Last week, the German BKA announced they had successfully shutdown one of the largest Russian markets on the darknet: Hydra.

[Hydra server seizure banner]

“The platform and the criminal content have been seized by the Federal Criminal Police Office (BKA) on behalf of the Attorney General’s Office in Frankfurt am Main in the course of an international coordinated law enforcement operation.”

Launched in 2015, Hydra has been a mythical and staying force of the darknet for nearly a decade.

Hydra market boasted over 17 million customers and over 19,000 seller accounts at the time of shutdown. It grew significantly after many of the buyers and vendors from its competitor: Russian Anonymous Market Place (RAMP), turned to Hydra after RAMP was seized by Russian authorities in September 2017.

Hydra was known for underground illicit goods trading, expanding its operations from drugs and narcotics into digital services, counterfeiting and forged goods, as well as stolen data in recent years. The market also provided a robust mixing service known as the “Bitcoin Bank Mixer” for laundering cryptocurrencies.

On April 5th, the US Justice Department published an indictment against 30 year old Russian national, Dmitry Olgevich Pavlov – the owner of the Russian web hosting company, Promservice, Ltd., and domain administrator for wayaway[.]biz. The US is charging Pavlov as a co-conspirator with “other operators of Hydra” to facilitate years of illegal trade across the darknet marketplace. According to the investigators, “Pavlov allowed Hydra to reap commissions worth millions of dollars generated from the illicit sales conducted through the site.”

There is a darknet forum with the same name, Wayaway that has been a long-time partner of Hydra.

According to users on Telegram, Pavlov has previously stated that his company has all the licenses and approval of Roskomnadzor (Russia’s Federal Service for Supervision of Communications, Information Technology and Mass Media, e.g. propaganda agency), does not actually administer any sites, but simply leases servers as an intermediary.

“We do not know what is hosted here, because after granting access to the server, clients change their password, and access is impossible.”

On the same day, the US Treasury Department imposed sanctions not only against the Hydra darknet marketplace, but also against the Garantex cryptocurrency exchange. The exchange was established in 2019, is reportedly compliant with AML and KYC laws, and fully regulated in Estonia and across Europe. The Treasury Department also published a list of over 100 cryptocurrency addresses affiliated with operators of Hydra and Garantex.

Future of Hydra and Russian Darknet Markets

Despite being such a popular Tor service, especially for the eastern European narcotics trade, there have been numerous deep web services and vendor shops emerge in recent years that similarly support underground illegal economies. The Hydra shutdown will have little impact on buyers seeking access to the goods and services they require. We believe many users will simply shift to other services of this nature across the darknet and deep web.

This weekend a representative from Hydra’s staff shared that there had been no arrests associated with the servers’ seizure and encouraged users not to panic. Their statement read like a typical commercial breach announcement to its users. Translated key points include:

The entire infrastructure of the hydra was removed and now we are restoring all the functions of the site from backup servers.

You should not panic and switch to militant resources with a platform, too, we will scold and punish for this.

Passwords are recommended to be changed after the restoration of all functionality.

… (arrests) are not expected if you kept your anonymity.

One thing that is constant in the darknet is change. DarkOwl analysts also noticed the shutdown of another massively popular decentralized marketplace in recent weeks: World Market. Unlike Hydra, World Market is believed to have exit scammed with reports that the admin, Lovelace likely stole over 4 Million USD of the market’s escrow funds.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.

About RaidForums

In March 2015, a discussion forum known as RaidForums emerged on the deep web. The forum quickly gained popularity amassing hundreds of thousands of users and became a reliable resource for breached and leaked databases in addition to combolists, cracked software, and adult content. The forum’s popularity crossed various underground communities with young script kiddies, prominent darknet threat actors, and seasoned data brokers all active and aiding in the forum’s success.

The forum is recognizable by a lavender-haired female as the default avatar for members and anime persona featured on the banner of the forum.

The forum also features a real-time ‘shoutbox’, private direct messages between users, and a credit system for accessing cloud-based hosting URLs of high-valued data leaks.

RaidForums’ administrator, using moniker “Omnipotent,” has been a key figure in the forum since its inception. While Omnipotent states the United Kingdom as their location on his Github profile, their exact location is unknown. There is a possible open-source connection between Omnipotent and the real identity, “K Gopal Krishna,” but nothing concrete to solidify an association.

Unusual Activity Begins on RaidForums

In late January and early February of this year, the forum mysteriously began experiencing connection issues and some users received an SQL internal error for the MyBB forum platform and couldn’t login. This all coincidentally occurred when Omnipotent was allegedly away for vacation (January 31st through February 7th).

On the forum’s Telegram chat, one user suggested Omnipotent “was on life support after fighting a mountain lion.” The comment sparked tremendous speculation and suspicion on the security of the forum and the whereabouts of its leadership.

According to DarkOwl Vision, less than three days later, the domain was back online and operational on February 11th, 2022.

Observation from our Analysts: Outages like those experienced in early-February was unusual, but not concerning. The website had experienced domain issues in the fall of 2021, when the Brazilian government attempted to have NameSilo – the domain’s registrar – shutdown the forum. This forced Omnipotent to setup mirror domains, like rfmirror[.]com while they migrated their services back to CloudFlare.

