Welcome back to The Underground Economist: Volume 4, Issue 1, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of January 8th, 2024.
Stolen marinetraffic[.]com Data Available for Sale
On December 27, 2023, threat actor “APTlord” announced on the dark web forum RAMP that they were selling source code and other information owned by marinetraffic[.]com, which was allegedly obtained by the theft of backup data from web-based Git repository GitLab. Marinetraffic[.]com is an open-source analytics platform that provides real-time information on maritime vessels and activity around the globe. Some of the information available includes:
- The geographic positions of vessels (accuracy and update frequencies vary between vessels)
- Vessel details (such as photographs, country of operation, speed, design, and other physical attributes)
- Journey details (such as originating locations and destinations and expected arrival times)
- Information relating to maritime infrastructure (such as port locations, capacity, traffic statistics, and weather conditions)
RAMP post advertising the sale of source code owned by marinetraffic[.]com
The price requested for the data is USD 8,000, and the threat actor claims that the information will only be sold to a single buyer. APTlord also explicitly agrees to using escrow (a third-party mediator able to facilitate the sale). This is likely indicative of a credible threat actor and sale.
APTlord asserts that some of the website’s research areas—such as interactive information systems design, design of databases providing real-time information, and correlation of the collected information with weather data—can be exploited. It is unclear, however, how this information could be directly leveraged to facilitate attacks against maritime targets, especially given the abundance of detail already publicly available. There is a roughly even chance that the original purpose of the stolen data was the facilitation of extortion, which either failed or never took place.
This announcement comes at a time of uncertainty for many maritime organizations, with high levels of regional unrest influencing military, economic, and political maritime operations in the Mediterranean Sea, the Red Sea, the Suez Canal, the Indian Ocean, and the South China Sea. In addition to financially motivated threat groups seeking to conduct extortion attacks, it is likely that this advertisement is seeking to attract the attention of actors interested in geopolitical affairs. This likely includes government entities and politically/ideologically-driven threat groups—both of which have been observed targeting maritime assets in recent weeks.
New “Prank” Service Offered to Organizations in Dark Web Marketplace
On December 26, 2023, untested Russian-speaking threat actor “PrankService” announced a new global “prank” service on dark web forum exploit[.]in. The service offers to help clients deal with competition or enemies and turn the target’s “life into a nightmare.”
- Services on the dark web offering direct harassment and intimidation of third parties are relatively rare, particularly those involving physical or non-cyber techniques.
Exploit[.]in post advertising new “prank” service (translated)
Source: ZeroFox Intelligence
The actor claims that their actions can cause the target to change address, telephone numbers, and contacts; incur financial losses; and lose business opportunities. This can be achieved using both “online and offline measures,” which very likely alludes to the leveraging of both cyber and physical (non-cyber) disruption techniques such as systematic harassment, threats, and spam communications.
- The actor further claims that they can study intended targets to facilitate results, which likely relates to a service offering a more tailored or bespoke disruption approach.
- A client is only required to provide the target’s “primary information” in order to ensure the legitimacy of the target.
- The service is allegedly available in every city and country. It is unclear how this may impact the actor’s ability to conduct physical measures against the target.
Exploit[.]in post advertising “Prank” payment and contact details (translated)
Source: ZeroFox Intelligence
Services start at USD 1,000 and increase commensurate with the time and complexity associated with the job. Although payment is said to not be required until the job is complete, it is unclear what conditions determine a “complete” attack. Payment is made to exploit[.]in’s escrow service, which—given the actor’s lack of reputation and sales history/vouches—is the only element indicative of likely credibility.
The nature of the service is very likely to appeal to a vast array of individuals and organizations that are seeking to take punitive, disruptive, or vengeful measures against an opposition. Should the actor establish a credible reputation on exploit[.]in and keep the price relatively low, the service will likely attract a high volume of clients from across the globe. A similar service was observed in 2019 in dark web marketplaces, though it was restricted to “prank call” type communications. “PrankService” appears to be significantly more comprehensive in techniques leveraged, seemingly aiming to inflict actual reputational, financial, and psychological damage on the target.
- The service was announced solely in Russian, indicating the demographic/location of its target audience. The intended targets are, therefore, very likely to be Russian-speaking, particularly relating to the unspecified “offline measures.”
