DarkOwl, LLC

[DEVELOPING] Impacts of Ukraine Invasion Felt Across the Darknet

Written by DarkOwl Content Team on August 26, 2022. Posted in Blog.

Last updated: April 18 18:30 UTC

The DarkOwl team are actively tracking the fallout from Russia’s invasion of Ukraine. The effects of the kinetic military operation are causing ripples across the global cyber space including critical underground ecosystems across the deep and darknet.

18 April 2022 – 01:12 UTC

DDoSecrets Leaks 222GB of Data from Gazregion Collected by Anonymous Hacktivists

Three different hacktivist groups (Anonymous, nb65, and DepaixPorteur) submitted archives consisting of emails and sensitive corporate files from Gazregion, a Russian supplier specializing in gas pipelines construction with direct support to Gazprom.

There have been numerous claims of attacks against Gazprom since invasion of Ukraine by Anonymous and other cyber offensive groups. nb65 posted to social media they compromised SSK Gazregion on April 3rd with their version of CONTI ransomware.

18 April 2022 – 01:12 UTC

nb65 Claims Attack Against Russian JSC Bank PSCB with CONTI Ransomware

The Hacktivist group, Network Battalion 65 had claimed they successfully attacked JSC Bank PSCB in Russia and successfully encrypted their network with their version of CONTI ransomware.

The group stated they managed to exfiltrated over 1TB of data including financial statements, tokens, tax forms, client information, and sensitive databases before deleting all backups to prevent data and functionality restoration.

The hacktivists further taunted the bank stating how grateful they were the stored so many credentials in Chrome – a browser for which several emergency security patches have been recently released.

We’re very thankful that you store so many credentials in Chrome. Well done. It’s obvious that incident response has started. Good luck getting your data back without us.

15 April 2022 – 21:59 UTC

GhostSec Leaks Data from domain[.]ru Hosting Provider

The Hacktivist group, GhostSec claimed to target Russian internet domain registration provider, domain[.]ru in a cyberattack. The group managed to exfiltrate over 100MB of data including screenshots of sensitive files and excel spreadsheet data.

According to the README file in the data leak, during the breach, GhostSec identified over 4TB of SQL databases, but in all the excitement the team’s presence was caught by the company’s intrusion detection systems and kicked off the network before the SQL data could be harvested.

15 April 2022 – 17:52 UTC

nb65 Confirms Attack on Continent Express; DDoSecrets Leaks 400 GB of Russian Travel Agency’s Data

The attack on a Russian travel agency occurred several days ago and was shortly after confirmed by the organization. DDoSecrets assisted nb65 in leaking over 400GB of sensitive files and databases from the travel agency. The details of the leak have not been confirmed.

15 April 2022 – 14:32 UTC

Anonymous Takes Over Pro-Russian Discord Accounts

Hacktivists from the Anonymous Collective have successfully taken control of several pro-Russian accounts on the chat platform, Discord, and are now using these accounts to circulate pro-Ukrainian messaging. An Anonymous member @v0g3lsec – who has been extremely active in the #opRussia campaign – shared an image of a hacked account where they posted links and information about the information operations group, squad303 to share truths about the invasion via SMS, WhatsApp, and email with random Russian citizens.

14 April 2022 – 20:02 UTC

DDoSecrets Leaks Unprecedented Amount of Email Data from Russian Organizations

In the last three days, DDoSecrets uploaded archives for five (5) different organizations across Russia totaling 1.97 Million emails and 2 TBs of data.

230,000 emails from the Blagoveshchensk City Administration (Благове́щенск) – 150GB
230,000 emails from the Ministry of Culture of the Russian Federation (Министерство культуры Российской Федерации) responsible for state policy regarding art, cinematography, archives, copyright, cultural heritage, and censorship – 446 GB
250,000 emails from the Deptartment of Education of the Strezhevoy (Стрежево́й) City District Administration – 221GB
495,000 emails from the Russian firm Technotec, which has provided oil and gas field services along with chemical reagents used in oil production and transportation – 440GB
768,000 emails from Gazprom Linde Engineering, which specializes in designing gas and petrochemical processing facilities and oil refineries – 728GB

13 April 2022 – 17:09 UTC

CISA Issues Alert About Destructive Malware Targeting US Critical Infrastructure

A joint advisory issued by the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) details how nation state actors (likely sponsored by the Russian government) have demonstrated the capability to gain full system access to multiple industrial control system (ICS) and affiliated supervisory control and data acquisition (SCADA) devices. The critical alert indicated there is an immediate HIGH cybersecurity risk to critical infrastructure around the US. The devices include:

Schneider Electric programmable logic controllers (PLCs);
OMRON Sysmac NEX PLCs; and
Open Platform Communications Unified Architecture (OPC UA) servers.

For more information read the advisory along with recommended security mitigation measures here: https://www.cisa.gov/uscert/ncas/alerts/aa22-103a

12 April 2022 – 15:31 UTC

ATW | Blue Hornet Announces That They are a “State-Sponsored” Group

The “GOD” account representing AgainstTheWest (APT49) on the new BreachedForums (with many users from the now officially seized RaidForums) announced moments ago that they are indeed a “state-sponsored” cyber group with “direct instructions to infiltrate, attack and leak the country of China, Russia, Iran, North Korea & Belarus.” The group’s Twitter account was also blocked by Russia’s Kremlin account earlier this week and the notification of this block was included in the post.

There is no way to verify the accuracy of the statement posted and it’s unclear whether or not the group will continue their operations in support of Ukraine.

11 April 2022 – TIME UNKNOWN

CONTI Claims Responsibility for Cyberattack Against German Wind Turbine Company

On the 31st of March, Nordex wind turbine manufacturing company in Germany suffered a significant cyberattack. CONTI has claimed responsibility for the attack (over 10 days later) posting the company’s name to their public-facing Tor service of victims. We anticipate that sensitive corporate data will be leaked by the RaaS gang shortly.

11 April 2022 – 20:58 UTC

Anonymous Compromises Regional Government of Tver, Russia; Leaks 130,000 Emails from Governor’s Mail Server

Hacktivists from the Anonymous Collective using the monikers DepaixPorteur and wh1t3sh4d0w0x90 have compromised the domain tverreg[.]ru believed to be associated with the Regional Government of Tver, Russia. Tver is located 110 miles (180km) northwest of Moscow on the banks of the Volga River. The archive is over 116GB in size and consists of over 130,000 emails exfiltrated from Governor Igor Rudenya’s email system dating from 2016 through 2022. The governor was appointed by President Putin in 2016.

Anonymous shared a leak consisting of Russian regional governors on the darknet on 23 March 2022.

11 April 2022 – 14:35 UTC

Finland Suffers Cyberattack; Announces They Will Expedite Application for NATO Membership

On April 8th, the Finnish government confirmed many of its military, defense, and foreign affairs webservers experienced unsophisticated, yet concerted DDoS attacks likely originating from Russian threat actors. The cyberattacks coincidentally occurred just as Ukraine President Zelenskyy started to address the Finnish Parliament on the status of the war in Ukraine around 10:30 GMT.

On the same day, the Finnish Minstry of Defense confirmed, hours earlier, Russia state-owned aircraft also breached Finland’s airspace off Porvoo in the Gulf of Finland – the first time in over 2 years. The aircraft, an Ilyushin IL-96-300 cargo transport airplane, was traveling east to west and landed in Berlin.

Both Finland and Sweden have signaled they will be submitting applications to join NATO. According to open-source reporting, Finland will likely finalize their application during the month of May in time for a NATO summit scheduled in Madrid, Spain in June.

Kremlin spokesman, Dmitry Peskov stated that Russia would have to “rebalance the situation ” with its own measures should Sweden and Finland choose to join NATO.

09 April 2022 – 03:39 UTC

ATW | BH Group Leaks Data Stolen from Russian Temporary Work Agency and Recruitment Firm: Rabotut

AgainstTheWest (Blue Hornet) announced on their Telegram channel they have successfully targeted the domain (rabotut[.]ru) for Rabotut, a “federal scale service” supplier in Russia. According to the threat actor, the archive includes the organization’s entire backend and front end source code, API keys, and SSL keys. According to open-sources, Rabotut is a temporary workers agency and provides contract employees to a number of critical government and corporate businesses around the country.

Contents of leak are in the process of verification by Darkowl analysts.

08 April 2022 – 21:41 UTC

KelvinSecurity Team Targets Russian Cryotcurrency Scam Website: alfa-finrase

KelvinSec released data reportedly from the domain (alfa-finrase[.]com) known for trading in fraud data, e.g. passports, driver’s license, and other sensitve PII. The group claims to have exploited the website, shutdown a cryptocurrency scam, deleted 400GB from the site’s server, and exposed 1.4GB of customer data from the deep web store.

07 April 2022 – 19:30 UTC

DDoSecrets Leaks Over 400,000 Russian Organization Emails Exfiltrated by Anonymous Operations

The leak site, DDoSecrets once again assists Anonymous hactivist collective in distributing sensitive data exfiltrated from companies and organizations in Russia. Three archives were leaked – within minutes of each other – for three organizations: Petrofort, Aerogas, and Forest. The data from these corporate email archives date back over decades of commercial activitiy.

Petrofort: 244GB archive consisting of over 300,000 emails between employees and clients. Petrofort is one of the largest office spaces and business centers in Saint Petersburg.
Aerogas: 145GB archive consisting of over 100,000 emails between employees and clients. Aerogas is an engineering company supporting Russia’s critical oil and gas infrastructure and supports such as: Rosneft, NOVATEK, Volgagaz and Purneft.
Forest (Форест): 35GB archive consisting of over 37,000 emails between employees and clients. Forest is a Russian logging and wood manufacturing company associated with many high-valued construction projects across the company.

A representative from DDoSecrets earlier shared thoughts about the extraordinary volume of leak data coming out of Russia earlier this week in a social media post.

06 April 2022 – 21:42 UTC

Anonymous Claims to Attack Russian MAUK Cinema, Mirkino Belebey

Members of Anonymous using the aliases ShadowS3c and Anonfearless3c have allegedly targeted servers for the Russian cinema and movie theatre, Mirkino Belebey (domain:mirkino-belebey[.]ru). The Mirkino theatre is also known as the MAUK Cinema a.k.a. “World of cinema” in the Belebeevsky District of Russia.

The hacktivists have leaked screenshots with credential data from the breached database containing hundreds of usernames, email adresses, and passwords.

This entry will be updated if/when the leak contents can be confirmed.

06 April 2022 – 20:42 UTC

Hajun Project Identifies Russian Soldiers Who Sent Parcels from Belarus Back to Russia

On April 3rd, the Hajun Project published three hours of surveillance camera footage from a CDEK delivery service located in Mazyr, Belarus. The video shows several soldiers from the Russian Armed Forces sending, among other things, items stolen from Ukrainians, during their “special military operation.”

Using leaked personal data available across the darknet and deepweb, the Hajun Project further confirmed the identities of the Russian military consignors and have released the names and phone numbers for at least 50 of the servicemen that sent parcels around the same time as the published camera video.

The Hajun Project maintains a Telegram channel and Twitter account monitoring and tracking the movement of military land and air assets in Belarus.

05 April 2022 – 16:22 UTC

Ukraine’s Defense Intelligence Agency (GURMO) Conduct SCADA Attacks on Gazprom

Due to the sensitivities of on-going military operations, there is limited detail available on the nature of the attack, but it appears that offensive cyber units under the direction of Main Director of Intelligence for the Ministry of Defense of Ukraine conducted SCADA cyberattacks against Gazprom pipelines. The attacks began within 48 hours of a fire at an oil depot in Russia’s Belgorod region last Friday, that western media reported was the first time Ukrainian helicopters had been spotted going across the border.

The cyberattacks likely triggered an underground gas leak from a highly pressurized gas pipeline in the village of Verkhnevilyuysk; the leak was reported in Russian open sources. Shortly after this, an explosion occurred in a main gas pipeline “Urengoy-Center-2” that civilians captured on Russian social media platform, VK as a large fire occurred in the Lysvensky district of the Kama region near the village of Matveevo.

Over pressurizing gas lines through disrupting infrastructure industrial control systems (ICS) is a documented method for using cyber to cause kinetic damage to pipeline critical infrastructure. The Congressional Research Services detailed such security risks to ICS in their 2021 report.

05 April 2022 – 14:21 UTC

Anonymous Leaks Data from Russian Rations Supplier, Korolevskiy

The company, Korolevskiy (korolevskiy[.].ru) appears to supply Russian companies and organizations with grain, nuts, and confectionaries in addition to rations for the military. This cyberattack could impact the availability of some food ingredient supplies, such as sugar, which is already in short supply and skyrocketing in price across the country due to sanctions.

The data leak includes an 82GB archive containing thousands of emails exfiltrated from the company’s mail servers.

05 April 2022 – 12:29 UTC

nb65 Claims to Hack Civilian Travel Service in Retaliation for Bucha Massacre

Anonymous and hacktivists around the world step up their offensive against Russia after images of Russian soldiers’ war crimes and atrocities against civlians in Bucha emerged on Monday.

Network Battalion 65 (nb65) reportedly targeted Continent Express (continent[.]ru), a Russia-based travel and supply company, with Conti’s ransomware variant in retaliation for the crimes.

Continent Express is one of the largest agencies for travel in Russia and helps arrange tickets and accomodations. As of time of writing the public facing website for continent[.] is operational.

Details of the group’s threatening message posted to social media called out the company’s CEO Stanislav Kostyashkinis in the image below.

“Why, you ask? The answer is simple. We read and watched the coverage of Bucha with horror. The utter lack of humanity in the way Russian soldiers have treated the civilian population of Ukraine left us all in tears. The world has pleased with your country to put an end to this madness drive by the mind of a cowardly tyrant: your president.”

(Update 6 April 2022) Earlier today, Continent Express posted to their news section of the website acknowledging the cyberattack but stated that important data and booking systems were not affected.

04 April 2022 – 12:29 UTC

DDoSecrets Distributes Data Exfiltrated by nb65 From Russian Broadcasting Company

Earlier in the campaign, nb65 leaked a sample of files and emails from All-Russia’s State Television and Broadcasting Company (VGTRK / ВГТРК). The Russian state-owned broadcaster operates five national TV stations, two international networks, five radio stations, and over 80 regional TV and radio networks and has been heralded as essential for the “security of the state.”

According to former VGTRK employees, Kremlin officials have dictated how the news should be covered, and provided incendiary phrases meant to discredit Ukraine. According to the former employees, editors normally have freedom to make decisions, but “where big politics are concerned, war and peace, he has no freedom.”

The 786 GB archive contains over 900,000 emails and 4,000 files spanning 20 years of operations at the broadcaster.

04 April 2022 – 06:24 UTC

Anonymous Leaks List of Russian Soldiers Deployed in Bucha

Anonymous shared a PDF file containing the identities of the members Russia’s 64 Motor Rifle Brigade that was positioned in the Kyiv suburb of Bucha. Since Russia’s withdrawl from the village, the atrocities and war crimes carried out by members of the Brigade have come to light.

The PDF consists of 87 pages detailing the identities of over 1,600 members of the Bridage, including their full name, date of birth, and passport number.

The file most likely originated from the Ukrainian government or intelligence services.

03 April 2022 – 06:16 UTC

Anonymous Shares Data Leaked from Russian Federal Agency for State Property Management

Anonymous shared a single PostGreSQL database, presumably from the domain: rosim.gov.ru, containing over 785MB of logged domain Internet activity available via the domain user: kluser. Much of the data is several years old, including IP addresses, domains, user agents of site vistors. Without further analysis, the value of leaking this data other than psychological operations and information warfare is unclear.

03 April 2022 – 05:07 UTC

nb65 Claims to Compromise Russian Gas Pipeline Supplier: SSK Gazregion

nb65 shared on social media that they have successfully hacked SSK Gazregion LLC (domain: ssk-gaz.ru) – a prominent natural gas pipeline construction company – with an ‘improved’ version of Conti’s ransomware. They taunted the company’s IT department, claiming that they also deleted all backups and restoring services would be an issue for the department.

They also claim to have exfiltrated 110GB of sensitive files, emails, and company data during the operation and trolled the company further stating it took forever to steal the data with the “chincy ass soviet connection” they were using for Internet connectivity.

“Federal Government: This will stop as soon as you cease all activity in Ukraine. Until then, fuck you. Your Preisdent is a coward who sends Russian sons away to die for his own ego. War in Ukraine will gain your country nothing but death and more sanctions. none of your internet facing tech is off limits to us.”

“We won’t stop until you stop.”

03 April 2022 – 04:24 UTC

ATW Release Dox of KILLNET Member

Similar to the personal details shared for various APT cyber groups in China, Russia, and North Korea, ATW targeted the pro-Russian cyber group, KILLNET. They released a dox containing the Russian national’s personal information, his social media, contact information, and familial associations.

KILLNET claimed to launch cyberattacks against Polish government and financial networks in support of Putin’s invasion in Ukraine. Last week, KILLNET also reportedly conducted DDoS attacks against the International Cyber Police agency, CYBERPOL and hacked the ticketing system at Bradley International Airport in Connecticut.

02 April 2022 – 17:28 UTC

Darknet Threat Actor, spectre123 Releases Sensitive Databases for the Indian Government and Military

The threat actor is well-known for targeting governments and defence contractors and has been circulating sensitive government databases for some time. This weekend, they released a “mega leak” of Indian government data for the PM Modi adminsitration’s “turning a blind eye to the humanitarian crisis…. in Ukraine.”

Over 40 GB of data is included in 11 different archived files and includes classified (up to TOP SECRET) and Confidential government documents from the following sectors: ALISDA, DGAQA, MSQAA, DRDO, DDP, Joint Defence Secretary India, BSF, MOD and the Indian Navy.

“The Indian government has a remarkably twisted propensity towards turning a blind eye to the humanitarian crisis in their own nation and now as well in Ukraine. It continues to do business with Russia and refuses to speak on the war, all in an effort to maintain their shallow political interests. These documents have been released to show that there are consequences for taking such foolish decisions.”

02 April 2022 – 06:13 UTC

ATW | BH Claims to Leak Personal Details of Members of Nation State APT Cyber Groups: ATP3, APT40, APT38, & APT28

The AgainstTheWest group continued their offensive against Chinese, North Korean, and Russian nation state cyber groups. Releasing a dox-style text file on Telegram and the deep web forum, breached.co, the ATW group included the names, email addresses, socials and Github accounts, credit card data, front companies, and other identifying information about the group’s participants along with other shocking revelations. Some include:

APT38: China and North Korea have collaboratively had a mole inside the United States Congress since 2011.
APT3: Threat actors are closely aligned with employees from Tencent – the Chinese technological giant behind WeChat and QQ.
APT38/APT3: The alias “ph4nt0m” appears in information for both groups and is believed to be affiliated with APT17 from China.
APT40: Threat actors are randomly connected to employees of ByteDance, the parent company for TikTok.

We are unfortunately unable to corroberate the veracity of the information shared by ATW (Blue Hornet).

01 April 2022 – 20:13 UTC

Anonymous Attacks Russian S-300 Supplier: Lipetsk Mechanical Plant

Anonymous shared another large archive of data stolen from a prominent Russian defense manufacturing facility. The archive is nearly 27GB total and consists of company emails and sensitive documents.

Russia’s “Lipetsk Mechanical Plant” produces several defense products for the Russian military and industrial defense complex. Today, the plant is one of the leading and main manufacturers of modernized self-propelled tractors for S-300V4 anti-aircraft missile systems in Russia. The S-300 is one of Russia’s premier air-defense platforms.

01 April 2022 – 16:00 UTC

Anonymous Leaks Multiple Data Archives From Critical Moscow-Based Organizations

Coordinating today through DDoSecrets on distribution, Anonymous shared several highly significant archives, consisting of over 500GB total of emails, files, and databases from critical Russian organizations with close ties to the Russian government.

Department for Church Charity and Social Service of the Russian Orthodox Church: Database containing 57,500 emails from the Russian Orthodox Church’s charitable wing.
Capital Legal Services: 200,000 emails exfiltrated from a prominent Russian law firm includes an additional 89,000 emails are located in a “Purges” mailbox, consisting largely of bounced email notifications, cron jobs and other server notifications.
Mosekspertiza: Three archives consisting of a) 150,000 emails b) 8,200 files and c) multiple databases totally over 400GB of data. Mosekspertiza is a state-owned company setup by the Moscow Chamber of Commerce to provide expert services and consultations to Russian businesses.

1 April 2022 – 08:56 UTC

GhostSec Wreaks Additional Havoc on Alibaba

After ATW attacked Alibaba Cloud days before, Ghost Security has allegedly hacked and deleted Alibaba’s UAE branch’s ElasticSearch service database. They included a leak to the database extracted from the company on their Telegram channel.

We have also deleted everything and even cleared the backups so there is no recovery, and we left a little celebration from us <3

31 March 2022 – TIME UNKNOWN

German Wind Turbine Company Impacted by Cyberattack

A German-based wind turbine – Nordex – with over $6 billion dollars in global sales faced a cyberattack that incident responders caught “in the early stages.” It’s likely the attack is retaliation for Germany pausing on the Nord Stream 2 natural gas pipeline deal with Russia.

“Customers, employees, and other stakeholders may be affected by the shutdown of several IT systems. The Nordex Group will provide further updates when more information is available.”