---

Key Data Leaks During RaidForums’ Short UpTime

During the weeks leading up to the invasion in Ukraine, various threat actors shared sensitive information pertaining to the Ukrainian cyberattacks from January and February. DarkOwl published an extensive analysis of Ukrainian data leaked leading up the to invasion. Several RaidForum users, like Carzita also claimed to be actively targeting Ukrainian government websites prompting alerts from the Ukrainian government. (Source: DarkOwl Vision)

Some threat actors, like the alias NetSec, claimed to be targeting the US government and military networks using Anonymous-style hashes such as #RaidAgainstTheUS. In the days leading up to the invasion of Ukraine, NetSec shared email addresses and hashed passwords for the U.S. Strategic Command (stratcom[.]mil), U.S. Special Operations Command (soc[.]mil), the Defense Technical Information Center for the US Government (dtic[.]mil) and Lockheed Martin defense contractor employees.

On February 22^nd, 2022, NetSec claimed to be working with “some Russian folks” to develop a zero-day for enterprise platforms used by the US Government by targeting an individual who worked directly for the enterprise platform. The threat actor refers to eis.army.mil – which resolves to the Program Executive Office (PEO) Enterprise Information Systems (EIS) for the Army.

NetSec is a self-proclaimed cybersecurity hacktivist reportedly in Switzerland with possible US citizenship, but not directly working with a government or for a company. They refer to being the “devil in the red hat” and feature women in their avatars in social media and forums, often in swimming suits or a big red hat.

On the evening of the invasion, RaidForums leadership projected a zero-tolerance approach to Russian actors on the forum. Moot, another staff administrator of RaidForums posted in a thread titled, “RAIDFORUMS SANCTIONS ON RUSSIA,” stating that anyone connecting to the forum from a Russian IP address would be banned.

Seizure Unofficially Announced

On the 25^th of February, users were no longer able to successfully log into the RaidForums domain. On the same day, a prominent moderator from the forum, Jaw posted to the forum’s Telegram that the raidforums.com domain had been seized and the current website domain was run by law enforcement as a honeypot and phishing operation.

Another RaidForums moderator, moot, locked the chat and Jaw suggested rf[.]to would be the new domain for future RaidForums operations. It’s unclear how Jaw confirmed the seizure of the RaidForums domain. Some speculate Omnipotent was allowed to call from inside police custody and notified Jaw directly. The rf[.]to domain is unresolvable and according to WHOIS records was setup around the same time as rfmirror[.]com.

Databreaches.net was unable to get confirmation from British or US law enforcement whether the RaidForums domain was seized. The FBI’s outright, “decline to comment” indirectly confirmed the community’s suspicions.

To this day, the raidforums[.]com domain continues to load but the forum is inactive. The domain’s registration information changed on February 25^th, 2022. Some threat actors state the new name services for RaidForums is the same servers the FBI has previously used with WeLeakInfo and is associated with an FBI hosted CloudFlare account.

---

RaidForums Replacements Quickly Emerge

Raid Forums 2

Right after the forum’s outage in early February, the deep web domain raidforums2[.]com was registered and protected by CloudFlare. RaidForums 2 (RF2) is reportedly administrated by the moniker, “burkeluke” and claims no association with the original RaidForums domain. The administrator stated RF2 would be focused on computer science with coding sections and workshops.

RF2 has been slow to adoption, but its members are well known including AgainstTheWest (a.k.a. Blue Hornet) who quickly used RF2 to share leaks it obtained through campaigns against critical Russian and Chinese targets in recent weeks. The forum also has a section dedicated to the SAMSUNG and Nvidia source code leaks released by LAPSUS$.

Raidforums’ staff aliases like Omnipotent and Jaw appeared, but their authenticity is in question. More than likely, these are classic cases of alias hijacking.

As of time of writing there are 1,025 registered members, 369 posts and 211 threads.

Breached Forums

When Jaw announced the raidforums[.]com domain had been seized and was now a honeypot, a legacy user of the community, pompomurin, reportedly DDoS attacked the domain to prevent users from exposing themselves and limit the FBI’s success in obtaining the credentials they sought by keeping the domain alive. The RaidForum user pompompurin is known for prominent commercial data leaks such as CVS and Park Mobile and represented by an adorable avatar – the beret wearing golden retriever character from the Japanese Sanrio Hello Kitty franchise. According to their surface web blog, pompur[.]in, pompompurin, resides in Canada.

During the first week in March, pompomurin setup BreachedForums (BF) on the domain: breached[.]co and opened the site on March 16^th for registration and forum discussion. The forum is setup identically to RaidForums complete with the same color scheme, shoutbox, and default avatars. pompompurin claimed no direct affiliation with RaidForums; yet stated that if RaidForums ever returned in an official capacity, then he would shut down BF and redirect the domain to the main RaidForums site.

The popularity and wide acceptance of BreachedForums is evident with the sheer volume of posts and memberships already active on the forum. In less than three weeks activity, the BF domain has registered 3,293 members, with 13,707 posts across 1,939 threads.

The Databases section of the forum includes over 80 unique ‘official’ datasets maintained by the forum’s staff with over 1 Billion records. DarkOwl estimates over 700 unofficial commercial and government data archives have been distributed by members in the leaks and databases sections of the forums.

Many of the posts are related to the conflict in Ukraine with shares of sensitive data exfiltrated in conjunction with Anonymous’s #opRussia cyber campaign.

The BF domain is already being targeted by malicious actors and/or law enforcement. Earlier this week, the forum was offline briefly after the domain was reported to its hosting provider for containing illicit content and CSAM. As a result, pompomurin setup a new onion service on Tor as well as five alternate mirrors in the deep web.

