ZeroFox researchers observed a threat actor advertising compromised personally identifiable information (PII) belonging to members of the Israel Defense Forces (IDF) and the Israel Security Agency on the predominantly Russian-language dark web forum RAMP.
On October 10, 2023, well-regarded threat actor “blackfield” advertised PII, photographs, and access to social media profiles for members of the Israel Defense Forces and the Israel Security Agency (AKA Shabak/Shin Bet) on the predominantly Russian-language dark web forum RAMP. The actor claimed to have hundreds of lines of data on Israel Defense Forces personnel and only a few examples relating to the Israel Security Agency. “blackfield” priced the package of compromised data at USD 15,000 and stated they would use the forum’s escrow service to facilitate the transaction. Because escrow withholds payment until the buyer confirms delivery, a seller’s willingness to use it indicates they likely possess the data they claim, although it does not verify the data’s authenticity or origin.
Figure 1. Threat actor “blackfield” advertises compromised Israel Defense Forces and Israel Security Agency data
Source: ZeroFox Intelligence
It is highly likely that “blackfield”’s goal is to profit by selling the compromised information to geopolitically motivated buyers. Advertising the data for sale rather than leaking it for free indicates that the actor’s motivation is unlikely to be ideological. The initial date of compromise for the advertised data is unclear; however, the data is likely perceived as more valuable following the outbreak of hostilities between Israel and Hamas. This is further reflected in the asking price, which is above average for the volume of data advertised.
The type of compromised data, combined with the alleged access to social media handles, indicates that the compromise likely involved credential stuffing against social media accounts, which often contain photos, PII, and telephone numbers. Credential stuffing relies on usernames and passwords reused from earlier breaches, so the underlying credentials may predate this activity considerably. It is unclear how the targets were selected; the threat actor responsible likely possessed additional information that allowed them to identify the account holders as members of the Israel Defense Forces and the Israel Security Agency.
Another well-regarded actor on RAMP, “achillesec”, responded that they would purchase the data if they could obtain a discount. “blackfield” agreed to provide “achillesec” a discount, as “achillesec” had previously purchased over USD 50,000 worth of initial network access and other compromised data from “blackfield”. ZeroFox researchers assess that it is highly likely that “blackfield” is an initial access broker and “achillesec” is an affiliate of a ransomware gang. (ZeroFox researchers note that activity on the RAMP forum heavily focuses on initial access brokers and ransomware affiliates. The forum has gained popularity among threat actors since it was relaunched in November 2021.)
Figure 2. Threat actors “blackfield” and “achillesec” discussing previous deals and a potential discount for the data
Source: ZeroFox Intelligence