In the early days of the cyberwar, a cyberattack on the satellite communications company Viasat caused 5,800 Enercon wind turbines in Germany to malfunction.

31 March 2022 – 19:43 UTC

Anonymous Leaks 62,000 Emails from Moscow-Based Marathon Group

Anonymous again targets associates of those closest to Putin launching recent cyberattacks against Marathon Group. The Marathon Group is an investment firm owned by Alexander Vinokurov. Vinokurov is the son-in-law of Russian Foreign Minister Sergei Larov and is under heavy sanctions by the EU for providing financial support to Russia. The leaked archive is over 51GB in size and is being distributed via DDoSecrets.

31 March 2022 – 14:31 UTC

Ukraine Government Sets Up Website for Whistleblower Reporting

The Ukrainian Prosecutor General’s Office in coordination with the National Agency on Corruption Prevention and Task Force Ukraine deployed the Whistleblower Portal on the Assets of Persons Involved in the Russian Aggression against Ukraine. The website is setup to provide a secure and anonymous method for the submission of tips and evidence of corruption any activities causing national harm. The website will ideally help in the “tracing, freezing, and confisicating of assets of those involved in Russia’s War Crimes.”

Many OSINT sleuths have identified Russian oligarchs’ and government officials’ assets, like super yachets parked in international ports and submitted photographs via posts on social media. This website could be used to officially report supporting information leading to the seizure of those assets or other correlative intelligence obtained through leaks shared by Anonymous.

30 March 2022 – 22:09 UTC

Database Containing the PII of 56 Million Ukrainian Citizens Leaked on Deep Web

A user on the forum breached.co leaked an arhive containing the personal identification information for over 56 Million citizens of Ukraine. The database includes the full name, dates of birth, and address for the individuals. Its unclear the origins of the data. Members of the forum stated it was the Ukrainian Tax Service and could be dated back to 2018.

30 March 2022 – 21:53 UTC

ATW Continues Offensive Against China, Leaks Alibaba Cloud & Ministry of Justice of PRC Data

The AgainstTheWest/Blue Hornet group have ramped up their attacks against Chinese targets and leaked the largest archive they have exfiltrated to date. ATW successfully breached the e-commerce company Alibaba and have dropped a 30GB archive consisting of Alibaba’s cloud endpoint environment, source code, and customer data. They also released a smaller database obtained from the Ministry of Justice of the People’s Republic of China. Both were shared to the deep web forum, breached.co.

30 March 2022 – 19:49 UTC

Anonymous Continues to Encourage SCADA Attacks; Leaks Default Credentials for COTS Hardware Suppliers

Members of the Anonymous Collective circulate spreadsheets and websites containing the default factory credentials for most commercial-off-the-shelf (COTS) vendor hardware. Hardware, that in turn, is often affiliated with and successfully exploited via SCADA-based industrial control system (ICS) cyberattacks.

One list includes 138 unique products including manufacturers such as Emerson, General Electric, Hirshmann, and Schneider Electric accompanied with default factory settings such as username: admin and password:default. Another resource is a surface web website (intentionally not included but available upon request) which lists 531 vendors and over 2,100 passwords deployed with hardware from the factory.

Sadly, most companies will rely on the default passwords upon installaton and do not bother with updating to a more robust credential security standard.

30 March 2022 – 18:19 UTC

Anonymous Leaks 5,500 Emails Stolen from Thozis Corporation

Anonymous successfully attacked Thozis Corporation – a Russian investment firm with links to Zakhar Smushkin of St. Petersburg. According to the Panama Papers, the company is registered in the British Virgin Islands. The firm is allegedly involved in one of the largest development projects in Russia, including a project to build a satellite city within St. Petersburg.

The trove of leaked emails likely include sensitive documents and agreements between the Russian government, its societal elite, and other international entites.

DDoSecrets assisted in the publication of the 5.9GB archive obtained by Anonymous.

30 March 2022 – 17:55 UTC

GhostSec Leaks Shambala Casino Network Data

GhostSec claimed a few days ago they had successfully attacked a prominent casino operator in Russia, known as Shambala.

The hacktivist group targeted the casino as they believed members of the Russian government used Russian casinos to move cash into different currencies besides the Ruble. At least 27 computers were reportedly compromised, data exfiltrated, systems locked, and files erased.

29 March 2022 – 06:12 UTC

Russian Aviation Sector Suffer Additional IT Operational Impacts

A post shared on the Russian Telegram channel, Авиаторщина, indicates that the aviation industry of Russia will have additional impacts to their IT support with the withdrawl of the Swiss-based company, SITA as of 29 March.

According to the Telegram post, SITA shutting down their operations will impact numerous systems utilized by the aviation industry and airlines across Russia.

[translated]

“Products for pilots such as AIRCOM Datalink, AIRCOM FlightMessenger, AIRCOM FlightTracker, and AIRCOM Flight Planning services will no longer be available. Such software is utilized by airlines and flight crews to plan, perform aeronautical calculations and track flights, and more accurately calculate remaining fuel, flight time, etc.”

The company – choosing to withdrawl from operating in Russia due to Putin’s invasion – suffered a significant cyberattack on 24 February, the same day as the invasion of Ukraine, resulting in the compromise of passenger data stored on their SITA Passenger Service System (US) Inc. servers. SITA supports numerous international air carriers.

This annoucement comes within days of the cyberattack against Rosaviatsiya (see below), Russia’s Federal Air Transport Authority.

(Update 30 March – 23:42 UTC) No alias associated with Anonymous has claimed credit for the 28 March cyberattacks against Rosaviatsiya which resulted in 65TB of lost agency data. Interestingly, new Anonymous groups have only recently joined the campaign, including RedCult, increasingly the likelihood that widespread industry sector attacks will continue across Russia.

28 March 2022 – 18:23 UTC

nb65 Claims to Hack JSC Mosexpertiza; Steals 450GB of Sensitive Data

In a social media post, nb65 hacktivist group claims they compromised Joint Stock Company (JSC) Mosexpertiza, Moscow’s independent center for expertise and certifications, via the domain mosekspertiza.ru.

They claim they also infected the domain with, none other than Conti’s “crypto-locking ransomware variant” – released earlier this month in the opRussia campaign. In the process of hacking the network nb65 also exfiltrated 450GB of emails, internal documents, and financial data.

28 March 2022 – 17:07 UTC

Anonymous Leaks 140,000 Emails from Russian Oil & Gas Company, MashOil

Distributed via DDoSecrets, the Anonymous hacktivist collective recently targeted MashOil, releasing over 140,000 sensitive corporate emails from the company.

Moscow-based, MashOil manufacturers equipment for hydraulic fracturing and enhanced oil recovery (EOR); injection, nitrogen and cementing equipment; top drive mobile drilling rigs; directional drilling equipment; and, ejector well clean-up.

Anonymous continues to target companies in Russia and any companies that continue to contribute to economic and financial viability for the Russian Federation.

28 March 2022 – 12:41 UTC

Anonymous Leaks Russian Document Ordering Propaganda Video Development

Knowing propaganda is widely circulated by both Ukrainian and Russian affiliated organizations, Anonymous has leaked an official Russian document, titled “On holding informational events on the Internet”, dated 21 March 2022, stating this was an official “order issued” by the Russian government to develop videos to discredit the Ukrainian military and their treatment of prisoners of war (POWs). The order was signed by the “Temporary Minister of Defense of the Russian Federation”, Dmitry Bulgakov and decrees:

Develop and distribute a series of video materials demonstrating the inhuman behavior of the military personnel of the Armed Forces of Ukraine and nationalist formations on the territory of Ukraine in relatinos to prisoners who showed a voluntary desire to surrender
Develop and distribute sermographic materials, evidence of the use of briefings by captured military personnel of the Armed Forces of the Russian Federation during the filming
Provide informational support for materials in the comments, the main argument is the violation of the Geneva Convention on the Treatment of Prisoners
To impose control over the implmtnation of this order on the head of the Information Warfare and Disguise Department of the Ministry of Defense of the Russian Federation

(UPDATE 29 March 2022 – 20:56 UTC) DarkOwl advises that recent open source intelligence research suggests this letter could be fake and disseminated as part of an information operations campaign. Researchers caught signature mismatches of the Russian official, Bulgakov. Such data is a reality in the the fog of asymmetric warfare.

28 March 2022 – 11:58 UTC

Ukrainian Defense Intelligence Doxxes 620 Russian FSB Agents

The Ukrainian Military Intelligence Agency of the Ministry of Defence of Ukraine, known simily as Defence Intelligence of Ukraine or GUR, has leaked the identities of over 600 Russian FSB spies. The database includes the agents’ full names, dates of birth, passport numbers, passport dates of issue, registration addresses as well as other identifying markers for the FSB employees.

Many of these agents may be conducting covert operations around the world and leaking their identities may compromise the success of their operations.

28 March 2022 – 11:05 UTC

ATW (BH) Targets Chinese Companys and Government Organizations

After a brief vacation announced on 23 March, the AgainstTheWest (Blue_Hornet) group returns with concerted attacks against a number of Chinese companies and government organizations. The group claims they successfully attacked the following:

The group also referenced a supply-chain software dependency attack, via a poisoned burgeon-r3 NPM package.

Fenglian Technology-Digital Ecological Platform Solution
Bluetopo China security development tool
China Pat Intellectual Property
Weipass
Ministry of Transport China
Freemud Software (supplier to Starbucks)
China Joint Convention Committee.

Shortly after the announcement and initial round of leaks, the group also released source code affiliated with China Guangfa Bank, along with associated Maven releases. The group also claims to have breached the Chinese social messaging platform, weChat.

We are still evaluating the data and determining the specific types of data compromised and released.

28 March 2022 – 03:22 UTC

Russian Federal Air Transport Agency, Rosaviatsiya Confirms CyberAttack; 65TB of Data Erased

The civil aviation agency Rosaviatsiyan responsible for air cargo transportation confirmed with a letter shared on the Russian Telegram channel, Авиаторщина that their website domain favt.ru was offline since Saturday due to a significant cyber attack. The attacks had severely impacted their ability to plan and conduct flight operations and the agency had resorted to pen-and-paper-based operations in the interim.

The notice stated that over 65TB of emails, files and critical documents had been allegedly erased along with the registry of aircraft and aviation personnel. There were no systems backups to restore from because according to the agency spokesperson, the Ministry of Finance had not allocated funds to purchase backups.

“All incoming and outgoing emails for 1.5 years have been lost. We don’t know how to work…”

“The attack occurred due to poor-quality performance of contractual obligations on the part of the company LLC ‘InfAvia’, which carries out the operation of the IT infrastructure of the Federal Air Transport Agency.”

27 March 2022 – 20:44 UTC

Anonymous Leaks 2.4GB of Emails from Russian Construction Company, RostProekt

Over the weekend, DDoSecrets helped Anonymous distribute over 2 gigabytes of sensitive company emails exfiltrated by breaching a prominent Russian construction company, RostProekt (in Russian: РостПроект). The company primarily operates in Russia, with the head office in Moscow Oblast. RostProekt is a primary contributor to Russia’s lumber and other construction materials merchant wholesalers sector. The breach may impact construction projects in the country.

As of time of writing, the website for the company is online.

25 March 2022 – 20:36 UTC

nb65 Leaks Sample Internal Data from the All-Russian State Television and Radio Broadcasting Company (VGTRK)

The nb65 hacktivist team targeted and released data affiliated with a state-sponsored propaganda broadcasting company of the Russian Federation, VGTRK. The All-Russia State Television and Radio Broadcasting Company, also known as Russian Television and Radio (native: Всероссийская государственная телевизионная и радиовещательная компания) owns and operates five national television stations, two international networks, five radio stations, and over 80 regional TV and radio networks. It also runs the information agency Rossiya Segodnya.

nb65 claims they have successfully compromised the organization’s network and exfiltrated over 750GB of data, much of which consists of employee email (.pst) files from the company’s email network. The group claims to be ‘watching’ for their ‘eventual incident response.’

The group continued to troll the organization…

“Your blue team kinda sucks. Hard to find good IT help when all your techies are fleeing the country, eh?”

25 March 2022 – 18:36 UTC

Anonymous Releases Files Exfiltrated from the Central Bank of Russia

Anonymous has released data the hacktivists collected while conducting attacks against the Central Bank of Russia. The archive, broken up into 10 separate parts consists of over 25GB of archived data consisting of over 35,000 files of sensitive bank data. Earlier in the campaign, we observed several posts containing targeting information, e.g. domains, IP addresses, etc for the bank on the deep web.

24 March 2022 – 20:49 UTC

GNG Claims to Hack Russian Mail Server, mail.ru

Georgia’s Society of Hackers (GNG) announced today they successfully attacked Russia’s equivalent to Gmail, mail.ru, including their maps.mail.ru subdomain. The hacktivist group is in process of exfiltrating the data and will provide the detailed data dump in the next few days.

As of time of writing this, the maps.mail.ru website is online and operational.

24 March 2022 – 14:11 UTC

Anonymous Shares Proof of Hacked ATMs in Russia

Earlier today, users at what appears to be a Sberbank ATM reportedly located in Russia experienced technical errors when selecting the Russian language on the screen. Upon selection, the ATM monitor quickly flashes to the Ukrainian flag and the words Glory to Ukraine (Слава Україні!). See the video captured video here.

ATM malware is widely circulated on the darknet and used extensively in the fraud and financial crime communities.

24 March 2022 – 10:43 UTC

Pro-Russian Killnet Launches Anonymous-Style Campaign Against Ukraine – Targets Poland and NATO

The pro-Russian cyber threat actor group, Killnet have been conducting attacks against Ukraine for several weeks and have stepped up their demands and threats against Ukraine and western Europe. Today, they released a video on social media, mirroring the ominous messaging of an Anonymous-style video with the Russian flag in the background. During the video, the group stated they would attack targets in Poland for their assistance to the Ukrainian government during the invasion. They recently also posted specific targeting information for the National Bank of Poland on their Telegram channel.

“…together with the Russian cyber army, we disabled 57 state websites of the Kiev regime, 19 websites of nationalist parties…”

The group also referred to the Colonial Pipeline attack in the US from May 2021.

[translated] “Let’s remember American gas company attack, which resulted in 40% paralyzed infrastructure of America for few days.”

23 March 2022 – 16:45 UTC

AnonGhost Claims to Hack Russian Street Lighting System and Drops Proofs of Access to Moxa Industrial Wireless Networking Infrastructure

AnonGhost known for their attacks against industrial control systems, continued their campaign against Russia by targeting МонтажРегионСтрой г. Рязань street light control system. They stated they successfully shutoff the street lights at 19:35 Moscow time and it was a “gorgeous show.”

Shortly before announcing the breach of the lighting contol panel, AnonGhost also provided proof of access to Moxa (moxa.com) industrial networking devices. They leaked proof of access to router information for a industrial wireless Moxa device, its associated OnCell specifications, along with defacement of the device’s name, description, and login message.

In addition to the proofs they linked to a pastebin file containing over 100 Russian Moxa IP addresses for additional targeting.

It’s unclear where the Moxa device compromise is physically located or whether the Moxa compromise provides direct access to the streetlight control system.

23 March 2022 – 02:44 UTC

BeeHive Cybersecurity Claims They Are Running Ransomware Campaigns Against Russian Targets

When one thought they only hijacked Discord users and trolled pro-Russian ‘hackers’ like @a_lead_1, BeeHive Cybersecurity claims they have been quiet because they are running ransomware operations against targets across Russia.

Oh, in case you guys were curious why we’ve been so quiet. May or may not have a new #ransomware operation running in Ru right now. Alas, we find allies quicker than Putin finds ways to invade Ukraine. We’ll have more details soon but…consider this the public disclosure.

This would not be the first Russia-specific ransomware variant to emerge. According to Trend Micro, RURansom was detected targeting Russian-specific devices with AES-CBC encryption and hard coded salt. Another ransomware variant recently detected, known as “Antiwar” appends the file extension, “putinwillburninhell” to encrypted files.

22 March 2022 – 19:14 UTC

ATW (Blue Hornet) Compromises Russia’s Hydrometeorology and Environmental Monitoring Service with Bitbucket

The AgainstTheWest / Blue Hornet team has recently leaked several internal documents from Russia’s Hydrometeorology and Environmental Monitoring service (spelled by the threat actors as ROSHYDRO). According to open sources, the monitoring service is hosted on the meteorf.ru domain. The data leaks consists of 45 PDF files containing historical software change descriptions and feature requests from the company’s internal software development tracking system. ATW refers to a superadmin account for the GIS FEB RAS Team on Bitbucket in the leak.

21 March 2022 – 22:44 UTC

ATW Returns to Campaign with Attacks Against Almaz-Antey

After a disruption in the ATW team’s cyber activities due to personal issues, the ATW/Blue Hornet team returns leaking a 9GB archive of data allegedly exfiltrated by breaching Almaz-Antey’s corporate networks. The data leak includes employee login data, multiple documents containing PII, confidential and classified intellectual property, schematics, and SQL database files.

Almaz-Antey (Russian: ОАО “Концерн ВКО “Алмаз-Антей”) is one of Russia’s largest defense and arms enterprises, known for the development of Russian anti-aircraft defense systems, cruise missiles, radar systems, artillery shells, and UAVs.

21 March 2022 – 15:26 UTC

Anonymous Targets Russian Software Developer, naumen.ru

Hacktivists from the Anonymous collective have leaked data exfiltrated from Naumen, a software vendor and cloud services provider in Moscow. The company markets itself as “world class IT solutions fully adapted to the Russian market” and lists several prominent international companies as partners. The leaked data consists of an SQL database containing thousands of usernames, email addresses, hashed passwords, and associated PII. The specific purpose and origins of the database from inside Naumen is unclear, but partner companies could experience supply chain / vendor risk issues.

21 March 2022 – 03:27 UTC

KelvinSec Targets Nestle for Continued Commercial Operations in Russia

The KelvinSec ‘hacking’ team have reportedly compromised Nestle in retaliation for continuing to operate and distribute their products in Russia. The group leaked multiple databases from Nestle consisting of customer entity data, orders, payment information, and passwords (10GB total). The group insisted its a “partial” database leak and more data may be released in the future.

Nestle defended its business decision after President Zelenskyy called the company out to protestors on Saturday night in Bern, Switzerland.

(Update 3/22 – 01:48 UTC) Anonymous issues warning and gives a number of US companies 48 hours notice to pull out of Russia or become targets of the #opRussia cyber offensive campaign. Example corporations include: Subway, Chevron, General Mills, Burger King, citrix, and CloudFlare.

20 March 2022 – 23:33 UTC

Anonymous Compromises Russian Social Media VK to Send Message to Millions

Anonymous accesses VK’s messaging platform and sends direct messages to over 12 million Russian users of the social media app. The message, written in Russian, speaks to the realities of the war in Ukraine, the demise of the Russian economy, and threatens that users using the Russian “Z” insignia on as their profile avatar will be targeted by international authorities.

VK users have shared proofs of the message received to confirm the campaign in VK occurred.

20 March 2022 – 15:32 UTC

GhostSec Leaks Military Asset Monitoring System and More from Russian Networks

The leak includes data exfiltrated from a military operational readiness monitoring website (orf-monitor.com), including inventory tracking of key Russian military assets; a leak of a Russian investment company that includes recent Chinese contract data; and lastly, technical data leaks from Russian Defense Contractor Kronshtadt, that includes computational specifications related to their UAVs, along with military operational doctrine, etc.

GhostSec teased on their Telegram channel they had more data coming and this archive they were sharing was a sample of a much bigger dataset.

20 March 2022 – 13:40 UTC

Honest Railworkers in Belarus Help Stop Lines Going to Ukraine

According to open source reporting and the hacktivist group known as Cyber Partisans, the railways going out of Belarus into Ukraine have stopped. Earlier in the campaign, Cyber Partisans disrupted rail operations in Belarus using cyber attacks against ticketing systems and switching systems; however, others report that the rails are inoperable due to “honest railworkers” who do not want to see Belarus military equipment transported into Ukraine for use in this war. (Source)

“I recently appealed to Belarusian railway workers not to carry out criminal orders and not transport Russian military forces in the direction of Ukraine. At the present moment, I can say that there is no railway connection between Ukraine and Belarus. I cannot discuss details, but I am grateful to Belarus’s railway workers for what they are doing” – Oleksandr Kamyshin, director of the Ukrzaliznytsya state railroad

20 March 2022 – 10:28 UTC

Arvin Club Takes Down STORMOUS Ransomware’s Tor Onion Service

Shortly after STORMOUS ransomware gang setup a Tor onion service, the Arvin Club ransomware group compromised their site and leaked SQL databases, information, and performance schemas. It’s unclear whether or not this attack occurred out of STORMOUS’s Russian allegiance or if Arvin merely wanted to teach the cyber criminals a lesson in setting up secure sites on the darknet.

The STORMOUS ransomware group had previously operated only on Telegram.

(UPDATE) As of 3/22 the Tor service is still offline.

20 March 2022 – 02:18 UTC

Anonymous Leaks Database from Russian Aerospace Company Utair

Hacktivists from the Anonymous collective have released the customer database for Russia’s Utair airlines. (Russian: ОАО «Авиакомпания «ЮТэйр»). The JSON database appears to have been collected long before the 2022 #opRussia campaign, as the MongoDB is dated 2019. There are records containing personal data for over 530,000 clients using Utair’s services.

18 March 2022 – 21:29 UTC

nB65 Leaks Data from Russian Space Agency

After a disappointing trolling exercise against Kaspersky, the nb65 hacktivist group returns with data leaks from Russia’s Space Agency, Roscosmos. The group claims they still have persistent access to the agency’s vehicle management system and leaked the IP of the compromised network to prove their access. The leaked data archive consists of over 360MB of user and operations manual, along with solar observatory logs.

Hours earlier, the group also claims to have compromised tensor.ru and leaked 1.6GB of compromised emails for a corporate mailbox for the Russian digital signature company.

18 March 2022 – 15:39 UTC

Russia Targets Ukraine Red Cross Website in Cyber Attack

The Ukrainian Red Cross reported their Internet web servers have been hacked, likely by Pro-Russian cyber threat actors. The website domain – redcross.org.ua – is currently offline with the statement “account disabled by administrator.”

The social media account for the Ukrainian Red Cross stated that no personal data of beneficiaries stored on the website were compromised by the cyber attack.

The Ukrainian Red Cross staff and volunteers are busy and actively providing medical aid and support to vulnerable and wounded Ukrainian civilians across the country as Russian military continue their barrage of cruise missile strikes.

17 March 2022 – 11:43 UTC

AnonGhost Leaks Screenshots of GNSS Satellite Hacks Along with IP Addresses

AnonGhost shared several screenshots as proof of attacks they conducted against Russia’s Trimble GNSS satellite interface. They claimed on social media that other “fake Anonymous” accounts had taken credit for the operation. They also leaked 48 unique IP addresses associated with the GNSS satellite systems. The group did not specify the nature of the attacks against the Russian assets.

17 March 2022 – 09:23 UTC

Anonymous Claims to Have Located Putin’s Bunker

Using OSINT analysis involving satellite imagery and topography and landmark comparisons like rivers and powerplants, the Anonymous community claims they have detected President Putin’s bunker. There no means to verify the accuracy of these assertions.

17 March 2022 – 03:58 UTC

Anonymous Leaks 79 GBs of Emails from R&D Department of Transneft – OMEGA

DDoSecrets released the data on behalf of Anonymous hackers operating in cyber campaigns against Russia. Anonymous compromised email inboxes of OMEGA Company, the R&D arm of Russia’s state-controlled pipeline company known as Transneft [Транснефть]. Transneft is the world’s largest oil pipeline company with over 70,000 kilometres (43,000 miles) of trunk pipelines and transports an estimated 80% of oil and 30% of oil products produced in Russia. The emails cover the accounts’ most recent activity, including after the introduction of US sanctions on February 25, 2022. Some of the emails reflect some of the effects of those sanctions.

16 March 2022 – 10:47 UTC

Russian Foreign Intelligence Service (SVR) Requests Information via Tor

Russia’s external intelligence agency has issued instructions on how to establish secure communcations via their Virutal Reception System (VRS) to relay any threats to the Russian Federation. The call for leads, found on svr.gov.ru, details how to install the Tor anonymous network, details the v3 .onion address of their secure communications system, and advises the informant using PGP in order to further encrypt the details of any messages provided.

“If you are outside Russia and have important information regarding urgent threats to the security of the Russian Federation, you can safely and anonymously share it with us via the virtual reception system (VRS) of the SVR over the TOR network.”

If you are in hostile environment and/or have reasons to worry about your security, do not use a device (smartphone, computer) registered to you or associated in any way with you or people from your personal settings for network access. Relate the importance of information you want to send us with the security measures you are taking to protect yourself!

15 March 2022 – 11:48 UTC

Pro-Russian Group Xaknet Threatens to Attack Critical Infrastructure Information Centers

“We cannot endlessly give you ‘lessons of politeness.’ We demand the cessation of hacker attacks against Russian infrastructures, we demand the cessation of the activities of information centers for the dissemination of fakes.

In case of refusal, we will be forced to use the most sophisticated methods, and reserve the right to act as the enemy does. Critical information infrastructure facilities will become a priority target for the group. All work will be aimed at the complete destablization of the activities of the aforementioned CIIs.”

It’s unclear from the threats what specific websites or services the cyber threat group considers critical infrastructure information services. The IT Army of Ukraine’s extensive information operations spread across most all social media platforms and information communication mediums across Russia.

15 March 2022 – 07:19 UTC

User on Telegram Leaks New Letter from FSB

A user on pro-Ukrainian Telegram channel (name redacted) has released a new letter, reportedly from an FSB agent, translated into English.

The temperature has really risen here, it’s hot and uncomfortable. I won’t be able to communicate for some time here in the future. I hope we can chat normally again in a few days. There are a lot of things that I have to share with you…
The questions are raised by the FSO (Federal Protective Service of the Russian Federation, aka Putin’s Praetorian Guard) and the DKVR (Russian Military Counterintelligence Department). It is precisely the DKVR that is mounted on horseback and is looking for “moles” and traitors here (FSB) and in the Genstaff (General Staff of the Armed Forces of the Russian Federation) regarding leaks of Russian column movements in Ukraine. Now the task of each structure is to transfer the fault to others and to make the guilt of others more visible. Almost all members of the FSB are busy with this task at the moment.

The focus is on us more than others at the moment, due to the hellish circumstances regarding the intra-political situation in Ukraine: We (the FSB) have released reports that at least 2,000 trained civilians in every major city of Ukraine were ready to overthrow Zelensky (President of Ukraine). And that at least 5,000 civilians were ready to come out with flags against Zelensky at the call of Russia. You want to laugh ? We (FSB) were supposed to be the judges to crown Ukrainian politicians who were supposed to start tearing each other apart arguing for the right to be called “Russia’s allies.” We even set criteria on how to select the brightest of the most competent (among Ukrainian politicians). Of course, some concerns have been raised about the possibility that we may not be able to attract a large number of people (Ukrainian politicians) to Western Ukraine, to small towns and to Lvov itself. What do we actually have? Berdyansk, Kherson, Mariupol, Kharkiv are the most populated pro-Russian areas (and there is no support for Russia even there). A plan can fall apart, a plan can be wrong. A plan can give a result of 90%, even 50%, or 10%. And that would be a total failure. Here it is 0.0%.

There is also a question: “How did this happen?” This question is actually a (misleading) trap. Because 0.0% is an estimate derived from many years of work by very serious (high-ranking) officials.
And now it turns out that they are either agents of the enemy or simply incomprehensible (according to the FSO / DKVR who are now looking for “moles” within the FSB).

But the question does not end there. If they are so bad, then who appointed them and who controlled their work? It turns out that they are people of the same quality but of a higher rank. And where does this pyramid of responsibilities stop? At the boss (Putin).
And this is where the evil games begin: Our dear Александр Васильевич (Alexander Vasilyevich Bortnikov – Director of the whole FSB) cannot fail to understand how badly he got caught. (Bortnikov realizes the deep mess he is in now)

And our evil spirits from the GRU (Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation) and the SVR (Foreign Intelligence Service – equivalent to the CIA) understand everything [and not only from these two organizations]. The situation is so bad that there are no limits to the possible variations (of events that will happen), but something extraordinary is going to happen.”

Shortly after a first letter from an FSB whistleblower surfaced around 5 March, Putin quietly placed his FSB chief, Sergei Beseda and his deputy on house arrest last Sunday. While telling the public he arrested them for embezzlement charges, according to open-source reports, the “real reason is unreliable, incomplete, and partially false information about the political situation in Ukraine” and Putin is holding them responsible for the Ukrainians’ success in the invasion thus far.

14 March 2022 – 12:00 UTC

Russian State Duma of the Federal Assembly Confirms Censorship of VPNs

Citing it was “a difficult task” Alexander Khinshtein, chairman of the State Duma Committee on Information Policy, commented that Russia’s media and propaganda agency, Roskomnadzor has been tasked with blocking over two dozen VPNs [virtual private networks] across Russia. (Source)

We anticipate that number to increase as Putin continues to crack down on Russian citizens’ media consumption.

VPNs have been targeted by Russian authorities since 2017, when an initial VPN law was passed. In 2019 many of the VPN providers across Russia received compliance demands from Roskomnadzor representatives via email – captured in the image below.

The demand for VPNs in the country has reportedly increased by over 2,000% in the last month. Users on Telegram encourage widespread use of anonymity tools like VPNs and Tor, and share links to VPN services still in operation and accessible in the region. Many of the VPNs are available via Telegram directly and offer free trial subscriptions to Russian users.

14 March 2022

Russian Cyber Actors Setup IT Army of Russia Group

The collective of cyber threat actors self identifies as the “IT Army of Russia”, mirroring the IT Army of Ukraine Telegram initiative, and claims it has targeted critical Ukrainian cyber services with DDoS attacks. The group has less than a 100 subscribers and many of the members are affiliated with the Killnet forum.

The group recently posted a detailed dox containing personal information for President Volodymyr Zelenskyy [in Ukrainian: Володимир Олександрович Зеленський]. The dossier contains specific information such as his date of birth, passport number, car registration details, and familial associations.

13 March 2022 – 09:31 UTC

Anonymous Germany Exfiltrates Data from Russian Rosneft Operations in Germany

An Anonymous hacktivist group from Germany, referring to themselves as “AnonLeaks” had access to the networks of Russia’s Rosneft subsidiary in Deutchland for almost two weeks and exfiltrated over 20 terrabytes of corporate data. According to a preliminary review, the data consists of laptop backups, virtual disk images, excel files, work instructions, and other operational information for the refinery.

Anonymous Germany emphasizes they did not have access to critical infrastructure in Germany, nor was the intent of their operation to access critical infrastructure for the refinery or compromise it in any way.

Rosneft is Germany’s third largest petroleum refinery company, processing roughly 12.5 million tons of crude oil per year.

(Update) Details of the leaked data has appeared on a dedicated Tor darknet service setup by the hacktivists.

13 March 2022 – 07:19 UTC

nB65 Claims to Be Jonathan Scott, a US-based Malware Researcher

Since the invasion, a social media account reportedly affiliated with the group nB65 was extremely active in sharing their leaks and targets across Russian networks – including claims of accessing Roscomos Space Agency. Most recently, they stated they had access to Kaspersky’s source code, with many teasers in the hours leading up to a what amassed to a disappointing dump of publicly available code from the Russian antivirus software developer. The group essentially trolled Kaspersky and received heavy criticism from members of the information security research community.

The owner of the group’s Twitter account claimed today they were in real life, Jonathan Scott, a US-based Computer Science PhD student researching mobile spyware and IoT malware. Shortly after, the Twitter account for the group was deleted.

11 March 2022 – 06:25 UTC

GhostSec Claims to Access, Shutdown, and Deface Control Panel of Russian ICS via SCADA Attack

GhostSec continues their offensive against Russian critical infrastructure with attacks affecting industrial controls systems. Today, they claimed they successfully accessed an unknown Russian industrial control system, deface the control panel, and shut the system down. They also stated they deleted the backups to make restoring services more challenging.

They included the screenshot below which appears to correlate to a typical ICS system. The name or location of the network was not identified.

11 March 2022 – 01:34 UTC

BeeHive Cybersecurity Enters Campaign and Targets Pro-Russian Discord Users

A pro-Ukrainian group, known as “BeeHive Cybersecurity” claims to have attacked over 2,700 pro-Russian Discord users, compromising their accounts and defacing their profiles with statements about the realities in Ukraine posted in English, Ukrainian, and Russian.

The group insinuates that they “CnC [command and control] the platforms of the ignorant” and use compromised devices to help combat disinformation.

10 March 2022 – 12:30 UTC

KelvinSec Leaks Private Chats from Darknet Tor Service: Database Market

KelvinSec, a pro-Ukrainian cyber threat actor on the darknet, has leaked 3,178 files containing the private chats from DATABASE Market. DATABSE is a relatively newly-launched service on Tor, where carding and fraud cyber-criminals congregate and transact.

The service is allegedly hosted by IT Resheniya on the IP address 45.155.204.178. KelvinSec reported they infilitrated the market via an insecure direct object reference vulnerability, commonly called “IDOR” which gives an attacker access to the website’s hidden information.

The compromised Tor service is still active as of time of writing.

10 March 2022 – 11:24 UTC

DDoSecrets Leaks Over 800GB of Data from Russian Media Censor, Roskomnadzor

The whistleblower leak site, DDoSecrets has obtained 360,000 files from Роскомнадзор (Roskomnadzor) via hacktivists from the Anonymous campaign against Russia. Roskomnadzor is a Russian state-controlled agency responsible for monitoring, controlling and censoring Russian mass media. The agency is responsible for the recent crackdowns on digital bans of Facebook, Twitter, and YouTube. The two part dataset totals over 800 GB including files, emails, and information critical about their operations.

10 March 2022 – 08:35 UTC

GhostSec Hits Hundreds of Printers Across Russia

GhostSec reportedly hacks hundreds of printers across Russia to spread the message about realities in Ukraine. They tagged on to the announcement an obscure 4chan meme, “Hey Russia do you liek mudkipz?” on their Telegram channel. The stated they are targeting Russian government and military networks for the printer exploit.

9 March 2022 – 20:05 UTC

Pro-Russian Group, devilix-EU Joins Campaign Against Ukraine and the US

Late last week, a new Pro-Russian persona appeared on social media and began sharing pro-Russia propaganda, Pro-Trump rhetoric, and counter #opRussia Anonymous content. Over the last five days, they’ve ramped up their attacks claiming to have compromised AWS instances, Microsoft IIS sysstems, and performed BGP hijacking with mentions of several US-based IP addresses.

The group makes further claims that they’re named after their own custom ransomware, “DEVILIX shark.”

DEVILIX named as me is one of the strongest viruses on the world DEVILIX shark is ransomware which can do anything we can create BotNet. where we want. Just a Simple but it’s not.

They most recently shared their thoughts about the cyber war in Russian, declaring that this was not about Ukraine and Russia, but the US and NATO and their intent to keep Russia and Ukraine divided.

Я вижу, что речь идет о двух сторонах, России и Украине. Почему мы разделены из-за политики? Разве вы не видите, что здесь делает Запад и хочет, чтобы мы были разделены. НАТО избежало конфликтов, и теперь привет! Слава России

[Google Translate]

I see that we are talking about two sides, Russia and Ukraine. Why are we divided because of politics? Don’t you see what the West is doing here and wants us to be divided. NATO has avoided conflicts, and now hello! Glory to Russia

8 March 2022 – 21:05 UTC

Anonymous Hacks Hundreds of Russian Security Cameras, Many Affiliated with Russian Government Ministries

Hacktivists from the Anonymous Collective successfully tapped the security camera feeds of hundreds of retail businesses, restaurants, schools, and government installations across Russia. They setup a website to share the leaked camera feeds — all to discover some where critical security offices. Anonymous also defaced security camera displays with the message:

Putin is killing children
352 Ukrainian civilians dead
Russia lied to 200rf.com
Slava Ukraini! Hacked by Anonymous

8 March 2022 – 18:34 UTC

nb65 Group Claims to Have Acquired Kaspersky’s Source Code

After keeping quiet for several days, the group sent out mysterious posts across social media claiming to have accessed Kaspersky source code and found “interesting relationships” in this code.

They also claimed it was “sloppier than Putin’s invasion.”

7 March 2022 – 17:31 UTC

22nd Member of Notorious TrickBot Gang Doxxed

The pro-Ukrainian affiliate of the Trickbot cybercriminal empire has leaked the personal identity of 22 key members of the gang along with private chats between group members. Since the 4th of March, DarkOwl has seen the following aliases mentioned: baget, strix, fire, liam, mushroom, manuel, verto, weldon, zulas, naned, angelo, basil, hector, frog, core, rocco, allen, cypher, flip, dar, and gabr.

7 March 2022 – 13:01 UTC

Digital Cobra Gang Claims 49 “A-Groups” Led by Conti and Cobra Are Attacking America Cyberspace

The Pro-Russian group entered the campaign shortly after Anonymous started #opRussia (28 Feb) with the statement:

“DIGITAL COBRA GANG DCG has officially declared cyber war on hackers who attacking Russia as well and to protect justice”

They’ve given little indication of success, other than inflated claims they have acquired over 92Tb data from US’s military personnel files but no proof has been published.

Earlier today, they posted that members of Conti were helping and 49 “A-team” groups were hacking Amera.

(9 March 2022) – US AWS and Azure cloud platforms have experienced higher than normal traffic on the network but no major disruptions.

7 March 2022 – 06:44 UTC

RedBanditsRU Leaks Russian Electrical Grid Source Code Data

The pro-Russian group, originally assembled to counter-hack Anonymous and cyber actors targeting Russian organizations, posted today that they are leaking the source code Rosseti Centre’s [mrsk-1[.]ru] electrical grid networking infrastructure. Rosseti Centre provides reliable electricity for more than 13 million people in the subjects of the Central Federal District of the Russian Federation.

The group is sharing this information because they believe Putin and his supporters are “leading this country to an apocalypse state.”

DarkOwl warns security researchers opening these archives should always use isolated sandbox environments in the event there is malware and viruses included in the leak.

7 March 2022 – 04:55 UTC

AgainstTheWest (ATW) Returns to the Fight and Drops Multiple Leaks of Russian Corporate Data

In the last 24 hours, ATW dropped URLs for at least 7 leaks corresponding to various Russian technical companies and organizations, reportedly breached by the cybercriminal group. ATW’s participation in the campaign has been controversial as they have had multiple dramatic departures and returns to the campaign and reports of “health issues” of some of the team’s members.

Security researchers reviewing the information from dataleaks last week calls into question the veracity of the information ATW is sharing. Checkpoint released analysis stating that after, “checking their claims deeper reveals that for many of the claims there are no solid proofs apart of very generic screenshots that are allegedly from the breached organizations.”

(Update 7 March 2022 – 18:36 UTC) The group also posted to their Telegram channel that they had successfully breached a Russian cybersecurity company that has been “hording” US-based government data, exposure of multiple SonarQube instances and requested someone get in touch with them immediately. It’s unclear if this is legitimate or just further ego inflation.

6 March 2022

Free Civilian Tor Service Leaks Entire DIIA Contents

Recently, the administrator of Free Civilian shared a post on their Tor service containing the entire Ukraine’s DIIA database of users. They stated the buyer of the database consented to the release, with the understanding some records were deleted. The downloads consist of 60+ archives containing gigabytes of data. The download links have been unstable since DarkOwl discovered them.

The administrator also expressed desire to have the ban on their “Vaticano” Raid Forums account lifted, claiming this leak proved the legitimacy of the information they shared back in January.

Recently, screenshots of an indictment for the alleged seizure of Raid Forums on VeriSign has been in circulation, after users spoke of rifts between pro-Ukrainian users and Russian hackers, potential FBI seizures, and the alleged hijacking the alias of former admin Omnipotent on Darknet World. Prominent users from the forum have setup RF2 and advised any old working Raidforums links are likely phishing logins for the FBI.

6 March 2022 – 18:43 UTC

Anonymous Continues Information Warfare Against Russian Media; Video Services Wink and ivi Stream Anti-War Messaging

After Putin’s overt authoritarian take on media sharing the realities of the war in Ukraine, Anonymous managed to hack Russian video services Wink and ivi to stream pro-Ukrainian messages and video of the conflict.

This weekend, Putin’s parliament passed a “fake-news” law imposing prison sentences for media using the words “war” or “invasion” prompting numerous western outlets to pull their journalists and suspend operation.

6 March 2022 – 15:39 UTC

AnonGhost Enters Campaign and Claims SCADA Attacks Against Multiple Russian Infrastructure Targets

This weekend, AnonGhost entered Anonymous’ #opRussia campaign with a vengence, and claims today they have hacked multiple Russian infrastructure control systems via SCADA attacks and “shut it down.”

They list the following targets:

Волховский РПУ> Volkhov RPU
Бокситогорский РПУ> Boksitogorsk RPU
Лужский РПУ> Luga RPU
Сланцевский РПУ> Slantsevsky RPU
Тихвинский РПУ> Tikhvinsky RPU
Выборгское РПУ> Vyborg RPU

This is after they leaked data from 9 Russian commercial servers hours earlier.

azovkomeks[.]ru
vserver24[.]ru
dvpt[.]ru
ach[.]gov[.]ru
itmo[.]ru
vpmt[.]ru
pvlt[.]ru
hwcompany[.]ru
corbina[.]ru

DarkOwl is in the process of pulling in this data to review and assess the contents of all of the databases.

The AnonGhost group is reportedly one of the more senior anonymous hacktivist teams in the underground, with reporting of the group going back to the early 2010s. According to open-source reporting, AnonGhost was led by Mauritania Attacker. In an online interview with a hacker’s blog in 2013, Mauritania Attacker claimed to be a 25 year old male from Mauritania who started hacking at a young age by joining TeaMp0isoN and ZCompany Hacking Crew (ZHC), two hacking groups known for their attacks of high-profile targets such as NATO, NASA, the UN, and Facebook. (Source)

For those who remember Stuxnet, SCADA type attacks are controversial as there is a fine line between disruption and destruction. Services knocked offline but able to be restored is disruptive and inconvient, causing delays in operation and psychological concern over the safety of such services. However, disruptions that lead to destructive events, e.g. hard disks wiped and unrecoverable, de-railed trains, power plant overheating resulting in explosions, & satellites falling out of the sky are considered serious and may be interpreted as an act of war and result in severe retaliation.

