In honor of National Non-Profit Day, we are excited to highlight a couple of our non-commercial organizational partners that we are extremely proud to support: the National Child Protection Task Force and the International Justice Mission. In preparation of this blog, the content team sat down with key members of the NCPTF organization and ICM to get a glimpse into the work that they do on a day-to-day basis and how DarkOwl contributes. In order to maintain their operational security, we have intentionally not disclosed the names of any of the investigators or specialists we spoke with from either organization.
Reports from Federal Agencies indicate that the volume of children being trafficked and exploited in the United States is a national crisis. According to the FBI’s National Crime Information Center (NCIC), in 2021, there were 337,195 NCIC entries for missing children. A mechanism for child cyber exploitation that, ran by the National Center for Missing & Exploited Children (NCMEC), received 29,397,681 million reports in 2021, up from 21.7 million reports in 2020 – a near 9% growth. Using their web portal, DarkOwl regularly sends NCMEC the URLs for domains containing child sexual abuse material (CSAM) content discovered during collection. We have discovered thousands of domains across Tor and Zeronet active with proliferating such material.
The National Child Protection Task Force, or NCPTF, is comprised of a network of law enforcement and technology professionals that provide law enforcement agencies a rapid-response team and investigative support, resources of which are often underfunded or completely unavailable to law enforcement agencies, to support cases of human trafficking, child exploitation, and missing persons. Their team of child and exploitation case specialists is supported by experts ranging from former intelligence officials and military officers, volunteer open-source intelligence (OSINT) researchers, and others.
“While OSINT is our primary method of getting after what we need to from an investigation standpoint, we also have experts, including current and former law enforcement, that provide support from a technology standpoint, with regard to legal processes,” said NCPTF’s Head of Intelligence. They went on to explain that NCPTF investigators rely on tools like DarkOwl to not only close cases by identifying perpetrators, but to also see those criminals put behind bars.
“It takes a very specialized tool or a very skilled researcher to do dark web investigations,” continued the NCPTF team. “We never want to put our people or their systems at risk during these investigations and rely on tools like DarkOwl to safely procure information for us that we can leverage.”
The International Justice Mission, or IJM, is charged with the mission to protect people in poverty from violence by rescuing victims, bringing criminals to justice, restoring survivors to safety and strength, and helping local law enforcement build a safe future that lasts. Like NCPTF, IJM’s investigations also involve tracking human trafficking and missing persons cases and technology incorporated into their Global Fusion Center, an analytics hub based out of IJM’s global office, helps them monitor red flags, track a predator’s virtual footprint and prevent abuse before it begins. Recent international refugee crises out of Afghanistan and Ukraine have resulted in an inordinate surge in human trafficking around the globe.
For members of the IJM, DarkOwl Vision is one way to keep their researchers safe. It allows their team to search the darknet without going on to browsers such as Tor directly and enables them to have access to historical content that can help break open a case, “we have fully integrated the platform into our workflows and it greatly enhances our ability to safely and effectively identify potential lead information,” stated a Criminal Intelligence Specialist from IJM’s Global Fusion Center.
NCPTF investigators recalled an case where the suspect had a known online alias or username. They needed to find out more info about this user, and some other OSINT services that they were using failed to produce any leads. After running that same username through the DarkOwl Vision database, investigators were able to uncover a new username belonging to the person of interest that was older than the one they were aware of. NCPTF revealed, “As us forensic cyber investigators know, threat actors get more advanced over time. So, by identifying the old username, it opened the investigation up for us – which no other tool was able to do.”
This real-life example shows the power of historical data that no other darknet tool on the commercial market has as wide of coverage on.
DarkOwl is proud to partner with NCPTF and IJM and many other non-profit organizations focused on making the world a better place. Hearing these stories and how our work behind the scenes is making a difference, makes the day-to-day tasks so much more worth it. We look forward to continuing this partnership and extend a thank you to all our other NGO partners and all NGOs today that are making a difference. Happy National Non-Profit Day!
More on NCPTF
The National Child Protection Task Force, a registered 501(c)(3), was founded to provide detectives, analysts and officers access to investigative expertise and resources that are unavailable or under-funded in most law enforcement organizations. The members of our Task Force volunteer their time to any agency — small or large, international, or local — on important, time-sensitive cases focusing on human trafficking, child exploitation and missing persons cases.
The International Justice Mission (IJM) is a non-partisan, non-governmental, 501(c)(3) organization. They operate with governmental approval and acknowledgment and depend on the partnership of local government and NGO partners. International Justice Mission is a global organization that protects people in poverty from violence. IJM partners with local authorities in 24 program offices in 14 countries to combat trafficking and slavery, violence against women and children, and police abuse of power.
In our previous post, Policing the Darknet: Leading Cybercrime Agencies Go Dark, we took a high-level look at some of the most active law enforcement and intelligence agencies across the globe who police the darknet through targeted cyber operations.
Now, we’re taking a look at which key darknet-related cases these agencies have participated in throughout the years. It is important to note that many other organizations – such as local and regional task forces – have been key to supporting the investigative and tactical efforts in most of these operations. In fact, the coordination between these groups, which often occurs on a global scale, has proven to be key to successfully policing the darknet.
Timeline: Key Darknet Cyber Policing Operations
In recent years, there have been several elaborate ‘operations’ carried out by multi-agency international task forces, resulting in the ‘take-downs’ and seizures of prominent darknet marketplaces, forums, and criminal enterprises. Many of the operations shift the landscape, with hundreds of domains knocked offline. Others have sparked a community-wide state of panic where key threat actors go quiet or shift into even more shadowy corners of the dark web. This timeline reviews some of the key operations with the most significant impact.
This timeline is interactive. To navigate, use arrows to move right or left, pinch to zoom. Use the key at the bottom to organize by specific law enforcement groups from our chart (below). Click on any event to see more details.
As the darknet continues to be a haven for criminal activity, the importance of these intelligence and policing efforts remain critical. Many agencies conduct their investigative efforts by relying on tools such as DarkOwl Vision to search and monitor the darknet for evidence to build their cases, without having to access the darknet directly.
In recent months, DarkOwl analysts discovered multiple escrow-enabled decentralized marketplaces on the dark web that claim to be affiliated with the Sinaloa Cartel.
One such marketplace called “Cartel de Sinaloa” is reportedly directly associated with the Sinaloa Cartel and Los Chapitos. Their marketplace uses the same logo – a red and black skull with “Cartel de Sinaloa” written underneath it – as the avatar of a Facebook group page operating with the same name. Another marketplace calling itself “The Sinaloa Cartel Marketplace” focuses on offering hitman for hire style services. Both services require authentication for user access, which forces visitors to create a username and password to view the marketplace past the login screen and adds protection from bots and crawlers.
Upon looking closer at these alleged cartel-tied darknet operations, our analysts found that there are Tor services for numerous other criminal cartels, in addition to the Sinaloa Cartel including: Los Urabenos from Colombia, Cártel de Jalisco Nueva Generación, Cartel Darknet Shop, Gulf Cartel Texas, and a non-specified cartel market simply titled, “DW drugs cartel.” We also found several darknet drug vendor services such as Ausline that advertise possible associations with prominent cartels.
Cartel Marketplaces
Here are some of the noteworthy dark web marketplaces that either claim to be or appear to be (based on our analysis) associated with cartels.
Cartel de Sinaloa (C.D.S. Market)
The C.D.S. Market is hosted on Tor and includes market escrow with the finalize early (FE) option. The market lists the following goods and services categories: Barbiturates, Software & Malware, Hire Services, Prescription, Opioid Antagonists, Money Laundering, Human Trafficking, Disassociates, Weapons, Steroids, Counterfeit, Human Organs, Benzodiazepine, Stimulants, Ecstasy, Fraud, Drugs Paraphernalia, Research Chemicals, Weight Loss, and more. Many of these categories are found on traditional darknet marketplaces, but this market includes the option to purchase human organs and services for hire. Despite these specific illicit goods categories and the fact that the Cartel de Sinaloa market has been active for months, there are zero product listings offered or advertised for sale under any of the categories described. This suggests the marketplace could be a front for other criminal activities or a law-enforcement sponsored honeypot.
The discovery of this marketplace prompted further investigation into similar “cartel-centric” documents in DarkOwl Vision, where we discovered an additional marketplace advertised on Tor as being associated with the Sinaloa Cartel on the darknet.
Figure 1: Login Landing Page for Cartel de Sinaloa Marketplace on Tor
Figure 2: Cartel de Sinaloa Marketplace (post-authentication) on Tor
The second site, The Sinaloa CartelMarketplace, advertises a variety of products including drugs and hitmen for hire. However, the only option under “shop” is to submit a job request with options such as “shot and get away,” “stabbing,” “kidnapping,” “accidental murder” and more. The most expensive service offered is a sniper job, going for $10,000. The prices on the form included the USD currency and supports payment via Bitcoin.
Figure 3: Job Request Form Fill with Prices Listed per Job Type for the Sinaloa Cartel Marketplace on Tor
After a quick reverse image search across open-sources, we found the same image from the Sinaloa Cartel Marketplace on Tor is also listed with an offer to purchase the “El Chapo” t-shirt on a surface web e-commerce site specializing in anarchist screen printed clothing, called Rancid Nation.
Figure 4: Sinaloa Cartel Marketplace on Tor
Cartel Gulf Texas
Another alleged indirectly Sinaloa cartel-affiliated darknet market is called “Gulf Cartel Texas” and claims they ship drugs across the world via the US Postal Service (USPS) out of Laredo, Texas. There have been ongoing reports of cartel-gang violence in Laredo after the March 2022 arrest of the leader of Cartel del Noreste, Juan Gerardo Trevino-Chavez (a.ka. The Egg “El Huevo”), 39, of Laredo, Texas.
The Gulf Cartel Texas Tor service has been online since 2020 and its design is not as sophisticated as the other services we discovered using our Vision UI product but advertises different drugs in bulk available for purchase, including, coincidentally, “very high quality heroin from the mountains straight from the Sinaloa cartel.” The Gulf Cartel Texas – Straight from the Border – includes a disclaimer reading: “warning scammers are active posing us we will never email or threaten you in bad english.”
The site does not appear to have been recently maintained and includes proof pictures of the products dated 2020.
Figure 5: Gulf Cartel Texas Landing Page on Tor
Los Urabenos
The Los Urabenos Cartel – a power criminal and neo-paramilitary group from Colombia – offers their services for hire on Tor and specializes in the sale of high-quality pure cocaine on their marketplace. The landing page has a volcano in the background, and the site is designed to be user friendly with traditional navigation links like: “home”, “about us”, “services”, and “contact us” sections. The market offers a handful of products for sale with tagged photos including, Fishscale Colombian cocaine 90%+ and Dutch MDMA champagne crystals 84%, and stated they used to trade on Darkfox and DarkMarket prior to the decentralized marketplaces’ seizure. They have very strict rules for their orders, including no direct or in-person meet-ups and advertises they have completed over 750 orders with 400 clients.
Figure 6: Landing Page for Los Urabenos Cartel Marketplace
Figure 7: Rules for Transacting with Los Urabenos Cartel
The contact information for the Los Urabenos marketplace references an encrypted chat application account for CDG cartel, which likely refers to the cartel’s more recent designation, Clan del Golfo (Gulf Cartel).
According to open-sources, nearly 200 members of the CDG cartel were arrested by international police and government forces in a multi-national law enforcement operation in 2021 including their leader, Dairo Antonio Úsuga (a.k.a. “Otoniel”).
Cartel Jalisco Nuevo Generation (CJNG)
Another darknet service we found is allegedly associated with the Mexico-based Cártel de Jalisco Nueva Generación (CJNG) and describes themselves as the “most trusted bulk cocaine seller in the world” with anonymous dead drops via sea and air cargo. They advertise that they have had thousands of sales since Empire Market and accept payments via Bitcoin. The site also claims that: “A portion of all sales to go non-profits and organizations that support online freedom.” CJNGis believed to be one of the largest fentanyl suppliers to the US and as recently as late June posted videos to social media with over 60 militarized cartel members proudly flexing a wide array of protective gear, weapons, and vehicles at their disposal for continuous operations.
Figure 8: Landing Page for CJNG Tor Site
The products offered on the CJNG marketplace include a limited selection of drugs such as cocaine, marijuana, and amphetamine crystal shards. The News section for the site is not up to date, with the last post shared in March 2020; the site administrator included Wickr and Jabber encrypted chat accounts and secure email address (with PGP key) for direct messaging and purchase. Some images of their products, such as bricks of cocaine, included an insignia carved into the top.
Figure 9: CJNG Market emphasizes their support of privacy and digital freedom
Figure 10: Product offerings from CJNG Market
Ausline
Earlier this year, another prominent darknet drug vendor, Ausline, recently established their own vendor shop offering drugs for purchase and shipments in Australia and New Zealand. They specialize in deals “in bulk” and advertise they are procured directly from producers in Afghanistan, Colombia, and the Netherlands. Their bulk Fishcale Colombian Cocaine Flakes 90% is allegedly sourced from the “Scorpion cartel.”
