Dark Web Intelligence Alone Is Complicating Efforts for Nation-State Attribution, Creating a New Reality with Cross-Industry Collaboration
The growing number of election-related events advertised and exposed in Dark Web forums, combined with the frequency of the media coverage they often garner, is complicating efforts to distinguish among official state sponsorship, so-called hacktivism, and independent threat actors showcasing their expertise.
This convergence increases the risk of miscalculation on the part of the aggrieved victim state.
To cut through the hype and provide an assessment that sheds light on the complexity of this troubling trend of interfering in other nations' domestic and foreign affairs through cyber operations, InfoArmor analysts have been monitoring the activities of several threat actors and groups that have been observed in overt displays of election-related mischief.
InfoArmor submits that Dark Web intelligence alone cannot be relied upon to confirm or disconfirm with high confidence whether an actor is operating on behalf of a nation-state. It is our opinion that cyber intelligence industry professionals must remain above the political hysterics to provide expertise to business, academic, government, or industry partners with integrity.
In turn, our potential partners outside of the industry should recognize the calculated risks companies such as InfoArmor take to provide insightful, reliable, and actionable intelligence to our clients. These risk-taking ventures have produced expertise that has enriched the datasets and analyses of our partners and eased the security decision-making burden of our clients.
To illustrate the complexity surrounding the issue of proving or disproving nation-state complicity and attribution in election-related cyber activity, InfoArmor submits three separate and poignant cases of well-organized threat actors and threat actor groups. The threat actors profiled have a broad spectrum of expertise and motivations, sometimes employing tactics similar to those of a state intelligence service, further muddying the waters and complicating the nation-state attribution problem.
KelvinSecTeam: Professional rabble-rousers, hackers, and disruptors for hire
KelvinSecTeam is a probable Russian hacking organization with a robust presence on Deep and Dark Web forums popular with hackers and cybercriminals, with probable team members in Central and South America — and they are growing.
We currently assess that KelvinSecTeam's goal is to showcase their hacking credibility and disrupt for disruption's sake, with most posts focusing on embarrassing information on or about US government, military, political, and business affairs, while escalating its efforts against Central and South American countries. Some of their public disclosures have the potential to put US citizens in harm's way, or, at the very least, the information they expose risks exacerbating political and social tensions for the sake of merely sitting back and watching the chaos unfold.
IA states that it has found no evidence KelvinSecTeam has a particular political agenda or side in a political fight. Moreover, there is no evidence to suggest the group is part of an influence effort sponsored or sanctioned by a nation-state, their similar goals and tradecraft notwithstanding.
For example, in a probable bid to sow chaos and flex their hacker bona fides ahead of the US midterm elections, and in a possible nod to further action, the group offered user details from their compromise of the US political discussion forum website americanpol.com.
The group published email and login details on pastebin.com — a platform popular with hackers, on which they post dumps of proprietary information resulting from hacking into government, business, or an individual's networks or databases. This information has the potential to embarrass forum users by taking statements out of context to accuse either political camp of extremist behavior.
Such tactics and tradecraft are usually indicative of a hostile state intelligence agency’s influence operation — the collection of information about an adversary, as well as the dissemination of propaganda in pursuit of gaining the advantage over an enemy, which includes, but is not limited to, sowing public discord to destabilize otherwise stable societies.
In early December, the group grew its team to include a new account, KelvinSecTeamNew, which posts new hacks and data breaches almost daily. In its inaugural post, the group put up for sale "Airlines Exploit and Vulnerabilities" and advertised an independently unverified sample of what it claimed were hacked US Air Force equities. The group has not offered much specificity as to which airlines or airliners are at risk, suggesting a potential compromise of an underlying developer or vendor.
The new account also posted the sale of a major US credit card intranet database with over 500 users. Although the number of leaked users involved is relatively small compared with some other data dumps, the more significant impact could be on the reputation of this prominent US credit card company.
It is likely that this group will continue to showcase its skillset, sow further chaos, and keep research teams on their toes.
Deep Research Uncovers Government Worker Selling Voter Databases; Documents Consistent with Professional Access
In early October 2018, IA researchers came across an actor selling a voting database belonging to a major European country in a mostly Russian-language Dark Web forum. This set off alarm bells in the minds of our team of researchers and analysts, and a decision was made to investigate further. During the investigation, researchers discovered that this same actor also had a history of selling forged European Union passports.
All of the buyer feedback on the actor was positive, as the actor was very responsive to pre- and post-sale buyer inquiries. Moreover, this actor conducted business exclusively in Russian-language forums, which pointed to a few possibilities: a law enforcement provocation, a political influence campaign, election meddling (nation-state or otherwise), or outright fraud.
IA researchers' investigations further confirmed that the voting database information is authentic and that the actor was not trying to perpetrate a fraudulent transaction. Moreover, we learned that the manner in which the actor ordered the data from the database suggested it was acquired from within the organization's infrastructure, rather than by maliciously deploying malware to acquire it.
Shortly after that, and due to some tradecraft errors on the part of the actor, IA researchers learned the probable true identity of the actor selling the voting database and scanned EU passports. With medium confidence, IA researchers identified a government employee who had access to, and was cleared for, the information being sold in the Dark Web forums.
This is where it gets complicated and dangerous for the actor or actors involved, the buyers, and industry analysts alike. Where do the actions of this actor “fit”? In this case, our researchers were able to pull on a thread that returned an attributable result, but in the overwhelming majority of cases there is a lot of credible smoke without a clear view of the nation-state fire.
Hacktivists conduct their own foreign policy, claim to have taken politically significant cyber infrastructure offline
IA researchers recently discovered that known cyber threat actors took to Twitter to advertise an alleged cyber operations campaign against Saudi Arabia. Dubbed #OpJamalKhashoggi, the campaign was claimed as retaliation for the death of Saudi journalist and author Jamal Khashoggi. The actors claimed that the Saudi royal family’s website, a Saudi hosting company, the Saudi Central Bank, and a power plant were “#tangodown.” This means the hacker or the group of like-minded hackers claimed to have attacked the digital infrastructure to the point of forcing it to shut down.
This same group continued its campaign against the African nation of Gabon after the country’s president allegedly flew to Saudi Arabia to seek medical treatment. Whether or not these claims are true, foreign policy disagreements spurring outraged hackers and their fellow travelers to take measures into their own hands has serious implications that affect every nation and its people.
Widespread claims of these vigilante, ad hoc attacks muddy the waters of discussions on state sponsorship, which is likely to complicate efforts by governments to respond proportionately and increase the likelihood of miscalculation.
This incident is an excellent reminder to high-profile companies in all industries — for safety as well as public relations reasons — of the need to monitor social media for possible accusations made against the company or its employees during times of geopolitical tension.
Nation-state complicity in cyber campaigns to meddle in elections, take infrastructure offline, or fan the flames of societal tensions has real implications — and it’s time organizations got sophisticated in how they approach the problem and dispensed with political and tribal hysterics to find the truth.