MandaTORy Threat Intelligence: Clues From the Web

Posted: 3rd September 2015

Criminal activity leaves traces. Sometimes those traces are obvious, and sometimes they’re shrouded by careful planning. But just as investigators of physical crime can piece together small bits of evidence to (often) identify the perpetrator, so too can investigators and analysts in the digital world.

Recently, our CEO, Christopher Ahlberg, wrote an opinion piece for the Christian Science Monitor entitled, “The Value of Unmasking Tor’s Dark Side,” in which he explained how Tor’s exit nodes—the unencrypted entry and exit points—can provide valuable clues about criminal hacker activity.

Recorded Future has concentrated quite a bit of effort in this area and published several articles about our findings, because the exit nodes tell us a lot about the criminals using Tor to try to mask their steps.

“My firm recently honed in on a specific hacker group that unsuccessfully used Tor to hide its activities. We identified their emails, passwords, connections, and the geographic regions where they operated. We know their hacker handles and where they like to trade their information on the open Web,” wrote Ahlberg.

This was all possible because, as Ahlberg explained, Tor connects to the open Web—the same Internet we all use to browse for a new refrigerator or the hottest toys for our kids’ birthdays. While Tor itself anonymizes the user, the websites that users browse to from Tor are not anonymized. By cross-referencing all known Tor exit node Internet Protocol (IP) addresses with other illicit sites, Recorded Future’s analysts have successfully uncovered multiple databases for illegal hacking activity, as well as the likely perpetrators of the activity, based on their hacker names, email addresses, and other identifying information.

This information, pulled together in a bigger picture, then becomes the threat intelligence that can be used to illuminate criminal activity and, if applicable, hunt down the threat actors.

Finding the “breadcrumbs” of information on the open Web (that is to say: threat intelligence) takes time and patience, but doing so provides invaluable clues to identifying criminal hackers, their habits, and their intents, and can help organizations stay one step ahead of the threats.

To learn more about our threat intelligence research on Tor, take a look at:
