It sounds strange, but sometimes threat groups in the dark web want to be seen.
Dark web publicity
The dark web gives us an insight into how threat groups organize and operate. This intelligence usually comes from catching cybercriminals out when they think they are acting under the radar (that is, after all, why cybercriminals choose to congregate on the dark web).
However, somewhat paradoxically, this intelligence sometimes comes from messages and posts that threat groups want to be seen. That is because, in spite of their desire to evade attention from law enforcement, there is a countervailing need for them to communicate with others in order for their operations to succeed. Often, they need to communicate with other cybercriminals to collaborate, or to buy or sell goods and services. Sometimes they need to speak to their victims. Some groups (as we’ll see) are also reliant on publicity, and therefore have to disseminate information to the public and the press.
Therefore, while the individuals obscure their real names and identities with aliases, there is a lot of intelligence to be gained about the groups as a whole from their chosen communication methods.
We have selected the threat groups DarkSide and LAPSUS$ to illustrate this point. They make a good comparison: both operated recently, both have since ceased operations, both focused on “big game hunting” of large organizations, and both relied on similar network intrusion tactics. Nonetheless, their dark web communication methods stand in stark contrast to one another.
Furthermore, because DarkSide ran an affiliate program (offering its ransomware to third-party actors in return for a share of the profits), it adopted “customer facing” communication methods to share updates with its users and even to address their issues and concerns.
Take, for example, the posts communicating an update to its product after Bitdefender released a decryptor in January 2021 that compromised some of the group’s operations. On January 12, 2021 the darksupp alias provided a thorough overview of the situation to reassure its customers that the operation was still trustworthy.
While other actors do use insiders to compromise organizations’ defenses, these employees are typically recruited in a less conspicuous manner, such as over private messages, rather than on a public Telegram channel with 47,000 subscribers, in full view of law enforcement and security researchers.
In contrast to DarkSide’s efforts to win the trust of the cybercriminal community, LAPSUS$ was more than happy to make enemies as it became increasingly bold and outspoken.
For example, after a partial leak of data stolen from the software company Nvidia in February 2022, LAPSUS$ faced increasing calls from its follower base to release the second half of the breach. After repeatedly assuring its followers that the data was forthcoming, LAPSUS$ changed tack, updating its Telegram channel “group rules” to include point 4: “Stop asking about NVIDIA”. It also missed another self-imposed deadline to release its alleged cache of Vodafone data, much to the ire of its followers.
Gathering adversarial intelligence
The differences between groups are more than just a point of interest. Understanding where and how threat actors communicate can help organizations gain valuable adversarial intelligence. This can be seen with both LAPSUS$ and DarkSide.
LAPSUS$’ Telegram channel provided information that helped analysts better understand the group’s methods and operations. For example, initial reports that LAPSUS$ was a ransomware gang were shown to be false when LAPSUS$ itself stated on its channel “we said it was a ransom, not a ransomWARE”. Security researchers subsequently classified LAPSUS$ as a data extortion actor: one which breaches corporate networks, exfiltrates sensitive data and demands a ransom in return for not leaking the information online, without deploying file-encrypting ransomware.
Meanwhile, DarkSide’s communication with its affiliates stated the “rules” of the program, with the group forbidding its partners from targeting certain industries, including healthcare, funeral services, education, the public sector and non-profits, for “ethical” reasons. Those watching closely at the time might have spotted a warning sign that attacks were going to escalate when, in March 2021, approximately one month before the initial compromise of Colonial Pipeline, it announced a change to its affiliate program on the forum Exploit, removing layers of “bureaucracy” and allowing its affiliates to “make calls” without asking the ransomware operators.
This demonstrates the opportunity presented by threat actors’ need to communicate. Monitoring these conversations and messages on the deep and dark web allows organizations to build a profile of their adversaries and to better understand their tactics, techniques and procedures (TTPs). They can use this pre-attack intelligence to inform their cybersecurity strategy, building their defenses on a more accurate understanding of the threats they are facing.