The breached[.]co domain was unreliable and timed out numerous times while writing this report.

---

Question about something you read or interested in learning more? Contact us to find out how darknet data applies to your use case.

A review of the ongoing darknet risks associated with the compromise of Version Control Systems (VCS) and other software supply chain version control systems. Our full report can be found here.

Research from DarkOwl analysts continues to indicate that software programming and engineering tools are a viable exploitation vector

Last week, a maintainer for NPM package – a widely used package manager for the JavaScript programming language – showcased how potentially powerful supply chain attacks on software development and components can be. This individual, an open-source software developer known as RIAEvangelist, intentionally embedded malware in the latest stable release of a popular repository called node-ipc out of protest for Putin’s atrocities against Ukraine. The malware is officially labeled ‘peacenotwar’ and deploys with a readme file titled WITH-LOVE-FROM-AMERICA.txt, and notably only is triggered to install on devices with a Belarus or Russia geo-located IP addresses.

Developers and security researchers around the world have been equally appalled and conflicted by the intentional sabotage of an open-source software package. Many are particularly concerned about the reputational damage these incidences cause to the open-source software development movement.

Despite general widespread sentiments against Putin’s invasion of Ukraine, the open source software development community has marked RIAEvanglist’s NPM package as malicious, because this individual chose to deploy malware in the digital supply chain ecosystem.

“This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.” 

     - peacenotwar source code description

Exploitation of software-build processes and code repositories facilitates wider, more-catastrophic distribution of malware and enterprise-level software compromise. By poisoning software development, update processes, and link dependencies, threat actor’s malicious codes can be potentially distributed to thousands of users without need for social engineering, e-mail compromise, or drive-by-download malware delivery mechanisms.

In recent months, DarkOwl has observed a significant increase in instances of malware developers mentioning or discussing direct attacks to international software supply chain. In many cases, this chatter was centered around plans that involved targeting popular open-source software developer repositories like Github and Bitbucket, as well as associated software digital support infrastructure.

Exploiting Version Control Systems (VCS) and poisoning supply chains is not a new threat vector. In 2021, the Kaseya ransomware attack – via a simple malicious software update pushed to thousands of users by notorious ransomware gang, REvil – highlighted the extensive threat to software supply chains and cloud-based commercial software repositories. (Source)

The December 2020, the Solarwinds attack similarly inspired international concern for the integrity of commercial enterprise software and underscored the need for widespread implementation of zero trust architectures. (Source)

Another example of a threat actor group exploiting digital supply chain vulnerabilities is the hacking group LAPSUS$. The increasingly active group most recently announced that they had acquired privileged access to digital authenticator Okta’s networks via a support engineer’s thin client. The result of Okta’s compromise exposed significant intelligence findings, and highlights the overarching risks at stake to any software development and operational lifecycle. (Source)

Brief summary of how LAPSUS$ leveraged supply chain exploits to compromise global software company Okta:

• LAPSUS$ most likely gained access to Okta using credentials purchased on the deep web marketplace: Genesis Market, proving the underground continues to feed criminal empires.
• AWS credentials and code repository tokens were likely stored in company Slack messaging systems that LAPSUS$ then utilized to move laterally through peripherally associated digital infrastructure.
• LAPSUS$ clearly stated they were not interested in Okta, but the customers Okta supported and had access to.
• Okta’s implementation of zero trust architectures called into question given level of access available to third-party support engineer account.
• Okta estimates at least 366 unique clients’ organizational data could have been accessed by the threat group via the initial compromised privileged access.

We are witnessing – in real time – the terrifying realization of the dangers to software supply chains via malicious compromise of the tools and infrastructure critical to supporting the software development lifecycle. Any product or service that touches one’s network, i.e. customer relationship management (CRM) software, software version control (VCS) utilities, authenticators, payroll and timekeeping accounting systems, cloud service providers, internal employee messaging platforms (Slack, Teams, etc.) are all potential targets for compromise.

Research from our analysts

Version control systems and software supply chains are a viable and high consequential attack vector readily exploited by cybercriminal organizations, nation state actors, and hacktivists from the darknet. DarkOwl believes there will be continued and increased attacks against dependency libraries and software package managers, such as NPM and PyPI, with the intention of stealing information and establishing long term persistence in the victim machines. Read full report here.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case.

In light of disturbances in the darknet due to nationalistic fractures amongst ransomware and cybercriminal groups, DarkOwl analysts did a cursory review of activity across ransomware-as-a-service (RaaS) gangs since the invasion of Ukraine.

We reviewed the number of reported victims by RaaS groups and the location of the victims, and determined the following:

• Conti and Lockbit 2.0 lead in total number of victims announced since the 24^th of February, 2022.
• Conti was offline for almost a week due to infrastructure leaks and fractures with their Ukrainian-aligned affiliates. Since March 1^st, the group has resumed locking and leaking victims’ networks around the world.
• Several key Tor services for well-known RaaS gangs, including Pay2Key, Blackbyte, Cuba, are online and active; however, they have not shared any victim’s data since the invasion on February 24th, 2022.
• A new RaaS group called Pandora Gang hit multiple victims in a matter of days, including two victims from Japan.
• STORMOUS ransomware has been heavily targeting Ukraine.
• STORMOUS most recently attacked 4A Games (Ukraine) and EPIC Games (US).
• Given the severity of the attacks against Nvidia and SAMSUNG, LAPSUS$ is now being categorized as a RaaS gang, even though they do not have an affiliate program that we are aware of.
• US, Canada, UK, Czech Republic, and Germany have the highest volume of ransomware victims in the distribution of victims by location published in the last two weeks.
• Many ransomware victims have direct connection to US and Western critical corporate/government operations and supply chains.