Yesterday, Putin declared western sanctions an act of war and uttered similar threats about hacking satellites earlier this week.

6 March 2022 – 14:52 UTC

GhostSec Returns with Leaks from Russia’s Joint Institute for Nuclear Research (JINR) and Department of Information (DOI) FTP Server Data

Hours ago, an archive consisting of several gigabyte emerged from GhostSec reportedly containing information from Russia’s nuclear research and disinformation activities. GhostSec has been silent for most the last week, perhaps busy with this activity.

According to their website (jinr.ru), the Joint Institute for Nuclear Research is an international intergovernmental organization established through the Convention signed on 26 March 1956 by eleven founding States and registered with the United Nations on 1 February 1957.

As of time of writing, the public facing website is online.

6 March 2022 – 12:34 UTC

Anonymous Dumps Leak of 139 Million Russian Email Addresses

An archive of over 139 Million email addresses, broken up into 15 separate files with mail_ru at the beginning of each file, lists the email addresses for presumed account holders for mail_ru services. VK (VKontakte) assimilated mail.ru email services into its internet services conglomerate in the fall of 2021.

The files included two additional HTML files with ominous warnings – possibly shared on the servers from which these leaks were obtained.

[image translation]

Russian soldiers!
If you think that you are going to an exercise, in fact you are being sent to Ukraine to DIE.

DarkOwl has not determined the veracity of this data, nor confirmed how these emails were obtained; some combolists of this nature are created as an aggregation of other leaked data.

As of time of writing, mail.ru’s public facing website is still online and operational.

5 March 2022 – 20:41 UTC

Anonymous Targets Russian FSB; Letter Appears from Possible FSB Whistleblower

The Federal Security Service (FSB) of the Russian Federation [Федеральная служба безопасности (ФСБ)] is the principal security and intelligence agency of Russia and the main successor agency to the Soviet Union’s KGB.

Earlier today, Anonymous hacktivists targeted the FSB (at the direction of the IT Army Ukraine) and managed to take the external facing website offline. Rumors on social media and chatrooms suggested Anonymous managed to “breach” the FSB’s server.

Shortly after the announcement of the website’s offline status (e.g. #TangoDown) a deep web paste emerged containing a list of 62 subdomains for the fsb.ru domain. This could be for additional targeting and exploitation.

The stability and alliances of members of the FSB are in question by threat intelligence and security researchers across the community. Last night, an alleged FSB whistle-blower letter surfaced (via the founder of http://gulagu.net) that damned Russia’s military performance in Ukraine and predicted a disaster for the RU in the next weeks and months. An English translation of the letter has appeared in the deep web (excerpt below).

To be honest, the Pandora’s box is open – a real global horror will begin by the summer – global famine is inevitable (Russia and Ukraine were the main suppliers of grain in the world, this year’s harvest will be smaller, and logistical problems will bring the catastrophe to a peak point). I can’t tell you what guided those at the top when deciding on the operation, but now they are methodically lowering all the dogs on us (the Service).

We are scolded for analytics – this is very in my profile, so I will explain what is wrong. Recently, we have been increasingly pressed to customize reports to the requirements of management – I once touched on this topic. All these political consultants, politicians and their retinue, influence teams – all this created chaos. Strong. Most importantly, no one knew that there would be such a war, they hid it from everyone.

And here’s an example for you: you are asked (conditionally) to calculate the possibility of human rights protection in different conditions, including the attack of prisons by meteorites. You specify about meteorites, they tell you – this is so, reinsurance for calculations, nothing like this will happen. You understand that the report will be just for show, but you need to write in a victorious style so that there are no questions, they say, why do you have so many problems, did you really work badly. In general, a report is being written that when a meteorite falls, we have everything to eliminate the consequences, we are great, everything is fine.

And you concentrate on tasks that are real – we don’t have enough strength anyway. And then suddenly they really throw meteorites and expect that everything will be according to your analytics, which was written from the bulldozer.

That is why we have a total piz_ets – I don’t even want to pick another word.

5 March 2022 – 16:37 UTC

Anonymous Claims to Breach Yandex (Russia’s Mail and Search Service); Leaks Account Credentials

DarkOwl discovered two leaks shared through the Anonymous hacktivist collective network consisting of over 5.2 Million user accounts’ email addresses and password combinations. We are in the process of analyzing this data leak to determine the veracity of its contents. 1.1 Million Yandex accounts were previously dumped in 2014. Many hackers are using #opRussia to opportunistically claim clout for breaches that did not occur, when in reality they are circulating old previously dumped data and/or verifying accounts by credential stuffing.

5 March 2022 – 15:23 UTC

Paypal Suspends Service in Russia

Paypal announced on LinkedIn they would be halting its operations in Russia; a statement released days after suspending signing up new users on the payment platform on Tuesday. Dan Schulman, CEO wrote:

We remain steadfast in our commitment to bring our unique capabilities and resources to bear to support humanitarian relief to those suffering in Ukraine who desperately need assistance. We will also continue to care for each other as a global employee community during this difficult and consequential time.

On Wednesday, 3 March, the IT Army of Ukraine launched a petition calling for all supporters to sign a petition on change.org:

[TRANSLATION]

While Ukraine protects its people and places, and Russia faces the radical consequences of its war crimes, the most popular payment service via PayPal is still available to the aggressor. This means that it also helps finance the bloody war against Ukraine through PayPal.

We are absolutely sure that modern technologies are a powerful response to tanks, grads and missiles. We call on the company to block its services in Russia via PayPal and launch them in Ukraine, as well as provide an opportunity to raise funds to restore justice and peace in our country and the world.

5 March 2022 – 15:03 UTC

Anonymous Leaks Private RocketChat Conversations from Russian Government Officials

Anonymous is targeting Russia by any means possible and managed to collect private chats between Russian officials on the messaging service, rocket.chat. After review, these chats are different from the ones dropped by @contileaks last week.

The chat includes the network ID, username, and “real name” of 14 members of the chat group. The domain associated with the leak corresponds to the official website of the Russian government and the Governor of the Moscow region.

5 March 2022 – 06:04 UTC

squad303 Sets Up SMS Messaging System to Text Random Russian Citizen Phone Numbers

With the lack of Russian media coverage of the invasion of Ukraine and the intentional misinformation spread by Putin’s disinformation agencies, a pro-Ukraine hacktivist collective, known as squad303 setup an SMS messaging system for citizens around the globe to use to randomly text Russian citizens a scripted message about the nature of world events.

The squad303 team also setup an API for more advanced users.

Update: As of 8AM UTC, 6 March 2022, the service had been used to send over 2 Million texts Russian mobile phone numbers.

The team also reports of suffering from heavy DDoS attacks from pro-Russian cyber actors.

5 March 2022 – 02:34 UTC

Anonymous Hackers Claim to Have Accessed Communication Data for a Russian Military Satellite

After nb65’s reported success accessing Roscosmos earlier this week, it appears that members of the Anonymous collective under the campaign #opRussia have ventured into breaching the communications of Russian military satellite for data collection. The satellite – designated COSMOS 2492 (aka glonass132) is likely active in geospatial intelligence collection over Ukraine for Russia. (note: the original indication of the connection occurred 4 March 2022 @ 09:35 by Anonymous collective member, @shadow_xor.)

DarkOwl also uncovered a leak shared by LulzSec member @shadow_xor titled, “Leak_RUSAT_shadow_xor.zip” which contains significant geopositioning data since the satellite’s launch in 2014. The hacker stated they could not change the coordinates of the satellite, but did capture orbital, passage, and communications data.

Our original reporting on this suggested the hackers were Russian-based, but further analysis only indicated that a number of Russian-based hackers supported the attack on COSMOS 2492.

4 March 2022 – 18:16 UTC

Putin Officially Bans Facebook in Russia

In order to combat the information operations campaign against them online, Putin ordered for ISPs to block Facebook servers and websites across Russia. Security researchers also note an uptick in Russian trolls on social media with bot accounts promoting Putin’s military operations in Ukraine.

Putin’s parliament also passed a law imposing prison terms of up to 15 years for individuals spreading intentionally “fake news” about the military. The terms “invasion” and “war” are no longer allowed in press and media coverage.

Several foreign and Western media outlets, including BBC, CNN, and Bloomberg, have temporarily suspended reporting on the war from Russia.

4 March 2022 – 09:44 UTC

NB65 Teases Information Security Community with Riddles on their Activities

NB65 – the pro-Ukrainian group who claimed responsibility for accessing and shutting down Russia’s spy satellites via SCADA vulnerabilities – teased the information security community that they been quiet cause they were parsing and analyzing numerous vulnerabilities in Russian cyber targets.

If we seem quiet, it’s because we have an olympic sized swimming pool worth of data and vulnerabilities. But here’s some fun that you can participate in…

DarkOwl discovered a post matching the target hidden in the riddle and the content suggests the group has access to RUNNET: Russia’s UNiversity Network.

4 March 2022

IT Army of Ukraine Calls for Volunteers to Support the Internet Forces of Ukraine

Ukraine’s Ministry of Digital Transformation steps up its information warfare against Putin’s propaganda by forming the Internet Forces of Ukraine (ITU). Forming a separate Telegram channel at the start of the month, the channel is dedicated to posting instructions and guidance for citizens around the world that want to aid Ukraine and lack an IT/cybersecurity background.

Друзі, наш ворог, окрім наявної війни у наших містах та селах, веде також інформаційну війну. Не вірте фейкам, не вірте брехні пропаганди путіна – ніякої капітуляції України НЕ БУДЕ!!! У нас потужна армія, ми сильні духом і нас підтримує весь світ! Тому, не ведіться на провокації і вірте в Україну. Поширюйте це серед рідних та близьких у соціальних мережах, щоб вони також не велись на нісенітниці кремля. Ми разом і ми переможемо!!🇺🇦

Friends, our enemy, in addition to the existing war in our cities and villages, is also waging an information war. Do not believe fakes, do not believe the lies of Putin’s propaganda – there will be no capitulation of Ukraine!!! We have a powerful army, we are strong in spirit and we are supported by the whole world! Therefore, do not be fooled by provocations and believe in Ukraine. Spread this to your family and friends on social networks, so that they also do not fall for the Kremlin’s nonsense. We are together and we will win!! 🇺🇦

4 March 2022 – 01:46 UTC

Trickbot Gang Members Doxxed and Links to FSB Confirmed

At 15:00 UTC, before DarkOwl could even finish analyzing the ContiLeaks, a Ukrainian-aligned underground account leaked details of key members of the infamous TrickBot gang. Over the course of the day at a cadence of every 2 hours, dossiers for the individuals appeared on social media. Private chats between members of the gang were included with each of the leaks. 7 male members and their aliases identified: baget, fire, strix, mushroom, manuel, verto, and liam. Twitter has since suspended the account.

3 March 2022 – 20:54 UTC

Russian-Aligned Hackers Target Anonymous Hacktivists in Canada

A pro-Russian cyber group using the name Digital Cobras, claims to have been targeting #opRussia hackers from the Anonymous collective across the US, UK, Greece, and Canada. Earlier today, they posted several names of individuals along with pictures of some of the alleged members of Anonymous.

They also claimed to have “hacked Anonymous’ servers” and downloaded over 260gb of their files and tools. They also claimed to have full access of the administration of Tor Project, including their crypto accounts.

Anonymous does not possess servers or centrally locate their information or tools as it is an organic decentralized collective of hacktivists around the world. Similarly, the Tor Project is run by a network of volunteers.

It is very likely this group is designed to spread disinformation and FUD.

3 March 2022

Size of Zeronet Anonymous Network Increases Since Invasion

In the week since the Putin launched an invasion against the Ukrainian people, DarkOwl has noticed an increase of 385 Zeronet domains in the last week and a near 20% increase in the network’s activity. Zeronet has been historically most heavily used by Chinese threat actors. The trend in “new domain” activity appears to have started on or about February 27th, within hours after the IT Army of Ukraine rallied the underground.

The Tor Project has reported significant increases in the number of unique addresses on Tor on the same day.

3 March 2022 – 17:10 UTC

Anonymous Leaks Database Containing Bank Account Holders Information

bkdr – member of the Anonymous hacktivist collective – released an Excel spreadsheet containing the personal information of over 8,700 business bank account holders in Russia. Full names, passport, DoBs, account standing, etc are included in the file.

3 March 2022 – 15:40 UTC

Pro-Russian Cyber Team, Killnet Claims To Hack Vodafone Services in Ukraine

Killnet, a Pro-Russian organized threat actor has claimed they were successful in attacking Vodafone’s telecommunications services across Ukraine. The group shared links to the vodafone.ua website (as offline) and network graphs proving the website suffered an outage.

The group also claims to have attacked “Anonymous” networks directly, prompting criticism as the Anonymous hacktivist has no central severs or repositories.

[Google Translate]

Cellular communication services under the Vodafone trademark on the territory of Ukraine are provided by the partner of Vodafone Group plc, PRO “VF Ukraine”

⚠ OUR ATTACK WAS REPELLED [REFLECTED] AFTER 4 HOURS.

3 March 2022 – 05:22 UTC

Anonymous Breaches Private Server in Roscosmos and Defaces Website

v0g3lSec – member of the Anonymous hacktivist collective – claims to have infiltrated private servers at the Russian Space Agency, Roscosmos and exfiltrated files from their Luna-Glob moon exploration missions. The archive consists of over 700 MBs. Many of the files are drawings, executables, and technical documents dating back to 2011. A scientific review of the content would be needed to assess the value of the information collected.

In addition the website for the Space Research Institute (IKI) Russian Academy of Sciences (RAN) was also defaced by the same group.

3 March 2022 – 01:11 UTC

Anonymous Leaks Data from Rosatom, Russia’s State Atomic Energy Corporation

According to DarkOwl’s preliminary review of the 74 files, the leak appears to be a mixture of budget data, conference materials, powerpoint presentations, and technical files dating back to 2013. There is random mixture of information included that it is unclear whether this was obtained directly from a breach of the corporation’s servers, an employee at the organization, or collected via OSINT and compiled for use in #opRussia.

“There is no place for dictators in this world. You can’t touch the innocent, Putin. No secret is safe. State Atomic Energy Corporation Rosatom has been hacked!”

2 March 2022 – 19:55 UTC

ATW Quits Campaign – Cites Conflict with Anonymous, Attribution, and Twitter Suspension

Drama in the group started yesterday with AgainstTheWest claiming Anonymous was taking credit for their successes in the cyber war against Russia. They briefly turned their attention to China announcing several new victims, including the Chinese Science, Technology and Industry for National Defence organization. After their suspension from Twitter earlier today, they announced retirement claiming they had no means for communicating with the public. (Analysts note rebrand to BlueHornet occurred shortly after their announcement)

2 March 2022 – 19:09 UTC

Conti Leak Source Code, Panel, Builder, Decrypter Appear on Darknet Forum

Less than 48 hours after a pro-Ukrainian leaked the infrastructure of the CONTI gang’s operation, including botnet IP addresses and source code executables, users begin circulating the ransomware gang’s critical data across popular darknet forums and discussion boards.

2 March 2022 – 16:35 UTC

Leak Documents Surface Proving War Against Ukraine was Approved on 18 January

Anonymous hackers released photographs of captured documents from Russian troops titled, “WORKING MAP”, and authored by the commander of Russia’s Bomb Battery of the Black Sea Fleet. The maps and documents affirm to the public that the invasion of Ukraine was approved on January 18th with intention to seize the country sometime between 20 February and 06 March 2022. Liveuamap, under intermittent DDoS since this started, confirmed the data.

2 March 2022 – 13:52 UTC

XSS Admin Reports XMPP Jabber Service Ransomed and Heavy DDoS Attacks

A darknet forum popular with the Russian-speaking community has been experiencing technical issues, suffering from Jabber service outages and heavy DDoS attacks. The forum is well known in the darknet for malware discussions and coordination of attacks. The admin shared a post that the jabber service was hit with ransomware and the contents of the chats wiped from the services. They nonchalently suggested users register and continue using the service.

[Translated]

The server didn’t work yesterday. Because of ransom (which, by the way, is prohibited here) we were listed in a spamhouse. Instead of reporting the violation, the “brilliant” spamhouse immediately leafed through us. In principle, for many years I got used to their “adequacy”. I’m not surprised at anything. We have more than 21,000 users, and no one is able to check everyone. To do this, in fact, they came up with feedback contacts (xmpp, e-mail), they are listed everywhere.

Why, I wonder, they don’t block gmail.com ? So many, so to speak, violators of law and order use it, and nothing, for some reason they are not immediately listed.

In parallel with this, a powerful DDoS attack was conducted on us.

Our XMPP project is not commercial, completely free and subsidized. I’ve never understood the point of attacking toads.

At the moment, the functionality has been restored.

An unpleasant moment. Backups according to the law of meanness turned out to be broken. The last one alive was a week ago. Suddenly someone has lost contacts or a toad has disappeared, re-register.

2 March 2022 – 10:33 UTC

Leak Appears with Russian Air Force Officer’s Information

Anonymous leaked another database containing the personal information for over 300,000 of Russia’s military personnel and civilian citizens. The archive, titled “Translated Base Database” contains 35 separate database files containing personal details of the individuals. Information includes: full name, date of birth, age, passport number, address, occupation, etc.

1 March 2022 – 20:46 UTC

Russian Criminal Gang TheRedBanditsRU Recruits on Social Media – Offers Payments for Affiliates

The RedBandits openly recruit “affiliates for certain jobs” stating they did not want white hats, but that they want to “speak to exploit Devloplers, Spammers (phishing skills, vishing etc), Pentesters. We’re building an army!” They incentivize skilled hackers to join their cause for monetary gain, claiming partners would be paid well and to apply directly via qTox.

Earlier today, the group claimed that they did not agree with Putin as a leader nor of his invasion of Ukraine, but will protect him as a citizen of Russia.

“War is good for no one, come, take my hand, make money help your family”

1 March 2022 – 12:57 UTC

STORMOUS Ransomware Group Aligns With Russia

The STORMOUS ransomware group, which has been targeting international victims with their ransomware strain for months, claimed their alliance with the Russian government and threatens greater attacks against Ukraine.

The STORMOUS team has officially announced its support for the Russian governments. And if any party in different parts of the world decides to organize a cyber-attack or cyber-attacks against Russia, we will be in the right direction and will make all our efforts to abandon the supplication of the West, especially the infrastructure. Perhaps the hacking operation that our team carried out for the government of Ukraine and a Ukrainian airline was just a simple operation but what is coming will be bigger.

1 March 2022 – 09:26 UTC

Ukrainian Paper Leaks Personal Data for 120,000 Russian Military Personnel

In an effort to target the Russian soldiers invading Ukraine, the Centre for Defence Strategies in Ukraine has acquired the names and personal data of 120,000 servicemen who are fighting in Ukraine. Ukrainian newspaper, Ukrayinska Pravda has leaked the details of the soldiers which could be one of the biggest information warfare campaigns using doxing mid-military conflict, ever seen.

The doxxed soldiers are likely to face increased engagement on social media and direct phishing attacks.

1 Mar 2022 – 00:38 UTC

NB65 Takes on Russia’s Satellite Technology

nB65 claims that they successfully accessed Russia’s Roscosmos Space Agency and deleted the WS02, ‘rotated’ the credentials and shut down the server. They did not provide any leaks with the social media announcement.

The Russian Space Agency sure does love their satellite imaging. Better yet they sure do love their Vehicle Monitoring System.

Network Battalion isn’t going to give you the IP, that would be too easy, now wouldn’t it? Have a nice Monday fixing your spying tech. Glory to Ukraine.

28 February 2022 – 23:54 UTC

ATW Targets Russia’s Electrical Grid

AgainstTheWest Leaks Information from Russia’s PromEngineering corporation. Archives of corporate emails between employees, clients, vendors, as well as blueprints and engineering documentation for power stations around Russia are included in the leak.

28 February 2022 – 22:00 UTC

CONTI’s Entire Infrastructure Leaked

Does this signal the end of CONTI’s reign as leading RaaS?

Ukrainian aligned affiliate decides to destroy CONTI ransomware gang’s operation by exfiltrating and sharing 141 additional JSON data files of private Jabber chats from 2020, details of their server architecture, their sendmail phishing campaign data information, command and control botnet architecture, and ransomware executables (password protected). Analysis confirms that the gang uses BazarLoader backdoor for installing persistent malware on infected machines.

DarkOwl analysts also noted from leaked Jabber messages that RaaS affiliates were persistent at determining how to evade AV/EDR protection systems like Sophos and Carbon Black. Stating that they had setup sales calls and demos with Carbon Black and Sophos AV providers’ sales teams using proxy companies to gain more information, test the product and attempt to find specifics of the product’s AV/EDR bypass mechanisms.

This reminds us all the importance of vetting and verifying all commercial in-bounds for requests for demos and sales information, especially when it might present an opportunity to learn critical corporate intelligence.

The affiliate leaking the details wrote how this war against their people and Ukraine was breaking their heart.

My comments are coming from the bottom of my heart which is breaking over my dear Ukraine and my people. Looking of what is happening to it breaks my heart and sometimes my heart wants to scream.