Figure 11: Source DarkOwl Vision
There’s little to no open-source information about any “Scorpion” cartel in Colombia, but internationally there is a Red Scorpion Gang in Canada and another known simply as the Scorpion Gang in Haiti are mentioned in news articles. In Mexico, a group called the Escorpiones (Scorpions) were founded after the fallout between two CDG leaders, and were the guards for Antonio Ezequiel Cárdenas Guillén and last reported to be allied with the cyclones after his death.
Henry Loaiza Ceballos (a.ka The Scorpion “El Alacrán”) was a well-known drug trafficker in Colombia and member of the Cali Cartel in the early 1990s. In 2019, he was ‘recaptured’ and is highly regarded across many drug cartels in LATAM. Intriguingly, the symbol of a black scorpion is believed to the “calling card” of the Sinaloa Cartel as pictured by a social media post by John McAfee in 2019.
Figure 12: Image of 2,000 pounds of Cocaine with the Sinaloa Cartel “brand”
Cartel Darknet Shop
The Cartel Darknet Shop is user-friendly, resembling any standard e-commerce site on the surface web. There are options displayed at the bottom of pages, like Amazon, with suggestions for other products customers might “also like.” Still, the products offered appear to either be professionally photographed or taken from stock images from the internet. Many of the product’s prices, such as the CBD oil, are higher than what the same products sell for legally. The site does not indicate or state any direct association with a drug cartel.
Figure 13: CBD Oil offered for sale on Cartel Darknet Shop
Regionally-Based Advertisement of Products
During earlier marketplace research we observed that regions known for their drug exports such as Colombia, Peru, Bolivia, and Mexico are often advertised with product listings on darknet marketplaces to prove the quality or the purity of the product and to legitimize the vendor. Advertised geographical indicators can provide potential associations of the products offered with a particular cartel, such as the Sinaloa region and the Sinaloa cartel being famous for their high-quality cocaine. Regions that are famous for their drug trade have also been seen listed in the product title and description, e.g. “Sinaloa Kush.”
It in unsurprising that the most popularly advertised region is Sinaloa, is this is also home to and the name of one of the strongest drug cartels in Mexico at present.
Figure 14: Source DarkOwl Vision
Are Darknet Cartel Markets Scams?
Several of the “Sinaloa-adjacent” darknet marketplaces on Tor featured hitman for hire services in addition to drugs. Hitmen services offered on the darknet are not a new phenomenon. Most “hitman-for-hire” services, especially those attached to prominent criminal groups and mafias, have been determined to be elaborate scams established to steal victim’s money without following through with the murder. There are limited reports of “kill list” victims ending up dead, but no confirmation the murder was carried out via the darknet website and impossible to track. Most chatter in the darknet is dismissive of any violence-centric or hitman-style services advertised.
“99.999999999999999999999999999999999% of all the ‘contract killers’ you see on here are one of two things A. Feds or B. Scammers.” – Darknet post dismissing any hitman services as law enforcement or scammers
Given that attribution on the darknet is difficult, the cartel sites listed above could very easily be scams. There is a history of such hitman-for-hire site turning out to be scams or well-placed honey pots by law enforcement. However, it is likely that organized drug cartels would be one of the few criminal groups capable of offering real hitmen services. Given the extreme and often gruesome violence many of the cartels are known for, the hitmen services advertised could be very real, if they really are the organizations behind the darknet sites as advertised.
We did not perform an in-depth analysis of the extent prominent drug cartels are active as vendors on traditional decentralized marketplaces like AlphaBay. The Los Urabenos Cartel’s affiliated site claims they previously traded on Empire, Darkfox and DarkMarket prior to the decentralized marketplaces’ seizure or exit scams. According to open-sources, DarkMarket was taken down by international law enforcement agencies. Empire went offline due to unknown circumstances. DarkFox was feared at to be exit scamming but has since returned and is active again.
The emergence of dedicated separate marketplaces linked to cartels could point to a broader trend of vendors moving away from traditional drug-focused decentralized marketplaces. After over two years of watching cartels on the darknet we have found fewer marketplaces advertise drugs by their origin/regional name and there are generally fewer marketplaces that sell large quantities of drugs, typically for resale in the case of cartel-based drug distributors. Vendors known for selling drugs on darknet marketplaces in large quantities could have decided that it is not worth the risk given the extent markets are targeted by law enforcement.
For example, in 2019, we identified a well-established darknet drug vendor, UKWhite who sold drugs in high volume – likely affiliated with cartels – across multiple marketplaces was arrested in October 2021 in Barcelona, Spain. They are facing and contesting extradition to the US.
Another drug vendor we observed in 2019 who is still active now almost exclusively engages in ‘direct dealing’ as a seller. These sellers will advertise themselves on discussion forums and appear limitedly on marketplaces only to establish alternative secure communication methods.
Regardless if cartel-affiliated marketplaces and vendor shops like the ones discussed in this research are merely scams or elaborate law enforcement operations, we anticipate a continuance of cartel-affiliated marketplaces and vendor shops in the darknet and a darknet-wide trend of vendors transacting with their buyers and drug network distributors via one to one communication and/or encrypted communication chat platforms for enhanced security and privacy.
Interested in learning how darknet data applies to your use-case? Contact us!
On the 24th of February, after months of failed diplomacy, war broke out between Ukraine and Russia. While the war was being fought in the physical realm, Ukraine’s Ministry of Digital Transformation turned to the digital realm for assistance. Within days of the invasion, a call across underground forums and chatrooms was placed and hundreds of thousands of hacktivist volunteers answered.
Ukraine’s call for help sparked off the first ever global cyberwar which for the first time in history has been waged between two countries simultaneously with a land war. This webinar looks at what we have learned from the cyberwar to date.
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Kathy: Hi, everyone. Thank you for joining today’s webinar, “What a Real Cyberwar Looks Like.” My name is Kathy. Dustin and I will be your hosts for today’s webinar…. and now I’d like to turn it over to our speaker for today, Mark Turnage, our CEO here at DarkOwl, to introduce himself and begin.
Mark: Thank you very much… it’s a lot more fun for me as a presenter to answer questions as we go along, and so I would very much love it if you have questions, put them in the chat and Kathy or Dustin will interrupt me and we can have a conversation instead of a one way webinar.
We at DarkOwl have covered the Ukraine-Russia conflict extensively since it began in February, and even a little bit before that. Many of you may have seen our posts and our blog covering the war. We thought it would be useful to circle back and give an update and some of our observations on the impact of the war on cyberwarfare theory and practice.
There are just four areas of this webinar that I want to cover today. One is I want to talk a little bit about what the competing theories of cyberwarfare are, because those competing theories inform some of our observations on how the actual war, which is the first war between two nation-states, first extended cyberwar between two nation-states, has unfolded. And then I want to talk about some of the impacts on the internet and on the concept of modern warfare. And then we’ll make some concluding remarks. So, roughly, the slides that I’m going to walk through and hopefully the conversation we’re going to have follows this agenda.
One of the problems with cyberwarfare in general is that it suffers from pretty significant definitional ambiguity, by which I mean, if you talk to people, people have very different views on what cyberwarfare actually is, and if you look at these three overlapping circles, the top being physical disruption, the lower left being misinformation and disinformation, and the lower right being sort of communications disruption and espionage, cyberwarfare actually touches on all three of those.
And so somewhere in the overlap between those three circles are the various definitions of cyberwarfare. And perhaps the best definition that I personally like is the one on the lower left in a cyber school called the Revolutionist: actions by a nation-state to penetrate another nation’s computer or networks for the person’s purpose of causing damage or disruption. Pretty straightforward. It speaks to a variety of degrees. It speaks to each of those three circles. But again, the point here is that there is no one definition of cyberwarfare. We can’t talk about cyberwarfare without understanding some of the complexities and some of the significant differences between cyberwarfare and physical warfare. And so, I want to spend a little bit of time on this slide because I think it’s fairly important as we talk about how the cyberwar between Russia and the Ukraine has unfolded.
One of the key differences between cyber and physical warfare is that geographical proximity is not necessarily launch and maintain an attack. Hypothetically, two countries on opposite sides of the globe could fight a cyberwar between the two of them and it could be quite a fierce war with significant collateral damage, and they wouldn’t be anywhere near each other. Another key difference is that the weapons that are used in cyberwarfare are largely one and done. Once you mount an attack on an electrical grid and it’s understood by the opponent how you’ve mounted that attack, they can patch that vulnerability or they can close that door that you walked through and you will not be able to walk through it again.
And so, one of the key differences here is that you can only use those weapons one time and that actually has an impact on how this particular war has been waged. One of the benefits of a cyberwar is that you can more precisely target cyber weapons. Anyone who’s followed the news can see that when either the party shell the other side and oftentimes civilians are killed because they’re in the neighborhood or they’re in the physical proximity of military weapons and there has been significant loss of life in this warfare. Cyber weapons have the ability to be more precisely targeted. It does not mean that there won’t be a civilian loss of life.
We’re going to talk about some explosions that have occurred in Russian oil and gas facilities that have in fact caused civilian loss of life. But the theory here, and it would appear to be born out by reality, is that civilian loss of life is nowhere near as much as in a physical war. A fourth key difference is that attribution of who did it is a major problem and it has really severe implications for escalation. If you don’t know who it is that has attacked your electrical grid or taken your internet offline and you can’t actually be certain of it, a potential retaliation against your enemy or against the enemy you’re fighting at the time might have an escalatory implication that isn’t deserved. So attribution in non-cyberwar times is difficult… in cyberwar that is even more complex because it has this escalatory component to it.
Private actors can cloud the attribution question. And the question is if a private actor jumps on board, for example, on behalf of the Ukraine and attacks Russia or tax targets in Russia, are they acting on the behalf of the Ukrainian government or are they acting as private actors who may be just hostile to Russia, and vice versa? Same thing for the Russian side. And that really clouds the question of who’s in control of this particular part of the war. So those first five bullet points, I think, are critical components to be considered in any evaluation of what cyberwar looks like and how it could be waged in the future.
There are a couple of other points I want to make which are quite interesting in the context of thinking about a cyberwar between two countries. Several years back we estimated that a nation-state could attain superpower status for less than the cost of an F16 jet on an annual basis, considerably less than the cost of an F16. So, the cost of entry to become a cyber superpower in today’s world are orders of magnitude lower than other types of military expenditures. And we’ll come onto a slide here that talks about who are the superpowers, but there are countries that punch well above their weight because they’ve made that investment in becoming either a superpower or near superpower.
One odd inversion of the international order, the more technologically advanced a country is, the more susceptible it is to a cyberattack. It goes without saying that North Korea, which is not heavily industrialized, not heavily complex from a technological perspective, oddly, is aspiring to cyber superpower status, is probably one of the least susceptible countries in the world to a cyberattack because it’s not connected. The grids are not connected. The level of complexity through the society is very low. On the other hand, both Russia and the United States and the Ukraine are heavily connected societies and are very susceptible to cyberattacks. The point I want to make is that there are some very significant differences between how cyberwar is waged and can be waged and what the implications of that are to how it’s waged, how physical warfare is waged.
I started off by talking about how there are many definitional ambiguities in cyberwar. This is how the popular press thinks about cyberwarfare. If you listen to CNN or Fox News or any of the cable TV stations, this largely captures how people think about a cyberwar; “With a nation in the dark, shivering in the cold, unable to get food at the market or cash at the ATM, with parts of our military suddenly impotent and the original flashpoint that started it all going badly, what will the Commander in Chief do?” (Clarke and Knake, 2012). That is the popular theory of cyberwar that once a cyberwar is launched, people will go back to the Stone Age. And that theory still permeates popular culture.
I want to just talk briefly about some of the competing academic theories of cyberwarfare.
Both of these boxes, the top and the bottom basically parallel each other, and they move from left to right. So on the left of each of the two boxes, the top is sort of a state of the art in 2013, the bottom is state of the art in 2021, and they basically parallel each other on the left. The revolutionists or the alarmists believe that cyberwarfare can change how we fight wars in general. They think it is a fundamental step change in how wars will be fought today and in the future. In the middle are the skeptics or the traditionalists who think it could be significant, but don’t think it will change how international order operates. And on the right, the environmentalists or the realists don’t really believe that it’s going to have a significant effect.
The problem with the competing academic theories of cyberwarfare is that none of these theories, at the time that they were formulated and articles were written about them, could reference a real, sustained cyberwar between two nation-states. These were theories, and they were based on the few historical antecedents prior to 2022. And in each of these historical antecedents… Estonia suffered a sustained multi-month attack by Russia in 2007, during a quick two month war in 2008 between Georgia and Russia, there was a cyberwar rage primarily from Russia to Georgia. China from 2009 onwards had a very significant global espionage effort underway. Iran, 2010, where the United States and Israel attacked the nuclear centrifuge facility in Frodos with the Stuxnet virus. In 2014, the North Koreans attacked Sony. In 2012, Saudi Arabia was attacked by Aramco, was attacked by Iran.
I would define all of these as largely skirmishes. Now, they were relatively limited. In effect, they were not sustained over a long period of time. But there was clear attribution to nation-state actors in each of the cases. The parties involved or the aggressor involved was a nation-state, and attribution was very clear. And in the Ukraine, from 2014 through through 2021, there was simultaneous with the armed conflict in the eastern side of the Ukraine, there were what I would call cyber skirmishes between Russia and the Ukraine. But in none of these cases did we see a sustained cyber hostility between two nation-states for longer than a couple of months. So the theories that I referenced on the prior slide had only these as the antecedents leading up to the current conflict between Russia and the Ukraine.
Dustin: I’m going to interrupt you there. We’ve had a couple of questions come in. The first one is: “Were all of these state to state attacks?”
Mark: Not all of these were state to state. In the case of the North Korean attack on Sony, that was a state on a private entity in the United States, it’s on the slide because we were able to make attribution to the aggressor, in this case North Korea being a nation-state. There are other examples. For example, it’s widely believed that the Russians hacked the International Anti-Doping Association and doxed a number of athletes in retaliation for Russian athletes. This is in the lead up to the Rio de Janeiro Olympic Games. That’s in response to Russian athletes being barred from representing Russia as a state in the Olympic Games. So that was another example of an attack on a private entity. But in all these other cases, these were state to state conflicts.
Dustin: “What impact did the CIA and NSA leaks of tools have on this?”
Mark: We at DarkOwl have written extensively about this. As recently as of three or four years ago, we published a paper on nation-state warfare in the darknet. Just by way of background, both the CIA and the NSA in the last four or five years have suffered significant leaks of their offensive weapons into the darknet and into the public. And our theory in looking at those leaks was that the widespread availability of the tools that were among the best tools that the NSA and the CIA had leveled the field in many respects between nation-states because a relatively small nation-state could go pick up those weapons and start to wage warfare against other countries and it didn’t necessarily elevate them to cyber superpower status. But it did have an effect. We don’t know whether any of these particular cyber skirmishes or cyberwars that took place or battles that took place used those weapons. Most of those I think both the CIA and the NSA leak took place after 2015. So only really the Russia-Ukraine war will probably have seen the use of any of those weapons, if at all.
I wanted to throw this up because I talked about it just in lead up to our discussion, but the Belfast Center at the Harvard Kennedy School came up with a CyberPower index algorithm which is at the bottom of the page there and they rank the top five global cyberpowers as the US, China, UK, Russia and the Netherlands.
And perhaps there’s no surprise in that listing. The Netherlands are relatively small but a highly sophisticated country and they have made cybersecurity a significant part of their defense structure. I note here honorable mentions and I’ve talked about them before. North Korea, perhaps one of the lesser developed countries in Asia, is certainly a near cyber superpower, Israel, there’s a lot been written about Iran. None of them are particularly large countries. I think Iran’s population is verging on 60 million and is probably the largest, but the fact that they are able to achieve near superpower status is an indication that this is an area that they have significantly focused on.
So let’s talk about the Ukraine-Russia war and some of the observations that we have seen in the lead up to the Ukraine invasion in February, and by invasion I mean the invasion of the Russian troops, physical troops into Ukraine. We saw a significant amount of cyberattacks actually going back into the fall, but in mid-January there were significant cyberattacks against Ukrainian government services, government web-based services, there were a number of false flag operations attempting to implicate Poland in those attacks, which was interesting and we started to see wiper malware deployed in a variety of these attacks there were widespread leaks of Ukrainian citizen data there were a number of DDoS attacks that were mounted across Ukraine – there were a number of attacks on the Ukrainian financial sector.
Perhaps the most interesting thing in the lead up to the actual invasion was that there were six strains of wiper malware that were deployed and what we saw was a transition from traditional sources of attacks to wiper malware in the final weeks before the campaign and again many of these tried to implicate Poland as the source of the attacks but in reality Microsoft has done a pretty good robust study and identified six unique strains of wiper malware that were used and again.
Wiper malware goes onto a computer and wipes it – you don’t have any retrieval capability of the data that is kept on that. There was clearly a significant amount of cyberattacks that were waged in the months leading up to the actual war. We saw on the 24th of February the physical war started, Russia entered from the north, the south and the east into Ukraine and launched missiles at targets in the first 36 hours.
We’re now roughly six months out from the launch of that war so we’re now at a point where we can make some observations about what we have seen and start to make some hypotheses about how this war has been waged. A lot has been written about this but one of the most interesting and unanticipated things that we’ve seen in this war is that literally on day one the Ukrainian government requested help from the activists, the international activist community.
They formed the IT Army of the Ukraine on Telegram and put out a call for activists around the world to join them in attacking Russia from a cyber perspective. And the last time I checked, there were 300,000 or 400,000 followers on the IT Army of the Ukraine. By the way, that channel on Telegram is still very active on a daily and weekly basis. It provides targeting information to the activist community. As recently as yesterday, we saw new targeting information go up, targeting, I believe, Russian Financial targets in Russia. So what the Ukrainians were able to do, which I don’t think anyone anticipated, was suddenly galvanize an army of probably tens of thousands of activists around the world to start to attack Russian targets. And against the backdrop of a Ukrainian cyber armed, uniformed cyber force of probably hundreds or low single digit thousands, suddenly there were tens of thousands of people fighting on behalf of the Ukraine.
Day three of the war, Anonymous launched a campaign to attack Russia and the Belarus. And actually, Anonymous has since been joined by a number of other private actors who have stood up efforts to join the attacks in Russia. And by day five, we started to see a significant amount of data leak into the darknet from Russian targets, both civilian and military targets. In this case, we saw a leak of 60,000 government email addresses. There were immediately attacks on critical infrastructure suppliers: Gasprom, Foreigner, Gas, Mash Oil. A lot of them were hacked. In the first days of the war, it was very difficult as a Russian to get access to any government website and to get access to your bank. We saw tax of Russian state TV military communication leaks. We then started to see leaks of private information of Russian soldiers who were fighting in the Ukrainian battlefield, and they were doxed. And as I mentioned earlier, financial institutions were targeted. We continue to see daily DDoS campaigns. We’ve spoken to a couple of commercial entities in eastern Europe who are effectively offline from a commercial perspective because they’ve turned over their entire network to DDoSing Russian targets. So, you get a sense that overnight this was unanticipated. The Ukrainians were successful at galvanizing the international activist community to fight on their behalf, their offensive cyber capabilities increased by orders of magnitude.
Anonymous messages to Russia
Quickly talking about some of the creative attack methods that were used, GhostSec carried out a printer hack. It turns out that Russian government printers are networked, and within a few weeks at the beginning of the war, GhostSec hacked that printer network and started spewing out inside Russian government facilities propaganda on behalf of the Ukrainians streetlight control systems were hacked. There were a variety of hacks of messaging systems used widely in Russia. We saw electrical vehicle charging stations hacked. We saw, both at the military and the civilian level, short band radio interception and direct trolling. And it turned out that the Russian military was using short band radio in the early stages of the war, and it didn’t take very long for that to be hacked as well. As I mentioned earlier, ATMs were hacked, radio and television channels were hacked. Flights were disrupted, food deliveries were dusted. So these were disruptions that occurred at the civilian level and at the military level in Russia in the early days of the war, but they were they were largely addressed by the Russians within hours.
And by the way, on the other opposite side, the same thing happened in the Ukraine. There were Russian attacks on Ukrainian ISPs, banks, government websites as well. But these don’t rise to the level of that definition that I gave you earlier in the webinar, which is Russia didn’t go dark and cold and stay that way.
Dustin: “Is the IT Army of Ukraine still active?”
Mark: Yes, it is. And I think I mentioned we actually monitor on a daily basis – it’s found in the darknet database yesterday. When I looked at it, I believe they were putting out targeting information for Russian financial targets. They’re still very active.
Dustin: “What are the long term implications of the IT Army for future cyberwarfare?”
Mark: Oh, that’s a great question. So the Director of the FBI has testified in front of Congress that the implications of something like the IT Army for future cyberwarfare are unknown, but they’re not positive. I think the words he used in his testimony were that if you green light 50,000 civilians around the world to attack another nation-state, it’s well within possibility that they could also attack the United States at some future date. And I think that in a lot of the cyberwarfare, that must have occurred at the federal government, at the military level in the United States, we may have anticipated five or ten or 20,000 Chinese or Russian soldiers cyber warriors attacking us. Once you start to increase that number by orders of magnitude, it changes the equation. So the long term implications are probably alarming and are poorly understood. But clearly, it’s a major issue for any country, by the way, not just the United States, any country that could face the wrath of people who have successfully attacked a nation-state in the past and know that they have the tools to do that.
Dustin: “Obviously, Russia must be monitoring these channels. Are some of these meant as deception or distraction efforts, while more specialized secret targets are addressed by specialized, more capable actors to take advantage of the chaos?”
Mark: Yes and yes. Clearly, Russia’s monitoring these channels, and my guess is, as soon as they see a bank and an IP range targeted, they’re trying to take whatever precautions they can. I don’t think it could be a deception effort by the Ukrainians to distract them from targets that are elsewhere. The reality, though, is that, especially in the context of a DDoS attack, the number of people participating matters. So even if they are deception efforts, they’re working. The actual attacks are working from what we can see. But that’s a great question as well. And I have no doubt, by the way, that the Ukrainians are not publicizing all of the attacks or all of the targets that they’re targeting.
These are some screenshots of some of the hacks of the electrical systems.
On the left is the EV electrical vehicle charging station, where the actual screen read obscenities about Putin. On the right are hacked ATMs. You’ll see the Ukrainian flag coming across the ATM on the right. One of the really concerning things, obviously, about cyberwarfare in general is the potential to attack critical infrastructure. And we have seen that in this war. We’ve seen a number of vulnerabilities. Exploited water and electricity facilities have been targeted. We haven’t seen a large scale shutdown of water and electrical facilities. They’ve been fairly narrowly time delimited. We have seen attacks on oil and gas refinement distribution centers, particularly near the Russia Ukraine border, and there have been a number of explosions. We don’t have direct attribution that those are caused by cyberattacks. We suspect they are. And in some of those cases, there were civilian casualties. Those have been perhaps the highest profile critical infrastructure attacks that we suspect were carried out by cyber warriors. We’ve seen satellites targeted. By the way, not only have the Russian satellites been targeted, but the Russians also targeted European satellites in the early stages of the war. We saw the Joint Institute for Nuclear Research was shut down for a number of days as a result of a DDoS attack. And then we’ve seen ISPs and other telecommunications providers. So again, we’ve seen these attacks occur.
We have seen some consequences, we suspect, from these attacks. What we have not seen is a sustained shutdown of any of these facilities as a result of these attacks. One of the real surprises for us was the ability of the Ukrainians to galvanize the international activist community and with unknown implications for the future of cyberwarfare. Another interesting and unanticipated consequence of this war has been that the criminals have fallen out with eachother.
Now, in the lead up to the war, we long suspected that many of the ransomware gangs and some of the other bad actors on the darknet were a combination of Russian and Ukrainians working together. And what we have seen since the beginning of the war is a very clear fallout between the Russians and the Ukrainians in the darknet, some of these gangs have split apart. Some of these gangs have clashed with each other. Where gangs had both Ukrainians and Russians in the gang and they split apart. Each side is leaking secrets into the darknet about the other side. And we’ve seen an unprecedented amount of data leaked into the darknet about the ransomware gangs, about their tactics, about the tools that they were using and how they were actually going about what they were doing. I mean, it’s been a treasure trove of information for us and for the industry to give people a sense of how much data has been leaked into the darknet. Both this type of data as well as just leaks as a result of a tax.
DarkOwl has been in existence just under five years. We’ve been collecting data continuously during that time. Since February of this year, the net size of our database and we archive all that data the net size of our database has increased by 20% in six months because so much data has been spilled out into the darknet. Some of these names may not mean anything to you, but these are among the major ransomware gangs leading up to the onset of the war. And what we have seen is that they have stayed split. They are still battling with each other. They’re still spilling eachother’s secrets into the darknet.
Dustin: “Have any of these attacks resulted in any significant physical damage?”
Mark: The only one that we’re aware of is, and we suspect because we can’t make direct attribution to a specific attack, are some of the explosions that have occurred in oil and gas distribution and refining facilities near the Ukraine Russia border. There doesn’t appear to be a physical reason for those explosions, which leaves cyber. And the Ukrainians, I think, in one or two cases, have taken credit for those explosions and credited their cyberattacks on that as well.
Dustin: “What is your assessment around why we have not seen sustained attacks against critical infrastructure?”