NOTE: The charts below do not take into consideration attacks by Russia against Ukraine networks in conjunction with HERMETIC WIPER attacks or leaks released by Free Civilian. The totals, as reported by the Ukraine government, would exceed that of those counted here for the US.

LAPSUS$ Group: Additional Findings

The cybercriminal group LAPSUS$ has ramped up their activities since the invasion – emboldened by their attacks against Nvidia and SAMSUNG.

They recently solicited experts in various specific industries for their next victim selection, possibly looking for insiders to assist. Telecommunications, software development/gaming, hosting, and call-centers were among the industries requested.

Over the weekend, LAPSUS$ also implied they were responsible for recent “cybersecurity incident” with Ubisoft.

DarkOwl will continue to monitor RaaS activity and update as new information becomes available.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case.

DarkOwl is aware that as of February 23^rd, 2022 Ukraine’s digital infrastructure came under further significant DDoS attacks, with several government and financial websites under duress. Hours later Russia launched direct kinetic attacks against strategic targets around the country and ground forces crossed the border on multiple fronts. Ukraine’s critical infrastructure is under direct attack, martial law declared, and civilians are struggling to withdraw funds from ATMs. Our analysts will continue to update with key insights from the darknet as they become available.

---

Information related to January Ukrainian cyberattacks found on the darknet

In mid-January 2022, open-source and public news media reported that several Ukrainian government networks had been compromised during a series of cyberattacks the night of 13th-14th of January, including deployment of what security researchers have identified as the “WhisperGate” malware. Within hours of the attack, data described as originating from the Ukrainian government appeared on forums across the darknet and deep web.

DarkOwl observed a surge in Ukrainian government related leaked data in January, but has not uncovered conclusive evidence this data was stolen during the cyberattacks days before or merely released immediately after as part of a psychological intimidation campaign against the people of Ukraine.

Additional Ukrainian government and civilian data appeared on a Tor onion service called “Free Civilian,” that DarkOwl assesses to be possibly affiliated with a threat actor using the moniker “Vaticano” on Raid Forums.  The user was banned from the well-known deep web forum late January 15^th, by moderator Jimmy02, who stated:

“For one reason or another I have determined that this is a bad database, this could mean its a fake or just a shitty sample.”

---

Given increasing international tensions and the on-going cyberattacks against Ukraine, DarkOwl analysts compiled and reviewed Ukraine-related data on popular deep web forums and Tor hidden services shared in recent weeks. Most of the data “archives” consisted of raw text files, emails, spreadsheets, SQL databases, scanned photographs and PDF files containing various types of personally identifying information (PII).

While many of the leaked archives of data were created within a few hours of the attacks in mid-January, there are no indications they were directly obtained as a result of the attacks.

Mid-January Cyberattacks and Website Defacements

On 13th-14th of January, 2022, multiple Ukrainian government, non-profit, and information technology organizations experienced cyberattacks and public-facing website defacements. The attackers used a ransomware-esque malware attack, rendering many systems inoperable in addition to defacing official government websites across the country loading an ominous message in Ukrainian, Polish, and Russian.

“Ukrainians! All your personal data was uploaded to the internet,” the message read. “All data on the computer is being destroyed. All information about you became public. Be afraid and expect the worst.”

---

Microsoft’s incident responders indicated the destructive malware campaign was designed to mimic extortion-based ransomware, by deleting critical files, locking down the systems, and loading a ransom note demanding $10,000 USD in Bitcoin. The ransom demand was for show and irrelevant to the attackers’ intentions.

The Security Services of Ukraine (SBU) reported they were investigating the matter closely together with the State Service of Special Communications and the Cyber ​​Police and believed that over 70 organizations across Ukraine had been targeted by “special services of Russia” the night of the attacks on 13/14 January. While 10 organizations were subject to “unauthorized interference” no personal data had been compromised or leaked. (Source)

---

Cyberattack Methods Analyzed and Possibly Reused

Cybersecurity units at Microsoft, Crowdstrike, and Palo Alto Networks have published expert descriptions of the threat attack vectors deployed on the night of the January 13 cyberattacks against cyber targets across Ukraine. Technical analysis suggests a vulnerability in the OctoberCMS content management system allowed for the website defacements. The attackers also utilized the WhisperGate destructive wiper malware family to lock down the networks in a ransomware-style campaign.

According to Microsoft, WhisperGate involved two stages: the first stage overwrites the master boot record (MBR) with a ransom note; and, the second stage downloads a data-corruption malware named Tbopbh.jpg that overwrites targeted files with a fixed number of 0xCC bytes. Incidentally, the malicious file was downloaded from a Discord server.

By utilizing open source intelligence and DarkOwl Vision, our analysts discovered multiple instances of MBR-style attacks – including an attack against Banco de Chile attack from 2018. WhisperGate also shares strategic similarities with previous PotNetya attacks used against Ukraine back in 2017.