28 February 2022 – 21:41 UTC

STORMOUS Ransomware Hits Ministry of Foreign Affairs of Ukraine

The Pro-Russian STORMOUS ransomware gang claims to have attacked Ukraine’s Ministry of Foreign Affairs, mfa.gov.ua using their custom ransomware. The group posts victims’ information on their Telegram channel, posting in both English and Arabic. The group stated the Ukraine government network “fragile” and called for DDoS attacks them.

Their network is fragile – their various data has been stolen and distributed according to their phone numbers, email, accounts and national card numbers with an internal network hacked and access to most essential files. This is with placing denial attacks on their main site !

28 February 2022 – 18:00 UTC

China’s Huawei Steps in to Assist Russia with ISP Network Instability

According to Chinese deep web forums, Huawei is reportedly building a mobile broadband in Russia to help with internet outages. As of 26 February, at least 50,000 technical experts will be trained in networking and securty in Russia’s R&D centers.

28 February 2022 – 12:00 UTC

Russian Gas Station Pumps Hacked

Video of disabled electric vehicle (EV) charging stations in Russia surface, displaying error status and the following warning:

”Putin is a dick”, “Glory to Ukraine”, ”Glory to our heroes”,” death to our enemies”

27 February 2022 – 23:06 UTC

Anonymous for Ukraine Leaks Customer Data from Sberbank Russia

While Anonymous leaked the files, the credit for the hack goes to Hacktivist group, Georgia Hackers Society. The two text files (bygng.txt & bankmatbygng.txt) appear to be personal data from the financial institution with the bankmat file containing 4,568 records.

27 February 2022 – 21:00 UTC

CONTI RaaS Suffers for Professing Their Allegiance to the Russian Federation

DarkOwl just discovered 393 JSON files containing private Jabber chats from the ransomware group since January 2021 leaked online. Many of CONTI’s affiliates were displeased with the group’s alliance with Russia.

27 February 2022 – 19:00 UTC

ATW Claims to Take Down CoomingProject Ransomware Group

AgainstTheWest assesses “CoomingProject are actually one of the dumbest “threat” groups online.” AgainstTheWest statement on Twitter:

“RIP CoomingProject. All data on them is being passed to relevant authorities in France.”

27 February 2022 – 16:54 UTC

Cyberpartisans Take Belarusian Railway’s Data-Processing Network Offline

The hacktivist group of cyber specialists located in Belarus managed to force the railway switches to manual control mode, to significantly slow down the movement of trains. The webservers for the railway’s domains (pass.rw.by, portal.rw.by, rw.by) are also offline.

The rail services are being essentially held hostage until Russian troops leave Belarus and there is peace in Ukraine.

27 February 2022 – 11:00 UTC

AgainstTheWest Ransomware Gang Enters the Campaign

AgainstTheWest (ATW) claims to have attacked Russia’s Department of Digital Development and Communications of the Administration of the Pskov Region with their own custom “wiper” malware. All data has been reportedly saved and deleted.

27 February 2022 – 09:00 UTC

Anonymous Attacks Russian Critical Infrastructure

Tvingo Telecom offers fiber-optic networking, internet and satellite services. Tvingo Telecom is a major provider to Russian clients.

27 February 2022 – 00:00 UTC

GhostSec Leaks More Data and Claims Attacks Against Belarusian Cybercriminals, GhostWriter

GhostSec is active in the Anonymous cyber war against Russia and released a sample of databases stolen from additional government and municipality sites across Russia (economy.gov.ru and sudak.rk.gov.ru).

They state on their Telegram channel they have been conducting attacks against “Russian hackers” and the “hacker group GhostWriter” (a.k.a. UNC1151).

26 February 2022 – 18:00 UTC

IT ARMY of Ukraine Now Active on Telegram

A Telegram Channel titled “IT ARMY of Ukraine” appeared earlier today to help coordinate cyber activities against Russia. The channel has already accumulated over 96K followers. Posts are shared in Ukrainian and English containing target server IP addresses and media for mass distribution on social media.

Videos of what events are really happening across Ukraine have appeared on intercepted Russian State Television channels.

В найближчу годину буде одне із найголовніших завдань!

26 February 2022 – 16:00 UTC

Anonymous Hackers Interrupt Russian State Television

Multiple reports across underground chatrooms suggest Russian television was allegedly briefly interrupted to play Ukrainian music and display national images. (Source)

Ukraine’s telecommunications’ agency also announced that Russia’s media regulator’s site was down as well.

26 February 2022 – 09:00 UTC

Russia Restricts Facebook and Twitter to Control Information

Open source internet monitoring reporting organizations discovered Twitter has been blocked by multiple ISPs across Russia. Ukraine’s government is regularly posting on social media to show the Russian people they are still fighting in the invasion. Cybercriminals and hacktivist campaigns also disrupt Russia’s information operations by calling out disinformation bots and taking critical communications sites offline. Twitter has reportedly blocked account registrations from IPs originating in the Russian Federation.

Russia’s state-controlled television station, RT, is still offline.

26 February 2022 – 01:00 UTC

Hackers Leak Data from Belarusian Weapons Manufacturer Tetraedr on the Darknet

Anonymous Liberland and the Pwn-Bär Hack Team announce the start of #OpCyberBullyPutin and leak a two-part archive (200GB total) of confidential employee correspondences from prominent defense contractor and radar manufacturer, Tetraedr in Belarus. The first part is the most recent 1,000 emails from each employee inbox, in .EML format. The second part is a complete archive of each inbox in .PST format.

The hacktivists stated they successfully attacked the company through an unpatched ProxyLogon security vulnerability.

25 February 2022 – 23:30 UTC

Russian Military Radio Frequencies Hijacked

Ukrainian radio frequency (RF) hackers intercepted Russian military numbers stations UVB-76, frequency 4625KHz, and trolled Russia communications by playing Swedish pop group Caramella Girls’ Caramelldansen on top of the radio waves.

The group also successfully intercepted frequencies utilized by Russian strategic bomber planes.

25 February 2022

CoomingProject Ransomware Group Announces Support for Russia

Another ransomware gang sides with Russia officially declaring war against anyone conducting cyber attacks against the Russian government on their Telegram channel.

“Hello everyone this is a message we will help the Russian government if cyber attacks and conduct against Russia”

25 February 2022 – 21:00 UTC

Russia’s Gasprom Energy Corporation Knocked Offline

Headquartered in St. Petersburg, Gasprom (ПАО “Газпром”) is the largest natural gas transmission company in Eastern Russia. The company is mostly owned by the Russian government even though the shares are traded publicly.

The Anonymous hacktivist collective, operating their campaign against Russia via the hashtag #OpRussia, has claimed responsibility.

25 February 2022 – 20:00 UTC

Anonymous Hackers Leak Database for Russia’s Ministry of Defense (MoD)

Russia’s gov.ru and mil.ru website server authentication data, including hundreds of government email addresses and credentials, surface on transient deep web paste sites and Telegram channels. Another leak consisting of 60,000 Russian government email addresses is also now in circulation.

GhostSec, also participating in Anonymous’s cyberwar against Russia, #OpRussia, claimed all subdomains for Russia’s military webservers were offline hours earlier as of 11:00 UTC.

Over around 100+ subdomains for the russian military were hosted on this IP (you may check DNSdumpster for validation) now all downed. In Support of the people in Ukraine WE STAND BY YOU!

25 February 2022

CONTI’s decision to side with Russia has dire consequences for the RaaS Gang

The ransomware-as-a-service (RaaS) gang CONTI (a.k.a. CONTI News) has officially sided with the Russian Federation against “Western warmongers” in the conflict.

Many of their affiliate partners are reportedly in disagreement – siding with Ukraine – which became evident once certain private chats were leaked on their internal affiliate platform on social media. It’s uncertain how these political divisions will impact the effectiveness of the ransomware gang’s campaigns. Conti revised their WARNING statement claiming they do “not ally with any government and we condemn the ongoing war.”

25 February 2022 – 16:30 UTC

Hundreds of Russian IP Addresses Appear on Deep Web for Targeting

Over 600 IP addresses correlating to key Russian web services emerge on transient paste sites and underground hacker forums. (Source DarkOwl Vision)

25 February 2022 – 05:00 UTC

Anonymous Threatens to Take Russian Industrial Control Systems Hostage

The hacker group known as Anonymous stepped up its participation in defending Ukrainians through its cyber war with Russia. In an ominous video posted to Twitter, the group called for UN to establish a “neutral security belt” between NATO and Russia to ease tensions. They elevated their influence by threatening to “take hostage industrial control systems” against Russia. Expect Us. We do not forgive. We do not forget.

“If tensions continue to worsen in Ukraine, then we can take hostage… industrial control systems.” Expect us. Operation #Russia Engaged

24 February 2022 – 19:00 UTC

Free Civilian Tor Service Announces 54 New Ukrainian Government Database Leaks

The administrator of the Free Civilian Tor Service – who DarkOwl analysts believe is the Raid Forums threat actor, Vaticano – updated their database leaks service, stating they had confidential data for dozens of Ukrainian government services. DarkOwl analyzed these databases closely and confirmed the threat actor likely exfiltrated the data in December 2021. (Source)

24 February 2022 – 17:00 UTC

Russia’s FSB Warns of Potential Attacks against Critical Infrastructure as a result of Ukraine Operations

The National Coordination Center for Computer Incidents (NCSCI) released an official statement warning citizens of Russia of imminent cyber attacks and for the country to brace for the disruption of important digital information resources and services in response to the on-going special military operation in Ukraine.

“Attacks can be aimed at disrupting the functioning of important information resources and services, causing reputational damage, including for political purposes” – NCSCI

24 February 2022 – 05:00 UTC

Cryptocurrency Markets Crash in Wake of Invasion

Bitcoin cryptocurrency fell below $35,000 USD for the first time since January in reaction to the Russian troops crossing over the Ukraine border. Ethereum fell more than 12% in the last 24 hours.

According to open-source reporting, the collective cryptocurrency market has plummeted over $150 billion dollars in value since the tensions began.

beginning of post

[DEVELOPING] Darknet Economy Surges Around Abortion Rights

Written by DarkOwl Content Team on July 1, 2022. Posted in Blog.

SCOTUS members credit card information continues to be doxxed

July 1, 2022

The recent doxxing of Supreme Justices – presumably in retribution for the Roe v Wade rulings – has spread widely across social media platforms, including Twitter, Instagram, TikTok, and more.

While all members of the Supreme Court have been doxxed to some degree in the past, this latest round of public information sharing contains Credit Card information for at least four Justices.

Many posts circulating on the darknet, deep web, and paste sites include other associated PII (as pictured above), which together form a comprehensive doxx of the targeted Justices that could be exploited for social engineering attacks, fraud and more.

SIEGEDSEC Targets Pro-Life State Governments

27 June 2022

Over the weekend cyber hacktivists enraged about the SCOTUS decision, decided to direct their anger towards their keyboards and targeted the networks of pro-life state governments, e.g. Kentucky and Arkansas. The group claimed to have accessed and exfiltrated several gigabytes of sensitive data, including employee PII from state government servers. The cyber threat group, SiegedSec, who we featured earlier this month, has been recently emboldened by their involvement in the Russia-Ukraine cyber war and stated on their Telegram channel, the attacks against Kentucky and Arkansas are just the beginning with planned continued attacks against pro-life organizations and states with anti-abortion regulations.

“THE ATTACKS WILL CONTINUE!” – SiegedSec

Source: Telegram

SCOTUS Overturns Roe v. Wade

24 June 2022

On Friday morning, the U.S. Supreme Court uploaded their controversial decision on the case titled, DOBBS, STATE HEALTH OFFICER OF THE MISSISSIPPI DEPARTMENT OF HEALTH, ET AL. v. JACKSON WOMEN’S HEALTH ORGANIZATION ET AL; a decision which effectively removed one’s constitutional right to an abortion as provided by the long-standing 1973 Roe v. Wade precedent. The decision sparked widespread protests around the country and conflicts between activists and law enforcement.

Original Report

21 June 2022

As a result of the recent political landscape regarding Roe v. Wade, our analysts reviewed the topic of abortion and observed a surge in darknet economies providing abortion medications and home kits on underground marketplaces.

Background and Political Context

The historical January 1973 Roe v. Wade decision by the U.S. Supreme Court, which legally protected one’s rights to an abortion at the Federal level, is on a precipitous demise in a radical shift in political power across the United States. In a draft majority opinion that was leaked out of the Supreme Court to Politico in early May, the conservative majority of the Supreme Court justices are very likely to overturn the landmark Roe v. Wade and a subsequent 1992 decision — Planned Parenthood v. Casey, with Justice ALITO stating, “Roe was egregiously wrong from the start.”

Figure 1: Source POLITICO

If the position of the draft opinion goes ahead as written – which some legal experts predict might be officially published as early as this week – federal protections for one’s right to an abortion will immediately end and the issue will be tossed back for decision at the individual state level. With recent extreme state-legislative decisions such as the Texas Heartbeat Act criminalizing abortions any time after six weeks of pregnancy, 23 states have some form of restrictive abortion-related legislation in place. 19 states have protected the right to abortion by codifying it into their state laws, Colorado and California have established themselves as “sanctuary states” for women’s reproductive health.

According to the American Pregnancy Association, an abortion is defined as the early termination of a pregnancy and is induced by a clinical surgical procedure or the administration of drugs to remove the embryo and placenta from the female’s uterus. Two drugs associated with the “chemical abortion pill regimen” are oral Mifepristone (Mifeprex) and Misoprostol (Cytotec) used in conjunction to stop the production of pregnancy related hormones and induce contractions of the uterus to expel the embryo.

Impacts Seen on the Darknet

Within a week of the Supreme Court’s leaked draft opinion, DarkOwl analysts observed a noticeable volume of information related to medical abortions materialize – including offers for chemical abortion drugs for sale across the darknet.

Chatter on darknet discussion forums and deep-web adjacent chat platforms foster creating an online community to support US-based individuals’ access to abortion, calling it the “Underground Abortion Railroad” to help connect women with abortion and transportation providers and avoid criminal prosecution.

One forum user identified themselves from Europe and offered to stock up on abortion medications and emergency contraception pills such as “Plan B” from their local pharmacies, offering to ship them at fair market price to those in the United States who cannot access them legally through non-darknet sites.

Another user in a popular darknet forum mentioned a reliable marketplace selling Misoprostol, described as “28 Pills 200MG Safe Home Abortion Method.” The vendor of the marketplace commented on the thread that they don’t actually sell the pills anymore because there were not enough buyers, but would be willing to change their position and offer them again if there was demand.

Monitors on the darknet marketplace suggested has yet to offer a “Safe Home Abortion Method Kit” as mentioned in the thread or abortion-related pills on their site. The same vendor also offers a variety of illegal drugs and narcotics as well, including Cocaine, Percocet, Xanax, weight loss treatments, and Freebase.

Figure 2: Source Dread Darknet Discussion Forum

DarkOwl continues to observe other sources of underground abortion services on offer in its Vision database with multiple advertisements for Misoprostol and Mifeprex, and access to (purportedly) safe abortion services. One supplier recommended those in need of abortion pills contact them via XMPP with OMEMO for a direct, private sale.

Another classified-style advertisement describes the at-home abortion treatment in detail and the medications used, with pricing, ranging from $7 to $16 USD for the abortion-related medications. Multiple forms of contact information was also included.

Other drugs offered for sale on the same classified-advertisement forum have been affiliated with scammers that have no intention of providing the services or goods on offer. Tragically, there is increased risk that darknet scammers will exploit the current political abortion issue in the US for financial gain like they did during the COVID-19 pandemic.

Drugs offered for sale on darknet marketplaces

Figure 3: Source DarkOwl Vision

Some darknet forum users point readers to “offshore pharmacy sites” where abortion-related medication could be purchased, mentioning a clinic taking online consultations in India among others. A quick OSINT search revealed numerous Surface Web domains offering abortion-related medications for purchase. How those sites will operate regarding shipping the drugs to customers in states who have banned abortions once Roe is overturned is yet to be determined.

Overall, opinions on the darknet about abortion are mixed with strong opinions on both sides of the issue. Members of right-wing aligned Telegram channels spin abortion as murder and celebrate the Supreme Court’s position.

Figure 4: Source DarkOwl Vision

While other users support less government over individual choices regardless and view the decision as a potential turning point for the loss of other individual rights.

“I do believe everyone should have a choice, it’s a sensitive topic, but I will stand on democracy, taking peoples choices away is not democracy.” – Dread User

Figure 5: Source DarkOwl Vision

A controversial pro-choice group, Ruth Sent Us (RSU), named after late liberal Justice Ruth Bader Ginsburg, recently admitted to publishing on social media the home addresses of Chief Justice John Roberts alongside five other conservative associate justices: Samuel Alito, Clarence Thomas, Neil Gorsuch, Brett Kavanaugh and Amy Coney Barrett. The group claimed the information was publicly available and never encouraged violence against any of the justices.

The release of such information has fueled on-going deep web forum debates about the topic with some stating such information releases violates 18 USC 1503, which “prohibits ‘endeavors to influence, intimidate or impede… officers of [the] court’.” Despite the online debate, a 26-year old man, Nicholas John Roske, likely relied on such leaked information to target Justice Kavanaugh last week. Roske was arrested for attempted murder after arriving at Kavanuagh’s home with a Glock 17 handgun, ammunition, a knife, zip ties, pepper spray, and duct tape, that he told police he planned to use to break into Kavanaugh’s house and kill him. Other left-leaning U.S. politicians have also been targeted in their homes since the draft opinion leaks with users on Telegram calling them “pro-abortion death cult democrats.”

Figure 6: Source Telegram

DarkOwl analysts have not yet observed abortion pills such as Mifepristone and Misoprostol widely available on principal decentralized darknet markets, but they are available for purchase via threads in discussion forums, as well as classified-style advertisements on transient paste services.

Closing Thoughts

Users across darknet forums have voiced interest in abortion-related pills and services following the leaked Supreme Court documents and advocate for organized protests in support of and against the potential ruling. Once the U.S. Supreme Court officially issues their ruling, we anticipate a more concerted response from darknet marketplaces in offers for abortion related drugs and services. The darknet will also continue to be a resource for activists to organize political protests and circulate sensitive information related to the abortion debate.

Irrespective of which side of the debate one stands, the darknet will continue to fuel the controversy both in support of and criticism of a woman’s right to abortion. In a world of increased digital surveillance and the fundamental privacy-centric nature of Tor and similar anonymous platforms, individuals will seek out like-minded communities on the darknet for social activism related to the topic. DarkOwl predicts an increased use of Tor to organize political protests and circulate sensitive information related to the abortion debate.

Curious about darknet marketplaces or something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.

DarkOwl Returns to The International Cybersecurity Forum

Written by DarkOwl Content Team on April 16, 2024. Posted in Blog.

April 16, 2023

At the end of March, DarkOwl participated in FIC, The International Cybersecurity Forum, in Lille, France for the second year in a row.

Now in its 16th year, FIC proudly asserts itself as the preeminent gathering in the realm of digital security and trust. Positioned as a cornerstone event in the European cybersecurity landscape, FIC distinguishes itself by fostering an inclusive environment that unites every facet of the cybersecurity ecosystem. From end consumers to service providers, law enforcement agencies to academic institutions and consultants, FIC’s scope encompasses them all.

With a dual mission, FIC addresses the operational hurdles of cybersecurity while also championing the development of a digital future aligned with European values and interests. This holistic approach ensures that attendees and sponsors gain comprehensive insights into the state of cybersecurity in Europe and have the opportunity to glean knowledge from industry luminaries.

At FIC, the over 20,000 attendees have unparalleled access to both end-users and providers of solutions and services, facilitating discussions on both tactical challenges and strategic imperatives in cybersecurity.

“Ready for AI?”

The theme of FIC 2023, was “Ready for AI?”. According to a recent report by Forbes, the artificial intelligence (AI) market is projected to reach $407 billion by 2027 and 64% of businesses expect AI to increase overall productivity.

To build relationships and trust, and share the value and essential need of darknet data for any cybersecurity posture, David Alley, CEO of DarkOwl FZE based in Dubai and Magnus Svärd, Director of Strategic Partnerships, based out of DarkOwl’s headquarters in Denver, CO, represented DarkOwl at FIC.

In addition to networking and conversations at the booth, top minds of the space have the platform to share thought leadership, innovations and the latest in the cyber security space. Speakers were present from all across Europe and the world: France, Switzerland, Luxembourg, Belgium, the United States, Netherlands, Germany, Spain, Canada, Singapore, Poland, Norway, Romania, Mexico, South Africa, China, Thailand, and more. Topics ranged from industrial infrastructure cybersecurity, quantum-resistant cryptography, identity security, international cybersecurity law, AI and counterterrorism, digital crime, social engineering, cybercrime trends, trust and safety in the cloud, and many more. Many of the presentations throughout the three days were not just thought leadership, but also practical presentations – showing the “how to.”

David and Magnus both expressed that they experienced “non-stop traffic” and kept busy on the show floor throughout the event meeting new prospects and showcasing our industry leading darknet platform, Vision UI, and meeting with several current clients and partners. With many current clients present, the DarkOwl team was able to spend time understanding how we can best optimize and elevate our current partnerships and how we can continue to provide the most value as their darknet data provider, focusing on continuing to build up our customer relationships and building trust. The DarkOwl team is confident there will be many follow ups and successful connections coming from our participation at FIC and looks forward attending The International Cybersecurity Forum in 2025.