Mark: I’ll come on to that in the next couple of slides. Many of you will know that Belarus was used as a staging ground for the invasion of Ukraine from the north. In other words, Russian troops were in Belarus and moved from Belarus into the Ukraine, which then caused Belarus to become a target for the Ukrainians. And there were a number of attacks as well into the Ukraine. It was difficult, if not impossible, to buy a train ticket, and it severely disrupted the train system in Belarus in the early weeks of the war because such a successful cyberattack occurred. There were a number of attacks against banks, transportation, legal, military contractors. We saw a massive leak of data coming from the largest defense contractor in Belarus. There have been and again in the world, of criminal gangs fighting criminal gangs. GhostSec attacked a group called ghost rider who were aligned with the Russians. And GhostRider has remarkably retaliated with a really sophisticated phishing campaign. And their phishing campaign has targeted civilians in combat zones in the Ukraine with emails that come from Ukrainian government email addresses asking them to leave the area they’re in and congregate because of the war that’s being waged around them, and congregate in areas that have been subsequently been hit by shelling. That’s about as sophisticated phishing campaign as you can imagine. You’re geolocating the recipients, you’re sending them very official looking Ukrainian government emails. You’re sending them those emails at a time when they are hearing shelling or experiencing shelling in their neighborhood, and you’re moving them to areas that are more vulnerable. So that’s where the overlap occurs, between relatively harmless, between warfare that may or may not affect civilians to very directly affecting civilians. And it’s incredibly sophisticated what we’re seeing in terms of that unfolding.
And I’m going to come on to the question of why we’re not seeing more Russian attacks on critical infrastructure impact the US and western countries and companies in the region. So obviously Russia, the Ukraine, and Belarus are pretty well offline for any normal commercial activity and pretty well likely to be so for the indefinite future. We’ve seen that subsidiary and vendor risk in those countries and in the region, more broadly in the eastern European, risk has become extraordinarily high. And we have seen this among our own client base. We have seen vendors and contractors and subsidiaries for our own clients and their clients directly attacked, directly targeted, and in some cases compromised as a result of this cyberwar. So from an American or a western commercial perspective, you absolutely need to pay attention to any exposure that your organization may have in the region.
And let’s be clear, both Ukraine, Belarus, and Russia were all sources of relatively low cost and relatively sophisticated coding and computer science capabilities. And Ukraine in particular had tens of thousands of employees in Silicon Valley and western companies coding and working for them. Some of you may remember that in the early stages of the war, there was a terrible incident where a woman was taking her children and her husband to safety and was killed in a shelling in the street. She was the Marketing Director for a Silicon Valley company living in eastern Ukraine. That’s how close to the vein it is, particularly for the American tech sector. We did see critical infrastructure, as I’ve discussed, severely impaired. And our advice to companies that have any exposure in this region is to make an assessment and be extraordinarily cautious about how you move forward in the region.
This is the part of the answer to the question about attacks on critical systems. So, we have seen Russian attacks on western and Ukrainian critical infrastructure. The Russian attacks on Ukrainian critical infrastructure have largely received less publicity than the actual physical damage done by the war, which is occurring right there. So there hasn’t been a lot of publicity. I think there was some publicity about the fact that the main Ukrainian ISP was taken offline for a number of days by a Russian attack. It was subsequently restored. None of the power grids have gone off for more than a day. So I think those attacks have occurred. We have actually seen attacks on Western targets. The German wind turbine systems were knocked offline, there was a European satellite network that was targeted, we believe, by the Russians, Romanian gas stations were knocked offline. We’ve seen a fair level of increase in Chinese activity supporting Russia in this effort, which was a little bit of a surprise for us. And the FBI has already released indictments against Russian sponsored attacks on nuclear water facilities. We think in many respects, this is not the fullness of what Russia could do.
The retaliation by Russia against US and NATO or US and Western targets has been surprisingly ineffective. And our hypothesis is that there are a number of reasons for that. One is after Estonia and after the battles that we saw in the lead up to this war over the last decade, there has been billions of dollars invested in defensive cyber operations, and that is paid off well in this war. We also think the Russians are largely distracted by the attacks that are taking place against the targets in Russia and they’re preoccupying the cyber warriors. If you’re a Russian cyber warrior today, whether you’re a public or a private actor acting on behalf of the Russian state, right now, your predominant activity on a daily basis is going to be defensive in nature. We also have detected indication that in Russia there is a digital underground that opposes the Russian invasion of the Ukraine. And we’ve seen some targeting from inside Russia of attacks. And then there is a question of whether there is some lack of support in the Russian public. The public polls that we’ve seen indicate large spread support for the war by the Russian public. We don’t have any reason to doubt that. But as the war grinds on, and this is the same in any country, as the war grinds on and casualties mount, support tends to diminish. So I think that’s the answer. We’ve been surprised that the attacks from Russia have not been more sustained, more significant, and more serious, and that’s the best answer that we can come up with.
However, in the context of the first point that I made, which is our defensive posture, CISA early in the war, put out very specific guidance. Shields up. And here are things that you can do as a Western and American organization to better defend yourself against the prospect of a Russian attack, or any cyberattack for that matter. And these are obviously obvious to everybody who’s on this webinar. MFA, antivirus, anti-malware. Put up your spam filters, patch your software – how many times do we have to say that? And filter network traffic and monitor your logs, and knock on wood, that has had a significant effect today.
Dustin: “According to international law and the Geneva Convention rules, these private citizens attacking other nation-states organized under the Ukrainian government are legitimate military targets. What do you think will be the fallout or implications from this? If Russia has been able to successfully identify any of the members of the Ukrainian IG Army, do you think Russia or Russian aligned countries will try to arrest or conduct strikes on these people while they’re traveling?”
Mark: There’s a lot of good questions in there, and thank you for asking it. I’m not an expert on international law and the Geneva Convention, so I can’t actually address the first question about whether these are legitimate military targets. And my guess is that if Mark Turnage, sitting in Denver, Colorado, were to join the IT Army of the Ukraine and start to participate in attacks on Western on Russian targets somewhere in there, that would be a violation of US law, irrespective of the Geneva Convention or the rules of war. I may be violating US law, not that I don’t think the US is going to necessarily prosecute Mark Turnage for doing so. Certainly possible that they could do that. My guess is Interpol would not honor any international arrest warrant requests. Certainly, again, to use the example of me, if I were to travel to Russia, they could certainly arrest me and charge me with whatever they wanted. I think that one of the unknown implications of this war is the fact that we don’t know how this hacktivist army shapes up in future wars. But my guess is, to the extent that they are individual citizens and not uniform soldiers, they put themselves at some risk by participating in this. And, yes, they could be potentially arrested.
Dustin: “How does a commercial threat intel feed help me protect my organization from rogue IT armies?”
Mark: A lot of different ways. If I’m running a large Fortune 500 companies security and network and I have a robust threat intel feed I’m able to see whether my organization and its IP range is being actively discussed in targeting forums and in hacker networks that are adversarial to either my country or to my organization or these are just commercial ones so I can get a sort of pre warning on the fact that they are targeting my organization. I can get threat intel feeds on the nature of the vulnerabilities that are being used to exploit networks such as mine. So, I can draw a direct link between the software we use to protect our network and any known vulnerabilities of that particular software that are out in the darknet or out elsewhere for sale or being actively used. And for the most sophisticated of those organizations, they’re able to take some proactive steps to avoid attacking. So I would see that a dedicated, robust threat intel feed that encompasses both the darknet and social media is critical to any security posture for a large organization and if nothing else, this war has proven that very robustly.
Let’s talk about some of the observations so far in this war. As I mentioned, this war is largely not being fought by cyber soldiers but by criminals, mercenaries and activists and non-state actors who are acting at the behest of the warring parties. It’s an unknown, crazy world we’re walking into, to be honest. This was not anticipated by anybody and my guess is that in the war games that we conducted leading up to the Russia Ukraine war, this fact did not feature highly, if at all. As I’ve said, cities aren’t losing their power and water for longer than a few hours. Plenty of companies and government ministries are being taken offline, but again for days, not even weeks and there’s little evidence of sustained serious impact in Russia or the Ukraine. Again, the bulk of the focus in the Ukraine is on the physical damage that’s being done that’s being rotten on the country.
And then in answer to the question that came in earlier, the implications of war being fought by private citizens beyond the control of governments is really poorly understood. And I throw down here a couple of hypothetical questions of what happens is if a ceasefire or a peace treaty is reached between the Ukraine and Russia and the private warriors just carry on, what are the implications of that?
They’re profound, actually and this echoes the FBI director – should nation-states be worried that somewhere we don’t know if it’s 250,000 plus hackers, 50,000 hackers, but tens of thousands of hackers have successfully attacked Russia? At the bottom I put one of my early observations in the actual physical war that has been fought between Russia and the Ukraine there have been a number of deficiencies in the Russian armed forces that have been identified and they’ve been surprising, to be honest. Some of them have to do with supply chain and how the Russian armed forces support its troops in the field. Some of them have to do with the maintenance of Russian military equipment and so on. I’m wondering if there’s a similar deficiency that we’ve seen in the Russian cyber capabilities. Are they simply not the superpower we thought they are? The alternative, the flip side of that coin is they could be holding back. They could have an arsenal of cyber weapons that they’ve not deployed and not used. But it could very well be that to the extent that the Emperor has no clothes on their physical military capabilities, that the same is true in the cybersphere.
Observations on the privatization of warfare – this is another surprise and it doesn’t really address the cyberwarfare capability, the cyber implications. But this is a war where private actors on both sides are playing a significant, major role in the attacks in the war, and I mean both the cyberwar and the physical warfare. So as we’ve talked about, private hackers are waging a war on behalf of Ukraine, Russia. That’s been a real surprise. If not 100% of the military communication by the Ukrainians is done by Starlink. Early in the war the Russians were successfully took offline the Ukrainian military communication system. Within days, Elon Musk and SpaceX had launched satellites over Ukraine. And today the bulk of the communications that the Ukrainian military uses is provided by a private American enterprise. Now let that sink in. That’s a commercial enterprise that is doing that. Some of the best reporting on the war has been by OS analysts, not by US government analysts who have been using commercial satellite imagery that has been widely available since the beginning of the war. The coverage, particularly many of them have posted their analyses on Twitter have been very good.
The Western sanctions that have been imposed on Russia and its allies in connection with this war are being privately enforced by banks and companies. Those are private enforcement capabilities efforts. I would point all of you to bellingcat as a great OSINT source using open source tools that are available on the Russian side. The Wagner Group is heavily involved. It’s a private mercenary enterprise. It’s heavily involved in the war in Eastern Ukraine up to and including flying fighter jets for the Russians. And obviously there’s a fair amount of pressure on companies continuing to do business with Russia.
We have made the observation that private hackers are engaged in this war. It’s not just private hackers. Right through the war on both sides, private actors are playing a very significant role in the waging of this war. What are the implications for the post war darknet? DarkOwl is a darknet intelligence company. We gather data continuously from the darknet and we provide that to our clients around the world as a threat intel feed or as a source of information so we see a lot of this unfolding, particularly in the darknet and what I call a chaotic and often unruly environment in the darknet, just became even more chaotic and risky. When you start to see major criminal gangs in the darknet start to fight each other and leak each other’s information into the darknet. But it’s a golden source of information for us and for our clients. But it’s also just an indication of just how anarchic that capability has become. These criminals will continue to turn on each other, but that’s not going to last forever, and we don’t know how this is ultimately going to shake out. Ransomware has been a big focus of criminal activity in the darknet. We expect that there will be a shift that that will continue to be the case. But we’ll see more wiper malware deployed.
So the consequences, again, for a US Hospital that’s subject to a ransomware attack of not paying a ransom, may be even worse by not paying the ransom if they don’t have a backup and they don’t have other capabilities to restore their network. If the criminals on the other side of that effort choose to deploy wiper malware, you may lose those, particularly if you don’t have backup. You may lose those medical records forever. Again, very sophisticated malware targeting for industrial control systems that we’ve seen.
We’ve seen an increase in awareness about what the darknet is and how it can be used. Propaganda and disinformation – I’ve spent relatively little time in this presentation talking about propaganda and disinformation, primarily because most of those efforts are in social media, not so much in the darknet, although we do see it occurring in the darknet. And as I said earlier, the hacktivist movement has been unleashed.
Here are some unanswered questions and I think some of the questions that we’ve had during the course of this webinar are addressing some of these:
How do the laws of war apply to cyberwarfare both in the decision to go to war and in the decision to wage the war and how you wage that war? The implications of it are very poorly understood. The attribution error issues, frankly, scared me to death.
How does one deescalate against cyberattacks that are coming in that you think but don’t know for sure are coming from an adversary? Where’s the safety valve in all of this? In physical warfare? I can see that your planes are coming to attack my targets. I can see that you’re shelling me from behind your lines in cyberwarfare. It’s a far messier calculation and the implications of that are frankly, frightening.
What are the implications with the appearance of non-state actors on the stage? We don’t know. Will cyber become strategically decisive in a war? It has not been strategically decisive in the Ukraine Russia war, although it’s been a significant factor, but it’s not been strategically decisive. And where is the line between cyber terrorism, cyber criminal activity and cyber hacktivism on the battlefield to be determined going forward.
Thank you very much for joining us today.
Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.