DarkOwl also noticed a cybersecurity researcher (@Petrovic082) using the hashtag #KillMBR on Twitter which they linked to potential malicious executables associated with the malware family. Users active on Chinese bulletin boards have since been closely analyzing the uploaded executables for reuse and virus detection. (Source)

Breaking news indicates Russia deployed a new hard disk wiper malware variant called HermeticWiper (KillDisk.NCV) across strategic cyber targets on the 23rd of February prior to the full-scale military invasion of Ukraine sovereign territory.

---

Analysis of Leaked Data Found in the Dark Web

On the 14^th of January, the now-banned Raid Forums user known as Vaticano posted what appeared to be a user SQL database for the my.diia.gov.ua website. This leak surfaced within hours of the ransomware attack and website defacement on the DIIA server in Ukraine, although the raw user database from DIIA appears to have been created in late December.

Other users on Raid Forums doubted the veracity of the data posted by Vaticano, asking “where is the full data base?” calling it “bullshit and fake advertising,” “not true and old information,” or that the “data is identical to the old leak.”

In response to the criticism, Vaticano shared additional databases from their “archive” described as “medstar.sql” and “somefilesfromnotcatholic.zip” discussed below.

my.diia.gov.ua

According to the leaked data, a DIIA SQL database, users.sql, was generated via a PostgreSQL database dump, and dated 24 December 2021, 12:17:17 EST. A table, public.users, appears to contain email addresses, passwords, dates of birth, phone numbers, home addresses, passport numbers, ID card numbers, and foreigners’ document numbers.  The SQL file is likely an excerpt of a larger database. DarkOwl found 103 email addresses for users of the service, with most consisting of accounts from personal email providers such as gmail.com and ukr.net.

medstar.sql

The website, medstar.ua is a commercial cloud-based ‘digital-medicine provider’ with telemedicine, prescription, medical imaging, and laboratory medical services in Ukraine.

The medstar.sql leaked database does not contain any header information to denote the name of the tables or date of extraction. However, the SQL table appears to be a registry of 669 medical appointments with the patient’s personal information, e.g. full name, date of birth, phone number, address, age, gender, and even photo with links to an external website domain: health.mia.software containing their image and scans. The doctor’s information is also included with each record, with 606 doctors affiliated with the territorial medical association of the Ministry of Internal Affairs. The appointments covered a range of specializations such as therapy, neurology, infectious diseases, etc.

The latest appointment date in the database was November 30, 2021, suggesting this file was likely created sometime in December before the new year.

somefilesfromnotcatholic.zip

The files contained in the archive somefilesfromnotcatholic.zip are all date/timestamped: January 15^th 2022 / 12:48. The archive consists of five folders, each containing 20 subfolders spanning several years of various official letters, photographs, and applications for government services. One folder contained letters directed to the Ukrainian Ministry of Internal Affairs requesting the production of specific license plates for individuals. The data archive includes several Ukrainian citizens’ personal information such as phone numbers, email addresses, driver’s licenses, passports, and national identification information related to vehicle registration and driving. The latest data file in the archive was date/timestamped: November 15^th, 2021/19:58.

Notably, the archive appears to be a sample of a larger dataset of vehicle data the threat actor has in their possession.

mail.minregion.gov.ua

Less than 18 hours later and on the original thread, Vaticano shared an archive of supposedly stolen emails from the Ukrainian Ministry of Community and Territories Development server, mail.minregion.gov.ua. The sample included 79 email messages (.msg files) with various correspondences between employees of the organization in November and December 2021. The messages appear to have originated with one email address, and the latest message was dated December 20^th, 2021, 14:17:18 EET.

It’s unclear if this a subset of a larger volume of emails the threat actor has access to, or whether they only had access to one user’s mailbox within the organization. DarkOwl was able to extract 425 unique group and individual e-mail addresses from the archive shared.

diia_filestorage_db01.rar

Shortly before getting banned on Raid Forums, the user Vaticano shared yet another database on the original thread, labelled, diia_filestorage_db01.rar. The archive consists of 81JSON files with records containing unidentified applicant user information, e.g. full name, date of birth, passport number, phone number, email address, physical address, photo, and COVID vaccination and medical data privacy consent. The latest applicant record was dated October 22^nd, 2021.

According to their website, DIIA is a mobile app developed by the Ministry of Digital Transformation of Ukraine and launched in 2020. It allows Ukrainian citizens to upload digital versions of their official documents in their smartphones, instead of carrying physical ones, for identification and verification purposes. It’s likely that this dataset is a sample of a larger set of files held by the threat actor. DarkOwl found 77 unique personal email addresses for Ukrainian citizens in the database, mentioned mostly from gmail.com and ukr.net.

Free Civilian

Within a week of Vaticano’s exile from Raid Forums, the Tor onion service “Free Civilian” appeared online offering to sell various databases from government organizations across Ukraine along with a personal statement detailing the drama between the admin of the Tor service and the moderators of Raid Forums, declaring the forum is no longer “the island of freedom” anymore. (Source: DarkOwl Vision)

Additional data proofs on the Free Civilian onion service confirmed that the leaks Vaticano shared on Raid Forums were smaller samples of data from larger databases they had access to and were offering for sale on the darknet site.

On the Tor onion service, the size of the databases for sale were significantly larger than the samples shared on Raid Forums. The DIIA database size was 765 GB and offered for sale at $85K USD, with a price increase to $125K USD by early February. Another database, titled, “e-driver.hsc.gov.ua” database containing Ukrainian driver and vehicle information was listed at 431GB and offered for sale for $55K USD. The samples from Free Civilian correlated to the samples Vaticano provided in the somefilesnotcatholic.zip archive on Raid Forums.