DarkOwl looks forward to continuing their presence at several international events in the future. You can see what conferences we will be attending coming up and request time to chat with us here.

Tax Season Alert: How Cybercriminals Target Your Taxes and What You Can Do About It

Written by DarkOwl Content Team on April 15, 2024. Posted in Blog.

April 15, 2024

As the tax deadline fast approaches, it is important for us all to be aware of the risks that are posed to us by cyber criminals at this time of year. Whether it be identity theft from tax forms, targeting of tax filing providers, or fraudulent returns, there are a number of ways that the tax system can be exploited for criminal financial gain.

As we do each year, DarkOwl analysts have reviewed the activity of cyber criminals on the dark web and dark web adjacent sites and messaging platforms to highlight some of the activities cyber criminals are participating in.

Selling Tax Refund Methodologies

Fraudsters on the dark web will sell step by step guides on how to conduct specific types of identity fraud. The below advertisement from Telegram is soliciting users to contact an individual to buy a tax refund methodology that allegedly bypasses the ID.ME facial recognition verification method that has recently been implemented by the IRS as a fraud prevention method.

DarkOwl analysts have also noted several instances where the technology vendor, ID.ME, has been targeted on stealer log marketplace websites like 2Easy or Russian Market, which may allow threat actors to access accounts of users for fraudulent purposes, as stealer logs usually contain usernames, passwords and session cookies.

Another Telegram post claims to provide buyers with a guide to obtain a Federal Tax refund claiming to offer advice on what bank account you should cash out to and what method to use. They claim that a refund will be guaranteed.

Phishing Templates

ID.ME is commonly targeted across the darknet. DarkOwl analysts have observed fraudsters selling phishing admin panels for sites like ID.ME, PayPal, and USPS on Telegram as well, meaning that they are able to collect the data of unsuspecting victims who believe they are adding their credentials to a legitimate site. Access to these accounts could mean that a threat actor is able to steal someone’s identity whether that be for tax fraud or other types of financial fraud.

Selling Tax Forms

DarkOwl analysts identified threat actors on the popular carding forum 2crd and found an actor advertising counterfeit identification documents, and also included tax return information and common tax forms which could be used to impersonate an individual. It is unclear if these documents are fraudulent in nature or had been stolen from a legitimate owner.

Similar postings were found on another site, ProCRD, offering W2 forms with a 1040 and full info. These documents are being sold for as little as $10. These appear to be sold as part of Fullz, which is a term used by dark web actors to indicate they have the full information for an individual – this usually includes financial information and identity details to be used to conduct identity fraud or financial crime.

A post on a Telegram channel claimed to have W2 forms, tax returns, and pay stubs for sale as well as credit card numbers, Social Security numbers and other sensitive personal information used to conduct fraud. DarkOwl analysts note this advertisement relates to an automated Telegram bot where one can purchase these illicit items. Telegram bots are an effective way to sell illicit items on Telegram because it maintains a certain level of anonymity between the seller and end user.

Another Telegram advertisement was identified which sells similar products, but notes all of the sensitive documents being sold are from other countries like the UAE and European countries. This highlights that it is not just the US that is subject to this type of fraud.

A third similar example from Telegram is shown below. It is important to note, as shown in all of these examples that tax forms are typically sold with other identity fraud products like fullz, credit card numbers, etc. This allows the fraudsters to be more convincing in their fraudulent activities as they have more information which makes them appear legitimate.

The tax fraud community is considerable on Telegram, a search across DarkOwl’s dark web collection for the mention of “tax refund” on Telegram resulted in nearly 100,000 hits. However, Telegram fraudsters will typically also advertise across the darknet and deep web from sites like Royal or Russian Market to ProCRD or WWH Club – often moving to private messaging on Telegram for security.

Telegram is a major medium/vehicle for all types of identity fraud in 2024 because the platform allows for increased security, anonymity (between sellers and end users), as well as more efficient transactions through automated chat bots, rather than processing transactions directly on a .onion site. DarkOwl analysts therefore identify a large amount of this activity on Telegram but cross over from other dark web sites highlighting that similar communities are active on both.

Tax Filing Providers

Many individuals will use services in order to file their taxes, as it often removes some of the stress associated with tax season, and hopefully ensures that you maximize your return. However, these organizations are also targeted at this time of year.

A review of Stealer Logs collected by DarkOwl highlighted several instances in the last several months where credentials for these organizations were stolen. Allowing actors to access sensitive information and conduct fraudulent filings.

There are also Telegram channels which offer buyers the chance to obtain tax refunds through TurboTax.

Ransomware

Ransomware attacks continue to be prevalent in 2024, with many companies subject to attack, one group PLAY, like many other groups, post their victims details on their leak site as well as details about what information they have relating to them.

In almost all of the posts relating to their victims the group claim to have information relating to taxes, likely both the company taxes as well as employees’ details. Some of them also claim to have evidence of tax evasion.

If/when these details are released by the ransomware group that information can be used by other threat actors to conduct other types of fraud.

Conclusion

Tax season is just another thing that can be used by threat actors to commit fraud against individuals and companies. However, financial fraud can be committed at any time of the year and it is important to protect your personal information by practicing good cyber hygiene, do not reuse passwords, and be vigilant to phishing and malvertising campaigns.

Learn more about how DarkOwl can help your organization detect and investigate fraud by contacting us here.

Q1 2024: Product Updates and Highlights

Written by DarkOwl Content Team on April 11, 2024. Posted in Blog.

April 11, 2024

Read on for highlights from DarkOwl’s Product Team for Q1, including new exciting product features. The team is starting the new year off strong and looks forward to an exciting 2024!

Enhanced Forum Structuring

The team made upgrades to forum structuring within the platform, empowering users with unparalleled insights into darknet forums. This latest development enables users to navigate darknet conversations in a structured manner, presenting discussions in chronological order for accurate and effortless reconstruction. The upgraded search capabilities further empower users to pinpoint relevant information swiftly, facilitating comprehensive analysis.

Access to forum data in a structured format is particularly crucial for organizations seeking to bolster their cybersecurity defenses and proactively address emerging threats.

Figures 1 and 2 (left to right): Previous view of a thread versus new enhanced view

Last month, the DarkOwl Marketing team sat down with DarkOwl’s Director of Client Engagement, Caryn Farino and Product Manager, Josh Berman to learn more. You can read that interview here.

Access the Darknet Safely and Securely Directly from DarkOwl Vision

This quarter the team released “Direct to Darknet” within Vision UI in partnership with Authentic8, a leading provider of cloud-based secure browsing solutions. This feature allows users to further investigate Vision UI search results on forums, marketplaces, and other Onion sites. This can be helpful for an investigation to view the original website, view images or advertisements that may be on the sites, take a screenshot for reporting, and more. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet.

Figures 3 and 4 (left to right): Vision UI result and associated darknet result for guns in Miami

Context and Enrichments

The team has significantly increased context information for leaks, actors, ransomware, and has added features to make doing research easier than ever.

On the new Leak Explore page, customers can see information about our leak dataset and get information about an individual leak. Customers can look for a leak that we have in our system, see if it’s relevant to them, pivot to the filetree or original posting, and look at the underlying data. We highlight some of leaks we collected this quarter in the next section – all of the information highlighted below is taken directly from this feature.

Tox ID search and Compare features (Tools/CVEs) have been added to Actor Explore profiles. The compare feature on the Tools and CVEs page allows users to see commonalities between actor groups, including timelines and any commonalities between actor groups.

Site Context on Ransomware search results provide site names, relevant dates, cipher information, and pivoting options to Actor Explore or further research, all provided by the DarkOwl analyst team.
The DarkOwl analyst team has added several new Search Block translations in Arabic, Russian, and Chinese languages.

More Vision UI Updates

Multi-Factor Authentication login option for customers
Alert section enhancements to delete single alerts and display Category in the main table. This makes alerts easier to use and more functional. “Category” has been added as a new column on the Alerts page to more effectively use these tags to organize alerts. One way to use these tags is to classify alerts by organization or category such as “Credentials,” to view related alerts from multiple monitors together.

Collection Stats

This quarter showed tremendous growth in data collection. The team had 5% growth quarter over quarter in added Tor documents, 27% growth in I2P documents, 31% growth in ZeroNet documents, 15% growth in records from Telegram, to highlight a few.

Highlights

Chat platform collection continues to grow as darknet threat actors migrate to darknet adjacent sites. Currently, the platform has coverage of more than 22,000 channels across multiple chat platforms.

The team added 117 data leaks this quarter alone, many of which were requests from customers, which the team always prioritizes. A select few of those are highlighted in the next section – all gathered from the DarkOwl analyst team.

Actor Explore continues to grow – with a total of 307 actor profiles able to searched, compared, and researched within the platform.

Leaks of Interest Collected

As mentioned, the descriptions below are all available in our Leak Context product feature.

Naz.api

The naz.api leak was made available on BreachForums, on January 15, 2024. According to the post, it is a 35 GB collection of public URLs, usernames and passwords. The post also notes that it was originally on xkey.info but was taken down for allegedly not being the real naz.api leak. naz.api is one of the largest credential stuffing lists originally posted in September 9, 2023 by 0x64. According to that post, the database was created by extracting data from stealer logs, and contains over 1 billion unique records of saved logins and passwords in users’ browsers. The post also notes that the original naz.api dataset was donated to 0t.rocks. Infostealer logs are files produced when a trojan is installed on a system that collects information from the infected system. Depending on the infostealer malware, the extracted data can include system information and browser session data (including autofills, credentials, financial information, cookies, browser history, etc.). Some malware will also capture stored local files and install keylogging on the system to exfiltrate data outside of the browser sessions.

USA 500K SSN

Data purported to be of US Social Security numbers was posted on LeakBase, a hacking forum, on September 11, 2023. Data exposed includes full names, dates of birth, social security numbers, and physical addresses. Analyst Note: Three leaks with “500K SSN” included in the leak name were identified during a recent review, with each leak containing the same data format. These leaks may have been parsed from a larger historical leak and reposted in several parts. For this data leak, DarkOwl noted references to the same sample data dating back to December 2021, supporting this leak contains older content. Notwithstanding, given the presence of social security numbers, the recirculation of this data is of concern.

DC Health Link

Data purported to be from DC Health Link was posted on BreachForums, a hacking forum, on July 22, 2023. According to the post, this breach occurred in March 2023. Data exposed includes member names and IDs, policy information, social security numbers, full names, dates of birth, e-mail addresses, phone numbers, physical addresses, employment information, genders, medical records, and other personal identifiers such as ethnicity and citizenship status. Analyst Note: Review of the original post on Breach Forums on March 9, 2023, indicates the original leaker was thekilob. This is further supported by commentary in the Telegram Channel, BreachForums Chat, where they indicate thekilob was removed as a reference from the original post. Analyst Note 2: DC Health Link made a public statement about the breach on their website on March 14, 2023, detailing information about the breach.

AT&T

Data purported to be from AT&T was posted on BreachForums, a hacking forum, on March 17, 2024. According to the post, AT&T’s database was hacked by ShinyHunters in 2021 and contains 70 million lines. Data exposed includes names, e-mail addresses, phone numbers, physical addresses, social security numbers, and dates of birth. Analyst Note: According to the information provided in the post, in order to link the SSN and DOB for each record, one will need to grep and replace the encrypted values for these fields in the master file with unencrypted value of these fields provided in a separate file. Analyst Note 2: DarkOwl notes to replicate this connection in the raw indexed files, a search will need to be run using the encrypted value in quotes as the keyword to locate both documents in the leak (i.e. “1lpxFgIp7MlY” would result in both the document that contains the full record with the SSN encrypted value and the file which contains the decrypted SSN value). Analyst Note 3: A high level review of the data indicates the data is from customers in the United States. Analyst Note 4: Research in DarkOwl Vision indicates the data was initially posted for auction on August 22, 2021, for $80,000.

Curious how these features can make your job easier? Get in touch!

Israel and Hamas Conflict : A 6 Month Review

Written by DarkOwl Content Team on April 9, 2024. Posted in Blog.

April 09, 2024

A new Middle East conflict emerged on October 7, 2023, when Hamas launched an attack on Israel. It rages on to the present day, resulting in physical, digital, and hybrid events that threaten both Israel and Palestine and their borders with multiple surrounding countries. Regional stability is extremely low as actors supporting all sides of the conflict take stances and attack their self-defined opponents on the ground, at sea, and with cyber capabilities. Most recently, Hamas rejected an Israeli offer for a ceasefire on 25 March 2024, ensuring that this conflict continues for an undetermined amount of time.

In the past six months, some of the trending issues the world has witnessed include drastic upticks in maritime and ground-centered activity against Iranian-supported actors, such as the Houthis and Hezbollah. Air attacks and maritime incidents against the Houthis continue all over the Middle East region, impacting civilian vessels in various bodies of water and civilian shipping routes. Telegram remains a vital part of the conflict, with propaganda emerging from Iranian, Arabic, and Israeli Telegram channels, as well as sympathizers and opponents from all sides of the conflict taking a public stance and offering to attack on behalf of their beliefs. A sampling of these activities over the past six months since the start of the conflict is covered in this blog.

Telegram and Choosing Sides

As was previously mentioned and covered extensively in a previous blog, a trend that emerged almost immediately and continues six months later to today, was actors choosing sides in the conflict. No matter what side is supported, whether an entity is pro-Israel or pro-Hamas, supporters publicly emerge and then are targeted by opponents.

Figure 1: Killnet posting their intention to target the Israeli government on Telegram

Figure 2: Anonymous Sudan posting their intention to target the Israeli government on Telegram

Figure 3: The group Garuna Ops made a number of posts on Telegram in support of Israel and stated as well as attacking Palestine they would attack any other countries that supported them

The end of 2023 witnessed a few key events, ensuring the conflict would continue into the new year of 2024. The list below is not exhaustive, and is only meant to provide high-level examples:

Navitas Petroleum, based in Israel, was purportedly hit by BlackBasta ransomware (December, 2023)
- However, as of the time of this writing, Navitas had no entry on the BlackBasta ransomware victim blog. It is possible this event was fabricated, or that the impacted entity struck a deal of some kind with the BlackBasta actors to have their data removed from the ransomware website. Either way, the threat of malicious actors coming after an organization because of their country or other allegiance is a continuing trend.

Predatory Sparrow hacking group attacked 70% of Iranian gas stations (December, 2023):

Figure 4: Predatory Sparrow group publicizes their attack of Iranian fuel stations in December, 2023; Source: DarkOwl Vision

Iran issued a statement that the October 07 attack against Israel was in retaliation for the January 2020 assassination of IRGC commander Qassem Soleimani (December, 2023)
- Hamas leaders publicly rejected this claim.

In 2024, some incidents included (the list below is not exhaustive, and is only meant to provide high-level examples):

Anonymous Sudan claims to have hit Israel’s telecom company Pelephone (January, 2024):

Figure 5: Anonymous Sudan uses their Telegram channel to advertise the January 2024 attack against Israeli Telecom Pelephone; Source: DarkOwl Vision

Lulzsec group targeted Israeli red-rocket alert system:

Figure 6: Lulzsec hacking group advertises their mid-January 2024 efforts against the Israeli rocket alert system on Telegram

Anonymous Sudan claims to have hit Israel’s Bazan group:

Figure 7: Hacking collective Anonymous Sudan uses their Telegram channel to publicize an attack on Israeli Bazan Group in January, 2024; Source: DarkOwl Vision

Anonymous Sudan also claimed it conducted a cyberattack targeting “critical parts” of healthcare infrastructure in Israel, and adds “more than a thousand devices are completely disconnected.”
Terminator Security hacking group claims to have taken down Israeli Air Force servers.
As of mid-March 2024, Raytheon was again targeted, this time by the Anonymous group due to their supplying weapons to Israel. However, Raytheon and other US defense contractors are frequently targeted by Russian groups, such as this Snatch Ransomware group observation which also came in March 2024:

Figure 8: Snatch ransomware group details attacks against US government contractor Raytheon, which is frequently targeted due to its weapons supplied to Ukraine; Source: DarkOwl Vision

Maritime Activity

Underwater mining conducted by the Houthis and other attacks against maritime vessels continued as recently as mid-March, with this physical element of conflict having cyber implications:

Underwater sea telecom cables that transit approximately 17% of international data were damaged as maritime conflict continued in the Red Sea. Some media outlets blamed Houthi militants, while other experts state the cables were damaged by ships sinking and hitting them, as they are in shallow waters.

Maritime activity in the Red Sea also involved the United States conducting a cyberattack on an Iranian ship that had been gathering intelligence on cargo vessels in the region. This was intended to prevent the ship from sharing intelligence with Houthi members in Yemen, who have been frequently targeting civilian vessels. DarkOwl analysts have observed multiple platforms, including Discord, onion websites, and 8kun, sharing information regarding the hostile situation in the Red Sea:

Hybrid Incidents

Hybrid events, comprised of both digital and physical efforts to have a real-world impact, have also grown. In mid-February 2024, international media reported on an attempt to reroute an Israeli El Al airliner. The original flight path was from Bangkok, Thailand, and Tel Aviv, Israel. However, during the flight, the crew were provided with instructions that derailed them from their set route. These instructions were discarded, and the crew remained on their original flight path, once they contacted other air traffic controllers and compared flight data, and realized actors were trying to intentionally mislead them.

The incident occurred over Somali airspace, and Israeli sources revealed a certain frequency that was consistently trying to change flight paths, indicating a constant attempt to disrupt air activity. Using technology to attempt to derail a plane or any other means of transportation that carries humans who could be used as leverage in a geopolitical situation, or harmed, brings a new level of urgency towards vetting online information tied to any world event, especially a conflict.

Conclusion

As is confirmed by the events above, conflict these days has a new paradigm using technology to influence and increase physical air, ground, and maritime events, such as using a certain frequency to communicate with planes while trying to pull them from a planned, safe route. Global infrastructure such as underwater cables are either accidentally damaged by water mining or intentionally cut, in some cases, to interfere with regional internet access and connectivity. These physical threats to infrastructure and personnel are separate to the propaganda that is quickly spun and shared among all sides via messaging platforms and social media.

Malicious actors use technology to go after petroleum and water supplies, or even put services for human life, such as healthcare, at risk during geopolitical incidents. Even weapons supplies are in danger, as actors try to prevent weapons delivery or jeopardize the providers of the weapons. The technological component to conflict is here to stay, and actors will undoubtedly use any platform they feel is safe – Telegram, social media, or private messaging, or an online collection of supporters who can contribute to research, and disseminating propaganda to try and influence the public to see issues from a certain perspective.

Authentic8 and DarkOwl Forge Strategic Partnership to Revolutionize Cybersecurity Solutions

Written by DarkOwl Content Team on April 3, 2024. Posted in Press Releases.

April 03, 2024

Authentic8, a leading provider of cloud-based secure browsing solutions, and DarkOwl, the leader in darknet data, are proud to announce an innovative partnership that revolutionizes cybersecurity capabilities for organizations globally. This partnership showcases the power of product integration, leveraging DarkOwl’s unparalleled darknet intelligence alongside Authentic8’s secure browsing technology, Silo, to set new standards in threat detection and mitigation.

This partnership brings together the advanced technologies and expertise of both Authentic8 and DarkOwl to address the escalating challenges posed by cyber threats. By combining DarkOwl’s comprehensive darknet database and monitoring capabilities with Authentic8’s Silo cloud browser, which is known for its secure browsing environment, organizations will gain unprecedented visibility and protection against cyber threats surfacing on the darknet.

With this partnership, DarkOwl’s platform serves as the launch point for identifying darknet content and initiating investigations. Once identified, Silo enables full-page analysis for deeper research, providing full isolation from darknet cyber threats and anonymity from malicious actors. This capability enables organizations and government agencies to leverage DarkOwl’s data and Authentic8’s platform to uncover and investigate various threats, including cybercrime, ransomware, malware and other threats arising from the darknet.

“We are excited to partner with Authentic8 to empower organizations to stay ahead of evolving cyber threats,” said Mark Turnage, CEO of DarkOwl. “By combining our unmatched darknet intelligence capabilities with Authentic8’s secure browsing technology, we are enabling organizations to strengthen their defenses and safeguard their digital assets against sophisticated cyber adversaries.”

Ramesh Rajagopal, CEO of Authentic8 adds, “Investigative work in the Silo browser complements DarkOwl’s innovative intelligence solutions, enabling investigators to secure and streamline their dark web intelligence activities across both solutions.”

Together, Authentic8 and DarkOwl demonstrate their shared commitment to driving innovation and excellence in cybersecurity with this partnership. With this, they lead the industry in delivering cutting-edge solutions that address the evolving challenges in the cybersecurity space.

About Authentic8
Authentic8 are the creators of Silo for Research, a purpose-built solution for safely conducting open-source research on the surface, deep or dark web. The cloud-based, isolated browsing environment offers one-click access to Tor and in-region points of presence around the world. To learn more, visit www.authentic8.com.

About DarkOwl
DarkOwl uses machine learning and human analysts to collect automatically, continuously, and anonymously, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, visit www.darkowl.com.

DarkOwl Purchases Certain Assets of Skurio Ltd.

Written by DarkOwl Content Team on April 2, 2024. Posted in Press Releases.

