Ukraine’s Call for Help Results in Global Cyberwar: Reviewing the Fallout

May 13, 2022

On the 24th of February, after months of failed diplomacy, the existing geopolitical landscape of Russia, Ukraine, NATO, the EU, China, and a myriad of complex international relationships drastically changed. Thousands of Russian troops, along with their equipment, crossed into Ukraine’s sovereign territory, and missile strikes on critical infrastructure and historical landmarks sent its people deep into bunkers underneath the cities, while others took up arms to defend their country.

While the kinetic war raged in the physical realm, Ukraine’s Ministry of Digital Transformation turned to the digital realm for assistance. Within days of the invasion, a call was placed across underground forums and chatrooms, and hundreds of thousands of volunteers – many of whom identify with the Anonymous hacktivist collective – answered.

Ukraine’s call for help sparked off the first ever global cyberwar.

Weeks before tanks and soldiers marched on the cities of Ukraine, Russia had already carried out a series of successful cyberattacks against Ukraine, hitting critical infrastructure and financial institutions around the country with at least six unique strains of destructive wiper malware. DarkOwl observed data exfiltrated during some of those attacks surface in the darknet, such as on the Free Civilian service on Tor, where hundreds of gigabytes of Ukrainian citizens’ sensitive personal data appeared. Recent reporting confirms Russia’s GRU also carried out a massive cyberattack against Viasat, knocking its customers’ KA-SAT satellite broadband offline an hour before the invasion.

Russia’s pre-invasion attacks against Ukraine pale in comparison to the retaliatory cyberattacks launched against Russia by the international hacktivist community over the last 77 days. Since the invasion began, thousands of hacktivists, cybersecurity researchers, pen-testers, and ‘greyhats’ have been actively participating in daily campaigns to disrupt Russia’s military offensive and influence the perceptions of the Russian people trapped behind the walls of the iron curtain.

Cyber Warriors Use Their Keyboards and Phones as Weapons in Global Cyberwar

Ukraine’s Ministry of Digital Transformation has played a large role in mobilizing calls to arms from a digital perspective. The IT Army of Ukraine – a digital army of over 275,000 volunteers tasked by the Ministry – targets Russian websites every day with widespread distributed denial of service (DDoS) attacks. The Ministry also coordinated directly with SpaceX on acquiring thousands of Starlink terminals for redundant satellite Internet access and spearheaded public calls to international business leaders and retail suppliers to withdraw from operating in Russia.

Hacktivist cyber cells aligned with the Anonymous collective and pro-Ukrainian criminal cyber threat actors conducted hundreds of direct information operations campaigns against Russia using any and every exploit in their arsenal. To this day, the attacks continue relentlessly despite Russia’s attempts to use geo-fencing and Cloudflare services.

Within the first week of the war, we witnessed credentials for numerous critical Russian government ministries leaked on the deep web; the names, phone numbers, and personal assets of Russian oligarchs released to the public; the names, passports, and dates of birth of over 120,000 Russian soldiers deployed in Ukraine published; and internal documentation for Russia’s police force and its Ministries of Foreign Affairs and Economy leaked.

Darknet criminal communities split over their national allegiances. Pro-Russian ransomware groups watched their affiliates abandon their programs and turn on them. We witnessed multiple groups have their internal documentation, source code, and private chats leaked. Several Tor forums and vendor markets hosted in Russia were targeted through direct cyberattacks, database leaks, and deanonymization of their IP addresses.

Propaganda as a Weapon

In any cyberwar, information is power. Knowing that Moscow would try to frame the war as a justified and defensive strategic military operation, Anonymous worked immediately to identify facts and combat misinformation. Videos of the attacks against civilian buildings went viral on social media, YouTube, and Discord. Russian television, radio, and streaming services were illegally accessed to share images from Ukraine. Anonymous security specialists from Poland known simply as squad303 spun up their 1920.in service – named after a famous RAF squadron involved in WW2’s Battle of Britain – which allowed strangers to contact a random Russian citizen via SMS, email, WhatsApp, and Viber using leaked lists of millions of Russian citizens’ personal contact information and social media accounts.

As of the first week in May, the squad303 team announced that over 100 million direct messages had been sent using their service.

Figure 1: Screenshot of squad303’s Russian Citizen Phone Number Contact Service

The Kremlin responded by tightening their control on the public media narrative, shutting down social media platforms like Twitter, Instagram, and Facebook, officially calling their war a “special military operation” and using militarized riot police to enforce a strict ban on all forms of public protest of the invasion.

Western media and independent news sources have been threatened, with journalists facing a potential 15-year prison sentence for reporting anything that counters Putin’s narrative of the “denazification of Ukraine” and “freeing” its people from an imminent nuclear threat from the US and NATO. Russian propaganda outlets began recirculating false claims of US-sponsored bioweapon laboratories and nuclear weapon storage facilities across Ukraine to justify the invasion.

Since the invasion, the ‘troll army’ backed by Russia’s Internet Research Agency (IRA) has been in full force, with thousands of bot accounts active across Twitter, Facebook, Discord, and Telegram spinning a different story of events on the ground in Ukraine. The accounts disseminate elaborate storylines of Ukraine shelling its own citizens, supported by fake videos and doctored media.

QAnon and Russian Disinformation

Deep web and darknet imageboards (or “chans”), historically supportive of the QAnon movement and home of the most outrageous conspiracy theories ever told, have also been supportive of Putin touting his critical international role – like that of former President Trump’s – in ridding the world of its secret Cabal and the greedy desires of the New World Order.

According to research shared by Bellingcat, posts on the imageboards in early March stated that Russia capturing Ukraine’s Chernobyl plant was critical to stopping everything “from DNA experiments, adrenochrome, torture, childsex and rape facilities, cloning installations and much more.” Ironically, QAnon Russia – with one of the largest QAnon follower bases at over 90,000 users – has a dissenting opinion and refuses to share the propaganda, instead promoting peace in Ukraine and a united brotherhood across all nations in the region, including Belarus, Russia, and Ukraine.

Anonymous retaliated against these coordinated disinformation efforts by hacking Russia’s Roskomnadzor information and propaganda agency and its All-Russian State Television and Radio Broadcasting Company (VGTRK), leaking over 900,000 emails and 360,000 files from across the organizations, which detail how television and radio are tightly regulated and programs censored directly by the Kremlin.

In anticipation of the Russian propaganda expected to be broadcast on Victory Day, May 9th, Anonymous successfully compromised Russian state television, changing nearly every program description during the Victory Day ceremonies to read:

“The blood of thousands of Ukrainians and hundreds of their murdered children is on your hands. TV and authorities are lying. No to war.”
Figure 2: Television Program Description from Russian State TV Programming Hack (Source: Anonymous)

Virtual private network (VPN) use in Russia has skyrocketed, increasing over 3,000% since mid-February. According to open sources, at least some percentage of curious Russian citizens are bypassing censorship by using VPNs to access international news about Ukraine and social media platforms. As of this week, reports estimated that an average of 300,000 downloads of VPN applications occurred every day.

The first fallout in the darknet from the cyberwar was direct attacks against the CONTI ransomware gang shortly after they publicly declared their support for Russia’s invasion. A Ukraine-based ‘security researcher’ took to Twitter to leak CONTI’s ransomware source code and details of their internal operations and botnet infrastructure, along with private jabber chats and PII from members of the team.

Similar leaks followed for members of the FSB-backed Trickbot group including dossiers of their members.

Several darknet forums, marketplaces, and XMPP chat servers were taken offline, and information leaked in a digital public shaming for each group’s association with Russia.

In March, Kelvinsecurity exploited a simple IDOR vulnerability on the darknet site DATABASE Market, leaked the contents of the market’s SQL database, and deanonymized the server by publishing the IP address of its host, located in St. Petersburg.

Earlier this month, a member of Anonymous known as v0g3lsec hacked a Russian-linked darknet vendor shop and replaced the site’s content with a description of squad303’s information service and a link to their surface website.

Figure 3: Tor Service Defacement by v0g3lsec

Network Battalion (nb65) successfully deployed CONTI’s leaked ransomware source code with a modified cipher and has carried out more than half a dozen attacks against targets across Russia. Their most recent attack involved the Russian payment system Qiwi Кошелек, with over 149,000 kiosks and terminals around the country. Earlier this week, the group shared a database containing over 7 million unique credit card numbers and associated PII for Qiwi platform users in Russia.

Critical Infrastructure Attacks

We have not observed a mass disruption of Russia’s critical infrastructure such as gas, power, and water supplies. This is likely because, as in the US, such systems are decentralized and distributed across various districts of the country. However, some limited interruption has been observed during the conflict. In early March, the Cyber Partisans used industrial control system (ICS) attacks to shut down train lines supplying the Russian military in Belarus. Automated ticketing stations were knocked offline, forcing the transportation authorities to issue paper tickets and causing delays.

Oil and gas related entities in Russia such as Gazprom Linde, MashOil, Neocom Geoservice, Enerpred, Aerogas, and Technotec have all suffered cyberattacks resulting in thousands of internal Microsoft Exchange emails being leaked in the deep web. In late April, multiple explosions occurred at the Druzhba oil depot, resulting in catastrophic fires and injuries. Subsequent open-source reports on Telegram suggest that the explosions at the Transneft-Druzhba Oil Depot, a supplier for military units, were ‘delivered with the help of drones’ from Ukraine. The depot and its associated pipeline are the main route for getting Russian oil to its European customers, although EU leaders have signaled a plan to stop purchasing oil from Russia by the end of the year, which may lead to a full embargo across the continent.

In recent weeks, several other mysterious fires across the country have been reported, including an ammunition depot in Staraya, another ammunition plant in the Russian town of Perm, an aviation school in the same village of Perm, a government building in Korolev, a chemical plant near the border of Ukraine, an oil depot in Belgorod, a defense research center in Tver, a pro-Kremlin publishing house in Moscow, a storage hangar in the Bogorodskoe district, and oil tanks set on fire in the industrial zone of Nizhny Novgorod.

Another random fire also started in Belgorod less than two days ago. Reports have not specified where the fire originated specifically.

Figure 4: Recent Explosions in Belgorod Captured by Social Media Users (Source: VK)

It is unclear from reporting whether these explosions were a result of SCADA cyberattacks or of direct arson and sabotage by Russian locals sympathetic to the situation in Ukraine. The darknet threat group GhostSec recently compromised Russia’s Metrospetstekhnika ASOTP system for transportation and successfully caused dozens of trains connected to the system to cease operation. The group claims they were able to access and disrupt the internal temperature, smoke, and backup battery systems of any of the trains connected to the network.

Figure 5: Announcement of Metro Train Attack by GhostSec (Source: Telegram)

Anonymous Leaks Stolen Data

Within days of the invasion, targeting information and exfiltrated data from targets across Russia surfaced in the deep web. DarkOwl has been monitoring mentions and announcements of data leaked in relation to the war since the start of the cyberwar and has found hundreds of leaks related to numerous government and commercial industrial sectors across Russia, Belarus, and China. The chart below demonstrates the volume of unique URLs observed containing information related to the war. In the early days, much of the leaked information consisted of network reconnaissance information (IP addresses, domains, credentials) for carrying out attacks against critical targets, and PII for government, military, and citizens of Russia.

As the war progressed, stolen data of all kinds, e.g. intellectual property, design schematics, military plans, financial account data, and emails, appeared. While in recent weeks the number of unique leaks has been smaller, the contents are higher in volume and more significant in value. For example, over the last two weeks, Anonymous has released – via DDoSecrets – over 3TB of data archives containing thousands of emails and sensitive internal documents from victim organizations across Russia.

Figure 7: Distribution of Data Leaks from the Cyberwar by Industry Sector

Nearly 90% of the leaks DarkOwl has observed are related to targets in Russia. The figure below is a distribution of the information from non-Russian countries that has surfaced with direct mention of the cyberwar. The threat actor group AgainstTheWest (ATW) concentrated on technology, government, and financial targets across China in the weeks following the invasion. ATW has since stopped participating in the campaign.

Figure 8: Percentage of non-Russian Data Leaked with Direct Mention of Global Cyberwar

Russia’s Response Takes Many Forms

Readers should not be fooled into thinking that this data means Russia is sitting back idly during these attacks. In addition to the crippling Viasat attack on the day of the invasion and widespread propaganda dissemination, GRU-affiliated cyber actors have regularly attacked Ukrainian telecommunications and critical infrastructure alongside Russia’s ground-based offensives. Elon Musk also recently stated that the Starlink satellites in use by the Ukrainian government for Internet broadband access are under frequent targeted signal jamming by Russian-linked hackers.

State-sponsored malicious cyber actors, ransomware and affiliated extortion groups linked to Moscow continue to spray US and western European companies with widespread spear-phishing attacks and malware deployment. During our recent review, we estimate ransomware gangs successfully encrypt on average a dozen organizations per day.

DarkOwl will continue to monitor the darknet and deep web for critical information pertaining to the quickly evolving cyber landscape.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.

Using DarkOwl Vision to Protect Brand Value and Reputation

May 10, 2022

This blog discusses how DarkOwl’s software-as-a-service (SaaS) product suite – Vision App, Search API, and Entity API – can be utilized to protect corporate brand reputation and value.

Darknet Background

The darknet – also referred to as the dark web – is a segment of the Internet, hidden from the novice user, that is only accessible by using specialized software or network proxies. Due to the inherently anonymous and privacy-centric nature of the darknet, it facilitates a complex ecosystem of cybercrime and illicit goods and services trade. The most common darknet to date is “The Onion Router” or simply, Tor.

The deep web is a collection of websites that do not require anonymization software to access but require unique knowledge of the URL or account creation and authentication for entrance. While a personal banking account portal is technically in the deep web, much of the deep web facilitates cybercrime through criminal marketplaces and discussion forums.

DarkOwl defines darknet-adjacent networks as instant-messaging chat platforms, such as servers and channels on Telegram, IRC, and Discord, featuring real-time communications (or “chatter”) about on-going criminal activity and active cyber operations.

Decentralized Darknet Marketplaces

The darknet is home to decentralized darknet marketplaces (DNM), e-commerce platforms where buyers and sellers transact directly with each other through peer-to-peer networks or the Tor network. Marketplaces usually employ cryptocurrency-based escrow built into the marketplace to facilitate secure and anonymous deals between the buyers and vendors.

One of the first and most well-known darknet marketplaces is the Silk Road, established in 2012 by its founder, “Dread Pirate Roberts” – Ross Ulbricht. Upon its shutdown and for years after, the US government seized an estimated $1 billion USD in Bitcoin connected to Silk Road.

The seizure of Silk Road and the lifetime sentence of Ulbricht have not deterred criminals from continued illicit goods trade in the darknet. As of the time of writing, DarkOwl has knowledge of 30 large-scale decentralized markets currently online and hundreds of smaller single-vendor or single-product marketplaces in operation across the darknet and deep web.

Forms of Brand Mentions in the Darknet

Corporations and organizations, along with their key leadership, are regularly targeted and ‘mentioned’ in the darknet – across marketplaces, discussion forums, and transient paste sites. Many times the references are specific to a cyber campaign targeting the company, while others are perfectly-matched counterfeit goods produced by underground counterfeiters and resold on decentralized darknet marketplaces.

The most common types of critical brand mentions in the darknet include:

  1. Derogatory Mention by a Disgruntled Customer or Employee
  2. Personal Dox of Corporate Leadership and/or Board Members
  3. Targeting Data in association with Malicious Cyber Operations
  4. Leaked Critical Company Data
  5. Cracked Software Distribution
  6. Pirated Media and Streams
  7. Counterfeit Product Sales

Examples of Corporate Brand Mentions in Vision

Using the common forms listed above, this section provides real examples of brand mentions in the darknet, deep web, and darknet-adjacent platforms, as captured by DarkOwl’s autonomous content crawlers.

A disgruntled employee of Wells Fargo states that the company is ‘scandalous’ and ‘corrupt.’ They also highlight a major cyber risk for the company: they have been instructed to use other employees’ logins to do their job.

Figure 1: Source DarkOwl Vision DocID: 7f32e227c2590d5c2e04fd0b3e5d051042940641

An employee at Amazon compares the tradeoffs NBA players must make with the harsh working conditions at Amazon corporate (not warehouses).

Figure 2: Source DarkOwl Vision DocID: 136d898fde08e2217c8bf43c26930f1fd7356bd1

A dox (also doxx) is a detailed public record of someone’s identity. To ‘dox’ someone is to publish private information about that person as a form of public shaming, created to exact revenge on the company or person for some perceived wrongdoing. A dox presents a significant security threat to the company and the individual: detailed information such as mobile phone numbers, residential address, social media accounts, bank accounts, and familial associations is publicized and subsequently targeted for phishing, fraud, and even kidnapping for extortion or murder.

Every ‘dox’ has a reason for publishing the information to a public record.

Corporate leadership, members of the board of directors, and key figures related to many brands and international entities are regularly targeted for ‘doxing’ in the darknet.

Figure 3: Source DarkOwl Vision DocID: d8ba881fd4f01f8e691a7fcfada1b4ad3ebc7d64

Threat actors identify Gazprom’s subdirectories, subdomains, and IP addresses in preparation for a concerted attack against the oil and gas supplier in retaliation for Russia’s invasion of Ukraine.

Less than a month later, a significant volume of data from Gazprom and its subsidiary, Gazprom Linde Engineering was leaked on the darknet including 768,000 emails from the joint Gazprom-Linde Microsoft Exchange server.

Figure 4: Source DarkOwl Vision DocID: 77be2205969371938bb235f463f94fa32cb4552d

Hacktivists regularly target companies and brands in support of geopolitical causes and social justice initiatives.

The image below includes an announcement on Telegram by pro-Ukrainian hackers calling for the boycott of purchasing Nestle products due to their continued operation in Russia and subsequent economic support for the Putin-backed Kremlin.

In the days following the post on Telegram, the prominent darknet threat actor group KelvinSec compromised Nestle’s company network and leaked sensitive databases containing customer, transaction, and shipping data.

Figure 5: Source DarkOwl Vision DocID: 9b5dde8629bcb38002c81e3d19a47470ebddd263
Figure 6: Screenshot from the actual database leaked from Nestle, consisting of customer entity data, orders, payment information, and passwords (10GB total)

Cybercriminals often leak large sets of company-proprietary and sensitive data obtained via ransomware attack or malware infection of a company’s network. Critical corporate data might include – but is not limited to – software source code, sensitive email communications, employee W2 verification data, identity documents such as driver’s licenses and passport images, and financial statements.

The example below is source code exfiltrated by LAPSUS$ threat actors after a major cybersecurity incident against the SAMSUNG corporation.

Figure 7: Source DarkOwl Vision DocID: f7d9d309d34853f0b1236d437ef1314460b54223

“Cracking” is a broad term used by darknet and deep web threat actors to describe the process of breaking into something, most often bypassing the software licenses and passwords required by computer software programs.

Adobe products are regularly targeted for ‘cracking’ due to the steep costs of their software product licenses and subscriptions. Threat actors on Telegram detail how to install a ‘cracked’ version of Photoshop and use DLL manipulation to override licensing requirements.

Figure 8: Source DarkOwl Vision DocID: 52401ddd38f3386b57b07bfc161d06813d6bd23d

Pirated media, movies, and streams have a continued presence on the darknet. The Pirate Bay – considered the “most resilient BitTorrent site” on the Internet – still circulates the latest movie titles.

Figure 9: Source DarkOwl Vision DocID: db4dda0c5ab85082b2c6b98c5948f1ad60c162ba
Figure 10: The Pirate Bay BitTorrent Download Landing Page

The illicit trade of counterfeit goods is a multi-billion-dollar international industry – which continues to be led by China. According to Europol, surface web monitoring helps crack down on the major counterfeit goods suppliers, but many sophisticated networks simply shift to the darknet and use decentralized darknet markets to sell their counterfeited items.

Many darknet marketplaces feature a “counterfeit goods” section that encompasses physical counterfeited items a buyer can purchase and have sent to them directly. Watches and fine jewelry are the most common physical goods offered on underground marketplaces.

Figure 11: Active Listing for a Counterfeit Ladies’ Panthere de Cartier Watch on Vice City

Marketplaces are more commonly known for their diverse and extensive selection of drugs available for purchase. DarkOwl has witnessed the defamation of many brands in affiliation with common street drugs.

For example, the Warner Bros (WB) entertainment brand has been used extensively by drug dealers on the darknet in advertisements for “WB-shaped” ecstasy (XTC) pills, and its comic-book heroes and cartoon franchises have been exploited to market Batman-, Superman-, and Looney Tunes-branded drugs.

Figure 12: Screenshot of Offer Captured in DarkOwl Vision DocID: 1411b1671a1aeedae7c1add5b996d769
Figure 13: Source DarkOwl Vision DocID: 58f39ef647bfdb931f6b8d147cd86b85

DarkOwl Solutions for Brand and Reputation Management

DarkOwl’s SaaS product suite of its Vision App, Search API, and Entity API is designed to help augment surface web monitoring for brand mentions like those discussed and outlined in this document.

In the Vision App, analysts can create automated monitors and alerts to be notified when critical corporate information or counterfeited products are circulated on darknet paste sites, discussion forums, or marketplaces.

Figure 14: Screenshot from DarkOwl Vision’s Search, Monitoring, and Alert Features

All Your Passwords Belong to Us

May 05, 2022

In honor of World Password Day – a date established in 2013 by Intel Corporation to foster security awareness – the content team at DarkOwl decided to compile some interesting statistics based on the email and password entities available in the DarkOwl Entity API.

DarkOwl’s Entity Volume

Every day we hear of another commercial data or app breach. At this point, everyone can assume their email address and/or password has been leaked on the darknet or deep web. DarkOwl has collected and tokenized over 8.68 billion (with a “B”) email addresses. 5.46 billion of those emails include a password. 57% of those email addresses include a ‘plaintext’ or legible password.

But My Password is Complex!

If you’re still using your cat’s name followed by the exclamation point (“Fritzie!”), your password is not complex, and you have most likely already experienced an account compromise. But, you’re not alone. Complex, lengthy passwords are not the norm across DarkOwl’s data.

The most common password length is 8 characters.

Figure 1: Distribution of Password Volume by Password Character Length

Is an 8-character length password strong enough?

The strength of an 8-character password depends on the motivation and the tools available to the cybercriminal targeting your account. There are plenty of password ‘cracking’ tools readily available to hackers to conduct dictionary and brute force style password attacks. Some of the most popular tools include:

  • John the Ripper
  • Cain & Abel
  • OphCrack
  • THC Hydra
  • Hashcat
  • Brutus
  • RainbowCrack
  • CrackStation

Even the most sophisticated password crackers will need significant processing power and time to successfully break long, complex passwords. Unless an 8-character password includes numbers and symbols, the password can potentially be brute forced.

Figure 2: Time to Crack Passwords of Varying Degrees of Character Length and Complexity

Over 4 billion of the passwords (4,285,451,030) available in DarkOwl’s Entity API are 32 characters or less. 662,341,057 passwords could be classified as extreme and greater than 32 characters in length.

Figure 2 demonstrates that passwords including numbers and symbols are harder to crack than letters alone. DarkOwl’s data contains a significant volume of passwords with some degree of complexity, but only 637 million plaintext passwords would be classified as “strong.”

Strong passwords are defined here as containing special characters, digits, lowercase and uppercase letters, and a length greater than 8 characters.

Passwords That Age Us

Do you have a favorite year that you include in your password for uniqueness? Perhaps it’s your birthday year or anniversary. Both are very common. We found over 707 million passwords include a year string that starts with “19XX” or “20YY.”


According to our data distribution, peak volumes of passwords include the date range of 1980 to 1994. The most frequent years we observed were:

1990: 14,006,141

1987: 13,795,566

Figure 3: Distribution of Passwords Containing a Date (Year) String

QWERTY is Simply Lazy

The “QWERTY” keyboard layout originated in the late 1860s and was designed to help people type and translate Morse code faster. Regardless of its origins, people heavily rely on the top row of the American keyboard characters in many password fields; 5,793,906 passwords in the DarkOwl Entities API contain the 6-character string “qwerty.”

Even worse are sequential numbers, with 29,010,394 passwords consisting of “123456” and 11,718,471 going to the trouble of adding the whole number set, “123456789.”

DarkOwl has collected 5,857,363 passwords using the laziest password of all: the word, “password.”

Hashed Passwords > Plaintext

Billions of leaked plaintext passwords are tragic, no matter the complexity, character length, or whether a date string or qwerty is included. Therefore, if you suspect a plaintext password you use or have used in a commercial webservice has been compromised, change it immediately and cease using it on any authentication logins. Credential stuffing campaigns exploit password reuse and utilize email address and password combinations to attempt logins outside of the source of the original leak.

Given the propensity for commercial data breaches, most authentication and digital identification protection platforms strongly suggest that users’ passwords be stored in a hashed format instead of plaintext to reduce the likelihood of immediate malicious use upon compromise.

6% (518,566,724) of the passwords available in DarkOwl’s Entity API are hashed passwords.

In cryptography, hashing uses a mathematical algorithm to map data of any size to a bit string of a fixed size. In password hashing, a ‘hash’ is a unique, fixed-size digital fingerprint corresponding to the original plaintext password that cannot be reversed. There are several different ‘hashing algorithms’ available for protecting stored passwords.

The most common hash in DarkOwl’s data is MD5 followed by SHA-1.

Some MD5 hashes in phpBB and WordPress appear as 34 characters instead of 32. DarkOwl has 345,431 hashed passwords consisting of 34 characters.

Both MD5 and SHA-1 have been deemed vulnerable, as they are subject to collision attacks and ‘dehashing.’ One of the most popular password cracking programs to date, Hashcat, supports lookups against popular wordlists like RockYou, allowing the original plaintext password to be recovered.
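The statistics above (plaintext vs. hashed, the “strong” definition, 19XX/20YY year strings, “qwerty”/“123456”/“password”, and 32- vs. 34-character MD5-style hashes) can be reproduced over any credential dump with a small classifier. The following is an added example written for this post, not DarkOwl’s own code; the sample dump is constructed, and the keyspace model (character-class size raised to the length) is a simplifying assumption, not the figures behind Figure 2.

```python
import hashlib
import re
import string
from collections import Counter

# Constructed sample of leaked credential values (not real data) in the
# shapes the post describes: plaintext, year strings, lazy strings, hashes.
SAMPLE_PASSWORDS = [
    "Fritzie!", "qwerty123", "123456", "123456789", "password",
    "Summer1990", "anniversary2005", "Tr0ub4dor&3x!Long", "X9#pLq2$vM7!",
    hashlib.md5(b"password").hexdigest(),   # 32 hex chars (MD5)
    hashlib.sha1(b"password").hexdigest(),  # 40 hex chars (SHA-1)
    "$P$Babcdefghijklmnopqrstuvwxyz0123",   # 34-char WordPress portable hash (constructed)
    "$H$9abcdefghijklmnopqrstuvwxyz0123",   # 34-char phpBB3 portable hash (constructed)
]

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")
# phpass "portable" format: $P$ or $H$, 1 cost char, 8 salt chars, 22 hash chars = 34 total
PHPASS = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")
YEAR = re.compile(r"(?:19|20)\d{2}")          # the post's "19XX" / "20YY" strings
LAZY = ("qwerty", "123456", "password")       # substrings the post counts


def hash_format(value):
    """Label a stored value as md5 / sha1 / phpass-34, or None for plaintext."""
    if HEX32.match(value):
        return "md5"
    if HEX40.match(value):
        return "sha1"
    if PHPASS.match(value):
        return "phpass-34"
    return None


def is_strong(pw):
    """The post's definition: special chars, digits, lower, upper, length > 8."""
    return (len(pw) > 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def year_in(pw):
    """Return the first 19XX/20YY year string as an int, or None."""
    m = YEAR.search(pw)
    return int(m.group()) if m else None


def lazy_tokens(pw):
    """Lazy substrings present (note: '123456789' also contains '123456')."""
    low = pw.lower()
    return [t for t in LAZY if t in low]


def keyspace(pw):
    """Brute-force keyspace under a simple model: (sum of used class sizes) ** length."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size ** len(pw)


def summarize(values):
    """Aggregate the counters the post reports, over a list of stored values."""
    stats = {"total": len(values), "plaintext": 0, "strong": 0,
             "hashed": Counter(), "lengths": Counter(),
             "years": Counter(), "lazy": Counter()}
    for v in values:
        fmt = hash_format(v)
        if fmt:
            stats["hashed"][fmt] += 1
            continue                      # hashed: no plaintext metrics
        stats["plaintext"] += 1
        stats["lengths"][len(v)] += 1
        if is_strong(v):
            stats["strong"] += 1
        y = year_in(v)
        if y:
            stats["years"][y] += 1
        for t in lazy_tokens(v):
            stats["lazy"][t] += 1
    return stats


def plaintext_share(stats):
    """Fraction of stored values that are legible plaintext (the post's 57%)."""
    return stats["plaintext"] / stats["total"] if stats["total"] else 0.0


if __name__ == "__main__":
    s = summarize(SAMPLE_PASSWORDS)
    print(f"plaintext share: {plaintext_share(s):.0%}, strong: {s['strong']}")
    print("hashes:", dict(s["hashed"]), "years:", dict(s["years"]), "lazy:", dict(s["lazy"]))
```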

Password Strengthening Tips

Although you can’t prevent commercial services getting breached and usernames, email addresses, and password combinations getting leaked, you can follow some simple steps to ensure you employ robust password hygiene and reduce the risk of a password getting brute forced or exploited in a credential stuffing campaign.

  • Use an automated complex password Manager like Lastpass, BitWarden, or 1Password.
  • Don’t reuse passwords. Have unique password for every login and streaming service you sign up for.
  • Choose passwords at least 16 characters in length.
  • Include symbols and numbers for increased complexity.
  • Avoid using passwords with dictionary words or names.
  • Don’t use sequential numbers or the word “password.”
  • Don’t use the year of your birth or anniversary in your password.
  • Turn on multi-factor authentication (MFA) for important accounts like financial and banking sites.

Celebrating World Password Day

Today’s World Password Day is a perfect time to pause and review the security – or lack thereof – of your most common password habits. After reading this blog, we invite you to consider taking the following actions today:

  • Review passwords stored in your keychain, password managers, or sticky notes.
  • Change any passwords you might be reusing across multiple sites.
  • Share password tips on social media with friends and family (#WorldPasswordDay).
  • Transform a weak password into a strong one using the password strengthening tips above.
  • Turn on MFA for all important accounts.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.

Ransomware Resurgence and Emergence: Continued Analysis of RaaS Activity Since the Invasion of Ukraine

May 04, 2022

Ransomware on the Darknet Continues

Figure 1: Netblocks Status of Vodafone, 6 March 2022

The interruption in victim announcements was more of a slow-down and did not last long, with a quick ramp-up from the major RaaS industry players: CONTI, LockBit 2, and CL0P announced dozens of victims during the month of April.

LockBit 2 – a gang that “claimed” neutrality in the Russia-Ukraine war – has the highest number of total victims since the 24th of February at 280. That’s an average of 4.5 victims per day by a single group.

DarkOwl is currently tracking 25 active ransomware groups. Across those groups, the total number of victims – just since 24 February – totals 813, presenting an even more worrisome average of 11.8 victims per day.

Figure 2: Scatter plot distribution of daily ransomware victims per RaaS gang

Critical Infrastructure Targeted

Unsurprisingly, victims include several US and NATO-based critical infrastructure organizations and suppliers including local government municipalities, electrical and alternative power providers, water, telecommunications, and transportation suppliers.

DarkOwl also observed an increase in manufacturing and construction-related companies with downstream victims including international lumber and steel processing companies mentioned quite frequently.

CONTI announced last week they successfully encrypted US-based MACK Defense, LLC, a major parts supplier and sales organization attached to the MACK trucking company. This will likely cause further interruptions to an already encumbered and fatigued US ground-based supply chain.

Meanwhile, Snatch leaked over a gigabyte of data from a popular European travel website, TUI Group.

Figure 3: CONTI Announcement of Ransoming MACK Defense, LLC

Ransomware groups have announced at least half a dozen victims across electrical, water, or natural gas-affiliated suppliers in the US, Canada, and Europe in the last 10 days.

In March, German wind-turbine supplier Nordex suffered a severe cyber incident carried out by CONTI shutting down over 5,000 wind turbines across the country. On April 23rd, CONTI leaked 145GB of exfiltrated data related to the company, archived across 82 compressed data files. The Nordex cybersecurity incident was likely a critical infrastructure retaliation attack for Germany’s support of Ukraine.

HiveLeak’s and AlphaV’s activity also increased significantly, with nearly 100 victims between the two RaaS gangs alone. Vice Society also leaked 20 victims in the last 10 days of April after previously having a relatively slow ransomware

Figure 4: Statement from Snatch Ransomware

The Resurrection of REvil

REvil’s “Happy Blog” suddenly appeared online and operational on the Tor network on April 20th, redirecting to a new URL which announced 5 victims. The last victim posted by the REvil group was in mid-October 2021, shortly before the site began returning 404 errors and rumors emerged suggesting the FBI had seized the admin panel and deleted the Tor service using UNKN’s or another admin’s keys.

According to the BBC, members of the REvil RaaS operation were reportedly taken into custody by the Russian FSB after an international law enforcement operation last December.

The redirected URL includes a link to “Join Us” with a request for affiliates to contact them using a Tox address provided. The advertisement continues their historical 80/20 ransom split and states they have a “Тот же проверенный (но улучшенный) софт” [TRANSLATED] “The same proven (but improved) software.”

Figure 5: REvil’s Latest Call for Affiliate Partners

The new REvil Tor service boasts an odd mix of victims, including an oil and gas company in India, an asphalt production company, and a corporate signage company. By the end of the month, the service was offline and inaccessible. The intention behind reviving the REvil Tor service is unclear, but the timing was nearly coincident with the US closing diplomatic channels with Russia on cybersecurity.

The resurrection of REvil could indicate that President Putin has released arrested ransomware operators to carry out retaliatory attacks against critical targets in the US and Europe.

New Ransomware Groups and Patterns Emerge

A new RaaS group called Blackbasta appeared online and announced 11 new victims on the 26th of April. Blackbasta uses ChaCha20 with RSA-4096, an upgrade from groups like Maze and Sekhmet that used ChaCha20 with RSA-2048. They also call their Tor victim page “Basta News,” playing off the CONTI marketing strategy.

Figure 6: Blackbasta Tor Service “Basta News” 30 April, 2022

Another new group, Onyx ransomware, started leaking victim data on a Tor service titled “Onyx News,” with 7 new victims added at the end of April. The victims appear to be primarily small businesses and organizations, including a local US police office and a couple of family medical practices.

The x001xs ransomware group appears to have pivoted to a different underground industry with no victims announced since late January. Their Tor service also now redirects to a darknet credit card provider called “BitCarder.”

RaaS group activity across the whole industry has steadily increased over the last 10 days. When the various groups’ victim announcements are plotted as a function of post date, they show quite noticeable “peaks and valleys,” suggesting that collectively less publishing occurs on weekends.

The outlier for this trend is CL0P who drops several groupings of victim announcements only around the weekends. The CL0P group was much less active in March with announcements only at the beginning and end of the month.

Figure 7: Daily Distribution of Total Victims Per Day Across All Groups, with 3pt Moving Average Filter

Ransoming Russia

Since the end of March, an Anonymous-linked, pro-Ukrainian cyber threat cell known as Network Battalion ’65 (or simply nb65) has carried out cyberattacks against Russian entities using ransomware. The group alleges it is deploying a variation of the leaked CONTI ransomware source code, which surfaced shortly after the invasion. We have identified and downloaded at least half a dozen data leaks provided by the nb65 group that accompanied the group’s announcement of the CONTI code use.

Figure 8: nb65 Announces Use of CONTI ransomware Against JSC Bank of Russia

Hackers Hacking Hackers

On 20 March, Arvin Club published a data leak associated with the pro-Russian STORMOUS ransomware gang. Arvin claimed the group poorly configured their ‘new’ Tor service after mirroring their Telegram content to the anonymous network. It was unclear whether this was motivated by malice or geopolitical alliances.

In early March, STORMOUS posted an official statement to their Telegram channel stating they did not intend to attack Ukraine but could not sit back and watch attacks against the country [Russia] that “means so much to us.” They also included CONTI’s logo and the handshake emoji with their respective hashtags, symbolizing some level of partnership.

Figure 9: Arvin Club Leak of STORMOUS Info on Tor | STORMOUS World Announcement

In the last month, Russian ransomware groups and threat actors have been actively targeting pro-Ukrainian cybersecurity researchers and Anonymous-linked cyber cells. Many researchers have been doxed and threatened across social media and Telegram in vendetta-like attacks.

Figure 10: Twitter Post Warning Anons that Russian Ransomware Gangs are Targeting the Anonymous Collective


Understanding Darknet Intelligence (DARKINT)

April 28, 2022


The darknet (or “dark web”) is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into their security posture, even though it is becoming an increasingly vital component of it. In many cases that is because turning raw darknet data into actionable security intelligence requires DARKINT: data points sourced from the darknet and other OSINT sources that together form a risk and/or investigative portfolio.

Darknet 101

The darknet is a layer of the internet that was designed specifically for anonymity. It is more difficult to access than the surface web and is reachable only via special tools and software, specifically purpose-built browsers and protocols. You cannot access the darknet by simply typing a dark web address into your web browser. There are also darknet-adjacent networks, such as instant messaging platforms like Telegram, the deep web, and some high-risk surface websites.

Quick Definitions:

darknet: Also referred to as the “dark web.” A layer of the internet that cannot be accessed by traditional browsers, but requires anonymous proxy networks or infrastructure for access. Tor is the most common. 

deep web: Online content that is not indexed by search engines, such as authentication-protected sites and paste sites; it can best be described as any content on a surface web site that requires authentication.

high-risk surface web: consists of areas of the surface web (or “regular” internet) that have a high degree of overlap with the darknet community. This includes some chan-type imageboards, paste sites, and other select forums.

For a full list of darknet terms, check out our Glossary.

What is Darknet Intelligence (DARKINT)?

DARKINT is a term, trademarked by DarkOwl, that combines two concepts: darknet and intelligence.

The darknet, also referred to as the dark web, is a segment of the Internet, hidden from the novice user, that is only accessible by using specialized software or network proxies. Due to the inherently anonymous and privacy-centric nature of the darknet, it facilitates a complex ecosystem of cybercrime and trade in illicit goods and services.

Data scientists define intelligence as a continuum of increasing data complexity. At the foundation of the pyramid is “raw data.” In statistics, raw data refers to data that has been collected directly from a primary source and has not been processed in any way. (Source)  

Assembled collections of raw, unverified data across multiple sources, together with context, form the basis of “information.”

Intelligence is the consequence of combining analyzed, interpreted, and validated information with informed perceptions and personal experience to drive decisions.

Some key features of intelligence:

  • Intelligence is created and shaped by humans. Machines can compile information but cannot produce intelligence.
  • Intelligence is based on multiple, trusted and verified sources.
  • Data intelligence is also sometimes referred to as ‘insights.’
  • Intelligence utilized by national security or geopolitical decision makers is often accompanied by a numerical confidence value, calculated using the history, veracity, and perceptions of the information available.

DARKINT™ is intelligence derived from pure darknet, deep web, and associated adjacent underground cyber information sources.

Darknet Intelligence and DARKINT™

DarkOwl’s product suite facilitates the formation of actionable DARKINT because its Vision platform collates darknet data from multiple sources, including the deep web, high-risk surface web, and darknet-adjacent networks such as instant messaging platforms like Telegram and IRC.

In the framework of underground criminal activity and darknet(s), the continuum of data, information, and intelligence follows this example:

  • a sample of raw data could be a leaked credential for ABC software company; 
  • information consists of a document in DarkOwl Vision collected from a darknet forum where a threat actor shares a database containing the leaked credentials from ABC software company in conjunction with a known vulnerability against Microsoft Exchange server; 
  • a security analyst receives an alert of this document and analyzes this information to find the threat actor’s social media account touting they will carry out a ‘special’ cyber-attack next weekend, coupled with a scan of the software company’s network indicating they haven’t installed multi-factor authentication on their employee accounts. Using this analysis and their intuition, the analyst produces a security risk intelligence assessment stating they believe with high confidence the threat actor is very likely to attack ABC software company as early as next weekend and alerts ABC’s IT department to deploy multi-factor authentication and immediately patch all potential points of network entry. 

The information in DarkOwl Vision, combined with open-source intelligence (OSINT) resources such as social media, port scanning, and network data, facilitates comprehensive business decisions across a diverse set of use cases: threat intelligence, fraud detection and mitigation, cyber insurance, supply chain and vendor risk, digital identity protection, national security, critical infrastructure protection, and law enforcement investigations.

Common Types of Raw Data & Information Circulated on the Darknet

Personally Identifiable Information (PII)

Personally Identifiable Information, or PII, is any information used to identify an individual. This type of data is incredibly valuable on the darknet, especially when combined with credential information. Examples include full name, billing address with the zip code, date of birth, email address, passport numbers, national identification numbers, and phone numbers. It also includes anything associated with one’s online presence such as a social media profile. Even information like a leaked mobile phone number can be leveraged by threat actors for social engineering activities like SIM swapping, which is used by criminals to bypass multi-factor authentication and gain unauthorized access to online accounts. 

Banking and Transaction Data 

Debit and credit card numbers are a common type of raw data available on the darknet. Some criminals specialize in the trade of the cardholder’s sensitive PII together with the associated card details, e.g. CVV, expiration date, and PIN. Criminals use card numbers to make fraudulent purchases online and deliver them to a different address, make a series of low-cost purchases the victim won’t notice, or buy expensive goods in person.

There are numerous forums and marketplaces specializing in banking, carding, and financial fraud on the darknet and in DarkOwl Vision. 

Critical Corporate Data

Critical corporate data consists of mentions of company names, domain names, IP addresses and other corporate identifying markers on the darknet. Sometimes raw corporate data like the domain name, subdomains, or IP addresses for a company are shared in the darknet or deep web temporary paste sites for threat actors to collaborate ahead of a concerted cyberattack against the company. 

A darknet database brokerage service advertising a company’s stolen competitive intellectual property, product design schematics, and sensitive financial or contracts packages for sale is information, not intelligence.  

Credentials and Compromised Accounts 

Credentials are the secret information required to log in to network accounts. They are user-specific information that verifies the identity of the user attempting to access the website or service. Some credentials, such as usernames that include personal names, are also considered PII. Email addresses and passwords are the most common type of credentials. More sophisticated credentials include PGP keys, AWS/Azure developer secret keys, and security tokens. Credentials can also include user-verification and digital identity authentication tools.

Malware, Exploit Toolkits, and Ransomware

Malware is malicious software with harmful code designed to break into, infect, steal, surveil, compromise, or crash networked devices. It is used to get what a criminal wants from a target without their consent. There are many categories of malware like viruses, spyware, keyloggers, and ransomware. 

Several types of malware, exploit toolkits, and ransomware are available for purchase on the darknet. High-quality malware includes detection-evasion capabilities to bypass network security systems and establishes persistence, meaning it stays undetected and continues giving the cybercriminal access to the information on the compromised device for months or years.

Information consists of feeds and documents in DarkOwl Vision detailing the advertisements for such malware on offer or a ransomware Tor service publishing the identities of their victims along with the extorted sensitive corporate data and PII stolen from the victim.  

Malware development and exploitation attack techniques are also openly discussed in darknet forums collected by DarkOwl Vision. 

Example Darknet Sources Containing High-Consequence Information 

Threat Actor Chatter from Instant Messaging Platforms 

Conversations (also known as “chatter”) directly from and associated with threat actors and their associated criminal communities on instant messaging platforms are an important aspect of information gathering to develop intelligence assessments based on DARKINT. 

Internet Relay Chat (IRC) has historically been a real-time chat environment for threat actors to plan, collaborate, and securely distribute stolen information related to cybercrime. Modern chat platforms like Telegram are an increasingly popular, high-frequency source of substantial darknet-adjacent information, despite not being directly connected to the darknet. These types of instant messaging platforms are widely utilized by threat actors, who administer both public and private servers and channels.

Chatter from instant messaging platforms, coupled with darknet forum posts and OSINT, aids in the translation of information into actionable, high-confidence DARKINT judgements.

Nation State Actors and Political Activity 

Darknet intelligence concerning nation state actors and political activity is becoming increasingly relevant. Nation-states are typically on the darknet for intelligence gathering and espionage, campaigns to disrupt critical infrastructure of other nation-states, activism and propaganda, sharing and testing source code, exploits, and vulnerabilities, and for financial gain. Disinformation and misinformation are powerful tools some nation-states use to sway public perception and opinion.

Even before the invasion of Ukraine, DarkOwl found evidence that nation-states were increasingly using the darknet as an information-based battlefield for a variety of key intelligence and cyber military campaigns.

In just the last 90 days, Telegram has featured as a critical network for 24/7 disinformation campaigns and information operations spearheaded and sponsored by the governments of Russia and Ukraine. Channels regularly include interviews with prisoners of war (POWs), digitally altered videos to trigger false-flag operations or claim kinetic military success against critical infrastructure, and leaked data disseminated from successful cyber operations. 

Conclusions 

DARKINT is the byproduct of combining human-powered analysis of validated data derived from darknet sources with informed perceptions and personal experiences. 

By actively monitoring for raw data points such as sensitive PII, compiled information advertised and discussed on forums and marketplace, along with darknet-adjacent chatter and associated OSINT signals, one can create concrete DARKINT, and quickly deploy remediation or defense mechanisms accordingly. 

DARKINT is most effective when applied to drive complex decisions like quantifying supply chain and vendor risk, underwriting cyber insurance policies, fraud mitigation and digital identity protection efforts, or creating qualified, actionable threat intelligence products in matters of national security, critical infrastructure protection or law enforcement investigations. 

DarkOwl’s Vision-derived DARKINT helps international governments, local law enforcement, individuals, and companies create a more comprehensive security posture.


Blackpanda x DarkOwl: Leveraging Dark Web Expertise to Respond to Cyber Incidents

April 20, 2022

Learn how DarkOwl’s darknet intelligence platform plays a critical role in how Blackpanda supports customers bounce back from an attack, providing robust darknet data to fully understand customers’ risk profile and asses threats. Plus, dive into a case study and see the platform in action.

For those that would rather read the conversation between CEO of DarkOwl, Mark Turnage, and Director of Strategic Development at Blackpanda, Mika D., we have transcribed the presentation below.

NOTE: Some content has been edited for clarity.

Mika (Blackpanda): Thank you, everyone, for coming to this Blackpanda, DarkOwl information session. Very excited to be partnered with DarkOwl, Blackpanda being an incident response firm. We’re going to get into more of that. Today we really wanted to present the value to end users, customers, large companies, and organizations of this partnership that we’ve developed. So with that, we’ll jump into some introductions. Mark is the CEO and founder of DarkOwl with a very, very long list of credentials and much experience, I will hand it over to him to do a bit of introduction.

Mark (DarkOwl): Great, thank you for having us, Mika, and delighted to be here. My background is as an entrepreneur in the security space. All the companies that I’ve run have been security related companies, most recently DarkOwl, which we founded five years ago. My co-founder and I are very pleased to be here and looking forward to this conversation.

Mika: Great, thank you, Mark. I’m representing Blackpanda, Director of Strategic Development. I was also the founding incident response member of the Blackpanda Group that’s based out of Singapore and Hong Kong. We address special risks from incident response malware, business email compromise, different kinds of cyber attacks all the way down the cycle to cyber insurance. So, risk transfer and mitigation ahead of time to try to prepare the environment in the event that something happens. My background is primarily in national security and a full range of cybersecurity services, products, and a little bit of time in the intelligence community. So excited to jump into this webinar and give you a better idea of how our incident response services and deep web threat intel work together a bit on the cyber incident response side of the house. We hyper focus on digital forensics, the investigation, and cyber crimes, and we are stationed in different cities across Southeast Asia so that we have a local presence in all of these markets if and when an incident occurs.

A bit about the incident response lifecycle because it’s confusing what happens exactly when an organization is hacked and how does that move forward? How do we work with our partners, especially when something happens?

Essentially, incident response starts with a call, an alert or an automated indicator that comes from one of our intelligence platforms, be it DarkOwl or an endpoint detection and response tool or our own proprietary software. Once we receive that alert or notification, we will then determine the validity and extent of the attack. So it’s kind of like scoping out what happened and what resources do we need to deploy in order to address it? We prepare the team and we proceed to a triage process where we’re gathering evidence. We’re looking for indicators of compromise, we’re collecting a plan of action, and we work with the client in order to basically stop the infection from spreading any further. Then we move into the containment phase. Within the first 48 hours, we’ve figured out roughly what’s going on, who is the threat actor, and question what assets could be at risk and what data is at risk.

The customer always wants to know, has data been leaked? What kinds of emails or passwords or proprietary files might be out and be in the dark web? And at that point, we will then turn to some of our partners, such as DarkOwl, in order to enhance that information. So, as we’re containing the malware, we’re also providing the suite of the environment to look for extended attacks. This could be second stage payloads, which would be if the attacker first gets in and spreads more malware, or they’re looking to steal credentials or steal certain files. So, we’re really examining both inside the organization as well as from outside what might have left the organization.

And then, finally, once everything’s been contained, we feel comfortable that the organization can get back online, we prepare a report and present lessons learned. We also try to assemble any and all information that could have been leaked because that’s where regulation and compliance comes into play. So that’s essentially the incident response lifecycle and is one of Blackpanda’s areas of expertise.

Now onto DarkOwl.

Mark: Thank you, Mika. And as Mika mentioned, we are involved in both the frontend and the backend of the incident response cycle with Blackpanda. Just a bit about DarkOwl and what we do. DarkOwl has built a platform that actively and continuously monitors the darknets, many darknets, and makes that data searchable by our clients. Among the darknets that we monitor are Tor, I2P, Zeronet, and a range of other darknets. And I should say that we call it the darknet because in most of these forums and most of these darknets, user identity is obfuscated and traffic is encrypted. So, it’s a very difficult environment to monitor, and we have built a platform that does that across 25 to 30,000 darknet sites a day and archives that data so that not only will you look and see what was happening today and on a continuous go-forward basis, but you also have an archive to see what has happened in the past. You’ll see some of the numbers of records that we have available in our database today.

Records available in DarkOwl database as of April, 2022


Just to talk a little bit about what is in the darknet, why is it important for both an incident response team and then more broadly. Among the types of data that are found in the darknet are very large quantities of personally identifiable information, credentials, compromised accounts, malware, ransomware. There’s a lot of chatter among a variety of different forums between threat actors. There are lots of vendor and supply risk indicators as well. Most recently, in the context of the Ukraine Russia war, we are finding significant indicators of risk among vendors, supply chain vendors and supply chains that have presence in Ukraine, Belarus, and Russia. A lot of that chatter, a lot of those indicators show up in the darknet and in our platform. Our platform is very intuitive to use. We can deliver data a number of ways; what you’re looking at here is our Vision platform search UI.

Screenshot of DarkOwl Vision UI platform


And actually, later in this webinar, I’ll do a quick tour. But you can see from looking at the top of this, it’s a very simple search bar. We can look for whatever you’re looking for in the darknet, at any given time. You can see there’s a search loaded on this slide for Conti, one of the threat actors out of Russia, and there are 52,000 results. We see 52,000 pages in the darknet at the time this search was run talking about Conti or mentioning Conti, or where Conti is participating in it in a forum. So, it’s a comprehensive platform to monitor the darknet and in the context of an incident response team, it can both alert you to a breach or to an incident and then it can provide you with the intelligence, as Mika said, to assess that breach and then really remediate it.

Mika: And I was just going to jump in exactly on that point. We’ve dealt with several Conti breaches, and once we see indicators that that might be the malware in use, the threat actor in use, not only are we on the hard drive examining the forensic artifacts of the system to pull out what time they got in, what they’ve taken and basically any signs of lateral movement or their actions on objectives, we’re also coming over here and plugging in the exact threat actors’ names. They have handles, they have email addresses, they have IP addresses, so whatever we find in the environment, this search platform is kind of where we go to see what’s happening on the outside as opposed to just on the inside of the organization across the systems.

Mark: And connecting those dots is critical. If you don’t connect those dots, you’re only looking at one particular piece of relevant information. And we are delighted to be able to offer that level of intelligence to teams like your own.

Mika: Absolutely, and sometimes the crawl date will show a date that much precedes the actual incident. So, the event might have happened even before, and that also helps our forensics because it gives us pivot points in time so we might go back further to the first sign of chatter on a certain target.

Well, I guess this comes back around to how we work together. The reconnaissance phase is what we just mentioned, where a threat actor is mentioning a potential target, the threat actor has scoped out where they’re looking to go and what they’re looking to do, actions on objectives. During that reconnaissance phase, we might see chatter in the dark web. The cyber kill chain is a Lockheed Martin concept that helps explain the chronology of an attack. So, they’re scoping out the target, they’re preparing an exploit that could be used against a vulnerability at the organization, and then delivery exploitation installation is typically where the customer would pick up on the fact that something is happening. Command and Control is quite noisy and usually limited to just forensics and network analysis. But that’s where they are continuing to operate within the environment, using remote access to the organization. And, like we said, actions on objectives. This is where data is leaked or sold on the dark web. This is where they’re actually putting ransomware across systems and trying to extort the organization. All of this can either be incident response based, so in the event of an attack or a proactive service called compromise assessments, which is where we would continuously perform these darknet searches with DarkOwl and we would have software on the endpoints that allow us to perform advanced threat hunting. So, anything we’re seeing, like Mark said, there’s chatter and there’s also indicators across the internet of potential events that could be happening. We can sweep the environment and look for signs of that before something actually happens. So even though antivirus and anti-malware were just some percent of the time, there are advanced threats that don’t yet have signatures that nobody’s tracking yet across the board and these allow us this advanced threat hunting skills and darknet searches allow us to find signs of that much earlier.

We can jump into a case study a little bit before Mark demos. But essentially, Blackpanda had a great success tracing down data leaks following a case in Southeast Asia. We were tasked to discover, analyze, and report stolen or misappropriated data related to client domains or keywords. This essentially means they thought they might have been breached. They hadn’t yet signed on for a compromise assessment, which is basically like a sanity check. Is there something going on? My antivirus didn’t check, and they came to us with the suspicion that something had happened. Over the course of this project, partnering with DarkOwl, and performing very targeted searches for their keywords, we then pivoted to compare how this attack was similar to other threat actor groups found and different sites in the deep web that held their records. After about two months, we had 13,500,000 records related to this one company. That allowed them to report and take precautions, and follow-on measures to contain the attack and also try to remediate the damage of that data leak. It was very important for them to know the extent and just how much data was actually released. And then we walked them through how to actually patch and repair the systems that led to that attack. So, what happens? How do we find 13,000,000 some records, Mark?

Mark: Well, that’s a very good question, and we’ll show you a couple of searches to show you how we do that. It is not unusual for sizable companies to have that level of exposure in the darknet. They are usually the result of multiple leaks, multiple breaches that have occurred over the years. The risk, by the way, to this company and to other companies is that a substantial portion or even a small portion of those records are still alive. So many people will remember the Colonial Pipeline breach that occurred last summer here in the United States, shut down the gasoline supply to a large portion of the east coast for about a week. It has been publicly reported that the way the hackers got into the Colonial Pipeline network was, in fact, via a credential that had been formerly used by an intern that was available widely in the darknet. In other words, there was no phishing that occurred. They just went into the darknet, pulled down a credential, discovered that it was live and walked right into the network, into the Colonial Pipeline network. That is one of the risks that occurs. That’s exactly where Blackpanda can add significant value to any client.

Mika: Excellent. So we’ve already been through this kind of wave as to how we could either proactively identify those leaked credentials after a compromise assessment and prevent a lot of these from happening. There’s also the incident response where we get indicators and intelligence that we need to enrich and also check externally whether there’s any additional signs. So these are just more kind of snapshots of how this could work proactively. But, you know, in our reporting, we’re very thorough, this is sort of inside the organization. We’ve deployed a certain endpoint detection and response tool where we’re looking for signs of malware, signs of threats. These are all technical threats that would only be available given a view into the organization. These are all the kinds of strains of malware and hash values that might be in a report. And again, signs of these things can also be thrown into DarkOwl, or a platform that helps us enrich that intelligence. So what else do we know about a file with this hash value? The hash is the unique signature of a single piece of digital information. Whether it’s a single document or a giant binary file, everything can be hashed to a unique value. So these are great ways to leverage DarkOwl as well. Has anyone else been talking about or posting about malware by this name or with this hash value? Are these websites places that this backdoor Trojan might be still sitting? Has anyone else talked about these particular indicators of compromise, IOCs, across the deep web? So these are just a few of the ways that we would really get into DarkOwl and use it not only during an investigation, but proactively as well.

Mark: One of the strengths of the DarkOwl platform is that any of these terms can be inserted in and searched for on the platform. It’s a search tool. It has a fundamental search capability. And as Mika said, we can then identify the threat actors who are discussing it, whether there are future targets, whether there were discussions in the past about targeting this particular client’s environment. It’s a wealth of information that opens up once you have the ability to search across the entire dark web for any of these terms or any of these hash values.

Mika: Absolutely, and that’s exactly how we enrich our intelligence and report on what really happened and what could be happening even outside the organization. With that again, DarkOwl traces and brings into their intelligence ecosystem a number of different breaches. So although this was particular to a certain client, you know, these breaches hold passwords of thousands and millions of users. They could be huge. They could be massive databases that are even sometimes an amalgamation of different breaches over time. So DarkOwl keeps us current on what else is happening. And with that, again, we’ve kind of been over the flow in a sense, but we extract indicators of compromise from the evidence we received by going through the forensic intake and triage process. Then we enrich across dark web intelligence sources and perform forensic analysis on the actual system itself. So getting timestamps, trying to bring it back to the root cause. So when did this happen? Why did this happen? And then our reporting can be very robust as a result of us having this level of intelligence. So I guess it’s time to see it in action.

Mark: Well, thank you. If you could let me share my screen, I will switch over. What you see in front of you is the landing page for DarkOwl Vision, our user interface. It’s quite intuitive. There’s a search bar and you can search for any term. As mentioned, they can be hash terms, they can be nicknames, they can be user handles, they can be combinations of all of the above. I’m going to do a quick search and I’m going to pick on AT&T for no good reason. I apologize if anyone from AT&T is going to see this. I’m going to do a search for att.com, and I am going to search for any mentions of att.com in the darknet, meaning any page that has a credential or mention of the att.com domain on it. And as you can see, there are almost half a million pages in our database in the darknet mentioning att.com. The results are presented here. If you scroll down, you’ll notice that M.J. Matthews of att.com has, as mentioned, a range of email addresses that are mentioned here, and the results can be sorted and presented in a number of different ways. If I sort these results, these half million results, by crawl date, for example, and there are a lot of results, so this will take a second, you’ll see that the most recent of these results was extracted from the darknet about an hour and a half ago. So this is a very recent result, and I can then sort them by relevance and hackishness. Hackishness is a term we use to determine how dangerous those results are. So, for example, I won’t click on it, but down here, my guess is this is 100 percent hackishness because there’s a password associated with that particular domain. So it’s very intuitive, it’s very easy to use. As Mika mentioned, a team that is looking for a specific term or an actor in the darknet can very easily and very intuitively jump onto this platform and see what’s happening and then say, what were they doing most recently? And you can sort by crawl date.
I want to show one other feature that is relevant to what Mika has been talking about, which is our darknet exposure scores. I can create a score for any domain, any domain in the world, and I’ve just randomly selected. You can see there’s even a dark score here if I click on this AT&T score. This is a score of how exposed AT&T, since I just did the search, is in the darknet and you’ll see the score changes and you’ll see as I move my cursor, the score changes in proportion to how much data is available in the darknet at any given point in time around AT&T. And I’ll take the example of BlackBerry here. BlackBerry on the 14th of May of last year had a score just above 10, and overnight their score jumped to just under 14. That’s a massive jump in our scoring metric and in our scoring algorithm. And the reason is somebody released a bunch of data around BlackBerry. In fact, a terrific amount of data around BlackBerry. If you’re a user of the platform or a partner like Blackpanda, this is an indicator that something’s gone wrong. There has been a major compromise. We need to investigate this very quickly. So this provides a very quick back of the envelope way to monitor clients, to monitor your own environment, to see what’s going on and to compare how you are doing relative to, say, your competitors or other people who are in your sector. The platform comes with a range of other ways that you could pass data, search data, and make use of data, including an alerting platform, so that if, for example, AT&T is a client or you are AT&T and you’re monitoring your own environment, you can be alerted by email to any critical elements that show up in the darknet at any given time. So that’s a very quick demo, Mika, and thank you for allowing me to do that. But you can see it’s a very intuitive platform. It has direct usage in the incident response phase, and we’re delighted, as I said earlier, to partner with Blackpanda.

Mika: I think that’s our last topic, just on that again, it’s been very powerful for us to be able to show again every organization that’s been hacked. It’s the worst day. It’s a terrible event. But in the event that we get those early indicators and we’re able to stop something before something even worse happens, you know, at the sign of chatter or proactively by finding initial indicators of an intrusion and correlating that with deep web intelligence and then stopping this thing before it happens. It’s just a very powerful solution. So we’ve been thrilled to partner with DarkOwl. And if there are any questions after the webinar, by all means, we’ll provide contact details in posting this recording.

Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case. You can also reach out to Blackpanda here.

Darknet Criminals Capitalize on Tax Fraud in U.S.

DarkOwl has evidence that criminals from the darknet are actively exploiting the American Treasury Department and its Internal Revenue Service (IRS). Many actors are advertising offers for ‘refund methods’ for sale in fraud communities across the darknet and adjacent chat platforms such as Telegram. Fraudsters have also detailed how to directly utilize tax preparation software such as TurboTax to steal refunds for quick, but fraudulent, financial gain.

Other underground fraud methods, such as ‘glass checks,’ are increasingly popular. DarkOwl has observed that several victims’ tax payment checks to the IRS and/or state revenue departments have been stolen and sold on the darknet for financial exploitation.

One of the primary financial economies of the darknet is fraud, and tax fraud is a booming sub-economy that is constantly evolving. Our analysts have provided the below as the result of our latest observations in regards to tax fraud on the darknet.

Fraud on the Darknet

The brokerage of corporate and private information is one aspect of fraud we see realized in leak after leak of corporations’ and consumers’ private information. However, the fraud industry is much larger than data alone. This ever-growing segment of the darknet encapsulates not only the carding industry and associated banking malware and exploit development, but also what we casually refer to as the ‘get-rich-quick’ schemes that prey on loopholes in payment interfaces and programs.

During the pandemic, we observed an influx of new ‘get-rich-quick’ fraudsters entering the darknet, capitalizing on vulnerabilities in the US government subsidized funding programs for those financially impacted by COVID-19. We also witnessed programs such as the Small Business Administration (SBA)’s Paycheck Protection Program (PPP) and state-level Pandemic Unemployment Assistance (PUA) regularly mentioned across Telegram with regular ‘sauce’ offers and updates available. We detailed how some of these programs were exploited in our in-depth report last year.

According to public media sources and recent academic reporting, it is estimated that the US paid out at least 10-15% of the $800 billion USD PPP in fraudulent payments. PUA fraud estimates are closer to $400 billion USD.

Many of the same fraudsters who buy, trade, and sell methods for pandemic-related financial fraud schemes, also advocate, and disseminate tax refund fraud methods in the underground.

Current Tax Fraud Mentions

Most of the IRS fraud methods on Telegram include offers for “fullz” for the IRS tax refund walk-through method. “Fullz” is darknet community slang for ‘full information’ and usually includes an individual’s full name, social security number (SSN), date of birth, physical address, credit card number, and other key identification information needed to conduct identity theft.

According to DarkOwl Vision, the price of ‘fullz’ has decreased in recent years with US citizen ‘fullz’ readily available for less than $20 USD. More expensive ‘fullz’ will also include a copy of the victim’s driver’s license or falsified bank statements for additional identity verification.

In addition to individual ‘fullz’, some underground data brokers sell ‘access’ to drives and databases with significant volumes of PII. A couple of years ago, a RaidForums member using the moniker “fairbanksfires” advertised an offer to purchase access to stolen devices associated with an online tax filing company in the United States.

This cybercriminal could provide its buyer access to millions of US social security numbers, email addresses, passwords, and bank routing and account numbers for extensive tax fraud for years to come.

Screenshot of an advertisement from “fairbanksfires” offering access to stolen devices associated with an online tax filing company, an example of tax fraud.
Source: DarkOwl Vision DocID: 54252bc0220f0304b85021690f7e3cc50ebf1665

IRS Method using Fullz’ Identity

The most common ‘irs method’ and tax refund fraud method costs no more than $150 USD. Other personalized offers for IRS tax fraud include not only the ‘fullz’, but supporting falsified self-employed business licenses and 1099 and W2 forms generated by the fraudster to supplement the IRS tax forms and increase the potential for higher refund amounts. Most methods, upon purchase, detail how to perform an OSINT background search on the ‘fullz’ information provided to locate the current or previous employer of the fullz.

The web service FreeERISA is often mentioned; it provides registered users free access to all Form 5500s filed with the Department of Labor for almost all companies across the United States, including tax identification numbers. Methods further detail how to estimate tax credits and beneficiary information to submit in the return to maximize the refund amount.

One user shared a video on a Telegram channel using this method that demonstrated a fraudulently filed Federal tax return with a refund amount of more than $20,000 USD, while the California State return was close to $3,500 USD.

Screenshot of fraudulently filed Federal and State tax return from Telegram, proof of tax fraud.
Source: Telegram

Another fraudster’s IRS method advises the buyer to use known persons that have little to no credit history but will pass SSN validation checks in tax account software applications. They recommend using their own children’s, elderly parents’, grandparents’ or distant familial associations’ SSNs and identities for higher success of the tax fraud method.

IRS Method using Buyer’s Identity

This method is directly tied to the buyer’s identity and SSN and involves utilizing automated tax software like TurboTax and TaxAct to obtain a refund of upwards of $20,000 USD in combined federal and state funds. The method caveats up-front that it will lead to the IRS eventually catching on and will force the buyer to repay the amount refunded during this tax year. The purpose of this method is to give the buyer financial relief for an estimated two to six years before an audit is highly likely.

Any W2 can be utilized for this method, or one can be obtained from the fraudster directly. The buyer does not actually have to be employed to use this method. The fraudster stated that the buyer may enter any amount in the Wages, Tips, and Compensation field of the W2, but the amount should not exceed $100,000 USD. The exact percentages for federal and state social security wages and tax withheld calculations are provided in the method as guidance for the buyer’s fraudulent W2 entries.

The fraudster suggested adding real life or ‘fullz’ dependents to increase the refund amount.

Screenshot of an example of the IRS Method using Buyer's Identity to commit tax fraud.
Source: Telegram

The fraudster was upfront that this method is only recommended for the worst-case buyer in extreme financial duress, e.g. someone who has no money whatsoever, is homeless, or is unable to make ends meet and needs money quickly.

Competitive Fraudsters

Naturally, fraud vendors are incredibly competitive with each other, speak out against other popular fraud shops, and declare that most methods are scams. DarkOwl noticed one user on Telegram berating the widely discussed ‘irs method’, avowing that their method alone was the ‘real method’ and that payments are readily available in 48 hours.

“you’d never get paid with the irs method”
Screenshot of a Telegram user berating the 'irs method' stating that their own method is the only 'real method' for committing tax fraud.
Source: DarkOwl Vision DocID: 412ad26824e9b69bd0981efb3563735b300a8431

‘Glass Fraud’ Catches IRS Payments Mailed via USPS

A new fraud method involves the physical theft of mailed paper checks inside the US Postal Service (USPS). According to fraudsters, the method is commonly called ‘glass’ because “the checks always clear.” It often requires an insider threat, e.g. cooperative postal workers who provide copies of the universal mailbox access keys or steal the mail directly and turn it over to the fraudsters for resale.

The fraudster sells the check to the buyer for some base price or percentage of the value of the check, usually via Bitcoin or a similar cryptocurrency. The stolen checks are then digitally altered and deposited into mule-controlled bank drops that pay out the specified amount of the check to the buyer via their preferred method, such as cash, Western Union, or CashApp. The buyer assumes the risk that the check will not go through, but because the victim is completely unaware their check has been stolen, it is most likely not yet cancelled. Only when the payment is never received at the payee’s address does the victim realize they are a victim of fraud.

Although this method does not directly target the IRS and tax refunds specifically, many of the stolen checks include tax payments submitted as physical checks through the US mail.

The screenshots of the ‘glass check’ examples below are two of dozens we found on a popular fraud Telegram channel. Many paper checks included payments to the IRS or the state revenue departments for thousands of dollars in value.

The sale value of the check is directly proportional to the value of the check itself, with a $2,000+ tax payment check selling for more than twice as much as the $843 USD one. Some of the checks also included the signer’s social security number in the memo line, which could be used for additional identity theft and fraud. We’ve intentionally obfuscated any identifying information for the checks we included here, but the dates and check payment amounts are clearly visible.

Screenshots of sample ‘glass checks’ for sale, another example of tax fraud.
Source: Telegram


Hydra Server Seizure May Not Be the End of the Darknet Beast

Last week, the German BKA announced they had successfully shut down one of the largest Russian markets on the darknet: Hydra.

Hydra server seizure banner declaring that the platform and content have been seized by the BKA.
“The platform and the criminal content have been seized by the Federal Criminal Police Office (BKA) on behalf of the Attorney General’s Office in Frankfurt am Main in the course of an international coordinated law enforcement operation.”

Launched in 2015, Hydra has been a mythical and staying force of the darknet for nearly a decade.

Hydra market boasted over 17 million customers and over 19,000 seller accounts at the time of shutdown. It grew significantly after many of the buyers and vendors from its competitor, the Russian Anonymous Market Place (RAMP), turned to Hydra after RAMP was seized by Russian authorities in September 2017.

Hydra was known for underground illicit goods trading, expanding its operations from drugs and narcotics into digital services, counterfeiting and forged goods, as well as stolen data in recent years. The market also provided a robust mixing service known as the “Bitcoin Bank Mixer” for laundering cryptocurrencies.

On April 5th, the US Justice Department published an indictment against 30-year-old Russian national Dmitry Olegovich Pavlov, the owner of the Russian web hosting company Promservice, Ltd., and domain administrator for wayaway[.]biz. The US is charging Pavlov as a co-conspirator with “other operators of Hydra” for facilitating years of illegal trade across the darknet marketplace. According to the investigators, “Pavlov allowed Hydra to reap commissions worth millions of dollars generated from the illicit sales conducted through the site.”

There is also a darknet forum with the same name, Wayaway, that has been a long-time partner of Hydra.

According to users on Telegram, Pavlov has previously stated that his company has all the licenses and approval of Roskomnadzor (Russia’s Federal Service for Supervision of Communications, Information Technology and Mass Media, i.e. its propaganda agency), and that it does not actually administer any sites, but simply leases servers as an intermediary.

“We do not know what is hosted here, because after granting access to the server, clients change their password, and access is impossible.”

On the same day, the US Treasury Department imposed sanctions not only against the Hydra darknet marketplace, but also against the Garantex cryptocurrency exchange. The exchange, established in 2019, is reportedly compliant with AML and KYC laws and fully regulated in Estonia and across Europe. The Treasury Department also published a list of over 100 cryptocurrency addresses affiliated with operators of Hydra and Garantex.

Future of Hydra and Russian Darknet Markets

Despite Hydra being such a popular Tor service, especially for the eastern European narcotics trade, numerous deep web services and vendor shops that similarly support underground illegal economies have emerged in recent years. The Hydra shutdown will have little impact on buyers seeking access to the goods and services they require. We believe many users will simply shift to other services of this nature across the darknet and deep web.

This weekend a representative from Hydra’s staff shared that there had been no arrests associated with the servers’ seizure and encouraged users not to panic. Their statement read like a typical commercial breach announcement to its users. Translated key points include:

The entire infrastructure of the hydra was removed and now we are restoring all the functions of the site from backup servers.
You should not panic and switch to militant resources with a platform, too, we will scold and punish for this.
Passwords are recommended to be changed after the restoration of all functionality.
… (arrests) are not expected if you kept your anonymity.

One thing that is constant in the darknet is change. DarkOwl analysts also noticed the shutdown of another massively popular decentralized marketplace in recent weeks: World Market. Unlike Hydra, World Market is believed to have exit scammed, with reports that the admin, Lovelace, likely stole over 4 million USD of the market’s escrow funds.


Legends Never Die: RaidForums Legacy Continues Despite Seizure

About RaidForums

In March 2015, a discussion forum known as RaidForums emerged on the deep web. The forum quickly gained popularity, amassing hundreds of thousands of users, and became a reliable resource for breached and leaked databases in addition to combolists, cracked software, and adult content. The forum’s popularity crossed various underground communities, with young script kiddies, prominent darknet threat actors, and seasoned data brokers all active and aiding in the forum’s success.

The forum is recognizable by the lavender-haired female used as the default avatar for members and the anime persona featured on the banner of the forum.

RaidForums Landing Page – Before RaidForums Shutdown

The forum also features a real-time ‘shoutbox’, private direct messages between users, and a credit system for accessing cloud-based hosting URLs of high-value data leaks.

RaidForums’ administrator, using the moniker “Omnipotent,” has been a key figure in the forum since its inception. While Omnipotent states the United Kingdom as their location on their GitHub profile, their exact location is unknown. There is a possible open-source connection between Omnipotent and the real identity “K Gopal Krishna,” but nothing concrete to solidify an association.

Unusual Activity Begins on RaidForums

In late January and early February of this year, the forum mysteriously began experiencing connection issues, and some users received an SQL internal error from the MyBB forum platform and couldn’t log in. This all coincidentally occurred when Omnipotent was allegedly away on vacation (January 31st through February 7th).

MyBB SQL Error Page for RaidForums from Early February 2022

On the forum’s Telegram chat, one user suggested Omnipotent “was on life support after fighting a mountain lion.” The comment sparked tremendous speculation and suspicion about the security of the forum and the whereabouts of its leadership.

Telegram chat: "We don't have any information on when the site will be up, please don't ask. Pray Omnipotent as he currently on life support after fighting a mountain lion."
Source: RaidForums Telegram

According to DarkOwl Vision, less than three days later, the domain was back online and operational on February 11th, 2022.

Observation from our Analysts: Outages like those experienced in early February were unusual, but not concerning. The website had experienced domain issues in the fall of 2021, when the Brazilian government attempted to have NameSilo, the domain’s registrar, shut down the forum. This forced Omnipotent to set up mirror domains, like rfmirror[.]com, while they migrated their services back to Cloudflare.

Key Data Leaks During RaidForums’ Short Uptime

During the weeks leading up to the invasion in Ukraine, various threat actors shared sensitive information pertaining to the Ukrainian cyberattacks from January and February. DarkOwl published an extensive analysis of Ukrainian data leaked leading up to the invasion. Several RaidForums users, like Carzita, also claimed to be actively targeting Ukrainian government websites, prompting alerts from the Ukrainian government. (Source: DarkOwl Vision)

Some threat actors, like the alias NetSec, claimed to be targeting the US government and military networks using Anonymous-style hashtags such as #RaidAgainstTheUS. In the days leading up to the invasion of Ukraine, NetSec shared email addresses and hashed passwords for the U.S. Strategic Command (stratcom[.]mil), U.S. Special Operations Command (soc[.]mil), the Defense Technical Information Center for the US Government (dtic[.]mil) and Lockheed Martin defense contractor employees.

On February 22nd, 2022, NetSec claimed to be working with “some Russian folks” to develop a zero-day for enterprise platforms used by the US Government by targeting an individual who worked directly for the enterprise platform. The threat actor refers to eis.army.mil – which resolves to the Program Executive Office (PEO) Enterprise Information Systems (EIS) for the Army.

NetSec is a self-proclaimed cybersecurity hacktivist, reportedly in Switzerland with possible US citizenship, but not directly working with a government or for a company. They refer to being the “devil in the red hat” and feature women in their avatars on social media and forums, often in swimsuits or a big red hat.

Post from NetSec referring to being the "devil in the red hat"
Source: DarkOwl Vision

On the evening of the invasion, RaidForums leadership projected a zero-tolerance approach to Russian actors on the forum. Moot, another staff administrator of RaidForums, posted in a thread titled “RAIDFORUMS SANCTIONS ON RUSSIA,” stating that anyone connecting to the forum from a Russian IP address would be banned.

RaidForums post titled "RaidForums Sanctions on Russia"
Source: RaidForums

Seizure Unofficially Announced

On the 25th of February, users were no longer able to successfully log into the RaidForums domain. On the same day, a prominent moderator from the forum, Jaw, posted to the forum’s Telegram that the raidforums.com domain had been seized and that the current website domain was run by law enforcement as a honeypot and phishing operation.

Another RaidForums moderator, moot, locked the chat, and Jaw suggested rf[.]to would be the new domain for future RaidForums operations. It’s unclear how Jaw confirmed the seizure of the RaidForums domain. Some speculate Omnipotent was allowed to call from inside police custody and notified Jaw directly. The rf[.]to domain is unresolvable and, according to WHOIS records, was set up around the same time as rfmirror[.]com.

Chat where RaidForums moderator, moot, locked the chat and Jaw suggested rf[.]to would be the new domain for future RaidForums operations.
Source: Telegram

Databreaches.net was unable to get confirmation from British or US law enforcement on whether the RaidForums domain was seized. The FBI’s outright “decline to comment” indirectly confirmed the community’s suspicions.

To this day, the raidforums[.]com domain continues to load, but the forum is inactive. The domain’s registration information changed on February 25th, 2022. Some threat actors state the new name servers for RaidForums are the same servers the FBI has previously used with WeLeakInfo and are associated with an FBI-hosted Cloudflare account.

Cyber Dork post stating that the new name servers for RaidForums are the same servers the FBI has previously used with WeLeakInfo.
Source: breached[.]co

RaidForums Replacements Quickly Emerge

Raid Forums 2

Right after the forum’s outage in early February, the deep web domain raidforums2[.]com was registered and protected by Cloudflare. RaidForums 2 (RF2) is reportedly administered by the moniker “burkeluke” and claims no association with the original RaidForums domain. The administrator stated RF2 would be focused on computer science, with coding sections and workshops.

Post by “burkeluke,” claiming no association with the original RaidForums domain.
Source: RaidForums2

RF2 has been slow to gain adoption, but its members are well known, including AgainstTheWest (a.k.a. Blue Hornet), who quickly used RF2 to share leaks it obtained through campaigns against critical Russian and Chinese targets in recent weeks. The forum also has a section dedicated to the Samsung and Nvidia source code leaks released by LAPSUS$.

Raidforums’ staff aliases like Omnipotent and Jaw appeared, but their authenticity is in question. More than likely, these are classic cases of alias hijacking.

As of the time of writing there are 1,025 registered members, 369 posts and 211 threads.

Breached Forums

When Jaw announced the raidforums[.]com domain had been seized and was now a honeypot, a legacy user of the community, pompompurin, reportedly launched a DDoS attack against the domain to prevent users from exposing themselves and to limit the FBI’s success in obtaining the credentials they sought by keeping the domain alive. The RaidForums user pompompurin is known for prominent commercial data leaks such as CVS and Park Mobile and is represented by an adorable avatar – the beret-wearing golden retriever character from the Japanese Sanrio Hello Kitty franchise. According to their surface web blog, pompur[.]in, pompompurin resides in Canada.

During the first week in March, pompompurin set up BreachedForums (BF) on the domain breached[.]co and opened the site on March 16th for registration and forum discussion. The forum is set up identically to RaidForums, complete with the same color scheme, shoutbox, and default avatars. pompompurin claimed no direct affiliation with RaidForums, yet stated that if RaidForums ever returned in an official capacity, he would shut down BF and redirect the domain to the main RaidForums site.

Post by pompompurin claiming no direct affiliation with RaidForums and stating that if RaidForums ever returned in an official capacity, he would shut down BF and redirect the domain to the main RaidForums site.
Source: BreachedForums

The popularity and wide acceptance of BreachedForums is evident in the sheer volume of posts and memberships already active on the forum. In less than three weeks of activity, the BF domain has registered 3,293 members, with 13,707 posts across 1,939 threads.

The Databases section of the forum includes over 80 unique ‘official’ datasets maintained by the forum’s staff, totaling over 1 billion records. DarkOwl estimates over 700 unofficial commercial and government data archives have been distributed by members in the leaks and databases sections of the forum.

Many of the posts are related to the conflict in Ukraine with shares of sensitive data exfiltrated in conjunction with Anonymous’s #opRussia cyber campaign.

The BF domain is already being targeted by malicious actors and/or law enforcement. Earlier this week, the forum was briefly offline after the domain was reported to its hosting provider for containing illicit content and CSAM. As a result, pompompurin set up a new onion service on Tor as well as five alternate mirrors in the deep web.

The breached[.]co domain was unreliable and timed out numerous times while writing this report.



Version Control Systems and Software Supply Chain Risk

A review of the ongoing darknet risks associated with the compromise of Version Control Systems (VCS) and other software supply chain systems. Our full report can be found here.

Research from DarkOwl analysts continues to indicate that software programming and engineering tools are a viable exploitation vector.

Last week, the maintainer of an NPM package – NPM being a widely used package manager for the JavaScript programming language – showcased how potentially powerful supply chain attacks on software development and components can be. This individual, an open-source software developer known as RIAEvangelist, intentionally embedded malware in the latest stable release of a popular repository called node-ipc in protest against Putin’s atrocities against Ukraine. The malware is officially labeled ‘peacenotwar’, deploys a readme file titled WITH-LOVE-FROM-AMERICA.txt, and is notably triggered only on devices whose IP addresses geolocate to Belarus or Russia.

Developers and security researchers around the world have been equally appalled and conflicted by the intentional sabotage of an open-source software package. Many are particularly concerned about the reputational damage these incidences cause to the open-source software development movement.

Despite general widespread sentiment against Putin’s invasion of Ukraine, the open source software development community has marked RIAEvangelist’s NPM package as malicious, because this individual chose to deploy malware in the digital supply chain ecosystem.

“This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite.” 

– peacenotwar source code description

Exploitation of software build processes and code repositories facilitates wider, more catastrophic distribution of malware and enterprise-level software compromise. By poisoning software development, update processes, and linked dependencies, a threat actor’s malicious code can potentially be distributed to thousands of users without the need for social engineering, e-mail compromise, or drive-by-download malware delivery mechanisms.
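The node-ipc incident shows why the quoted “controlling your node modules” matters: a floating semver range lets a new release of a dependency arrive with the next install, and a lockfile entry without an integrity hash gives no way to notice that the fetched tarball changed. The following added example (not DarkOwl’s, node-ipc’s, or npm’s own code) audits a constructed package.json and package-lock.json for exactly those two weaknesses; the package names and versions in the sample data are constructed and do not reflect node-ipc’s real release history.

```javascript
// Added example: flag dependencies that a fresh "npm install" could silently
// upgrade (floating ranges) and lockfile entries that lack an integrity hash,
// the two gaps that let a poisoned release such as peacenotwar slip in unnoticed.

// Matches caret/tilde ranges, wildcards, open-ended and hyphen/OR ranges.
const floatingRange = /^[\^~]|[*xX]|>=|\|\||\s-\s/;

// Constructed sample manifest (versions are illustrative, not real releases).
const packageJson = {
  dependencies: { 'node-ipc': '^9.0.0', express: '4.17.1', lodash: '~4.17.0' },
};

// Constructed sample lockfile in the package-lock.json v2/v3 "packages" shape.
const packageLock = {
  packages: {
    'node_modules/node-ipc': { version: '9.0.0', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/express': { version: '4.17.1' },            // no integrity field
    'node_modules/lodash': { version: '4.17.21', integrity: 'sha512-CONSTRUCTED' },
  },
};

// Returns one finding per weakness so the result can drive a CI gate.
function auditDependencies(manifest, lock) {
  const findings = [];
  for (const [name, range] of Object.entries(manifest.dependencies || {})) {
    if (floatingRange.test(range)) {
      findings.push({ name, issue: 'floating-range', detail: range });
    }
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, issue: 'missing-from-lock', detail: range });
    } else if (!entry.integrity) {
      findings.push({ name, issue: 'no-integrity', detail: entry.version });
    }
  }
  return findings;
}

// Stand-alone run: prints the three findings for the constructed sample.
for (const f of auditDependencies(packageJson, packageLock)) {
  console.log(`${f.name}: ${f.issue} (${f.detail})`);
}
```

Real lockfiles are read from disk with `JSON.parse(fs.readFileSync(...))`; the checks are the same, and `npm ci` with a fully pinned, integrity-bearing lockfile is the enforcement step these findings point to.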

In recent months, DarkOwl has observed a significant increase in instances of malware developers mentioning or discussing direct attacks on the international software supply chain. In many cases, this chatter centered around plans that involved targeting popular open-source software developer repositories like GitHub and Bitbucket, as well as associated software support infrastructure.

Exploiting Version Control Systems (VCS) and poisoning supply chains is not a new threat vector. In 2021, the Kaseya ransomware attack – via a simple malicious software update pushed to thousands of users by notorious ransomware gang, REvil – highlighted the extensive threat to software supply chains and cloud-based commercial software repositories. (Source)

The December 2020 SolarWinds attack similarly inspired international concern for the integrity of commercial enterprise software and underscored the need for widespread implementation of zero trust architectures. (Source)

Another example of a threat actor group exploiting digital supply chain vulnerabilities is the hacking group LAPSUS$. The increasingly active group most recently announced that it had acquired privileged access to identity and authentication provider Okta’s networks via a support engineer’s thin client. Okta’s compromise exposed significant intelligence findings and highlights the overarching risks at stake for any software development and operational lifecycle. (Source)

Brief summary of how LAPSUS$ leveraged supply chain exploits to compromise global software company Okta:

  • LAPSUS$ most likely gained access to Okta using credentials purchased on the deep web marketplace Genesis Market, proving the underground continues to feed criminal empires.
  • AWS credentials and code repository tokens were likely stored in company Slack messaging systems, which LAPSUS$ then utilized to move laterally through peripherally associated digital infrastructure.
  • LAPSUS$ clearly stated they were not interested in Okta itself, but in the customers Okta supported and had access to.
  • Okta’s implementation of zero trust architectures was called into question given the level of access available to a third-party support engineer account.
  • Okta estimates at least 366 unique clients’ organizational data could have been accessed by the threat group via the initially compromised privileged access.
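The second bullet above is the detection point a defender can act on: credentials pasted into chat are findable before an intruder finds them. The following added example (not Okta’s, Slack’s, or DarkOwl’s code) scans constructed chat-export messages for credential-shaped strings; the message text and key values are constructed, using documentation-style fake keys, and the token formats are the publicly documented prefixes for AWS access key IDs and GitHub personal access tokens.

```javascript
// Added example: find credential-shaped strings in exported chat messages so
// that leaked cloud keys and repository tokens can be rotated proactively.

// Publicly documented token shapes; extend this list for your own providers.
const SECRET_PATTERNS = [
  { kind: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: 'github-pat', re: /\bghp_[A-Za-z0-9]{36}\b/g },
];

// Constructed sample export; the AWS key is the documentation example value
// and the GitHub token is a synthetic 36-character body, neither is real.
const sampleMessages = [
  { user: 'dev1', text: 'deploy creds: AKIAIOSFODNN7EXAMPLE, ping me for the secret' },
  { user: 'dev2', text: 'build is green, merging now' },
  { user: 'dev3', text: 'CI runner repo token ghp_' + 'a'.repeat(36) + ' please keep' },
];

// Returns one hit per match, with the value redacted to a short prefix so the
// report itself does not become a second copy of the secret.
function findSecrets(messages) {
  const hits = [];
  for (const msg of messages) {
    for (const { kind, re } of SECRET_PATTERNS) {
      for (const m of msg.text.matchAll(re)) {
        hits.push({ user: msg.user, kind, redacted: m[0].slice(0, 8) + '...' });
      }
    }
  }
  return hits;
}

// Stand-alone run: prints two hits (dev1's AWS key, dev3's GitHub token).
for (const h of findSecrets(sampleMessages)) {
  console.log(`${h.user}: ${h.kind} ${h.redacted}`);
}
```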

We are witnessing – in real time – the terrifying realization of the dangers to software supply chains via malicious compromise of the tools and infrastructure critical to supporting the software development lifecycle. Any product or service that touches one’s network, e.g. customer relationship management (CRM) software, software version control (VCS) utilities, authenticators, payroll and timekeeping accounting systems, cloud service providers, and internal employee messaging platforms (Slack, Teams, etc.), is a potential target for compromise.

Research from our analysts

Version control systems and software supply chains are a viable and highly consequential attack vector readily exploited by cybercriminal organizations, nation state actors, and hacktivists from the darknet. DarkOwl believes there will be continued and increased attacks against dependency libraries and software package managers, such as NPM and PyPI, with the intention of stealing information and establishing long-term persistence on victim machines. Read the full report here.


Copyright © 2024 DarkOwl, LLC All rights reserved.