Free Civilian lists several other databases for sale summarized below:

• wanted.mvs.gov.ua – Ukraine’s government database of criminal records.
• health.mia – Ministry of Internal Affairs servers hosting patient health data.
• mtsbu_samples_db – Ukraine’s Motor (Transport) Insurance Bureau.

As of the date of publication, both the DIIA and e-driver.hsc.gov.ua databases were marked as sold.

More Ukraine Data Surfaces

Banning Vaticano did not stop Ukraine-related data from appearing on Raid Forums. Another user shared a sample called “PFU of Ukraine” which consists of a text file containing over 53,000 names of individuals in Ukraine and phone numbers.

DarkOwl uncovered 156 unique email addresses in the file. The domain pfu.gov.ua is associated with the Ukrainian government’s pension fund website.

Days after the PFU leak, a post titled, DTEK[UA] appeared with the offer to sell over 200 credentials exfiltrated from employees at a large energy investor in Ukraine. The post also stated the vulnerability used to extract the data was also available. The Raid Forums user has history on the forum authoring at least 46 posts. (Source: DarkOwl Vision)

A leak titled “Ukrainian Police Dox” also emerged containing a zip file of various PDFs with PII for officials dated October 2020.

---

There is no evidence to conclude any of the recently shared data was sourced during the mid-January cyberattacks.

The Ukrainian data leaks in January were not the first time Ukrainian government and citizen data has been exposed in the underground. Last year, DarkOwl captured numerous spreadsheets and database archives allegedly affiliated with Ukraine disseminated and discussed on a Telegram channel known for stolen data brokerage.

DarkOwl also follows the popular Telegram channel, DB Leaks (a.k.a. @d3atr0y3d)who shares posts in English and in Russian and uploads files believed to have been captured from compromised sites and servers around the world. Coincidentally, they shared the same DIIA archive shared by Vaticano on the 23^rd of January, within days of the appearance of the Free Civilian Tor service. (Source: DarkOwl Vision)

Furthermore, in fall 2021, they uploaded several Ukraine-specific databases including a list of personnel assigned to the Special Operation Forces of Ukraine and Ukrainian candidates for local parliamentary elections. The figure below includes more examples of the types of data they shared.

The channel has also posted leaked databases from targets inside Russia, including the list of donors to the FSK, the non-profit, Anti-Corruption Foundation, setup by Alexei Navalny.

Interestingly, during the second half of 2021, several other Raid Forums users circulated information about Ukraine’s nuclear power plant, a spreadsheet of stolen and lost weapons in Ukraine, residents of Ukraine, and companies registered in Ukraine along with information pertaining to the country’s financial and economic activity. (Source: RaidForums)

Closer analysis revealed these archives were re-shares of various posts on the DB Leaks Telegram channel dropped earlier in 2021, perhaps by proxies of @d3atr0y3d or one of their associates (information support) at their request directly.

---

The date of the DDoS attack, while it could be insignificant, is exactly one month after the defacement and malware attacks in January. The malfeasance from the DDoS was not large enough to be categorized as a full cyberattack, but with geopolitical tensions rising to possibly the brink of war, the campaign was likely apart of a larger asymmetric psychological operation.

US Intelligence reporting of the second wave of cyber attacks in February assessed that Russia’s Main Intelligence arm, GRU was responsible.

---

Propaganda and Disinformation

The sheer volume of propaganda in open-source reporting renders correlating darknet findings against OSINT around the conflict challenging, if not impossible. Tor discussion forums known for historical propaganda circulation are surprisingly absent of any Ukraine-specific reporting in recent months while some users on Telegram shared fake photos of mushroom clouds inciting fear that Russia had used a nuclear weapon against eastern Ukraine.

One could interpret the lack of information as stemming from the possibility that the Russians did not have need in using typical darknet services for dissemination; the disinformation and misinformation campaigns are directly targeting other sources and platforms; or, it is already embedded within other news media sources. According to Reuter’s, Ukraine’s Deputy Secretary of the National Security and Defense Council, Serhiy Demedyuk, officially attributes the 13/14 January defacements to a cybercriminal group operating out of Belarus identified as UNC1151.

“This is a cyber-espionage group affiliated with the special services of the Republic of Belarus.”

Mandiant assesses that UNC1151, also identified as the “Ghostwriter” campaign, as responsible for direct espionage and obtaining confidential information for Belarusian dissidents, media entities, and journalists. Other research indicates that UNC1151 are potentially affiliated with Russia-supported anti-NATO disinformation campaigns that have been in circulation over recent years, replacing genuine articles on news sources with fake ones and spreading false quotes of political and military officials across Lithuania, Latvia, and Poland. However, direct attribution of UNC1151’s role in recent cyberattacks in Ukraine is indeterminate.

DarkOwl also found a darknet threat actor group known as Cyberpartisans trying to help defend Ukraine from Russia’s aggressions. The group claimed responsibility for an attack against the Belarusian rail network system to stymie Russia’s movement of troops towards Ukraine, despite the movement of troops via rail would not be a necessity for an invasion. The Cyberpartisians self-identify as a pro-democracy group of hacktivists, and last year tapped Belarus’s Ministry of Internal Affairs phone lines, leaking conversations between officials about organized protests against the country’s infamous dictator on Telegram.

In recent weeks, Lukashenko has been overtly supportive of Putin, jointly overseeing strategic military exercises in Belarus, including launches of Russia’s hypersonic missiles in a public show of the two countries’ alliance and continued cooperation. Belarus will undoubtedly play a critical role in the region in the events unfolding.