April 02, 2024

DarkOwl LLC announced today that it has purchased certain assets of Skurio Ltd from the Administrators Keenan CF Ltd, effective March 22, 2024. These assets include certain customer information, source code, and other commercial material.

Mark Turnage, DarkOwl CEO commented that “the purchase of these Skurio assets will enhance DarkOwl’s market presence in the UK and Europe, and add optional new features to the DarkOwl product platform. Supplementing DarkOwl’s unique darknet capabilities with these Skurio improvements will enhance the depth and breadth of our market positioning.”

About DarkOwl
DarkOwl uses machine learning and human analysts to collect automatically, continuously, and anonymously index and rank darknet, deep web, and high-risk surface net data. This allows for comprehensive searching, monitoring and alerting of these sites, as well as layering analytical tools on the data for pattern mapping. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. For more information, visit www.darkowl.com.

Dodging Digital Deceptions: Unraveling the Web of Cyber Tricks This April Fools’ Day

Written by DarkOwl Content Team on April 1, 2024. Posted in Blog.

April 01, 2024

Disclaimer: This blog seeks to illuminate the practices used by threat actors that involve the nefarious application of artificial intelligence (AI) technologies. While the instances discussed herein do not imply that chatbots and similar tools are intrinsically hazardous, they serve to demonstrate the potential for their misuse by cybercriminals. None of the examples generated should be used.

Introduction

Cyberattacks are becoming more and more commonplace, with no one immune from attacks, whether it be corporations suffering from ransomware attacks or individuals falling victim to romance scams. But as people become more educated about the risks of cyberattacks and scams, cyber attackers must change their methods to ensure success.

Last April Fool’s Day, we looked how cyber actors trick us with phishing emails. This April Fool’s Day, we explore some of the ways that cyber actors could use new technology such as AI to fool their victims into allowing them access to their systems or finances.

Phishing

A phishing email is a deceptive email designed to trick the recipient into believing it’s from a trustworthy source, with the aim of stealing sensitive information, such as login credentials, financial details, or personal data. These emails often mimic the appearance and tone of official communications from well-known companies, banks, or government agencies. The emails will often request personal information, include suspicious links or attachments and generic information.

Most people these days are aware that they should not click on links in emails from people they don’t recognize and emails that appear to have spelling or grammar mistakes in them. But phishing emails are becoming more sophisticated, and AI can be used to generate emails that are more believable.

We asked an AI platform to write us an email:

This is the response we got:

This took seconds to generate and could be used to fool people.

Smishing

Smishing is a type of phishing scam conducted through SMS (Short Message Service) text messages. It involves sending deceptive text messages that aim to trick recipients into revealing personal information, clicking on malicious links, or performing actions that compromise their security. These messages often impersonate legitimate companies, organizations, or even acquaintances, creating a sense of urgency or fear to prompt immediate action from the victim.

Smishing campaigns are often used by threat actors to entice people as part of a romance scam or pretending to be customer support asking a user to share a password or click on a push notification. They can take many forms pretending to reward you with a prize or tell you that you missed a package delivery. They are becoming increasingly sophisticated and take many forms. Below we show a sample of these.

Social engineering is a manipulation technique that exploits people to gain unauthorized access to information, systems, or buildings. Unlike traditional hacking, which often relies on technical vulnerabilities, social engineering targets the human element of security systems. The goal is to trick or deceive people into doing what the attacker wants them to do, whether that be access to systems or obtaining financial reward.

Social engineering can take many forms, from generating a phishing email based on specific information found on social media to make it more targeted to the victim to creating fake social media profiles to target individuals whether on a dating app or networking app to entice people to communicate with them.

We had an AI tool generate us a dating profile:

But we also need a picture to go with the profile to make it more believable, so we asked AI to generate us one of those as well.

These prompts could be tailored in order to create a profile that is more likely to appeal to the desired victim. Research can be conducted, and all of that information can be inputted into an AI generator to create the perfect profile for the job.

Vishing

Vishing, short for “voice phishing,” is a form of social engineering attack where fraudsters use telephone services to scam individuals into disclosing sensitive personal information, such as bank account numbers, credit card details, personal identification numbers (PINs), and passwords. Unlike traditional phishing attacks, which typically occur through email or malicious websites, vishing specifically involves voice or telephone communication.

While threat actors previously had to conduct these calls themselves it is now possible to generate voices using AI. While it is difficult to use this for an actual conversation it can be used to create prompts of voicemails. Using AI, it is also possible to emulate someone’s voice meaning that you could receive a voicemail from someone who sounds just like your boss asking you to send funds or resent a password that sounds really believable. There have also been reported instances of people appearing on video conferencing calls where their image and voice have been manipulated to provide the message the threat actor wants to give.

Using AI, we are able create a voice message. You can select the type of voice you want to hear, the tone of the message, how to pronounce certain words and where to pause in the conversation. Leading to a believable message.

Conclusions

It is worth noting that most AI providers have tried to implement security features and guardrails to prevent threat actors from utilizing their platforms for nefarious purposes. However, systems can be jailbroken and threat actors are also able to use the technology to create their own LLM (large language model) to generate the kinds of responses that they want. There are already dark web AI tools that have been developed such as WormGPT and FraudGPT. AI does not create new scams or ways of working. As it does with all of us, it simply speeds up and improves the activities the prompter is seeking to conduct. In fact, some of the descriptions in this blog were generated using AI highlighting legitimate uses.

There are lots of ways that cyber criminals can trick us into providing information we don’t want to, falling for scams, providing funds or access to profiles. However, this is nothing new and we should continue to be vigilant in the same way we always have been, while understanding that as technology develops, cyber actors are also developing the tools and techniques they use to try and fool us.

Curious how DarkOwl can help with your use case? Contact Us!

Threat Intelligence RoundUp: March

Written by DarkOwl Content Team on April 1, 2024. Posted in Blog.

April 01, 2024

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. LockBit ransomware re-emerges after law enforcement takedown – The Hacker News

Proving resilient, LockBit ransomware came back into operation using new infrastructure just days after a global law enforcement operation took them offline. The actors debuted a new onion address and already had 12 new victims in their post-takedown operations. Additionally, the actors themselves authored a long note explaining what happened from their perspective. Read full article.

2. ALPHV/BlackCat ransomware group exit scams – The Hacker News

One of the most active ransomware groups of the past few years, ALPHV/BlackCat, shut down their onion site after their latest big victim, UnitedHealth’s Change Healthcare unit, purportedly paid their $22 million ransom. Actors believed to be a part of the gang engaged in conversation on Russian forum RAMP. Read article.

3. US government agencies are impersonated in business email compromise attacks – SC Media

US government agencies have been impersonated in business email compromise (BEC) attacks. The Department of Transportation, Department of Agriculture, and the Small Business Administration have all faced QR codes circulating in PDF documents. The QR codes send victims to phishing sites mimicking portals for the aforementioned agencies. All PDF’s had the same metadata, which indicated creation in Nigeria. Article here.

4. Iranian actors observed targeting aerospace and aviation industries in the Middle East – The Hacker News

Malicious Iranian cyber activity was observed targeting various industries using cloud infrastructure for their command and control (C2) along with social engineering tactics to deliver two backdoors named Minibike and Minibus. Targeting these industries allows for strategic information to be procured and sent back to the Iranian government. Article here.

5. Darknet marketplace Nemesis Market seized by German police – Bleeping Computer

German authorities, using intelligence from Lithuanian and American agencies and partners, captured infrastructure in both Germany and Lithuania, resulting in the take down of popular dark web Nemesis Market. Authorities seized $100,000 in cash as well as digital infrastructure that supported the illicit goods market. No information was provided regarding the status of the platform’s operators being arrested or contacted as of the time of this writing; DarkOwl will continue to monitor for updates. Read article.

6. Cybercrime gangs join forces to launch double extortion ransomware attacks – The Hacker News

GhostSec and Stormous ransomware groups have combined their operations to conduct ransomware attacks against technology, education, government, and many more verticals. Both groups are part of “The Five Families.” In August of 2023, cybercrime conglomerate SiegedSec announced the formation of “The Five Families” to attempt to offer structure to the digital criminal underground on August 28. They named ThreatSec, GhostSec, Stormous, Blackforums, and themselves as the five participants. Read full article.

7. China’s “Earth Krahang” infiltrates organizations throughout 45 countries – Bleeping Computer

Government organizations worldwide were the target of a two-year, Chinese state-sponsored campaign. Spear-phishing is employed to deploy backdoors while exposed internet-facing servers are also attacked, leading to a multi-pronged attack. The group uses open-sourced tools to build VPN servers and then brute-forces email accounts to procure passwords, focusing on compromised Outlook accounts. Article here.

8. Microsoft source code accessed by Russian actors Cozy Bear – CyberScoop

As of January 2024, Russian state-sponsored actors Cozy Bear (who are believed to be part of Russia’s SVR intelligence branch) accessed Microsoft source code and company systems. The actors were able to read the emails of senior Microsoft executives. While the exact nature of this infiltration is still under investigation, Microsoft offered that they do not believe customer-facing systems were accessed/impacted. Read full article here.

Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

[Webinar Transcription] Navigating the Cyber Landscape: Strategies and Capabilities of Iran, China, North Korea and Russia

Written by DarkOwl Content Team on March 28, 2024. Posted in Blog, Webinars.

March 28, 2024

Or, watch on YouTube

The government, along with Law Enforcement, is heavily impacted by ever-evolving technology and there is a multitude of malicious actors conducting espionage, stealing data, attempting to infiltrate, and shut down systems critical to everyday life.

These malicious actors with a proven state-sponsored tie are often called Advanced Persistent Threats (APTs). The digital realm is heavily involved in geopolitical conflict, and its role and that of adversarial actors must be explored.

In this session, we will dive into the big 4 cyber adversaries:

Explain how cyber experts are trained
Explore the use of front companies and technology to online activities
Examine ties to their governments
Cover common offensive and defensive capabilities
Glimpse into the possible future with AI used in operations

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.

Mark: My name is Mark Turnage, I’m the CEO and Co-Founder of DarkOwl and with me, I have Erin Brown, who’s our Director of Intelligence. We’re pleased that you joined us here this morning. I’m just going to make some introductory remarks, and we’re going to conduct this webinar as a sort of fireside chat between me and Erin and talk about four cyber countries – powerful cyber countries: Iran, North Korea, China, and Russia.

Just a couple of introductory remarks from me, we live in very interesting times. It’s a very famous Chinese curse and I think it’s fair to say that over the last several years, the world has become considerably more uncertain and more unstable. We have wars being waged in Ukraine, in the Middle East, we have a considerable amount of tension in East Asia, between China and Taiwan, and against that backdrop, there are a number of elections taking place this year around the world, including here in the United States, our presidential election. All that means that the cyber sphere has become even more important and more deserving of our attention as we think about that instability and how to better manage that instability. And against that background, four countries are continually mentioned: Iran, Russia, China, North Korea. Interestingly enough, two of those, China and Russia, are quite large countries and powerful in their own right. Two of them, North Korea and Iran, are cyber superpowers, in spite of being relatively small and in the case certainly of North Korea, having quite a small economy. So, we thought it would be useful to talk, to have a conversation about those four countries and talk about their cyber capabilities and how they use the cyber sphere, both for their own purposes and to sow instability and discord. So, with that, I’m going to just start asking Erin some questions.

What are the main cyber threats posed by these four countries?

Erin: There are a lot of different threats that they’re posing, and it really depends on what they’re trying to achieve. We see them conducting cyber espionage, we see intellectual property theft, attacks on infrastructure. It really depends on what their motivations are and they have many groups within their countries that are conducting these types of attacks – but most of them, all four of them, I would say, have a joint desire to advance their global influence. They all want to be the superpower of the world and they want to do that in both the digital and the physical world. We’re seeing that overlap, as you just mentioned in your introduction, as there’s more and more real-world conflicts happening. We’re seeing a huge cyber element to that. But then they do have their own distinct motivations as well in terms of what operations they’re conducting. North Korea, for example, we’ve seen them conducting a lot of attacks that lead to financial gain because they’re using those funds to finance other operations that they’re doing and things that they’re doing within the country. So, they all pose a huge amount of risk to both countries and organizations in terms of what they’re trying to achieve to advance their global power, basically.

And is it fair to say that of those four, North Korea is the most quote unquote, financially oriented in terms of their cyber activities? Or is the same true, say, of Russia?

I would say so. I think we know North Korea from a government perspective, is doing that financial motivation and gain. I think with Russia, especially and Iran, to a certain extent as well, we see that overlap and bleeding between who is the state-sanctioned, state-sponsored groups, and those actors that maybe the state is allowing them to operate. So obviously, you know, the ransomware gangs in Russia are making a huge amount of money off of corporations worldwide and there are suggestions that they’re at least allowed to conduct their activities by the Russian government. One could infer from that that the Russian government may be getting kickbacks from them and from that type of activity, but we don’t see necessarily the state-sponsored groups that are the military groups necessarily having that financial motivation and other countries. But Iran and Russia certainly have that criminal overlap.

Which brings us to the question of how these countries actually organize their cyber operations. You mentioned that some of them may or may not incorporate private actors in those operations, and others are more official. So, how do they organize their operations?

It’s quite a complex makeup across all the different countries and they all do it slightly differently. You do get those differences between what is state-sponsored, what is state-sanctioned, what is state-allowed. So, there are all of these distinctions within how you group them, but primarily, we see that the countries have military and civilian intelligence services. So, they’ll have military operators that are part of their armed forces that are going out and conducting these cyberattacks, and then you’ll also have intelligence agencies. So similar to how we have the CIA in the US, they have their equivalents that will also be conducting cyber operations on their behalf as well and depending on who’s conducting the attack, you’ll see different types of attacks and different victims as well in terms of what they’re trying to achieve.

But then we do also see civilians that are somewhat separated from the government being utilized. So, we do see a lot of front companies being used by these countries. This will be a seemingly legitimate company that is set up in country that has government backing behind it. That’s not necessarily obvious, so that they can have that air of conducting activity and not being linked to the government, even though they are. Then also we do see, as we just mentioned, with the financial motivation, we do see in especially North Korea, around countries that don’t have as much stability and financial security. We’ll see these actors that are doing a day job with the government and then in the evening, they’ll be using those skills that they’ve learned with the government to conduct cyber activities and criminal activities. So, it’s a murky infrastructure in terms of how these are set up but I would say is all of these countries do have set up groups and organizations that are there to conduct cyber espionage and cyberattacks on other countries.

Mark: This odd mixture of official and unofficial criminal gangs must make attribution really difficult when you’re looking at an activity, trying to attribute who the actor is who is behind the actual action.

Erin: Yeah, it’s incredibly difficult. And I would say it’s probably more difficult for people like ourselves that are outside of the government remit to identify that information because it’s very noisy in terms of what’s being conducted, who’s doing what attacks, and then things like the malware that they use. A lot of countries will use off the shelf malware, but lots of other groups use that as well. So, just because a malware is being used doesn’t mean that it’s attributed to one particular group. Even if that group invented it. For instance, Stuxnet is a good example of that – it was developed by the US and the Israelis, but it has been utilized far and wide by other nation-states, and by criminal actors since then. So, it’s really difficult to know who is conducting these activities and mistakes are made in terms of these attributions as well between different groups. Whenever we’re looking at this attribution, whenever we’re looking at this activity, the attacks that are happening, we’ll make assumptions about what we think that’s connected to you don’t really know unless you’re in those groups and being able to see that. So attribution is incredibly difficult and when we’re talking about APTs and we’re talking about nation-states, we’re talking about probably the most sophisticated cyber actors that are out there, that most of the time are trying very hard to obfuscate their activities and obfuscate who they are and who is conducting them. It’s a very tricky thing to be able to attribute that activity. So, one of the things I would say about it is it’s more about knowing what the techniques are than knowing who is doing it so that you can protect yourself from those techniques and those vulnerabilities within your organization. I guess some might say it doesn’t really matter who’s doing it when it comes down to attribution, it just matters that you stop it. So, it’s an interesting balance.

Mark: Yeah. Although, if you’re a foreign leader, say, the president of the United States, the Prime Minister of Great Britain, the President of France, and your country is in some fashion attacked by a cyber operator, attribution becomes important in terms of how you respond. So that’s a challenge I’m sure that many leaders face.

Let me switch gears a little bit and talk specifically about China. The Great Firewall of China – what’s the impact of that on both their capabilities and on the ability of outsiders to see what’s happening in China?

Erin: For those who don’t know, I’m sure most people do, but the Great Firewall is what we refer to as the operations that China put in place to silo their internet from the rest of the world. So, it means that most of their citizens aren’t able to access the internet in the same way that we do and they’re not allowed to access certain things. So, it means that the government can really lock down the messaging and the news that citizens are being able to access. And as part of that, they do also have their own apps and search engines and things like that. A lot of social media like Facebook and Instagram and WhatsApp can’t be accessed in China. Instead, they have WeChat and WeChen and Weibo and other ways that they’re, doing that. It always from the outside is seen as a way of controlling the citizens and the messaging that they’re getting and what they’re able to do, but it does also highlight the sophistication that the Chinese government have in terms of cyber activities, in terms of how they’re able to monitor their own citizens and lock down that information and how sophisticated their surveillance and censorship is. So, it really highlights some of the skills that they have. It’s the same cyber operators influencing the Great Firewall as conducting some of these attacks that are happening, and it shows how they want to have their world order and what some of their motivations are in terms of the cyber operations that they’re targeting.

It’s worth mentioning that they aren’t the only country that’s doing that. Russia has Runet – they are expanding and trying to lock down what their citizens are able to see. And Iran and North Korea have very similar methodologies in place. I would say with North Korea, we know even less about that, just because of the isolationist way that North Korea operates. It’s very hard to know how that functions but I think it just demonstrates the sophistication that they have and the abilities that they have of surveillance and censorship that they utilize outside of the firewall as well as inside it.

Mark: So, from an adversarial perspective, we’re in an environment where these four countries have unencumbered access to the world’s internet. It’s open. We’ve made it open deliberately, but we have very limited access, on a variable basis to their internal country networks and I would put, you would put China at the top of that at the top of that list.

Erin: Yeah, definitely. So, it’s very hard as analysts. Going back to that attribution point as well, to know what’s going on inside of that firewall because they’re locking down that information. What messages are they sharing? What is it that they’re putting out about adversaries when there is a campaign that is publicly reported or Chinese actors are indicted, which has happened several times? What is the messaging that they’re putting inside internally? And I think, with Russia, we’ve seen this with the Ukraine war and the messaging that they’ve put forward about Ukraine to their citizens in terms of “they’re saving the country, it’s not a war, it’s a defensive position,” like very different to what we’re seeing outside of, of that realm. So, it definitely impacts on that attribution and what we’re able to understand about what they’re doing. One thing I would mention, just as well, because we’re a dark web company, but this is one of the ways that Tor can be used in a very legitimate way. I think we tend to focus on the dark web being a bad thing for criminal activities, but it’s a way that a lot of citizens are in these countries that have lockdown internet, are able to access Western and outside media and this is the reason that a lot of social media companies will have mirrors on the dark web. X, formerly Twitter, has it, Facebook has it, some governments have websites on the dark web. So, people are able to access that information. It’s a useful way for people to be able to get that outside information as well.

Can you talk about some of the notable cyber campaigns that have been conducted by these four countries?

Sure. There are a lot, and as we’ve already covered attribution is tricky in terms of how we associate particular campaigns that we’re seeing to particular countries and the groups within them. China has had some very significant operations in recent years targeting a lot of countries in their region. We’ve seen them spying on Cambodia, the Philippines, South Korea, and they do this using phishing techniques to gain access. So, you know, they are using some of the same techniques that we’re seeing criminals using that we’re all warned about at our companies in terms of “don’t click on a link.” Those sophisticated users are using those methodologies as well and we have seen things like when they recently targeted Japan’s space agency and one of the things that China is well known for is targeting companies in stealing intellectual property, and then taking that information back and using it to develop their own technologies and issue patents on their technologies. So, that is a thing that they continue to do in terms of expanding their power and what they have access to. That’s something that we’ve seen China doing a lot of recently.

With Russia, probably the most significant one that is fairly recent was that they targeted Microsoft’s corporate systems. They targeted the executives and I believe the legal team and were able to access some emails and documents, and they did this again with fairly simple methodology. It was a password spray attack. So basically, they just took lots of different ways that people might use a password and put it across all of their systems. This really highlights why you need to have good password hygiene across your corporation, and governments everywhere because that is a way, not just with nation-states, but across the whole adversarial cyber field that we’re seeing people get access is through credentials. So, it’s a really important thing to identify. And then I think you can’t talk about Russia’s activities without mentioning the war in Ukraine, because there definitely is a cyber war going on as well as the on the ground war. One of the things we’ve seen fairly recently was they hacked into webcams in Kiev, so that they could look at what air defenses were being used in the city and they did that ahead of a missile attack. They wanted to see where their missiles would be defended and where they wouldn’t. That is a real-world example of how the cyber and the real world are linked together and they’re utilizing cyber tools to help them with military campaigns.

