
Adam Darrah at ZeroFox describes how geopolitics are transforming the underground economy
Before February 24th, 2022, hackers typically avoided venturing into politics or geopolitics on the dark web. Much of the original intent of the dark web was to house and operate an “underground economy”, where cyber-criminals can exchange and broker goods such as stolen credentials, provide criminal or hacking services, and offer various ransomware strains to leverage for financial gain.
However, the underground economy has grown beyond its original intent; the dark web of today has developed a political consciousness.
The Russia-Ukraine War catalysed this turning point in the dark web ecosystem, especially within the Russian and English-language communities, where geopolitical events now play a significant role in how cyber-criminals behave.
As hackers abandoned their previous reluctance to reveal their political affiliations or choose a side, geopolitics has become a major factor in shaping decisions about which organisations and governments to target, and which tools, techniques and procedures (TTPs) to use.
But what does this look like from the inside of the underground economy? And how are recent geopolitical conflicts impacting the threat landscape for today’s organisations?
The overt alignment of hacktivist communities, cyber-criminals, and ransomware gangs with political ideologies has broken a longstanding pact to put money and reputation above politics. Unlike a few years ago, when geopolitical factors were less prevalent, global circumstances are influencing data sales and shaping cyber-criminal priorities more than ever.
For example, you might see a pro-Palestine threat actor advertising compromised personally identifiable information (PII) of Israel Defense Forces and Israel Security Agency personnel. Threat actors that align themselves with one side of a conflict have a stronger incentive to purchase private, even embarrassing, information about the other “side”. This is a prime example of the increasingly blurred lines between physical and digital conflict, and of how online attacks can further the goals of politically motivated groups.
Who is putting this information up for sale on the dark web? Initial access brokers (IABs) are typically the ones facilitating these deals. IABs capitalise on the needs of these geopolitically incentivised parties; advertising the compromised data for sale rather than sharing it for free underscores that compromised data becomes more valuable once a conflict breaks out, and that brokers will act to maximise their profit.
In the example of compromised PII of parties involved in the Israel-Hamas conflict, the data was priced well above average for the amount of data advertised for sale. The brokers saw their chance, and took it.
The openly political nature of today’s cyber-criminals makes it even more essential for organisations to monitor dark web chatter about their brand and current events to identify risks specific to them.
Threat intelligence is a critical component of this, specifically dark web intelligence. Deep and dark websites aren’t findable on the usual search engines and browsers, meaning this goldmine of data is often missed by traditional security tools. Dedicating resources to monitoring these communities allows companies to better understand their external attack surface and stay ahead of the evolving cyber-threat landscape.
Implementing comprehensive dark web monitoring extends the reach of an organisation’s security team to give them greater insight into emerging threats and hopefully, stop them before they become a problem.
Oftentimes, the first indicator that an organisation has been compromised is when their information – such as leaked or stolen data, compromised or breached credentials, intellectual property, and other sensitive materials – shows up for sale on a dark web forum. By the time this makes it to the regular internet, news of the hack becomes accessible to the general public, leaving compromised organisations scrambling for a plan to mitigate the geopolitical, financial, and reputational damage that comes with an uncontained security incident.
The growing political consciousness of the dark web makes having this insight even more crucial, as threat actors can and will use geopolitical conflict to their advantage. Once again, information appearing on the dark web might be the first sign something is amiss. When looking at global conflicts such as wars, missing the signs of an impending attack can put human lives on the line. The need to convert intelligence into actionable strategies is undeniable.
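The monitoring described above boils down to watching forum listings for an organisation's own identifiers and deciding which hits deserve a response first. The following is an added example (not ZeroFox's tooling and not code from this article) of that triage step: a constructed watchlist for a hypothetical organisation "Acme Payments", constructed sample listings, and a scoring routine that ranks hits by what is being sold, whether it carries a price (an IAB-style sale rather than a free dump) and whether the post is politically framed. The organisation name, domains, category phrases and severity weights are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed watchlist for a hypothetical organisation. Real deployments would
# load this from an asset inventory (brands, domains, executive names, product names).
WATCHLIST = {
    "brand": ["acme payments", "acmepay"],
    "domains": ["acmepay.example", "acme-payments.example"],
}

# Phrases that commonly signal what a listing is selling (assumed, illustrative).
CATEGORY_PATTERNS = {
    "credentials": r"\b(credentials?|logins?|passwords?|combo ?lists?|stealer logs?)\b",
    "initial_access": r"\b(rdp|vpn|citrix|domain admin|initial access|shell access)\b",
    "pii": r"\b(pii|ssn|passport|personnel (list|records?)|dob)\b",
    "source_code": r"\b(source code|repo(sitory)?|git dump)\b",
}

# Assumed severity weights: access for sale is the most urgent finding.
SEVERITY = {"initial_access": 4, "credentials": 3, "source_code": 3, "pii": 2}

PRICE_PATTERN = r"\$\s?\d+|\b\d+(\.\d+)?\s?(usd|btc|xmr)\b"
POLITICAL_PATTERN = r"\b(hacktivists?|pro-\w+|anti-\w+|for the cause)\b"


@dataclass
class Alert:
    post_id: str
    matched_terms: list
    categories: list
    priced: bool
    political_framing: bool
    score: int


def triage_post(post_id, text, watchlist=WATCHLIST):
    """Return an Alert if the post mentions a watched term, otherwise None."""
    lowered = text.lower()
    matched = sorted(term for terms in watchlist.values() for term in terms if term in lowered)
    if not matched:
        return None
    categories = [cat for cat, pat in CATEGORY_PATTERNS.items() if re.search(pat, lowered)]
    priced = re.search(PRICE_PATTERN, lowered) is not None
    political = re.search(POLITICAL_PATTERN, lowered) is not None
    # Score: category severity plus one point per matched identifier, plus one if priced.
    score = sum(SEVERITY.get(c, 1) for c in categories) + len(matched) + (1 if priced else 0)
    return Alert(post_id, matched, categories, priced, political, score)


def triage_feed(posts):
    """Triage a list of (post_id, text) pairs and return alerts, highest score first."""
    alerts = [a for a in (triage_post(pid, text) for pid, text in posts) if a is not None]
    return sorted(alerts, key=lambda a: a.score, reverse=True)


# Constructed sample listings (not real forum posts).
SAMPLE_POSTS = [
    ("p1", "Selling RDP + VPN access to acmepay.example, domain admin, 2k hosts. $3500 USD, escrow ok."),
    ("p2", "Fresh combolist 40M lines mixed EU providers, free for members."),
    ("p3", "Acme Payments internal source code repo dump, 12GB. 0.5 BTC."),
    ("p4", "Hacktivist crew leaking Acme Payments staff PII (passport scans, DOB) for the cause - free."),
]

if __name__ == "__main__":
    for alert in triage_feed(SAMPLE_POSTS):
        print(alert)
```

Post p2 produces no alert because it names none of the watched identifiers, which is the point of a watchlist: the analyst's queue only contains listings that reference the organisation. The political-framing flag does not raise the score on its own; it is carried as context so an analyst can see when a listing is aimed at buyers motivated by a conflict rather than by resale value alone.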
The good news is that actionable intelligence is a reality today; recent advancements in AI have made, and will continue to make, this process more automated, lightening the load for security teams.
As the digital battleground associated with geopolitical conflict continues to grow, this combination of intelligence and action makes organisations unstoppable against threats found on the dark web.
Adam Darrah is Senior Director of Dark Ops at ZeroFox