In DarkOwl’s regular daily collection of content for its Vision SaaS platform, we often witness criminal communities being disrupted and dispersed by law enforcement operations. Usually, these operations are carried out covertly until enough evidence has been gathered to shut down the illicit operation. At that point, oftentimes, the law enforcement group will conduct heavy DDoS attacks (or other attack methodologies) against the marketplace or forum to shut it down, leaving a “this domain has been seized” notice on a website’s landing page.
In this piece, we decided to take a closer look at some of the key intelligence agencies, government groups, and law enforcement organizations that contribute to policing the darknet through targeted cyber operations.
The darknet – compromised of anonymous networks only accessible by special anonymous proxies and/or peer-to-peer systems – is an elaborate web of services. Based on our historical insight into this space, our analysts ascertain that the darknet is largely compromised of criminal activity ranging from the sale of drugs and illicit goods and humans to advanced malware development, data brokerage, fraud, and financial crime. Recent academic researchindicates that over half of all Tor-based onion services facilitate crime in some form or fashion.
Much of this criminal activity spills over into the deep web and chat platforms like Telegram where many of the leading administrators establishing ‘mirror’ sites and channels that replicate much of the content shared across Tor and peer-to-peer anonymous networks.
International intelligence, military, law enforcement personnel, and other cybercrime agencies are present both overtly and covertly on the darknet. Marketplace and forum discussion threads are sprinkled with users dismissing posts with derogatory name-calling like “pig” or “spook.”
In 2019, the US Central Intelligence Agency (CIA) replicated their Surface Website (cia.gov) on the Tor network, including the agency’s public announcements, the World Factbook, and careers page all available reportedly via ‘secure and anonymous’ web connections.
In early May, the CIA launched a concerted campaign to encourage Russians dissatisfied with Putin’s invasion of Ukraine to “get in touch on the darknet.” The campaign included detailed instructions in both Russian and English for downloading the Tor browser and accessing their content Tor.
There are any number of organized law enforcement operations on-going in the darknet and adjacent criminal communities. Many times, the seizures of servers hosting and facilitating cybercrime are a result of a multi-agency activity months (or years) in the making. Agents from the Federal Bureau of Investigation’s Cyber Crime Unit (FBI) and Interpol lead many of the operations that result in not only the take-down of criminal sites, but also the indictments and arrests of the criminal masterminds behind the darknet community.
With so many different groups operating in the space and most heavily rely on acronyms, we’ve compiled a list of the prominent international government, intelligence, and law enforcement organizations that we’ve seen mentioned in significant operations carried out on the darknet. The table below includes their common and formal names, as well as the countries they primarily operate in.
Federal Security Service (Federalnaya Sluzhba Bezopasnosti ФСБ)
Russia
FinCEN
Financial Crimes Enforcement Network
USA
GDCOC
General Directorate Combating Organized Crime
Bulgaria
GCHQ
Government Communications Headquarters
UK
HSI
Homeland Security Investigations
USA
IRS:CI
Internal Revenue Service, Criminal Investigation
USA
IDF
Israel Defense Force
Israel
JCODE
Joint Criminal Opioid and Darknet Enforcement (DOJ)
USA
GRU
Main Intelligence Directorate
Russia
NCA
National Crime Agency
UK
NCJITF
National Cyber Joint Investigative Task Force
USA
DNRED
National Directorate of Intelligence and Customs Investigations
France
NSA
National Security Agency
USA
NCIS
Naval Criminal Investigative Service
USA
KLPD
Netherland’s National Police
Netherlands
OFAC
Office of Foreign Assets Control
USA
PSNI
Police Service of Northern Ireland
Ireland
PF
Policia Federal
Mexico
NPB
Polisen Swedish Police
Sweden
PJ
Portuguese Judicial Police (Polícia Judiciária)
Portugal
SBU
Security Service of Ukraine (СБУ)
Ukraine
Europol
European Union Agency for Law Enforcement Cooperation
European Union
Interpol
International Criminal Police Organization
International
CBP
U.S. Customs and Border Protection
USA
ICE
U.S. Immigration and Customs Enforcement
USA
USDT
United States Department of the Treasury
USA
USPIS
United States Postal Inspection Service
USA
USSS
United States Secret Service
USA
DOD
United States Department of Defense
USA
DEA
United States Drug Enforcement Agency
USA
Stay tuned for future content where we review some of the most historically significant and disruptive darknet “operations” conducted by these organizations. Our interactive timeline is now live!
Learn how DarkOwl supports Law Enforcement & National Security investigations with darknet data tools built for analysts, cybercrime agencies and threat intelligence teams. Contact us to learn more.
Cyber insurance is an increasingly popular topic of conversation across the information security community, as the frequency of attacks against organizations has steadily increased in recent years. The probability of a successful attack, resulting in the unauthorized access of an organization’s data, applications, services, network infrastructure or devices, or worse – the theft or loss of proprietary or sensitive data – is exponentially increasing in the post-pandemic world where work-from-home and hybrid work/home office environments have been normalized challenging an organization’s cyber-defense posture.
According to Accenture, 66% of small businesses have experienced a cyberattack, with the average cost of a malware attack on a company (regardless of size) hitting $2.6 million, signaling that cyber insurance policies are now essential for an organization to prevent significant financial business impact or even bankruptcy.
Coalition’s 2022 Cyber Claims Report confirmed the attack trends with their data indicating that small businesses are consistently targeted more frequently than medium and large organizations. They also report that claims increased in severity by 54% in 2021, with the average cost approaching $360,000 USD for companies with revenues more than $100M.
What Is Cyber Liability Insurance and What Does it Cover
Cyber liability insurance is a form of insurance available for individuals and businesses to purchase to help reduce the negative financial impacts and risks of conducting day-to-day activities on the Internet. Cyber insurance is rooted in errors and omissions (E&O) insurance which generally protects against a company’s faults and defects in their products and services.
Any organization or business that operates predominantly on the Internet, collects or retains customer data such as personally identifiable information (PII) or protected health information (PHI), interfaces with the payment card industry, or stores sensitive proprietary data and digital intellectual property on a company network connected to the Internet should consider purchasing a cyber liability insurance policy.
In the event of a cyberattack, the theory of E&O coverage kicks in to support a sole proprietor or business who cannot fulfill their contractual obligations with their network and systems offline. Similarly, the coverage can help cover costs to litigate claims resulting in the failure of service performance or product delivery due to the cyber security incident.
Cyber liability insurance covers most of the financial costs associated with a cybersecurity incident and data breach. This could include:
extortion payments associated with a ransomware attack
digital forensics and incident response team costs to remediate an event or recover compromised data
paying legal fees and/or fines as a result of privacy violations
monitoring the credit for, and restoring the identities of compromised customers or employees with exposed PII
cyber terrorism attack
procuring replacement hardware or compromised computer information systems
notifying stakeholders of the security incident and breach of confidential information
Some cyberattacks include cyber espionage that doesn’t result in an overt cybersecurity incident and IT network failure. Does your cyber liability insurance policy cover your employees’ personal information showing up in the underground without the knowledge of your IT department?
cyberattacks against resources located anywhere in the world and not geographically limited
legal costs if incident results in lawsuit or regulatory investigation, e.g. includes “duty to defend” wording
offers a breach hotline available 24/7, 365 days a year
cyberattacks on your data held by vendors and other third-parties
lost income due to business interruption
crisis management and public relations
Types of Cybersecurity Insurance Coverage
Policies covering cyber incidents are generally written as either first- or third-party coverage or both. First-party coverage protects the infrastructure and data owned by the policy holder’s organization. This coverage includes data related to an organization’s employees and customers. Third-party coverage is a form of liability coverage associated with the consequences of the exposure of an organization’s customer and vendor data.
Often when a cyberattack occurs it is the sensitive customer data or employee PII that is most valuable to the threat actor where the database is quickly commoditized in the darknet and traded or sold in underground data marketplaces and forums.
Unfortunately, many organizations under protect themselves getting first-party coverage only, when third-party is more comprehensive by orders of magnitude and applicable to the modern cybersecurity use case. Furthermore, traditional E&O policies do not cover the loss of third-party data.
Insurance Carriers, Brokers, Underwriters, and Reinsurers
While cyber liability insurance is offered by most major insurance carriers, we quickly realized that those shopping for cyber liability policies can easily get confused by the different roles and responsibilities of the various insurance players. During our research on the cyber insurance industry, we encountered several different stakeholders that could have vested interest in the cybersecurity risks associated with potential insurance claims.
Insurance Carriers – also referred to as the insurance provider, an insurance company, or agency – is the financial security behind the coverage provided in an insurance policy in the event of a cybersecurity incident. The insurance carrier issues the policy, charges the premiums to the policy holder, and covers payments from claims against the policy.
Insurance carriers issuing cyber liability insurance policies must remain hyper-vigilant on the evolving security risks facing their policy holders. They will establish pre-policy issuance security risk assessment protocols, evaluation criteria, and periodic auditing of their policy holders. In the US, insurance carriers are often described as “admitted” and non-admitted insurance providers which differentiates in whether they are ‘backed by the state’financially and in compliance with regulations outlined by the policy holder’s state Department of Insurance.
Insurance Broker is an agent who sells or purchases insurance policies on behalf of another. An insurance broker specializes in the nuances and complexities of the insurance industry and knowledgeable of security risk management to advise on the type and amount of coverage required for a cyber liability insurance policy. They serve as a “consultant” and insurance representative to the insured policy holder.
Underwriters include persons assigned and qualified to initially assess, evaluate, and assume the security risk of another party for a fee or percentage commission from the policy value. The underwriter may work directly for the insurance carrier or independently contract to the insurance issuing organization as a freelance underwriter. The most commonly relatable example is health insurance underwriters who closely evaluate an applicant’s risk posture via detailed questions of the potential policy holder’s age, health conditions, and family medical history.
In cybersecurity, an underwriter has the responsibility to perform comprehensive risk assessments of cyber liability insurance policy applications for potential security risks that are increasingly complex and challenging to predict based on traditional risk modeling methodologies.
As claims increase in value the application process for new policies is increasingly rigorous with insurance carriers requiring underwriters gather supplementary ransomware-based questionnaires and proof of business continuity plans and security incident response plans from insurance applicants.
Third-Party Administrator often called TPAs, are professional, state-licensed organizations that support the insurance carrier in administrative services related to insurance. They most often are responsible for handling claims on behalf of the carrier including the evaluation of the legitimacy of the claim, processing the claim, making financial determinations, and reporting to regulation authorities. While TPAs are historically involved in the health insurance industry, there is a growing group of cybersecurity-specific TPAs that exclusively focus on managing cyber and privacy breach claims.
Reinsurers refer to the reinsurance companies, or more simply, the insurance providers for the insurance companies. According to the Corporate Financial Institute, a primary insurer – the insurance carrier – transfers policies, or insurance liabilities – to a reinsurer through a process called cession, or “ceding”. On average, insurance carriers cede an estimated 50% of the policy premiums they collect to the reinsurance market. Reinsurers’ revenue is directly tied to the quality of the risk assessments performed for policy holders on the front end and the amount of financial capital available, either from the reinsurer or third-party capital sources.
Why Does the Darknet Matter to Cyber Insurance Professionals?
Data, information, and subsequent cyber intelligence derived from sources in the darknet, deep web, and criminal chat communities can help cyber insurance underwriters, insurance carriers, and reinsurers develop more robust and highly predictive security risk models. Higher fidelity risk models help price premiums to minimize claims payments benefiting the insurance carriers and their reinsurers accordingly.
The types of data from the darknet that might be utilized in security risk models can be as simple as the volume of policy holder’s organizational employee email addresses exposed on the darknet to more complex models which account for brand and reputational risks, mentions of executive leadership, network infrastructure like domain names and IP addresses, and exposed proprietary organizational data stolen through a pre-existing breach cyberattack.
Pre-policy evaluations can include darknet exposure data to assess the level of compromise of the applicant organization and determine whether prior breaches exist to the applicant policy holder – which is often excluded in cyber liability insurance policies. Pre-existing breach data for the pending policy holder’s vendors and supply chain can also drive security risk modeling and the potential risk must be financially compensated for.
Reinsurers also should independently monitor for darknet exposure and mentions of the insurance carriers they cover as well as their high-valued policy holders. Ransomware threat actors have actively targeted insurance carriers and exploit their policy holder information to leverage for subsequent attacks and drive negotiations with their extortion victims using their policy information as leverage for higher extortion payments.
Insurance Carriers are not Immune to Showing up in the Darknet
In 2021, Avaddon compromised a division of the global insurance carrier, Axa Group in Malaysia and reportedly exfiltrated over 3TB of claims data and medical records of their policy holders.
Figure 1: Axa Group Ransomware Announcement, Source: DarkOwl Vision
Most recently, the reincarnated “Happy Blog” restarted by REvil after Russia invaded Ukraine, targeted a family-focused insurance broker in Ohio giving the threat actors direct access to sensitive PII of their clients for subsequent fraud or digital identity theft.
