Interview with DarkOwl’s Sarah Prime and Alison Halland
August 26, 2022
In honor of Women’s Equality Day this August 26th, DarkOwl looks at workforce equality efforts within the cybersecurity industry and in our company by interviewing our Chief Business Officer, Alison Halland, and Director of Product Technology, Sarah Prime. DarkOwl is committed to building a balanced workforce, and that commitment informs our efforts to create the most effective and talented team possible.
Background and Statistics: Women in Technology
Efforts to change the makeup of cybersecurity, which traditionally has been male dominated, have been embraced across the industry. Companies, organizations, and the government have taken notice. Organizations such as CISA (the Cybersecurity and Infrastructure Security Agency), headed by Jen Easterly, are making efforts not just to hire women but also to highlight and empower them. Women will play an important role in supporting the demands of the industry – which is in dire need of more human resources. In fact, it has been estimated that just this year, the industry would need to grow by 65% to effectively defend organizations’ critical assets.
Despite impressive efforts underway by all types of institutions such as Women in Cybersecurity (WiCyS), there is still a gap. “It’s not just women, but it’s all types of diversity. Whether that’s neurodiversity, diversity of gender identity, of sexual orientation, of race, of national origin,” Easterly said.
A 2021 article published by the U.S. Census Bureau reported that although women make up around half of the U.S. workforce, they comprise only about 27% of STEM workers. However, this is not to say that women are not earning degrees in STEM. A report published in April 2022 claimed that while women earned almost half of the bachelor’s degrees in STEM, there is a large disparity across fields. Women earn the majority of bachelor’s STEM degrees in life sciences, psychology, and the social sciences, but they made up only a little over a quarter in math-intensive fields. However, the number of women holding STEM bachelor’s degrees may be a poor indicator of how many women will end up working in STEM-related industries, because the ISC2 2021 Cybersecurity Workforce report finds that pathways to cybersecurity are changing.
While an IT background is the most common route, a little over half of cybersecurity professionals started outside of IT. 17% transitioned from unrelated career fields, 15% gained access through cybersecurity education, and 15% explored cybersecurity concepts on their own. [Source]
Figure 1: Participants’ Pathways to Cybersecurity Careers [Source]
Interview: Thoughts on Being a Woman in Cybersecurity from Two Members of DarkOwl’s Leadership Team
To commemorate Women’s Equality Day, DarkOwl’s Junior Darknet Analyst and Marketing Contributor Molly Bocock sat down with Sarah Prime, Director of Product Technology, and Alison Halland, Chief Business Officer, for a candid interview about working in the cybersecurity industry.
Editor’s Note: Some content has been edited for length and clarity.
The ISC2 2021 Cybersecurity Workforce report finds that pathways to cybersecurity are changing. An IT background is the most common route, but more than half of cybersecurity professionals started outside of IT. 17% transitioned from unrelated career fields, 15% gained access through cybersecurity education, and 15% explored cybersecurity concepts on their own.
Molly: Tell me about your background and your journey to where you are now – did you know you always wanted to be in cyber?
Sarah: The short answer is no, I had no idea I wanted to be in cyber. I didn’t know what the darknet was when I started working at DarkOwl. I actually started my career in the educational publishing industry. I started developing simulation and e-learning products and found that I really liked it. In my next job I transitioned to developing software products full-time.
Then I moved out to Denver and joined a start-up that was literally working out of a garage and that company had a very innovative idea and needed help building a product that would help their really talented cybersecurity analyst team do more and better work. And ultimately that company became DarkOwl.
That’s how I got here today. 8 years later, I feel like my mission in this world is to help expose what is happening on the darknet so criminals don’t have a place to hide, and to preserve what the darknet is in terms of privacy for people who need it. I do find it a very rewarding industry to be in because it feels like you are contributing in a small way to making the world a better place.
Alison: Like Sarah, I did not think that I was going to end up in cyber. I started my career in finance and was working in Boston for a company that grew exponentially and ended up going public and then the financial crisis hit, so I went back and got my MBA at Dartmouth. After that, I knew I wanted to make an industry change, but I just couldn’t put my finger exactly on what industry I wanted to go to and was conflicted about it. So, I made a geographical change and moved to Denver with the hopes of figuring it out when I got here.
After staying in the financial sector for my first role out here, I then found myself working independently and consulting for security companies with cyber angles. I was really intrigued by the industry, specifically how innovative it was, how fast it was moving, and the different personalities it attracted. I had come from the very traditional finance industry in New England where everyone looked the same and acted the same, and there was a piece of edginess and this “as long as you could cut the mustard” attitude in the cyber space that I thought was really interesting. Lo and behold, I ended up at DarkOwl and have now been in cybersecurity for 6 years.
The same study from ISC2 reported that fewer women (38%) came from an IT background than men (50%). Women have higher rates of entry from self-learning than men (20% vs. 14%) and pursuing cybersecurity education to land a job (20% vs. 13%).
Has working in this field dispelled any misconceptions you had about your own abilities or interests?
Alison: I don’t think so. One thing you learn as you progress in your career is that there is an appetite for all skill sets across almost all industries. My exact skill set definitely doesn’t scream “cyber” in the traditional sense; however, I have been dedicated to learning the space, and there is always the need for clear communication about our technology, defining the strategic directions, contract negotiations, understanding specific clients’ use cases, and the list goes on.
Sarah: Yes – there’s the “hacker in the hoodie” contingent of cyber but there are also so many other opportunities. I am not a hacker in a hoodie. Cyber needs product people, cyber needs marketing people, cyber needs business people, and it’s a really interesting cross-section of backgrounds and I found that community to be really welcoming of different perspectives and ideas and innovation.
Alison: I also think there is this altruistic angle in cyber that feels really good to be a part of, and I don’t know that all industries can say that. Cyber has an appeal and a reputation that is well-deserved in many regards to the innovativeness and by having these incredible products that, like Sarah attests to, can keep us all safer and make sure that we’re doing right by both our clients and our company.
Sarah: It’s less so about what gender you are and more so about what ideas do you bring to the table, and are you doing a cool thing and let me hear about it. I found that to be really supportive and encouraging.
An earlier study by ISC2 found that women in cybersecurity tended to be younger, were more likely to hold post-graduate degrees, and were more motivated to earn certifications and degrees in the field. It also reported that 17% of women said they earned U.S. $50,000 to $99,999, which is 12 percentage points less than men at 29%. They are closer in representation in the $100,000+ range (16% vs. 20% of men). [Source] The more recent study from 2021 noted that participants who had earned at least one cybersecurity certification made about $33,000 more in annual salary than those that hold none.
Can you talk about your professional development? What courses or certifications would you recommend? What advice would you give to a woman who is at the entry-level in the cybersecurity industry?
Sarah: I think that there are a lot of different opportunities within the industry, as we were talking about. Some of my professional development has been around product development and product strategy. I recently completed a course out of Northwestern University around product strategy. Some of the certifications that are more traditional cybersecurity focused that have been really impactful to members of my team have been the Certified Ethical Hacker as well as the OSCP.
Alison: My advice to anyone early in their career would be to ensure that they are thinking about the path they are headed down and to realize that any learning you do in a specific role, whether it’s technical knowledge or business sense, is learning that you can take with you wherever you go. No one can take that learning away from you, and it will only make you stronger as you progress within your career. Lastly, I would remind them that no one cares about your professional development more than yourself – so don’t lose sight of that and ask for what you need/want.
The data from the 2021 Cybersecurity Workforce study from ISC2 suggests that a reliable estimate of women in the cybersecurity workforce globally remains at 25%.
What is it like as a woman working in the cybersecurity industry? Are there any challenges or advantages to working in a male-dominated industry?
Alison: My experience in the cyber industry has been pretty heavily concentrated at DarkOwl. That being said, I feel empowered and enabled here. I think we have a unique scenario where we not only have a lot of females on the payroll, but have females with tenure and historical knowledge, which is invaluable to DarkOwl. I’m really proud of that and I love working internally with everyone, male and female alike. It’s very much a norm at DarkOwl to see females across all departments, but I don’t want to sugar-coat the fact that it’s not like that in the industry at large.
Sarah: I echo that 100 thousand percent. I find myself very fortunate to work at DarkOwl; we work with a lot of smart women, and we have an above-average number of women on staff. Our goal is to have gender equality in terms of our workforce, and we’ve hovered somewhere between 35 and 40 percent. We want to increase it. But absolutely, you see traditional mindsets across this industry, you could see it in larger companies, and you certainly see it in the make-up of executive teams and boards where it’s very male dominated. Sometimes it is very obvious being the only woman in the room.
Alison: Speaking of being the only woman in the room, I was just reminiscing about this year’s Black Hat Conference, which I just returned from. For DarkOwl it entailed three days of back-to-back meetings in our executive suite, and I was the only female in every meeting, both on the DarkOwl side and on the client side.
The good news is that I didn’t feel marginalized in any way, but it does emphasize the reality that there are not a lot of females at the executive level within the cybersecurity industry. So, it’s apparent to me that there is still a huge gap and a lot of work to be done.
Sarah: I had a meeting at a big company in Silicon Valley several years ago when DarkOwl was first starting. I was presenting with our CEO, and we had 20 people in that meeting from the client side. 15 of them were men and they were seated at the front of the room and the 5 women were in the back. The client introduced all of the 15 men by name and then said “and there’s the rest of the staff back there” who were all women.
In some ways experiences like these inspire me to be better, to achieve more, and to work harder because I want to pull someone up. I want to be a model for someone else — that’s really important to me personally. Bringing up people behind me, to reach your hand down and pull someone up. I think that the world is trending in the right direction. It is a great time to be a woman in the cybersecurity industry. Companies want to hire women; companies want to close that gap. There’s immense opportunity in this industry. The industry is focused on it, and there are groups like Women in Cyber doing amazing work to close that gap.
The 2021 study by ISC2 had fewer female participants, because “this year our response base included higher participation of professionals holding formal cybersecurity roles, which are more frequently held by men than women.” Chandra McMahon, who in March 2022 was the only woman to serve as the CISO among the top 10 largest companies nationwide, has said that “Cybersecurity is not well understood as a career or as an opportunity.” Therefore, it seems that how “cybersecurity” is defined can influence how many women are reported to be working in the cybersecurity workforce.
What do we not understand about cybersecurity as a field and its job opportunities? What does cybersecurity mean to you?
Sarah: I think a lot of people think cybersecurity is about pen testing and forensics, and I would say that there are so many more opportunities. There are research and intelligence tracks, there are OSINT tracks, there are darknet tracks, there are social engineering tracks, and there are a lot of different specializations. You can do all of them, you can do any of them. There’s a lot of data science and software and programming work in cybersecurity. It’s a very innovative field and there are a lot of opportunities. Again, it’s not just a hacker in a hoodie in a basement somewhere.
Alison: People sometimes think of “cybersecurity” as something very abstract and high-tech, but I actually think of it as something really familiar that we interact with every day. Cybersecurity impacts every single individual in every single company. There is no one that is above it or beyond it in the modernized world. I think it’s pervasive in a good way. Every company has to think about it. The industry is huge, and it’s experiencing explosive growth in a thousand different directions, so jump on it and find your path!
Sarah: There are so many different paths you can take within cybersecurity. It’s really exciting and from that standpoint really cool. What does cybersecurity mean to me? It’s helping secure the modern world. The way that everyone does business, the way that everyone communicates—all of that is digital, all of that is through computers. For example, the three of us are in different spaces right now. There’s a new way of working and being in the world, and cybersecurity is making that connected, safe, secure, and just helping people to live safely.
Alison: Like Sarah said, there’s so many different avenues you can go in cyber. Whether you’re at a company that is trying to solve a specific cybersecurity gap across multiple industries, or one that provides innovative solutions for the cybersecurity industry itself. Cybersecurity technologies are only going to continue to be more and more necessary, and from that necessity comes innovation – which often attracts great talent.
Figure 2: The Most Important Qualifications for Cybersecurity Professionals (Non-technical Skills and Attributes) [Source]
Alison: Molly, I would ask a question of you. When I was in college, we didn’t even talk about cybersecurity as an industry. What do people think of it coming out of college now? Do they think of cybersecurity in the stereotypical sense, i.e. as a very narrow highly technical field, or do people think of it more broadly, like I do?
Molly: It’s a mix of both. People who are less familiar with STEM in general, I’m thinking of the people who tried to avoid it like the plague since they were young and thought “I hate math, I’m never going there.” They think of cybersecurity as very “hacker in a hoodie.” People who are in business have a broader perspective. They realize the business opportunity; they know that every business has to have different departments like HR, marketing, and sales — they understand that. Younger people are seeing cyber as an opportunity to move into, but they’re still hesitant. People think “oh, I’m not good enough, I’m not there, I don’t have what I need, I’m going to fail there because I didn’t study computer science when I was in undergrad, so I don’t have the hard skills they want.”
Sarah: Yes, and I hope we can change that. As Alison said earlier it’s going to take work to change some things, but I hope we can. I find the most successful people in this industry are multi-disciplinary. They have a lot of skill sets and they have a lot of soft skills. There’s no way you can think like an attacker if you are too narrowly focused. You need critical thinking skills and you need collaboration skills.
Alison: I think that cybersecurity, more so than other industries, is forward-thinking in accepting non-traditional employees. I think the appetite for openness in the cybersecurity industry, and this is just anecdotally, is a little bit wider than in other industries.
Sarah: Attackers work in groups. They are not one person. These big nation-state entities, these big APTs, are collectives. They have multiple skill sets. So the good guys also need to work in teams, to be able to work with other people, and to bring different skills to the table. And those skills are not just math or hard tech skills. It is really about collaborating. The best people are able to work in very out-of-the-box ways.
To bring this back to the point of the interview, I think women have a lot of those traits, culturally. I think that women bring a unique voice to this and can bring their tech skills and some of the other really critical skills like collaboration, like communication, like critical thinking, to the table and be really successful in this field. As long as you are doing good work, there’s room for you in this industry.
Alison: Right, exactly.
Key takeaways from Alison and Sarah’s perspectives:
Anyone who is interested in the cybersecurity industry has a strong chance of being able to find a role that suits them. While companies and institutions are putting more resources towards addressing the gender and representation gaps in cyber, those gaps still exist. Therefore, the company makeup of where you work can have a very real impact on your experience in the field, especially if you are in the minority of the workforce.
As an industry, cybersecurity is forced to embrace change given the nature of the field. Cybersecurity’s openness to innovation makes it more receptive to changes, such as seeing more women in the field, than perhaps other industries are. In the experiences of Alison and Sarah, people are accepted based on the quality of their work, and there is an open invitation to explore new projects and ideas – which are also necessary to evolve with the sophisticated threat actors we face. Individuals should not discount themselves from working in cyber. A wide variety of skill sets are needed to address present and future threats; multi-disciplinary workers have an advantage, and learning opportunities and professional development can always be cultivated – especially when you partner with organizations that prioritize their employees’ growth.
The DarkOwl team is actively tracking the fallout from Russia’s invasion of Ukraine. The effects of the kinetic military operation are causing ripples across the global cyber space, including critical underground ecosystems across the deep and dark net.
18 April 2022 – 01:12 UTC
DDoSecrets Leaks 222GB of Data from Gazregion Collected by Anonymous Hacktivists
Three different hacktivist groups (Anonymous, nb65, and DepaixPorteur) submitted archives consisting of emails and sensitive corporate files from Gazregion, a Russian supplier specializing in gas pipeline construction with direct support to Gazprom.
There have been numerous claims of attacks against Gazprom by Anonymous and other cyber offensive groups since the invasion of Ukraine. nb65 posted to social media that they compromised SSK Gazregion on April 3rd with their version of CONTI ransomware.
18 April 2022 – 01:12 UTC
nb65 Claims Attack Against Russian JSC Bank PSCB with CONTI Ransomware
The hacktivist group Network Battalion 65 claimed they successfully attacked JSC Bank PSCB in Russia and encrypted its network with their version of CONTI ransomware.
The group stated they managed to exfiltrate over 1TB of data including financial statements, tokens, tax forms, client information, and sensitive databases before deleting all backups to prevent data and functionality restoration.
The hacktivists further taunted the bank, stating how grateful they were that it stored so many credentials in Chrome – a browser for which several emergency security patches have recently been released.
We’re very thankful that you store so many credentials in Chrome. Well done. It’s obvious that incident response has started. Good luck getting your data back without us.
15 April 2022 – 21:59 UTC
GhostSec Leaks Data from domain[.]ru Hosting Provider
The hacktivist group GhostSec claimed to have targeted the Russian internet domain registration provider domain[.]ru in a cyberattack. The group managed to exfiltrate over 100MB of data including screenshots of sensitive files and Excel spreadsheet data.
According to the README file in the data leak, during the breach GhostSec identified over 4TB of SQL databases, but in all the excitement the team’s presence was caught by the company’s intrusion detection systems and they were kicked off the network before the SQL data could be harvested.
15 April 2022 – 17:52 UTC
nb65 Confirms Attack on Continent Express; DDoSecrets Leaks 400 GB of Russian Travel Agency’s Data
The attack on a Russian travel agency occurred several days ago and was shortly afterwards confirmed by the organization. DDoSecrets assisted nb65 in leaking over 400GB of sensitive files and databases from the travel agency. The details of the leak have not been confirmed.
15 April 2022 – 14:32 UTC
Anonymous Takes Over Pro-Russian Discord Accounts
Hacktivists from the Anonymous Collective have successfully taken control of several pro-Russian accounts on the chat platform, Discord, and are now using these accounts to circulate pro-Ukrainian messaging. An Anonymous member @v0g3lsec – who has been extremely active in the #opRussia campaign – shared an image of a hacked account where they posted links and information about the information operations group, squad303 to share truths about the invasion via SMS, WhatsApp, and email with random Russian citizens.
14 April 2022 – 20:02 UTC
DDoSecrets Leaks Unprecedented Amount of Email Data from Russian Organizations
In the last three days, DDoSecrets uploaded archives for five (5) different organizations across Russia totaling 1.97 million emails and 2 TB of data.
230,000 emails from the Blagoveshchensk City Administration (Благове́щенск) – 150GB
230,000 emails from the Ministry of Culture of the Russian Federation (Министерство культуры Российской Федерации) responsible for state policy regarding art, cinematography, archives, copyright, cultural heritage, and censorship – 446 GB
250,000 emails from the Department of Education of the Strezhevoy (Стрежево́й) City District Administration – 221GB
495,000 emails from the Russian firm Technotec, which has provided oil and gas field services along with chemical reagents used in oil production and transportation – 440GB
768,000 emails from Gazprom Linde Engineering, which specializes in designing gas and petrochemical processing facilities and oil refineries – 728GB
13 April 2022 – 17:09 UTC
CISA Issues Alert About Destructive Malware Targeting US Critical Infrastructure
A joint advisory issued by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) details how nation-state actors (likely sponsored by the Russian government) have demonstrated the capability to gain full system access to multiple industrial control system (ICS) and affiliated supervisory control and data acquisition (SCADA) devices. The critical alert indicated there is an immediate HIGH cybersecurity risk to critical infrastructure around the US. The devices include:
Schneider Electric programmable logic controllers (PLCs);
OMRON Sysmac NEX PLCs; and
Open Platform Communications Unified Architecture (OPC UA) servers.
ATW | Blue Hornet Announces That They Are a “State-Sponsored” Group
The “GOD” account representing AgainstTheWest (APT49) on the new BreachedForums (with many users from the now officially seized RaidForums) announced moments ago that they are indeed a “state-sponsored” cyber group with “direct instructions to infiltrate, attack and leak the country of China, Russia, Iran, North Korea & Belarus.” The group’s Twitter account was also blocked by Russia’s Kremlin account earlier this week and the notification of this block was included in the post.
There is no way to verify the accuracy of the statement posted and it’s unclear whether or not the group will continue their operations in support of Ukraine.
11 April 2022 – TIME UNKNOWN
CONTI Claims Responsibility for Cyberattack Against German Wind Turbine Company
On the 31st of March, the German wind turbine manufacturer Nordex suffered a significant cyberattack. CONTI has claimed responsibility for the attack (over 10 days later), posting the company’s name to their public-facing Tor service listing victims. We anticipate that sensitive corporate data will be leaked by the RaaS gang shortly.
11 April 2022 – 20:58 UTC
Anonymous Compromises Regional Government of Tver, Russia; Leaks 130,000 Emails from Governor’s Mail Server
Hacktivists from the Anonymous Collective using the monikers DepaixPorteur and wh1t3sh4d0w0x90 have compromised the domain tverreg[.]ru, believed to be associated with the Regional Government of Tver, Russia. Tver is located 110 miles (180 km) northwest of Moscow on the banks of the Volga River. The archive is over 116GB in size and consists of over 130,000 emails exfiltrated from Governor Igor Rudenya’s email system dating from 2016 through 2022. The governor was appointed by President Putin in 2016.
Anonymous shared a leak consisting of Russian regional governors on the darknet on 23 March 2022.
11 April 2022 – 14:35 UTC
Finland Suffers Cyberattack; Announces They Will Expedite Application for NATO Membership
On April 8th, the Finnish government confirmed many of its military, defense, and foreign affairs webservers experienced unsophisticated, yet concerted DDoS attacks likely originating from Russian threat actors. The cyberattacks coincidentally occurred just as Ukraine President Zelenskyy started to address the Finnish Parliament on the status of the war in Ukraine around 10:30 GMT.
On the same day, the Finnish Ministry of Defense confirmed that, hours earlier, a Russian state-owned aircraft had also breached Finland’s airspace off Porvoo in the Gulf of Finland – the first time in over 2 years. The aircraft, an Ilyushin IL-96-300 cargo transport airplane, was traveling east to west and landed in Berlin.
Both Finland and Sweden have signaled they will be submitting applications to join NATO. According to open-source reporting, Finland will likely finalize their application during the month of May in time for a NATO summit scheduled in Madrid, Spain in June.
Kremlin spokesman Dmitry Peskov stated that Russia would have to “rebalance the situation” with its own measures should Sweden and Finland choose to join NATO.
09 April 2022 – 03:39 UTC
ATW | BH Group Leaks Data Stolen from Russian Temporary Work Agency and Recruitment Firm: Rabotut
AgainstTheWest (Blue Hornet) announced on their Telegram channel that they have successfully targeted the domain (rabotut[.]ru) for Rabotut, a “federal scale service” supplier in Russia. According to the threat actor, the archive includes the organization’s entire back-end and front-end source code, API keys, and SSL keys. According to open sources, Rabotut is a temporary workers agency and provides contract employees to a number of critical government and corporate businesses around the country.
Contents of the leak are in the process of verification by DarkOwl analysts.
08 April 2022 – 21:41 UTC
KelvinSecurity Team Targets Russian Cryptocurrency Scam Website: alfa-finrase
KelvinSec released data reportedly from the domain (alfa-finrase[.]com), known for trading in fraud data, e.g. passports, driver’s licenses, and other sensitive PII. The group claims to have exploited the website, shut down a cryptocurrency scam, deleted 400GB from the site’s server, and exposed 1.4GB of customer data from the deep web store.
07 April 2022 – 19:30 UTC
DDoSecrets Leaks Over 400,000 Russian Organization Emails Exfiltrated by Anonymous Operations
The leak site DDoSecrets once again assists the Anonymous hacktivist collective in distributing sensitive data exfiltrated from companies and organizations in Russia. Three archives were leaked – within minutes of each other – for three organizations: Petrofort, Aerogas, and Forest. The data from these corporate email archives date back over decades of commercial activity.
Petrofort: 244GB archive consisting of over 300,000 emails between employees and clients. Petrofort is one of the largest office spaces and business centers in Saint Petersburg.
Aerogas: 145GB archive consisting of over 100,000 emails between employees and clients. Aerogas is an engineering company supporting Russia’s critical oil and gas infrastructure and supports clients such as Rosneft, NOVATEK, Volgagaz and Purneft.
Forest (Форест): 35GB archive consisting of over 37,000 emails between employees and clients. Forest is a Russian logging and wood manufacturing company associated with many high-value construction projects across the country.
A representative from DDoSecrets shared thoughts about the extraordinary volume of leak data coming out of Russia earlier this week in a social media post.
06 April 2022 – 21:42 UTC
Anonymous Claims to Attack Russian MAUK Cinema, Mirkino Belebey
Members of Anonymous using the aliases ShadowS3c and Anonfearless3c have allegedly targeted servers for the Russian cinema and movie theatre Mirkino Belebey (domain: mirkino-belebey[.]ru). The Mirkino theatre is also known as the MAUK Cinema a.k.a. “World of cinema” in the Belebeevsky District of Russia.
The hacktivists have leaked screenshots with credential data from the breached database containing hundreds of usernames, email addresses, and passwords.
This entry will be updated if/when the leak contents can be confirmed.
06 April 2022 – 20:42 UTC
Hajun Project Identifies Russian Soldiers Who Sent Parcels from Belarus Back to Russia
On April 3rd, the Hajun Project published three hours of surveillance camera footage from a CDEK delivery service located in Mazyr, Belarus. The video shows several soldiers from the Russian Armed Forces sending, among other things, items stolen from Ukrainians, during their “special military operation.”
Using leaked personal data available across the darknet and deepweb, the Hajun Project further confirmed the identities of the Russian military consignors and have released the names and phone numbers for at least 50 of the servicemen that sent parcels around the same time as the published camera video.
The Hajun Project maintains a Telegram channel and Twitter account monitoring and tracking the movement of military land and air assets in Belarus.
05 April 2022 – 16:22 UTC
Ukraine’s Defense Intelligence Agency (GURMO) Conducts SCADA Attacks on Gazprom
Due to the sensitivities of on-going military operations, there is limited detail available on the nature of the attack, but it appears that offensive cyber units under the direction of the Main Directorate of Intelligence for the Ministry of Defense of Ukraine conducted SCADA cyberattacks against Gazprom pipelines. The attacks began within 48 hours of a fire at an oil depot in Russia’s Belgorod region last Friday, which Western media reported was the first time Ukrainian helicopters had been spotted going across the border.
The cyberattacks likely triggered an underground gas leak from a highly pressurized gas pipeline in the village of Verkhnevilyuysk; the leak was reported in Russian open sources. Shortly after this, an explosion occurred in a main gas pipeline “Urengoy-Center-2” that civilians captured on Russian social media platform, VK as a large fire occurred in the Lysvensky district of the Kama region near the village of Matveevo.
Over pressurizing gas lines through disrupting infrastructure industrial control systems (ICS) is a documented method for using cyber to cause kinetic damage to pipeline critical infrastructure. The Congressional Research Services detailed such security risks to ICS in their 2021 report.
05 April 2022 – 14:21 UTC
Anonymous Leaks Data from Russian Rations Supplier, Korolevskiy
The company, Korolevskiy (korolevskiy[.]ru), appears to supply Russian companies and organizations with grain, nuts, and confectionery in addition to rations for the military. This cyberattack could impact the availability of some food ingredient supplies, such as sugar, which is already in short supply and skyrocketing in price across the country due to sanctions.
The data leak includes an 82GB archive containing thousands of emails exfiltrated from the company’s mail servers.
05 April 2022 – 12:29 UTC
nb65 Claims to Hack Civilian Travel Service in Retaliation for Bucha Massacre
Anonymous and hacktivists around the world stepped up their offensive against Russia after images of Russian soldiers’ war crimes and atrocities against civilians in Bucha emerged on Monday.
Network Battalion 65 (nb65) reportedly targeted Continent Express (continent[.]ru), a Russia-based travel and supply company, with Conti’s ransomware variant in retaliation for the crimes.
Continent Express is one of the largest travel agencies in Russia and helps arrange tickets and accommodations. As of the time of writing, the public-facing website for continent[.] is operational.
Details of the group’s threatening message posted to social media called out the company’s CEO Stanislav Kostyashkinis in the image below.
“Why, you ask? The answer is simple. We read and watched the coverage of Bucha with horror. The utter lack of humanity in the way Russian soldiers have treated the civilian population of Ukraine left us all in tears. The world has pleaded with your country to put an end to this madness driven by the mind of a cowardly tyrant: your president.”
(Update 6 April 2022) Earlier today, Continent Express posted to their news section of the website acknowledging the cyberattack but stated that important data and booking systems were not affected.
04 April 2022 – 12:29 UTC
DDoSecrets Distributes Data Exfiltrated by nb65 From Russian Broadcasting Company
Earlier in the campaign, nb65 leaked a sample of files and emails from All-Russia’s State Television and Broadcasting Company (VGTRK / ВГТРК). The Russian state-owned broadcaster operates five national TV stations, two international networks, five radio stations, and over 80 regional TV and radio networks and has been heralded as essential for the “security of the state.”
According to former VGTRK employees, Kremlin officials have dictated how the news should be covered, and provided incendiary phrases meant to discredit Ukraine. According to the former employees, editors normally have freedom to make decisions, but “where big politics are concerned, war and peace, he has no freedom.”
The 786 GB archive contains over 900,000 emails and 4,000 files spanning 20 years of operations at the broadcaster.
04 April 2022 – 06:24 UTC
Anonymous Leaks List of Russian Soldiers Deployed in Bucha
Anonymous shared a PDF file containing the identities of the members of Russia’s 64th Motor Rifle Brigade, which was positioned in the Kyiv suburb of Bucha. Since Russia’s withdrawal from the village, the atrocities and war crimes carried out by members of the Brigade have come to light.
The PDF consists of 87 pages detailing the identities of over 1,600 members of the Brigade, including their full name, date of birth, and passport number.
The file most likely originated from the Ukrainian government or intelligence services.
03 April 2022 – 06:16 UTC
Anonymous Shares Data Leaked from Russian Federal Agency for State Property Management
Anonymous shared a single PostgreSQL database, presumably from the domain rosim.gov.ru, containing over 785MB of logged domain Internet activity accessible via the domain user “kluser”. Much of the data is several years old and includes IP addresses, domains, and user agents of site visitors. Without further analysis, the value of leaking this data, other than for psychological operations and information warfare, is unclear.
03 April 2022 – 05:07 UTC
nb65 Claims to Compromise Russian Gas Pipeline Supplier: SSK Gazregion
nb65 shared on social media that they have successfully hacked SSK Gazregion LLC (domain: ssk-gaz.ru) – a prominent natural gas pipeline construction company – with an ‘improved’ version of Conti’s ransomware. They taunted the company’s IT department, claiming that they also deleted all backups and restoring services would be an issue for the department.
They also claim to have exfiltrated 110GB of sensitive files, emails, and company data during the operation and trolled the company further stating it took forever to steal the data with the “chincy ass soviet connection” they were using for Internet connectivity.
“Federal Government: This will stop as soon as you cease all activity in Ukraine. Until then, fuck you. Your President is a coward who sends Russian sons away to die for his own ego. War in Ukraine will gain your country nothing but death and more sanctions. None of your internet facing tech is off limits to us.”
“We won’t stop until you stop.”
03 April 2022 – 04:24 UTC
ATW Release Dox of KILLNET Member
Similar to the personal details shared for various APT cyber groups in China, Russia, and North Korea, ATW targeted the pro-Russian cyber group, KILLNET. They released a dox containing the Russian national’s personal information, his social media, contact information, and familial associations.
KILLNET claimed to launch cyberattacks against Polish government and financial networks in support of Putin’s invasion in Ukraine. Last week, KILLNET also reportedly conducted DDoS attacks against the International Cyber Police agency, CYBERPOL and hacked the ticketing system at Bradley International Airport in Connecticut.
02 April 2022 – 17:28 UTC
Darknet Threat Actor, spectre123 Releases Sensitive Databases for the Indian Government and Military
The threat actor is well-known for targeting governments and defence contractors and has been circulating sensitive government databases for some time. This weekend, they released a “mega leak” of Indian government data in response to the PM Modi administration’s “turning a blind eye to the humanitarian crisis… in Ukraine.”
Over 40 GB of data is included in 11 different archived files and includes classified (up to TOP SECRET) and Confidential government documents from the following sectors: ALISDA, DGAQA, MSQAA, DRDO, DDP, Joint Defence Secretary India, BSF, MOD and the Indian Navy.
“The Indian government has a remarkably twisted propensity towards turning a blind eye to the humanitarian crisis in their own nation and now as well in Ukraine. It continues to do business with Russia and refuses to speak on the war, all in an effort to maintain their shallow political interests. These documents have been released to show that there are consequences for taking such foolish decisions.”
02 April 2022 – 06:13 UTC
ATW | BH Claims to Leak Personal Details of Members of Nation State APT Cyber Groups: APT3, APT40, APT38, & APT28
The AgainstTheWest group continued their offensive against Chinese, North Korean, and Russian nation state cyber groups. Releasing a dox-style text file on Telegram and the deep web forum, breached.co, the ATW group included the names, email addresses, socials and Github accounts, credit card data, front companies, and other identifying information about the group’s participants along with other shocking revelations. Some include:
APT38: China and North Korea have collaboratively had a mole inside the United States Congress since 2011.
APT3: Threat actors are closely aligned with employees from Tencent – the Chinese technological giant behind WeChat and QQ.
APT38/APT3: The alias “ph4nt0m” appears in information for both groups and is believed to be affiliated with APT17 from China.
APT40: Threat actors are randomly connected to employees of ByteDance, the parent company for TikTok.
We are unfortunately unable to corroborate the veracity of the information shared by ATW (Blue Hornet).
Anonymous shared another large archive of data stolen from a prominent Russian defense manufacturing facility. The archive is nearly 27GB total and consists of company emails and sensitive documents.
Russia’s “Lipetsk Mechanical Plant” produces several defense products for the Russian military and industrial defense complex. Today, the plant is one of the leading and main manufacturers of modernized self-propelled tractors for S-300V4 anti-aircraft missile systems in Russia. The S-300 is one of Russia’s premier air-defense platforms.
01 April 2022 – 16:00 UTC
Anonymous Leaks Multiple Data Archives From Critical Moscow-Based Organizations
Coordinating today through DDoSecrets on distribution, Anonymous shared several highly significant archives, consisting of over 500GB total of emails, files, and databases from critical Russian organizations with close ties to the Russian government.
Department for Church Charity and Social Service of the Russian Orthodox Church: Database containing 57,500 emails from the Russian Orthodox Church’s charitable wing.
Capital Legal Services: 200,000 emails exfiltrated from a prominent Russian law firm; an additional 89,000 emails are located in a “Purges” mailbox, consisting largely of bounced email notifications, cron jobs and other server notifications.
Mosekspertiza: Three archives consisting of a) 150,000 emails, b) 8,200 files and c) multiple databases, totalling over 400GB of data. Mosekspertiza is a state-owned company set up by the Moscow Chamber of Commerce to provide expert services and consultations to Russian businesses.
1 April 2022 – 08:56 UTC
GhostSec Wreaks Additional Havoc on Alibaba
After ATW attacked Alibaba Cloud days before, Ghost Security has allegedly hacked and deleted the ElasticSearch service database of Alibaba’s UAE branch. They included a link to the database extracted from the company on their Telegram channel.
“We have also deleted everything and even cleared the backups so there is no recovery, and we left a little celebration from us <3”
31 March 2022 – TIME UNKNOWN
German Wind Turbine Company Impacted by Cyberattack
The German wind turbine manufacturer Nordex – with over $6 billion in global sales – faced a cyberattack that incident responders caught “in the early stages.” The attack is likely retaliation for Germany pausing the Nord Stream 2 natural gas pipeline deal with Russia.
“Customers, employees, and other stakeholders may be affected by the shutdown of several IT systems. The Nordex Group will provide further updates when more information is available.”
In the early days of the cyberwar, a cyberattack on the satellite communications company Viasat caused 5,800 Enercon wind turbines in Germany to malfunction.
31 March 2022 – 19:43 UTC
Anonymous Leaks 62,000 Emails from Moscow-Based Marathon Group
Anonymous again targets associates of those closest to Putin, launching recent cyberattacks against Marathon Group. The Marathon Group is an investment firm owned by Alexander Vinokurov. Vinokurov is the son-in-law of Russian Foreign Minister Sergei Lavrov and is under heavy EU sanctions for providing financial support to Russia. The leaked archive is over 51GB in size and is being distributed via DDoSecrets.
31 March 2022 – 14:31 UTC
Ukraine Government Sets Up Website for Whistleblower Reporting
The Ukrainian Prosecutor General’s Office, in coordination with the National Agency on Corruption Prevention and Task Force Ukraine, deployed the Whistleblower Portal on the Assets of Persons Involved in the Russian Aggression against Ukraine. The website is set up to provide a secure and anonymous method for submitting tips and evidence of corruption or any activities causing national harm. The website will ideally help in the “tracing, freezing, and confiscating of assets of those involved in Russia’s War Crimes.”
Many OSINT sleuths have identified Russian oligarchs’ and government officials’ assets, like super yachts parked in international ports, and submitted photographs via posts on social media. This website could be used to officially report supporting information leading to the seizure of those assets, or other correlative intelligence obtained through leaks shared by Anonymous.
30 March 2022 – 22:09 UTC
Database Containing the PII of 56 Million Ukrainian Citizens Leaked on Deep Web
A user on the forum breached.co leaked an archive containing the personal identification information of over 56 million citizens of Ukraine. The database includes the full name, date of birth, and address of each individual. The origin of the data is unclear. Members of the forum stated it came from the Ukrainian Tax Service and could date back to 2018.
30 March 2022 – 21:53 UTC
ATW Continues Offensive Against China, Leaks Alibaba Cloud & Ministry of Justice of PRC Data
The AgainstTheWest/Blue Hornet group have ramped up their attacks against Chinese targets and leaked the largest archive they have exfiltrated to date. ATW successfully breached the e-commerce company Alibaba and have dropped a 30GB archive consisting of Alibaba’s cloud endpoint environment, source code, and customer data. They also released a smaller database obtained from the Ministry of Justice of the People’s Republic of China. Both were shared to the deep web forum, breached.co.
30 March 2022 – 19:49 UTC
Anonymous Continues to Encourage SCADA Attacks; Leaks Default Credentials for COTS Hardware Suppliers
Members of the Anonymous Collective circulate spreadsheets and websites containing the default factory credentials for most commercial-off-the-shelf (COTS) vendor hardware. Such hardware is often deployed in industrial control systems (ICS) and is frequently exploited in SCADA-based cyberattacks.
One list includes 138 unique products from manufacturers such as Emerson, General Electric, Hirschmann, and Schneider Electric, accompanied by default factory settings such as username “admin” and password “default”. Another resource is a surface web website (intentionally not included but available upon request) which lists 531 vendors and over 2,100 passwords shipped with hardware from the factory.
Sadly, most companies keep the default passwords after installation and do not bother to update them to a more robust credential security standard.
30 March 2022 – 18:19 UTC
Anonymous Leaks 5,500 Emails Stolen from Thozis Corporation
Anonymous successfully attacked Thozis Corporation – a Russian investment firm with links to Zakhar Smushkin of St. Petersburg. According to the Panama Papers, the company is registered in the British Virgin Islands. The firm is allegedly involved in one of the largest development projects in Russia, including a project to build a satellite city within St. Petersburg.
The trove of leaked emails likely includes sensitive documents and agreements between the Russian government, its societal elite, and other international entities.
DDoSecrets assisted in the publication of the 5.9GB archive obtained by Anonymous.
30 March 2022 – 17:55 UTC
GhostSec Leaks Shambala Casino Network Data
GhostSec claimed a few days ago they had successfully attacked a prominent casino operator in Russia, known as Shambala.
The hacktivist group targeted the casino as they believed members of the Russian government used Russian casinos to move cash into different currencies besides the Ruble. At least 27 computers were reportedly compromised, data exfiltrated, systems locked, and files erased.
29 March 2022 – 06:12 UTC
Russian Aviation Sector Suffers Additional IT Operational Impacts
A post shared on the Russian Telegram channel Авиаторщина indicates that the Russian aviation industry will face additional impacts to its IT support with the withdrawal of the Swiss-based company SITA as of 29 March.
According to the Telegram post, SITA shutting down their operations will impact numerous systems utilized by the aviation industry and airlines across Russia.
[translated]
“Products for pilots such as AIRCOM Datalink, AIRCOM FlightMessenger, AIRCOM FlightTracker, and AIRCOM Flight Planning services will no longer be available. Such software is utilized by airlines and flight crews to plan, perform aeronautical calculations and track flights, and more accurately calculate remaining fuel, flight time, etc.”
The company – choosing to withdraw from operating in Russia due to Putin’s invasion – suffered a significant cyberattack on 24 February, the same day as the invasion of Ukraine, resulting in the compromise of passenger data stored on their SITA Passenger Service System (US) Inc. servers. SITA supports numerous international air carriers.
This announcement comes within days of the cyberattack against Rosaviatsiya (see below), Russia’s Federal Air Transport Authority.
(Update 30 March – 23:42 UTC) No alias associated with Anonymous has claimed credit for the 28 March cyberattacks against Rosaviatsiya, which resulted in 65TB of lost agency data. Interestingly, new Anonymous groups have only recently joined the campaign, including RedCult, increasing the likelihood that widespread industry sector attacks will continue across Russia.
28 March 2022 – 18:23 UTC
nb65 Claims to Hack JSC Mosexpertiza; Steals 450GB of Sensitive Data
In a social media post, nb65 hacktivist group claims they compromised Joint Stock Company (JSC) Mosexpertiza, Moscow’s independent center for expertise and certifications, via the domain mosekspertiza.ru.
They also claim to have infected the domain with none other than Conti’s “crypto-locking ransomware variant”, released earlier this month in the opRussia campaign. In the process of hacking the network, nb65 also exfiltrated 450GB of emails, internal documents, and financial data.
28 March 2022 – 17:07 UTC
Anonymous Leaks 140,000 Emails from Russian Oil & Gas Company, MashOil
Distributed via DDoSecrets, the Anonymous hacktivist collective recently targeted MashOil, releasing over 140,000 sensitive corporate emails from the company.
Moscow-based MashOil manufactures equipment for hydraulic fracturing and enhanced oil recovery (EOR); injection, nitrogen and cementing equipment; top drive mobile drilling rigs; directional drilling equipment; and ejector well clean-up.
Anonymous continues to target companies in Russia and any companies that continue to contribute to economic and financial viability for the Russian Federation.
28 March 2022 – 12:41 UTC
Anonymous Leaks Russian Document Ordering Propaganda Video Development
Knowing propaganda is widely circulated by both Ukrainian and Russian affiliated organizations, Anonymous has leaked an official Russian document, titled “On holding informational events on the Internet”, dated 21 March 2022, stating this was an official “order issued” by the Russian government to develop videos to discredit the Ukrainian military and their treatment of prisoners of war (POWs). The order was signed by the “Temporary Minister of Defense of the Russian Federation”, Dmitry Bulgakov and decrees:
Develop and distribute a series of video materials demonstrating the inhuman behavior of the military personnel of the Armed Forces of Ukraine and nationalist formations on the territory of Ukraine in relation to prisoners who showed a voluntary desire to surrender
Develop and distribute sermographic materials, evidence of the use of briefings by captured military personnel of the Armed Forces of the Russian Federation during the filming
Provide informational support for materials in the comments, the main argument is the violation of the Geneva Convention on the Treatment of Prisoners
To impose control over the implementation of this order on the head of the Information Warfare and Disguise Department of the Ministry of Defense of the Russian Federation
(UPDATE 29 March 2022 – 20:56 UTC) DarkOwl advises that recent open source intelligence research suggests this letter could be fake and disseminated as part of an information operations campaign. Researchers caught signature mismatches for the Russian official, Bulgakov. Such data is a reality in the fog of asymmetric warfare.
The Ukrainian Military Intelligence Agency of the Ministry of Defence of Ukraine, known simply as Defence Intelligence of Ukraine or GUR, has leaked the identities of over 600 Russian FSB spies. The database includes the agents’ full names, dates of birth, passport numbers, passport dates of issue, registration addresses, as well as other identifying markers for the FSB employees.
Many of these agents may be conducting covert operations around the world and leaking their identities may compromise the success of their operations.
28 March 2022 – 11:05 UTC
ATW (BH) Targets Chinese Companies and Government Organizations
After a brief vacation announced on 23 March, the AgainstTheWest (Blue_Hornet) group returns with concerted attacks against a number of Chinese companies and government organizations. The group claims they successfully attacked the following:
The group also referenced a supply-chain software dependency attack, via a poisoned burgeon-r3 NPM package.
Shortly after the announcement and initial round of leaks, the group also released source code affiliated with China Guangfa Bank, along with associated Maven releases. The group also claims to have breached the Chinese social messaging platform, WeChat.
We are still evaluating the data and determining the specific types of data compromised and released.
28 March 2022 – 03:22 UTC
Russian Federal Air Transport Agency, Rosaviatsiya Confirms CyberAttack; 65TB of Data Erased
The civil aviation agency Rosaviatsiya, responsible for air cargo transportation, confirmed in a letter shared on the Russian Telegram channel Авиаторщина that their website domain favt.ru had been offline since Saturday due to a significant cyberattack. The attacks severely impacted their ability to plan and conduct flight operations, and the agency had resorted to pen-and-paper-based operations in the interim.
The notice stated that over 65TB of emails, files and critical documents had been allegedly erased along with the registry of aircraft and aviation personnel. There were no systems backups to restore from because according to the agency spokesperson, the Ministry of Finance had not allocated funds to purchase backups.
“All incoming and outgoing emails for 1.5 years have been lost. We don’t know how to work…”
“The attack occurred due to poor-quality performance of contractual obligations on the part of the company LLC ‘InfAvia’, which carries out the operation of the IT infrastructure of the Federal Air Transport Agency.”
27 March 2022 – 20:44 UTC
Anonymous Leaks 2.4GB of Emails from Russian Construction Company, RostProekt
Over the weekend, DDoSecrets helped Anonymous distribute over 2 gigabytes of sensitive company emails exfiltrated by breaching a prominent Russian construction company, RostProekt (in Russian: РостПроект). The company primarily operates in Russia, with the head office in Moscow Oblast. RostProekt is a primary contributor to Russia’s lumber and other construction materials merchant wholesalers sector. The breach may impact construction projects in the country.
As of time of writing, the website for the company is online.
25 March 2022 – 20:36 UTC
nb65 Leaks Sample Internal Data from the All-Russian State Television and Radio Broadcasting Company (VGTRK)
The nb65 hacktivist team targeted and released data affiliated with a state-sponsored propaganda broadcasting company of the Russian Federation, VGTRK. The All-Russia State Television and Radio Broadcasting Company, also known as Russian Television and Radio (native: Всероссийская государственная телевизионная и радиовещательная компания) owns and operates five national television stations, two international networks, five radio stations, and over 80 regional TV and radio networks. It also runs the information agency Rossiya Segodnya.
nb65 claims they have successfully compromised the organization’s network and exfiltrated over 750GB of data, much of which consists of employee email (.pst) files from the company’s email network. The group claims to be ‘watching’ for their ‘eventual incident response.’
The group continued to troll the organization…
“Your blue team kinda sucks. Hard to find good IT help when all your techies are fleeing the country, eh?”
25 March 2022 – 18:36 UTC
Anonymous Releases Files Exfiltrated from the Central Bank of Russia
Anonymous has released data the hacktivists collected while conducting attacks against the Central Bank of Russia. The archive, broken up into 10 separate parts consists of over 25GB of archived data consisting of over 35,000 files of sensitive bank data. Earlier in the campaign, we observed several posts containing targeting information, e.g. domains, IP addresses, etc for the bank on the deep web.
24 March 2022 – 20:49 UTC
GNG Claims to Hack Russian Mail Server, mail.ru
Georgia’s Society of Hackers (GNG) announced today that they successfully attacked Russia’s equivalent to Gmail, mail.ru, including its maps.mail.ru subdomain. The hacktivist group is in the process of exfiltrating the data and will provide the detailed data dump in the next few days.
As of time of writing this, the maps.mail.ru website is online and operational.
24 March 2022 – 14:11 UTC
Anonymous Shares Proof of Hacked ATMs in Russia
Earlier today, users at what appears to be a Sberbank ATM reportedly located in Russia experienced technical errors when selecting the Russian language on the screen. Upon selection, the ATM monitor quickly flashes to the Ukrainian flag and the words Glory to Ukraine (Слава Україні!). See the captured video here.
ATM malware is widely circulated on the darknet and used extensively in the fraud and financial crime communities.
24 March 2022 – 10:43 UTC
Pro-Russian Killnet Launches Anonymous-Style Campaign Against Ukraine – Targets Poland and NATO
The pro-Russian cyber threat actor group, Killnet have been conducting attacks against Ukraine for several weeks and have stepped up their demands and threats against Ukraine and western Europe. Today, they released a video on social media, mirroring the ominous messaging of an Anonymous-style video with the Russian flag in the background. During the video, the group stated they would attack targets in Poland for their assistance to the Ukrainian government during the invasion. They recently also posted specific targeting information for the National Bank of Poland on their Telegram channel.
“…together with the Russian cyber army, we disabled 57 state websites of the Kiev regime, 19 websites of nationalist parties…”
The group also referred to the Colonial Pipeline attack in the US from May 2021.
[translated] “Let’s remember American gas company attack, which resulted in 40% paralyzed infrastructure of America for few days.”
23 March 2022 – 16:45 UTC
AnonGhost Claims to Hack Russian Street Lighting System and Drops Proofs of Access to Moxa Industrial Wireless Networking Infrastructure
AnonGhost, known for their attacks against industrial control systems, continued their campaign against Russia by targeting the МонтажРегионСтрой г. Рязань street light control system. They stated they successfully shut off the street lights at 19:35 Moscow time and it was a “gorgeous show.”
Shortly before announcing the breach of the lighting control panel, AnonGhost also provided proof of access to Moxa (moxa.com) industrial networking devices. They leaked proof of access to router information for an industrial wireless Moxa device, its associated OnCell specifications, along with defacement of the device’s name, description, and login message.
In addition to the proofs they linked to a pastebin file containing over 100 Russian Moxa IP addresses for additional targeting.
It’s unclear where the Moxa device compromise is physically located or whether the Moxa compromise provides direct access to the streetlight control system.
23 March 2022 – 02:44 UTC
BeeHive Cybersecurity Claims They Are Running Ransomware Campaigns Against Russian Targets
Previously thought to only hijack Discord users and troll pro-Russian ‘hackers’ like @a_lead_1, BeeHive Cybersecurity claims they have been quiet because they are running ransomware operations against targets across Russia.
“Oh, in case you guys were curious why we’ve been so quiet. May or may not have a new #ransomware operation running in Ru right now. Alas, we find allies quicker than Putin finds ways to invade Ukraine. We’ll have more details soon but…consider this the public disclosure.”
This would not be the first Russia-specific ransomware variant to emerge. According to Trend Micro, RURansom was detected targeting Russia-specific devices, using AES-CBC encryption with a hard-coded salt. Another recently detected ransomware variant, known as “Antiwar”, appends the file extension “putinwillburninhell” to encrypted files.
22 March 2022 – 19:14 UTC
ATW (Blue Hornet) Compromises Russia’s Hydrometeorology and Environmental Monitoring Service with Bitbucket
The AgainstTheWest / Blue Hornet team has recently leaked several internal documents from Russia’s Hydrometeorology and Environmental Monitoring service (spelled by the threat actors as ROSHYDRO). According to open sources, the monitoring service is hosted on the meteorf.ru domain. The data leak consists of 45 PDF files containing historical software change descriptions and feature requests from the company’s internal software development tracking system. ATW refers to a superadmin account for the GIS FEB RAS Team on Bitbucket in the leak.
21 March 2022 – 22:44 UTC
ATW Returns to Campaign with Attacks Against Almaz-Antey
After a disruption in the ATW team’s cyber activities due to personal issues, the ATW/Blue Hornet team returns leaking a 9GB archive of data allegedly exfiltrated by breaching Almaz-Antey’s corporate networks. The data leak includes employee login data, multiple documents containing PII, confidential and classified intellectual property, schematics, and SQL database files.
Almaz-Antey (Russian: ОАО “Концерн ВКО “Алмаз-Антей”) is one of Russia’s largest defense and arms enterprises, known for the development of Russian anti-aircraft defense systems, cruise missiles, radar systems, artillery shells, and UAVs.
Hacktivists from the Anonymous collective have leaked data exfiltrated from Naumen, a software vendor and cloud services provider in Moscow. The company markets itself as “world class IT solutions fully adapted to the Russian market” and lists several prominent international companies as partners. The leaked data consists of an SQL database containing thousands of usernames, email addresses, hashed passwords, and associated PII. The specific purpose and origins of the database from inside Naumen is unclear, but partner companies could experience supply chain / vendor risk issues.
21 March 2022 – 03:27 UTC
KelvinSec Targets Nestle for Continued Commercial Operations in Russia
The KelvinSec ‘hacking’ team has reportedly compromised Nestle in retaliation for the company continuing to operate and distribute its products in Russia. The group leaked multiple databases from Nestle consisting of customer entity data, orders, payment information, and passwords (10GB total). The group insisted it is a “partial” database leak and more data may be released in the future.
Nestle defended its business decision after President Zelenskyy called the company out to protestors on Saturday night in Bern, Switzerland.
(Update 3/22 – 01:48 UTC) Anonymous issues a warning and gives a number of US companies 48 hours’ notice to pull out of Russia or become targets of the #opRussia cyber offensive campaign. Example corporations include: Subway, Chevron, General Mills, Burger King, Citrix, and Cloudflare.
20 March 2022 – 23:33 UTC
Anonymous Compromises Russian Social Media VK to Send Message to Millions
Anonymous accessed VK’s messaging platform and sent direct messages to over 12 million Russian users of the social media app. The message, written in Russian, speaks to the realities of the war in Ukraine and the demise of the Russian economy, and threatens that users displaying the Russian “Z” insignia as their profile avatar will be targeted by international authorities.
VK users have shared proof of the messages they received, confirming that the campaign on VK occurred.
20 March 2022 – 15:32 UTC
GhostSec Leaks Military Asset Monitoring System and More from Russian Networks
The leak includes data exfiltrated from a military operational readiness monitoring website (orf-monitor.com), including inventory tracking of key Russian military assets; a leak from a Russian investment company that includes recent Chinese contract data; and lastly, technical data leaks from the Russian defense contractor Kronshtadt, which include computational specifications related to its UAVs along with military operational doctrine, etc.
GhostSec teased on their Telegram channel they had more data coming and this archive they were sharing was a sample of a much bigger dataset.
20 March 2022 – 13:40 UTC
Honest Railworkers in Belarus Help Stop Lines Going to Ukraine
According to open source reporting and the hacktivist group known as Cyber Partisans, the railways going out of Belarus into Ukraine have stopped. Earlier in the campaign, Cyber Partisans disrupted rail operations in Belarus using cyber attacks against ticketing systems and switching systems; however, others report that the rails are inoperable due to “honest railworkers” who do not want to see Belarus military equipment transported into Ukraine for use in this war. (Source)
“I recently appealed to Belarusian railway workers not to carry out criminal orders and not transport Russian military forces in the direction of Ukraine. At the present moment, I can say that there is no railway connection between Ukraine and Belarus. I cannot discuss details, but I am grateful to Belarus’s railway workers for what they are doing” – Oleksandr Kamyshin, director of the Ukrzaliznytsya state railroad
20 March 2022 – 10:28 UTC
Arvin Club Takes Down STORMOUS Ransomware’s Tor Onion Service
Shortly after the STORMOUS ransomware gang set up a Tor onion service, the Arvin Club ransomware group compromised the site and leaked its SQL databases, including the information and performance schemas. It’s unclear whether this attack was motivated by STORMOUS’s Russian allegiance or whether Arvin merely wanted to teach the cyber criminals a lesson in setting up secure sites on the darknet.
The STORMOUS ransomware group had previously operated only on Telegram.
(UPDATE) As of 3/22 the Tor service is still offline.
20 March 2022 – 02:18 UTC
Anonymous Leaks Database from Russian Aerospace Company Utair
Hacktivists from the Anonymous collective have released the customer database of Russia’s Utair airline (Russian: ОАО «Авиакомпания «ЮТэйр»). The JSON database appears to have been collected long before the 2022 #opRussia campaign, as the MongoDB dump is dated 2019. It contains records with personal data for over 530,000 clients of Utair’s services.
18 March 2022 – 21:29 UTC
nB65 Leaks Data from Russian Space Agency
After a disappointing trolling exercise against Kaspersky, the nb65 hacktivist group returns with data leaks from Russia’s space agency, Roscosmos. The group claims it still has persistent access to the agency’s vehicle management system and leaked the IP address of the compromised network to prove its access. The leaked data archive consists of over 360MB of user and operations manuals, along with solar observatory logs.
Hours earlier, the group also claimed to have compromised tensor.ru and leaked 1.6GB of compromised emails from a corporate mailbox of the Russian digital signature company.
18 March 2022 – 15:39 UTC
Russia Targets Ukraine Red Cross Website in Cyber Attack
The Ukrainian Red Cross reported that its web servers had been hacked, likely by pro-Russian cyber threat actors. The website domain – redcross.org.ua – is currently offline with the statement “account disabled by administrator.”
The social media account for the Ukrainian Red Cross stated that no personal data of beneficiaries stored on the website was compromised by the cyber attack.
Ukrainian Red Cross staff and volunteers are busy actively providing medical aid and support to vulnerable and wounded Ukrainian civilians across the country as the Russian military continues its barrage of cruise missile strikes.
17 March 2022 – 11:43 UTC
AnonGhost Leaks Screenshots of GNSS Satellite Hacks Along with IP Addresses
AnonGhost shared several screenshots as proof of attacks they conducted against Russia’s Trimble GNSS satellite interface. They claimed on social media that other “fake Anonymous” accounts had taken credit for the operation. They also leaked 48 unique IP addresses associated with the GNSS satellite systems. The group did not specify the nature of the attacks against the Russian assets.
17 March 2022 – 09:23 UTC
Anonymous Claims to Have Located Putin’s Bunker
Using OSINT analysis involving satellite imagery, topography, and landmark comparisons such as rivers and power plants, the Anonymous community claims to have located President Putin’s bunker. There is no means to verify the accuracy of these assertions.
cred: @paaja6 & @IamMrGrey2
17 March 2022 – 03:58 UTC
Anonymous Leaks 79 GBs of Emails from R&D Department of Transneft – OMEGA
DDoSecrets released the data on behalf of Anonymous hackers operating in cyber campaigns against Russia. Anonymous compromised email inboxes of OMEGA Company, the R&D arm of Russia’s state-controlled pipeline company Transneft [Транснефть]. Transneft is the world’s largest oil pipeline company, with over 70,000 kilometres (43,000 miles) of trunk pipelines, and transports an estimated 80% of the oil and 30% of the oil products produced in Russia. The emails cover the accounts’ most recent activity, including after the introduction of US sanctions on February 25, 2022. Some of the emails reflect the effects of those sanctions.
16 March 2022 – 10:47 UTC
Russian Foreign Intelligence Service (SVR) Requests Information via Tor
Russia’s external intelligence agency has issued instructions on how to establish secure communications via its Virtual Reception System (VRS) to relay any threats to the Russian Federation. The call for leads, found on svr.gov.ru, details how to install the Tor anonymity network, gives the v3 .onion address of the agency’s secure communications system, and advises informants to use PGP to further encrypt the details of any messages provided.
“If you are outside Russia and have important information regarding urgent threats to the security of the Russian Federation, you can safely and anonymously share it with us via the virtual reception system (VRS) of the SVR over the TOR network.”
If you are in a hostile environment and/or have reasons to worry about your security, do not use a device (smartphone, computer) registered to you or associated in any way with you or people from your personal settings for network access. Relate the importance of information you want to send us with the security measures you are taking to protect yourself!
15 March 2022 – 11:48 UTC
Pro-Russian Group Xaknet Threatens to Attack Critical Infrastructure Information Centers
“We cannot endlessly give you ‘lessons of politeness.’ We demand the cessation of hacker attacks against Russian infrastructures, we demand the cessation of the activities of information centers for the dissemination of fakes.
In case of refusal, we will be forced to use the most sophisticated methods, and reserve the right to act as the enemy does. Critical information infrastructure facilities will become a priority target for the group. All work will be aimed at the complete destabilization of the activities of the aforementioned CIIs.”
It’s unclear from the threats which specific websites or services the cyber threat group considers critical information infrastructure services. The IT Army of Ukraine’s extensive information operations are spread across nearly all social media platforms and communication mediums in Russia.
15 March 2022 – 07:19 UTC
User on Telegram Leaks New Letter from FSB
A user on a pro-Ukrainian Telegram channel (name redacted) has released a new letter, reportedly from an FSB agent, translated into English.
The temperature has really risen here, it’s hot and uncomfortable. I won’t be able to communicate for some time here in the future. I hope we can chat normally again in a few days. There are a lot of things that I have to share with you… The questions are raised by the FSO (Federal Protective Service of the Russian Federation, aka Putin’s Praetorian Guard) and the DKVR (Russian Military Counterintelligence Department). It is precisely the DKVR that is mounted on horseback and is looking for “moles” and traitors here (FSB) and in the Genstaff (General Staff of the Armed Forces of the Russian Federation) regarding leaks of Russian column movements in Ukraine. Now the task of each structure is to transfer the fault to others and to make the guilt of others more visible. Almost all members of the FSB are busy with this task at the moment.
The focus is on us more than others at the moment, due to the hellish circumstances regarding the intra-political situation in Ukraine: We (the FSB) have released reports that at least 2,000 trained civilians in every major city of Ukraine were ready to overthrow Zelensky (President of Ukraine). And that at least 5,000 civilians were ready to come out with flags against Zelensky at the call of Russia. You want to laugh? We (FSB) were supposed to be the judges to crown Ukrainian politicians who were supposed to start tearing each other apart arguing for the right to be called “Russia’s allies.” We even set criteria on how to select the brightest of the most competent (among Ukrainian politicians). Of course, some concerns have been raised about the possibility that we may not be able to attract a large number of people (Ukrainian politicians) to Western Ukraine, to small towns and to Lvov itself. What do we actually have? Berdyansk, Kherson, Mariupol, Kharkiv are the most populated pro-Russian areas (and there is no support for Russia even there). A plan can fall apart, a plan can be wrong. A plan can give a result of 90%, even 50%, or 10%. And that would be a total failure. Here it is 0.0%.
There is also a question: “How did this happen?” This question is actually a (misleading) trap. Because 0.0% is an estimate derived from many years of work by very serious (high-ranking) officials. And now it turns out that they are either agents of the enemy or simply incomprehensible (according to the FSO / DKVR who are now looking for “moles” within the FSB).
But the question does not end there. If they are so bad, then who appointed them and who controlled their work? It turns out that they are people of the same quality but of a higher rank. And where does this pyramid of responsibilities stop? At the boss (Putin). And this is where the evil games begin: Our dear Александр Васильевич (Alexander Vasilyevich Bortnikov – Director of the whole FSB) cannot fail to understand how badly he got caught. (Bortnikov realizes the deep mess he is in now)
And our evil spirits from the GRU (Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation) and the SVR (Foreign Intelligence Service – equivalent to the CIA) understand everything [and not only from these two organizations]. The situation is so bad that there are no limits to the possible variations (of events that will happen), but something extraordinary is going to happen.”
Shortly after a first letter from an FSB whistleblower surfaced around 5 March, Putin quietly placed his FSB chief, Sergei Beseda, and his deputy under house arrest last Sunday. While telling the public they were arrested on embezzlement charges, according to open-source reports the “real reason is unreliable, incomplete, and partially false information about the political situation in Ukraine,” and Putin is holding them responsible for the Ukrainians’ success against the invasion thus far.
14 March 2022 – 12:00 UTC
Russian State Duma of the Federal Assembly Confirms Censorship of VPNs
Calling it “a difficult task,” Alexander Khinshtein, chairman of the State Duma Committee on Information Policy, commented that Russia’s media and propaganda agency, Roskomnadzor, has been tasked with blocking over two dozen VPNs [virtual private networks] across Russia. (Source)
We anticipate that number to increase as Putin continues to crack down on Russian citizens’ media consumption.
VPNs have been targeted by Russian authorities since 2017, when an initial VPN law was passed. In 2019 many of the VPN providers across Russia received compliance demands from Roskomnadzor representatives via email – captured in the image below.
The demand for VPNs in the country has reportedly increased by over 2,000% in the last month. Users on Telegram encourage widespread use of anonymity tools like VPNs and Tor, and share links to VPN services still in operation and accessible in the region. Many of the VPNs are available via Telegram directly and offer free trial subscriptions to Russian users.
14 March 2022
Russian Cyber Actors Set Up IT Army of Russia Group
The collective of cyber threat actors self-identifies as the “IT Army of Russia”, mirroring the IT Army of Ukraine Telegram initiative, and claims it has targeted critical Ukrainian cyber services with DDoS attacks. The group has fewer than 100 subscribers, and many of its members are affiliated with the Killnet forum.
The group recently posted a detailed dox containing personal information for President Volodymyr Zelenskyy [in Ukrainian: Володимир Олександрович Зеленський]. The dossier contains specific information such as his date of birth, passport number, car registration details, and familial associations.
13 March 2022 – 09:31 UTC
Anonymous Germany Exfiltrates Data from Russian Rosneft Operations in Germany
An Anonymous hacktivist group from Germany, referring to themselves as “AnonLeaks”, had access to the networks of Russia’s Rosneft subsidiary in Germany for almost two weeks and exfiltrated over 20 terabytes of corporate data. According to a preliminary review, the data consists of laptop backups, virtual disk images, Excel files, work instructions, and other operational information for the refinery.
Anonymous Germany emphasizes they did not have access to critical infrastructure in Germany, nor was the intent of their operation to access critical infrastructure for the refinery or compromise it in any way.
Rosneft is Germany’s third-largest petroleum refining company, processing roughly 12.5 million tons of crude oil per year.
(Update) Details of the leaked data have appeared on a dedicated Tor darknet service set up by the hacktivists.
13 March 2022 – 07:19 UTC
nB65 Claims to Be Jonathan Scott, a US-based Malware Researcher
Since the invasion, a social media account reportedly affiliated with the group nB65 has been extremely active in sharing the group’s leaks and targets across Russian networks – including claims of accessing the Roscosmos space agency. Most recently, they stated they had access to Kaspersky’s source code, with many teasers in the hours leading up to what amounted to a disappointing dump of publicly available code from the Russian antivirus software developer. The group essentially trolled Kaspersky and received heavy criticism from members of the information security research community.
The owner of the group’s Twitter account claimed today that they were, in real life, Jonathan Scott, a US-based computer science PhD student researching mobile spyware and IoT malware. Shortly after, the group’s Twitter account was deleted.
11 March 2022 – 06:25 UTC
GhostSec Claims to Access, Shut Down, and Deface Control Panel of Russian ICS via SCADA Attack
GhostSec continues its offensive against Russian critical infrastructure with attacks affecting industrial control systems. Today, the group claimed it successfully accessed an unidentified Russian industrial control system, defaced the control panel, and shut the system down. They also stated they deleted the backups to make restoring services more challenging.
They included the screenshot below which appears to correlate to a typical ICS system. The name or location of the network was not identified.
11 March 2022 – 01:34 UTC
BeeHive Cybersecurity Enters Campaign and Targets Pro-Russian Discord Users
A pro-Ukrainian group, known as “BeeHive Cybersecurity” claims to have attacked over 2,700 pro-Russian Discord users, compromising their accounts and defacing their profiles with statements about the realities in Ukraine posted in English, Ukrainian, and Russian.
The group insinuates that they “CnC [command and control] the platforms of the ignorant” and use compromised devices to help combat disinformation.
10 March 2022 – 12:30 UTC
KelvinSec Leaks Private Chats from Darknet Tor Service: Database Market
KelvinSec, a pro-Ukrainian cyber threat actor on the darknet, has leaked 3,178 files containing the private chats from DATABASE Market. DATABASE Market is a relatively newly launched service on Tor where carding and fraud cyber-criminals congregate and transact.
The service is allegedly hosted by IT Resheniya on the IP address 45.155.204.178. KelvinSec reported they infiltrated the market via an insecure direct object reference vulnerability, commonly called “IDOR”: a flaw in which an application returns objects by a user-supplied identifier without checking that the requester is authorized to see them, exposing information the site intended to keep hidden.
The compromised Tor service is still active as of time of writing.
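As an added illustration of the IDOR class named above (example code written for this page, not code from the original post or from any service it names), the constructed Python below contrasts a chat-lookup handler that trusts a client-supplied id with one that enforces per-object authorization and hands out opaque, user-bound references. The data model, user names, and messages are all constructed.

```python
"""IDOR: a vulnerable lookup beside a hardened one.

Added example, not code from the post or from any service it names. The data
model (private chats keyed by sequential integer id, each with a set of
participant user ids) is constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class NotFound(Exception):
    """Object does not exist, or the requester may not learn that it does."""


@dataclass
class Chat:
    chat_id: int
    participants: frozenset  # user ids allowed to read this chat
    messages: list = field(default_factory=list)


# Constructed sample data: three private conversations between different users.
CHATS = {
    1: Chat(1, frozenset({"alice", "bob"}), ["hi bob", "hi alice"]),
    2: Chat(2, frozenset({"carol", "dave"}), ["deal at 10?"]),
    3: Chat(3, frozenset({"alice", "erin"}), ["see you tomorrow"]),
}


def get_chat_vulnerable(requester: str, chat_id: int) -> list:
    """Vulnerable: any authenticated user can read any chat (the IDOR pattern).

    The only check is existence; `requester` is never consulted, and because
    ids are sequential a caller can walk chat_id = 1, 2, 3, ... through every
    conversation on the service.
    """
    chat = CHATS.get(chat_id)
    if chat is None:
        raise NotFound(chat_id)
    return chat.messages


def get_chat_hardened(requester: str, chat_id: int) -> list:
    """Hardened: object-level authorization on every access.

    A chat that exists but does not include the requester is reported exactly
    like a missing chat, so responses cannot be used to enumerate valid ids.
    """
    chat = CHATS.get(chat_id)
    if chat is None or requester not in chat.participants:
        raise NotFound(chat_id)
    return chat.messages


# Defence in depth: give clients an opaque, per-user reference instead of a
# bare integer. SERVER_KEY stands in for a per-deployment secret (constructed).
SERVER_KEY = secrets.token_bytes(32)


def _tag(requester: str, chat_id: int, key: bytes) -> str:
    return hmac.new(key, f"{requester}:{chat_id}".encode(), hashlib.sha256).hexdigest()


def make_reference(requester: str, chat_id: int, key: bytes = SERVER_KEY) -> str:
    """Issue a reference to a chat the requester is authorized to read.

    The MAC binds the object id to the user, so a reference copied from one
    account is useless in another, and ids cannot be guessed from a URL.
    """
    get_chat_hardened(requester, chat_id)  # authorize before issuing anything
    return f"{chat_id}.{_tag(requester, chat_id, key)}"


def resolve_reference(requester: str, ref: str, key: bytes = SERVER_KEY) -> list:
    """Resolve a reference, re-checking the user binding and the participant list."""
    try:
        raw_id, tag = ref.split(".", 1)
        chat_id = int(raw_id)
    except ValueError:
        raise NotFound(ref) from None
    if not hmac.compare_digest(tag, _tag(requester, chat_id, key)):
        raise NotFound(ref)
    return get_chat_hardened(requester, chat_id)


def can_read(handler, requester: str, chat_id: int) -> bool:
    """True if `handler` lets `requester` read `chat_id`; lets the two handlers be compared."""
    try:
        handler(requester, chat_id)
        return True
    except NotFound:
        return False


def reference_resolves(requester: str, ref: str) -> bool:
    """True if `requester` can redeem `ref` with the hardened resolver."""
    try:
        resolve_reference(requester, ref)
        return True
    except NotFound:
        return False
```

Walking the ids as "alice" shows the difference: the vulnerable handler yields every chat on the service, the hardened one only the two she participates in.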
10 March 2022 – 11:24 UTC
DDoSecrets Leaks Over 800GB of Data from Russian Media Censor, Roskomnadzor
The whistleblower leak site DDoSecrets has obtained 360,000 files from Роскомнадзор (Roskomnadzor) via hacktivists from the Anonymous campaign against Russia. Roskomnadzor is a Russian state-controlled agency responsible for monitoring, controlling, and censoring Russian mass media, and is responsible for the recent bans of Facebook, Twitter, and YouTube. The two-part dataset totals over 800 GB of files, emails, and information critical to the agency’s operations.
10 March 2022 – 08:35 UTC
GhostSec Hits Hundreds of Printers Across Russia
GhostSec reportedly hacked hundreds of printers across Russia to spread the message about the realities in Ukraine. On their Telegram channel they tagged an obscure 4chan meme, “Hey Russia do you liek mudkipz?”, onto the announcement. They stated they are targeting Russian government and military networks with the printer exploit.
9 March 2022 – 20:05 UTC
Pro-Russian Group devilix-EU Joins Campaign Against Ukraine and the US
Late last week, a new pro-Russian persona appeared on social media and began sharing pro-Russia propaganda, pro-Trump rhetoric, and counter-#opRussia Anonymous content. Over the last five days, they’ve ramped up their attacks, claiming to have compromised AWS instances and Microsoft IIS systems and to have performed BGP hijacking, with mentions of several US-based IP addresses.
The group makes further claims that they’re named after their own custom ransomware, “DEVILIX shark.”
DEVILIX named as me is one of the strongest viruses on the world DEVILIX shark is ransomware which can do anything we can create BotNet. where we want. Just a Simple but it’s not.
They most recently shared their thoughts about the cyber war in Russian, declaring that this was not about Ukraine and Russia, but the US and NATO and their intent to keep Russia and Ukraine divided.
Я вижу, что речь идет о двух сторонах, России и Украине. Почему мы разделены из-за политики? Разве вы не видите, что здесь делает Запад и хочет, чтобы мы были разделены. НАТО избежало конфликтов, и теперь привет! Слава России
[Google Translate]
I see that we are talking about two sides, Russia and Ukraine. Why are we divided because of politics? Don’t you see what the West is doing here and wants us to be divided. NATO has avoided conflicts, and now hello! Glory to Russia
8 March 2022 – 21:05 UTC
Anonymous Hacks Hundreds of Russian Security Cameras, Many Affiliated with Russian Government Ministries
Hacktivists from the Anonymous collective successfully tapped the security camera feeds of hundreds of retail businesses, restaurants, schools, and government installations across Russia. They set up a website to share the leaked camera feeds, some of which turned out to be from critical security offices. Anonymous also defaced security camera displays with the message:
Putin is killing children 352 Ukrainian civilians dead Russia lied to 200rf.com Slava Ukraini! Hacked by Anonymous
8 March 2022 – 18:34 UTC
nb65 Group Claims to Have Acquired Kaspersky’s Source Code
After keeping quiet for several days, the group sent out mysterious posts across social media claiming to have accessed Kaspersky source code and found “interesting relationships” in this code.
They also claimed it was “sloppier than Putin’s invasion.”
7 March 2022 – 17:31 UTC
22nd Member of Notorious TrickBot Gang Doxxed
The pro-Ukrainian affiliate of the Trickbot cybercriminal empire has leaked the personal identity of 22 key members of the gang along with private chats between group members. Since the 4th of March, DarkOwl has seen the following aliases mentioned: baget, strix, fire, liam, mushroom, manuel, verto, weldon, zulas, naned, angelo, basil, hector, frog, core, rocco, allen, cypher, flip, dar, and gabr.
7 March 2022 – 13:01 UTC
Digital Cobra Gang Claims 49 “A-Groups” Led by Conti and Cobra Are Attacking American Cyberspace
The Pro-Russian group entered the campaign shortly after Anonymous started #opRussia (28 Feb) with the statement:
“DIGITAL COBRA GANG DCG has officially declared cyber war on hackers who attacking Russia as well and to protect justice”
They’ve given little indication of success, other than inflated claims that they have acquired over 92 TB of data from US military personnel files; no proof has been published.
Earlier today, they posted that members of Conti were helping and that 49 “A-team” groups were hacking America.
(9 March 2022) – US AWS and Azure cloud platforms have experienced higher than normal traffic on the network but no major disruptions.
7 March 2022 – 06:44 UTC
RedBanditsRU Leaks Russian Electrical Grid Source Code Data
The pro-Russian group, originally assembled to counter-hack Anonymous and cyber actors targeting Russian organizations, posted today that they are leaking the source code of Rosseti Centre’s [mrsk-1[.]ru] electrical grid networking infrastructure. Rosseti Centre provides electricity for more than 13 million people in the federal subjects of the Central Federal District of the Russian Federation.
The group is sharing this information because they believe Putin and his supporters are “leading this country to an apocalypse state.”
DarkOwl warns that security researchers opening these archives should always use isolated sandbox environments in case malware or viruses are included in the leak.
7 March 2022 – 04:55 UTC
AgainstTheWest (ATW) Returns to the Fight and Drops Multiple Leaks of Russian Corporate Data
In the last 24 hours, ATW dropped URLs for at least 7 leaks corresponding to various Russian technical companies and organizations, reportedly breached by the cybercriminal group. ATW’s participation in the campaign has been controversial as they have had multiple dramatic departures and returns to the campaign and reports of “health issues” of some of the team’s members.
Security researchers reviewing the data leaks last week called into question the veracity of the information ATW is sharing. Check Point released analysis stating that “checking their claims deeper reveals that for many of the claims there are no solid proofs apart of very generic screenshots that are allegedly from the breached organizations.”
(Update 7 March 2022 – 18:36 UTC) The group also posted to their Telegram channel that they had successfully breached a Russian cybersecurity company that has been “hording” US-based government data and exposing multiple SonarQube instances, and requested that someone get in touch with them immediately. It’s unclear whether this is legitimate or just further ego inflation.
6 March 2022
Free Civilian Tor Service Leaks Entire DIIA Contents
Recently, the administrator of Free Civilian shared a post on their Tor service containing the entirety of Ukraine’s DIIA user database. They stated the buyer of the database consented to the release, with the understanding that some records were deleted. The downloads consist of 60+ archives containing gigabytes of data. The download links have been unstable since DarkOwl discovered them.
The administrator also expressed desire to have the ban on their “Vaticano” Raid Forums account lifted, claiming this leak proved the legitimacy of the information they shared back in January.
Recently, screenshots of an indictment for the alleged seizure of Raid Forums at VeriSign have been in circulation, after users spoke of rifts between pro-Ukrainian users and Russian hackers, potential FBI seizures, and the alleged hijacking of the alias of former admin Omnipotent on Darknet World. Prominent users from the forum have set up RF2 and advised that any old working Raidforums links are likely phishing logins run by the FBI.
6 March 2022 – 18:43 UTC
Anonymous Continues Information Warfare Against Russian Media; Video Services Wink and ivi Stream Anti-War Messaging
After Putin’s overt authoritarian take on media sharing the realities of the war in Ukraine, Anonymous managed to hack Russian video services Wink and ivi to stream pro-Ukrainian messages and video of the conflict.
This weekend, Putin’s parliament passed a “fake-news” law imposing prison sentences on media using the words “war” or “invasion”, prompting numerous western outlets to pull their journalists and suspend operations.
6 March 2022 – 15:39 UTC
AnonGhost Enters Campaign and Claims SCADA Attacks Against Multiple Russian Infrastructure Targets
This weekend, AnonGhost entered Anonymous’ #opRussia campaign with a vengeance, and claims today to have hacked multiple Russian infrastructure control systems via SCADA attacks and “shut it down.”
They list the following targets:
Волховский РПУ (Volkhov RPU)
Бокситогорский РПУ (Boksitogorsk RPU)
Лужский РПУ (Luga RPU)
Сланцевский РПУ (Slantsevsky RPU)
Тихвинский РПУ (Tikhvinsky RPU)
Выборгское РПУ (Vyborg RPU)
This is after they leaked data from 9 Russian commercial servers hours earlier.
azovkomeks[.]ru
vserver24[.]ru
dvpt[.]ru
ach[.]gov[.]ru
itmo[.]ru
vpmt[.]ru
pvlt[.]ru
hwcompany[.]ru
corbina[.]ru
DarkOwl is in the process of pulling in this data to review and assess the contents of all of the databases.
The AnonGhost group is reportedly one of the more senior Anonymous hacktivist teams in the underground, with reporting on the group going back to the early 2010s. According to open-source reporting, AnonGhost was led by Mauritania Attacker. In an online interview with a hacker’s blog in 2013, Mauritania Attacker claimed to be a 25-year-old male from Mauritania who started hacking at a young age by joining TeaMp0isoN and ZCompany Hacking Crew (ZHC), two hacking groups known for their attacks on high-profile targets such as NATO, NASA, the UN, and Facebook. (Source)
For those who remember Stuxnet, SCADA-type attacks are controversial because there is a fine line between disruption and destruction. Services knocked offline but able to be restored are disruptive and inconvenient, causing delays in operation and psychological concern over the safety of such services. However, disruptions that lead to destructive events, e.g. hard disks wiped and unrecoverable, derailed trains, power plants overheating and exploding, and satellites falling out of the sky, are considered serious and may be interpreted as an act of war, resulting in severe retaliation.
GhostSec Returns with Leaks from Russia’s Joint Institute for Nuclear Research (JINR) and Department of Information (DOI) FTP Server Data
Hours ago, an archive of several gigabytes emerged from GhostSec, reportedly containing information from Russia’s nuclear research and disinformation activities. GhostSec has been silent for most of the last week, perhaps busy with this activity.
According to their website (jinr.ru), the Joint Institute for Nuclear Research is an international intergovernmental organization established through the Convention signed on 26 March 1956 by eleven founding States and registered with the United Nations on 1 February 1957.
As of time of writing, the public facing website is online.
6 March 2022 – 12:34 UTC
Anonymous Dumps Leak of 139 Million Russian Email Addresses
An archive of over 139 million email addresses, broken up into 15 separate files with “mail_ru” at the beginning of each filename, lists the email addresses of presumed account holders of mail.ru services. VK (VKontakte) assimilated mail.ru email services into its internet services conglomerate in the fall of 2021.
The archive also included two HTML files with ominous warnings, possibly shared on the servers from which these leaks were obtained.
[image translation]
Russian soldiers! If you think that you are going to an exercise, in fact you are being sent to Ukraine to DIE.
DarkOwl has not determined the veracity of this data, nor confirmed how these emails were obtained; some combolists of this nature are created as an aggregation of other leaked data.
As of time of writing, mail.ru’s public facing website is still online and operational.
5 March 2022 – 20:41 UTC
Anonymous Targets Russian FSB; Letter Appears from Possible FSB Whistleblower
The Federal Security Service (FSB) of the Russian Federation [Федеральная служба безопасности (ФСБ)] is the principal security and intelligence agency of Russia and the main successor agency to the Soviet Union’s KGB.
Earlier today, Anonymous hacktivists targeted the FSB (at the direction of the IT Army Ukraine) and managed to take the external facing website offline. Rumors on social media and chatrooms suggested Anonymous managed to “breach” the FSB’s server.
Shortly after the announcement of the website’s offline status (i.e. #TangoDown), a deep web paste emerged containing a list of 62 subdomains for the fsb.ru domain. This could be for additional targeting and exploitation.
The stability and alliances of members of the FSB are being questioned by threat intelligence and security researchers across the community. Last night, an alleged FSB whistle-blower letter surfaced (via the founder of http://gulagu.net) that damned Russia’s military performance in Ukraine and predicted a disaster for the RU in the coming weeks and months. An English translation of the letter has appeared on the deep web (excerpt below).
To be honest, the Pandora’s box is open – a real global horror will begin by the summer – global famine is inevitable (Russia and Ukraine were the main suppliers of grain in the world, this year’s harvest will be smaller, and logistical problems will bring the catastrophe to a peak point). I can’t tell you what guided those at the top when deciding on the operation, but now they are methodically lowering all the dogs on us (the Service).
We are scolded for analytics – this is very in my profile, so I will explain what is wrong. Recently, we have been increasingly pressed to customize reports to the requirements of management – I once touched on this topic. All these political consultants, politicians and their retinue, influence teams – all this created chaos. Strong. Most importantly, no one knew that there would be such a war, they hid it from everyone.
And here’s an example for you: you are asked (conditionally) to calculate the possibility of human rights protection in different conditions, including the attack of prisons by meteorites. You specify about meteorites, they tell you – this is so, reinsurance for calculations, nothing like this will happen. You understand that the report will be just for show, but you need to write in a victorious style so that there are no questions, they say, why do you have so many problems, did you really work badly. In general, a report is being written that when a meteorite falls, we have everything to eliminate the consequences, we are great, everything is fine.
And you concentrate on tasks that are real – we don’t have enough strength anyway. And then suddenly they really throw meteorites and expect that everything will be according to your analytics, which was written from the bulldozer.
That is why we have a total piz_ets – I don’t even want to pick another word.
5 March 2022 – 16:37 UTC
Anonymous Claims to Breach Yandex (Russia’s Mail and Search Service); Leaks Account Credentials
DarkOwl discovered two leaks shared through the Anonymous hacktivist collective network consisting of over 5.2 Million user accounts’ email addresses and password combinations. We are in the process of analyzing this data leak to determine the veracity of its contents. 1.1 Million Yandex accounts were previously dumped in 2014. Many hackers are using #opRussia to opportunistically claim clout for breaches that did not occur, when in reality they are circulating old previously dumped data and/or verifying accounts by credential stuffing.
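One first-pass veracity check for a claimed “new” credential dump is to measure how much of it already appears in previously dumped data, since a high overlap points to a repackaged old leak (or old pairs re-verified by credential stuffing) rather than a fresh breach. The following is an added example, not DarkOwl’s own tooling; the combo-list format (`email:password` or `email;password`), the sample records and the verdict thresholds are all constructed assumptions for illustration.

```python
"""Estimate how much of a 'new' credential dump is recycled from an older one.

Added example (not DarkOwl's code). Both dumps are read as combo-list lines;
passwords are hashed before comparison so the reference corpus never has to
be kept in plaintext. Sample data below is constructed, not real accounts.
"""
import hashlib
import re
from dataclasses import dataclass

# Combo lists usually separate fields with ':' or ';' and may carry stray whitespace.
_SPLIT_RE = re.compile(r"[:;]")


def normalize_credential(line: str):
    """Turn one combo-list line into (email, sha256(password)) or None if unparseable."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = _SPLIT_RE.split(line, maxsplit=1)
    if len(parts) != 2:
        return None
    email, password = parts[0].strip().lower(), parts[1].strip()
    if "@" not in email or not password:
        return None
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return email, digest


def load_corpus(lines):
    """Parse a dump into a set of (email, password-hash) pairs, dropping junk lines."""
    pairs = set()
    for line in lines:
        rec = normalize_credential(line)
        if rec is not None:
            pairs.add(rec)
    return pairs


@dataclass
class LeakAssessment:
    total_new: int          # distinct parseable pairs in the claimed dump
    pairs_recycled: int     # exact email+password pair already in the old dump
    emails_recycled: int    # email known from the old dump, but a different password
    genuinely_new: int      # email never seen before

    @property
    def recycled_ratio(self) -> float:
        return 0.0 if self.total_new == 0 else self.pairs_recycled / self.total_new

    @property
    def verdict(self) -> str:
        # Thresholds are an assumption for this example, not an industry standard.
        if self.recycled_ratio >= 0.8:
            return "likely repackaged old dump"
        if self.recycled_ratio >= 0.3:
            return "mixed: partly recycled"
        return "mostly unseen pairs: warrants deeper verification"


def assess_leak(new_lines, old_lines) -> LeakAssessment:
    """Compare a claimed dump against a known older dump and classify the overlap."""
    new_pairs = load_corpus(new_lines)
    old_pairs = load_corpus(old_lines)
    old_emails = {email for email, _ in old_pairs}
    pairs_recycled = len(new_pairs & old_pairs)
    emails_recycled = sum(
        1 for email, digest in new_pairs
        if (email, digest) not in old_pairs and email in old_emails
    )
    genuinely_new = len(new_pairs) - pairs_recycled - emails_recycled
    return LeakAssessment(len(new_pairs), pairs_recycled, emails_recycled, genuinely_new)


# Constructed sample data (not real accounts): an "old" dump and a "new" claim.
OLD_DUMP = [
    "alice@example.test:winter2013",
    "bob@example.test:qwerty",
    "carol@example.test;letmein",
]
NEW_CLAIM = [
    "Alice@example.test:winter2013",   # same pair, differently cased email
    "bob@example.test : qwerty",       # same pair, stray whitespace
    "carol@example.test:newpass2022",  # known email, different password
    "dave@example.test:hunter2",       # never seen before
    "garbage line without separator",  # unparseable, ignored
]

if __name__ == "__main__":
    result = assess_leak(NEW_CLAIM, OLD_DUMP)
    print(result, "->", result.verdict)
```

The `emails_recycled` bucket is worth reporting separately: a dump where known emails carry new passwords is consistent with credential-stuffing “verification” against the live service, which is a different claim from a server-side breach and calls for a different response (forced resets for those accounts rather than an infrastructure investigation).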
5 March 2022 – 15:23 UTC
Paypal Suspends Service in Russia
PayPal announced on LinkedIn that it would be halting its operations in Russia, a statement released days after it suspended new-user sign-ups on the payment platform on Tuesday. Dan Schulman, CEO, wrote:
We remain steadfast in our commitment to bring our unique capabilities and resources to bear to support humanitarian relief to those suffering in Ukraine who desperately need assistance. We will also continue to care for each other as a global employee community during this difficult and consequential time.
On Wednesday, 3 March, the IT Army of Ukraine called on all supporters to sign a petition on change.org:
[TRANSLATION]
While Ukraine protects its people and places, and Russia faces the radical consequences of its war crimes, the most popular payment service via PayPal is still available to the aggressor. This means that it also helps finance the bloody war against Ukraine through PayPal.
We are absolutely sure that modern technologies are a powerful response to tanks, grads and missiles. We call on the company to block its services in Russia via PayPal and launch them in Ukraine, as well as provide an opportunity to raise funds to restore justice and peace in our country and the world.
5 March 2022 – 15:03 UTC
Anonymous Leaks Private RocketChat Conversations from Russian Government Officials
Anonymous is targeting Russia by any means possible and managed to collect private chats between Russian officials on the messaging service, rocket.chat. After review, these chats are different from the ones dropped by @contileaks last week.
The chat includes the network ID, username, and “real name” of 14 members of the chat group. The domain associated with the leak corresponds to the official website of the Russian government and the Governor of the Moscow region.
5 March 2022 – 06:04 UTC
squad303 Sets Up SMS Messaging System to Text Random Russian Citizen Phone Numbers
With the lack of Russian media coverage of the invasion of Ukraine and the intentional misinformation spread by Putin’s disinformation agencies, a pro-Ukraine hacktivist collective known as squad303 set up an SMS messaging system that lets citizens around the globe text randomly selected Russian citizens a scripted message about the nature of world events.
The squad303 team also set up an API for more advanced users.
Update: As of 8AM UTC, 6 March 2022, the service had been used to send over 2 million texts to Russian mobile phone numbers.
The team also reports suffering heavy DDoS attacks from pro-Russian cyber actors.
5 March 2022 – 02:34 UTC
Anonymous Hackers Claim to Have Accessed Communication Data for a Russian Military Satellite
After NB65’s reported success accessing Roscosmos earlier this week, it appears that members of the Anonymous collective under the campaign #opRussia have ventured into breaching the communications of a Russian military satellite for data collection. The satellite, designated COSMOS 2492 (aka glonass132), is likely active in geospatial intelligence collection over Ukraine for Russia. (Note: the original indication of the connection occurred 4 March 2022 @ 09:35 by Anonymous collective member @shadow_xor.)
DarkOwl also uncovered a leak shared by LulzSec member @shadow_xor titled “Leak_RUSAT_shadow_xor.zip”, which contains significant geopositioning data since the satellite’s launch in 2014. The hacker stated they could not change the coordinates of the satellite, but did capture orbital, passage, and communications data.
Our original reporting on this suggested the hackers were Russian-based, but further analysis only indicated that a number of Russian-based hackers supported the attack on COSMOS 2492.
4 March 2022 – 18:16 UTC
Putin Officially Bans Facebook in Russia
In order to combat the information operations campaign against them online, Putin ordered ISPs to block Facebook servers and websites across Russia. Security researchers also note an uptick in Russian trolls on social media, with bot accounts promoting Putin’s military operations in Ukraine.
Putin’s parliament also passed a law imposing prison terms of up to 15 years for individuals who intentionally spread “fake news” about the military. The terms “invasion” and “war” are no longer allowed in press and media coverage.
Several foreign and Western media outlets, including BBC, CNN, and Bloomberg, have temporarily suspended reporting on the war from Russia.
4 March 2022 – 09:44 UTC
NB65 Teases Information Security Community with Riddles on their Activities
NB65 – the pro-Ukrainian group who claimed responsibility for accessing and shutting down Russia’s spy satellites via SCADA vulnerabilities – teased the information security community that they had been quiet because they were parsing and analyzing numerous vulnerabilities in Russian cyber targets.
If we seem quiet, it’s because we have an olympic sized swimming pool worth of data and vulnerabilities. But here’s some fun that you can participate in…
DarkOwl discovered a post matching the target hidden in the riddle and the content suggests the group has access to RUNNET: Russia’s UNiversity Network.
4 March 2022
IT Army of Ukraine Calls for Volunteers to Support the Internet Forces of Ukraine
Ukraine’s Ministry of Digital Transformation is stepping up its information warfare against Putin’s propaganda by forming the Internet Forces of Ukraine (ITU). A separate Telegram channel, created at the start of the month, is dedicated to posting instructions and guidance for citizens around the world who want to aid Ukraine but lack an IT/cybersecurity background.
Friends, our enemy, in addition to the existing war in our cities and villages, is also waging an information war. Do not believe fakes, do not believe the lies of Putin’s propaganda – there will be no capitulation of Ukraine!!! We have a powerful army, we are strong in spirit and we are supported by the whole world! Therefore, do not be fooled by provocations and believe in Ukraine. Spread this to your family and friends on social networks, so that they also do not fall for the Kremlin’s nonsense. We are together and we will win!! 🇺🇦
4 March 2022 – 01:46 UTC
Trickbot Gang Members Doxxed and Links to FSB Confirmed
At 15:00 UTC, before DarkOwl could even finish analyzing the ContiLeaks, a Ukrainian-aligned underground account leaked details of key members of the infamous TrickBot gang. Over the course of the day, at a cadence of every 2 hours, dossiers for the individuals appeared on social media. Private chats between members of the gang were included with each of the leaks. Seven male members and their aliases were identified: baget, fire, strix, mushroom, manuel, verto, and liam. Twitter has since suspended the account.
3 March 2022 – 20:54 UTC
Russian-Aligned Hackers Target Anonymous Hacktivists in Canada
A pro-Russian cyber group using the name Digital Cobras claims to have been targeting #opRussia hackers from the Anonymous collective across the US, UK, Greece, and Canada. Earlier today, they posted several names of individuals along with pictures of some of the alleged members of Anonymous.
They also claimed to have “hacked Anonymous’ servers” and downloaded over 260 GB of their files and tools. They also claimed to have full administrative access to the Tor Project, including its crypto accounts.
Anonymous does not possess servers or centrally locate their information or tools as it is an organic decentralized collective of hacktivists around the world. Similarly, the Tor Project is run by a network of volunteers.
It is very likely this group is designed to spread disinformation and FUD.
3 March 2022
Size of Zeronet Anonymous Network Increases Since Invasion
In the week since Putin launched the invasion against the Ukrainian people, DarkOwl has observed 385 new Zeronet domains and a nearly 20% increase in the network’s activity. Zeronet has historically been most heavily used by Chinese threat actors. The trend in “new domain” activity appears to have started on or about February 27th, within hours after the IT Army of Ukraine rallied the underground.
The Tor Project has reported significant increases in the number of unique addresses on Tor on the same day.
(Figures: DarkOwl Zeronet reporting; Tor Project data on the onion address surge)
3 March 2022 – 17:10 UTC
Anonymous Leaks Database Containing Bank Account Holders Information
bkdr – a member of the Anonymous hacktivist collective – released an Excel spreadsheet containing the personal information of over 8,700 business bank account holders in Russia. Full names, passport numbers, dates of birth, account standing, etc. are included in the file.
3 March 2022 – 15:40 UTC
Pro-Russian Cyber Team, Killnet Claims To Hack Vodafone Services in Ukraine
Killnet, a pro-Russian organized threat actor, has claimed they were successful in attacking Vodafone’s telecommunications services across Ukraine. The group shared links to the vodafone.ua website (as offline) and network graphs showing the website suffered an outage.
The group also claims to have attacked “Anonymous” networks directly, prompting criticism, as the Anonymous hacktivist collective has no central servers or repositories.
[Google Translate]
Cellular communication services under the Vodafone trademark on the territory of Ukraine are provided by the partner of Vodafone Group plc, PRO “VF Ukraine”
⚠ OUR ATTACK WAS REPELLED [REFLECTED] AFTER 4 HOURS.
3 March 2022 – 05:22 UTC
Anonymous Breaches Private Server in Roscosmos and Defaces Website
v0g3lSec – a member of the Anonymous hacktivist collective – claims to have infiltrated private servers at the Russian space agency, Roscosmos, and exfiltrated files from its Luna-Glob moon exploration missions. The archive consists of over 700 MB. Many of the files are drawings, executables, and technical documents dating back to 2011. A scientific review of the content would be needed to assess the value of the information collected.
In addition, the website of the Space Research Institute (IKI) of the Russian Academy of Sciences (RAN) was defaced by the same group.
3 March 2022 – 01:11 UTC
Anonymous Leaks Data from Rosatom, Russia’s State Atomic Energy Corporation
According to DarkOwl’s preliminary review of the 74 files, the leak appears to be a mixture of budget data, conference materials, PowerPoint presentations, and technical files dating back to 2013. The information is such a random mixture that it is unclear whether it was obtained directly from a breach of the corporation’s servers, from an employee at the organization, or collected via OSINT and compiled for use in #opRussia.
“There is no place for dictators in this world. You can’t touch the innocent, Putin. No secret is safe. State Atomic Energy Corporation Rosatom has been hacked!”
2 March 2022 – 19:55 UTC
ATW Quits Campaign – Cites Conflict with Anonymous, Attribution, and Twitter Suspension
Drama in the group started yesterday with AgainstTheWest claiming Anonymous was taking credit for their successes in the cyber war against Russia. They briefly turned their attention to China, announcing several new victims, including the Chinese Science, Technology and Industry for National Defence organization. After their suspension from Twitter earlier today, they announced their retirement, claiming they had no means of communicating with the public. (Analysts note the rebrand to BlueHornet occurred shortly after their announcement.)
2 March 2022 – 19:09 UTC
Conti Leak Source Code, Panel, Builder, Decrypter Appear on Darknet Forum
Less than 48 hours after a pro-Ukrainian affiliate leaked the infrastructure of the CONTI gang’s operation, including botnet IP addresses and source code executables, users began circulating the ransomware gang’s critical data across popular darknet forums and discussion boards.
2 March 2022 – 16:35 UTC
Leak Documents Surface Proving War Against Ukraine was Approved on 18 January
Anonymous hackers released photographs of captured documents from Russian troops titled “WORKING MAP” and authored by the commander of Russia’s Bomb Battery of the Black Sea Fleet. The maps and documents affirm to the public that the invasion of Ukraine was approved on January 18th, with the intention of seizing the country sometime between 20 February and 06 March 2022. Liveuamap, under intermittent DDoS since this started, confirmed the data.
2 March 2022 – 13:52 UTC
XSS Admin Reports XMPP Jabber Service Ransomed and Heavy DDoS Attacks
A darknet forum popular with the Russian-speaking community has been experiencing technical issues, suffering from Jabber service outages and heavy DDoS attacks. The forum is well known in the darknet for malware discussions and coordination of attacks. The admin shared a post stating that the Jabber service was hit with ransomware and the contents of the chats were wiped from the service. They nonchalantly suggested users re-register and continue using the service.
[Translated]
The server didn’t work yesterday. Because of ransom (which, by the way, is prohibited here) we were listed in a spamhouse. Instead of reporting the violation, the “brilliant” spamhouse immediately leafed through us. In principle, for many years I got used to their “adequacy”. I’m not surprised at anything. We have more than 21,000 users, and no one is able to check everyone. To do this, in fact, they came up with feedback contacts (xmpp, e-mail), they are listed everywhere.
Why, I wonder, they don’t block gmail.com ? So many, so to speak, violators of law and order use it, and nothing, for some reason they are not immediately listed.
In parallel with this, a powerful DDoS attack was conducted on us.
Our XMPP project is not commercial, completely free and subsidized. I’ve never understood the point of attacking toads.
At the moment, the functionality has been restored.
An unpleasant moment. Backups according to the law of meanness turned out to be broken. The last one alive was a week ago. Suddenly someone has lost contacts or a toad has disappeared, re-register.
2 March 2022 – 10:33 UTC
Leak Appears with Russian Air Force Officer’s Information
Anonymous leaked another database containing the personal information for over 300,000 of Russia’s military personnel and civilian citizens. The archive, titled “Translated Base Database” contains 35 separate database files containing personal details of the individuals. Information includes: full name, date of birth, age, passport number, address, occupation, etc.
1 March 2022 – 20:46 UTC
Russian Criminal Gang TheRedBanditsRU Recruits on Social Media – Offers Payments for Affiliates
The RedBandits openly recruit “affiliates for certain jobs” stating they did not want white hats, but that they want to “speak to exploit Devloplers, Spammers (phishing skills, vishing etc), Pentesters. We’re building an army!” They incentivize skilled hackers to join their cause for monetary gain, claiming partners would be paid well and to apply directly via qTox.
Earlier today, the group claimed that they did not agree with Putin as a leader nor of his invasion of Ukraine, but will protect him as a citizen of Russia.
“War is good for no one, come, take my hand, make money help your family”
1 March 2022 – 12:57 UTC
STORMOUS Ransomware Group Aligns With Russia
The STORMOUS ransomware group, which has been targeting international victims with its ransomware strain for months, declared its alliance with the Russian government and threatened greater attacks against Ukraine.
The STORMOUS team has officially announced its support for the Russian governments. And if any party in different parts of the world decides to organize a cyber-attack or cyber-attacks against Russia, we will be in the right direction and will make all our efforts to abandon the supplication of the West, especially the infrastructure. Perhaps the hacking operation that our team carried out for the government of Ukraine and a Ukrainian airline was just a simple operation but what is coming will be bigger.
1 March 2022 – 09:26 UTC
Ukrainian Paper Leaks Personal Data for 120,000 Russian Military Personnel
In an effort to target the Russian soldiers invading Ukraine, the Centre for Defence Strategies in Ukraine has acquired the names and personal data of 120,000 servicemen who are fighting in Ukraine. The Ukrainian newspaper Ukrayinska Pravda has leaked the details of the soldiers, which could be one of the biggest information warfare campaigns using doxing in the middle of a military conflict ever seen.
The doxxed soldiers are likely to face increased engagement on social media and direct phishing attacks.
1 Mar 2022 – 00:38 UTC
NB65 Takes on Russia’s Satellite Technology
NB65 claims that they successfully accessed Russia’s Roscosmos Space Agency, deleted the WS02, ‘rotated’ the credentials, and shut down the server. They did not provide any leaks with the social media announcement.
The Russian Space Agency sure does love their satellite imaging. Better yet they sure do love their Vehicle Monitoring System.
Network Battalion isn’t going to give you the IP, that would be too easy, now wouldn’t it? Have a nice Monday fixing your spying tech. Glory to Ukraine.
28 February 2022 – 23:54 UTC
ATW Targets Russia’s Electrical Grid
AgainstTheWest leaks information from Russia’s PromEngineering corporation. Archives of corporate emails between employees, clients, and vendors, as well as blueprints and engineering documentation for power stations around Russia, are included in the leak.
28 February 2022 – 22:00 UTC
CONTI’s Entire Infrastructure Leaked
Does this signal the end of CONTI’s reign as leading RaaS?
A Ukrainian-aligned affiliate decided to destroy the CONTI ransomware gang’s operation by exfiltrating and sharing 141 additional JSON data files of private Jabber chats from 2020, details of their server architecture, their sendmail phishing campaign data, command and control botnet architecture, and ransomware executables (password protected). Analysis confirms that the gang uses the BazarLoader backdoor for installing persistent malware on infected machines.
DarkOwl analysts also noted from the leaked Jabber messages that RaaS affiliates were persistent in determining how to evade AV/EDR protection systems like Sophos and Carbon Black, stating that they had set up sales calls and demos with the Carbon Black and Sophos AV sales teams using proxy companies to gain more information, test the product, and attempt to find specifics of the product’s AV/EDR bypass mechanisms.
This reminds us all of the importance of vetting and verifying all commercial in-bound requests for demos and sales information, especially when such a request might present an opportunity to learn critical corporate intelligence.
The affiliate leaking the details wrote how this war against their people and Ukraine was breaking their heart.
My comments are coming from the bottom of my heart which is breaking over my dear Ukraine and my people. Looking of what is happening to it breaks my heart and sometimes my heart wants to scream.
28 February 2022 – 21:41 UTC
STORMOUS Ransomware Hits Ministry of Foreign Affairs of Ukraine
The pro-Russian STORMOUS ransomware gang claims to have attacked Ukraine’s Ministry of Foreign Affairs, mfa.gov.ua, using their custom ransomware. The group posts victims’ information on their Telegram channel, posting in both English and Arabic. The group stated that the Ukrainian government network was “fragile” and called for DDoS attacks against it.
Their network is fragile – their various data has been stolen and distributed according to their phone numbers, email, accounts and national card numbers with an internal network hacked and access to most essential files. This is with placing denial attacks on their main site !
28 February 2022 – 18:00 UTC
China’s Huawei Steps in to Assist Russia with ISP Network Instability
According to Chinese deep web forums, Huawei is reportedly building a mobile broadband network in Russia to help with internet outages. As of 26 February, at least 50,000 technical experts will be trained in networking and security in Russia’s R&D centers.
28 February 2022 – 12:00 UTC
Russian Gas Station Pumps Hacked
Video of disabled electric vehicle (EV) charging stations in Russia surfaced, showing an error status and the following messages:
”Putin is a dick”, “Glory to Ukraine”, ”Glory to our heroes”,” death to our enemies”
27 February 2022 – 23:06 UTC
Anonymous for Ukraine Leaks Customer Data from Sberbank Russia
While Anonymous leaked the files, the credit for the hack goes to the hacktivist group Georgia Hackers Society. The two text files (bygng.txt & bankmatbygng.txt) appear to be personal data from the financial institution, with the bankmat file containing 4,568 records.
27 February 2022 – 21:00 UTC
CONTI RaaS Suffers for Professing Their Allegiance to the Russian Federation
DarkOwl just discovered 393 JSON files containing private Jabber chats from the ransomware group since January 2021 leaked online. Many of CONTI’s affiliates were displeased with the group’s alliance with Russia.
27 February 2022 – 19:00 UTC
ATW Claims to Take Down CoomingProject Ransomware Group
AgainstTheWest assesses “CoomingProject are actually one of the dumbest “threat” groups online.” AgainstTheWest statement on Twitter:
“RIP CoomingProject. All data on them is being passed to relevant authorities in France.”
27 February 2022 – 16:54 UTC
Cyberpartisans Take Belarusian Railway’s Data-Processing Network Offline
The hacktivist group of cyber specialists located in Belarus managed to force the railway switches into manual control mode, significantly slowing the movement of trains. The webservers for the railway’s domains (pass.rw.by, portal.rw.by, rw.by) are also offline.
The rail services are being essentially held hostage until Russian troops leave Belarus and there is peace in Ukraine.
27 February 2022 – 11:00 UTC
AgainstTheWest Ransomware Gang Enters the Campaign
AgainstTheWest (ATW) claims to have attacked Russia’s Department of Digital Development and Communications of the Administration of the Pskov Region with their own custom “wiper” malware. All data has reportedly been saved and then deleted.
27 February 2022 – 09:00 UTC
Anonymous Attacks Russian Critical Infrastructure
Tvingo Telecom offers fiber-optic networking, internet and satellite services. Tvingo Telecom is a major provider to Russian clients.
27 February 2022 – 00:00 UTC
GhostSec Leaks More Data and Claims Attacks Against Belarusian Cybercriminals, GhostWriter
GhostSec is active in the Anonymous cyber war against Russia and released a sample of databases stolen from additional government and municipality sites across Russia (economy.gov.ru and sudak.rk.gov.ru).
They state on their Telegram channel they have been conducting attacks against “Russian hackers” and the “hacker group GhostWriter” (a.k.a. UNC1151).
26 February 2022 – 18:00 UTC
IT ARMY of Ukraine Now Active on Telegram
A Telegram Channel titled “IT ARMY of Ukraine” appeared earlier today to help coordinate cyber activities against Russia. The channel has already accumulated over 96K followers. Posts are shared in Ukrainian and English containing target server IP addresses and media for mass distribution on social media.
Videos of what is really happening across Ukraine have appeared on intercepted Russian state television channels.
In the next hour there will be one of the most important tasks!
26 February 2022 – 16:00 UTC
Anonymous Hackers Interrupt Russian State Television
Multiple reports across underground chatrooms suggest Russian television was allegedly briefly interrupted to play Ukrainian music and display national images. (Source)
Ukraine’s telecommunications’ agency also announced that Russia’s media regulator’s site was down as well.
26 February 2022 – 09:00 UTC
Russia Restricts Facebook and Twitter to Control Information
Open source internet monitoring reporting organizations discovered Twitter has been blocked by multiple ISPs across Russia. Ukraine’s government is regularly posting on social media to show the Russian people they are still fighting in the invasion. Cybercriminals and hacktivist campaigns also disrupt Russia’s information operations by calling out disinformation bots and taking critical communications sites offline. Twitter has reportedly blocked account registrations from IPs originating in the Russian Federation.
Russia’s state-controlled television station, RT, is still offline.
26 February 2022 – 01:00 UTC
Hackers Leak Data from Belarusian Weapons Manufacturer Tetraedr on the Darknet
Anonymous Liberland and the Pwn-Bär Hack Team announce the start of #OpCyberBullyPutin and leak a two-part archive (200 GB total) of confidential employee correspondence from the prominent Belarusian defense contractor and radar manufacturer Tetraedr. The first part is the most recent 1,000 emails from each employee inbox, in .EML format. The second part is a complete archive of each inbox in .PST format.
The hacktivists stated they successfully attacked the company through an unpatched ProxyLogon security vulnerability.
25 February 2022 – 23:30 UTC
Russian Military Radio Frequencies Hijacked
Ukrainian radio frequency (RF) hackers intercepted the Russian military numbers station UVB-76 (4625 kHz) and trolled Russian communications by playing Swedish pop group Caramella Girls’ Caramelldansen on top of the radio waves.
The group also successfully intercepted frequencies utilized by Russian strategic bomber planes.
25 February 2022
CoomingProject Ransomware Group Announces Support for Russia
Another ransomware gang sides with Russia officially declaring war against anyone conducting cyber attacks against the Russian government on their Telegram channel.
“Hello everyone this is a message we will help the Russian government if cyber attacks and conduct against Russia”
25 February 2022 – 21:00 UTC
Russia’s Gazprom Energy Corporation Knocked Offline
Headquartered in St. Petersburg, Gazprom (ПАО “Газпром”) is the largest natural gas transmission company in Eastern Russia. The company is mostly owned by the Russian government even though its shares are traded publicly.
The Anonymous hacktivist collective, operating their campaign against Russia via the hashtag #OpRussia, has claimed responsibility.
25 February 2022 – 20:00 UTC
Anonymous Hackers Leak Database for Russia’s Ministry of Defense (MoD)
Russia’s gov.ru and mil.ru website server authentication data, including hundreds of government email addresses and credentials, surface on transient deep web paste sites and Telegram channels. Another leak consisting of 60,000 Russian government email addresses is also now in circulation.
GhostSec, also participating in Anonymous’s cyberwar against Russia, #OpRussia, claimed all subdomains for Russia’s military webservers were offline hours earlier as of 11:00 UTC.
Over around 100+ subdomains for the russian military were hosted on this IP (you may check DNSdumpster for validation) now all downed. In Support of the people in Ukraine WE STAND BY YOU!
25 February 2022
CONTI’s decision to side with Russia has dire consequences for the RaaS Gang
The ransomware-as-a-service (RaaS) gang CONTI (a.k.a. CONTI News) has officially sided with the Russian Federation against “Western warmongers” in the conflict.
Many of their affiliate partners are reportedly in disagreement – siding with Ukraine – which became evident once certain private chats from their internal affiliate platform were leaked on social media. It is uncertain how these political divisions will impact the effectiveness of the ransomware gang’s campaigns. Conti revised their WARNING statement, claiming they do “not ally with any government and we condemn the ongoing war.”
25 February 2022 – 16:30 UTC
Hundreds of Russian IP Addresses Appear on Deep Web for Targeting
Over 600 IP addresses correlating to key Russian web services emerge on transient paste sites and underground hacker forums. (Source DarkOwl Vision)
25 February 2022 – 05:00 UTC
Anonymous Threatens to Take Russian Industrial Control Systems Hostage
The hacker group known as Anonymous stepped up its participation in defending Ukrainians through its cyber war with Russia. In an ominous video posted to Twitter, the group called for the UN to establish a “neutral security belt” between NATO and Russia to ease tensions. They elevated their influence by threatening to “take hostage industrial control systems” against Russia, closing with the group’s usual “Expect us. We do not forgive. We do not forget.”
“If tensions continue to worsen in Ukraine, then we can take hostage… industrial control systems.” Expect us. Operation #Russia Engaged
24 February 2022 – 19:00 UTC
Free Civilian Tor Service Announces 54 New Ukrainian Government Database Leaks
The administrator of the Free Civilian Tor Service – who DarkOwl analysts believe is the Raid Forums threat actor, Vaticano – updated their database leaks service, stating they had confidential data for dozens of Ukrainian government services. DarkOwl analyzed these databases closely and confirmed the threat actor likely exfiltrated the data in December 2021. (Source)
24 February 2022 – 17:00 UTC
Russia’s FSB Warns of Potential Attacks against Critical Infrastructure as a result of Ukraine Operations
The National Coordination Center for Computer Incidents (NCSCI) released an official statement warning citizens of Russia of imminent cyber attacks and for the country to brace for the disruption of important digital information resources and services in response to the on-going special military operation in Ukraine.
“Attacks can be aimed at disrupting the functioning of important information resources and services, causing reputational damage, including for political purposes” – NCSCI
24 February 2022 – 05:00 UTC
Cryptocurrency Markets Crash in Wake of Invasion
Bitcoin fell below $35,000 USD for the first time since January as Russian troops crossed the Ukrainian border, and Ethereum fell more than 12% over 24 hours.
According to open-source reporting, the overall cryptocurrency market has lost more than $150 billion in value since tensions began.
Using DarkOwl Vision, our darknet search engine, investigators are able to collect intelligence about persons or subjects of interest, including usernames, aliases, chatroom activity and other potentially incriminating information, and use that data to compile evidence and solve complex crimes.
Earlier this summer we researched the cyber insurance industry and the darknet, reviewing basic policies, first- and third-party coverage, and a sample of the kinds of data insurers might want to monitor the darknet for. We discovered an increasingly complex interrelationship between darknet data and the organizations that issue cyber liability policies and manage claims.
Cyber Insurance is not a Substitute for Cyber Defense
Surprisingly, we also discovered that most cyber liability policies exclude incidents caused by human error or negligence, as well as events easily preventable by a stable and secure IT defense posture. Security professionals therefore cannot become lackadaisical about their security posture simply because they have procured a comprehensive cyber insurance policy.
Organizations should not be fooled into thinking that cyber insurance is a substitute for robust cybersecurity defense and response.
Some popular exclusions of cyber liability insurance include:
Lacking or poorly developed security processes: Detailed security policies and a comprehensive incident response plan are prerequisites for underwriting;
Prior breaches: Data leaks or incidents that occurred before the organization purchased its policy;
Lost mobile IT devices: Most cyber liability policies do not cover lost or stolen personal mobile devices, for example a CEO's phone left on an airplane or in an Uber;
Human error: Any cyberattack triggered by a basic mistake by one of the organization's employees;
Insider attacks: Loss or theft of data due to an ‘insider attack’, i.e. an employee initiating the attack from within the organization or using their authorized access to launch it;
Pre-existing vulnerabilities: Like a pre-existing medical condition, if there is documented evidence of previously identified network vulnerabilities and the company failed to remediate them, the resulting incident is not covered;
IT infrastructure security improvements: Any costs of improving the security of IT systems, e.g. hardening applications and networks;
Criminal litigation: Claims arising from a grand-jury proceeding or a criminal investigation or action;
Acts of war: Traditional insurance policies do not typically cover property damaged in wartime (the ‘hostile act exclusion’), and the same applies to nation-state sponsored cyberattacks against businesses.
Given that Russia's invasion of Ukraine has triggered the first global cyberwar, and that CISA has advised a heightened security posture for all critical infrastructure sectors, CISOs and security professionals should never assume they are covered; they should review their cyber insurance policies carefully.
Cyber insurance should augment organizational security processes, not replace them. Carriers must analyze each applicant's security posture and insist on a robust one before issuing a policy, using thorough pre-policy questionnaires and employee interviews, evidence of regular employee security training, domain and network scanning, and darknet monitoring and exposure analysis.
Evidence of an applicant's prior breaches, exposed organizational credentials and insider-attack risk can be evaluated using a robust darknet database such as DarkOwl Vision.
Insider Risk Increasing & Not Covered by Cyber Liability Insurance Policies
DarkOwl has observed numerous darknet threat actors actively recruiting disgruntled employees, a.k.a. ‘insiders’, to help carry out attacks and shorten the attack timeline, notably in the ransomware and extortion-as-a-service model of the criminal underground. Banking and financial fraud specialists have advertised for banking insiders, and cybercriminals have offered $500 to $1,000 USD to employees of AT&T and other mobile carriers who can assist with SIM swapping. Some recruitment posts offer payment per swap, others a percentage commission on the value of the resulting fraud.
On Telegram, LAPSUS$ openly recruited insiders for its attacks, calling for employees of telecommunications, software and gaming companies, call centers, and web and server hosting providers. They specifically asked for employees with remote access via VPN, Citrix or AnyDesk.
Figure 1: LAPSUS$ Criminal Gang’s Recruitment of Insiders to provide VPN or Citrix Network Access
Government, healthcare and insurance carriers are also targeted for insider recruitment, as in a recent deep web post captured by DarkOwl (below).
Figure 2: Source DarkOwl Vision
In early July, in an unusual insider-threat example, a HackerOne employee exploited their internal access to bug reports, resubmitting copies of them to collect bounty payments. Fraudulent payments of this kind would not be recoverable under a cyber liability policy unless the policy specifically covered them.
Prior Breaches & Organizational Exposures
In addition to monitoring for mentions of organizational credential data, like email addresses, hashed and cleartext passwords, and authentication data like session tokens and API keys, DarkOwl Vision can also provide indication of prior breaches and leaked data.
Cybercriminals regularly offer to sell or share organizational data on the darknet, and such listings can indicate that a breach has already occurred. In August 2020, a Telegram post indicated that a cybercriminal had obtained significant confidential data from Intel Corporation. The leak allegedly included over 20GB of documents and product roadmaps for multiple Intel technology programs, offered for only $200 USD.
Figure 3: Source DarkOwl Vision
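As an added illustration of the credential-exposure analysis described above (this is example code written for this article, not DarkOwl Vision's own tooling), the following Python takes a constructed combo-list sample, keeps only accounts on the monitored domain, and classifies each leaked secret so a responder knows which records demand an immediate password reset or key rotation and which are hashes that can still be cracked offline. The record format, the regular expressions for each secret type and the severity weights are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in combo-list form (account:secret). These records are
# made up for this example; none of them are real leaked data.
SAMPLE_LEAK = """\
alice@example.com:Summer2022!
bob@example.com:$2b$12$KIXQ1z4q1Oa0H5q9k6f3fu3r7xX6yGf0i1ZbJ7e2Ks1vRk7uQwq8O
carol@example.com:5f4dcc3b5aa765d61d8327deb882cf99
dave@example.com:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkYXZlIn0.abc
svc-deploy@example.com:AKIAIOSFODNN7EXAMPLE
eve@other.org:hunter2
this line has no separator
"""

# Secret formats, tried in order so structured tokens win over generic hex.
# The patterns are the usual shapes of these formats (assumed for the example).
SECRET_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("jwt", re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")),
    ("aws_access_key", re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")),
    ("sha256", re.compile(r"^[0-9a-fA-F]{64}$")),
    ("sha1", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("md5", re.compile(r"^[0-9a-fA-F]{32}$")),
]

# Triage weights (assumed): anything usable as-is is high; unsalted fast hashes
# crack offline quickly, so they still force a reset; bcrypt buys time, not safety.
SEVERITY = {
    "cleartext": "high", "jwt": "high", "aws_access_key": "high",
    "md5": "high", "sha1": "high", "sha256": "medium", "bcrypt": "medium",
}


def classify_secret(secret):
    """Return the kind of secret (hash algorithm or token type) or 'cleartext'."""
    for kind, pattern in SECRET_PATTERNS:
        if pattern.match(secret):
            return kind
    return "cleartext"


def parse_line(line):
    """Split an 'account:secret' line; return None for lines we cannot parse."""
    line = line.strip()
    if not line or ":" not in line:
        return None
    account, secret = line.split(":", 1)
    account, secret = account.strip().lower(), secret.strip()
    if "@" not in account or not secret:
        return None
    return account, secret


def in_domain(account, domain):
    """True if the account's mail domain is `domain` or a subdomain of it."""
    mail_domain = account.rsplit("@", 1)[1]
    domain = domain.lower()
    return mail_domain == domain or mail_domain.endswith("." + domain)


def triage_exposure(text, domain):
    """Keep only records for `domain` and summarise what kind of secret leaked."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        account, secret = parsed
        if not in_domain(account, domain):
            continue
        kind = classify_secret(secret)
        findings.append({"account": account, "kind": kind, "severity": SEVERITY[kind]})
    counts = Counter(f["kind"] for f in findings)
    return {"domain": domain, "findings": findings, "counts": dict(counts)}


if __name__ == "__main__":
    report = triage_exposure(SAMPLE_LEAK, "example.com")
    for f in report["findings"]:
        print(f"{f['severity']:<6} {f['kind']:<15} {f['account']}")
    print("counts:", report["counts"])
```

The domain check deliberately requires an exact match or a true subdomain, so `user@example.com.evil.net` is not mistaken for an internal account; in practice the pattern table would be extended with the token formats the monitored organization actually issues.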
During an attack or immediately afterwards, threat actors often publicly shame the victim and its IT security department for haphazard network security, ‘poor digital hygiene’ and weak protection of private information. We recently captured a threat actor sharing proofs of exfiltrated victim data, apparently from a ransomware attack, while stating that this was not the first time the company had been targeted and its clients' personal data compromised.
The threat actor even alleged they had tried to contact the company to provide recommendations on securing its corporate network.
“No matter if this is a medicine company, even they do not respect professional ethics and doesn’t care about private information regarding clients, employees, medicine tests, hospital cards, drug tests and researches and any other sensitive Data. They have a lot of vulnerabilities and absolutely careless IT service. We are trying to reach them to help resolve issue and provide a recommendations about how to fix such a bugs in the corporate network. Moreover it’s not the first time they have an issue with IT security and get a breach in their network, so it’s obviously that XXX is not able to protect own Data and personal Data of clients, so everyone can be convinced soon when we will provide the access to the files from one of their servers – XXX from central office with about 5,7TB of Data (and this is just a minor part of what we were able to download). We never tell lies when we saying that we have something, unlike XXX security team, which are telling in the internal or public reports that nothing is compromised and all is in safe. As a final try we are publishing here just a little piece of proof just in the hope that someone from CEO will notice and take under control this issues.” – Source, DarkOwl Vision
Attacks Against Insurance Industry Persist
Ransomware gangs show no slowdown in targeting the insurance industry, with several new attacks against independent agents and family-owned insurance-affiliated businesses around the world in recent weeks. REvil's stated intention to harvest information about policyholders and exploit it in future negotiations and targeting is evident in what we observe: proofs and announcements of such attacks are regularly posted by some of the most active and successful ransomware gangs in operation.
Figure 4: Source DarkOwl Vision
Figure 5: Insurance Policies, Cyber Risk Assessments, and Certificates of Insurance Shared From Victim Network – Source DarkOwl Vision
Any entity that interacts with insurance companies is also at risk of a cybersecurity incident or ransomware attack. We have seen ransomware gangs target business processing companies, insurance brokerage networks and underwriting service providers, as well as law firms that support the insurance industry.
DarkOwl recently observed a law firm that represents insurance carriers in disputes with their policyholders shamed on the LockBit ransomware blog. Earlier, the same group shamed the insurance company Risk Strategies, calling out its web domain in another victim's announcement for not paying a larger amount after the attack on that policyholder, another legal services company.
Do not use the insurance company risk-strategies.com it will not help you in case of hacker attack, XXX were insured for 1 million dollars, and the fucking faggot insurance agent was able to offer the maximum amount of 45 thousand dollars, this is fraud in the purest form. A full-service law firm delivering consistent, successful results for more than 100 years. Among the fastest growing law firms in the southeastern United States. Our services are customized because each client’s situation is unique. XXX attorneys focus on meeting your current needs, achieving the best possible results, in a cost-effective manner. – Posted March 2022, Source LockBit Ransomware Blog on Tor
Figure 6: Source DarkOwl Vision
In this piece, we reviewed how cyber liability insurance is not a substitute for solid corporate network security protocols. We reviewed a number of cyber insurance policy exclusions such as war-time, insider threats, and prior breaches, and looked at some examples where the insurance industry itself continues to be targeted by darknet threat actors.
Learn how darknet data available in DarkOwl Vision can help drive better risk decisions in issuing policies and persistent monitoring for on-going security risks to insurance carriers, brokers, and their policy holders. Contact us to learn more.
In honor of National Non-Profit Day, we are excited to highlight two of the non-commercial organizational partners we are extremely proud to support: the National Child Protection Task Force (NCPTF) and the International Justice Mission (IJM). In preparation for this blog, the content team sat down with key members of NCPTF and IJM to get a glimpse into the work they do day to day and how DarkOwl contributes. To maintain their operational security, we have intentionally not disclosed the names of any of the investigators or specialists we spoke with from either organization.
Reports from federal agencies indicate that the volume of children being trafficked and exploited in the United States is a national crisis. According to the FBI's National Crime Information Center (NCIC), there were 337,195 NCIC entries for missing children in 2021. The reporting mechanism for online child exploitation run by the National Center for Missing & Exploited Children (NCMEC) received 29,397,681 reports in 2021, up from 21.7 million in 2020, a growth of roughly 35%. Using their web portal, DarkOwl regularly sends NCMEC the URLs of domains found to contain child sexual abuse material (CSAM) during collection. We have discovered thousands of domains across Tor and ZeroNet actively proliferating such material.
The National Child Protection Task Force, or NCPTF, is a network of law enforcement and technology professionals that provides law enforcement agencies with a rapid-response team and investigative support, resources that are often underfunded or entirely unavailable to those agencies, for cases of human trafficking, child exploitation and missing persons. Their team of child exploitation case specialists is supported by experts including former intelligence officials and military officers, volunteer open-source intelligence (OSINT) researchers, and others.
“While OSINT is our primary method of getting after what we need to from an investigation standpoint, we also have experts, including current and former law enforcement, that provide support from a technology standpoint, with regard to legal processes,” said NCPTF’s Head of Intelligence. They went on to explain that NCPTF investigators rely on tools like DarkOwl to not only close cases by identifying perpetrators, but to also see those criminals put behind bars.
“It takes a very specialized tool or a very skilled researcher to do dark web investigations,” continued the NCPTF team. “We never want to put our people or their systems at risk during these investigations and rely on tools like DarkOwl to safely procure information for us that we can leverage.”
The International Justice Mission, or IJM, protects people in poverty from violence by rescuing victims, bringing criminals to justice, restoring survivors to safety and strength, and helping local law enforcement build a safe future that lasts. Like NCPTF, IJM investigates human trafficking and missing persons cases. The technology incorporated into its Global Fusion Center, an analytics hub based at IJM's global office, helps the team monitor red flags, track a predator's virtual footprint and prevent abuse before it begins. The recent refugee crises out of Afghanistan and Ukraine have resulted in a surge in human trafficking around the globe.
For IJM, DarkOwl Vision is one way to keep researchers safe. It lets the team search the darknet without using Tor Browser directly and gives them access to historical content that can help break a case open. “We have fully integrated the platform into our workflows and it greatly enhances our ability to safely and effectively identify potential lead information,” stated a Criminal Intelligence Specialist from IJM's Global Fusion Center.
NCPTF investigators recalled a case in which the suspect had a known online alias or username. They needed more information about this user, and the other OSINT services they were using produced no leads. After running the same username through the DarkOwl Vision database, investigators uncovered an older username belonging to the person of interest. NCPTF explained, “As we forensic cyber investigators know, threat actors get more advanced over time. So, by identifying the old username, it opened the investigation up for us – which no other tool was able to do.”
This real-world example shows the power of historical darknet data with broad coverage, which no other darknet tool on the commercial market matches.
DarkOwl is proud to partner with NCPTF and IJM and many other non-profit organizations focused on making the world a better place. Hearing these stories and how our work behind the scenes is making a difference, makes the day-to-day tasks so much more worth it. We look forward to continuing this partnership and extend a thank you to all our other NGO partners and all NGOs today that are making a difference. Happy National Non-Profit Day!
More on NCPTF
The National Child Protection Task Force, a registered 501(c)(3), was founded to provide detectives, analysts and officers access to investigative expertise and resources that are unavailable or under-funded in most law enforcement organizations. The members of our Task Force volunteer their time to any agency — small or large, international, or local — on important, time-sensitive cases focusing on human trafficking, child exploitation and missing persons cases.
The International Justice Mission (IJM) is a non-partisan, non-governmental, 501(c)(3) organization. They operate with governmental approval and acknowledgment and depend on the partnership of local government and NGO partners. International Justice Mission is a global organization that protects people in poverty from violence. IJM partners with local authorities in 24 program offices in 14 countries to combat trafficking and slavery, violence against women and children, and police abuse of power.
In our previous post, Policing the Darknet: Leading Cybercrime Agencies Go Dark, we took a high-level look at some of the most active law enforcement and intelligence agencies across the globe who police the darknet through targeted cyber operations.
Now, we’re taking a look at which key darknet-related cases these agencies have participated in throughout the years. It is important to note that many other organizations – such as local and regional task forces – have been key to supporting the investigative and tactical efforts in most of these operations. In fact, the coordination between these groups, which often occurs on a global scale, has proven to be key to successfully policing the darknet.
Timeline: Key Darknet Cyber Policing Operations
In recent years, there have been several elaborate ‘operations’ carried out by multi-agency international task forces, resulting in the ‘take-downs’ and seizures of prominent darknet marketplaces, forums, and criminal enterprises. Many of the operations shift the landscape, with hundreds of domains knocked offline. Others have sparked a community-wide state of panic where key threat actors go quiet or shift into even more shadowy corners of the dark web. This timeline reviews some of the key operations with the most significant impact.
As the darknet continues to be a haven for criminal activity, the importance of these intelligence and policing efforts remain critical. Many agencies conduct their investigative efforts by relying on tools such as DarkOwl Vision to search and monitor the darknet for evidence to build their cases, without having to access the darknet directly.
In recent months, DarkOwl analysts discovered multiple escrow-enabled decentralized marketplaces on the dark web that claim to be affiliated with the Sinaloa Cartel.
One such marketplace, called “Cartel de Sinaloa,” is reportedly directly associated with the Sinaloa Cartel and Los Chapitos. The marketplace uses the same logo, a red and black skull with “Cartel de Sinaloa” written underneath it, as the avatar of a Facebook group page operating under the same name. Another marketplace calling itself “The Sinaloa Cartel Marketplace” focuses on hitman-for-hire services. Both services require authentication: visitors must create a username and password to see anything past the login screen, which also keeps out bots and crawlers.
On closer examination of these alleged cartel-tied darknet operations, our analysts found Tor services for numerous other criminal cartels in addition to the Sinaloa Cartel, including Los Urabenos from Colombia, Cártel de Jalisco Nueva Generación, Cartel Darknet Shop, Gulf Cartel Texas, and an unspecified cartel market simply titled “DW drugs cartel.” We also found several darknet drug vendor services, such as Ausline, that advertise possible associations with prominent cartels.
Cartel Marketplaces
Here are some of the noteworthy dark web marketplaces that either claim to be or appear to be (based on our analysis) associated with cartels.
Cartel de Sinaloa (C.D.S. Market)
The C.D.S. Market is hosted on Tor and offers market escrow with a finalize early (FE) option. It lists the following goods and services categories: Barbiturates, Software & Malware, Hire Services, Prescription, Opioid Antagonists, Money Laundering, Human Trafficking, Dissociatives, Weapons, Steroids, Counterfeit, Human Organs, Benzodiazepine, Stimulants, Ecstasy, Fraud, Drug Paraphernalia, Research Chemicals, Weight Loss, and more. Many of these categories appear on traditional darknet marketplaces, but this market also offers human organs and services for hire. Despite these categories, and although the Cartel de Sinaloa market has been active for months, there are zero product listings offered or advertised for sale under any of them. This suggests the marketplace could be a front for other criminal activity or a law-enforcement honeypot.
The discovery of this marketplace prompted further investigation into similar “cartel-centric” documents in DarkOwl Vision, where we discovered an additional marketplace advertised on Tor as being associated with the Sinaloa Cartel on the darknet.
Figure 1: Login Landing Page for Cartel de Sinaloa Marketplace on Tor
Figure 2: Cartel de Sinaloa Marketplace (post-authentication) on Tor
The second site, The Sinaloa Cartel Marketplace, advertises a variety of products including drugs and hitmen for hire. However, the only option under “shop” is to submit a job request with options such as “shot and get away,” “stabbing,” “kidnapping,” “accidental murder” and more. The most expensive service offered is a sniper job, at $10,000. Prices on the form are listed in USD and payment is accepted in Bitcoin.
Figure 3: Job Request Form Fill with Prices Listed per Job Type for the Sinaloa Cartel Marketplace on Tor
After a quick reverse image search across open-sources, we found the same image from the Sinaloa Cartel Marketplace on Tor is also listed with an offer to purchase the “El Chapo” t-shirt on a surface web e-commerce site specializing in anarchist screen printed clothing, called Rancid Nation.
Figure 4: Sinaloa Cartel Marketplace on Tor
Cartel Gulf Texas
Another darknet market with an alleged, indirect Sinaloa Cartel affiliation is “Gulf Cartel Texas,” which claims to ship drugs worldwide via the US Postal Service (USPS) from Laredo, Texas. There have been ongoing reports of cartel violence in Laredo since the March 2022 arrest of Cartel del Noreste leader Juan Gerardo Trevino-Chavez (a.k.a. “El Huevo,” The Egg), 39, of Laredo, Texas.
The Gulf Cartel Texas Tor service has been online since 2020. Its design is less sophisticated than the other services we discovered using our Vision UI product, but it advertises various drugs in bulk, including, coincidentally, “very high quality heroin from the mountains straight from the Sinaloa cartel.” The site, subtitled “Straight from the Border,” includes a disclaimer reading: “warning scammers are active posing us we will never email or threaten you in bad english.”
The site does not appear to have been recently maintained and includes proof pictures of the products dated 2020.
Figure 5: Gulf Cartel Texas Landing Page on Tor
Los Urabenos
The Los Urabenos Cartel, a powerful criminal and neo-paramilitary group from Colombia, offers its services for hire on Tor and specializes in selling high-purity cocaine through its marketplace. The landing page has a volcano in the background, and the site is designed to be user-friendly, with traditional navigation links such as “home”, “about us”, “services” and “contact us.” The market offers a handful of products for sale with tagged photos, including Fishscale Colombian cocaine 90%+ and Dutch MDMA champagne crystals 84%, and states that it traded on Darkfox and DarkMarket before those decentralized marketplaces were seized. It has very strict rules for orders, including no direct or in-person meet-ups, and advertises more than 750 completed orders with 400 clients.
Figure 6: Landing Page for Los Urabenos Cartel Marketplace
Figure 7: Rules for Transacting with Los Urabenos Cartel
The contact information for the Los Urabenos marketplace references an encrypted chat application account for CDG cartel, which likely refers to the cartel’s more recent designation, Clan del Golfo (Gulf Cartel).
According to open-sources, nearly 200 members of the CDG cartel were arrested by international police and government forces in a multi-national law enforcement operation in 2021 including their leader, Dairo Antonio Úsuga (a.k.a. “Otoniel”).
Cártel de Jalisco Nueva Generación (CJNG)
Another darknet service we found is allegedly associated with the Mexico-based Cártel de Jalisco Nueva Generación (CJNG) and describes itself as the “most trusted bulk cocaine seller in the world,” with anonymous dead drops via sea and air cargo. The vendor advertises thousands of sales since Empire Market and accepts payment in Bitcoin. The site also claims: “A portion of all sales to go non-profits and organizations that support online freedom.” CJNG is believed to be one of the largest fentanyl suppliers to the US and, as recently as late June, posted videos to social media showing over 60 militarized cartel members flexing a wide array of protective gear, weapons and vehicles at their disposal for continuous operations.
Figure 8: Landing Page for CJNG Tor Site
The products offered on the CJNG marketplace include a limited selection of drugs such as cocaine, marijuana, and amphetamine crystal shards. The News section for the site is not up to date, with the last post shared in March 2020; the site administrator included Wickr and Jabber encrypted chat accounts and secure email address (with PGP key) for direct messaging and purchase. Some images of their products, such as bricks of cocaine, included an insignia carved into the top.
Figure 9: CJNG Market emphasizes their support of privacy and digital freedom
Figure 10: Product offerings from CJNG Market
Ausline
Earlier this year, Ausline, another prominent darknet drug vendor, established its own vendor shop offering drugs for purchase and shipment in Australia and New Zealand. They specialize in bulk deals and advertise that their products are procured directly from producers in Afghanistan, Colombia and the Netherlands. Their bulk Fishscale Colombian Cocaine Flakes 90% is allegedly sourced from the “Scorpion cartel.”
Figure 11: Source DarkOwl Vision
There is little to no open-source information about any “Scorpion” cartel in Colombia. Internationally, news articles mention a Red Scorpion Gang in Canada and a group known simply as the Scorpion Gang in Haiti. In Mexico, a group called the Escorpiones (Scorpions) was founded after the split between two CDG leaders; they served as the guards of Antonio Ezequiel Cárdenas Guillén and were last reported to be allied with the Cyclones faction after his death.
Henry Loaiza Ceballos (a.k.a. “El Alacrán,” The Scorpion) was a well-known Colombian drug trafficker and member of the Cali Cartel in the early 1990s. He was recaptured in 2019 and remains highly regarded across many LATAM drug cartels. Intriguingly, a black scorpion symbol is believed to be the “calling card” of the Sinaloa Cartel, as pictured in a 2019 social media post by John McAfee.
Figure 12: Image of 2,000 pounds of Cocaine with the Sinaloa Cartel “brand”
Cartel Darknet Shop
The Cartel Darknet Shop is user-friendly, resembling any standard e-commerce site on the surface web. There are options displayed at the bottom of pages, like Amazon, with suggestions for other products customers might “also like.” Still, the products offered appear to either be professionally photographed or taken from stock images from the internet. Many of the product’s prices, such as the CBD oil, are higher than what the same products sell for legally. The site does not indicate or state any direct association with a drug cartel.
Figure 13: CBD Oil offered for sale on Cartel Darknet Shop
Regionally-Based Advertisement of Products
During earlier marketplace research we observed that regions known for drug exports, such as Colombia, Peru, Bolivia and Mexico, are often named in darknet product listings to vouch for the quality or purity of the product and to legitimize the vendor. Such geographical indicators can suggest an association between the products offered and a particular cartel, as with the Sinaloa region and the Sinaloa Cartel, famous for high-quality cocaine. Regions famous for their drug trade also appear in product titles and descriptions, e.g. “Sinaloa Kush.”
It is unsurprising that the most commonly advertised region is Sinaloa, since it is both the home of and the namesake for one of the strongest drug cartels in Mexico at present.
Figure 14: Source DarkOwl Vision
Are Darknet Cartel Markets Scams?
Several of the “Sinaloa-adjacent” darknet marketplaces on Tor featured hitman-for-hire services alongside drugs. Hitman services on the darknet are not a new phenomenon. Most “hitman-for-hire” services, especially those attached to prominent criminal groups and mafias, have turned out to be elaborate scams designed to take victims' money without ever carrying out a murder. There are a few reports of “kill list” targets ending up dead, but no confirmation that any murder was carried out through a darknet site, and such a link is effectively impossible to trace. Most darknet chatter is dismissive of any violence-centric or hitman-style services advertised.
“99.999999999999999999999999999999999% of all the ‘contract killers’ you see on here are one of two things A. Feds or B. Scammers.” – Darknet post dismissing any hitman services as law enforcement or scammers
Given that attribution on the darknet is difficult, the cartel sites listed above could very easily be scams. There is a history of such hitman-for-hire site turning out to be scams or well-placed honey pots by law enforcement. However, it is likely that organized drug cartels would be one of the few criminal groups capable of offering real hitmen services. Given the extreme and often gruesome violence many of the cartels are known for, the hitmen services advertised could be very real, if they really are the organizations behind the darknet sites as advertised.
We did not perform an in-depth analysis of the extent prominent drug cartels are active as vendors on traditional decentralized marketplaces like AlphaBay. The Los Urabenos Cartel’s affiliated site claims they previously traded on Empire, Darkfox and DarkMarket prior to the decentralized marketplaces’ seizure or exit scams. According to open-sources, DarkMarket was taken down by international law enforcement agencies. Empire went offline due to unknown circumstances. DarkFox was feared at to be exit scamming but has since returned and is active again.
The emergence of dedicated separate marketplaces linked to cartels could point to a broader trend of vendors moving away from traditional drug-focused decentralized marketplaces. After over two years of watching cartels on the darknet we have found fewer marketplaces advertise drugs by their origin/regional name and there are generally fewer marketplaces that sell large quantities of drugs, typically for resale in the case of cartel-based drug distributors. Vendors known for selling drugs on darknet marketplaces in large quantities could have decided that it is not worth the risk given the extent markets are targeted by law enforcement.
For example, in 2019 we identified UKWhite, a well-established darknet drug vendor who sold drugs in high volume across multiple marketplaces and was likely affiliated with cartels. UKWhite was arrested in October 2021 in Barcelona, Spain, and is facing and contesting extradition to the US.
Another drug vendor we observed in 2019 who is still active now engages almost exclusively in ‘direct dealing’ as a seller. Such sellers advertise themselves on discussion forums and appear only sparingly on marketplaces, using them solely to establish alternative secure communication methods with buyers.
Regardless of whether cartel-affiliated marketplaces and vendor shops like the ones discussed in this research are merely scams or elaborate law enforcement operations, we anticipate that cartel-affiliated marketplaces and vendor shops will persist on the darknet, alongside a darknet-wide trend of vendors transacting with their buyers and drug network distributors via one-to-one communication and/or encrypted chat platforms for enhanced security and privacy.
On the 24th of February, after months of failed diplomacy, war broke out between Ukraine and Russia. While the war was being fought in the physical realm, Ukraine’s Ministry of Digital Transformation turned to the digital realm for assistance. Within days of the invasion, a call went out across underground forums and chatrooms, and hundreds of thousands of hacktivist volunteers answered.
Ukraine’s call for help sparked the first global cyberwar, the first in history to be waged between two countries simultaneously with a land war. This webinar looks at what we have learned from the cyberwar to date.
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Kathy: Hi, everyone. Thank you for joining today’s webinar, “What a Real Cyberwar Looks Like.” My name is Kathy. Dustin and I will be your hosts for today’s webinar…. and now I’d like to turn it over to our speaker for today, Mark Turnage, our CEO here at DarkOwl, to introduce himself and begin.
Mark: Thank you very much… it’s a lot more fun for me as a presenter to answer questions as we go along, and so I would very much love it if you have questions, put them in the chat and Kathy or Dustin will interrupt me and we can have a conversation instead of a one way webinar.
We at DarkOwl have covered the Ukraine-Russia conflict extensively since it began in February, and even a little bit before that. Many of you may have seen our posts and our blog covering the war. We thought it would be useful to circle back and give an update and some of our observations on the impact of the war on cyberwarfare theory and practice.
There are just four areas of this webinar that I want to cover today. One is I want to talk a little bit about what the competing theories of cyberwarfare are, because those competing theories inform some of our observations on how the actual war, which is the first war between two nation-states, first extended cyberwar between two nation-states, has unfolded. And then I want to talk about some of the impacts on the internet and on the concept of modern warfare. And then we’ll make some concluding remarks. So, roughly, the slides that I’m going to walk through and hopefully the conversation we’re going to have follows this agenda.
One of the problems with cyberwarfare in general is that it suffers from pretty significant definitional ambiguity, by which I mean, if you talk to people, people have very different views on what cyberwarfare actually is, and if you look at these three overlapping circles, the top being physical disruption, the lower left being misinformation and disinformation, and the lower right being sort of communications disruption and espionage, cyberwarfare actually touches on all three of those.
And so somewhere in the overlap between those three circles are the various definitions of cyberwarfare. And perhaps the best definition that I personally like is the one on the lower left in a cyber school called the Revolutionist: actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption. Pretty straightforward. It speaks to a variety of degrees. It speaks to each of those three circles. But again, the point here is that there is no one definition of cyberwarfare. We can’t talk about cyberwarfare without understanding some of the complexities and some of the significant differences between cyberwarfare and physical warfare. And so, I want to spend a little bit of time on this slide because I think it’s fairly important as we talk about how the cyberwar between Russia and the Ukraine has unfolded.
One of the key differences between cyber and physical warfare is that geographical proximity is not necessarily required to launch and maintain an attack. Hypothetically, two countries on opposite sides of the globe could fight a cyberwar between the two of them and it could be quite a fierce war with significant collateral damage, and they wouldn’t be anywhere near each other. Another key difference is that the weapons that are used in cyberwarfare are largely one and done. Once you mount an attack on an electrical grid and it’s understood by the opponent how you’ve mounted that attack, they can patch that vulnerability or they can close that door that you walked through and you will not be able to walk through it again.
And so, one of the key differences here is that you can only use those weapons one time, and that actually has an impact on how this particular war has been waged. One of the benefits of a cyberwar is that you can more precisely target cyber weapons. Anyone who’s followed the news can see that when either party shells the other side, oftentimes civilians are killed because they’re in the neighborhood or they’re in the physical proximity of military weapons, and there has been significant loss of life in this warfare. Cyber weapons have the ability to be more precisely targeted. It does not mean that there won’t be a civilian loss of life.
We’re going to talk about some explosions that have occurred in Russian oil and gas facilities that have in fact caused civilian loss of life. But the theory here, and it would appear to be borne out by reality, is that civilian loss of life is nowhere near as much as in a physical war. A fourth key difference is that attribution of who did it is a major problem and it has really severe implications for escalation. If you don’t know who it is that has attacked your electrical grid or taken your internet offline and you can’t actually be certain of it, a potential retaliation against your enemy or against the enemy you’re fighting at the time might have an escalatory implication that isn’t deserved. So attribution in non-cyberwar times is difficult… in cyberwar that is even more complex because it has this escalatory component to it.
Private actors can cloud the attribution question. And the question is, if a private actor jumps on board, for example, on behalf of the Ukraine and attacks Russia or targets in Russia, are they acting on behalf of the Ukrainian government or are they acting as private actors who may be just hostile to Russia, and vice versa? Same thing for the Russian side. And that really clouds the question of who’s in control of this particular part of the war. So those first five bullet points, I think, are critical components to be considered in any evaluation of what cyberwar looks like and how it could be waged in the future.
There are a couple of other points I want to make which are quite interesting in the context of thinking about a cyberwar between two countries. Several years back we estimated that a nation-state could attain superpower status for less than the cost of an F-16 jet on an annual basis, considerably less than the cost of an F-16. So, the cost of entry to become a cyber superpower in today’s world is orders of magnitude lower than other types of military expenditures. And we’ll come onto a slide here that talks about who the superpowers are, but there are countries that punch well above their weight because they’ve made that investment in becoming either a superpower or near superpower.
One odd inversion of the international order is that the more technologically advanced a country is, the more susceptible it is to a cyberattack. It goes without saying that North Korea, which is not heavily industrialized, not heavily complex from a technological perspective, and oddly is aspiring to cyber superpower status, is probably one of the least susceptible countries in the world to a cyberattack because it’s not connected. The grids are not connected. The level of complexity through the society is very low. On the other hand, both Russia and the United States and the Ukraine are heavily connected societies and are very susceptible to cyberattacks. The point I want to make is that there are some very significant differences between how cyberwar is waged and can be waged, and what the implications of that are, and how physical warfare is waged.
I started off by talking about how there are many definitional ambiguities in cyberwar. This is how the popular press thinks about cyberwarfare. If you listen to CNN or Fox News or any of the cable TV stations, this largely captures how people think about a cyberwar; “With a nation in the dark, shivering in the cold, unable to get food at the market or cash at the ATM, with parts of our military suddenly impotent and the original flashpoint that started it all going badly, what will the Commander in Chief do?” (Clarke and Knake, 2012). That is the popular theory of cyberwar that once a cyberwar is launched, people will go back to the Stone Age. And that theory still permeates popular culture.
I want to just talk briefly about some of the competing academic theories of cyberwarfare.
Both of these boxes, the top and the bottom basically parallel each other, and they move from left to right. So on the left of each of the two boxes, the top is sort of a state of the art in 2013, the bottom is state of the art in 2021, and they basically parallel each other on the left. The revolutionists or the alarmists believe that cyberwarfare can change how we fight wars in general. They think it is a fundamental step change in how wars will be fought today and in the future. In the middle are the skeptics or the traditionalists who think it could be significant, but don’t think it will change how international order operates. And on the right, the environmentalists or the realists don’t really believe that it’s going to have a significant effect.
The problem with the competing academic theories of cyberwarfare is that none of these theories, at the time that they were formulated and articles were written about them, could reference a real, sustained cyberwar between two nation-states. These were theories, and they were based on the few historical antecedents prior to 2022. And in each of these historical antecedents… Estonia suffered a sustained multi-month attack by Russia in 2007; during a quick two-month war in 2008 between Georgia and Russia, a cyberwar raged primarily from Russia to Georgia. China from 2009 onwards had a very significant global espionage effort underway. Iran, 2010, where the United States and Israel attacked the nuclear centrifuge facility in Frodos with the Stuxnet virus. In 2014, the North Koreans attacked Sony. In 2012, Saudi Arabia’s Aramco was attacked by Iran.
I would define all of these as largely skirmishes. Now, they were relatively limited. In effect, they were not sustained over a long period of time. But there was clear attribution to nation-state actors in each of the cases. The parties involved or the aggressor involved was a nation-state, and attribution was very clear. And in the Ukraine, from 2014 through 2021, simultaneous with the armed conflict in the eastern side of the Ukraine, there were what I would call cyber skirmishes between Russia and the Ukraine. But in none of these cases did we see a sustained cyber hostility between two nation-states for longer than a couple of months. So the theories that I referenced on the prior slide had only these as the antecedents leading up to the current conflict between Russia and the Ukraine.
Dustin: I’m going to interrupt you there. We’ve had a couple of questions come in. The first one is: “Were all of these state to state attacks?”
Mark: Not all of these were state to state. In the case of the North Korean attack on Sony, that was a state on a private entity in the United States, it’s on the slide because we were able to make attribution to the aggressor, in this case North Korea being a nation-state. There are other examples. For example, it’s widely believed that the Russians hacked the International Anti-Doping Association and doxed a number of athletes in retaliation for Russian athletes. This is in the lead up to the Rio de Janeiro Olympic Games. That’s in response to Russian athletes being barred from representing Russia as a state in the Olympic Games. So that was another example of an attack on a private entity. But in all these other cases, these were state to state conflicts.
Dustin: “What impact did the CIA and NSA leaks of tools have on this?”
Mark: We at DarkOwl have written extensively about this. As recently as three or four years ago, we published a paper on nation-state warfare in the darknet. Just by way of background, both the CIA and the NSA in the last four or five years have suffered significant leaks of their offensive weapons into the darknet and into the public. And our theory in looking at those leaks was that the widespread availability of the tools, which were among the best tools that the NSA and the CIA had, leveled the field in many respects between nation-states, because a relatively small nation-state could go pick up those weapons and start to wage warfare against other countries, and it didn’t necessarily elevate them to cyber superpower status. But it did have an effect. We don’t know whether any of these particular cyber skirmishes or cyberwars that took place or battles that took place used those weapons. I think both the CIA and the NSA leaks took place after 2015. So only really the Russia-Ukraine war will probably have seen the use of any of those weapons, if at all.
I wanted to throw this up because I talked about it just in the lead up to our discussion, but the Belfer Center at the Harvard Kennedy School came up with a Cyber Power Index algorithm, which is at the bottom of the page there, and they rank the top five global cyber powers as the US, China, UK, Russia and the Netherlands.
And perhaps there’s no surprise in that listing. The Netherlands is relatively small but a highly sophisticated country, and they have made cybersecurity a significant part of their defense structure. I note here honorable mentions, and I’ve talked about them before. North Korea, perhaps one of the lesser developed countries in Asia, is certainly a near cyber superpower; Israel; and a lot has been written about Iran. None of them are particularly large countries. I think Iran’s population is verging on 60 million and is probably the largest, but the fact that they are able to achieve near superpower status is an indication that this is an area that they have significantly focused on.
So let’s talk about the Ukraine-Russia war and some of the observations that we have seen in the lead up to the Ukraine invasion in February, and by invasion I mean the invasion of Russian troops, physical troops, into Ukraine. We saw a significant amount of cyberattacks actually going back into the fall, but in mid-January there were significant cyberattacks against Ukrainian government services, government web-based services. There were a number of false flag operations attempting to implicate Poland in those attacks, which was interesting, and we started to see wiper malware deployed in a variety of these attacks. There were widespread leaks of Ukrainian citizen data, there were a number of DDoS attacks that were mounted across Ukraine, and there were a number of attacks on the Ukrainian financial sector.
Perhaps the most interesting thing in the lead up to the actual invasion was that there were six strains of wiper malware that were deployed, and what we saw was a transition from traditional sources of attacks to wiper malware in the final weeks before the campaign. Again, many of these tried to implicate Poland as the source of the attacks, but in reality Microsoft has done a pretty robust study and identified six unique strains of wiper malware that were used.
Wiper malware goes onto a computer and wipes it; you don’t have any retrieval capability for the data that is kept on it. There was clearly a significant amount of cyberattacks that were waged in the months leading up to the actual war. We saw on the 24th of February the physical war started; Russia entered Ukraine from the north, the south and the east and launched missiles at targets in the first 36 hours.
We’re now roughly six months out from the launch of that war so we’re now at a point where we can make some observations about what we have seen and start to make some hypotheses about how this war has been waged. A lot has been written about this but one of the most interesting and unanticipated things that we’ve seen in this war is that literally on day one the Ukrainian government requested help from the activists, the international activist community.
They formed the IT Army of the Ukraine on Telegram and put out a call for activists around the world to join them in attacking Russia from a cyber perspective. And the last time I checked, there were 300,000 or 400,000 followers on the IT Army of the Ukraine. By the way, that channel on Telegram is still very active on a daily and weekly basis. It provides targeting information to the activist community. As recently as yesterday, we saw new targeting information go up, targeting, I believe, Russian financial targets in Russia. So what the Ukrainians were able to do, which I don’t think anyone anticipated, was suddenly galvanize an army of probably tens of thousands of activists around the world to start to attack Russian targets. And against the backdrop of a Ukrainian uniformed cyber force of probably hundreds or low single-digit thousands, suddenly there were tens of thousands of people fighting on behalf of the Ukraine.
Day three of the war, Anonymous launched a campaign to attack Russia and Belarus. And actually, Anonymous has since been joined by a number of other private actors who have stood up efforts to join the attacks on Russia. And by day five, we started to see a significant amount of data leak into the darknet from Russian targets, both civilian and military targets. In this case, we saw a leak of 60,000 government email addresses. There were immediately attacks on critical infrastructure suppliers: Gazprom, Foreigner, Gas, Mash Oil. A lot of them were hacked. In the first days of the war, it was very difficult as a Russian to get access to any government website and to get access to your bank. We saw attacks on Russian state TV and military communication leaks. We then started to see leaks of private information of Russian soldiers who were fighting on the Ukrainian battlefield, and they were doxed. And as I mentioned earlier, financial institutions were targeted. We continue to see daily DDoS campaigns. We’ve spoken to a couple of commercial entities in eastern Europe who are effectively offline from a commercial perspective because they’ve turned over their entire network to DDoSing Russian targets. So, you get a sense that overnight, and this was unanticipated, the Ukrainians were successful at galvanizing the international activist community to fight on their behalf, and their offensive cyber capabilities increased by orders of magnitude.
Anonymous messages to Russia
Quickly talking about some of the creative attack methods that were used, GhostSec carried out a printer hack. It turns out that Russian government printers are networked, and within a few weeks of the beginning of the war, GhostSec hacked that printer network and started spewing out propaganda on behalf of the Ukrainians inside Russian government facilities. Streetlight control systems were hacked. There were a variety of hacks of messaging systems used widely in Russia. We saw electric vehicle charging stations hacked. We saw, both at the military and the civilian level, short band radio interception and direct trolling. And it turned out that the Russian military was using short band radio in the early stages of the war, and it didn’t take very long for that to be hacked as well. As I mentioned earlier, ATMs were hacked, radio and television channels were hacked. Flights were disrupted, food deliveries were dusted. So these were disruptions that occurred at the civilian level and at the military level in Russia in the early days of the war, but they were largely addressed by the Russians within hours.
And by the way, on the opposite side, the same thing happened in the Ukraine. There were Russian attacks on Ukrainian ISPs, banks, and government websites as well. But these don’t rise to the level of that definition that I gave you earlier in the webinar, which is that Russia didn’t go dark and cold and stay that way.
Dustin: “Is the IT Army of Ukraine still active?”
Mark: Yes, it is. And I think I mentioned we actually monitor it on a daily basis; it’s found in the darknet database. Yesterday, when I looked at it, I believe they were putting out targeting information for Russian financial targets. They’re still very active.
Dustin: “What are the long term implications of the IT Army for future cyberwarfare?”
Mark: Oh, that’s a great question. So the Director of the FBI has testified in front of Congress that the implications of something like the IT Army for future cyberwarfare are unknown, but they’re not positive. I think the words he used in his testimony were that if you green-light 50,000 civilians around the world to attack another nation-state, it’s well within possibility that they could also attack the United States at some future date. And I think that in a lot of the cyberwarfare planning that must have occurred at the federal government, at the military level in the United States, we may have anticipated five or ten or 20,000 Chinese or Russian soldiers, cyber warriors, attacking us. Once you start to increase that number by orders of magnitude, it changes the equation. So the long term implications are probably alarming and are poorly understood. But clearly, it’s a major issue for any country, by the way, not just the United States; any country that could face the wrath of people who have successfully attacked a nation-state in the past and know that they have the tools to do that.
Dustin: “Obviously, Russia must be monitoring these channels. Are some of these meant as deception or distraction efforts, while more specialized secret targets are addressed by specialized, more capable actors to take advantage of the chaos?”
Mark: Yes and yes. Clearly, Russia’s monitoring these channels, and my guess is, as soon as they see a bank and an IP range targeted, they’re trying to take whatever precautions they can. I don’t think it could be a deception effort by the Ukrainians to distract them from targets that are elsewhere. The reality, though, is that, especially in the context of a DDoS attack, the number of people participating matters. So even if they are deception efforts, they’re working. The actual attacks are working from what we can see. But that’s a great question as well. And I have no doubt, by the way, that the Ukrainians are not publicizing all of the attacks or all of the targets that they’re targeting.
These are some screenshots of some of the hacks of the electrical systems.
On the left is the EV electric vehicle charging station, where the actual screen read obscenities about Putin. On the right are hacked ATMs. You’ll see the Ukrainian flag coming across the ATM on the right. One of the really concerning things, obviously, about cyberwarfare in general is the potential to attack critical infrastructure. And we have seen that in this war. We’ve seen a number of vulnerabilities exploited; water and electricity facilities have been targeted. We haven’t seen a large scale shutdown of water and electrical facilities. They’ve been fairly narrowly time delimited. We have seen attacks on oil and gas refinement and distribution centers, particularly near the Russia Ukraine border, and there have been a number of explosions. We don’t have direct attribution that those were caused by cyberattacks. We suspect they were. And in some of those cases, there were civilian casualties. Those have been perhaps the highest profile critical infrastructure attacks that we suspect were carried out by cyber warriors. We’ve seen satellites targeted. By the way, not only have the Russian satellites been targeted, but the Russians also targeted European satellites in the early stages of the war. We saw the Joint Institute for Nuclear Research shut down for a number of days as a result of a DDoS attack. And then we’ve seen ISPs and other telecommunications providers. So again, we’ve seen these attacks occur.
We have seen some consequences, we suspect, from these attacks. What we have not seen is a sustained shutdown of any of these facilities as a result of these attacks. One of the real surprises for us was the ability of the Ukrainians to galvanize the international activist community, with unknown implications for the future of cyberwarfare. Another interesting and unanticipated consequence of this war has been that the criminals have fallen out with each other.
Now, in the lead up to the war, we long suspected that many of the ransomware gangs and some of the other bad actors on the darknet were a combination of Russians and Ukrainians working together. And what we have seen since the beginning of the war is a very clear fallout between the Russians and the Ukrainians in the darknet; some of these gangs have split apart. Some of these gangs have clashed with each other. Where gangs had both Ukrainians and Russians in the gang, they split apart. Each side is leaking secrets into the darknet about the other side. And we’ve seen an unprecedented amount of data leaked into the darknet about the ransomware gangs, about their tactics, about the tools that they were using and how they were actually going about what they were doing. I mean, it’s been a treasure trove of information for us and for the industry. To give people a sense of how much data has been leaked into the darknet: both this type of data as well as just leaks as a result of attacks.
DarkOwl has been in existence just under five years. We’ve been collecting data continuously during that time. Since February of this year, the net size of our database (and we archive all that data) has increased by 20% in six months because so much data has been spilled out into the darknet. Some of these names may not mean anything to you, but these are among the major ransomware gangs leading up to the onset of the war. And what we have seen is that they have stayed split. They are still battling with each other. They’re still spilling each other’s secrets into the darknet.
Dustin: “Have any of these attacks resulted in any significant physical damage?”
Mark: The only ones that we’re aware of, and we suspect because we can’t make direct attribution to a specific attack, are some of the explosions that have occurred in oil and gas distribution and refining facilities near the Ukraine Russia border. There doesn’t appear to be a physical reason for those explosions, which leaves cyber. And the Ukrainians, I think, in one or two cases, have taken credit for those explosions and credited their cyberattacks for that as well.
Dustin: “What is your assessment around why we have not seen sustained attacks against critical infrastructure?”
Mark: I’ll come on to that in the next couple of slides. Many of you will know that Belarus was used as a staging ground for the invasion of Ukraine from the north. In other words, Russian troops were in Belarus and moved from Belarus into the Ukraine, which then caused Belarus to become a target for the Ukrainians. And there were a number of attacks as well into the Ukraine. It was difficult, if not impossible, to buy a train ticket, and it severely disrupted the train system in Belarus in the early weeks of the war because such a successful cyberattack occurred. There were a number of attacks against banks, transportation, legal, military contractors. We saw a massive leak of data coming from the largest defense contractor in Belarus. And again, in the world of criminal gangs fighting criminal gangs, GhostSec attacked a group called GhostRider who were aligned with the Russians. And GhostRider has remarkably retaliated with a really sophisticated phishing campaign. Their phishing campaign has targeted civilians in combat zones in the Ukraine with emails that come from Ukrainian government email addresses asking them to leave the area they’re in because of the war that’s being waged around them, and congregate in areas that have subsequently been hit by shelling. That’s about as sophisticated a phishing campaign as you can imagine. You’re geolocating the recipients, you’re sending them very official looking Ukrainian government emails. You’re sending them those emails at a time when they are hearing shelling or experiencing shelling in their neighborhood, and you’re moving them to areas that are more vulnerable. So that’s where the overlap occurs, between warfare that may or may not affect civilians and warfare that very directly affects civilians. And it’s incredibly sophisticated what we’re seeing in terms of that unfolding.
And I’m going to come on to the question of why we’re not seeing more Russian attacks on critical infrastructure impact the US and western countries and companies in the region. So obviously Russia, the Ukraine, and Belarus are pretty well offline for any normal commercial activity and pretty well likely to be so for the indefinite future. We’ve seen that subsidiary and vendor risk in those countries, and in the region more broadly in eastern Europe, has become extraordinarily high. And we have seen this among our own client base. We have seen vendors and contractors and subsidiaries of our own clients and their clients directly attacked, directly targeted, and in some cases compromised as a result of this cyberwar. So from an American or a western commercial perspective, you absolutely need to pay attention to any exposure that your organization may have in the region.
And let’s be clear, both Ukraine, Belarus, and Russia were all sources of relatively low cost and relatively sophisticated coding and computer science capabilities. And Ukraine in particular had tens of thousands of employees in Silicon Valley and western companies coding and working for them. Some of you may remember that in the early stages of the war, there was a terrible incident where a woman was taking her children and her husband to safety and was killed in a shelling in the street. She was the Marketing Director for a Silicon Valley company living in eastern Ukraine. That’s how close to the vein it is, particularly for the American tech sector. We did see critical infrastructure, as I’ve discussed, severely impaired. And our advice to companies that have any exposure in this region is to make an assessment and be extraordinarily cautious about how you move forward in the region.
This is the part of the answer to the question about attacks on critical systems. So, we have seen Russian attacks on western and Ukrainian critical infrastructure. The Russian attacks on Ukrainian critical infrastructure have largely received less publicity than the actual physical damage done by the war, which is occurring right there. So there hasn’t been a lot of publicity. I think there was some publicity about the fact that the main Ukrainian ISP was taken offline for a number of days by a Russian attack. It was subsequently restored. None of the power grids have gone off for more than a day. So I think those attacks have occurred. We have actually seen attacks on Western targets. The German wind turbine systems were knocked offline, there was a European satellite network that was targeted, we believe, by the Russians, Romanian gas stations were knocked offline. We’ve seen a fair level of increase in Chinese activity supporting Russia in this effort, which was a little bit of a surprise for us. And the FBI has already released indictments against Russian sponsored attacks on nuclear water facilities. We think in many respects, this is not the fullness of what Russia could do.
The retaliation by Russia against US and NATO or US and Western targets has been surprisingly ineffective. And our hypothesis is that there are a number of reasons for that. One is after Estonia and after the battles that we saw in the lead up to this war over the last decade, there have been billions of dollars invested in defensive cyber operations, and that has paid off well in this war. We also think the Russians are largely distracted by the attacks that are taking place against the targets in Russia and they’re preoccupying the cyber warriors. If you’re a Russian cyber warrior today, whether you’re a public or a private actor acting on behalf of the Russian state, right now, your predominant activity on a daily basis is going to be defensive in nature. We also have detected indications that in Russia there is a digital underground that opposes the Russian invasion of the Ukraine. And we’ve seen some targeting from inside Russia of attacks. And then there is a question of whether there is some lack of support in the Russian public. The public polls that we’ve seen indicate widespread support for the war by the Russian public. We don’t have any reason to doubt that. But as the war grinds on, and this is the same in any country, as the war grinds on and casualties mount, support tends to diminish. So I think that’s the answer. We’ve been surprised that the attacks from Russia have not been more sustained, more significant, and more serious, and that’s the best answer that we can come up with.
However, in the context of the first point that I made, which is our defensive posture, CISA early in the war, put out very specific guidance. Shields up. And here are things that you can do as a Western and American organization to better defend yourself against the prospect of a Russian attack, or any cyberattack for that matter. And these are obviously obvious to everybody who’s on this webinar. MFA, antivirus, anti-malware. Put up your spam filters, patch your software – how many times do we have to say that? And filter network traffic and monitor your logs, and knock on wood, that has had a significant effect today.
Dustin: “According to international law and the Geneva Convention rules, these private citizens attacking other nation-states organized under the Ukrainian government are legitimate military targets. What do you think will be the fallout or implications from this? If Russia has been able to successfully identify any of the members of the Ukrainian IG Army, do you think Russia or Russian aligned countries will try to arrest or conduct strikes on these people while they’re traveling?”
Mark: There are a lot of good questions in there, and thank you for asking it. I’m not an expert on international law and the Geneva Convention, so I can’t actually address the first question about whether these are legitimate military targets. And my guess is that if Mark Turnage, sitting in Denver, Colorado, were to join the IT Army of the Ukraine and start to participate in attacks on Russian targets somewhere in there, that would be a violation of US law, irrespective of the Geneva Convention or the rules of war. I may be violating US law, not that I don’t think the US is going to necessarily prosecute Mark Turnage for doing so. Certainly possible that they could do that. My guess is Interpol would not honor any international arrest warrant requests. Certainly, again, to use the example of me, if I were to travel to Russia, they could certainly arrest me and charge me with whatever they wanted. I think that one of the unknown implications of this war is the fact that we don’t know how this hacktivist army shapes up in future wars. But my guess is, to the extent that they are individual citizens and not uniformed soldiers, they put themselves at some risk by participating in this. And, yes, they could be potentially arrested.
Dustin: “How does a commercial threat intel feed help me protect my organization from rogue IT armies?”
Mark: A lot of different ways. If I’m running a large Fortune 500 company’s security and network and I have a robust threat intel feed, I’m able to see whether my organization and its IP range is being actively discussed in targeting forums and in hacker networks that are adversarial to either my country or to my organization, or are just commercial ones, so I can get a sort of pre-warning on the fact that they are targeting my organization. I can get threat intel feeds on the nature of the vulnerabilities that are being used to exploit networks such as mine. So, I can draw a direct link between the software we use to protect our network and any known vulnerabilities of that particular software that are out in the darknet or out elsewhere for sale or being actively used. And for the most sophisticated of those organizations, they’re able to take some proactive steps to avoid being attacked. So I would say that a dedicated, robust threat intel feed that encompasses both the darknet and social media is critical to any security posture for a large organization and, if nothing else, this war has proven that very robustly.
Let’s talk about some of the observations so far in this war. As I mentioned, this war is largely not being fought by cyber soldiers but by criminals, mercenaries and activists and non-state actors who are acting at the behest of the warring parties. It’s an unknown, crazy world we’re walking into, to be honest. This was not anticipated by anybody and my guess is that in the war games that we conducted leading up to the Russia Ukraine war, this fact did not feature highly, if at all. As I’ve said, cities aren’t losing their power and water for longer than a few hours. Plenty of companies and government ministries are being taken offline, but again for days, not even weeks, and there’s little evidence of sustained serious impact in Russia or the Ukraine. Again, the bulk of the focus in the Ukraine is on the physical damage that’s being wrought on the country.
And then in answer to the question that came in earlier, the implications of war being fought by private citizens beyond the control of governments are really poorly understood. And I throw down here a couple of hypothetical questions: what happens if a ceasefire or a peace treaty is reached between the Ukraine and Russia and the private warriors just carry on? What are the implications of that?
They’re profound, actually and this echoes the FBI director – should nation-states be worried that somewhere we don’t know if it’s 250,000 plus hackers, 50,000 hackers, but tens of thousands of hackers have successfully attacked Russia? At the bottom I put one of my early observations in the actual physical war that has been fought between Russia and the Ukraine there have been a number of deficiencies in the Russian armed forces that have been identified and they’ve been surprising, to be honest. Some of them have to do with supply chain and how the Russian armed forces support its troops in the field. Some of them have to do with the maintenance of Russian military equipment and so on. I’m wondering if there’s a similar deficiency that we’ve seen in the Russian cyber capabilities. Are they simply not the superpower we thought they are? The alternative, the flip side of that coin is they could be holding back. They could have an arsenal of cyber weapons that they’ve not deployed and not used. But it could very well be that to the extent that the Emperor has no clothes on their physical military capabilities, that the same is true in the cybersphere.
Observations on the privatization of warfare – this is another surprise and it doesn’t really address the cyberwarfare capability, the cyber implications. But this is a war where private actors on both sides are playing a significant, major role in the attacks in the war, and I mean both the cyberwar and the physical warfare. So as we’ve talked about, private hackers are waging a war on behalf of Ukraine, Russia. That’s been a real surprise. If not 100% of the military communication by the Ukrainians is done by Starlink. Early in the war the Russians successfully took offline the Ukrainian military communication system. Within days, Elon Musk and SpaceX had launched satellites over Ukraine. And today the bulk of the communications that the Ukrainian military uses is provided by a private American enterprise. Now let that sink in. That’s a commercial enterprise that is doing that. Some of the best reporting on the war has been by OS analysts, not by US government analysts, who have been using commercial satellite imagery that has been widely available since the beginning of the war. The coverage, particularly from the many who have posted their analyses on Twitter, has been very good.
The Western sanctions that have been imposed on Russia and its allies in connection with this war are being privately enforced by banks and companies. Those are private enforcement capabilities efforts. I would point all of you to bellingcat as a great OSINT source using open source tools that are available on the Russian side. The Wagner Group is heavily involved. It’s a private mercenary enterprise. It’s heavily involved in the war in Eastern Ukraine up to and including flying fighter jets for the Russians. And obviously there’s a fair amount of pressure on companies continuing to do business with Russia.
We have made the observation that private hackers are engaged in this war. It’s not just private hackers. Right through the war on both sides, private actors are playing a very significant role in the waging of this war. What are the implications for the post war darknet? DarkOwl is a darknet intelligence company. We gather data continuously from the darknet and we provide that to our clients around the world as a threat intel feed or as a source of information, so we see a lot of this unfolding, particularly in the darknet, and what I call a chaotic and often unruly environment in the darknet just became even more chaotic and risky, when you start to see major criminal gangs in the darknet start to fight each other and leak each other’s information into the darknet. But it’s a golden source of information for us and for our clients. But it’s also just an indication of just how anarchic that capability has become. These criminals will continue to turn on each other, but that’s not going to last forever, and we don’t know how this is ultimately going to shake out. Ransomware has been a big focus of criminal activity in the darknet. We expect that will continue to be the case, but there will be a shift: we’ll see more wiper malware deployed.
So the consequences, again, for a US Hospital that’s subject to a ransomware attack of not paying a ransom, may be even worse by not paying the ransom if they don’t have a backup and they don’t have other capabilities to restore their network. If the criminals on the other side of that effort choose to deploy wiper malware, you may lose those, particularly if you don’t have backup. You may lose those medical records forever. Again, very sophisticated malware targeting for industrial control systems that we’ve seen.
We’ve seen an increase in awareness about what the darknet is and how it can be used. Propaganda and disinformation – I’ve spent relatively little time in this presentation talking about propaganda and disinformation, primarily because most of those efforts are in social media, not so much in the darknet, although we do see it occurring in the darknet. And as I said earlier, the hacktivist movement has been unleashed.
Here are some unanswered questions and I think some of the questions that we’ve had during the course of this webinar are addressing some of these:
How do the laws of war apply to cyberwarfare, both in the decision to go to war and in the decision to wage the war and how you wage that war? The implications of it are very poorly understood. The attribution error issues, frankly, scare me to death.
How does one deescalate against cyberattacks that are coming in that you think, but don’t know for sure, are coming from an adversary? Where’s the safety valve in all of this? In physical warfare, I can see that your planes are coming to attack my targets. I can see that you’re shelling me from behind your lines. In cyberwarfare, it’s a far messier calculation and the implications of that are, frankly, frightening.
What are the implications of the appearance of non-state actors on the stage? We don’t know. Will cyber become strategically decisive in a war? It has not been strategically decisive in the Ukraine Russia war, although it’s been a significant factor, but it’s not been strategically decisive. And where the line lies between cyber terrorism, cyber criminal activity and cyber hacktivism on the battlefield is to be determined going forward.
Thank you very much for joining us today.
In DarkOwl’s regular daily collection of content for its Vision SaaS platform, we often witness criminal communities being disrupted and dispersed by law enforcement operations. Usually, these operations are carried out covertly until enough evidence has been gathered to shut down the illicit operation. At that point, oftentimes, the law enforcement group will conduct heavy DDoS attacks (or other attack methodologies) against the marketplace or forum to shut it down, leaving a “this domain has been seized” notice on a website’s landing page.
In this piece, we decided to take a closer look at some of the key intelligence agencies, government groups, and law enforcement organizations that contribute to policing the darknet through targeted cyber operations.
The darknet – comprised of anonymous networks only accessible by special anonymous proxies and/or peer-to-peer systems – is an elaborate web of services. Based on our historical insight into this space, our analysts ascertain that the darknet is largely comprised of criminal activity ranging from the sale of drugs, illicit goods and humans to advanced malware development, data brokerage, fraud, and financial crime. Recent academic research indicates that over half of all Tor-based onion services facilitate crime in some form or fashion.
Much of this criminal activity spills over into the deep web and chat platforms like Telegram, where many of the leading administrators establish ‘mirror’ sites and channels that replicate much of the content shared across Tor and peer-to-peer anonymous networks.
International intelligence, military, law enforcement personnel, and other cybercrime agencies are present both overtly and covertly on the darknet. Marketplace and forum discussion threads are sprinkled with users dismissing posts with derogatory name-calling like “pig” or “spook.”
In 2019, the US Central Intelligence Agency (CIA) replicated their Surface Website (cia.gov) on the Tor network, including the agency’s public announcements, the World Factbook, and careers page all available reportedly via ‘secure and anonymous’ web connections.
In early May, the CIA launched a concerted campaign to encourage Russians dissatisfied with Putin’s invasion of Ukraine to “get in touch on the darknet.” The campaign included detailed instructions in both Russian and English for downloading the Tor browser and accessing their content on Tor.
There are any number of organized law enforcement operations on-going in the darknet and adjacent criminal communities. Many times, the seizures of servers hosting and facilitating cybercrime are a result of a multi-agency activity months (or years) in the making. Agents from the Federal Bureau of Investigation’s Cyber Crime Unit (FBI) and Interpol lead many of the operations that result in not only the take-down of criminal sites, but also the indictments and arrests of the criminal masterminds behind the darknet community.
With so many different groups operating in the space, most of them referred to by acronyms, we’ve compiled a list of the prominent international government, intelligence, and law enforcement organizations that we’ve seen mentioned in significant operations carried out on the darknet. The table below includes their common and formal names, as well as the countries they primarily operate in.
| Acronym | Organization | Country |
|---|---|---|
| FSB | Federal Security Service (Federalnaya Sluzhba Bezopasnosti, ФСБ) | Russia |
| FinCEN | Financial Crimes Enforcement Network | USA |
| GDCOC | General Directorate Combating Organized Crime | Bulgaria |
| GCHQ | Government Communications Headquarters | UK |
| HSI | Homeland Security Investigations | USA |
| IRS:CI | Internal Revenue Service, Criminal Investigation | USA |
| IDF | Israel Defense Force | Israel |
| JCODE | Joint Criminal Opioid and Darknet Enforcement (DOJ) | USA |
| GRU | Main Intelligence Directorate | Russia |
| NCA | National Crime Agency | UK |
| NCJITF | National Cyber Joint Investigative Task Force | USA |
| DNRED | National Directorate of Intelligence and Customs Investigations | France |
| NSA | National Security Agency | USA |
| NCIS | Naval Criminal Investigative Service | USA |
| KLPD | Netherlands’ National Police | Netherlands |
| OFAC | Office of Foreign Assets Control | USA |
| PSNI | Police Service of Northern Ireland | Ireland |
| PF | Policia Federal | Mexico |
| NPB | Polisen (Swedish Police) | Sweden |
| PJ | Portuguese Judicial Police (Polícia Judiciária) | Portugal |
| SBU | Security Service of Ukraine (СБУ) | Ukraine |
| Europol | European Union Agency for Law Enforcement Cooperation | European Union |
| Interpol | International Criminal Police Organization | International |
| CBP | U.S. Customs and Border Protection | USA |
| ICE | U.S. Immigration and Customs Enforcement | USA |
| USDT | United States Department of the Treasury | USA |
| USPIS | United States Postal Inspection Service | USA |
| USSS | United States Secret Service | USA |
| DOD | United States Department of Defense | USA |
| DEA | United States Drug Enforcement Agency | USA |
Stay tuned for future content where we review some of the most historically significant and disruptive darknet “operations” conducted by these organizations. Our interactive timeline is now live!
Cyber insurance is an increasingly popular topic of conversation across the information security community, as the frequency of attacks against organizations has steadily increased in recent years. The probability of a successful attack, resulting in unauthorized access to an organization’s data, applications, services, network infrastructure or devices, or worse – the theft or loss of proprietary or sensitive data – keeps rising in the post-pandemic world, where work-from-home and hybrid work/home office environments have been normalized, challenging an organization’s cyber-defense posture.
According to Accenture, 66% of small businesses have experienced a cyberattack, with the average cost of a malware attack on a company (regardless of size) hitting $2.6 million, signaling that cyber insurance policies are now essential for an organization to prevent significant financial business impact or even bankruptcy.
Coalition’s 2022 Cyber Claims Report confirmed the attack trends, with their data indicating that small businesses are consistently targeted more frequently than medium and large organizations. They also report that claims increased in severity by 54% in 2021, with the average cost approaching $360,000 USD for companies with revenues of more than $100M.
What Is Cyber Liability Insurance and What Does it Cover
Cyber liability insurance is a form of insurance available for individuals and businesses to purchase to help reduce the negative financial impacts and risks of conducting day-to-day activities on the Internet. Cyber insurance is rooted in errors and omissions (E&O) insurance which generally protects against a company’s faults and defects in their products and services.
Any organization or business that operates predominantly on the Internet, collects or retains customer data such as personally identifiable information (PII) or protected health information (PHI), interfaces with the payment card industry, or stores sensitive proprietary data and digital intellectual property on a company network connected to the Internet should consider purchasing a cyber liability insurance policy.
In the event of a cyberattack, the theory of E&O coverage kicks in to support a sole proprietor or business who cannot fulfill their contractual obligations with their network and systems offline. Similarly, the coverage can help cover costs to litigate claims resulting in the failure of service performance or product delivery due to the cyber security incident.
Cyber liability insurance covers most of the financial costs associated with a cybersecurity incident and data breach. This could include:

- extortion payments associated with a ransomware attack
- digital forensics and incident response team costs to remediate an event or recover compromised data
- paying legal fees and/or fines as a result of privacy violations
- monitoring the credit for, and restoring the identities of, compromised customers or employees with exposed PII
- cyber terrorism attacks
- procuring replacement hardware or replacing compromised computer information systems
- notifying stakeholders of the security incident and breach of confidential information

Some cyberattacks include cyber espionage that doesn’t result in an overt cybersecurity incident and IT network failure. Does your cyber liability insurance policy cover your employees’ personal information showing up in the underground without the knowledge of your IT department?

- cyberattacks against resources located anywhere in the world, not geographically limited
- legal costs if an incident results in a lawsuit or regulatory investigation, e.g. includes “duty to defend” wording
- offers a breach hotline available 24/7, 365 days a year
- cyberattacks on your data held by vendors and other third parties
- lost income due to business interruption
- crisis management and public relations
Types of Cybersecurity Insurance Coverage
Policies covering cyber incidents are generally written as either first- or third-party coverage or both. First-party coverage protects the infrastructure and data owned by the policy holder’s organization. This coverage includes data related to an organization’s employees and customers. Third-party coverage is a form of liability coverage associated with the consequences of the exposure of an organization’s customer and vendor data.
Often when a cyberattack occurs it is the sensitive customer data or employee PII that is most valuable to the threat actor where the database is quickly commoditized in the darknet and traded or sold in underground data marketplaces and forums.
Unfortunately, many organizations under-protect themselves by getting first-party coverage only, when third-party coverage is more comprehensive by orders of magnitude and more applicable to the modern cybersecurity use case. Furthermore, traditional E&O policies do not cover the loss of third-party data.
Insurance Carriers, Brokers, Underwriters, and Reinsurers
While cyber liability insurance is offered by most major insurance carriers, we quickly realized that those shopping for cyber liability policies can easily get confused by the different roles and responsibilities of the various insurance players. During our research on the cyber insurance industry, we encountered several different stakeholders that could have vested interest in the cybersecurity risks associated with potential insurance claims.
Insurance Carriers – also referred to as the insurance provider, an insurance company, or agency – are the financial security behind the coverage provided in an insurance policy in the event of a cybersecurity incident. The insurance carrier issues the policy, charges the premiums to the policy holder, and covers payments from claims against the policy.
Insurance carriers issuing cyber liability insurance policies must remain hyper-vigilant on the evolving security risks facing their policy holders. They will establish pre-policy issuance security risk assessment protocols, evaluation criteria, and periodic auditing of their policy holders. In the US, insurance carriers are often described as “admitted” and non-admitted insurance providers, which differentiates whether they are ‘backed by the state’ financially and in compliance with regulations outlined by the policy holder’s state Department of Insurance.
Insurance Brokers are agents who sell or purchase insurance policies on behalf of another. An insurance broker specializes in the nuances and complexities of the insurance industry and is knowledgeable about security risk management, so as to advise on the type and amount of coverage required for a cyber liability insurance policy. They serve as a “consultant” and insurance representative to the insured policy holder.
Underwriters include persons assigned and qualified to initially assess, evaluate, and assume the security risk of another party for a fee or percentage commission from the policy value. The underwriter may work directly for the insurance carrier or independently contract to the insurance issuing organization as a freelance underwriter. The most commonly relatable example is health insurance underwriters who closely evaluate an applicant’s risk posture via detailed questions of the potential policy holder’s age, health conditions, and family medical history.
In cybersecurity, an underwriter has the responsibility to perform comprehensive risk assessments of cyber liability insurance policy applications for potential security risks that are increasingly complex and challenging to predict based on traditional risk modeling methodologies.
As claims increase in value, the application process for new policies is increasingly rigorous, with insurance carriers requiring underwriters to gather supplementary ransomware-based questionnaires and proof of business continuity plans and security incident response plans from insurance applicants.
Third-Party Administrators, often called TPAs, are professional, state-licensed organizations that support the insurance carrier in administrative services related to insurance. They most often are responsible for handling claims on behalf of the carrier, including evaluating the legitimacy of the claim, processing the claim, making financial determinations, and reporting to regulatory authorities. While TPAs have historically been involved in the health insurance industry, there is a growing group of cybersecurity-specific TPAs that exclusively focus on managing cyber and privacy breach claims.
Reinsurers refer to the reinsurance companies, or more simply, the insurance providers for the insurance companies. According to the Corporate Financial Institute, a primary insurer – the insurance carrier – transfers policies, or insurance liabilities – to a reinsurer through a process called cession, or “ceding”. On average, insurance carriers cede an estimated 50% of the policy premiums they collect to the reinsurance market. Reinsurers’ revenue is directly tied to the quality of the risk assessments performed for policy holders on the front end and the amount of financial capital available, either from the reinsurer or third-party capital sources.
Why Does the Darknet Matter to Cyber Insurance Professionals?
Data, information, and subsequent cyber intelligence derived from sources in the darknet, deep web, and criminal chat communities can help cyber insurance underwriters, insurance carriers, and reinsurers develop more robust and highly predictive security risk models. Higher fidelity risk models help price premiums to minimize claims payments benefiting the insurance carriers and their reinsurers accordingly.
The types of data from the darknet that might be utilized in security risk models range from something as simple as the volume of a policy holder’s organizational employee email addresses exposed on the darknet to more complex models which account for brand and reputational risks, mentions of executive leadership, network infrastructure like domain names and IP addresses, and exposed proprietary organizational data stolen through a pre-existing breach or cyberattack.
Pre-policy evaluations can include darknet exposure data to assess the level of compromise of the applicant organization and determine whether prior breaches of the applicant policy holder exist – pre-existing breaches are often excluded in cyber liability insurance policies. Pre-existing breach data for the pending policy holder’s vendors and supply chain can also drive security risk modeling, and that potential risk must be financially compensated for.
Reinsurers also should independently monitor for darknet exposure and mentions of the insurance carriers they cover, as well as their high-value policy holders. Ransomware threat actors have actively targeted insurance carriers and exploited their policy holder information to drive negotiations with subsequent extortion victims, using knowledge of the victim’s policy as leverage for higher extortion payments.
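As an added illustration of how the darknet signals named above can feed a pre-policy assessment, the following Python routine is example code written for this piece, not DarkOwl’s model or the output format of its platform. It runs over a handful of constructed records in a shape a darknet exposure feed might plausibly return (the field names `type`, `email`, `text`, `value`, `seen` and `source` are assumptions), counts distinct employee addresses exposed for the applicant’s domain, tallies brand, executive and infrastructure mentions, keeps vendor exposure separate, and flags any applicant-related record that predates the proposed policy inception as a potential pre-existing breach, since those are often excluded. The weights are placeholders; a real model would calibrate them against claims data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample records (not real exposure data); the schema is an
# assumption made for this example.
SAMPLE_RECORDS = [
    {"type": "credential", "email": "alice@applicant.example", "seen": "2021-11-03", "source": "combo list"},
    {"type": "credential", "email": "alice@applicant.example", "seen": "2022-02-14", "source": "forum dump"},
    {"type": "credential", "email": "bob@applicant.example", "seen": "2022-05-01", "source": "stealer log"},
    {"type": "credential", "email": "carol@vendor.example", "seen": "2022-04-20", "source": "forum dump"},
    {"type": "mention", "text": "selling access to applicant.example vpn", "seen": "2022-05-10", "source": "access broker post"},
    {"type": "mention", "text": "CEO Jane Doe applicant corp", "seen": "2022-03-01", "source": "ransomware blog"},
    {"type": "infrastructure", "value": "203.0.113.10", "seen": "2022-05-09", "source": "scanner share"},
]

# Assumed weights for the toy score; not calibrated.
WEIGHTS = {"email": 2, "brand": 4, "executive": 5, "infrastructure": 5, "vendor": 3, "pre_existing": 10}


@dataclass
class ExposureReport:
    exposed_employee_emails: set      # distinct applicant addresses seen in the underground
    brand_mentions: int               # applicant domain named in chatter
    executive_mentions: int           # named leadership mentioned
    infrastructure_mentions: int      # applicant IPs/hosts appearing in shared data
    vendor_exposures: int             # supply-chain addresses exposed (tracked separately)
    pre_existing_indicators: list     # (seen, source) pairs dated before policy inception
    score: int


def _domain_of(email):
    return email.rsplit("@", 1)[-1].lower()


def assess_exposure(records, applicant_domain, vendor_domains, executives, infrastructure, policy_inception):
    """Summarise darknet exposure for one applicant and flag pre-inception indicators."""
    emails, pre_existing = set(), []
    brand = execs = infra = vendor = 0
    for rec in records:
        seen = date.fromisoformat(rec["seen"])
        about_applicant = False
        if rec["type"] == "credential":
            dom = _domain_of(rec["email"])
            if dom == applicant_domain:
                emails.add(rec["email"].lower())
                about_applicant = True
            elif dom in vendor_domains:
                vendor += 1                      # vendor risk is priced separately
        elif rec["type"] == "mention":
            text = rec["text"].lower()
            if applicant_domain in text:
                brand += 1
                about_applicant = True
            if any(name.lower() in text for name in executives):
                execs += 1
                about_applicant = True
        elif rec["type"] == "infrastructure":
            if rec["value"] in infrastructure:
                infra += 1
                about_applicant = True
        # Anything about the applicant dated before inception may fall under a
        # prior-breach exclusion, so the underwriter needs it surfaced explicitly.
        if about_applicant and seen < policy_inception:
            pre_existing.append((rec["seen"], rec["source"]))
    score = (WEIGHTS["email"] * len(emails) + WEIGHTS["brand"] * brand
             + WEIGHTS["executive"] * execs + WEIGHTS["infrastructure"] * infra
             + WEIGHTS["vendor"] * vendor + (WEIGHTS["pre_existing"] if pre_existing else 0))
    return ExposureReport(emails, brand, execs, infra, vendor, pre_existing, score)


def sample_assessment():
    """Run the routine over the constructed records with assumed applicant details."""
    return assess_exposure(
        SAMPLE_RECORDS,
        applicant_domain="applicant.example",
        vendor_domains={"vendor.example"},
        executives=["Jane Doe"],
        infrastructure={"203.0.113.10"},
        policy_inception=date(2022, 4, 1),
    )


if __name__ == "__main__":
    print(sample_assessment())
```

On the constructed input this reports two distinct exposed employee addresses, one vendor exposure, and three pre-inception indicators (the two older credential records and the executive mention), which is exactly the kind of finding an underwriter would want separated from post-inception exposure before pricing the policy.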
Insurance Carriers are not Immune to Showing up in the Darknet
In 2021, Avaddon compromised a Malaysian division of the global insurance carrier Axa Group and reportedly exfiltrated over 3TB of claims data and medical records of their policy holders.
Figure 1: Axa Group Ransomware Announcement, Source: DarkOwl Vision
Most recently, the reincarnated “Happy Blog” restarted by REvil after Russia invaded Ukraine, targeted a family-focused insurance broker in Ohio giving the threat actors direct access to sensitive PII of their clients for subsequent fraud or digital identity theft.
Figure 2: Source REvil Blog on Tor
Victim data can emerge on the ransomware shame sites exclusively hosted on Tor in the darknet or in data marketplaces, like Industrial Spy. One of the “free” offers on Industrial Spy includes a prominent Third-Party Administrator in India, MDINDIA. The proofs include a significant volume of claims handled by the organization.
Figure 3: Source: Industrial Spy
There is an increasingly complex interrelationship between data from the darknet and the organizations involved in issuing cyber liability insurance policies and managing claims. Darknet data can help drive better risk decisions in issuing policies and support persistent monitoring for on-going security risks to insurance carriers, brokers, and their policy holders. The cyber liability insurance market is evolving as a result of threat actors on the darknet and increased attacks resulting in significant financial claims.
Next: stay tuned for our upcoming content that will take a closer look at some things that are excluded from cyber insurance policies.