---

DarkOwl is monitoring the darknet as the conflict in Ukraine ripples throughout the European continent impacting the global economy and stressing international partnerships and alliances. We anticipate a fluctuation in underground network and criminal activity across Tor and other anonymous networks in the near term. We also forecast the KillMBR/KillDisk destructive wiper malware and attack methodologies debuted in Russia’s asymmetric operations against Ukraine’s critical digital infrastructure to be widely adopted by other criminal gangs and nation-state sponsored cyber operatives in future campaigns.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use-case.

In order to curate interesting darknet data collection from sources across the deep web, Tor, I2P and other “darknets” our analysts regularly follow “darknet threat actors” that openly discuss and disseminate stolen critical corporate and personal data.

In December 2021, DarkOwl witnessed increased activity on the darknet regarding the cybercriminal gang known as LAPSUS$. The group appears to have preference for attacking Portuguese-speaking organizations using data extortion-style campaigns and leverage compromised AWS servers where possible. Thus far, LAPSUS$’s attacks seem to have little critical impact to the victim’s organizational operations, with seasoned darknet community members stating the group is “amateur.”

DarkOwl believes the cybercriminal group has potential to become a formidable darknet threat actor with the increasing frequency of attacks in recent weeks. The lethality and economic impact of the attacks against their victims have yet to be determined.

Vodafone Telecommunications in Portugal

Since last December, the darknet threat actor group known as LAPSUS$ has been actively targeting Portuguese speaking services across Latin America and Portugal including prominent media and telecommunications companies on both continents.

Most recently, between 7 and 8 February, Vodafone Portugal – a subsidiary of Vodafone Group in the UK – stated in a press release the company was subject to a “deliberate and malicious cyberattack with the aim of causing damage and disruption.” Open-source reports indicate the attack impacted Vodafone’s 4G/5G voice and SMS service as well as its television services, but no ransom was demanded. While there is limited information about the attack in the press, Vodafone persists no subscriber or sensitive customer data was accessed or stolen.

On the LAPSUS$ Telegram channel, the group posted Vodafone with the eyes emoji without directly claiming credit for the attack. When someone directly asked if they were responsible for the Vodafone outage affecting millions of mobile phone subscribers, they stated:

“we don’t confirm or deny this yet.”

LAPSUS$’s Flurry of Activity Since December 2021

DarkOwl analysts began closely following LAPSUS$ across the darknet, deep web, and adjunct communication platforms since they claimed responsibility for a major cyberattack against the Brazilian Ministry of Health in mid-December. The cyberattack, allegedly “ransomware in nature” compromised Brazil’s Ministry of Health COVID vaccination records database, deleting the entire database contents, and defacing its website with the following message:

[TRANSLATED]

“The internal data of the systems were copied and deleted. 50 Tb of data is in our hands. Contact us if you want the data back”

The Brazilian government acknowledged their web services were offline and inaccessible to users for a short period of time without directly admitting it was LAPSUS$ who carried out the attack. The attack was like other ransomware/extortion-based attacks in the reported deletion of data; however, there was never a monetary ransom demand stated nor evidence of the group possessing the data or sharing compromised records on the darknet – despite cheers from their online supporters to release information on President Bolsarno’s vaccination status.

The group posted a statement on Telegram indicating that they had gained access to the Ministry of Health’s Amazon Web Services (AWS) and claimed they did not want to post evidence of their access because they still had access to the system despite the Ministry of Health restoring their services.

On Christmas Eve, the LAPSUS$ group attacked Claro and Embratel Telecommunications companies in Brazil reportedly stole over 10 PB (10,000 TB) of sensitive corporate information and SIM details for Claro customers across mass data storage systems such as: AWS, 2x Gitlab, SVN, x5 vCenter (MCK, CPQCLOUD, EOS, ODIN), Dell EMC storage, and Telecom/SS7.

The group shared screenshots detailing their level of access to the Claro network infrastructure and data on the dark web. We are still investigating how the group originally gained access to Embratel and Claro’s infrastructure. The group emphasized the extent of their access in the companies, highlighting they had access to over 1,500 virtual machines in use by Embratel and 23 unique hosts (IP addresses). From the screenshots, DarkOwl confirmed they used Windows Remote Desktop application to connect to many of the compromised computers within the Claro Network on their web browser. The screenshots included network management utilities for the network and their SIM network.

They also shared screenshots from a Powerpoint presentation they found on Claro’s network that detailed how law enforcement intercepts phone calls, SMS messages, and Claro customer network activity. 

(Note: the images below have been blurred intentionally so as not to reveal PII)

It is unclear from the screenshots shared whether members of the LAPSUS$ group used their local machines or a virtual environment to carry out the attacks. Nevertheless, the desktop of the browser screenshot suggests the OS was Windows and the temperature was 4 degrees Celsius at 21:56 on December 25, 2021.

Applying some simple OSINT analysis using historical weather databases, we discovered São Paulo, Brazil did not have weather conditions at that date/timestamp, but London, United Kingdom experienced similar weather patterns. This either means that the LAPSUS$ Group includes members from around the world or their computing environments are set to the UK/GMT time zone.

Regardless of their physical location, the LAPSUS$ group has preference for attacking Portuguese-speaking organizations on both the South American and European continents. Representatives of the group speak English on their Telegram channel.