Figure 2: Source REvil Blog on Tor
Victim data can emerge on the ransomware shame sites exclusively hosted on Tor in the darknet or data marketplaces, like Industrial Spy. One of the “free” offers on Industrial Spy includes a prominent Third-Party Administrator in India, MDINDIA. The proofs include a significant volume of claims carried out by the organization.
Figure 3: Source: Industrial Spy
There is an increasingly complex interrelationship between data from the darknet and the organizations involved in issuing cyber liability insurance policies and managing claims. Darknet data can help drive better risk decisions in issuing policies and persistent monitoring for on-going security risks to insurance carriers, brokers, and their policy holders. The cyber liability insurance market is evolving as result of threat actors on the darknet and increased attacks resulting in significant financial claims.
Next: stay tuned for our upcoming content that will take a closer look at some things that are excluded from cyber insurance policies.
Learn how DarkOwl enables cyber insurance carriers, reinsurers, and technology platforms to leverage darknet data to better identify, benchmark, and measure the risk associated with underwriting cyber liability. Contact us to learn more.
The NIST Data Interoperability Framework defines “Big Data” as a large amount of data in the networked, digitized, sensor-laden, information-driven world. The authors of that framework describe “Big Data” and “data science” as buzzwords that are essentially composites of many other concepts across computational mathematics and network science.
Data can appear in “structured” and “unstructured” formats. According to IBM, not all data is created equal. Structured data is often quantitative, highly organized, and easily decipherable, while unstructured data is more often qualitative, and not easily processed, and analyzed with conventional tools.
In the last decade the amount of unstructured data available to an individual has skyrocketed. Think about the amount of raw data a person consumes or generates on any given day, through mediums like SMS text messaging, watching, and/or creating YouTube videos, editing, and sharing digital photographs, interacting with dynamic web pages, and keeping up with the demands of social media. 2.5 quintillion bytes of data is produced every day, 80-90% of which is unstructured data.
Darknet 101
The darknet is a layer of the internet that was designed specifically for anonymity. It is more difficult to access than the surface web, and is accessible with only via special tools and software – specifically browsers and other protocols. You cannot access the darknet by simply typing a dark web address into your web browser. There are also darknet-adjacent networks, such as instant messaging platforms like Telegram, the deep web, some high-risk surface websites.
Data on the Darknet
The darknet and deep web are vast sources of structured, semi-structured and unstructured data that requires advanced architecture to collect, process, analyze, and distribute meaningful and targeted datasets to clients and users across diverse industry verticals. This includes FinTech, InsureTech, Identity Protection and Threat Intelligence providers. DarkOwl employs a modified model of “Big Data” often depicted by the “V’s” of Big Data.
Quick Definitions:
darknet: Also referred to as the “dark web.” A layer of the internet that cannot be accessed by traditional browsers, but requires anonymous proxy networks or infrastructure for access. Tor is the most common.
deep web: Online content that is not indexed by search engines, such as authentication required protected and paste sites and can be best described as any content with a surface web site that requires authentication.
high-risk surface web: consists of areas of the surface web (or “regular” internet) that have a high degree of overlap with the darknet community. This includes some chan-type imageboards, paste sites, and other select forums.
For a full list of darknet terms, check out our Glossary.
Volume
DarkOwl delivers petabytes of data processed in real time, with crawlers operating across different anonymous networks, deep websites, and platforms. As of this week, our Vision UI has collected and indexed over 215 million documents of darknet data across Tor, I2P, and Zeronet in the last year. Our Entity API has uncovered and archived over 8.8 billion emails, 15 billion credit card numbers, 1.8 billion IP addresses, and over 387 million cryptocurrency addresses.
Velocity
DarkOwl’s resources are designed to provide fast and frequent data updates by collecting from real-time instant messaging sources and capturing live discussions between users on darknet forums. In the last 24 hours, our system crawled and indexed over 1 million new documents of data.
Veracity
DarkOwl collects data in its original, raw-text format from legitimate and authentic sources discovered in the darknet, deep web, and high-risk surface web. DarkOwl scrapes darknet data without translation in its native language to avoid contextual loss from automated in-platform translation services.
Variety
The data DarkOwl discovers is disparate from diverse and distributed data sources such as Tor, I2P, ZeroNet, open FTP sites, and chat platforms with instant or new real-time messaging. We collect everything from darknet marketplace listings for drugs and malware to user contributions to forums and Telegram channel messages.
Value
DarkOwl delivers its data in a variety of delivery mechanisms along with our expert insights to help drive high-value business decisions for our clients and stakeholders. Darknet data in this raw format helps provides valuable evidence for qualitative investigations to quantitative risk calculations.
Voices
Darknet data centralizes around the voices of the various personas and threat actors conducting criminal operations in the underground. DarkOwl’s Lexicon helps users easily decipher and filter by marketplace, vendors, forums, threat actor pseudonyms, and ransomware-as-a-service (RaaS) operators.
Delivery Mechanisms of Scalable Data
Data Warehouse
A data warehouse consists of mostly structured data that is typically accessed via SQL. Data warehouses are traditionally based on RDBMS technologies such as Oracle, DB2, Postgres etc., and they take a ton of resources to build and maintain, hence the drop in popularity over time.
Data Lake
A data lake consists of a combination of structured AND unstructured data. Mostly unstructured data – as in medical transcriptions, court documents, audio, video, screen shots and so on. The structured data is mostly to tag and link the unstructured data. Data lakes are more popular now due to the ease of creating lakes. Data lakes are supported by cloud native vendors such as Amazon AWS, Google Cloud, Microsoft Azure, etc. DarkOwl can set up custom data lakes that contains a subset of our data, that we give customers access to.
Data Feeds
Data feeding describes the process of pushing parts of our Big Data over to the customer side. For example, we feed only credentials to some customers, or only credit cards to another, and in some cases, provide a daily snapshot of everything that a data provider has visibility into directly to the customer for their own business use case.
Figure 1: Screenshot of an API response from DarkOwl’s Entity API Credit Card Endpoint
Data Streaming
To process data rapidly, DarkOwl uses open-source technologies such as Kafka. Such services are mostly for internal use, but we could easily set up our customer as one of the subscribers to our data stream. This especially makes sense when the velocity of data is very high, which is often the case for darknet data.
Download this Report as a PDF
To learn how darknet data at-scale applies to your use case, please reach out.
Two years after the COVID-19 pandemic forced the world into their homes for quarantine, video gaming and streaming subscription service use is at an all-time high. There are over 134 million registered monthly active users (MAUs) on the popular video gaming distribution platform, Steam; an estimated 62 million connect daily to the service. 85% of US households have at least one video streaming service and on average households subscribe to at least 4 different services. In early 2022, Netflix reported over 221.6 million global MAUs of their services. (Source)
Given the widespread use of such services across all ages, demographics, and regional and cultural backgrounds, topics related to video gaming and streaming are frequently discussed in conversations in the criminal digital underground. The video gaming industry and the darknet community also have similarities in their core user base. Many gaming enthusiasts are intelligent, young, technically savvy, thrive in online communities and navigate the controversial and psychological games of the darknet with ease.
In celebration of National Video Game Day – July 8th – our analysts decided to take a closer look at the intersections between gaming, streaming and the darknet to uncover how interrelated the online communities are.
Accounts For Sale
Video gaming and streaming accounts are regularly offered for sale on the darknet. Accounts and accessories for popular video games such as PlayerUnknown’s BattleGrounds (PUBG), Dota 2, League of Legends (LoL), and Counter Strike (CS): Global Offensive are amongst those that regularly traded.
Game accounts are offered as “premium” with bonus account perks like player outfits, custom “skins,” and additional “uc” or “unknown cash” which can be used as virtual currency on the game platform for purchasing weapons and player skills.
Figure 1: Source DarkOwl Vision
Figure 2: Offer for over 280,000 Video Game Accounts for Sale
Some video gaming accounts include “leveled up” advanced player status that includes more skills or badges, years of experiences, with extensive in-game credibility that is more valuable than a standard account on the game.
Figure 3: Source DarkOwl Vision
DarkOwl has also observed accounts for all of the mainstream video streaming services, such as, Hulu, Amazon, Disney+, Netflix, HBO Max. Some of these accounts are offered for free on Telegram channels, as proof of the legitimacy of accounts available for sale. We’ve also observed accounts for streaming services offered for sale on Telegram for $40 USD, with indications that the original account holder was completely unaware that their account had been sold and used by someone from the darknet.
Figure 4: Source DarkOwl Vision
Cracked Accounts, Cracking Tutorials & Hacks
Some of the accounts being offered or sold are simply accounts that have been curated by darknet users, which are often described as their “own personal account.” Others are created in masse by “cracking” users’ accounts at scale, i.e. stealing and reselling account credentials. Most cracked accounts are obtained by account brokers, who compile leaked credentials from compromised commercial services and perform credential stuffing, or utilize nefarious brute-force password cracking utilities like John the Ripper.
One such utility for offer on the darknet states that using their tool, users can create 10 private Counter Strike game accounts per hour. (Source: DarkOwl Vision)
We’ve seen similar offers for automatic account generator sold in conjunction with “Cracking Tool Packs” which includes crackers, stealers, email validators, and checkers for generating and validating accounts.
Many gamers of the darknet offer game hacks for increasing skills or a player’s credibility without the time in service in the game. For example, one document in Vision details the Fifa 2022 Coin Generator to acquire unlimited free FIFA 22 coins and points for one’s “Ultimate Team” and according to the offer, secure players like Gullit, Ronaldo, and Maradona on one’s team. The hack uses a series of network proxies to avoid the account getting banned or suspended.
Figure 5: Source DarkOwl Vision
Cracked Games
Many deep web forums offer “cracked” games or pirated game software that can be played without any licensing or payment. Recently users on Breached Forums shared several Surface Web sites where games are available without purchase. (Source: DarkOwl Vision)
Video games are cracked by reverse engineering the programmed copyright protection features and bypassing codes in the software that validates the games as authentic. The darknet is replete with users who abhor the idea of intellectual property and celebrate software piracy; afterall, the darknet is home to The Pirate Bay (TPB). Cracking tutorials in the darknet cover all matters of illegal “cracking” including passwords, wi-fi routers, commercial accounts, and software.
For obvious reasons, we’ll not detail any of the cracking tutorial methods that we’ve spotted across popular hacking forums and Telegram channels. In 2021, multiple video game developers were attacked by cyber criminals and source code for their projects stolen and resold on the darknet. In February 2021, cyber criminals gained access to the CD Projekt and exfiltrated the source code for Cyberpunk 2077, The Witcher 3, and Gwent. In July, the LAPSUS$ criminal group successfully exfiltrated the source code from Electronic Arts Fifa 2021 soccer game and the proprietary FrostBite game engine, which was the foundation for other popular games by the video game publisher.
The availability of such source code compilations facilitates the successful cracking of video game software applications in the future by cyber criminals profiting off selling pirated games.
One of the fundamental tools an elite video gaming and streaming service account ‘cracker’ requires is a combolist. A combolist consists of a list of leaked usernames and passwords or email addresses and passwords combinations that can be used for cracking.
In the last year alone, DarkOwl has scraped nearly 100,000 documents across the darknet and deep web for offers of “combolists” from across the US, Europe, and Latin America. Most of the combolists are advertised as “private combos”, with hundreds of thousands of credential combinations in each combolist, and available for purchase on darknet marketplaces like Nemesis for under $20 USD.
Figure 7: Marketplace Offering Combolists for Download and Purchase
The combolists are used in credential stuffing programs to validate the credential combinations work on the commercial gaming or streaming service authentication logins. With hundreds of thousands of combinations to work from, even a 1% success rate is a significant volume of accounts that a cracker could resell as a ‘cracked account’ for the platform.
Video Game Fraud, Pranks, & Scamming
The darknet is known for widespread fraud and scamming and the video gaming community is perfect for exploiting its younger and often naïve users. With online gaming environments supporting multiplayer teams – that include a socialization and sense of community with group and private chats – gamers spend hours a week with their teammates creating very real sense of community and unfortunately, a false sense of trust and confidence in their online “friends.”
Many scammers play the criminal long game, willingly infiltrate online teams and lure the game participants to share personal information such as their real name, location, age, etc that can be used for identity theft and financial fraud. Not all of this social engineering is used exclusively for fraud. Some aggressive players gain this information to formally dox the players and SWAT them for the sake of online bullying and harassment.
To SWAT someone involves calling 911 (or similar emergency services) and lying about someone committing a serious crime, e.g. hostage, kidnapping, etc, to urge dispatchers to send a team of police officers, ideally a SWAT team, to a victim’s location. This is often carried out in the middle of a game or Twitch stream where the audio and video of the SWAT team arriving can be witnessed by others. Gamers will also prank victims with large deliveries of food like pizza that requires payment upon receipt.
Figure 8: Source DarkOwl Vision
Scammers will send other players third-party links to “cheats” and “gifts” for the game that are malicious in nature and often covertly install malware on the player’s device. Some of the links are simply phishing links that trick the victim into entering personal information, or their login in attempt to hijack the player’s gaming account for “cracked account” resale.
