Spotlight on the Russian Underground Infrastructure

The media is in an uproar at present, reporting on one cyber incident after another. Adobe, Target, Neiman Marcus, Home Depot, JP Morgan: these breaches are just the tip of the iceberg in the cybercrime arena. The Russian underground forums serve as fertile ground for planning cybercrime-motivated breaches worldwide: programming the malicious software, distributing it, sharing knowledge about the most profitable ways to use it, and selling the stolen data (credentials and the like). Let us take a deeper look at the internal structure of these forums and the norms of behavior there.

Registration

While many forums have free registration, others require payment (cybercriminals never miss an opportunity to profit). Some of the forums that ask for registration fees contain no useful information, and the fee is merely a farce, while for others the fee is a means to keep poor or noob hackers away from the “big guy discussions.” Some forums ask candidates to fill out a detailed registration form stating their exact capabilities and the programming languages they know, while others go one step further and send hacking tasks to applicants, demanding proof of their professional level. Many forums have strict policies for filtering registrants, and very few people are accepted.

Registration page in one of the underground forums

Communication

When it comes to direct contact between seller and buyer, the first choice is the Jabber (XMPP) messenger. Sometimes one of the sides will request OTR (Off-the-Record) for the Jabber session, a protocol that adds end-to-end encryption, forward secrecy and deniability to the conversation. Exchanging private messages (PM) through each forum’s own mailbox is another popular channel. Users wishing to connect via Jabber are sometimes asked to authenticate themselves via private message beforehand, which indicates the high level of concern over confidentiality and impersonation.

ICQ is also used, although it is not very common and is perceived as a communication method for less experienced hackers.

Payment

On the underground, you will not see payment methods that tie a real identity to the transaction. No credit cards, PayPal accounts or bank transfers are accepted; only virtual currencies are used. BTC (Bitcoin) is rather popular, as are PM (Perfect Money), LTC (Litecoin), WM (WebMoney) and other virtual currencies. Note that Bitcoin is pseudonymous rather than anonymous: every transaction is recorded on a public ledger that can be analyzed.

Escrow System

Most of the forums maintain a well-established system of escrow services provided by an official forum member appointed by the administrator. In exchange for a reward, usually a percentage of the transaction value, he mediates between the buyer and the seller, keeping the money until the goods are supplied. He also checks that the product offered matches its description.

Reputation Score

The reputation of the members is one of the pillars of Russian underground forums. Although each forum has its own scoring system, all share a common principle: forum members rate each other based on the threads they post. For instance, by providing useful advice or uploading malware, the author receives more points. Other reputation boosters are the number of posts and seniority on the forum, which define the status of the user: beginner, intermediate, specialist, etc. Certain threads are available only to members with a minimum number of posts.

Furthermore, some forums ask for monetary deposits that are displayed next to the user’s name, indicating his reliability. If a monetary conflict arises, the sales thread will often be suspended until the issue is clarified. If no solution is found, the seller is marked as a “ripper,” losing the chance to sell anything ever again on the forum unless he changes his nickname.

Member's profile in one of the underground forums

Gods, Monsters and Pandas – Threats Lurking in the Cyber Realm

With new viruses constantly being developed and new groups forming all the time, hackers have to be creative to come up with original names that distinguish their tools or groups from the rest. While some names are rather trite and corny, others are more amusing and curious. Generally speaking, the names fall under one of about ten categories; the following are some elaborations on specific names:

Torshammer666: Thor’s hammer, or Mjölnir in Norse mythology, is depicted as one of the most powerful weapons, forged by the skillful hands of the dwarves. However, it seems that one Nordic god was not enough for this specific hacker, so he walked the extra mile and added the ominous number 666 to the tool name, to create an intimidating effect stemming from the thought of a Nordic-Satanic-almighty-weapon.

Fallaga: The famous Tunisian hacker group Fallaga is named after the anti-colonial movement that fought for the independence of Tunisia (there were also Fallaga warriors in Algeria). The character in the group’s logo resembles the original Fallaga fighters.

熊猫烧香 (Panda Burning Incense) – Everybody loves those adorable, chubby, harmless bears called pandas! They are native to China and serve as its national animal and mascot. As such, it is no wonder that panda-themed characters and cartoons figure extensively in China in various contexts, often symbolically representing China internationally. And now the pandas have even invaded the virus realm! In 2006-2007 the 熊猫烧香 virus infected millions of computers throughout China and led to the first-ever arrests in the country on virus-spreading charges. The ultimate goal of the virus was to install password-stealing Trojans, but it was its manifestation on the victim’s device that attracted a lot of attention: the virus replaced the icons of all infected files with a cute image of a panda holding three incense sticks in its hands, hence the name “Panda Burning Incense.”

Bozok (Turkish) – It may refer to one of the two branches (along with Üçok) in Turkish and Turkic legendary history from which three sons of Oghuz Khan (Günhan, Ayhan, and Yıldızhan) and their 12 clans are traced (from Wikipedia.)

推杆熊猫 (Putter Panda, putter=golf stick) – Another Panda-themed name. It is widely recognized that golf is the sport of white collar professionals, usually those on the upper end of the salary ladder. That is why, when these prominent figures travel abroad to a convention or on a business trip (and engage in semi-business/semi-pleasure golf activities), they are sometimes subjected to sophisticated hacker attacks, usually initiated by their host country, as suspected in the case of Putter Panda and its ties with the Chinese government.

As you read these lines, more tools are being written, and we can expect to continue to see more intriguing names. The Chinese idiom 卧虎藏龙 (literally: “crouching tiger, hidden dragon”), which was the inspiration for the successful namesake movie, nowadays actually means “hidden, undiscovered talents.” Maybe it is time the gifted tigers and dragons of the hacker community climbed out of their dark caves, stopped performing illegal activities, and put their pooled talents (be they computing or copywriting) to good use?


Malware is Coming to the Trusted Software Near to You – Trade in Code Signing Certificates is on the Rise on the Russian Underground

Written by Tanya Koyfman

Instead of spending days and nights coding, crypting and modifying malware to avoid AV detection, the underground market offers to sign it with a digital certificate issued to a legitimate entity.

While monitoring our Russian-speaking sources, we identified a Russian forum member offering code signing certificates issued by one of the largest CAs for sale.

The forum thread was opened on a Russian password-protected forum that serves as an illegal platform for cybercrime related discussions. On the forum, one can find sales of financial malware, stolen databases and exploits, as well as technical discussions regarding hacking and programming.

The post about the sale of certificates was initially published two months ago, and the topic is still updated regularly. In the first message, the post author offered one certificate for sale for almost $1,000. According to the seller, the certificate can be used to sign .exe files. Forum members interested in purchasing are asked to connect via Jabber (an instant messaging service based on the XMPP protocol, highly popular among Russian cybercriminals).

The next day, the author published another post claiming that the certificate had been sold. He said that he could obtain 1-2 certificates per week, and that if there was demand he could also obtain driver signing certificates.

The thread also included feedback from buyers, who testified that the certificates were useful in avoiding AV detection, but only for a targeted infection. In the case of mass distribution of malware, the certificate would be revoked within days.

During the forum discussion, the seller mentioned that signing an .exe file with a certificate helped it evade all AV proactive detection mechanisms except one. He also clarified that the certificates could be used for .exe, .dll, .jar and .doc files, but not for .sys files (drivers).
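As an added example (not code from the forum post, the seller or the original article), the following Python script shows what a stolen code signing certificate actually attaches to a binary and what an analyst can do with it offline: it locates the embedded Authenticode blob through the PE security directory and computes the Authenticode digest, which by design skips the signature, the CheckSum field and the directory entry. That digest is useful for triage because two copies of the same malware signed with different stolen certificates produce the same value. The sample PE images are constructed by build_sample_pe and carry a placeholder instead of a real PKCS#7 structure; the digest routine is a simplified form of the specification that assumes sections are stored in file order and that the certificate table is the last thing in the file.

```python
"""Locate and strip an embedded Authenticode signature in a PE file (added example)."""
import hashlib
import struct
from typing import Dict, Optional

SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def pe_signature_layout(data: bytes) -> Dict[str, int]:
    """Return the file offsets needed to find and exclude the signature."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                   # skip 'PE\0\0' and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32: data directories start at offset 96
        dirs = opt + 96
    elif magic == 0x20B:                      # PE32+: data directories start at offset 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_dir = dirs + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)
    return {
        "checksum_off": opt + 64,             # CheckSum sits at +64 in both PE32 and PE32+
        "security_dir_off": sec_dir,
        "cert_table_off": cert_off,           # a raw file offset, not an RVA
        "cert_table_size": cert_size,
    }


def embedded_certificate(data: bytes) -> Optional[Dict[str, object]]:
    """Parse the WIN_CERTIFICATE header; None when the file carries no signature."""
    lay = pe_signature_layout(data)
    off, size = lay["cert_table_off"], lay["cert_table_size"]
    if off == 0 or size == 0:
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    if length > size or off + length > len(data):
        raise ValueError("certificate table runs past the end of the file")
    return {
        "revision": revision,
        "type": cert_type,
        "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "pkcs7": data[off + 8:off + length],  # the DER SignedData blob, for offline checking
    }


def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Hash the bytes an Authenticode signature covers (simplified layout)."""
    lay = pe_signature_layout(data)
    cs, sd = lay["checksum_off"], lay["security_dir_off"]
    h = hashlib.new(algo)
    h.update(data[:cs])                       # everything up to CheckSum
    h.update(data[cs + 4:sd])                 # CheckSum skipped, up to the security directory entry
    if lay["cert_table_off"]:
        start, size = lay["cert_table_off"], lay["cert_table_size"]
        h.update(data[sd + 8:start])          # entry skipped, up to the certificate table
        h.update(data[start + size:])         # certificate table skipped
    else:
        h.update(data[sd + 8:])
    return h.hexdigest()


def build_sample_pe(code: bytes, pkcs7: Optional[bytes]) -> bytes:
    """Construct a minimal PE32 image for the demo (headers plus 'code', no real sections)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE header directly after the DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 16, 224)    # SizeOfOptionalHeader for PE32
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    image = bytearray(bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt) + code)
    if pkcs7 is None:
        return bytes(image)
    cert = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    sec_dir = 64 + 4 + 20 + 96 + SECURITY_DIR_INDEX * 8
    struct.pack_into("<II", image, sec_dir, len(image), len(cert))
    return bytes(image) + cert


if __name__ == "__main__":
    signed = build_sample_pe(b"\x90" * 16, b"FAKE-PKCS7")
    print(embedded_certificate(signed))
    print(authenticode_digest(signed) == authenticode_digest(build_sample_pe(b"\x90" * 16, None)))
```

The extracted pkcs7 blob can be handed to any PKCS#7/CMS tool for chain and revocation checks; the point of the digest is that adding or swapping a signature leaves it unchanged, while any change to the code alters it.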

To date, after almost two months of sales, at least 7-10 certificates have been sold (close to $10,000 in revenue for the seller).

The first message regarding the sale of the certificates

Taking into account that the above forum member has regular access to legitimately issued certificates from one of the top five Certificate Authorities (CAs) in the world, this case is probably only the start of a slippery slope. We may soon witness an increase in malware distribution attacks based on genuine code signing certificates. The $1,000 paid for a certificate is an incredibly low price for the hacker compared to the large sums he can earn using it in his attacks. While we do not know the precise origin of the certificates (a breach of an organization that purchases certificates, a breach of a reseller supplying the CA’s certificates, or simply “illegal” reselling of legally purchased certificates), the volume the seller is supplying is reminiscent of the DigiNotar case.

The Case of DigiNotar (July-August 2011)

DigiNotar was a Dutch Certificate Authority owned by VASCO Data Security International. It went bankrupt in September 2011 following a security breach in which fraudulent certificates were issued. DigiNotar hosted a number of CAs and issued certificates including standard SSL certificates, Qualified Certificates and ‘PKIoverheid’ government-accredited certificates.

In August 2011, a rogue wildcard certificate for *.google.com issued by DigiNotar was found in use against Internet users in Iran; browser vendors subsequently removed DigiNotar from their trust stores. Fox-IT investigated the events in their report ‘Operation Black Tulip’ and found that a total of 531 fraudulent certificates had been issued. They identified around 300,000 unique IP addresses, almost all in Iran, that had requested validation of the rogue google.com certificate before it was revoked. The abuse went on for weeks before the certificate was revoked at the end of August.

Users behind those IP addresses might have had their e-mail intercepted, and their login cookies could have been captured, letting the attacker enter their Gmail accounts and every other Google service tied to them. With access to the e-mail account, the attacker can also reset passwords for other services through their “forgot password” function. Fox-IT further examined the hacking tools left behind and found some of them amateurish and some very advanced; some were published tools and some were specifically developed.

After Intimidating Humankind Around the World, the Ebola Virus is now Threatening the Cyber Arena

It is a well-known fact that hackers can be very creative, not only when writing malicious code, but also when bestowing a name on their creation or connecting it to some sensational subject.

This time, inspired by the outbreak of the Ebola epidemic in Africa, the authors of the ransomware discussed below coded it to change filenames on the infected computer into a string containing the word “Ebola”. Let us take a deeper look at this new malware.

We first encountered the malware in a discussion on VKontakte, a very popular Russian social network. One of the participants uploaded a sample of the virus that infected his computer.

According to his description, he received an e-mail message containing a link. Clicking the link downloaded a .RAR archive that did not trigger an AV alert. After the archive was unpacked (and, presumably, its contents run), all files on the PC with the extensions PDF, DOC, DOCX, XLS, XLSX, JPG and DWG were encrypted and renamed to *id-*help@antivirusebola.com. Files on shared folders were encrypted as well and access to them was denied. To recover the contents of the PC, the victim had to write to help[at]antivirusebola.com, and was then instructed to pay 1 Bitcoin (approximately US$380) to a given address.

Further investigation on the Russian-speaking web revealed many other reports of Ebola virus infections. In most of the cases, the malicious link was sent via an email message, allegedly from the tax authorities or traffic police.

The ransomware was reported on several security vendor forums (Kaspersky, Symantec and Dr.Web among them), but no way of decrypting the files was found.

According to the Russian security company Dr.Web, the malware, now called “the Ebola virus,” first appeared on August 20. The same ransomware had been distributed since August 7 in a slightly different form, with file names changed to id-*_decrypt@india.com or id-*_com@darkweider.com. All three versions are probably variants of the same malware, identified by Dr.Web as Trojan.Encoder.741 and written by a Russian using the nickname Korrektor (presumably the author of other ransomware as well). The malware is written in Delphi, packed with the Armadillo packer and uses AES-128 for encryption.

A closer look at the sample revealed the IP address of the C&C server, 31.220.2.150, which belongs to a company called KODDOS, registered in Hong Kong and offering offshore hosting and DDoS protection. Communication with the server goes over HTTP: the infected machine sends out a unique string, probably an identifier of the infected machine.

The post in VKontakte

It is important to note that to date, the malware is largely unrecognized by AV vendors. (The detection rate varies for different samples on VirusTotal – the highest is 15/55.)
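Because AV coverage of this encoder was poor at the time, the practical detection is indicator-based. The following Python script is an added example (not code from the original post, Dr.Web or the VKontakte thread) that uses only the indicators given above: the renamed-file suffixes of the three known variants and the C&C address 31.220.2.150 reached over HTTP. The exact characters between “id-” and the e-mail suffix are not documented, so the pattern is deliberately loose there. The file names, the proxy-log format and the log lines are constructed for the demonstration.

```python
"""Host and proxy-log triage for the 'Ebola' encoder (added example, constructed data)."""
import re
from typing import Dict, Iterable, List, Tuple

VARIANT_SUFFIXES = {
    "help@antivirusebola.com": "Ebola (from August 20)",
    "_decrypt@india.com": "early variant (from August 7)",
    "_com@darkweider.com": "early variant",
}
# 'id-<something>' followed by one of the known suffixes at the very end of the file name
RENAMED_FILE = re.compile(
    r"id-[^/\\\s]*?(" + "|".join(re.escape(s) for s in VARIANT_SUFFIXES) + r")$",
    re.IGNORECASE,
)
C2_ADDRESS = "31.220.2.150"
# Constructed proxy-log shape: "<timestamp> <client> <method> <url> <status>"
PROXY_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})")

# Constructed sample data (not real victim files or logs)
SAMPLE_FILES = [
    "/srv/share/report.docx.id-7F3A12help@antivirusebola.com",
    "C:\\Users\\ivan\\Documents\\plan.xlsx.id-00981_decrypt@india.com",
    "C:\\Users\\ivan\\Desktop\\budget.dwg.id-5512_com@darkweider.com",
    "C:\\Users\\ivan\\Desktop\\notes.txt",
    "/srv/share/help@antivirusebola.com-readme.txt",   # mentions the address, not an encoded file
]
SAMPLE_LOG = [
    "2014-09-02T10:15:01 10.0.0.12 GET http://31.220.2.150/ 200",
    "2014-09-02T10:15:03 10.0.0.12 POST http://31.220.2.150/ 200",
    "2014-09-02T10:16:44 10.0.0.20 GET http://www.example.com/ 200",
    "not a log line",
]


def encrypted_files(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, variant) for every file whose name carries an encoder suffix."""
    hits = []
    for name in names:
        base = re.split(r"[/\\]", name)[-1]
        m = RENAMED_FILE.search(base)
        if m:
            hits.append((name, VARIANT_SUFFIXES[m.group(1).lower()]))
    return hits


def c2_beacons(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, client) for every request whose host is the C&C address."""
    beacons = []
    for line in log_lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].split(":", 1)[0]
        if host == C2_ADDRESS:
            beacons.append((ts, client))
    return beacons


def assess(names: Iterable[str], log_lines: Iterable[str]) -> Dict[str, object]:
    """Combine file-system and network indicators into one verdict."""
    files = encrypted_files(names)
    beacons = c2_beacons(log_lines)
    if files and beacons:
        verdict = "infected: encrypted files present and C&C contacted"
    elif files:
        verdict = "infected: encrypted files present"
    elif beacons:
        verdict = "suspicious: C&C contacted, no renamed files seen yet"
    else:
        verdict = "no indicators"
    return {
        "verdict": verdict,
        "encrypted": len(files),
        "variants": sorted({v for _, v in files}),
        "beaconing_hosts": sorted({c for _, c in beacons}),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_FILES, SAMPLE_LOG))
```

The beacon check only catches traffic that passes a proxy that logs full URLs; on a host, the renamed-file pattern is the faster indicator, and a hit on shared folders shows which client encrypted them.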

MacroExp – a Combined Social Engineering and Exploit Attack

Bundling an executable, usually malicious, file with an ordinary Word or Excel document, unbeknownst to the user, has always been an aspiration of cyber-criminals. With such an asset they could get the victim to install the malware unwittingly, without the suspicion or AV alerts that running an executable file directly would raise. For this reason, requests for such services are frequently posted on underground forums, as cyber criminals search for easy ways to spread their malware. Occasionally this demand meets a supply, usually highly priced because of the opportunities it provides.

On this occasion, while monitoring Russian underground forums, we came across an advertisement for an exploit that targets Microsoft Word through its Visual Basic for Applications (VBA) macro feature. The exploit, referred to by the seller as MacroExp v 1.0.5, first appeared for sale two days ago (on August 11) for $1,000. The price includes the exploit builder as well as further updates and technical support.

According to the description on the forum, the tool bundles an executable file with a .doc file in a way that keeps the .exe invisible to the victim. It is said to be compatible with all Microsoft Word versions (2000-2013) and with both x86 and x64 Windows. The seller claims that, because the executable is hidden inside the document, it is not detected by AV and IPS systems or firewalls. Strictly speaking, no software vulnerability is involved: as the seller himself admits below, the victim has to enable macros for the executable to run.

The disadvantage of the method, as described by the seller, is the macro-enabling prompt that Word displays before the executable can actually run. He suggests overcoming this obstacle with social engineering.
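A defender does not need the builder to recognize its output. The following Python script is an added example (not the seller’s tool nor Cisco’s analysis) that triages the two things this vector needs: an auto-executing macro that writes to disk or launches something, and an executable carried inside the document. The VBA source and the document bytes are constructed; real files would first need an OLE/OOXML parser to pull the VBA module streams out of the container, which this example skips by starting from already-extracted macro source.

```python
"""Static triage for a macro dropper (added example, constructed input)."""
import re
import struct
from typing import Dict, List

AUTO_EXEC = re.compile(r"\b(AutoOpen|Document_Open|AutoExec|Auto_Open|Workbook_Open)\b", re.I)
BEHAVIOURS = {
    "launch": re.compile(r"\b(Shell|WScript\.Shell|ShellExecute|CreateProcess)\b", re.I),
    "file_write": re.compile(r"(\bOpen\b.+\bFor\s+Binary\b|\bPut\s+#|ADODB\.Stream|\.SaveToFile\b)", re.I),
    "download": re.compile(r"\b(URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest)\b", re.I),
    "temp_path": re.compile(r'(Environ\(\s*"TEMP"\s*\)|%TEMP%|\\Temp\\)', re.I),
    "obfuscation": re.compile(r"(\bChr\(|\bStrReverse\(|\bXor\b)", re.I),
}

# Constructed macro resembling the described behaviour (not the seller's code)
SAMPLE_VBA = r"""
Sub AutoOpen()
    Dim sPath As String
    sPath = Environ("TEMP") & "\" & "upd.exe"
    Open sPath For Binary As #1
    Put #1, , UserForm1.TextBox1.Text
    Close #1
    Shell sPath, vbHide
End Sub
"""
# Constructed document bytes: an OLE magic, padding, then a bare MZ/PE header at offset 72
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(64)
              + b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(16))


def score_vba(source: str) -> Dict[str, object]:
    """Classify macro source by auto-exec entry points and suspicious behaviours."""
    hits = {name: sorted({m.group(0) for m in rx.finditer(source)})
            for name, rx in BEHAVIOURS.items() if rx.search(source)}
    auto = sorted({m.group(0) for m in AUTO_EXEC.finditer(source)})
    dropper = bool(auto) and "launch" in hits and ("file_write" in hits or "download" in hits)
    if dropper:
        verdict = "likely dropper"
    elif auto and hits:
        verdict = "suspicious"
    else:
        verdict = "benign-looking"
    return {"auto_exec": auto, "behaviours": hits, "verdict": verdict}


def find_embedded_pe(blob: bytes) -> List[int]:
    """Offsets of 'MZ' headers whose e_lfanew points at a valid 'PE\\0\\0' signature."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and blob[sig:sig + 4] == b"PE\0\0":
                found.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return found


def triage_document(vba_source: str, raw_doc: bytes) -> Dict[str, object]:
    """Combine macro scoring with the embedded-executable check."""
    macro = score_vba(vba_source)
    pe_offsets = find_embedded_pe(raw_doc)
    verdict = str(macro["verdict"])
    if pe_offsets and verdict != "benign-looking":
        verdict = "macro dropper with embedded executable"
    return {"macro": macro, "embedded_pe_offsets": pe_offsets, "verdict": verdict}


if __name__ == "__main__":
    print(triage_document(SAMPLE_VBA, SAMPLE_DOC))
```

Keyword scoring of this kind is easy to evade with string obfuscation, which is why the embedded-PE check is paired with it: the payload has to exist somewhere, and a raw MZ/PE header inside a document is rarely legitimate.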

A week ago, Cisco reported seeing this attack vector in the wild. It was used in spear-phishing attacks against industries such as banking, oil, television and jewelry. The starting point was a Word file written specifically for the recipient. When the document was opened, a macro prompt appeared; once macros were enabled, the macro downloaded a malicious executable and launched it on the victim’s computer.

It is difficult to say whether the same perpetrators are behind both attacks, or whether only the vector is shared. On the one hand, one of the C&C domains discovered by Cisco was registered seven years ago, which may indicate that the threat actor has been in operation since at least 2007. On the other hand, the seller connected himself to the Cisco report, claiming that the described attack is his project. He also mentioned that more than 20 clients were already using the exploit and that this was not its first version. The matter will become clearer as more cases are identified in the wild and more feedback from buyers appears on the forum.

Screenshots of the exploit in action uploaded by the seller

Financial Scams Involving POS Devices

POS attacks appear to have become both more frequent and more damaging. These systems are considered “easy prey” because they are vulnerable in two respects. The first is software: POS terminals run on popular operating systems and are connected to the Internet, which makes them a target for infection by Trojans dedicated to data theft. The second is physical: the terminals are usually located in public places and are accessible to many people, which facilitates the installation of malicious programs and components directly onto them.

Russian-speaking web platforms (forums) are known to be supporting grounds for a great deal of cybercrime the world over, and POS-related crime is no exception. This sphere of activity falls under the “real carding” forum topic, which also covers hacking ATMs, installing skimming devices, hacking into ATM cameras to record PIN codes, etc. Below we summarize the main trends regarding POS systems discussed on the Russian forums in recent months.

Trade of Malware Targeting POS Terminals: While 2013 was a year of large-scale breaches via remote access to POS systems, since the beginning of 2014 we have not seen many discussions about the remote infection of POS devices; most of them deal with the physical modification of the terminals. Nevertheless, in May 2014 we identified the sale of one new tool, referred to by the seller simply as Dump Grabber.

Installing Firmware Components on POS Terminals: The sale of firmware components for different models of POS terminals is very popular on the underground, as is the sale of complete terminals (ready for installation) with the firmware already in place. The average price for a complete terminal is approximately $2,000, while the firmware alone costs around $700. The firmware collects track 1, track 2 and PIN data while regular transactions are performed on the terminal, and then sends it to a specified destination.
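Skimming firmware and RAM scrapers harvest exactly the track records mentioned above, so a defender who can recognize them can verify whether a terminal dump, a process memory image or an outbound capture actually contains cardholder data. The following Python scanner is an added example (not firmware or malware code from the forum). Track layouts follow ISO/IEC 7813: track 1 is `%B<PAN>^<NAME>^<YYMM><service code>...?` and track 2 is `;<PAN>=<YYMM><service code>...?`. Service-code decoding uses the usual convention that a first digit of 2 or 6 means a chip is present and a third digit of 0, 3 or 5 means a PIN is required, which is why both fields matter to the forum discussions below about PINs and chip bypass. PANs are Luhn-checked to cut false positives and masked on output; the buffer is constructed from public test card numbers.

```python
"""Find and validate magnetic-stripe track data in a raw buffer (added example)."""
import re
from typing import Dict, List

TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]{0,80}\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,40}\?")

# Constructed buffer: two valid records (public test PANs) and one that fails Luhn
SAMPLE_BUFFER = (
    bytes(16) + b"ok"
    + b";4111111111111111=2512201123456789?" + bytes(2)
    + b"%B5555555555554444^DOE/JOHN^2601101000000000000?"
    + b"junk;4111111111111112=2512101?" + b"\xff" * 8
)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit validation."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_service_code(code: str) -> Dict[str, bool]:
    """Interpret the three-digit service code (ISO/IEC 7813 conventions)."""
    return {
        "chip_present": code[0] in "26",
        "international": code[0] in "12",
        "pin_required": code[2] in "035",
    }


def mask(pan: str) -> str:
    """Keep BIN and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track_data(buf: bytes) -> List[Dict[str, object]]:
    """Return Luhn-valid track 1 and track 2 records found in the buffer, by offset."""
    records: List[Dict[str, object]] = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            records.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                            "name": m.group(2).decode(errors="replace"),
                            "expiry": m.group(3).decode(),
                            **decode_service_code(m.group(4).decode())})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            records.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                            "expiry": m.group(2).decode(),
                            **decode_service_code(m.group(3).decode())})
    return sorted(records, key=lambda r: int(r["offset"]))


if __name__ == "__main__":
    for rec in scan_track_data(SAMPLE_BUFFER):
        print(rec)
```

Run against a terminal memory image or a packet capture, a non-empty result is a strong sign that unencrypted track data is being handled (or exfiltrated) where it should not be; the service code also tells you whether the stolen record came from a chip card, which matters when judging how the dump can be monetized.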

An offer for the sale of a VeriFone POS terminal with installed firmware

Technical Discussions: It appears that since the infamous mega-breaches that occurred over the last year, this sphere has attracted a lot of cyber criminals, but some of them lack the technical skills necessary for success. They heard about the easy profits available in the area of POS terminals and are trying to familiarize themselves with the expertise required to make a profit via dedicated online platforms.

The two main issues recently discussed on the forums are obtaining PIN codes and bypassing the requirement for chip (EMV) authentication. The lively discussions on these subjects may point to the difficulties the participants face in this area of POS-related cybercrime.

A forum member asks how to add a PIN requirement in POS transactions

Business Models of POS-Related Scams: It is extremely difficult for a single scammer to commit a financial crime exploiting POS terminals. These scams are usually performed by small groups of cyber criminals. If the modus operandi of the scam is the remote infection of POS devices, there is a high probability that the attack group will include three types of perpetrators: the malware coders, the malware spreaders and the purchasers of the dumps.

In case of a physical infection of the POS terminals, of the kind that requires the installation of firmware components or the replacement of the terminal itself, the cooperation of someone at the business point (a shop or a supermarket) will also be required.

A forum member offers a fake POS terminal for rent, in return for 50% of the profit


Mind the Gap – Mind your Android

Android holds approximately 80% of the global mobile market today. Due to the popularity of the Android operating system for mobile phones, it serves as a more attractive target for hackers and cyber criminals than iOS mobile phones.

Security researchers have demonstrated ways to take control of roughly 70% of Android devices through a web page or a malicious app, mostly devices running outdated versions. Although Google releases platform updates roughly every four months, most of these devices will likely remain vulnerable because the updates never reach them.

Security consultant Graham Cluley accentuated this point when he said, “The fundamental problem is that they [Google] don’t control the hardware and software. Even though all these devices are Android-operated, they run different tweaked versions with different UIs and add-ons.”

While iOS runs only on Apple devices, which receive updates directly from Apple, security updates for Android devices have to pass through the device manufacturers and the mobile network operators, a detour that often takes a great deal of time.

The following chart describes the patching process for an Android device, from the first discovery of a vulnerability to the fix that ultimately reaches the end-user device. The process up to point C, the release of a fix by the software vendor, is typical for every software product; the fix at point C normally closes the vulnerability window that opened at point A.

Points D to G represent the part of the process specific to Android: whenever a patch becomes necessary, Google publishes the fix through the Android Open Source Project, the device manufacturers adapt it to their customized builds, the carriers release it, and finally the user installs the updated version of his operating system.

Chart showing the creating of a patch for an Android device

It should be noted that the patch release date is not the date on which the update actually becomes available to users. Once Google releases an update, each manufacturer must adapt it to its own hardware and customizations. The update may never reach the user at all, for example if the vendor decides that distributing it is too expensive.

As a result of this window, and of the gap between Google’s and the manufacturers’ release dates, attackers can reverse engineer the published patch (or another manufacturer’s earlier release of it) to locate the vulnerability and exploit it on devices that have not yet received the fix.

Clearly, the fact that Google provides a secure platform for Android is insufficient – it is also important to ensure that their patches reach their targets, Android users, within the shortest possible time, to minimize the attack window.

Two New Banking Trojans Offered for Sale on the Russian Underground

It is summer vacation time in Eastern Europe now, and we definitely see a certain slowdown in the underground cybercrime business. Just like “regular” people in Russia, cybercriminals also spend a week or two by the sea or at their dachas (country cottages) after working around the clock during the year. We see this slowdown not only in reduced trade activity, but also in the lack of support for some services offered on the forums, the long absence of several high-ranking members from the boards, etc.

Given this situation, it was quite exceptional to see two new banking Trojans appear almost simultaneously on one of the Russian underground forums. Although offered by different sellers, both take their names from Greek mythology: Kronos and Kratos. Kronos is the father of Zeus, the most important Greek god, while Kratos was a far less important figure. The prices match the significance of the gods: Kronos costs $7,000 (a special release price of $5,000 until July 18th, and a one-week trial on the buyer’s own domain for $1,000), while Kratos is available for only $2,000.

Let us look deeper at the features of the above mentioned Trojans, as they are described by the sellers.

Kronos

Kronos, first advertised on June 10th, is claimed not to be based on Zeus source code or on any other known banking Trojan, which would make it a new generation of financial malware. The extremely high price is consistent with that claim.

It has a ring-3 (user-mode) rootkit compatible with both x86 and x64 systems and includes a form grabber for the latest versions of the popular browsers (IE, FF and Chrome). Kronos’ web injects are configured in Zeus’ format, so adjusting old injects for the new Trojan should be simple. As for self-protection, the seller says the Trojan bypasses proactive AV protection, as well as user-mode sandboxes and other rootkits.
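The remark that Kronos accepts Zeus-format web injects is the most useful detail for an analyst, because it means existing inject files can be parsed and previewed the same way. The following Python script is an added example (not Kronos or Zeus code): it parses the Zeus inject format as documented publicly (a `set_url <mask> <flags>` line followed by `data_before` / `data_inject` / `data_after` blocks, each closed by `data_end`, with `*` as a wildcard in the mask and in the before/after patterns) and shows what a given inject would do to a page. The config text and the login page are constructed; the host `online.examplebank.test` is a placeholder. The inject is applied by replacing whatever lies between the `data_before` and `data_after` matches (or inserting after `data_before` when `data_after` is empty).

```python
"""Parse Zeus-format web injects and preview their effect (added example)."""
import re
from typing import Dict, List, Optional, Pattern

SAMPLE_CONFIG = """
; constructed sample, not a real inject file
set_url https://online.examplebank.test/login* GP
data_before
<input type="password"*name="pass"*>
data_end
data_inject
<div class="extra">PIN: <input type="text" name="pin"></div>
data_end
data_after
data_end
"""

SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text: str) -> List[Dict[str, str]]:
    """Return one dict per set_url entry with url, flags and the three data sections."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    section: Optional[str] = None
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None and current is not None:
            if line == "data_end":
                current[section] = "\n".join(buf)
                section, buf = None, []
            else:
                buf.append(raw)
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("set_url"):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            entries.append(current)
        elif line in SECTIONS and current is not None:
            section = line
    return entries


def wildcard_to_regex(mask: str) -> Pattern[str]:
    """Translate a Zeus mask ('*' matches anything) into a regular expression."""
    return re.compile(".*?".join(re.escape(p) for p in mask.split("*")), re.S)


def url_targeted(entry: Dict[str, str], url: str) -> bool:
    """True when the entry's URL mask covers the given URL."""
    return wildcard_to_regex(entry["url"]).fullmatch(url) is not None


def apply_inject(html: str, entry: Dict[str, str]) -> str:
    """Preview the page the victim would see after this inject is applied."""
    start = 0
    if entry["data_before"]:
        m = wildcard_to_regex(entry["data_before"]).search(html)
        if not m:
            return html                      # anchor absent: inject does nothing
        start = m.end()
    end = start
    if entry["data_after"]:
        m2 = wildcard_to_regex(entry["data_after"]).search(html, start)
        if not m2:
            return html
        end = m2.start()
    return html[:start] + entry["data_inject"] + html[end:]


if __name__ == "__main__":
    page = '<form><input type="password" name="pass"><button>Go</button></form>'
    for e in parse_webinjects(SAMPLE_CONFIG):
        if url_targeted(e, "https://online.examplebank.test/login?step=2"):
            print(apply_inject(page, e))
```

Previewing injects this way is how an analyst turns a captured config into a concrete list of targeted institutions and of the extra fields (here a PIN) the victim is asked to fill in, which is what the bank’s fraud team needs.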

Among the disadvantages of this Trojan, the seller mentions the lack of a VNC module and incompatibility with the Opera browser. Nevertheless, a vigorous discussion about Kronos developed on the forum, with mostly positive feedback.

On July 8th, the seller posted the results of an AV scan of his product: it was detected by 10 out of 35 vendors, as generic malware.

Kronos in action - a snapshot from a video published by the seller

Kratos

Kratos went on sale on July 7th. It is based on Carberp’s bootkit, without relying on Zeus source code, and uses Citadel’s PHP administration panel.

The seller describes the main concept of his product as blocking AV detection, which depends on successful installation of the ring-0 bootkit. It works on both x86 and x64 systems and is built as a modular system; one of the modules is an injection module for all versions of FF, IE and Chrome. As for security functions, the Trojan bypasses UAC and, according to the seller, uses a unique 16 kb RSA signing key.

Kratos’ seller emphasizes that a change in one of the protocols (compared to Zeus) allowed the traffic to be compressed, which opens the possibility of connecting through the Tor network.

The thread about Kratos on one of Russian underground forums

In both cases the discussions are still ongoing. We have not yet seen feedback from satisfied purchasers, but in general both Trojans were received with positive responses.

Understanding the Cyber Intelligence Ecosystem

Technology Evolution

The intelligence world has undergone dramatic change in recent years. The growth in traffic, online platforms, applications, devices and users has made the intelligence gathering process much more complex and challenging.

Today, each individual makes multiple simultaneous online appearances. We operate social media accounts, such as Facebook and Twitter (in Russia there is VK and Odnoklassniki and in China RenRen and QZone). We are also active on professional networks, such as LinkedIn. We participate in discussion groups and forums. We share pictures and videos via dedicated websites, and we process transactions by way of ecommerce sites, etc. This makes it much harder today to track the online footsteps of an individual and connect the dots between his diverse online representations, especially if he uses multiple aliases and email addresses.

Man versus Machine

In today’s virtual world, web-crawlers and automated collection tools have limitations. Don’t get me wrong – they are very important and we are dependent on automated tools in our daily work, but in some areas they simply cannot compete with a human analyst.

I will give you an example – in order to access a particular Russian closed hacking forum, you must write 100 posts, receive a recommendation from the administrator of the forum and finally, pay 50 dollars in Bitcoin. Such a task cannot be accomplished by a crawler or an automated tool. You must have an analyst that understands the relevant ecosystem and who is also familiar with the specific slang or lingo of the forum members. You must know that “Kaptoxa” (“Potato” in Russian) on a deep-web hacking forum does not really mean “Potato”, but rather refers to the BlackPOS – a Point-of-Sale (POS) malware used in the Target attack at the end of last year.

BlackPOS is offered for sale on a Russian closed hacking forum (February 2013)

Cyber Activity Areas

If we take a look at the threat actors in the world of cyber security, we can roughly divide them into four categories: hacktivists (such as Anonymous-affiliated groups around the world); cyber terrorists (for example, the cyber unit of Hezbollah, and lately we have seen clear indications of al-Qaeda (AQ) attempts to develop a cyber unit within their organization).

Collaboration between Al-Qaeda and Tunisian hackers

A third category is cyber criminals (we have recently heard about cybercrime activities organized by groups in Ukraine, Eastern Europe, China and Latin America). The final category is governments, or state-sponsored groups (such as the Chinese PLA Unit 61398, also known as APT1, or the Izz ad-Din al-Qassam Cyber Fighters, an Iranian hacker group that launched “Operation Ababil” two years ago against the American financial sector).

Today, it is clear that every industry or sector is a potential target for cyber attack, or, as the Director of the FBI said two years ago, “There are only two types of companies: those that have been hacked and those that will be.”

And indeed, we are witnessing attacks on media organizations, public records (and in recent months attacks against healthcare services, mainly for the purpose of extortion), academic institutions, banks, the energy sector, and, of course, government agencies.

These diverse threat actors use the Internet to chat, plan their attacks, publish target lists, and even upload and share attack tools. But where can we find them? They have different online platforms.

Unlike APT campaigns that have almost no online footprint, the strength of hacktivism is its capability to recruit large masses for its operations, using social networks. In recent hacktivist campaigns we have identified Facebook as a “Command and Control” (C&C) platform for the attackers, where they plan the operation, publish a target list and share attack tools.

OpFIFA 2014 Campaign

Cyber terrorists are mostly active on closed, dedicated forums where you must login with a username and password after receiving admin approval. We have experience with such forums in Arabic, Persian and even Turkish.

Cyber criminals, on the other hand, can be found on Darknet platforms, where you need to use a special browser to gain access. They can also be found on password-protected forums that sometimes require an entrance fee, payable in Bitcoin or other crypto-currencies. On these platforms we can find sophisticated attack tools for sale, pieces of advanced code, zero-day exploits, stolen data dumps and more.

Silk Road - the infamous online market on Darknet

Regarding governments or state-sponsored groups, I do not believe that they chat online, and generally speaking they do not leave footprints on the Web. However, we occasionally uncover activities by nation-state actors, such as the Syrian Electronic Army (SEA) or Iranian-affiliated groups.

I would like to argue that in today’s world we must use traditional methods of intelligence gathering, specifically operating covert agents, or virtual spies, throughout the Web – in closed discussion rooms, on secret Facebook pages, in the deep-web and Darknet platforms – in order to obtain quality, relevant and real-time intelligence.