In the past few weeks NATO has had to investigate two instances of sensitive military documents circulating on the dark web.
adrastea targets MBDA Missile Systems
At the end of August it was reported that NATO was assessing classified military documents being sold on the dark web. The hackers (who go by the moniker “adrastea”) claimed to be selling data from the European company MBDA Missile Systems, which is reportedly the world’s second largest manufacturer of missiles. We took a closer look.
According to the BBC, MBDA acknowledged that some of its data was included in the stash but said that it did not own the leaked documents, with its investigation centering on one of its suppliers as the source of the files. When we investigated, we found that this account is contradicted by the adrastea user’s own advertisement for the data, posted on the Russian-language cybercrime forum Exploit on August 5th:
In this post, the hackers claimed to have “confidential information about employees of companies, which took part in the development of closed military projects”, “activities in the interests of the Ministry of Defense of the European Union”, and “design documentation of their airbase, missile systems, and systems of coastal defense”.
The BBC obtained a free 50MB sample of the data, which it said did include “documents labeled ‘NATO CONFIDENTIAL’, ‘NATO RESTRICTED’ and ‘Unclassified Controlled Information’.”
The data appears elsewhere
Reviewing historical dark web records through our Cerberus platform, we found that the Exploit forum post was not the only place that the threat group had advertised the MBDA data.
A now-deleted post on BreachForums shows the group advertising the data as far back as July 31st. Although the alias is slightly altered (andrastea rather than adrastea), the wording of much of the advert is the same:
Later (August 24th) the group posted again on BreachForums, advertising pre-2019 “NATO restricted data”:
And, on the same day, selling military intelligence relating to the armed forces of the Philippines on BreachForums:
Again, reviewing deleted dark web records, we can see that between the posts on BreachForums and Exploit the group also tried advertising the data on the Helium forum:
This case demonstrates a number of idiosyncrasies of groups operating on the dark web.
1. The dark web doesn’t have an honors system
Firstly, this case is yet another reminder to treat attackers’ claims about the data they possess with skepticism. While the sample files accessed by the BBC show that the data adrastea is selling certainly is sensitive, that does not necessarily mean it came from MBDA as advertised. The sample, not the seller’s description of it, is the evidence an affected organization should check against its own records before accepting an attribution.
Cybercriminal gangs often misattribute the data they are selling, either deliberately or by mistake. We have seen two instances of this in just the past month, with LockBit falsely claiming to have compromised the Italian Revenue Agency, and the Cl0p ransomware group erroneously asserting it had compromised Thames Water. The dark web is not known for honest practices or due diligence, so we should be conscious that cybercriminals may not be entirely truthful in their advertising.
2. The dark web is an underground economy
Secondly, this case demonstrates how threat actors use the dark web to commercialize the data they have stolen. The appearance of the same documents on multiple forums, at different times, and at different prices, speaks to the eagerness of the cybercriminals to use the same pool of data to attract as many buyers as possible.
The dark web provides a number of marketplaces for cybercriminals to sell their wares, protected by relative anonymity and by the difficulties law enforcement and government agencies face in policing sites on Tor. With better insight into forums and marketplaces, cybercriminal activity could be spotted and the perpetrators brought to justice more quickly (which is where we come in).
3. The sensitivity of data sold on the dark web
Finally – and most importantly – this case highlights the sensitivity of the data being handled and sold by cybercriminals. It is hard to imagine data with more damaging implications than military intelligence and information on weapons systems.
Furthermore, this is far from the only instance we have seen of information related to the military sector being sold on the dark web. Last week (September 8th) it was reported that NATO was once again chasing documents of “extreme gravity” on the dark web, this time stolen from Portugal’s Armed Forces General Staff (EMGFA). The EMGFA was only made aware of the breach when American intelligence agents noticed the stolen documents being sold on the dark web and alerted the Portuguese authorities.
This case and the MBDA case therefore highlight the importance of dark web monitoring for organizations of all kinds. Whether it is a military supplier, a government department, an energy company, or a financial institution, the ability to quickly identify data related to the organization being leaked or sold on the dark web provides invaluable time to mitigate the damage of a sensitive data leak.