Figure 9: Source DarkOwl Vision
We have also captured offers for physical game consoles for sale on darknet marketplaces, which are often either stolen goods or buyers are scammed, cryptocurrency on the market loss as the electronics or console is never delivered.
Some malware in circulation intentionally targets gamers for theft of personal information and fraud. According to open sources, there has been “cracking malware” like BloodyStealer, in circulation that behave like traditional information stealers, but target information specific to video game users like account logins and user tokens for Steam, Epic, VimeWorld, Discord, and EA.
Gamers Recruited for Criminal Activity and Information Operations
In recent years, chatter on darknet discussion forums and Telegram channels detail how political extremists have leveraged video gaming platforms and online communities for recruitment and socialization of political and societal ideologies. Gamers have stated both “fascists” and right-wing “Q” extremists have infiltrated popular video game group chats, spamming the chat with racial slurs and hateful rhetoric in attempt to trigger its players and evaluate how players react and respond.
Many users on the platform login to the game – not to play the game, as evidenced by their lack of skills and time actually playing – but to dialogue and post content to the game’s group and team chat for recruitment and information operations.
Open-source reporting by counter-terrorism specialists opines that some terrorist groups such as ISIS have utilized video game platforms and streaming communities like Twitch to spread their polarizing and violent political beliefs about controversial issues. The desensitization of first-person shooting games like Call of Duty and Grand Theft Auto (GTA) helps radicalization of individuals, especially teenagers between the ages of 11-17 years to carry out violent acts against marginalized groups in society.
Other young video gamers have been lured through video game communities to meet up with other users in-real-life (IRL) after establishing an online “friendship” through the game. Law enforcement have reported several of the young female gamers have ended up physically harmed, such as harvesting their organs, and even sold into sex-trafficking as a result of the in-person meet-ups.
Curious about something you read? Interested in how darknet data applies to your use case? Contact us to find out how darknet data applies to your use case.
SCOTUS members credit card information continues to be doxxed
July 1, 2022
The recent doxxing of Supreme Justices – presumably in retribution for the Roe v Wade rulings – has spread widely across social media platforms, including Twitter, Instagram, TikTok, and more.
While all members of the Supreme Court have been doxxed to some degree in the past, this latest round of public information sharing contains Credit Card information for at least four Justices.
Many posts circulating on the darknet, deep web, and paste sites include other associated PII (as pictured above), which together form a comprehensive doxx of the targeted Justices that could be exploited for social engineering attacks, fraud and more.
SIEGEDSEC Targets Pro-Life State Governments
27 June 2022
Over the weekend cyber hacktivists enraged about the SCOTUS decision, decided to direct their anger towards their keyboards and targeted the networks of pro-life state governments, e.g. Kentucky and Arkansas. The group claimed to have accessed and exfiltrated several gigabytes of sensitive data, including employee PII from state government servers. The cyber threat group, SiegedSec, who we featured earlier this month, has been recently emboldened by their involvement in the Russia-Ukraine cyber war and stated on their Telegram channel, the attacks against Kentucky and Arkansas are just the beginning with planned continued attacks against pro-life organizations and states with anti-abortion regulations.
“THE ATTACKS WILL CONTINUE!” – SiegedSec
Source: Telegram
SCOTUS Overturns Roe v. Wade
24 June 2022
On Friday morning, the U.S. Supreme Court uploaded their controversial decision on the case titled, DOBBS, STATE HEALTH OFFICER OF THE MISSISSIPPI DEPARTMENT OF HEALTH, ET AL. v. JACKSON WOMEN’S HEALTH ORGANIZATION ET AL; a decision which effectively removed one’s constitutional right to an abortion as provided by the long-standing 1973 Roe v. Wade precedent. The decision sparked widespread protests around the country and conflicts between activists and law enforcement.
Original Report
21 June 2022
As a result of the recent political landscape regarding Roe v. Wade, our analysts reviewed the topic of abortion and observed a surge in darknet economies providing abortion medications and home kits on underground marketplaces.
Background and Political Context
The historical January 1973 Roe v. Wade decision by the U.S. Supreme Court, which legally protected one’s rights to an abortion at the Federal level, is on a precipitous demise in a radical shift in political power across the United States. In a draft majority opinion that was leaked out of the Supreme Court to Politico in early May, the conservative majority of the Supreme Court justices are very likely to overturn the landmark Roe v. Wade and a subsequent 1992 decision — Planned Parenthood v. Casey, with Justice ALITO stating, “Roe was egregiously wrong from the start.”
Figure 1: Source POLITICO
If the position of the draft opinion goes ahead as written – which some legal experts predict might be officially published as early as this week – federal protections for one’s right to an abortion will immediately end and the issue will be tossed back for decision at the individual state level. With recent extreme state-legislative decisions such as the Texas Heartbeat Act criminalizing abortions any time after six weeks of pregnancy, 23 states have some form of restrictive abortion-related legislation in place. 19 states have protected the right to abortion by codifying it into their state laws, Colorado and California have established themselves as “sanctuary states” for women’s reproductive health.
According to the American Pregnancy Association, an abortion is defined as the early termination of a pregnancy and is induced by a clinical surgical procedure or the administration of drugs to remove the embryo and placenta from the female’s uterus. Two drugs associated with the “chemical abortion pill regimen” are oral Mifepristone (Mifeprex) and Misoprostol (Cytotec) used in conjunction to stop the production of pregnancy related hormones and induce contractions of the uterus to expel the embryo.
Impacts Seen on the Darknet
Within a week of the Supreme Court’s leaked draft opinion, DarkOwl analysts observed a noticeable volume of information related to medical abortions materialize – including offers for chemical abortion drugs for sale across the darknet.
Chatter on darknet discussion forums and deep-web adjacent chat platforms foster creating an online community to support US-based individuals’ access to abortion, calling it the “Underground Abortion Railroad” to help connect women with abortion and transportation providers and avoid criminal prosecution.
One forum user identified themselves from Europe and offered to stock up on abortion medications and emergency contraception pills such as “Plan B” from their local pharmacies, offering to ship them at fair market price to those in the United States who cannot access them legally through non-darknet sites.
Another user in a popular darknet forum mentioned a reliable marketplace selling Misoprostol, described as “28 Pills 200MG Safe Home Abortion Method.” The vendor of the marketplace commented on the thread that they don’t actually sell the pills anymore because there were not enough buyers, but would be willing to change their position and offer them again if there was demand.
Monitors on the darknet marketplace suggested has yet to offer a “Safe Home Abortion Method Kit” as mentioned in the thread or abortion-related pills on their site. The same vendor also offers a variety of illegal drugs and narcotics as well, including Cocaine, Percocet, Xanax, weight loss treatments, and Freebase.
Figure 2: Source Dread Darknet Discussion Forum
DarkOwl continues to observe other sources of underground abortion services on offer in its Vision database with multiple advertisements for Misoprostol and Mifeprex, and access to (purportedly) safe abortion services. One supplier recommended those in need of abortion pills contact them via XMPP with OMEMO for a direct, private sale.
Another classified-style advertisement describes the at-home abortion treatment in detail and the medications used, with pricing, ranging from $7 to $16 USD for the abortion-related medications. Multiple forms of contact information was also included.
Other drugs offered for sale on the same classified-advertisement forum have been affiliated with scammers that have no intention of providing the services or goods on offer. Tragically, there is increased risk that darknet scammers will exploit the current political abortion issue in the US for financial gain like they did during the COVID-19 pandemic.
Some darknet forum users point readers to “offshore pharmacy sites” where abortion-related medication could be purchased, mentioning a clinic taking online consultations in India among others. A quick OSINT search revealed numerous Surface Web domains offering abortion-related medications for purchase. How those sites will operate regarding shipping the drugs to customers in states who have banned abortions once Roe is overturned is yet to be determined.
Overall, opinions on the darknet about abortion are mixed with strong opinions on both sides of the issue. Members of right-wing aligned Telegram channels spin abortion as murder and celebrate the Supreme Court’s position.
Figure 4: Source DarkOwl Vision
While other users support less government over individual choices regardless and view the decision as a potential turning point for the loss of other individual rights.
“I do believe everyone should have a choice, it’s a sensitive topic, but I will stand on democracy, taking peoples choices away is not democracy.” – Dread User
Figure 5: Source DarkOwl Vision
A controversial pro-choice group, Ruth Sent Us (RSU), named after late liberal Justice Ruth Bader Ginsburg, recently admitted to publishing on social media the home addresses of Chief Justice John Roberts alongside five other conservative associate justices: Samuel Alito, Clarence Thomas, Neil Gorsuch, Brett Kavanaugh and Amy Coney Barrett. The group claimed the information was publicly available and never encouraged violence against any of the justices.
The release of such information has fueled on-going deep web forum debates about the topic with some stating such information releases violates 18 USC 1503, which “prohibits ‘endeavors to influence, intimidate or impede… officers of [the] court’.” Despite the online debate, a 26-year old man, Nicholas John Roske, likely relied on such leaked information to target Justice Kavanaugh last week. Roske was arrested for attempted murder after arriving at Kavanuagh’s home with a Glock 17 handgun, ammunition, a knife, zip ties, pepper spray, and duct tape, that he told police he planned to use to break into Kavanaugh’s house and kill him. Other left-leaning U.S. politicians have also been targeted in their homes since the draft opinion leaks with users on Telegram calling them “pro-abortion death cult democrats.”
Figure 6: Source Telegram
DarkOwl analysts have not yet observed abortion pills such as Mifepristone and Misoprostol widely available on principal decentralized darknet markets, but they are available for purchase via threads in discussion forums, as well as classified-style advertisements on transient paste services.
Closing Thoughts
Users across darknet forums have voiced interest in abortion-related pills and services following the leaked Supreme Court documents and advocate for organized protests in support of and against the potential ruling. Once the U.S. Supreme Court officially issues their ruling, we anticipate a more concerted response from darknet marketplaces in offers for abortion related drugs and services. The darknet will also continue to be a resource for activists to organize political protests and circulate sensitive information related to the abortion debate.
Irrespective of which side of the debate one stands, the darknet will continue to fuel the controversy both in support of and criticism of a woman’s right to abortion. In a world of increased digital surveillance and the fundamental privacy-centric nature of Tor and similar anonymous platforms, individuals will seek out like-minded communities on the darknet for social activism related to the topic. DarkOwl predicts an increased use of Tor to organize political protests and circulate sensitive information related to the abortion debate.
Curious about darknet marketplaces or something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.
Of the numerous quantitative models that attempt to define and quantify the cybersecurity risk to organizations, very few consider risk indicators from the deep and dark web. Using ransomware as a case study, this presentation reviewed the content that exists on these hidden networks, and explored how data from the dark web can serve as an important data point for more comprehensive risk models. Further, Ramesh Elaiyavalli, CTO of DarkOwl, discussed the unique challenges and considerations that must be made when examining dark web data.
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Kathy: Thank you, everybody, for joining us today for our webinar: Deep and Dark Web Data and Its Impact on Modeling Cybersecurity Risk. My name is Kathy, and I will be the host for today…And now I’d like to turn it over to our speaker today, Ramesh Elaiyavalli, our Chief Technology Officer here at DarkOwl, to introduce himself and to begin.
Ramesh: Alright! Thank you, Kathy. Appreciate the intro. Hi. Hello. My name is Ramesh. I go by Ramesh Elaiyavalli. I’m the Chief Technology Officer and am responsible for product and technology groups to set the strategic technical vision of DarkOwl, as well as kind of the day to day workings and implementation of our platform, our processes and our people.
So with that, today’s webinar, as Kathy mentioned, is to go over at a high level: what is the darknet and the deep web and how risk modeling is relevant to the current web dates. I will talk a little bit about ransomware as a darknet data multiplier. We’ll also review the security risk frameworks, and some of the stakeholders that need to be engaged as you look at risk modeling and the application of darknet and deep web as it relates to modeling and any future quantification efforts of darknet data.
We believe that the deep web and the darknet data have a significant impact in any type of cybersecurity risk modeling.
If you look at the dark web in general, think of it as an iceberg where the tip of the iceberg is the surface web, that we all know and use every day. It was originated back in the nineties. It was basically browser based and we all know that a ton of content which is publicly available is available via the surface web, and there are many content or many types of content ranging from discussion boards to pay sites and so on.
The deep web is anything that is not indexed like Google, simply put, and that is typically behind some type of the authentication of the websites that you require authentication or any type of human intervention. So this is where things like IRCs, telegrams, criminal forums, marketplaces, they all reside in the deep web. And that kind of emerged in the mid-nineties.
[This takes us] all the way to darknet, which was founded as part of the Tor Project in 2006. So this is the intentional anonymizing of networks accessible only by a proxy or a specific peer to peer protocol. So the best example is Tor or called the Onion. And then we have I2p, ZeroNet, Freenet, Oxen, Yggdrasil, so the list goes on and on with a ton of such networks and protocols that only exist in the darknet. And they have become kind of a very important infrastructure for advanced threat intelligence and long defined risk.
