And we’ll talk now about what cyber threat surveillance is to us and to the SMB market space. So essentially, as Mark indicated, there’s a lot of different things that you can pick up on the darknet and on the deep web that are very valuable in terms of being proactive in your cyber awareness strategy. So reactive would be we’ve seen a breach alert for a particular email address. Now we go in and change username and password so it can’t be further manipulated, but the breach has already happened. We’re reacting in that case and there’s other instances where we’re simply reacting to things that have already happened.

We’re flipping a script here and allowing for darknet visibility and deep web visibility to provide proactive awareness. So when might things begin to look strange or suspicious that we need to act on, rather than we already know there’s a problem? We’ve probably already been hacked or attempted to have been hacked, and now we’re going to mitigate post that event. The concept of brand protection falls in there if there’s potential issues in and around your brand or people are slandering your brand or lining up your brand for an attack or any kind of negative event. VIP email monitoring we talk about a lot as well. So if you have individuals that are perhaps tightly associated with your brand, obviously any kind of reputational damage, there could be a cyber issue or a damaging issue for your organization. And then monitoring chat rooms. And just as part of the entirety of the deep and dark web chat room, visibility is included in there, as well as looking over products and domains. So those are also places where organizations want to protect their assets. What we’ve done here is taken a service and a feed that is typically consumed by government entities, large agencies and Fortune 100 companies, and we boiled it down to a simplified package so that the SMB can consume it.

That’s what was missing before. Right. We have incredible service provider in DarkOwl and some really great layers around that the entities in the market use in order to consume this data. But when it gets to the SMB, it’s too complicated and or too expensive for most budgets. So that’s really what we need when we say SMB packaged. And as part of that, we’ve broken it down into really keyword and email monitoring and we’ve integrated it into our cyber awareness reporting for the small to medium business.


Kathy: “Don’t threat actors only come after large companies? And what is the top cybercrime for small businesses of under 50 employees?”

Craig: First question, definitely a misnomer in that cybercrime happens most often with large businesses. It’s equally prevalent in small businesses. Obviously, big businesses might offer a bigger return from a cybercrime business perspective. But at the same time, the small businesses are generally less able to defend themselves and so they become quick hits. And if cybercriminals can get a 10,000, 20,000, 50,000 dollar return on investment for a crime, they’ll do it. And so there’s case after case after case of small businesses getting swindled out of 10,000, 50,000, $100,000 at a time through direct targeted cybercriminal attempts.

The second question was what is the top cybercrime that small businesses under 50 employees face. Cybercrime can be broken into many different buckets, probably not too surprising. The execution is typically ransomware that finds its way into all business sizes. How it gets in there is sometimes varied. So we focus a lot on phishing training and sort of mimicking phishing attacks. We can teach users to at least recognize and for that entry point for ransomware. But obviously ransomware can be delivered a number of different ways. That is the most prevalent situation. We do see wire fraud work its way into small businesses as well. That might be some kind of action sometimes from a phishing email that says something along the lines of, hey, please wire funds from this account to that account, where the secondary account isn’t something that’s owned by the small business. But certainly locking up files and then extortion from a ransomware perspective is, I’d say, the most common across probably most business segments.

Mark: Let me add something to Craig’s good answer to your first question of are SMBs targeted. To the same degree that large companies are targeted, we have found that oftentimes SMBs are targeted in favor instead of larger companies. Larger companies have a lot of money they can spend on hardening their defenses. SMBs oftentimes are softer targets for hackers and for malicious actors. So we have found that in some cases they go deliberately after SMBs versus going after larger actors. But that’s exactly right, Craig. I mean, I think the types of attacks that you’re seeing amongst your client base, it mirrors exactly what we see as well.

Craig: Absolutely.


Craig: And so from a cyber threat surveillance perspective, we’re not going to get into a demo today, just kind of short on time, but I wanted to give you at least a screenshot so I can talk through how this operationalizes itself into our platform.

Essentially, we provide daily updates on darknet findings that are pertinent to your organization. And we’ve really structured the input so that it’s simple. We’re looking for keywords and potentially VIP emails. We can also, as Mark alluded to, enter things like credit card information or IP addresses as well. From an advertised level, we really focus on keywords, which would be a business name, a product name, a brand name, an affiliate name, and then we are also looking at what we call VIP email protection as well. But again, we can pivot to incorporate some of those other items as well. We integrate the results directly into reporting and a dashboard. So as you saw on the last screen, briefly we’ll intake the findings. If your keyword or your VIP email is found, we’re going to give you plenty of surrounding context. It may be thousands of characters of additional data around the keyword that we found. You’ll get full context of not only the fact that this VIP email or keyword, maybe your brand name, your company name was found on the darknet, but you’ll see the entirety of the discussion around it in addition to the location that it occurred on. You’ll also get email alerts when these things happen. So administrators are going to get notified.

There’s a nice portal to allow you to track and categorize these incidents. You can categorize them as urgent, you can categorize them as resolved or just leave them in a pending state. Also of interest too is we provide some sentiment tracking as well. So based on what we see, we’re going to give an analysis of sentiment or negativity around a particular finding. So if it may be benign, there’s plenty of benign information on the dark web that’s really not pertinent, not meaningful, certainly not hurtful. You’ll see those results, but we’ll prioritize and we’ll flag as urgent results that hit a high negativity level. So we kind of take care of some of the analysis for you, although response remediation planning around what to do if you do find something is really up to you as an organization or perhaps a security provider that you’re partnered with.

Average price – so we will talk about price here for our service falls 4,000 to 15,000 dollars per year. It’s obviously a large range, but it really just depends on how much you want us to monitor for you. So I wanted to give that too because the average price point, entry level price point for the service is generally three to four times the high end that I’ve referenced there. And so in those cases, the access to this data typically outstretches an SMB budget. We fit it squarely in a range where SMBs can afford this service and most times we’re addressing clients that also have other needs around security awareness, training, password management services. We’re able to bundle those elements together and give them a nice SMB cybersecurity suite. As I mentioned, we will sell these services through managed security service providers as well. So we have a portfolio of managed service providers that will deliver many more services bundled together. Additionally, we can deliver these as a single suite and more of a point solution to organizations as well. All right, any other questions that we want to get to before we close it out here?


Kathy: Yes, we have had a couple more come in. “Can you please give an example for a small business where information from the dark web could help protect the brand reputation?”

Craig: Yeah, I can. Mark, I’m sure you probably can as well. But one of the things that comes to mind is a couple of things really I address this earlier in the conversation when I start talking about executives that are really tied to the brand of the company. And in some cases, if either those executives are being targeted or perhaps they are involved in some nefarious activity and that gets picked up, it’s not going to be a good ending. But at least an organization has time to prepare and plan and take action before an event has occurred. And that might be public relations type planning or perhaps getting out in front of any potential negative activity. Additionally, if there is some really slanderous and hateful discussions about a particular organization, that would be a cause of concern and you can use your imagination on what those things might be, these will get picked up if they’re happening on the dark web and on the darknet. So those are two situations that are certainly ones that the surveillance will help identify, which if you had typical reactive cybersecurity services, you’re not going to see those things until an event is inbound or incoming. Mark, I don’t know if you have anything to add to that.

Mark: That’s an exceptionally good answer. I would just add that in addition to VIP information and slanderous activity, I would start by saying there is almost no mention of your organization in the darknet that couldn’t potentially affect your brand. So if you’re breached in a ransomware attack, if you’re being targeted in addition to the slanderous statements that are being made, ultimately that’s going to affect your brand negatively. Everybody knows about what happened to large companies that have been breached and their brand being tarnished as a result. The same is true for SMBs. And so all of the categories that Symbol monitors on behalf of its clients, all of them have some capacity or some capability to damage the brand.

Kathy: “So Symbol covers what is on the darknet, but what about other cyber risks?”

Craig: Yeah, that’s a great question. I mentioned some of our partner organizations. Obviously, the landscape of cyber risk is significant. These services that we provide, provide great coverage across the things that we’re specialists in, which should be training and some visibility around potential cyber threats that cross the dark web and potentially into domain names and breached email addresses and things like that. Of course there’s many more things to cover and we highly recommend, especially in the SMB space, security consultants, virtual CISOs. If you don’t have a CISO on board or maybe can’t afford one, those kind of fractional consultants are great and we have a number of really good managed security service providers that can provide a large breadth of cybersecurity type services from a single organization. Best of breed. Best practices and things of that nature. So we can certainly sit as a point of reference for helping you find those things and for the pieces that we cover today, we’re happy to deliver those directly as well. But yeah, there’s a lot more to it for sure.

Thank you so much for joining us today.


About Symbol Security:
Symbol Security’s SaaS platform helps customers reduce their cyber risk and adhere to industry compliance requirements. Through authentic simulated phishing exercises, interactive training content, and awareness of risk data across domain registries and the dark web, Symbol helps companies identify and act on potential points of cyber risk. Symbol can be operated by company administrators with ease or leveraged by Managed Security Service Providers as part of their security offerings. Visit their website: https://symbolsecurity.com/

To get in touch with Symbol Security email [email protected]
 
About DarkOwl
DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data in a way that allows for simplicity in searching. Our platform collects and stores data in near real time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself. DarkOwl offers a variety of options to access its data. 

To get in touch with DarkOwl, contact us here.

Darknet Data: Use Cases for Law Enforcement and Intelligence Agencies

September 01, 2022

In this blog, DarkOwl analysts outline top use cases for intelligence agencies, law enforcement, and government, where darknet data often plays a critical role. These examples from DarkOwl’s software-as-a-service (SaaS) darknet data platform identify and describe how key data sources in the criminal underground can be leveraged to facilitate the analysis and reporting required across intelligence agencies and government entities’ security departments.

Cyber Investigations

DarkOwl’s darknet data can significantly augment cybercriminal investigations by providing key additive informational components – often in conjunction with other OSINT like social media activity. Data from the darknet often creates a more comprehensive picture of the case itself, the criminal’s behavior, and psychological intentions. The resulting darknet intelligence (or DARKINT) fills in critical intelligence gaps that solidify evidence such that indictments and subsequent legal action may be executed.

Using DarkOwl in conjunction with other open sources and utilities, an investigator can easily identify and track a threat actor’s digital fingerprints and subsequent virtual breadcrumbs, such as social media accounts, usernames, aliases, avatars, email addresses, PGP keys, and cryptocurrency wallet identifiers.
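As an added illustration of the pivoting described above (example code written for this page, not DarkOwl’s or DarkOwl Vision’s code), the Python below extracts several of the identifier types listed here (email addresses, PGP fingerprints, .onion hostnames and legacy Bitcoin addresses) from a few constructed forum posts and then links posts that share an identifier. It is a general indicator extractor rather than the one specific case shown in the graphic. Every post and identifier is made up, except the Bitcoin address, which is the public genesis-block coinbase address used only as a syntactically valid sample. The Base58Check step shows why a regex alone is not enough: the near-identical address in the third post fails its checksum and is dropped rather than becoming a false pivot.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample posts standing in for forum, vendor-shop and paste content.
# Only the Bitcoin address in the second post is real (the genesis-block coinbase
# address); the third post carries a one-character corruption of it.
SAMPLE_POSTS = {
    "forum-A/post-17": (
        "new build ready. contact builder@example.net or PGP "
        "ABCD EF01 2345 6789 ABCD EF01 2345 6789 ABCD EF01. shop at "
        "exampleonionsite.onion"
    ),
    "market-B/listing-4": (
        "payment to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa only. "
        "questions: builder@example.net"
    ),
    "paste-C/2": "ignore 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb it is a typo",
}

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 40 hex digits, optionally grouped in blocks of four as PGP tools print them.
PGP_FPR = re.compile(r"\b(?:[0-9A-Fa-f]{4} ?){9}[0-9A-Fa-f]{4}\b")
# Legacy (P2PKH / P2SH) Bitcoin addresses: version prefix 1 or 3, Base58 body.
BTC = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# v2 (16 char) and v3 (56 char) onion service hostnames.
ONION = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose trailing 4 bytes equal the first
    4 bytes of double-SHA256 over the leading 21 (version + hash160)."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_ones = len(addr) - len(addr.lstrip("1"))  # each '1' is a 0x00 byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_ones + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_indicators(text: str) -> Dict[str, Set[str]]:
    """Pull normalised indicators out of one post; only indicator kinds that
    were actually found are returned."""
    found = {
        "email": {m.lower() for m in EMAIL.findall(text)},
        "pgp_fingerprint": {m.replace(" ", "").upper() for m in PGP_FPR.findall(text)},
        "onion": set(ONION.findall(text)),
        # Regex candidates are kept only if their Base58Check checksum verifies.
        "btc_address": {m for m in BTC.findall(text) if base58check_valid(m)},
    }
    return {kind: values for kind, values in found.items() if values}


def pivot_index(posts: Dict[str, str]) -> Dict[Tuple[str, str], List[str]]:
    """Map each (kind, value) indicator to the posts it appears in, so shared
    contact points across communities become visible."""
    index: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for post_id, text in posts.items():
        for kind, values in extract_indicators(text).items():
            for value in sorted(values):
                index[(kind, value)].append(post_id)
    return dict(index)


if __name__ == "__main__":
    for key, post_ids in pivot_index(SAMPLE_POSTS).items():
        print(f"{key[0]:16} {key[1]:44} -> {', '.join(post_ids)}")
```

Running the block lists the email address as the one indicator that ties the forum post and the marketplace listing together, while the corrupted address in the paste never enters the index.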

The snapshot example below details how DarkOwl identified and tracked a Portuguese-speaking threat actor involved in mobile device malware development. The lower third of the graphic, consisting of evidence collected from the darknet and DarkOwl Vision, confirmed the suspect’s activities across various underground communities in the darknet, and a leaked IP address provided a potential physical location of João Pessoa, Brazil.

Figure 1: Source DarkOwl Analyst, July 2020

Situational Awareness

Russia’s late February military invasion of Ukraine and its on-going offensive operation were preceded by numerous opportunities for geopolitical situational awareness. Subsequent monitoring of conditions is possible through a surge of new Telegram channels documenting live events ‘on-the-ground’ and conversations between users who have unique perspectives on the conflict.

DarkOwl detected members of popular deep web hacking forums sharing and discussing the leak of large databases containing sensitive Ukrainian citizen data weeks prior to the actual kinetic military activity. Further analysis revealed state-sponsored threat actors from Russia had performed extensive covert cyber campaigns against Ukraine prior to any official military operation, troop or vehicle movement across the border.

Figures 2 and 3: Source DarkOwl Vision
Figure 4: Source DarkOwl Vision
[TRANSLATION OF FIGURE] note: the following contains some explicit language
2022-06-13T19:03:11 user_5290424434 IvanVik32 Ivan wrote: So tear your ass off the soft chair and show me how to fight, and fuck like You know a lot of people.
2022-06-13T19:03:11 user_108696280 minihetman Eugene wrote: What the fuck do you want? Russian dogs have been oculating the Tatar guy’s homeland. What kind of attitude did you expect to downs with automatic machines?
2022-06-13T19:03:14 user_5447249506 Maxim Shaporev wrote: I’ll say it again. I propose to shoot all 2,500 thousand soldiers of the Armed Forces of Ukraine and the Azov battalion who left the Azvostali. Shoot them right on the square in Donetsk.
2022-06-13T19:03:16 user_5121165572 Aristarkh Govnozhuyev wrote: Maybe now is the time to strike at decision-making centers? Gentlemen of the military – how long can this lawlessness be tolerated? Let’s already hit the bank, the rada, the narco-clown palace.
2022-06-13T19:03:17 user_1959717279 DomBaryay Barya Domansky wrote: Zelensky speaks beautifully, so they put him in the presidential post, pouring everything that the United States considers true
2022-06-13T19:03:17 user_5159148675 14415 wrote: The latest reports are just reading how the Donbass is being hammered. Yes, fuck already in Kiev so that everyone shits there
2022-06-13T19:03:18 user_5187443018 My Lord wrote: Well, it’s understandable, but if he’s been yelling for 8 years that he will cut Russians. Well, I’m a Russian. To destroy him, for his words. And I will do it, let it be sure. Their rotten mouth is to blame for everything.
2022-06-13T19:03:21 user_5214651354 Kprr wrote: Just topal asking
2022-06-13T19:03:22 user_1557547863 Miff Junior wrote: Wipe the creatures of the ukrokhokhlyatsky off the face of the earth

Counterterrorism

While the darknet is less active with concerted terrorist-related recruitment, propaganda distribution, and activity from groups like ISIS, there is an increasing volume of lesser-known terrorist cells using the darknet and adjacent platforms like Telegram to communicate and coordinate their attacks. DarkOwl supports collecting content in over 52 languages, and raw data is indexed in the original language of the author because in-platform translation services might corrupt nuances of the original language. The Vision app user interface and API endpoints support in-language search queries and non-English characters.

For example, DarkOwl uncovered documents related to an anti-Israel terrorist group located in Palestine discussing how they and members of Hamas were planning to target military personnel from the Israel Defense Forces (IDF) for digital blackmail and extortion. The group also listed an email address for direct contact and a Bitcoin address for donations to support the group’s cause. (Source: DarkOwl Vision)

Similarly, DarkOwl has also detected online discussions regarding terrorist activity from international groups of concern and their public statements about their involvement in attacks against specific geopolitical targets. 

Figure 5: Source DarkOwl Vision

Counternarcotics

DarkOwl’s aggregated darknet data and near-decade-long historical darknet archives are instrumental in supporting law enforcement drug-related investigations. DarkOwl has identified numerous darknet drug vendors selling illicit drugs, such as opioids, fentanyl, and cocaine, in bulk volumes for resellers on decentralized marketplaces and darknet vendor shops.

We have also identified a recent trend in which many drug vendors advertise on discussion forums and marketplace bulletin boards how to contact them on alternative platforms, e.g. Wickr, WhatsApp, and Telegram, to complete their transactions with increased security and identity protection.

Figure 6: Source DarkOwl Vision

Targeting

DarkOwl’s near-decade-long collection of historical darknet archives enables investigators to successfully uncover the identity of suspects involved in various segments of illicit crime. This includes human trafficking, child exploitation, drug dealing, weapons proliferation, etc.

DarkOwl analysts regularly observe criminals identified by name by other darknet users and security researchers out of revenge or to disrupt the person’s online activities on popular deep web sites like doxbin[.]org. For example, shortly after the invasion of Ukraine, over two dozen members of the Russia-aligned ransomware group Conti/Ryuk – and its closely associated Trickbot malware development partners – were all doxxed.

Figures 7 and 8: Source DarkOwl Vision

Cyber Espionage

Data captured in the DarkOwl Vision database is often used to detect existing cyber espionage activity, and the same data could potentially be leveraged by nation states and intelligence agencies for future cyber espionage campaigns.

In the fallout of the global cyberwar between Ukraine and Russia, hundreds of corporations and government organizations in Russia were targeted and/or compromised by an international army of cyber hacktivists supporting Ukraine. Data leaks from ‘ministerial’ organizations of Russia, e.g. the Ministry of Finance and the Ministry of Foreign Affairs, and from academic and research institutions, such as the Joint Institute of Nuclear Research (JINR) and the Russian Federal Institute of Science, were among the groups targeted. Also included was data from critical infrastructure suppliers of energy, water, and transportation, which can be utilized for future cyber espionage purposes. Key individuals from those organizations and their personal data have also been released, providing opportunities for targeted social engineering attacks to recruit and/or exploit them for political and technical intelligence espionage and critical diplomatic initiatives.

Figure 9: Source DarkOwl Vision

The graphic below contains some of the names of Russian organizations that appeared in leaks released on the darknet from hacktivists supporting Ukraine in the war. You can find the full infographic here.

Figure 10: Source DarkOwl Vision

Domestic Extremism

In recent years the United States has experienced an unprecedented rise in domestic extremism, with members of alt-right paramilitary groups like the Oath Keepers and Proud Boys indicted for leading the insurrection against the US Capitol in an attempt to keep President Trump in office. Many of these groups congregate and collaborate in darknet forums, chatrooms, and Telegram channels. It is well known that deep web imageboards like 8kun are a sanctuary for right-wing conspiracy groups like QAnon to congregate and flourish.

DarkOwl’s darknet data platform allows investigators to monitor for activities from these groups and assist investigations by correlating a suspect’s engagement on social media and anonymous networks. Users of imageboards regularly discuss emotionally charged and controversial topics like assault weapon bans and “replacement theory.”

Figures 11 and 12: Source DarkOwl Vision
Figure 13: Source DarkOwl Vision

Critical Infrastructure Protection

DarkOwl’s darknet data can be utilized for monitoring mentions of the development of malware to target critical infrastructure. This includes tracking the activity of threat actors who specialize in attacks against industrial control systems (ICS). It also can be used to monitor for mentions of specific critical infrastructure targets that threat actors, terrorist groups, and nation-state sponsored actors are intent on conducting cyberattacks against.

DarkOwl detected an offensive cyber group known as the “Jerusalem Electronic Army” (JEA) targeting agricultural water and heating systems in the northern area of “Negev” or the “Gaza Envelope” near Lakish using ICS/Supervisory Control and Data Acquisition (SCADA)-based attacks to poison the region’s water supply.

Another Telegram channel that advertises support for attacks against Israel, and is associated with Team Majhidoon (فريق_مجاهدون) and Team AES (فريق_A-E-S), declared that campaigns to penetrate Israel’s solar energy systems in Tel al-Rabiya were successful.

Figure 14: Source DarkOwl Vision
Figure 15: Source DarkOwl Analyst, JEA Telegram Channel
[IMAGE TRANSLATION]
Place:
Lakish, which is the occupied area of the northern Negev or “the Gaza Envelope”
Target:
Agricultural water and heating systems
The Details:
The high command has published and revealed the degree to which we have penetrated the water and agricultural system. The water temperature increased as did the amount of sodium acid, which can pollute and poison the water and can destroy all agriculture.

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, which allows for simplicity in searching.

Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.

To learn more about darknet use cases and how to apply them to your business, contact us.

Understanding Risk to Corporations and Individuals

August 30, 2022

NEW: Download this report as a PDF.

Risk is a word regularly used across information security circles and CISO agendas. Companies are aggressively attempting to identify and mitigate any cybersecurity risk that could lead to potentially extensive financial and reputational damage, especially from a high-profile cybersecurity attack or data breach. Meanwhile, individual persons also struggle to know how concerned they should be in mitigating their own personal risk for when, not if, their sensitive personal information appears on the deep web and darknet.

In this blog, DarkOwl analysts revisit and review the domain of risk, taking a closer look at the threats corporations and individuals face and how risk is calculated and mitigated. Underground digital communities within hidden and anonymous networks play an integral role in identifying the threats at play, and DarkOwl works alongside its partners to help provide critical monitoring of potential markers of risk using its darknet search platform.

Darknet 101

The darknet is a layer of the internet that was designed specifically for anonymity. It is more difficult to access than the surface web, and is accessible only via special tools and software – specifically browsers and other protocols.

You cannot access the darknet by simply typing a dark web address into your web browser. There are also darknet-adjacent networks, such as instant messaging platforms like Telegram, the deep web, and some high-risk surface websites.

What is Risk and What is the Darknet’s Role in Risk Calculations?

Risk is traditionally thought of as the product of likelihood and severity (the consequence of an outcome); however, in cybersecurity the definition is expanded to also consider intention, or threat.

For example, in a personal risk scenario, one’s leaked credentials (e.g. usernames, e-mail addresses and passwords) might appear in commercial data breach leaks, which poses one degree of risk, but the minute those same credentials appear in conjunction with direct malicious intent to cause financial or direct harm, their personal risk increases dramatically.     

Quick definitions: 

darknet: Also referred to as the “dark web.” A layer of the internet that cannot be accessed by traditional browsers, but requires anonymous proxy networks or infrastructure for access. Tor is the most common.   

deep web: Online content that is not indexed by search engines, such as authentication-protected sites and paste sites; it can best be described as any content on a surface web site that requires authentication.

high-risk surface web: consists of areas of the surface web (or “regular” internet) that have a high degree of overlap with the darknet community. This includes some chan-type imageboards, paste sites, and other select forums.  

For a full list of darknet terms, check out our Glossary.

DarkOwl has observed similar specific targeting frequently in the darknet. The same would be true for the intention of an attack against a corporation or government organization, but this is understandably much harder to quantify.    

The U.S. Department of Homeland Security (DHS) defines risk as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences” such that: likelihood is defined as “the chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies, or probabilities” and consequence is given as “the effect of an event, incident, or occurrence, including human consequence, economic consequence, mission consequence, psychological consequence.”  

The DHS risk assessment model is more simply defined as a function of three variables: threat, vulnerability, and consequence, with full recognition that, in organizational risk calculations, threat includes anything that can cause harm to the organization. That can expand to include threats from natural disasters (wildfire, hurricanes, and earthquakes) or even a significant hardware or backup failure that triggers a disruption in services or production; it is not exclusive to cybersecurity attacks by external malicious entities.

Definition of Risk

There are numerous interpretations, philosophies, and variations on this formula and luckily organizations are given extreme flexibility in conducting internal risk assessments by applying risk models of varying degrees of detail and complexity of threat identification and vulnerabilities – of which cybersecurity has become increasingly critical.  

Threat calculations are often tied to scenarios with likelihoods of occurrence that involve an adversary’s intent, capability, and targeting. When we look at the darknet’s role in risk and threat vectors, especially when considering the risk to a company’s brand or stakeholders, malicious threat actors who conduct operations in the underground (e.g. cybercriminal organizations, nation state actors and proxies, and cyber opportunists) proactively hunt for and attempt to exploit sensitive data for personal financial gain by whatever means possible, often exploiting unpatched vulnerabilities and crafting new exploits in the wild.

DarkOwl analysts also regularly witness critical corporate and personal information actively shared across various underground digital communities in the darknet and deep web, and have categorized the types of vulnerable data at risk accordingly, delineating corporate and individual personal risk while recognizing that the two are intricately interrelated, since humans are one of many risks corporate organizations must consider when calculating their cybersecurity risk. The region where corporate and individual risk overlap is of the most critical consideration, as is the extent and volume of readily available information for threat actors to launch their attacks.

Likewise, the more data a threat actor has accumulated on an individual or a corporation, the higher the risk.

Corporate Risk and Individual Risk Comparison
Figure 1: Visualizing the Threat to Corporations and Individuals 

Corporate Risk and The Darknet

The possibility of a cybersecurity attack against a corporation feeds a number of different corporate risk calculations: the loss of customer data presents a significant risk to a company’s brand, reputation and stakeholders; there’s moderate risk for loss of sales due to counterfeit goods offered on the darknet and direct reputational attacks on discussion forums and social media; there is direct risk via the executives and key leadership of an organization for business e-mail compromise (BEC) phishing attacks or financial extortion through physical threat to executive’s family; and, there is risk to attack via third (and fourth) party vendors and suppliers.  

The consequences of an attack against a corporation can include:  

  1. Unauthorized access to a corporate network
  2. Misuse of information by an authorized user
  3. Loss of access to corporate data (via deletion or encryption)
  4. Disruption of service or productivity
  5. Reputational loss and damage to brand or corporate image

The Risk of Unintentional Data Compromise

While large commercial data leaks receive press coverage, with phrases like “millions of records of user data exposed” there is an unknown number of organizations that have likely secretly dealt with a critical cybersecurity incident without ever disclosing the breach to their customers or users due to the consequences of reduced consumer confidence.  

Extortion-as-a-service is an increasingly successful sector of the underground criminal ecosystem and involves stealing sensitive personal or corporate information and then leveraging unauthorized access to this information to force the victim to pay, essentially blackmailing the victim, in exchange for quasi protection of their data. Threat actors utilize hacking forums and discussion boards across the deep web and darknet to explore potential vulnerabilities, sometimes expressing interest in specific industries, companies, and individuals, then finally sharing or selling the sensitive information they have stolen – resulting in significant reputational and/or financial loss for the victim organization. 

Counterfeiting Risk is Brand Risk

The darknet is home to a lesser-known segment of corporate brand risk with offers of counterfeit goods on darknet markets. The sale of counterfeit physical goods is a persistent and viable market in the underground economy. DarkOwl’s SaaS product suite can be utilized to protect corporate brand reputation and value through automated monitoring and alerting for various forms of brand mentions. In this blog, we discuss this extensively. 

Executives and Key Leadership are Critical Targets

Some criminals utilize traditional open-source intelligence (OSINT) techniques to uncover the names, e-mail addresses and family relationships of an organization’s executives and key leadership to conduct pointed phishing campaigns via e-mail, SMS or traditional in-person and telephone-based social engineering to gain malicious access to a corporate victim’s network.  

Vendors and Other Third Parties Increase Risk

Nation-state actors and cybercriminals are increasingly sophisticated and opportunistic seeking to exploit third and fourth party suppliers and vendors to cause harm against the victim organization. Third parties include any unit an organization works with including but not limited to vendors, such as suppliers and manufacturers, partners, affiliates, distributors, resellers, and agents. Third parties may have access to information such as: corporate sensitive data, financial data, contract terms and pricing, strategic planning data, intellectual property, credential data, personally identifiable information (PII) of customers and employees and protected health information (PHI) and can unknowingly contribute to a threat actor gaining unauthorized access to a corporate network.

While it is not always overtly clear who or what organization a threat actor may be intending as their next target, monitoring the darknet and deep web for mentions of a company’s name, along with the names of its executives and key leadership, and network information such as domains, e-mail and IP addresses, can be a helpful marker for quantifying the potential threat or intent of harm against an organization. DarkOwl’s Score API is one of many potential quantifiable metrics a corporation can use to measure and understand its business risk. Scores can also be utilized for self-risk assessments, as well as brand monitoring and vendor risk management.

Individual Risk and the Darknet

DarkOwl has observed several criminals who specialize in the trade of other critical PII such as national identification numbers, mailing and billing addresses, dates of birth, and social media profiles, and even more concerning financial data such as bank account numbers and credit and debit card numbers along with their card verification values (CVVs), expiration dates, and personal PIN codes.

Individuals are at Risk of Social Engineering

Personal individual risk increases with the extent of the information exposed and where and how it has been distributed. Cybercriminals are increasingly creative in their techniques to gain access to this illicit information with astute social engineering and mass phishing campaigns. Criminals actively seek to obtain an individual’s sensitive personal information necessary for a financial institution’s security verification process, such as one’s mother’s maiden name, historical personal residence and billing addresses, and answers to key security questions, sometimes obtained through links to phishing websites or “fake” copies of popular commercial websites with username and password login form fields, sent through “SMS bomb” or spam e-mail phishing attacks. A popular technique – both discussed openly and with methods traded in underground forums – is sending out fake mobile phone notifications. Spammers text delivery notices via SMS with a link to a phishing URL (often a shortened URL, e.g. “bit.ly”) for companies like DHL or UPS that are designed to harvest the victim’s mobile IP address, IMEI number, mobile phone model and software version, along with sensitive personal information input by the victim while searching for the non-existent package.

The Risk of Password Reuse and Credential Stuffing

Credential stuffing is a widespread technique utilized by cybercriminals to test if historically exposed e-mail address and password combinations are valid logins across multiple commercial websites. Opportunistic cyber criminals automate the testing of large ‘combo lists’ containing compromised e-mail addresses and passwords against commercial websites and, once a successful authentication occurs, readily steal the PII and financial information, often saved, on the e-commerce shopping platform’s user profile.

Circling back to the overlap between individual and corporate risk, credential stuffing using malicious software and botnets affects not only the individuals but also the commercial organizations whose user accounts are surreptitiously accessed, as many immediately assume access was achieved due to vulnerabilities with the commercial service provider’s technical configuration instead of a simple credential stuffing technique conducted en masse. The uncertainty potentially erodes consumer and stakeholder confidence warranting that commercial agencies consider credential stuffing in their internal security frameworks and corporate risk assessments as well.
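The distinguishing signal the paragraphs above describe, one source replaying a combo list against many different accounts with mostly failures, can be picked out of ordinary login logs. The following is an added example (not DarkOwl code); the log line format, the thresholds and the sample lines are constructed assumptions for the illustration.

```python
"""Detect credential-stuffing patterns in web login logs.

Added example, not DarkOwl code.  Credential stuffing shows up as one
source trying many *different* accounts with a high failure ratio, unlike
a brute-force attack that hammers a single account.  The log format,
thresholds and sample lines below are assumptions for this illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Assumed log format: "<iso-timestamp> ip=<addr> user=<login> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    first_seen: datetime
    last_seen: datetime
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts actually entered


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["ip"], m["user"].lower(), m["result"]


def detect_credential_stuffing(lines, min_users=5, min_fail_ratio=0.8):
    """Return {ip: SourceStats} for sources that look like combo-list replay.

    The caller passes a bounded time slice of the log (e.g. the last 10
    minutes); a source is flagged when it has tried at least `min_users`
    distinct accounts and at least `min_fail_ratio` of its attempts failed.
    """
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate junk lines rather than abort the sweep
        ts, ip, user, result = rec
        s = stats.setdefault(ip, SourceStats(first_seen=ts, last_seen=ts))
        s.last_seen = ts
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.successes.add(user)
    return {
        ip: s for ip, s in stats.items()
        if len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio
    }


def accounts_to_reset(hits):
    """Accounts a flagged source logged into: these need a forced password reset."""
    return sorted(u for s in hits.values() for u in s.successes)


# Constructed sample: one stuffing source, one user mistyping a password,
# one normal login, and one junk line.  Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
2022-08-30T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2022-08-30T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2022-08-30T10:00:02Z ip=203.0.113.7 user=carol@example.com result=OK
2022-08-30T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2022-08-30T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2022-08-30T10:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2022-08-30T10:00:05Z ip=203.0.113.7 user=grace@example.com result=FAIL
2022-08-30T10:00:07Z ip=198.51.100.20 user=heidi@example.com result=FAIL
2022-08-30T10:00:09Z ip=198.51.100.20 user=heidi@example.com result=FAIL
2022-08-30T10:00:12Z ip=198.51.100.20 user=heidi@example.com result=OK
2022-08-30T10:01:00Z ip=192.0.2.44 user=ivan@example.com result=OK
this line is not a login record
"""

if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOG.splitlines())
    for ip, s in hits.items():
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} accounts, "
              f"{s.failures} failures, entered {sorted(s.successes)}")
    print("reset:", accounts_to_reset(hits))
```

The single user retrying one account is deliberately not flagged; the point of the distinct-account threshold is to separate list replay from a forgotten password.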

The Risk of Identity Theft and Financial Fraud

While a personal e-mail address or password leak is easily mitigated by using complex passwords and password managers, the greatest threat to an individual is financial fraud and/or personal identity theft. When credit card numbers are leaked in association with this type of account information, they can easily be leveraged to create new illicit accounts or to commit bank fraud. This risk is heightened even further when associated billing information is included, such as a mailing address or the credit card’s CVV number.

Individual Risk Calculations

Ultimately, what does the fact any of your personally identifiable information is on the darknet really mean? Your level of concern is directly correlated to your individual risk and calculating individual risk using information exposed on the darknet is measured by not only the location of and volume of credentials and PII exposed, but also a factor of time – that is, how long the information has been available and the likelihood of exploitation by a malicious actor. Of course, this likelihood of occurrence increases immediately once there is direct intent and targeting of the person either individually or in conjunction with a campaign against a corporation, regardless of what types or volume of personal data is already accessible.

  • E-mail address and password leaks: Individual risk increases slightly with the website where the credentials have been used, i.e. banking application or health portal. Individuals can mitigate risk by using unique, complex passwords and password managers.
  • Personal financial data like credit and debit cards: Individual risk is higher if the card is still in use. Most banks have fraud prevention and do not hold the cardholder responsible for illegal purchases with stolen credit and debit card data.
  • Identity verification information: Individual risk increases with the more sensitive data accessible to a threat actor. For example, if a bank account number along with the full name of the account holder, their physical residential addresses, and other key identity verification information such as their mother’s maiden name, the name of their first dog, and secondary school mascot is obtained, then a threat actor has enough information to impersonate them and take control of the account. Compromise can be mitigated by visiting the bank in person with a form of identification (passport or driver’s license), closing down the compromised account, and opening a new one.
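The factors listed above (data type, where it was seen, how long it has been exposed, whether it is still usable, and direct targeting) can be combined into a simple per-person score. This is an added illustration, not a DarkOwl formula or product; every weight, the one-year credential half-life and the targeting multiplier are assumptions chosen only to show how the factors interact.

```python
"""Score an individual's darknet exposure along the factors named above.

Added example, not a DarkOwl formula or product.  All weights, the one-year
credential half-life and the targeting multiplier are assumed values that
illustrate the reasoning; they are not calibrated.
"""
from dataclasses import dataclass
from datetime import date

# Assumed base severity per exposed data type: identity-verification data
# outranks a live card, which outranks a bare e-mail/password pair.
BASE_WEIGHT = {
    "email_password": 1.0,
    "payment_card": 3.0,
    "identity_verification": 4.0,   # DOB, ID numbers, security-question answers
}
# Assumed weight for where the data was seen: a vendor listing implies active trade.
LOCATION_WEIGHT = {"paste": 1.0, "forum": 1.2, "market_listing": 1.5}


@dataclass
class Exposure:
    kind: str            # key of BASE_WEIGHT
    location: str        # key of LOCATION_WEIGHT
    first_seen: date     # when the record first appeared on the darknet
    mitigated: bool = False   # password rotated, card cancelled, account closed


def exposure_score(e: Exposure, today: date) -> float:
    """Score one record; identity data never goes stale, credentials do."""
    if e.kind not in BASE_WEIGHT or e.location not in LOCATION_WEIGHT:
        raise ValueError(f"unknown exposure: {e}")
    if e.mitigated:
        return 0.0       # the page: a cancelled card or rotated password is moot
    score = BASE_WEIGHT[e.kind] * LOCATION_WEIGHT[e.location]
    if e.kind == "email_password":
        # Credentials go stale as sites force resets: assumed one-year half-life.
        age_years = (today - e.first_seen).days / 365.25
        score *= 0.5 ** age_years
    return score


def individual_risk(exposures, today, targeted=False):
    """Sum per-record scores; observed intent against the person multiplies the total."""
    total = sum(exposure_score(e, today) for e in exposures)
    if targeted:
        total *= 3.0     # assumed multiplier for direct targeting
    return round(total, 2)


def risk_band(score):
    if score >= 10:
        return "critical"
    if score >= 5:
        return "high"
    if score >= 2:
        return "moderate"
    return "low"


# Constructed sample exposures for one person, evaluated on an assumed date.
TODAY = date(2022, 8, 30)
SAMPLE_EXPOSURES = [
    Exposure("email_password", "paste", date(2020, 8, 30)),        # two years old
    Exposure("payment_card", "market_listing", date(2022, 7, 1)),  # live card
    Exposure("identity_verification", "forum", date(2018, 1, 1)),  # never expires
]

if __name__ == "__main__":
    for targeted in (False, True):
        s = individual_risk(SAMPLE_EXPOSURES, TODAY, targeted)
        print(f"targeted={targeted}: score {s} -> {risk_band(s)}")
```

Note how the old credential pair contributes almost nothing while the six-year-old identity data keeps its full weight, and how targeting alone moves the same exposures from "high" to "critical".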

Only an individual can ascertain the degree of personal cybersecurity risk they are comfortable with, given the types of information they have shared publicly and the value they place on their personal information, their individual brand, and digital reputation. In a hyper-connected society that is increasingly reliant on networked digital information systems to function, everyone’s exposure and subsequent risk is increasing to some extent. For some individuals, this risk is gradual and others exponential.

It’s Risky Business Regardless

Threats posed to individuals and corporations from the darknet, where sensitive corporate or personal information is leaked by cybercriminals, are diverse. Criminals employ increasingly sophisticated social engineering and technical attack vectors to pilfer information that could lead to full identity theft for an individual or corporate extortion with multi-billion ransom demands.

While the science of cyber risk calculations is still relatively nascent, the factors and data points outlined above can offer those in charge of assessing and underwriting risk contextual information as it pertains to the deep and dark web. By better understanding how threats manifest in these underground communities, individuals and corporations will be able to more accurately identify indicators of compromise and assess the security posture of their digital footprint. The deep web, anonymous networks, and various chat platforms will continue to be home for trading these commodities of data and DarkOwl will continue to assist its clients and partners to help provide the most comprehensive darknet database necessary for critical monitoring of potential markers of cybersecurity risk to corporations and individuals.

To understand the role darknet data plays in your corporation’s risk posture, contact us.