In terms of Iran, there is a group known as, Mint Sandstorm. So again, using phishing techniques, but social engineering as well. This is something we see a lot with Iranian actors – utilizing social media and fake social media accounts to lure people into giving them what they want. We saw them on a large recruitment and job networking sites that were creating these accounts, creating several levels of personas that knew each other to make them look as, as real as possible and then we’re using that to identify people that they wanted to target as part of the Israel-Gaza conflict. They were using this as an espionage dash intelligence gathering campaign. With these campaigns, it’s not just about disruptive action or getting access, sometimes it’s just understanding things that are going on to help them with other areas.

Then North Korea, again, is a trickier one just because of their isolationism and the groups that we see. Probably the most prominent group that’s been mentioned in recent years, and they have been around for a long time now is Lazarus. They have been involved in significant financial thefts as well as espionage. So, a lot of cryptocurrency, ransomware attacks, etc. They were responsible for the Sony hack way back when, I believe it was 2016, but as recently as this year, they’re still operating. They were seen conducting cyber espionage campaigns, targeting defense technologies, again creating fake social media profiles, and then deploying malware once they’ve got access to individuals. So, you know, there’s a range of activities that are going on and that very much is a high-level overview of some of the activities. There’s probably a lot more going on that we don’t know about, and a lot more going on that we do know about, but it hopefully gives you a sense of the types of campaigns that they’re conducting and also the variety of people that they’re targeting. I think you said earlier about governments obviously care about attribution, and they should, and their governments hopefully are better at attribution, but I think there’s an old world view that nation-states and spying and espionage is a thing between governments and these days with cyber, it just isn’t like everyone is vulnerable to attacks. Everyone has information worth stealing, so everyone has to be vigilant.

Mark: It’s notable that in your answer, in talking about the various cyber campaigns conducted by these countries that many, if not most of them, are using basic password access, phishing, social engineering, as opposed to, Zero-day exploits that they have access to on an exclusive basis. That’s quite notable.

Erin: Zero-day exploits are really hard to develop and they’re really expensive to develop. If you don’t need them, because you can get in by a weak link of a person clicking on a link or believing a phishing email, then then why waste your time and infrastructure? I would say they still definitely do utilize those Zero-day attacks and that is something that’s developed, especially Russia and China, but those are the ones that it’s harder to hear about, right? Those are the ones that they don’t want people to know what that capability is and who they’re targeting. And they would save that for their most important victims.

Mark: We, in the cyber security industry, live in evolving times. There’s a lot of changes in technologies and I would include in that, by the way, artificial intelligence, the rise of artificial intelligence. How does that affect how these four countries are both organizing themselves and conducting their cyber operations?

Erin: I think in the same way that the rest of us are, right, they’re still learning. They’re still coming to grips with these new technologies and how they can utilize them and how they’re going to work, but they definitely are. I think they definitely want to utilize them and there is a growing sophistication. We have seen particular countries trying to target AI companies. I think there was an article, a month or two ago about OpenAI reporting, I think it was 4 or 5 specific APT actors that they had kicked off of their site and they were using AI to do the things that a lot of other people are doing, like help them with their work, but also create phishing emails and ask it questions to do research for them about the capabilities that other countries and their victims have. So, we know that they’re using AI, we know that that’s happening.

There are also, I believe it was China, I’m trying to remember – it was either China or North Korea, but they’re actually investing in companies that are developing AI in certain areas of the world so that they can own that technology for themselves as well. What I would say with AI and those technologies is the US and Europe and the likes of OpenAI, oh, I can’t their name is escaping me. But, you know, the prominent AI providers at the moment, they are far and above, ahead of Russia, and China at the moment. But I was actually at a talk with someone from those companies a couple of weeks ago, and they were saying, we’re only a couple of months ahead and they are going to catch up, like it is going to happen. So, it’s something that everyone needs to be aware of and needs to be vigilant about. I think the takeaway point from that is that they are using it. They are keeping an eye on emerging technologies. They themselves as well have to constantly evolve to remain relevant and successful because people’s defense gets better all the time. So, you need to constantly evolve to get around those defenses and those ways of operating. It’s definitely something that they focus on.

Mark: You mentioned earlier, by the way we’re a darknet company and we cover the darknets, and we cover darknet adjacent sites. You mentioned earlier in one of your answers the use of the darknet by citizens in countries which are behind firewalls or where they have limited access to the outside internet. But how do the countries themselves use darknet and these other online platforms in their own operations?

Erin: Yeah, that’s a difficult one and it’s a bit murky. Again, going back to that attribution problem and especially on the dark web where everyone is trying to stay as anonymous as possible to know who is doing what. We know that they definitely do utilize it. We know that there are probably actors on there that are sowing disinformation and details on the dark web and sharing them. But, you know, one of the things that we’ve seen more in recent years and is a bit more obvious is hacktivist groups and criminal groups that are associated or in somewhat sanctioned by governments. So, we’ve seen this with Killnet in Russia and a handful of other groups that came out in support of Russia when the invasion of Ukraine happened, and they are very active on things like Telegram. They will say who they’re targeting. They will say why they’re targeting them. They’re often going after NATO participants. They will show evidence of defacements or DDoS attacks. So, they’re very vocal and they want people to know what they’re doing, and they do have those links or at least a nationalist fervor that is very clear. And we see that other groups linked to North Korea and Iran also have telegram channels and other channels that are very vocal. One of the interesting things that we’ve seen, though, that is less how they’re operating but gives us more insight into how they’re operating, is we have seen a lot of data leaks relating to some of these countries and their governments. Everyone’s falling victim to data leaks in recent years. It’s big business on the dark web – selling that data, but there’s been a huge increase in the last probably 6 to 9 months, especially for China in terms of government data being leaked. There was a huge leak of the Shanghai police late last year that was assessed to be one of the biggest breaches ever, data breaches ever, and it had a huge amount of information about their law enforcement, but also their tools that they were using to target their citizens. So, it gave security analysts insight into what they’re doing that the governments wouldn’t necessarily want them to have and there was another recent one as well on a GitHub repository. So slightly not the dark web, but where it was one of the front companies that was conducting cyberattacks on behalf of China. All of their information was released, and we’ve seen large scale releases of Russian data, Israeli data as well, talking about those conflicts. There is information like that and while we’re all looking at that dark web data and saying, oh, this is giving us insights into these countries that we don’t know as much about. You can believe that they are also doing the same. So, when there are leaks of US, UK, European data, those countries are definitely going to have individuals that are on those dark websites collecting that data and reviewing it as well.

What do we do about this? It’s not like these four countries are going to wake up tomorrow and become parliamentary democracies and decide to conform to rules of international law. So, what do we do? What do we do about this?

Erin: I think it’s points we’ve already mentioned. You just have to be vigilant, and you have to have as much security as possible. I think there’s education that needs to happen to people about how you should operate, as you said, like these phishing techniques, password spray attacks, things like that. They’re fairly simple and they’re things that we can educate people about and I think we’ve been too focused in recent years on; okay, people know that if you get a bad email that you shouldn’t click on it, hopefully most of the time, but we’re seeing more and more smishing attacks, so text messaging and with the advent of AI, you can develop someone’s voice and get them to say anything you want them to say. So, you can get like a voicemail from your boss telling you to send you money or to click on a link. Things are becoming way more sophisticated in terms of how attacks can be conducted and therefore, our education to people about how to combat those attacks needs to be more sophisticated and I think it’s just staying up to date with what these threat actors are doing and this isn’t just the nation-states, it’s across the board, like what tools and techniques are being utilized, and are your systems set up to protect against those vulnerabilities? So I think it’s trying to be as proactive as possible and not just reacting when attacks happen.

Interested in reading more on this topic? Check Out Our Research Report.

Ransomware RoundUp: 2023

Written by DarkOwl Content Team on March 26, 2024. Posted in Blog.

March 26, 2024

Ransomware continues to be a threat globally. While it is difficult to track complete ransomware statistics because criminals cannot be counted as a reputable reporting source, 2023 was the year that broke several records in ransomware according to what attacks were reported by both ransomware actor blog sites and publicly reported incidents.

According to the cyber threat intelligence industry and government metrics made publicly available, the United States remained the top targeted nation, with 55% of ransomware incidents targeting the country. In the majority of months, the number of monthly attacks soared, with November 2023 clocking in at 89 reported attacks, the record set for reported incidents within a month. But the number of incidents is not the only significant increase – ransomware data exfiltration rates exploded, with notable data exfiltration to China. Likely due to the increase in the use of the double extortion technique, payments also increased, with traceable payments exceeding one billion dollars for the first time. In this blog, we review the key ransomware trends of 2023 as well as the notable events.

2023 Ransomware Trends

Commonly observed ransomware trends throughout 2023 included:

Ransomware actors intentionally use two different ransomware variants in the same attack on the same victim, which often results in data destruction at various, close-together time periods.
- Double extortion, where threat actors demand a payment or threaten to release data, has been a trend for years; this new trend of a different ransomware variant entering an already-compromised network results in significantly more financial loss, reputational damage, data loss, and exfiltration, making recovery even more difficult.
Extortion increased
- Multiple layers of extortion, including triple and quadruple, became part of regular ransomware operations instead of only sporadically included in ransomware campaigns.
Encryption Decreased
- Intermittent encryption became more common than complete encryption to reduce the time needed for successful operations. Encryption is a time-consuming process. Partially encrypting data allows for less time needed in malicious operations, and less time for possibly exposing malicious actor presence in a network. By reducing the amount and frequency of encryption, actors can exfil data more quickly and then exit the network.
PII continues to appear on data leak and ransomware victim Leak sites, and a increase in other documents being shared has also been observed.
- Ransomware actors are increasingly targeting Critical Infrastructure/Key Resources (CI/KR) blueprints and documents to move towards damaging physical structures and sectors needed for everyday life services, such as water, power, electric, food supplies, and more.

Most Active Groups

LockBit ransomware gang were the top actors of 2023, with BlackCat/ALPHV coming in second as most active. The latter was temporarily taken offline by law enforcement operations in December 2023, while the former was also temporarily taken offline in February 2024. Both groups, however, came back online almost as quickly as they were removed, resuming operations under new infrastructure.

Summer of Ransomware

Originally observed in 2019, Cl0p ransomware gang began their use of the MOVEit vulnerability to target victims in May 2023, and continued this campaign all summer long. Also known as TA505, the ransomware group exploited SQL injection vulnerability CVE-2023-34362, the MOVEit transfer; MOVEit is used to manage file transfer operations in thousands of organizations. Cl0p’s use of this vulnerability impacted many big-name brands and firms and received a high level of media attention. One of the final estimates is that about 2,000 installations of the MOVEit vulnerability were installed impacting ~60 million individuals globally. Numbers will remain uncertain due to unreported incidents and entities trying to cover up the impact of a network intrusion (Figure 1). However, experts estimated that the group could receive $100 million in payments from exploiting this vulnerability.

Figure 1: Cl0p actors communicate with the public via one of their many messages on their leaks site, from summer 2023

ALPHV/Blackcat ransomware group were one of the most active ransomware groups throughout 2023. In September 2023 they claimed responsibility for the MGM cybersecurity incident that occurred through a post on their leak site. Down slot machines, non-functioning key cards, and more services were interrupted at MGM resorts and hotels nationwide. News articles broke Wednesday, 13 September, that ALPHV/Blackcat ransomware gang was responsible. On 14 September, new rumors emerged that “Scattered Spider” was also involved in the incident. Scattered Spider is assessed to be an English-speaking cybercrime group which is an affiliate of ALPHV. Additionally, Scattered Spider reportedly hit Caesars Entertainment on 7 September 2023. Caesars paid tens of millions to remain operational and did not experience an outage. Actors addressed the MGM outage on the ALPHV blog (Figure 2):

Figure 2: Actors discuss the summer 2023 MGM incident, for which Scattered Spider, an ALPHV affiliate, took responsibility; Source: DarkOwl Vision

Most Targeted Sectors

Healthcare

The healthcare sector was the most targeted sector of 2023. The healthcare industry is a valuable target, and in the words of cyber professionals is a “Target rich, security poor” industry, which is why some malicious actors so frequently target it. While some ransomware gangs swear off medical/healthcare industry entities, others actively go after this industry and view it as an easy target. Examples are not exhaustive and are only meant to provide a high level of observed trends:

Rhysida ransomware, a group that emerged in August 2023, targeted Prospect Medical Holdings (PMH) in early August 2023, and recently released the claim that they procured upwards of 500,000 corporate documents and patient information, including social security numbers.
- This incident established Rhysida as a serious ransomware gang, as this is a notable target and the data procured is quite sensitive.
AlphV/BlackCat ransomware attacked Henry Schein Healthcare for the second consecutive month. The first incident was in October 2023, and in November 2023, they remained a victim. Henry Schein declined to speak to reporters about the multiple incidents but did acknowledge (after each incident, and after each appearance on the ransomware blog) that they were working quickly to reestablish the customer-facing services which were impacted.
30 hospitals in the Ardent Health Services system were successfully targeted by a ransomware attack in November 2023 by an unknown group, resulting in all emergency services being redirected. While Ardent is headquartered in Tennessee, the impact has been felt throughout six states. Ardent Health issued a public statement about their “around the clock” efforts to restore services. For the initial three days after the incident, ambulances were re-routed to other providers and Ardent Health also advised patients to call their providers directly for any help. In January 2024, they began mailing letters directly to impacted patients.

The impact on healthcare as a whole was so large, CISA authored guidelines specifically for the health sector to improve cybersecurity practices and reduce the chances of becoming a victim.

Defense

While healthcare was the most targeted sector, the defense industrial base was not far behind as a ransomware target. Many large incidents involved governments as well as defense contractors who provide weapons and technology for world governments. As the Ukraine-Russia conflict continued, and then a new Middle East conflict emerged, in October 2023, the defense sector remains at an elevated risk for cyber-meddling and incidents. Examples are not exhaustive and are only meant to provide a high level of trends observed:

UK-based Zaun Ltd, which specializes in physical and perimeter security, revealed on 1 September 2023 they were a victim of LockBit ransomware.
LockBit further claimed to have infiltrated Boeing’s systems using a zero-day. Boeing appeared on the LockBit leak site at the end of October 2023, but they offered no proof of data or material belonging to Boeing.
Australia-based Austal USA, a shipbuilding company, revealed it was the victim of a cyberattack as of December 6, 2023. Austal USA itself is a subsidiary of Austal and has contracts and multiple programs working with the US Navy. Ransomware gang Hunters International group claimed responsibility for the incident.

Going Offline: Ransomware Operations that Shut Down Throughout 2023, Early 2024

Whether to preserve their operations and profits, or because law enforcement finally caught up to them, several high-profile ransomware groups went offline throughout 2023, and this trend continued into the first part of 2024 (Table 1):

	Date Observed Offline	LE Involvement?	Intentional Rebrand?	Sold Source Code?	Reestablished Operations?
Hive	Jan 2023	Y	N	Y	Y, as “Hunters Int’l“
Royal	Fall 2023	N	Y	Unconfirmed if code was sold, but the overlap between Royal and Black Suit is publicly documented	Y, as “Black Suit”
RansomedVC	Oct 2023	N	Y	Y	Y, as “Raznatovic“
Ragnar Locker	Oct 2023	Y	N	N	N
BlackByte	Dec 2023
ALPHV/BlackCat	Dec 2023	Y	N	N	Y
LockBit	Feb 2024	Y	N	N	Y
Knight	Feb 2024	N	N	Y	TBD, as the post selling the code has been taken down, but no purchase or rebranding has yet been announced.
ALPHV/BlackCat	Mar 2024	N	N	TBD, affiliates could have access to what infrastructure was used post law enforcement takedown. If they aren’t paid part of their profits, they could expose what information they have for profit, revenge, or both.	No, exit scammed.

In March 2024, ALPHV/BlackCat continued to make news when they shut down their onion site after their latest big victim, UnitedHealth’s Change Healthcare unit, purportedly paid their $22 million ransom (Figure 3):

Figure 3: ALPHV affiliates discuss the shutdown of BlackCat/ALPHV operations; Source: DarkOwl Vision

More of the groups who shut down of their own volition issued public statements or sentiment on various platforms (Figures 4 and 5). RansomedVC announced their source code sale on Telegram after pulling out of the project for “…personal reasons” while Knight ransomware group offered their source code for sale on RAMP forums:

Figure 4: Ransomed VC goes offline, sells source code via Telegram; Source: DarkOwl Vision

Figure 5: Knight ransomware source code is offered for sale on RAMP forum. The post remained available for under 24 hours, and then was taken down. It is unknown if the source code was purchased.

Newly Emerged: Ransomware Forums and Tactics

In October 2023, DarkOwl analysts identified a new darkweb ransomware forum when the admin of Ramp posted an in-depth advertisement and endorsement for Ransomed Forums. This forum advertises topics related to ransomware, such as RaaS offerings and more, advertised in Figures 6 and 7 below. DarkOwl analysts additionally identified Ransomed Forums chatter on other platforms has increased during the fall of 2023, so anticipation from the wider threat actor community is likely high as this forum gains users and momentum online.

Figures 6 and 7: Ransomed forums, a new ransomware focused online community, emerged in October 2023 and had an advertisement on similar forum Ramp.

New websites and forum offerings such as these will give alternatives to the traditional onion websites used to advertise victims as well as data for sale. Actors have espoused, on multiple platforms, that onion websites may no longer be safe, and that certain forums or online communities are better options for malicious operations. These include direct messaging platforms, such as Tox or Jabber (Figure 8).

Figure 8: An actor discusses not using onion websites for certain kinds of hacking activities; Source: DarkOwl Vision.

Figure 9: Actors discuss Tox being a safe chatting option on the DDW; Source: DarkOwl Vision

Copycat Operations

When the notorious ransomware group Conti ceased operations in 2022 and one of their disgruntled affiliates leaked internal documents and chats, the CTI community gained important insight into ransomware processes and operations. Their setup as a business with recruitment operations was confirmed; they had penetration testers and coders, as well as financial incentives for their employees.

In a similar vein, LockBit 3.0’s ransomware builder leaked in 2022 but 2023 was the year that cybercrime groups and threat actors alike put hundreds of new variants out using the builder. Variants were sold to other cybercriminals and used against multiple victims. This new version was more evasive, able to escape detection tools, than its predecessors. The CTI community noticed that it also shared overlap with BlackCat source code.

After these series of events, the community was able to take a few observed incidents and confirm them as trends moving forward:

Tox was confirmed as the preferred method of contact versus DDW forums, even the messaging options contained in those forums.
Ransomware actors appear to want to sell their ransomware operations to other actors for financial gain and are less willing to carry out operations themselves due to law enforcement actions and the possibility of unhappy affiliates leaking sensitive information or turning in the primary operators of ransomware.
Other groups reusing complete or partial source code of famous ransomware operations will likely continue. They can take source code and improve it on their own, adding language exceptions, tool evasion techniques, and more personalized instructions to improve speed and efficiency of ransomware campaigns instead of starting from scratch coding their own operations.

A new group, NATIONAL HAZARD AGENCY (NHA), debuted using a new kind of ransom note, a Tox ID and an email address (Figure 10). As National Hazard Agency continues to define their operations and TTPs, the community will inevitably monitor and learn more about preferred communication methods and platforms, and best operational practices for newly formed ransomware groups who have ties to older groups no longer operating:

Figure 10: Purported aliases of a LockBit ransomware actor are discussed online, as are the links between LockBit and newly formed National Hazard Agency; Source: DarkOwl Vision

Conclusion

While 2023 witnessed several high-profile ransomware gangs shutdown operations, the context and intelligence gained from these events better informs future possibilities and trends surrounding ransomware activities. Based on observed conversations on DDW forums and DDW adjacent chat platforms such as Telegram, the criminal underground wants to continue to capitalize on the fear caused by ransomware. Actors know that financial opportunities abound by going after large companies and organizations, and they are especially encouraged by large payments. Furthermore, geopolitical conflicts allow hacktivist groups to choose sides and further their beliefs and values by targeting their opponents; so, ransomware leads to both fruitful financial opportunities as well as fame and attention for hacktivism.

After reviewing online discussions and exchanges between malicious cyber actors, analysts expect continued reuse and repurposing of ransomware source code from older groups that is purchased or stolen, with actors making their own tweaks to said code to both personalize and capitalize on their operations and campaigns. On platforms such as Telegram, actors have been openly discussing reuse of groups’ source code who are no longer active, the pricing that this code should have, and generally sharing ideas about gaining entry to desired sectors such as healthcare, tech, and supply chains of weapons providers as well as the global defense industrial base.

Ransomware remains an efficient criminal operation yielding high profits. Even with increased disruption of ransomware groups, throughout 2023 and into 2024, the criminal actors stay informed and move infrastructure to protect their profits and operations. Critical infrastructure, academic, technology, and government sectors must all raise awareness and assist in protection from ongoing ransomware campaigns. With the advent of AI, ransomware operations will become even more robust due to the automation of spear phishing templates and emails being able to reach several thousand, versus several hundred, of possible entry points into organizations. Continuous monitoring allows for identifying events like ransomware attacks earlier. By detecting your brand, employee name, intellectual property, or other material on a leak site before the actors auction it off to the highest bidder or make it publicly available, you can reduce the reputational damage and avoid the degradation of trust that occurs during cyber incidents.

DarkOwl Vision allows organizations to monitor these ransomware groups on the darknet, to identify more information about their tactics, techniques, and procedures and the sectors they are targeting. DarkOwl analysts continuously monitor the darknet to identify emerging new groups and who the most recent victims are to best track and predict potential attacks.