When we talk about darknet data, the data is both diverse as well as dispersed all over the internet, The surface web as well as the dark web. So when you look at the diversity of data, data is available as email addresses or email breaches with passwords, which is really the authentication data. There is domain data, subdomains, the IP addresses that are tokens that are common vulnerabilities, exploits and so on. There are source code available. There is content and text available about a company, which is the chatter across the threat actors. There is critical corporate data, contract and financial information, intellectual property, executive insights, as well as employee activity, phone numbers, PII data, banking data and so on and so forth.
So, as you could see, the data is very diverse. Also, the data is spread and dispersed across various sites that could be transient in nature, there are darknet data places, there are forums that criminals use for discussions, there are image boards or chans, there are blogs on ransomware, there are marketplaces where data is being sold in classifieds, and last but not least, is Telegram and some of the IRC chatrooms.
Given the diversity and the dispersion of data, we also know that the data is really valuable when the data is at scale. And scale matters more so now than ever before. Why is this? Number one, there is a rapid digitization in our society overall. Everything that is paper and tribal knowledge is becoming a digital asset.
And, with COVID-19, the pandemic has changed the fundamental way in which we work. A lot of the hybrid and work from home exposes organizations to networks that are only as good as the weakest link. So, there is quite a lot of attacks surface that has been exposed with the work from home networks and the garden variety wifi protocols that are out there.
The third one is [that] the Ukrainian-Russian conflict has significantly shifted the threat landscape. If you think the Ukraine Russia war is far off from you, think again, because a ton of supply chain risk exists today from vendors that you work with and you partner with. And they are directly impacted because of the war or because of the supply chain issues.
And, number four, there is an unprecedented number of never before seen malware and critical zero-day issues in the wild. There is a significant increase in ransomware, ransomware attacks and all of this kind of has fundamentally changed the landscape in which we look at darknet. So it is taken in from a corner of the Internet to now center stage. So the dark web usage has really jumped over 80% in the last three years. 2 million active users, if not more in the Tor browser and the ransomware cost, just the sheer cost is over 20 billion in 2021.
Now, ransomware-as-a-service is a term [increasingly] in vogue. And the threat actors have become very sophisticated in not only attacking and penetrating your organization, but they have the maturity to go after these ransomware-as-a-service providers to make the transaction more professional. You can transact on the internet, on the darknet, and the deep web, where you leverage these initial acts as brokers and third parties wherever they are possible. And the consultants would help in the victim negotiations as well as target the qualification, meaning they would know how big your company is, how much can you pay, and what’s your propensity [to do so]? How badly do you want to be covering your exposures here? So based on that, they offer a service which is the ransomware-as-a-service, and these are paid insider threat partners that criminals and threat actors work with.
[Lastly], with the Ukraine conflict, like I mentioned, there’s a fluctuation between Ukraine conflict and the various international law enforcement operations. We’ve heard about Conti and Cooming and Stormous data which are available immediately after the invasion. The Happy Blog, for example, returned despite the arrests by the FSB. LockBit, AlphV, Snatch – they all have increased activity. Victim data leaks continue at a very high volume CONTI pretty much disbanded and dispersed into not just one group, but various splinter groups. And such threat actors are directly contacting our stakeholders for pressuring the victims.
The bottom line is this ransomware as a darknet ecosystem is extremely well-structured. It is operationally very efficient. And the biggest fear is they are running this at scale with ransomware as a service. So this kind of changes the entire threat posture of a lot of companies out there.
And, if you were to be a victim of a ransomware attack… from a customer standpoint, you are completely shut off from your access points. There are messages that prevent you from getting in unless you’re willing to talk to and pay the ransomware and the threat actors.
Ransomware Shame Site on Tor
Now, [let’s talk about] ransomware as a threat signal and overall as a dataflow lifecycle. You start with a pre-cyber incident, and then there is an initial access where that campaign has been launched. There are then incident responses and negotiations as part of the public announcement over to the post cyber incident management and then the whole attack cycle restarts. So, that’s kind of a quick [overview of the] lifecycle of the entire ransomware threat signal and data flow.
And, 46% of the ransomware victims, unfortunately, have not been compromised once, but multiple times. Over 90% of the data leaks we observed in the last year were attributed in some way or the other to these ransomware actors.
Darknet Ransomware Threat Signal and Data Flow
Now in talking about ransomware, here’s another great example that we tell our customers about: Volvo.
As we all know, Volvo is a very large auto manufacturer. But interestingly, their ransomware attacks did not come from their own compromises, but it came from their supply chain. It started with November 2021, where snatch one of the Chinese Volvo corporations that had a breach. And then it went on to Denso and then it went on to the Volvo Corp update will work to back defense over to StrongCo and so on.
So, various subsidiaries of Volvo, such as the Mack, the Mack defense, the Mack trucks and so on, were exposed as part of this attack. And these impacts we are observing pretty much up and down the entire supply chain. And there are multiple, not just one threat actor, but there are multiple threat actors that are finding ways, finding vectors, finding threat surfaces to expose and bring down some of the largest companies that are out there, either directly or as part of their supply chain and their vendor relationships.
Now, when you look at the darknet and you look at security risks overall, we talked a little bit about ransomware, but there are other type of threats that you should be worried about. We all know about the phishing attacks and the malspam campaigns, the cyberattacks, all the way from the overt or covert malware, DNS hijacking, data exfiltration, cyber espionage, denial of service attacks, insider threats, and basically any type of information based reputation attacks. So the types of threats have multiple dimensions, and ransomware has kind of bubbled up to the top. However, there are other threats that you need to equally pay attention.
And, what are the consequences of these threats? It is data corruption, it is operational downtime, a huge and a tremendous amount of financial and revenue loss, regulatory issues and fines, damage to your virtual or physical infrastructure issues with your shareholders and society as a whole, and the loss of customer confidence and a significant dent in your brand reputation. The consequences of ignoring these threats are significant and threats continue to evolve and [be a] cost concern for various organizations.
Having said that, how do you do threat modeling is not [the exact same as] how you look at risk modeling. Threat modeling is a subset of what you have to think from an overall risk modeling standpoint. Now, are there standards? [What are] the best practices for risk modeling? The good news is that there are some, but the bad news is there are plenty of them. There is no one single overarching standard for risk modeling. So, depending on your use case, depending on your company, your business, your operations, and your exposure to various security and methodologies, you can adopt one or more of these frameworks for your risk modeling.
The stakeholders for such risk modeling would pretty much be everybody in the organization and beyond. It starts with your SOC, your incident response teams, executives, data protection officers, the governance folks, CISOs, IT leadership.
If you are in Insurtech space, it very much applies if you are a broker, you’re an engineer, you’re an underwriter, you’re a reinsurer. All aspects of insurance underwriting and cyber security assessments need to be worried about risk modeling. It also applies to investors, private equity, and venture capital firms who are looking to fund that startups or to do mergers and acquisitions type activity. So all of those decision makers need to be aware of this, including policy makers, security agencies, military decision makers and so on and so forth.
When it comes to risk modeling stakeholders, it is everybody who has some form of decision making capability and they are doing an assessment, they are underwriting the risk in a way. So the NIST really defines the cyber risk assessments as the ones that are used to identify and estimate and prioritize risk across your organization, your operations, your assets and the people that you have within the organization.
One of the things that we are interested in talking about, [and] is a question we get a lot, is how do you quantify risks? At DarkOwl, we spend a lot of time thinking about it, and we have come up with ways, strategies, and products and score models that would help us objectify and quantify risk at scale. It’s not an absolute risk metric, but we see a very strong correlation and influencers for their risk calculations and your business decisions based on the exposure of data about you and the company that you represent as it relates to the darknet. So we call these “entities” which are basically email credentials, it could be domain names, it could be IP addresses, the set of entities that are easy to take, tokenized, and quantified.
Like I mentioned, this model is not basically the threat modeling aspect, but much more. And, you know, you need to give a lot of considerations for all the external and influential factors, which is the who and the where and the when as it relates to getting your data exposed.
So here’s an example of Microsoft whose overall risk profile, or we call it the darknet score, their score has been trending upwards (pictured below). A lower score is better. So, when your score is going up, that is not a good thing. So it could be either as a result of the amount of leaks that they have or the documents that are being exposed, how much hackishness is in those documents. So risk quantification with scores is a very important way to measure and assess risk.
Microsoft darknet exposure score (DarkOwl Vision)
The next one I want to briefly touch on is an experimental basis. We have Scores 2.0 that we are actively building. We are very excited about these scores to point out where we have used our own data, which is data from our entities, from our e-mail breaches, credentials and so on, and we believe it has predicted 73% of the breaches overall and 100% of all the four ransomware cases that we analyzed in the past. So here’s an example of a company such as Okta, which is the largest security authentication company out there. And interestingly, their exposure on the darknet was partly due to their leaks and some of their breaches. But more importantly, their biggest supply chain vendor is Sitel, which is a call center company which had access to Okta data. And when Sitel got compromised, that bubbled up to Okta. So we we always advise our clients to say, look carefully with your company within your data set, but also make sure that you are monitoring your supply chain vendors. So this is a perfect example.
How do we see the future of quantifying darknet data? It is very important that a very critical time is right now where we need to see a dialog among multiple organizations on what are the best methods and the best practices for quantifying darknet data and how do you do the risk modeling. We would love to see folks getting rid of questionnaires and checklists and, you know, making decisions based on data that is available in the open net or OSINT data.
We advocate for education on darknet and darknet data and how important it is for overall cybersecurity. There is a clear need we see in establishing a common language and a common set of mathematical models, be it the darknet score, or it could be something else. But, we want to see more such quantified risk models that are available in the industry.
There is a need for better understanding on the relationships between not just the threat actors, but between the personal and corporate risks that every companies go through. And [as we showed earlier] – you got to take a closer look at the type of data that is being leaked by some of the ransomware groups and the threat actors. Some of it is because they may want money, but a lot of it is also, they’re trying to build reputation by leaking data.
[We advise that] you take a close look at what data types are being leaked and what the cohorts and the verticals in the industry are talking about. Also, the key question here is this: how do you measure the goodness or the effectiveness of your current cybersecurity risk model? Ask that question often, ask that question early, and ask that question constantly. Which is, is your risk model effective enough and is it good enough?
With that, if you want to know more about DarkOwl, please talk to us. Get in touch with us at [email protected]. Or you can follow us on various social media and you can also check out, check us on our blog or on our website. And if there are any other questions, I’m happy to address them. That’s the end of the presentation.
Kathy: Thank you, Ramesh. We have had a couple of questions come in. So let’s see if we can get to some of them. The first one we have is” Why do I need DarkOwl? Most of the darknet can be accessed by individuals.
Ramesh: It’s a it’s a great question. Darknet data can be accessed by any individual or any company for that matter, but I would not recommend doing this at home. The reason being that you’re dealing with data that is extremely sensitive in nature and you are potentially interfacing with criminals and threat actors and it is a very dangerous place. So there is very likely challenges that you would run into is you may get attacked yourself when you expose yourself and your network, if you tried to do it without much expertise.
At DarkOwl, we take great lengths to make sure that our access to the darknet and our ways of ethically gathering data is serving you as a customer so that you can access data through our platform and the safety and security that comes with our platform, as opposed to interfacing directly with the threat actors and the criminals. So I would always recommend go through a provider and sort of avoiding direct.
Kathy: Great. Thank you. Another question that came in is: I want to access your data. What is the best way for me to do so?
Ramesh: Okay. The best way to access our data. The short answer is it depends. If the use case is you are a cyber security analyst or you’re looking for a very specific thing. You want to search on the dark web on a limited basis. The best bet would be to leverage our Vision platform. The next step is if you’re a developer and let’s say you want to build an API because you have a platform already built out, or you’re thinking of building a platform or you’re in cybersecurity and insurance business and you want to leverage darknet data for those type of use cases. We would recommend to our API. And by the way, our API, we offer a Search API, we offer Entity API for lookups on email credentials or crypto and so on. We also offer source via API and we offer entities and searches also via API.
So, there’s a variety of APIs that you can leverage, assuming that you want to be building code and develop and integrate dark data into your platform. And then all the way, if you’re a data science person, you are looking at large amounts of data and big data, right? And you have a data science team that is available. We would do what we call DataFeeds, which is snapshots in time that you can have either our entire dataset or filter based on criteria that you provide as well as we can do these historic data dumps and we can take snapshots in time and send it over in a in a secure transmission over to you and your data science team. So it really depends on the use case. The bottom line is you can leverage our Vision UI, platform or you can leverage our API platform or you can consume our big data, be our data feeds.
Kathy: Great. Thank you so much…Ramesh, thank you so much for this insightful presentation to our attendees. If you’re interested in learning more about how darknet data applies to your use case, please feel free to request time with us using the link in the chat. We look forward to seeing you at another one of our webinars in the future. Thank you.
Ramesh: Thank you.
Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.