Threat Collective ALPHV Continues a Reduced Attack Tempo
Evidence observed by ZeroFox indicates that Ransomware & Digital Extortion (R&DE) threat collective ALPHV (also known as BlackCat) is still operational following the Federal Bureau of Investigation’s (FBI) disruption and seizure of their dark web infrastructure and release of a free decryption tool on December 19, 2023. ALPHV representatives quickly disputed the extent of the disruption caused, claiming sufficient contingency to continue operations on alternative infrastructure.
- In the most recent instance, on December 23, 2023, well-regarded threat actor “Братислава” (“Bratislava”) once again affirmed via a post on dark web forum RAMP that ALPHV is still operational. Bratislava referred to a functioning darknet blog belonging to the threat collective and noted that a new victim had been added very recently.
- ZeroFox Intelligence has observed 14 attacks conducted by ALPHV in the 17 days since December 19, 2023. This is roughly equal to the number of attacks in the 17 days prior to the FBI disruption.
Post translating to “As I have already said, alpha (ALPHV) is still working. Here is the link (. . .) and there is already a new client”
Source: ZeroFox Intelligence
- The restored darknet blog indicated that “clients” (victims) were added by ALPHV on December 22, 23, and 24, soon after the FBI’s initial statements relating to the operation.
Threat Actor Seeks to Profit from Israel-Hamas War
On December 24, 2023, threat actor “Blackfield” posted on the dark web forum RAMP announcing a data breach targeting the Israeli Defense Force (IDF). Blackfield is a well-regarded threat actor and was among the first RAMP actors to announce the sale of stolen information relating to the IDF and Shin Bet (Israel’s Internal Security Agency), as reported by ZeroFox on October 11, 2023.
The most recent breach reportedly affects members from the military intelligence capability Unit 8200, which is subordinate to the IDF’s Military Intelligence Directorate. The data is alleged to include personal information pertaining to both current and ex-members, such as:
- Email addresses
- Phone numbers
- Personal photographs
- Data relating to family members
The actor indicated that the breach took a long time (two months in total) due to numerous “Honeypots” set up by the Israeli government and the leveraging of “Insiders.”
RAMP post claiming Unit 8200 data breach
Source: ZeroFox Intelligence
The actor announced a price of USD 50,000 for the breached data. The steep price is likely indicative of the actor’s intent to advertise the information to politically and ideologically motivated threat actors deemed able to afford it, such as nation-states and affiliated groups.
- The willingness to use escrow, longstanding forum reputation, and the offer of alleged samples are all positive indicators and behaviors consistent with a reputable actor.
The thread gained significant traction on the forum, garnering positive feedback and congratulations by likely ideologically incentivized actors. A skeptical minority questioned whether the data originated from an already-known breach, such as the Israeli Technion breach in February 2023, and doubted the credibility of the alleged samples.
Embedded “Samples” serving as a proof of life
Source: ZeroFox Intelligence
Notwithstanding these uncertainties, this post confirms the continued targeting of Israeli government entities in data theft attacks by high-profile threat actors that likely seek clients with nation state-level capabilities. Depending on the threat actor’s credibility, it may also attest to the ongoing employment and leveraging of insiders within the Israeli military to extract sensitive, very likely classified, information.
The intended use of this information is unclear; however, such information is likely appealing to the governments and intelligence services of states opposing Israel and its role in the ongoing Israel-Hamas War. Militant groups in the region and the numerous cyber threat collectives that have been observed conducting attacks against Israeli targets in recent weeks would also likely deem such information valuable to the pursuit of their geopolitical ends.
- Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
- Implement network segmentation to separate resources by sensitivity and/or function.
- Implement secure password policies with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
- Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Develop a comprehensive incident response strategy.
- Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
- Deploy a holistic patch management process and ensure all IT assets are updated with the latest software updates as quickly as possible.
- Proactively monitor for compromised accounts being brokered in deep and dark web forums.
- Configure ongoing monitoring for compromised account credentials.
Learn More about the Authors Behind The Underground Economist
The ZeroFox Dark Ops team is embedded in the underground economy, offering dark web intelligence, direct threat actor engagement, and unmatched visibility into the dark web. Our global threat hunting and dark web intelligence team extends the reach of your security resources, engaging with the underground community. We give you an advantage over emerging threats and stop active threats before damage can be done. Integrated into hundreds of dark web communities and places where most can’t infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to you. Learn more here.