In early January, the group conducted similar defacements to the Ministry of Health in Brazil for Impresa, a major media outlet, parent to SIC and Expresso in Portugal.  The group’s access to Expresso’s direct digital resources was extensive. During the attack LAPSUS$ members sent phishing SMS texts to Expresso’s subscribers, posted tweets from the news media’s verified Twitter account, and defaced its Twitter account, pasting to the top of the page the phrase:

 “Lapsus$ is officially the new president of Portugal.” (Source)

Information security researchers have noted that the text on the defacement is ‘Brazilian’ Portuguese – instead of Portuguese from the European continent – increasingly the likelihood the threat actors are based out of Brazil. LAPSUS$ claimed in their defacement they had access to their cloud services at AWS.

[TRANSLATED]

The data will be leaked if the necessary amount is not paid. We have access to the ‘cloud’ panels (AWS). Among other types of devices, the contact for the ransom is below.

Note from our analysts: When we think of “exposed credentials” we generally think of e-mail or server authentication data, e.g. username, e-mail address and/or password. The darknet is also haven for other types of critical corporate data credentials, including developer AWS cloud account identifiers, such as: Keys and Secrets for S3 buckets and web services.

Barely a week after the attacks, LAPSUS$ announced on their Telegram channel their next victim had been Localiza Rent a Car SA. The attack appeared to be a DNS spoofing attack on their website, redirecting Localiza website visitors to a porn site instead.

According to open-source reporting, the company reported a “partial interruption” and there was no evidence any customer data or sensitive information was stolen. No ransom demand was made either. 

Less than two weeks later, LAPSUS$ shared a Twitter post from Portugal-based Francisco Martins speaking of how the Grupo Cofina attack was against the company and not an attack on press freedom and another post referencing a popular Cofina journalist. LAPSUS$ never officially claimed responsibility for attacking the Portuguese media outlet that impacted multiple digital content platforms including: Correio da Manhã (Morning Mail), Sábado (Saturday) magazine, Jornal de Negócios (Business Journal), Diário desportivo Record and CMTV. (Source)

Technical specifics of the attack against Cofina are still murky, with little to no information coming directly from LAPSUS$. Security researchers note similarities in the “no ransom demand” style of ransomware, e.g. file corruption and extortion carried out by LAPSUS$, and the fact the group hit other major Portugal-based media companies merely weeks before.

Portugal’s Judicial Police (PJ) are actively investigating the incident and it is not proven LAPSUS$ carried out the attack. The group could be posting to their Telegram to infer their connection without proof and gain criminal credibility.  

[TRANSLATED]

“The Lapsus group just wanted to shut up Tânia Laranjo #Respect”

Additional Historical Evidence Surfaces

Using DarkOwl Vision, DarkOwl detected previous activity from the LAPSUS$ on the deep web and darknet including posts in July 2021 on RaidForums and other darknet forums claiming they had compromised networks and stolen data for the FIFA soccer games from EA. On those posts, they shared their PGP Key, signed the posts “LAPSUS$”, and logged into the forums using the pseudonym, 4c3.

Posts from the group on another darknet forum last summer were shared in the English language detailing to EA that they found a Remote Code Execution (RCE) vulnerability in the “frostbite engine” and they had no intention to target console users. This is a typical approach to trying to extort a company for specific vulnerability, e.g. “malicious bug bounty.”

In August 2021, the LAPSUS$ group ended up leaking the EA/FIFA data they had stolen after their attempt at extorting the company for $28 Million USD had failed to materialize. (Source: Raid Forums)

Users on RaidForums indicated the 4c3 moniker for LAPSUS$ on the forum was also tied to a CryptBB staff member known as Cyberjagu who was also trying to sell the EA source code. 4c3 denied any connection. According to open-source reporting, analysts with Blackberry’s Research and Intelligence Division confirmed Cyberjagu is some sort of “intermediary” for the cybercriminal group behind the EA/FIFA attack.

Drama Between Doxbin & LAPSUS$

In early January, the “dox” of a potential LAPSUS$ member surfaced on the controversial deep web paste site known as “Doxbin” and has received over 7,000 views as of time of writing. The dox – intentionally not included here – suggested the LAPSUS$ member was actually a 16-year-old teenager residing in Kidlington, UK and regularly used the pseudonym(s) SigmA, wh1te, and Breachbase in the underground. The dox may have been leaked in retaliation after LAPSUS$ shared hacked internal docs from Doxbin on their Telegram channel on the 5^th of January.

According to the LAPSUS$ Telegram channel and the LAPSUS$ Twitter, SigmA (@sigmaphoned/Alexander) might be a “high-ranking” member of the LAPSUS$ group. Since late January, many of the users on Telegram have been trying to reach SigmA, but he’s not responding to messages. The January dox suggested might be in the process of relocating to Spain with his family. (Source: DarkOwl Vision)

A Preference for Monero Leads to a Telecommunications Phishing Campaign

Last summer, LAPSUS$ also posted a Monero address on a deep web forum discovered by DarkOwl Vision. The same address was also included in numerous scam/phishing reports from users with British mobile telecom providers, EE and Orange. In July, users from EE reported receiving an ominous message from LAPSUS$ demanding EE pay them “4 millions USD” after making normal iTunes purchases. Perplexing to users, the texts arrived from historical “iTunes messaging” phone numbers.

---

Curious about something you’ve read? Interested to learn more? Contact us to learn how darknet data applies to your use case