<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>Recorded Future</title>
        <link>https://www.recordedfuture.com/feed/research</link>
        <description>Real-Time Security Intelligence</description>
        <lastBuildDate>Tue, 27 Jun 2023 00:00:00 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>Recorded Future, Inc.</generator>
        <language>en</language>
        <copyright>Copyright © 2022 Recorded Future, Inc.</copyright>
        <item>
            <title><![CDATA[The Escalating Global Risk Environment for Submarine Cables]]></title>
            <link>https://www.recordedfuture.com/escalating-global-risk-environment-submarine-cables</link>
            <guid>https://www.recordedfuture.com/escalating-global-risk-environment-submarine-cables</guid>
            <pubDate>Tue, 27 Jun 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore the rising global risks to submarine cables from geopolitical tension, cyber threats, and expanding tech giant ownership.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Insikt Group research examines the complex and dynamic risk environment of submarine cables, the information superhighways that underpin the global economy and facilitate worldwide telecommunications. The rapid expansion of the submarine cable network in the 21st century, driven by data demands, cloud computing, and the needs of hyperscalers like Amazon, Google, Meta, and Microsoft, must contend with converging geopolitical, physical, and cyber threats. State actors pose the greatest threat in terms of sabotage and spying, followed by non-state actors like hacktivists and ransomware groups, who pose a less capable and lower likelihood threat to the networks and operating systems that submarine cables rely upon. Accidental damage from ships and fishing vessels is more frequent but less impactful.</p><p><img src="https://cms.recordedfuture.com/uploads/escalating_global_risk_001_e6df8bfbd7.png" alt="escalating-global-risk-001.png"><em>Map of submarine cables as of May 16, 2023 (Source: TeleGeography&#39;s <a href="https://www.submarinecablemap.com/">Submarine Cable Map</a>)</em></p><p>Major geopolitical developments, specifically Russia&#39;s conflict with Ukraine, China&#39;s preparations for potential forceful unification with Taiwan, and the deterioration of US-China relations, are likely to fuel physical attacks and intelligence collection efforts against submarine cables. Notably, Russia has shown intent to map the submarine cable system in the Atlantic Ocean and North Sea, very likely for potential sabotage. The impact of these attacks will vary widely, ranging from intermittent traffic disruptions to widespread outages that take days or weeks to resolve, depending on the redundancy and resiliency of the affected network. State actors seeking an espionage edge will almost certainly target the entire submarine cable ecosystem for intelligence collection: landing station infrastructure, the submarine cables themselves, third-party providers, and the hardware and software that knits it all together.</p><p>Other major developments in the production, ownership, and operation of submarine cables have introduced new geopolitical challenges and created potential vulnerabilities. The rise of Chinese state-owned enterprises as cable owners, operators, and producers has elevated concerns over digital surveillance, while the expanding ownership stakes by hyperscalers have brought forward questions about market monopolies and digital sovereignty. Finally, the pursuit of expanded bandwidth capacity within the submarine cable industry has led to the adoption of advanced network management systems, which could be exploited for cyberattacks.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0627.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/escalating_global_risk_main_987e9e8dfe.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[North Korea’s Cyber Strategy]]></title>
            <link>https://www.recordedfuture.com/north-koreas-cyber-strategy</link>
            <guid>https://www.recordedfuture.com/north-koreas-cyber-strategy</guid>
            <pubDate>Fri, 23 Jun 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group analysis reveals that North Korea uses a cyber strategy centered around aggressive data collection and financial theft to primarily target Asia.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>New research by Recorded Future&#39;s Insikt Group examines North Korea&#39;s cyber strategy. Despite the ever-increasing number of cyberattacks publicly attributed to North Korea, the regime does not publish an official cyber-strategy doctrine. North Korea&#39;s cyber strategy is focused on aggressive information collection and financial theft operations to support its goals of maintaining the Kim family dynasty and unifying the Korean peninsula under its leadership. The regime conducts information collection to gain insights into the thinking of its adversaries and to access technology that can provide an advantage during times of conflict. Financial theft is used to fund the regime&#39;s activities, including its nuclear and missile programs. Despite its centralized leadership system, North Korea creatively targets a wide range of industries across different countries.</p><p>A quantitative analysis of 273 cyberattacks attributed to North Korean state-sponsored threat actors reveals that the regime primarily engages in cyber espionage and financial theft activities. While it has the capability to conduct disruptive or destructive cyberattacks, it rarely does so. South Korea and the United States are the most common targets, but North Korean threat actors have a global reach, targeting entities in at least 29 countries. Cryptocurrency heists are on the rise, but espionage remains the primary goal of North Korean cyberattacks.</p><p><img src="https://cms.recordedfuture.com/uploads/north_koreas_cyber_strategy_001_9afe035e8e.png" alt="north-koreas-cyber-strategy-001.png"><em>Breakdown of industry verticals of victims grouped by North Korean state-sponsored threat actors</em></p><p>North Korea&#39;s cyber strategy is part of its larger asymmetric strategy to achieve the perpetuation of the regime and the unification of the Korean peninsula. The regime has invested in STEM education and nurtures talented individuals in computer science. Students are sent to domestic and international institutions for further education and exposure to technology not easily accessible in North Korea due to sanctions. The regime also deploys IT workers for online services and freelance platforms, which may overlap with cyber operators.</p><p>The report presents a comprehensive analysis of cyberattacks attributed to North Korean state-sponsored threat actors. It examines the threat actor groups involved, their targets, the purpose of the attacks, and geographical distribution. Kimsuky is the most common threat group, followed by Lazarus Group and APT37. The data set covers attacks from 2009 to 2023, with a significant increase in the number of reported cyberattacks from 2016 onwards. Kimsuky&#39;s activity has seen a dramatic increase in recent years.</p><p>Overall, North Korea&#39;s cyber strategy is focused on information collection, financial theft, and espionage. The regime has developed a considerable cyber capability and targets various industries globally. However, destructive cyberattacks are rare, and the regime continues to invest in training cyber operators to further its strategic goals.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-nk-2023-0622.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2023_0620_North_Korea_s_Cyber_Strategy_Main_Feature_96145be877.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities]]></title>
            <link>https://www.recordedfuture.com/bluedelta-exploits-ukrainian-government-roundcube-mail-servers</link>
            <guid>https://www.recordedfuture.com/bluedelta-exploits-ukrainian-government-roundcube-mail-servers</guid>
            <pubDate>Tue, 20 Jun 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[A new report details a campaign by the threat actor, BlueDelta, likely intended to enable intelligence-gathering to support Russia’s invasion of Ukraine.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Recorded Future&#39;s Insikt Group, in partnership with Ukraine&#39;s Computer Emergency Response Team (CERT-UA), has uncovered a campaign targeting high-profile entities in Ukraine that was cross-correlated with a spearphishing campaign uncovered by Recorded Future&#39;s Network Traffic Intelligence. The campaign leveraged news about Russia&#39;s war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers (an open-source webmail software), using <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-35730">CVE-2020-35730</a>, without engaging with the attachment. We found that the campaign overlaps with historic BlueDelta activity exploiting the Microsoft Outlook zero-day vulnerability <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-23397">CVE-2023-23397</a> in 2022.</p><p>The BlueDelta activity, identified by Insikt Group, appears to have been operational since November 2021. The campaign overlaps with activity <a href="https://cert.gov.ua/article/4905829">attributed</a> by CERT-UA to APT28 (also known as Forest Blizzard and Fancy Bear), which multiple Western governments attribute to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). In this operation, BlueDelta primarily targeted Ukrainian organizations, including government institutions and military entities involved in aircraft infrastructure.</p><p>The BlueDelta campaign used spearphishing techniques, sending emails with attachments exploiting vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) in Roundcube to run reconnaissance and exfiltration scripts, redirecting incoming emails and gathering session cookies, user information, and address books. The attachment contained JavaScript code that executed additional JavaScript payloads from BlueDelta-controlled infrastructure. The campaign displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients. The spearphishing emails contained news themes related to Ukraine, with subject lines and content mirroring legitimate media sources.</p><p><img src="https://cms.recordedfuture.com/uploads/bluedelta_exploits_ukrainian_government_001_4551bbfd5e.png" alt="bluedelta-exploits-ukrainian-government-001.png"><em>BlueDelta Outlook and Roundcube spearphishing infection chain overlap</em></p><p>BlueDelta has demonstrated a long-standing interest in gathering intelligence on entities in Ukraine and across Europe, primarily among government and military/defense organizations. The most recent activity very likely represents a continued focus on these entities and specifically those within Ukraine. We assess that BlueDelta activity is likely intended to enable military intelligence-gathering to support Russia&#39;s invasion of Ukraine and believe that BlueDelta will almost certainly continue to prioritize targeting Ukrainian government and private sector organizations to support wider Russian military efforts.</p><p>Recorded Future&#39;s collaboration with CERT-UA further emphasizes the importance of partnerships between industry and governments to enable collective defense against strategic threats, in this case Russia&#39;s war against Ukraine.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0620.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/bluedelta_exploits_ukrainian_government_main_44a532e5b0.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[North Korea-Aligned TAG-71 Spoofs Financial Institutions in Asia and US]]></title>
            <link>https://www.recordedfuture.com/north-korea-aligned-tag-71-spoofs-financial-institutions</link>
            <guid>https://www.recordedfuture.com/north-korea-aligned-tag-71-spoofs-financial-institutions</guid>
            <pubDate>Tue, 06 Jun 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[TAG-71, linked to North Korea's APT38, targets global finance & venture firms, risking sensitive info exposure and business disruption.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Insikt Group has discovered malicious cyber threat activity spoofing several financial institutions and venture capital firms in Japan, Vietnam, and the United States. The group responsible, referred to as Threat Activity Group 71 (TAG-71), has significant overlaps with the North Korean state-sponsored APT38. Between September 2022 and March 2023, Insikt Group discovered 74 domains and 6 malicious files associated with TAG-71&#39;s activities.</p><p>TAG-71 has previously been observed spoofing domains belonging to financial firms and cloud services in Japan, Taiwan, and the United States. In March 2022, Insikt Group identified 18 malicious servers tied to TAG-71, which were also linked to the publicly reported CryptoCore campaign. These servers were used for malware delivery, phishing, and command and control operations, often impersonating popular cloud services and cryptocurrency exchanges.</p><p>The North Korean government has a history of financially motivated intrusion campaigns, targeting cryptocurrency exchanges, commercial banks, and e-commerce payment systems worldwide. TAG-71&#39;s recent activities align with this pattern, indicating North Korea&#39;s ongoing efforts to generate funds while facing international sanctions. 
The spoofing of investment banking and venture capital firms poses risks such as exposure of sensitive information, legal consequences, disrupted negotiations, or damage to strategic investment portfolios.</p><p><img src="https://cms.recordedfuture.com/uploads/TAG_71_001_4547f282be.png" alt="TAG-71-001.png"><em>Select IOCs for TAG-71 mapped to the Diamond Model in the Recorded Future Intelligence Cloud</em></p><p>To mitigate TAG-71&#39;s activities, Insikt Group recommends configuring intrusion detection systems to block connections to the IP addresses and domains associated with the group. Clients of Recorded Future, Insikt Group&#39;s parent company, should also block command and control servers logged in the Command and Control Security Control Feed. Additionally, organizations should enforce security awareness among employees and customers to recognize phishing attempts, suspicious domains, and fraudulent documents. Monitoring for domain abuse and initiating takedowns of fraudulent domains through Recorded Future&#39;s Brand Intelligence module is also advised.</p><p>Overall, TAG-71&#39;s campaign aligns with North Korean state-sponsored threat actors&#39; past activities, posing risks to financial and investment firms and their customers. Implementing the recommended mitigation measures can help protect organizations from these malicious activities.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0606.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/north_korea_aligned_tag_71_spoofs_financial_institutions_0a34ec15cd.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Private Eyes: China’s Embrace of Open-Source Military Intelligence]]></title>
            <link>https://www.recordedfuture.com/private-eyes-chinas-embrace-open-source-military-intelligence</link>
            <guid>https://www.recordedfuture.com/private-eyes-chinas-embrace-open-source-military-intelligence</guid>
            <pubDate>Thu, 01 Jun 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Using advanced technology, the People's Liberation Army (PLA) leverages open-source intelligence (OSINT) for military advantage.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>The People&#39;s Liberation Army (PLA) is using new collection, processing, and analysis technologies to exploit the massive amount of open-source information available from the internet and other sources for military intelligence purposes. A growing ecosystem of private companies, state-owned enterprises, state-run research organizations, and universities is supporting the PLA&#39;s push to leverage open-source intelligence (OSINT) by providing research services, platforms, and data. The PLA almost certainly views OSINT as an increasingly valuable source of military intelligence that can support decision-making and necessitates the use of new collection, processing, and analysis technologies, which the PLA and China&#39;s defense industry are actively developing.</p><p>The PLA and China&#39;s defense industry almost certainly take advantage of other countries&#39; open information environments to extract OSINT from foreign governments, militaries, universities, defense industry companies, scientific research organizations, think tanks, news media outlets, social media platforms, forums, individuals, commercial data providers, print media, radio broadcasts, satellites, and other sources. This OSINT almost certainly provides the PLA insight into foreign military capabilities, facilities, doctrine, decision-making, weapons, equipment, science and technology, exercises, training, intelligence, and deployments, providing a clear intelligence advantage.</p><p>In addition to supporting decision-making, Chinese observers have suggested more specific uses for military OSINT as well, such as carrying out long-range maritime target tracking, enabling early warning of crises, supporting precision strikes, countering enemy propaganda, facilitating domestic science and technology innovation, and supporting training and talent development.</p><p>This report profiles 5 private Chinese OSINT providers that serve the PLA, including providers that mainly sell platform and database products, providers that primarily offer research and analysis services, and providers that specialize in remote sensing data. The PLA very likely uses this data to support decision-making and better understand potential foreign adversaries in preparation for future conflicts. Given that China is very unlikely to open up its information environment, and that Western countries are very unlikely to close off their information environments, the PLA will very likely maintain its advantage over Western militaries in OSINT.</p><p>To read the entire analysis with endnotes, as well as receive more information about the author, Zoe Haver, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0601.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/private_eyes_chinas_embrace_open_source_military_intelligence_a1c40b59b1.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[I Have No Mouth, and I Must Do Crime]]></title>
            <link>https://www.recordedfuture.com/i-have-no-mouth-and-i-must-do-crime</link>
            <guid>https://www.recordedfuture.com/i-have-no-mouth-and-i-must-do-crime</guid>
            <pubDate>Thu, 18 May 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Explore deepfake voice cloning as an emerging AI threat, its potential impact, and how it's abused by cybercriminals in various attack scenarios.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Deepfake voice cloning technology is an emerging risk to organizations, representing the evolution in the convergence of artificial intelligence (AI) threats. When leveraged in conjunction with other AI technologies, such as deepfake video technology, text-based large language models (LLMs, such as GPT), generative art, and others, the potential for impact increases. Voice cloning technology is currently being abused by threat actors in the wild. It has been shown to be capable of defeating voice-based multi-factor authentication (MFA), enabling the spread of misinformation and disinformation, and increasing the effectiveness of social engineering.</p><p>As outlined in our January 26, 2023, report <a href="https://www.recordedfuture.com/i-chatbot">I, Chatbot</a>, open-source or freemium AI platforms lower the barrier to entry for low-skilled and inexperienced threat actors seeking to break into cybercrime. These platforms&#39; ease of use and out-of-the-box functionality enable threat actors to streamline and automate cybercriminal tasks that they may not be equipped to act upon otherwise. One of the most popular voice cloning platforms on the market is ElevenLabs (elevenlabs[.]io), a browser-based text-to-speech (T2S; TTS) software that allows users to upload custom voice samples for a premium fee. Voice cloning technologies, such as ElevenLabs, lower the barrier to entry for inexperienced English-speaking cybercriminals seeking to engage in low-risk impersonation schemes and provide opportunities for more sophisticated actors to undertake high-impact fraud. Threat actors have begun to monetize voice cloning services, including developing their own cloning tools that are available for purchase on Telegram, leading to the emergence of voice-cloning-as-a-service (VCaaS).</p><p><img src="https://cms.recordedfuture.com/uploads/have_no_mouth_001_dfb44c0d41.png" alt="have-no-mouth-001.png"><em><strong>References to voice cloning on dark web sources significantly increase from May 2020 to May 2023</strong></em></p><p>Voice cloning samples that surface on social media, messaging platforms, and dark web sources often leverage the voices of public figures, such as celebrities, politicians, and internet personalities (influencers), and are intended to create either comedic or malicious content. This content, which is often racist, discriminatory, or violent by nature, enables the spread of disinformation, as users on social media are sometimes deceived by the high quality of the voice cloning sample.</p><p>In order to mitigate current and future threats, organizations must address the risks associated with voice cloning while such technologies are in their infancy. Risk mitigation strategies need to be multidisciplinary, addressing the root causes of social engineering, phishing and vishing, disinformation, and more. Voice cloning technology is still leveraged by humans with specific intentions; it does not conduct attacks on its own. Therefore, adopting a framework that educates employees, users, and customers about the threats it poses will be more effective in the short term than fighting abuse of the technology itself, which should be a long-term strategic goal.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0518.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/i_have_no_mouth_and_i_must_do_crime_5f42a07a66.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[OilAlpha: A Likely Pro-Houthi Group Targeting Entities Across the Arabian Peninsula]]></title>
            <link>https://www.recordedfuture.com/oilalpha-likely-pro-houthi-group-targeting-arabian-peninsula</link>
            <guid>https://www.recordedfuture.com/oilalpha-likely-pro-houthi-group-targeting-arabian-peninsula</guid>
            <pubDate>Tue, 16 May 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group tracks OilAlpha, a threat group targeting NGOs, media, and others interested in Yemen. Predominantly using Android RATs and DDNS for C2, it's likely pro-Houthi.]]></description>
            <content:encoded><![CDATA[<p>Since May 2022, Insikt Group has tracked an ongoing campaign by the threat group OilAlpha, which we are linking to threat actors that likely support a pro-Houthi movement agenda.</p><p>The group is highly likely to have targeted entities associated with the non-governmental, media, international humanitarian, and development sectors. It is almost certain that the entities targeted shared an interest in Yemen, security, humanitarian aid, and reconstruction matters. The group&#39;s operations have reportedly included targeting persons attending Saudi Arabian government-led negotiations, coupled with the use of spoofed Android applications mimicking entities tied to the Saudi Arabian government and a UAE humanitarian organization (among others). As of this writing, we suspect that the attackers targeted individuals the Houthis wanted direct access to.</p><p><img src="https://cms.recordedfuture.com/uploads/Oil_Alpha_001_51462e5c96.png" alt="OilAlpha-001.png"><img src="https://cms.recordedfuture.com/uploads/Oil_Alpha_002_0b2482e2b8.png" alt="OilAlpha-002.png"><img src="https://cms.recordedfuture.com/uploads/Oil_Alpha_003_17f06fa560.png" alt="OilAlpha-003.png"><em>Messages reportedly sent to targets from Saudi Arabian telephone numbers (Source: Meta <a href="https://www.facebook.com/adenfree/photos/pcb.5489087581123113/5489087411123130/">1</a>, <a href="https://www.facebook.com/adenfree/photos/pcb.5489087581123113/5489087484456456">2</a>, <a href="https://www.facebook.com/adenfree/photos/pcb.5489087581123113/5489087481123123">3</a>)</em></p><p>OilAlpha has almost exclusively relied on infrastructure associated with the Public Telecommunication Corporation (PTC), a Yemeni government-owned enterprise reported to be under the direct control of the Houthi authorities. OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets. It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices.</p><p>OilAlpha threat actors are highly likely to be involved in espionage activity, as handheld devices were targeted with remote access tools (RATs) like SpyNote and SpyMax. We have also observed njRAT samples communicating with C2s associated with this group, making it likely that OilAlpha has used other malware for testing or attack operations.</p><p>Barring the discovery of new information or broader geostrategic shifts, OilAlpha is likely to continue to use malicious Android-based applications to target entities that share an interest in Yemen&#39;s political and security developments and the humanitarian and NGO sectors that operate in Yemen.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0516.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/oilalpha_likely_pro_houthi_group_targeting_arabian_peninsula_2aebae6036.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Latin America's Second "Pink Tide" Opens Avenues for Iranian Influence]]></title>
            <link>https://www.recordedfuture.com/latin-americas-second-pink-tide-opens-avenues-iranian-influence</link>
            <guid>https://www.recordedfuture.com/latin-americas-second-pink-tide-opens-avenues-iranian-influence</guid>
            <pubDate>Thu, 11 May 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Discover how Iran gains influence in Latin America through soft power, strategic partnerships, and leveraging online media and cultural centers.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p>Latin America is currently experiencing a resurgence of the political left and far left, as left-leaning and far-left leaders now govern the majority of countries in the region. We define the start of this resurgence, sometimes termed a second <a href="https://www.aljazeera.com/opinions/2022/10/23/the-us-can-no-longer-ignore-change-in-latin-america">Pink Tide</a> (the first having occurred in the early 2000s), as December 2018, when Mexican president Andrés Manuel López Obrador entered office; his election was the first in a wave of notable left-wing electoral victories in Latin America. As Latin America trends left, it also increasingly rejects United States (US) influence, which formerly played an outsized role in regional affairs, thereby opening avenues for China, Russia, and Iran to expand their activities in the region. While <a href="https://www.cfr.org/backgrounder/china-influence-latin-america-argentina-brazil-venezuela-security-energy-bri">Chinese</a> and <a href="https://carnegieendowment.org/2018/05/03/russia-playing-geopolitical-game-in-latin-america-pub-76228">Russian</a> diplomacy and investments in Latin America have been examined extensively, less has been made of Iran&#39;s efforts to deepen its ties to the region. Iran&#39;s activities in Latin America deserve close analysis in light of the Iranian government&#39;s persistently <a href="https://www.unitedagainstnucleariran.com/irans-malign-intelligence-activities">malign</a> and destabilizing activities and its government&#39;s <a href="https://www.state.gov/reports/country-reports-on-terrorism-2020/iran/#:~:text=Designated%20as%20a%20State%20Sponsor,elsewhere%20throughout%20the%20Middle%20East.">sponsorship</a> of terrorism.</p><p>In light of changing leadership in Latin America, Iran has found new opportunities to increase its political and economic footprint, especially in Brazil, Colombia, Argentina, and Chile. At the same time, Iran has strengthened ties with its steadfast allies, Venezuela, Cuba, and Nicaragua. Most notably, Iran and Venezuela have significantly increased their energy trade to circumvent and mitigate sanctions.</p><p><img src="https://cms.recordedfuture.com/uploads/pink_tide_001_2828148bad.png" alt="pink-tide-001.png"><em>Venezuelan president Nicolás Maduro and Iranian president Ebrahim Raisi meet in Tehran, June 2022 (Source: <a href="https://www.aljazeera.com/news/2022/6/11/iran-venezuela-sign-20-year-cooperation-plan-during-maduro-visit">Aljazeera</a>)</em></p><p>In Latin America, Tehran seeks to expand trade relationships to mitigate the effects of US sanctions and ensure food security, and to develop political partnerships to widen its sphere of influence. Iran will almost certainly seek to increase trade relationships, cooperation agreements, and diplomatic engagements with its steadfast allies in the region, and continue to make inroads with powerful democracies led by left-wing governments, especially Brazil, Argentina, Colombia, and Chile.</p><p>Iran will very likely continue to capitalize on opportunities presented by left-wing and anti-American leaders in Latin America to further expand its presence in the region, with a focus on energy deals and other economic partnerships. Outside of government-to-government channels, Iran gains influence in the region through online media, including covert state-sponsored information operations on social media, and influences Latin American audiences through Iran-backed cultural and religious centers. In June 2022, Iran also <a href="https://beforeitsnews.com/global-unrest/2022/10/brazil-iran-relations-set-to-boost-as-tehran-advances-brics-admission-process-2536587.html">applied</a> for membership to the BRICS group of countries, comprising Brazil, Russia, India, China, and South Africa. If Iran is able to gain membership, it will likely use this status, along with other multilateral bodies, to legitimize its presence in Latin America and appear as a responsible and influential power broker.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0511.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/latin_americas_second_pink_tide_opens_avenues_iranian_influence_9fc728c7f5.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Xiaoqiying/Genesis Day Threat Actor Group Targets South Korea, Taiwan]]></title>
            <link>https://www.recordedfuture.com/xiaoqiying-genesis-day-threat-actor-group-targets-south-korea-taiwan</link>
            <guid>https://www.recordedfuture.com/xiaoqiying-genesis-day-threat-actor-group-targets-south-korea-taiwan</guid>
            <pubDate>Thu, 20 Apr 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group shares research on Xiaoqiying (Genesis Day, Teng Snake), a Chinese hacktivist group, targeting South Korean, Japanese, and Taiwanese organizations.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="Primary Logo - Insikt - Digital (RGB).png"></p><p>Xiaoqiying (aka Genesis Day, Teng Snake) is a primarily Chinese-speaking threat group best known for conducting website defacement and data exfiltration attacks on more than a dozen South Korean research and academic institutions in late January 2023. New research from Recorded Future's Insikt Group has found that, more recently, the group's affiliated threat actors have signaled a new round of cyberattacks against organizations in Japan and Taiwan. Although it shows no clear ties to the Chinese government, Xiaoqiying is staunchly pro-China and vows to target NATO countries as well as any country or region it deems hostile to China.</p><p>Since January 25, 2023, open-source reporting from South Korea has revealed a mass cyberattack by Xiaoqiying against websites belonging to 12 South Korean research and academic institutions during the Lunar New Year holiday. According to Korea Internet &amp; Security Agency (KISA) reports, all 12 websites were defaced: the adversaries replaced each hosted website with their own content on the compromised server. KISA also traced IP addresses linked with the attack to various countries, including China, the US, Singapore, and Taiwan. Based on a <a href="https://www.koreatimes.co.kr/www/nation/2023/01/113_344179.html">report</a> from The Korea Times (koreatimes.co.kr), the threat group disclosed on its public Telegram channel that it had included KISA among its potential targets; KISA is the first government agency targeted by the group. 
Other reports claimed that the threat group threatened to target approximately 2,000 government agencies, including South Korea's Ministry of Culture, Sports, and Tourism.</p><p>Our analysis of Xiaoqiying's activity on Telegram is based on two Telegram invitation links obtained in early January 2023. The Genesis Day threat group was active on Telegram until February 2023, when news of its alleged breaches reached the media; both Telegram channels then went offline. The two channels, an announcement channel and a member channel, consisted primarily of Chinese-speaking users. From analyzing the downloaded data, we identified the threat group's administrators, the tools and data shared among members, the tactics, techniques, and procedures (TTPs) used by the group, and its connections with other special-access cybercriminal forums and threat actors. We also assessed the credibility of its offers and predicted the group's likely future course of action.</p><p><img src="https://cms.recordedfuture.com/uploads/Xiaoqiying_001_0f8a1c3afa.png" alt="Xiaoqiying-001.png"></p><p style="font-size: 1rem; font-style: italic;">The new year message posted by Genesis Day on December 31, 2022, served as a summary of the group's activities in 2022 and a call to action for 2023. The English translation is provided below. (Source: Telegram)</p><p style="font-size: 1rem; font-style: italic;">In the upcoming year, this channel will plan to launch another round of operations against NATO members and related countries/regions that are hostile to China, to paralyze the network and infrastructure of these countries. We are actively cooperating with our global allies and APT members; our partners include but are not limited to APT 35, Corecode [sic], Anonymous, Lapsus, Hive, Pakistani APTs, Russian APTs, Solitbit.ares [sic], Prynt Stealer. A world without China would be a meaningless world, we are only trying to restore this country to her rightful place. 
We strive to wield our swords at the dawn of this new era. You are welcome to join us, expect us.</p><p style="font-size: 1rem; font-style: italic;">Happy New Year everyone</p><p>The group claimed responsibility for several unverified cyberattacks before the confirmed intrusions against numerous South Korean organizations in January and February 2023; as a result, we rate its credibility as moderate. It shared penetration testing tools, malware, proofs of concept and exploits, and leaked data, and it claimed working relationships with some well-known cybercriminal and APT groups around the world. The group appears ambitious and is actively recruiting individuals with hacking skills.</p><p>The most recent postings by its affiliated threat actors on special-access forums show that it has possibly compromised new targets in Japan and Taiwan and has signaled a new round of cyberattacks against these countries. We recommend that organizations possibly targeted by this group, especially education, research, and government organizations in the Asia-Pacific region, maintain a frequent patching cadence for their internet-facing devices and disable any unnecessary remote access tools.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0420.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/xiaoqiying_genesis_day_threat_actor_group_targets_south_korea_taiwan_477843c21b.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Joker DPR and the Information War]]></title>
            <link>https://www.recordedfuture.com/joker-dpr-and-the-information-war</link>
            <guid>https://www.recordedfuture.com/joker-dpr-and-the-information-war</guid>
            <pubDate>Thu, 06 Apr 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group® reveals new research on Joker DPR, a pro-Russian hacktivist group influencing the Ukraine crisis. Learn about their tactics, impact, and possible ties to the Russian state.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="Primary Logo - Insikt - Digital (RGB).png"></p><p>Recorded Future's Insikt Group examines the pro-Russian hacktivist threat group Joker DPR, which has become more prominent during Russia's ongoing invasion of Ukraine. The group is well known for its alleged cyber activities, which have targeted and publicized sensitive information from Ukrainian military and government web resources, and for its social media presence, which it has exploited to disseminate pro-Russian, anti-Ukrainian propaganda.</p><p>To date, Joker DPR's most significant claim has been an alleged breach of DELTA, a battlefield management system (BMS) that has proven effective for Ukraine's national defense. Joker DPR's alleged breach was unlikely to have been as wide-reaching as the threat group claimed. Nevertheless, it is part of a growing body of evidence suggesting that Joker DPR is deliberately supporting Russia's information war in Ukraine.</p><p><img src="https://cms.recordedfuture.com/uploads/joker_dpr_001_72f75b034c.png" alt="joker-dpr-001.png"><em>Joker DPR is notorious for spreading pro-Russian, anti-Ukrainian propaganda. Here the threat group mocks the death of a pro-Ukrainian fighter in the Donbass.</em></p><p>Based on the alignment of Joker DPR's activities with the goals of Russian influence operations in Ukraine, specifically undermining support for the Armed Forces of Ukraine (AFU) and the Ukrainian government, it is likely that Joker DPR's activities are directed at amplifying Russian information operations in Ukraine, possibly in coordination with the Russian state.</p><p>Joker DPR has cultivated a sophisticated persona. 
Although characterized as an individual in its communications, Joker DPR is likely a threat group that relies on a coordinated human infrastructure of Russia-sympathizing Ukrainians and like-minded threat actors to gather the sensitive information it publishes.</p><p>Joker DPR has built a sizable following on its Telegram channel. As its audience and infrastructure grow, it may gain an increased ability to undermine Ukraine's war effort. Although Ukrainian authorities have not yet targeted Joker DPR, recent events suggest that they will make efforts to identify, arrest, and prosecute members of Joker DPR's network when they have the resources and opportunity to do so, or as the influence and threat level of Joker DPR grows. Although Joker DPR's alleged penetration of DELTA was unlikely to be as wide-reaching as the group claimed, similar activity may lead to increased international scrutiny of pro-Russian hacktivist threat groups.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0406.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/joker_dpr_and_the_information_war_a624380fdb.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets]]></title>
            <link>https://www.recordedfuture.com/with-keyplug-chinas-redgolf-spies-on-steals-from-wide-field-targets</link>
            <guid>https://www.recordedfuture.com/with-keyplug-chinas-redgolf-spies-on-steals-from-wide-field-targets</guid>
            <pubDate>Thu, 30 Mar 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group examines activity attributed to likely the Chinese state-sponsored actor, RedGolf targeting victims with KEYPLUG malware. ]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="Primary Logo - Insikt - Digital (RGB).png"></p><p><em>Recorded Future's Insikt Group has identified a large cluster of new infrastructure associated with use of the custom Windows and Linux backdoor KEYPLUG, attributed to a highly likely Chinese state-sponsored threat activity group tracked as RedGolf. RedGolf closely overlaps with threat activity reported under the aliases APT41/BARIUM and reportedly has targeted US government entities. RedGolf has also reportedly <a href="https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer">boasted</a> of connections to the Chinese Ministry of State Security (MSS), and its members were previously <a href="https://intrusiontruth.wordpress.com/2022/07/23/the-people-behind-chengdu-404/">linked</a> to the Chengdu-based company Chengdu 404 Network Technology.</em></p><p><em>RedGolf remains highly active across a wide range of geographies and is known to target aviation, automotive, education, government, media, information technology, and religious organizations. Organizations of strategic interest to the Chinese government and security services are likely at increased risk of targeting. This report examines the group's recent activity and its tactics, techniques, and procedures, and offers mitigation strategies for organizations.</em></p><p>According to public reporting, RedGolf <a href="https://www.mandiant.com/resources/blog/apt41-us-state-governments">used</a> a Linux version of the custom modular backdoor KEYPLUG to target US state government entities during 2021 and 2022. Insikt Group has identified a wider cluster of KEYPLUG samples and operational infrastructure used by RedGolf from at least 2021 to 2023. We actively track this malicious infrastructure under the name GhostWolf. 
Alongside KEYPLUG, we also identified RedGolf using Cobalt Strike, PlugX, and Dynamic DNS (DDNS) domains, all of which are commonly used by many Chinese state-sponsored threat groups. Insikt Group identified multiple infrastructure overlaps between the GhostWolf cluster and publicly reported APT41/BARIUM campaigns.</p><p><img src="https://cms.recordedfuture.com/uploads/Teeing_Red_Golf_001_784f630661.png" alt="Teeing-RedGolf-001.png"><em>RedGolf infrastructure and TTP (tactics, techniques, and procedures) overlaps with APT41 and BARIUM. (Source: Recorded Future)</em></p><p>RedGolf will continue to target victims with KEYPLUG malware and its derivatives using command-and-control infrastructure spanning a variety of hosting providers. The group has previously used a mixture of traditionally registered domains and DDNS domains, often featuring a technology theme. We believe this TTP will remain relatively unchanged, with the exception of a decrease in DDNS use.</p><p>The use of both Cobalt Strike and PlugX against victim machines by Chinese state-sponsored threat activity groups such as RedGolf is highly likely to <a href="https://www.recordedfuture.com/2022-adversary-infrastructure-report">continue</a>, given the feature set these tools provide, their ready availability, and the ability to obscure responsibility because so many other threat actors use the same tools.</p><p>Recorded Future proactively detects both Cobalt Strike and PlugX servers. We recommend incorporating this feed into blocking lists and/or alerting to prevent infections.</p><p>To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf">click here</a> to download the report as a PDF.</p>]]></content:encoded>
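As an added illustration of the detection angle in the item above, and not code from the report or from Recorded Future: a small Python screen that runs two checks over resolver log records, matching answers against a C2 blocklist feed and flagging hostnames registered under public dynamic-DNS providers. The log lines, blocklist entries and domains are constructed for this example; the DDNS suffixes are assumed well-known provider names, not domains the report attributes to RedGolf.

```python
"""Flag DNS answers that land on a C2 blocklist or use a dynamic-DNS tenant hostname."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: suffixes of well-known public dynamic-DNS providers. Illustrative only;
# the report does not say which DDNS providers RedGolf used.
DDNS_SUFFIXES = ("ddns.net", "duckdns.org", "dynu.net", "hopto.org", "no-ip.org", "myftp.biz")

# Constructed stand-in for a threat-intelligence feed of Cobalt Strike / PlugX servers.
# RFC 5737 documentation addresses and an invented domain, not real indicators.
C2_IP_BLOCKLIST = {"203.0.113.45", "198.51.100.7"}
C2_DOMAIN_BLOCKLIST = {"update.cloud-sync-tech.com"}

# Constructed resolver log, one record per line:
# <timestamp> <client ip> <query name> <query type> <answer>
SAMPLE_LOG = """\
2023-03-30T10:15:01Z 10.0.0.5 www.example.com A 93.184.216.34
2023-03-30T10:15:03Z 10.0.0.5 Update-Cdn-Tech.DDNS.NET. A 203.0.113.45
2023-03-30T10:15:09Z 10.0.0.8 update.cloud-sync-tech.com A 192.0.2.10
2023-03-30T10:16:12Z 10.0.0.9 ddns.net A 198.51.100.200
2023-03-30T10:16:40Z 10.0.0.9 mail.corp.example A 198.51.100.7
2023-03-30T10:17:00Z 10.0.0.5 fakeddns.net A 192.0.2.99
this line is malformed and must be skipped
"""


@dataclass
class Alert:
    client: str
    qname: str
    answer: str
    reasons: List[str] = field(default_factory=list)


def normalize_name(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Host.DDNS.NET.' matches 'host.ddns.net'."""
    return name.strip().rstrip(".").lower()


def ddns_suffix(qname: str) -> Optional[str]:
    """Return the provider suffix when qname is a tenant hostname under it.

    The check requires a label boundary, so the provider apex itself ('ddns.net')
    and look-alikes such as 'fakeddns.net' are not reported.
    """
    for suffix in DDNS_SUFFIXES:
        if qname.endswith("." + suffix):
            return suffix
    return None


def parse_record(line: str):
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed record: skip rather than crash the pipeline
    timestamp, client, qname, qtype, answer = parts
    return timestamp, client, normalize_name(qname), qtype, answer


def analyze(log_text: str) -> List[Alert]:
    """Run both checks over every well-formed record; return alerts in log order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record is None:
            continue
        _, client, qname, _, answer = record
        reasons: List[str] = []
        suffix = ddns_suffix(qname)
        if suffix:
            reasons.append(f"ddns:{suffix}")
        if qname in C2_DOMAIN_BLOCKLIST:
            reasons.append("blocklisted-domain")
        if answer in C2_IP_BLOCKLIST:
            reasons.append("blocklisted-ip")
        if reasons:
            alerts.append(Alert(client, qname, answer, reasons))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The DDNS check on its own is a triage signal rather than a blocking rule, since legitimate users host under the same providers; the second sample record shows the combination worth acting on, a DDNS tenant name resolving to an address already on the C2 feed.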
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/teeing_up_redgolfs_new_operational_keyplug_infrastructure_3d1adbc690.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Russian Sanctions Evasion Puts Merchants and Banks at Risk]]></title>
            <link>https://www.recordedfuture.com/russian-sanctions-evasion-puts-merchants-banks-risk</link>
            <guid>https://www.recordedfuture.com/russian-sanctions-evasion-puts-merchants-banks-risk</guid>
            <pubDate>Thu, 23 Mar 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Uncover how prepaid cryptocurrency cards and mail forwarding services may enable sanctions evasion, putting financial institutions and merchants at risk of secondary sanctions.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0323.pdf">click here</a> to download the report as a PDF.</em></p><h2 id="executive-summary">Executive Summary</h2><p>Cybercriminals devise and execute various workarounds to legalize their illicit income. After international sanctions were leveled against Russia in the wake of Russia's full-scale invasion of Ukraine, ordinary Russian consumers have likely resorted to similar workarounds to obtain goods produced abroad.</p><p>Recorded Future has identified prepaid cryptocurrency virtual credit cards (VCCs) and mail forwarding services, also known as reshippers, as methods that can potentially be exploited to illegally bypass sanctions. International financial institutions and merchants that are indirect participants in these workarounds may be at risk of falling under secondary sanctions. This risk could be greatly reduced by implementing more stringent verification procedures for the services and transactions involved in these workarounds.</p><h2 id="key-findings">Key Findings</h2><ul><li>Many crypto services allow customers to register prepaid cryptocurrency VCCs with minimal or no verification. This lack of verification, together with dark web sources, indicates that these prepaid cryptocurrency VCCs can be used for sanctions evasion.</li><li>Various mail forwarding services allow Russian customers to order goods produced abroad. Purchases and deliveries can be funded through various means, including cryptocurrency and Russian-issued payment cards. 
Although these services publish lists of restricted goods that they claim they are unable to ship, dark web sources indicate that they can be used to receive goods that are subject to export controls.</li><li>We registered a prepaid cryptocurrency VCC using one of the crypto services described above. Open source analysis revealed that the payment card's bank identification number (BIN) was issued by a US financial institution.</li><li>It is likely that additional financial institutions and merchants are also being enlisted as unwitting participants in sanctions evasion schemes that involve prepaid VCCs and mail forwarding services. If so, they may be at risk of secondary sanctions.</li></ul><h2 id="background">Background</h2><p>Beginning on February 24, 2022, the US and 37 other countries implemented sweeping sanctions against Russia in response to its unprovoked invasion of Ukraine. These ongoing sanctions are explicitly intended to degrade Russia's ability to wage war in Ukraine, and they include exhaustive restrictions on the export to Russia of luxury goods ranging from garments and accessories to high-end electronics, spirits, and even billiard sticks. [<a href="https://www.federalregister.gov/documents/2022/03/16/2022-05604/imposition-of-sanctions-on-luxury-goods-destined-for-russia-and-belarus-and-for-russian-and">1</a>, <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2022:087I:FULL&from=FI">2</a>] According to the US Bureau of Industry and Security (BIS), the proscription of these exports is intended to "steadily increase the financial consequences on Russia" as a result of Russia&#39;s invasion of Ukraine. Altogether, these measures appear to be having the desired effect. 
In October 2022, the US Department of State <a href="https://www.state.gov/the-impact-of-sanctions-and-export-controls-on-the-russian-federation/#:~:text=Furthermore%2C%20sanctions%20(administered%20and%20enforced,its%20unjust%20war%20against%20Ukraine.">assessed</a> that US sanctions and export controls have severed Russia's access to key technologies and industrial inputs, eroding its military capability. Similarly, the European Council <a href="https://www.consilium.europa.eu/en/infographics/impact-sanctions-russian-economy/">estimated</a> that Russia's GDP had contracted by anywhere from 2.2% to 3.9% in 2022, undermining Russia's ability to finance its war.</p><p>Governments have not acted in isolation, either. Over 1,000 companies, motivated by a combination of outrage and fear of secondary sanctions, have voluntarily <a href="https://som.yale.edu/story/2022/over-1000-companies-have-curtailed-operations-russia-some-remain">suspended operations</a> in Russia. Among these are Visa and Mastercard, which at the time of their withdrawal controlled about 70% of the Russian debit card market.</p><p>At the same time, technical and legal barriers are unlikely to significantly hamper Russian cybercriminals' efforts to monetize their illicit earnings. We previously <a href="https://www.recordedfuture.com/russian-invasion-of-ukraine-and-sanctions-portend-rise-in-card-fraud">predicted</a> that international sanctions, and the accompanying decisions of private companies to cease or reduce operations in Russia, would likely encourage criminal buyers to reship and resell foreign goods on the Russian market. Any shortage of foreign goods obtained through legitimate sources on the Russian market likely creates corresponding demand for the same goods obtained through illicit sources, which presents cybercriminals with an opportunity to earn increased returns from their fraud cash-out schemes.</p>]]></content:encoded>
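An added worked example, not part of the report above: a Python screen that a merchant or acquirer could run before fulfilling a card-not-present order, implementing the "more stringent verification" the key findings call for. It validates the PAN with the Luhn check, resolves the BIN against a constructed issuer table using longest-prefix matching (so an 8-digit BIN wins over the 6-digit range that contains it), flags prepaid products and issuer-country mismatches, and matches the shipping address against a constructed list of known mail-forwarding addresses. The card numbers are the card networks' published test numbers; the bank names, products, countries and the reshipper address are invented for the example.

```python
"""Screen a card-not-present order: Luhn check, BIN issuer lookup, reshipper address match."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check on a primary account number; spaces are tolerated."""
    compact = pan.replace(" ", "")
    if not compact.isdigit() or not 12 <= len(compact) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Issuer:
    bin_prefix: str
    bank: str
    country: str
    product: str


# Constructed BIN table. The prefixes come from the networks' published test numbers and
# the bank names are invented; a production screen would query a licensed BIN database.
BIN_TABLE = (
    Issuer("411111", "Example Bank NA", "US", "prepaid"),
    Issuer("41111111", "Example Bank NA", "US", "prepaid-virtual"),  # 8-digit BIN, more specific
    Issuer("555555", "Sample Bancorp", "US", "credit"),
    Issuer("220000", "Sample Mir Bank", "RU", "debit"),
)


def normalize_address(address: str) -> str:
    """Collapse case, punctuation and whitespace so trivially re-typed addresses still match."""
    return re.sub(r"[^a-z0-9]+", " ", address.lower()).strip()


# Constructed list of mail-forwarding (reshipper) addresses, stored normalized.
KNOWN_RESHIPPER_ADDRESSES = {
    normalize_address("1200 Freight Way, Suite 4, Wilmington, DE"),
}


def lookup_bin(pan: str) -> Optional[Issuer]:
    """Longest-prefix match, so an 8-digit BIN beats the 6-digit range containing it."""
    digits = pan.replace(" ", "")
    best: Optional[Issuer] = None
    for issuer in BIN_TABLE:
        if digits.startswith(issuer.bin_prefix):
            if best is None or len(issuer.bin_prefix) > len(best.bin_prefix):
                best = issuer
    return best


def screen_order(pan: str, billing_country: str, ship_to_address: str) -> Dict[str, object]:
    """Return a decision ('reject', 'review' or 'accept'), the issuer and the flags raised."""
    if not luhn_valid(pan):
        return {"decision": "reject", "issuer": None, "flags": ["invalid-pan"]}
    issuer = lookup_bin(pan)
    flags: List[str] = []
    if issuer is None:
        flags.append("unknown-bin")
    else:
        if issuer.product.startswith("prepaid"):
            flags.append("prepaid-card")
        if issuer.country != billing_country.upper():
            flags.append("issuer-country-mismatch")
    if normalize_address(ship_to_address) in KNOWN_RESHIPPER_ADDRESSES:
        flags.append("reshipper-address")
    return {
        "decision": "review" if flags else "accept",
        "issuer": issuer.bank if issuer else None,
        "flags": flags,
    }


if __name__ == "__main__":
    print(screen_order("4111 1111 1111 1111", "US", "1200 FREIGHT WAY Suite 4, Wilmington DE"))
```

The combination the report describes, a prepaid virtual card funded with cryptocurrency shipping to a forwarder's address, surfaces here as two flags on one order; either alone is common in legitimate traffic, which is why the screen routes to review rather than declining outright.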
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/russian_sanctions_evasion_puts_merchants_banks_risk_3bd90adbf0.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[IRS Cyberattack Highlights Risk of Tax Refund Fraud]]></title>
            <link>https://www.recordedfuture.com/irs-cyberattack-highlights-risk-of-tax-refund-fraud</link>
            <guid>https://www.recordedfuture.com/irs-cyberattack-highlights-risk-of-tax-refund-fraud</guid>
            <pubDate>Thu, 16 Mar 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group examines an IRS cyberattack allegedly carried out by the threat group Infinity Hackers BY, which highlights the threats posed by tax refund fraud.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0316.pdf">click here</a> to download the report as a PDF.</em></p><h2 id="executive-summary">Executive Summary</h2><p>Tax season began on January 23, 2023, and with it came the return of tax refund fraud.</p><p>Recently, the threat group Infinity Hackers BY claimed to have conducted a successful cyberattack against the IRS. Whether or not the attack actually occurred, the threat group's claim highlights the threat posed by tax refund fraud, also known as stolen identity refund fraud (SIRF). Tax refund fraud occurs when criminals use stolen tax forms and personally identifiable information (PII) to submit fraudulent tax returns with the goal of stealing their victims' tax refunds.</p><p>Tax refund fraud incurs costs for both taxpayers and government agencies, particularly the IRS, and has grown in popularity year on year across the dark web. In recent decades, electronic filing has simplified tax refund fraud: to conduct it, threat actors require only stolen tax forms and PII, which are often available for purchase on dark web sources, along with a fraudulently registered bank account.</p><h2 id="key-findings">Key Findings</h2><ul><li>Tax refund fraud has become an increasingly popular topic on dark web forums. For the past three years, dark web forum posts relating to tax refund fraud have shown year-on-year growth, and in 2022 we observed 78,032 references to the keyword "tax" on dark web marketplaces.</li><li>To conduct tax refund fraud, threat actors must obtain fraudulent or stolen tax forms, victim PII, and a fraudulently registered bank account before they submit a fraudulent tax return. 
Criminal tutorials, guides, references, and paid services simplify each of these tasks, ultimately facilitating tax refund fraud for inexperienced threat actors.</li><li>The availability of the stolen tax forms and PII necessary to conduct tax refund fraud drives its popularity and increases the risk it poses. Both stolen tax forms and associated PII are widely available via breached databases and dark web marketplaces.</li></ul><h2 id="background">Background</h2><p>On January 12, 2023, the US Internal Revenue Service (IRS) announced that the 2023 tax season would begin on January 23, 2023. Tax season is now in full swing, and more than 168 million individual tax returns for the 2022 tax year are expected to be filed, accepted, and processed before the filing deadline of April 18, 2023.</p><p>The return of tax filing season throws <a href="https://www.recordedfuture.com/business-fraud-tax-refund-fraud">tax refund fraud</a>, also known as stolen identity refund fraud (SIRF), into stark relief. By acquiring tax forms and sensitive personally identifiable information (PII) through data breaches, criminal services, and dark web resellers, criminals can file fraudulent tax returns under a victim's name in order to steal their tax refund. Electronic filing means that fraudulent returns can be swiftly submitted and processed, and stolen refunds can easily be deposited into fraudulently registered bank accounts, sent to prepaid payment cards, or even used to fund criminals' crypto accounts.</p><p>According to the US Department of Justice, tax refund fraud "threaten[s] to disrupt the orderly administration of the income tax system for hundreds of thousands of law-abiding taxpayers" and "[has] cost the United States Treasury billions of dollars." SIRF can result in delayed refunds for taxpayers and additional operating costs for the IRS. 
Once the fraud is discovered, victims must go through a daunting administrative process to prove their identities and rectify their situations.</p><p>The IRS recognizes the threat posed by SIRF and has implemented advanced <a href="https://www.irs.gov/newsroom/new-identity-verification-process-to-access-certain-irs-online-tools-and-services">verification</a> measures, <a href="https://www.irs.gov/newsroom/taxpayer-guide-to-identity-theft">encouraged</a> taxpayers to safeguard their personal information and <a href="https://www.irs.gov/faqs/irs-procedures/reporting-identity-theft">report</a> suspicious activity, and even established a dedicated <a href="https://www.irs.gov/individuals/how-irs-id-theft-victim-assistance-works">program</a> to assist taxpayers affected by identity theft. The IRS also issues Identity Protection PINs (<a href="https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin">IP PIN</a>s) to confirmed victims of tax-related identity theft; the PIN is used to verify the taxpayer's identity when they file their tax return.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/irs_cyberattack_highlights_risk_of_tax_refund_fraud_47e79779d1.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[On Ukraine, China Prioritizes Its International Ambitions]]></title>
            <link>https://www.recordedfuture.com/on-ukraine-china-prioritizes-international-ambitions</link>
            <guid>https://www.recordedfuture.com/on-ukraine-china-prioritizes-international-ambitions</guid>
            <pubDate>Wed, 08 Mar 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[New Insikt Group research evaluates China’s position on the war in Ukraine, including its international interests, and support for Russia.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0308.pdf">click here</a> to download the report as a PDF.</em></p><p><em>This report evaluates China's position on the war in Ukraine and its support for Russia, how this position and Beijing's proposed form of peace relate to China's international interests, and whether China is likely to provide lethal aid to Russia. Information about the author, Devin Thorne, can be found at the end of the report.</em></p><h2 id="executive-summary">Executive Summary</h2><p>Recently renewed allegations that China is considering providing lethal aid to Russia contrast starkly with Beijing's calls for peace and its continued assertions that it is "<a href="https://archive.ph/j3aDG">objective and just</a>" regarding the war in Ukraine. Based on a review of China's perspective on the war and what its leaders likely hope to achieve, Insikt Group judges that relations between China and the United States and Europe will almost certainly remain at odds for the duration of the war. Although China's position suggests there are areas of potential collaboration on peace, Beijing is likely pursuing a strategy of using a peace settlement to shape how future international crises are addressed, and that strategy contains elements that are almost certainly unacceptable to the US and others.</p><p>China's leadership almost certainly supports Russia, politically, rhetorically, and by allowing trade in dual-use goods to continue, in order to further its own strategic agenda, specifically the preservation of an important partner in the creation of a more multilateral international system. China's leadership very likely wants a peaceful end to the war. 
However, China's leadership very likely does not support a peace deal that conforms to, and returns to the status quo of, the current US-led international system and that legitimizes coercive Western measures used against Russia (namely sanctions) that could be levied against China in the future (such as in a Taiwan scenario).</p><p>Despite its support for Russia's position, it is unlikely that China's leadership will approve the export of lethal aid to Russia. Such a decision will likely be judged too costly in light of other goals, such as stabilizing relations with the US and Europe and avoiding sanctions. The decision to provide lethal aid likely hinges on whether China's leadership judges that, in the short to mid term, stable (if not good) relations with the US and Europe are necessary. Chinese Communist Party (CCP) General Secretary Xi Jinping's personal relationship with Russian president Vladimir Putin also has the potential to <a href="https://www.chinatalk.media/p/will-xi-arm-putin-has-a-cold-war">inform</a> how he weighs the available options. China's leadership has likely not yet decided to provide lethal aid and, as of this writing, has not (based on publicly available information) exported lethal aid to Russia. If China's leadership does decide to export lethal aid to Russia, the US and European response will very likely lead to a serious deterioration in relations with China for the foreseeable future.</p><h2 id="key-judgments">Key Judgments</h2><ul><li>China's leadership almost certainly supports Russia politically, rhetorically, and by allowing trade in dual-use goods, in order to further its own strategic agenda. 
</li><li>China's leadership very likely seeks a peaceful solution to the war, but not at the expense of its vision for how the international order should address future crises.</li><li>It is unlikely that China's leadership will allow Chinese companies to provide to Russia what the US and Europe deem lethal aid.</li><li>If China's leadership decides to export lethal aid to Russia, the US and Europe will almost certainly impose consequences that would very likely lead to a serious deterioration in relations with China for the foreseeable future.</li></ul>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2023_0306_Blog_Intelligence_Report_Main_Feature_a568b8bc4d.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[2022 Annual Report]]></title>
            <link>https://www.recordedfuture.com/2022-annual-report</link>
            <guid>https://www.recordedfuture.com/2022-annual-report</guid>
            <pubDate>Thu, 02 Mar 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[New Insikt research analyzes cyber threat and geopolitical trends observed throughout 2022 and provides a comprehensive overview of the cyber threat landscape.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0302.pdf">click here</a> to download the report as a PDF.</em></p><p><em>The annual report surveys the threat landscape of 2022, summarizing a year of intelligence produced by Recorded Future's threat research team, Insikt Group. We analyze global trends and evaluate significant cybersecurity events, geopolitical developments, vulnerability disclosures, and more, providing a broad, holistic view of the cyber threat landscape in 2022.</em></p><h2 id="executive-summary">Executive Summary</h2><p>The physical conflict in Ukraine, and the effects it has had on the cyber threat landscape throughout 2022, frames our discussion of significant cyber threat events and geopolitical trends that occurred in 2022 and underscores the increased convergence of the cyber and geopolitical threat landscape.</p><p>Before and throughout the physical invasion, Recorded Future has observed increased instances of distributed denial-of-service (DDoS) attacks, hacktivist activity, and the widespread deployment of wiper malware. And while Russia's invasion of Ukraine dominated the discussion of kinetic and cyber-hybrid operations, threat actors affiliated with other prominent nation-states, specifically Iran, China, and North Korea, carried out cyberattacks throughout the year, informed by an era of heightened geopolitical tension, competition, and politically charged affiliations. </p><p>We also analyzed cyber threat events across the broader threat landscape, including those carried out by cybercriminal groups. 
While phishing campaigns and ransomware attacks continue to plague organizations across industries and geographies, Recorded Future identified a 600% increase in the number of credentials sold via information-stealing malware between Q1 and Q4, a significant year-over-year increase in targeting of software frequently used in organizations' supply chains, and a shift toward an increasingly managed service model as as-a-service offerings proliferated on dark web marketplaces and underground forums. Initial access brokers are increasingly active, likely due to the increased use of infostealer malware and the ability to monetize stolen data.</p><p>The effective use of infostealers often relies on the successful exploitation of vulnerabilities. Notable vulnerability-related trends in 2022 included ransomware operators and Chinese state-sponsored threat actors rapidly exploiting zero-day vulnerabilities, the ongoing exploitation of Log4Shell across all quarters in 2022, and the impact of Microsoft's oscillation about the automatic disablement of macros.</p><p>Finally, ransomware remained an ever-present threat in 2022. While certain ransomware gangs disbanded, others were quick to assert their dominance and used their significant resources to undertake campaigns against organizations of all sizes across industries. Although ransomware payments decreased by about 60% between 2021 and 2022, likely due to increased guidance from governments to forgo making ransomware payments and increased due diligence on cybersecurity standards from insurance companies when underwriting policies for ransomware attacks, ransomware will continue to pose a major threat to organizations throughout 2023.</p><h2 id="key-takeaways">Key Takeaways</h2><ul><li>Self-proclaimed hacktivist activity, likely a mix of grassroots and state-sponsored activity, surged in the first half of the year, as threat actor groups carried out attacks based on their allegiance to either Russia or Ukraine. 
While the majority of this activity was limited to targeting organizations involved in the conflict or located in areas close to eastern Europe, some hacktivist activity involved organizations in other regions. </li><li>Spillover effects of the deployment of wiper malware and the hacktivist activity were the primary cyber threats to organizations not directly involved in the war in Ukraine. </li><li>North Korea will most likely continue to test ballistic missiles in 2023. US military buildup in the western Pacific and increased defense spending and preparedness measures in Japan are likely to be met with equivalent actions by China. </li><li>Diplomatic negotiations over the Joint Comprehensive Plan of Action (JCPOA; commonly referred to as the Iran nuclear deal) are unlikely to make any progress. Meanwhile, the Islamic Republic of Iran continues to enrich uranium in an effort to achieve a nuclear weapon. The Israeli government is likely to continue kinetic strikes on elements of the Islamic Revolutionary Guard Corps-Quds Force (IRGC-QF) operating in Syria while keeping its options open for strikes on nuclear facilities inside of Iran.</li><li>2022 was the year of as-a-service, as we identified the presence of new phishing-as-a-service (PaaS) offerings in the threat landscape, the continued success of the ransomware-as-a-service (RaaS) model, and the development and use of new strains of malware-as-a-service (MaaS) offerings.</li><li>Open-source or proprietary software packages were targeted throughout 2022. Given their effectiveness over the past year, these types of attacks will likely grow in severity in 2023. </li><li>Infostealers were increasingly used by threat actors, and the increased advertisement of authentication information collected by infostealers poses a risk to multi-factor authentication (MFA) security solutions. 
</li><li>While the adoption of countermeasures such as the disablement of macros by default has been highly effective, many threat actors have also pivoted their operations to subvert newly developed or implemented security protections, underscoring the need for the implementation of a defense-in-depth security strategy.</li><li>The exploitation of widely used products, as well as continued exploitation of previously reported vulnerabilities like Log4Shell, underscores threat actors' ongoing focus on attack vectors that can be used for extended periods of time.</li><li>The volume of ransomware attacks is unlikely to shrink in 2023. However, if the financial gain from ransomware attacks continues to decrease, as observed from 2021 to 2022, threat actors are likely to adjust their tactics to continue realizing the historical financial incentives for ransomware attacks.</li></ul>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2022_annual_report_333c48e442.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Russia’s War Against Ukraine Disrupts the Cybercriminal Ecosystem]]></title>
            <link>https://www.recordedfuture.com/russias-war-against-ukraine-disrupts-cybercriminal-ecosystem</link>
            <guid>https://www.recordedfuture.com/russias-war-against-ukraine-disrupts-cybercriminal-ecosystem</guid>
            <pubDate>Fri, 24 Feb 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[New Insikt Research examines how Russia’s war against Ukraine has disrupted the cybercriminal ecosystem and ignited a resurgence of “crowdsourced hacktivism.”]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0223.pdf">click here</a> to download the report as a PDF.</em></p><h2 id="executive-summary">Executive Summary</h2><p>Russia's war against Ukraine has disrupted the cybercriminal ecosystem. On February 24, 2022, Russia <a href="https://apnews.com/article/russia-ukraine-joe-biden-business-europe-moscow-e88497e7e8d4ad178057b599cc9ec8f6">launched</a> a full-scale invasion against Ukraine. As outlined in the recent Recorded Future report <a href="https://www.recordedfuture.com/themes-failures-russias-war-against-ukraine">Themes and Failures of Russia's War Against Ukraine</a>, Russia likely remains intent on <a href="https://www.businessinsider.com/vladimir-putin-russian-forces-could-take-kyiv-ukraine-two-days-2022-3">seizing</a> Kyiv, <a href="https://www.gov.uk/government/news/kremlin-plan-to-install-pro-russian-leadership-in-ukraine-exposed">dismantling</a> the government of Ukraine, and <a href="https://www.usip.org/publications/2022/07/russias-ukraine-war-has-narrowed-not-its-goals">securing</a> a decisive military victory despite compounding strategic and tactical failures. Russia's <a href="https://carnegieendowment.org/2022/12/19/what-russian-invasion-reveals-about-future-of-cyber-warfare-pub-88667">offensive cyber operations</a> have been unable to substantively augment Russia's conventional military progress and will likely shift to targeting civilian infrastructure in an attempt to degrade Ukraine's morale ahead of an upcoming, <a href="https://www.bbc.co.uk/news/world-europe-64492938">renewed</a> offensive. 
Russia's continued reliance on leveraging proxy groups to achieve its objectives in Ukraine while maintaining plausible deniability has further illuminated the links between Russian Intelligence Services (RIS) and non-state actors, evidenced by Russia's direct, indirect, and tacit relationships with cybercriminal and hacktivist groups as outlined in our report, <a href="https://www.recordedfuture.com/dark-covenant-2-cybercrime-russian-state-war-ukraine">Dark Covenant 2.0: Cybercrime, the Russian State, and the War in Ukraine</a>. </p><p>The so-called brotherhood of <a href="https://link.springer.com/chapter/10.1057/9781137021946_3">Russian-speaking threat actors</a> located in the Commonwealth of Independent States (CIS) has been damaged as a result of political disagreements among threat actors in the context of the war. This damage has established a new norm of internal instability, as evidenced by a <a href="https://www.reuters.com/technology/russian-ransomware-attacks-ukraine-muted-by-leaks-insurance-woes-2022-03-01/">continued wave</a> of insider leaks. Additionally, as Russia experiences a <a href="https://apnews.com/article/russia-ukraine-putin-immigration-kazakhstan-technology-c041eb0b7472668087bb94207de2f71d">brain drain</a> of IT professionals, these now-fracturing organized cybercriminal cartels will likely become more geographically decentralized, in turn making their relationships more diffuse. </p><p>The resurgence of <a href="https://www.businessinsider.com/ukraine-hacktivists-cause-harm-russia-cisco-experts-warn-it-army-2022-3">crowdsourced hacktivism</a>, an international phenomenon previously limited to the late 2000s, will likely create a new generation of non-state threat actors who are both politically and financially motivated. 
These so-called hacktivist groups, while their impact has been limited, have become <a href="https://www.washingtonpost.com/business/how-hacktivists-are-fighting-russia-with-their-keyboards/2022/03/04/6a9e0d2a-9b95-11ec-9987-9dceee62a3f6_story.html">symbolic</a> in the public's perception of the <a href="https://www.msspalert.com/cybersecurity-news/russia-linked-hackers-launch-ddos-attack-on-germany-threaten-canada-for-ukraine-artillery/">cyberwar</a> raging parallel to the war in Ukraine. </p><p>The economic consequences of the war in Ukraine are likely creating conditions conducive to an <a href="https://www.recordedfuture.com/russian-invasion-of-ukraine-and-sanctions-portend-rise-in-card-fraud">increase</a> in the value of payment card fraud on the dark web, despite an overall slump in carding volume <a href="https://www.recordedfuture.com/annual-payment-fraud-intelligence-report-2022">in 2022</a>. Regardless of fraud's reputation as an unsophisticated form of cybercrime, it is likely becoming less a crime of opportunity than of survival. International arrests, seizures, and disruptive actions have destabilized the business model associated with commodified cybercrime, leading to wide-ranging and rippling effects on the malware- and ransomware-as-a-service (MaaS, RaaS) threat landscapes. These disruptions have also spread to the dark web shop and marketplace ecosystems, leading to price fluctuations and newfound competition among market administrators. Cybercrime, both based in the CIS and globally, is entering into a new era of volatility as a result of Russia's war against Ukraine.</p><h2 id="key-takeaways">Key Takeaways</h2><ul><li>We did not identify any direct links between credential leaks preceding Russia's war against Ukraine; however, we believe that these credential leaks could have been leveraged by threat actors seeking to exploit geopolitical tensions prior to the war. 
We also note that some of the database breaches we identified have since been attributed to nation-state actors.</li><li>The so-called brotherhood of Russian-speaking threat actors located in the CIS has been damaged by insider leaks and group splintering, due to declarations of nation-state allegiance both in support of and opposed to Russia's war against Ukraine.</li><li>Russia is experiencing a wave of IT brain drain that will likely decentralize the organized cybercriminal threat landscape. In addition to brain drain, waves of military mobilization of Russia's citizens are resulting in decreased activity on Russian-language dark web and special-access forums.</li><li>The resurgence of crowdsourced hacktivism will likely create a new generation of non-state threat actors. The impact of hacktivism has been limited, but its role in enabling information operations (IOs) remains vital. Hacktivism has become symbolic in the public's perception of the cyberwar raging parallel to Russia's war against Ukraine.</li><li>Russian law enforcement's seizure and closure of several top-tier carding shops in January and February 2022 severely disrupted the payment card fraud ecosystem until April 2022. Since May 2022, the emergence of new carding shops has driven a partial rebound in the volume of compromised card-not-present (CNP) data posted for sale on the dark web.</li><li>International arrests, seizures, and disruptive actions have destabilized the business model associated with commodified cybercrime. </li><li>Russia's war against Ukraine has disrupted the dark web shop and marketplace ecosystems. 
International supply-chain disruptions and border closures have made the shipping of physical contraband impractical for Russia-based threat actors.</li></ul><h2 id="background">Background</h2><p>On February 24, 2022, Russia <a href="https://www.reuters.com/markets/europe/leaders-key-quotes-after-russia-invades-ukraine-2022-02-24/">began</a> a full-scale invasion of Ukraine that was supported by ground and aerial bombardment, surface-to-surface and surface-to-air missiles, cyberattacks, electronic warfare, information warfare, and more. Almost immediately, the Russian cybercriminal underground reacted with <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-110a">declarations of allegiance</a> from forum administrators, threat actors, and threat actor organizations. Hacktivist campaigns, coordinated distributed denial-of-service (DDoS) attacks, doxxing activities, trolling, website defacement, ransomware infections, and more began within hours of the invasion.</p><p>While the vast majority of non-state cybercriminal and hacktivist activities in the early days of Russia's war against Ukraine targeted Russian and Belarusian entities in retaliation for the invasion, opportunistic threat actors sought to exploit the tensions by leveraging vulnerabilities in the cyber infrastructure of Russian, Belarusian, and Ukrainian entities and selling leaked information or unauthorized access for financial gain and publicity. Declarations of allegiance also prompted internal unrest within certain threat actor organizations, leading to hostile activities and schisms between threat actors. </p><p>Since February 24, 2022, we have been actively monitoring the daily activities of cybercriminal and non-state hacktivist entities that have been involved directly or indirectly in the Russian war against Ukraine.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2023_0222_Blog_Russia_s_War_Against_Ukraine_Main_Feature_d45b0851f0.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[In Before The Lock: ESXi]]></title>
            <link>https://www.recordedfuture.com/in-before-the-lock-esxi</link>
            <guid>https://www.recordedfuture.com/in-before-the-lock-esxi</guid>
            <pubDate>Mon, 13 Feb 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group examines a 3-fold increase in ransomware targeting ESXi, with offerings available from many groups, including ALPHV, LockBit, and BlackBasta.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0213.pdf">click here</a> to download the report as a PDF.</em></p><h2 id="executive-summary">Executive Summary</h2><p>As organizations continue virtualizing their critical infrastructure and business systems, threat actors deploying ransomware have responded in kind. Between 2021 and 2022, we observed an approximately 3-fold increase in ransomware targeting <a href="https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html">ESXi</a>, with offerings available from many groups including ALPHV, LockBit, and BlackBasta. We identified and described detection strategies for multiple TTPs that are often seen prior to the dropping of the ransomware payload in order to create detections and mitigations that are based on real-world, threat-actor use of these tools. In addition to providing tool-specific detections such as YARA and Sigma rules, we also identified detections for common enumeration, exploitation, and persistence techniques. The detections and mitigations provided can be used not only for the tools assessed below but also for custom (threat actor-specific) tools that are outside the scope of this report. Organizations looking to threat hunt, detect, and mitigate pre-ransomware TTPs for ESXi systems should use the detections provided as a starting point to develop detections specific to their environment and as part of a layered security approach. 
The infancy of defensive products such as endpoint detection and response (EDR) or antivirus software (AV) currently available for ESXi, combined with organizations' increased reliance on virtualization, creates an attractive target for threat actors and can potentially lead to operational downtime and reputational damage to an organization.</p><h2 id="key-takeaways">Key Takeaways</h2><ul><li>Ransomware targeting ESXi will continue to be a threat to organizations, putting them at risk of operational downtime, competitive disadvantage, and damage to their brand. </li><li>Organizations should continue to deploy virtualized infrastructure, but it is critical to implement security best practices and similar precautions as used in existing infrastructure.</li><li>The malicious tools targeting ESXi primarily abuse native commands to perform their actions, making them difficult to differentiate from normal system administrator activity.</li><li>Openly available tools and device search engines will continue to be used by threat actors targeting ESXi, in addition to custom tooling.</li><li>The immaturity of antivirus and EDR solutions that cover ESXi, coupled with the difficulty of implementing security measures, lowers the technical barrier for threat actors deploying malware on ESXi compared with those targeting Windows.</li><li>Exploiting vulnerabilities for initial access is a common tactic; however, many threat actors simply rely on system administrator notes, stored passwords, or keylogging specific employees to gain access to a vSphere environment.</li><li>Defensive practices are difficult to implement due to the complex nature of hypervisors; however, implementing utilities that provide host attestation, reduce the attack surface, and minimize access to other systems on the network can greatly reduce risk for organizations.</li></ul><h2 id="background">Background</h2><p>Ransomware groups continue to evolve and expand their toolsets, focusing on more specialized 
targets and creating more refined tooling based on opportunities to make money. VMware ESXi is the market-leading, enterprise-grade hypervisor designed for deploying and serving virtual infrastructure. ESXi-targeting ransomware will continue to present a threat to organizations that are shifting towards virtualizing the majority of their server infrastructure. The practice of securing virtualized infrastructure is complicated due to the proprietary nature of the technology and the relative infancy of defensive products designed for it. As a result of these factors, ESXi presents an exceptionally attractive target for financially motivated threat actors.</p><p>In 2020, there were very few mentions of ESXi ransomware attacks, as threat actors primarily targeted Windows-based networks due to the availability of initial access presented by the pandemic and multiple critical vulnerabilities (such as CVE-2018-13379, CVE-2019-11510, and CVE-2019-19781). As organizations responded with more effective defenses against ransomware and threat actors recognized the defensive gaps in virtualized networks, threat actors began to create ESXi-specific ransomware and techniques. In 2021, cyberattacks involving ESXi ransomware increased. During 2022, we observed a 3-fold year-over-year increase in ransomware attacks by a larger number of ransomware groups and advanced TTPs and tooling targeting virtualized infrastructure, as seen in Figure 1 below.</p><p><img src="https://cms.recordedfuture.com/uploads/esxi_001_ae27d0ad3c.png" alt="esxi-001.png"><em><strong>Figure 1:</strong> Ransomware attacks focused on ESXi show a 3-fold increase in a single year (Source: Recorded Future)</em></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0213.pdf">click here</a> to download the report as a PDF.</em></p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2023_0210_Blog_In_Before_the_Lock_ES_Xi_Featured_Image_c37667921b.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Themes and Failures of Russia’s War Against Ukraine]]></title>
            <link>https://www.recordedfuture.com/themes-failures-russias-war-against-ukraine</link>
            <guid>https://www.recordedfuture.com/themes-failures-russias-war-against-ukraine</guid>
            <pubDate>Thu, 09 Feb 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group examines Russia’s hybrid warfare themes over the past year, illuminating its strategic miscalculations and strategies to overcome its shortfalls.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2023-0209.pdf">click here</a> to download the report as a PDF.</em></p><h2 id="executive-summary">Executive Summary</h2><p>A year after Russia launched its full-scale invasion of Ukraine, Russia remains unsuccessful in bringing Ukraine under its control as it struggles to overcome months of compounding strategic and tactical failures. Despite these challenges, the Kremlin's intent remains unchanged, leaving Ukraine and the international community at heightened risk. In anticipation of Russia's <a href="https://www.bbc.co.uk/news/world-europe-64492938">planned</a> renewed offensive, this report reflects on Russia's key hybrid warfare themes over the past year, including military failures, exploitation of natural resources, reliance on proxy groups, and partnerships with anti-Western allies. By doing so, this report illuminates the Kremlin's strategic miscalculations and its strategies for overcoming its shortfalls.</p><p>In the near term, Russia will very likely launch a renewed offensive in Ukraine with a likely focus on the Donbas. Russian state-sponsored cyber threat actors, as well as pro-Russian cybercriminals and hacktivists, will almost certainly support this campaign through continued <a href="https://www.theguardian.com/world/2022/oct/31/russian-missiles-kyiv-ukraine-cities">targeting</a> of Ukrainian critical infrastructure, at least in part in an attempt to further degrade Ukraine's morale and will to fight. 
Meanwhile, Russia will also have to manage the direction of largely <a href="https://www.nytimes.com/2022/10/16/world/europe/russia-draft-ukraine.html">untrained troops</a> and modern <a href="https://www.newsweek.com/russia-resorting-soviet-era-anti-aircraft-missiles-hit-land-targets-1723247">weapons shortages</a>, with likely reliance on recently mobilized troops, proxy organizations like Wagner, and foreign weapon supplies from Iran and North Korea to augment its capabilities.</p><p>In the longer term, Russia's actions over the past year have caused lasting geopolitical shifts far beyond Ukraine. In particular, the <a href="https://www.defense.gov/News/News-Stories/Article/Article/3157239/ukraines-success-was-a-surprise-only-to-the-russians/">success</a> of Ukraine's collective defense model resonates globally, and European <a href="https://features.csis.org/us-lng-remapping-energy-security/">shifts</a> away from reliance on Russian gas serve to remind the international community about the benefits of allied cooperation and the importance of global partnerships. These partnerships are further supported by Russia's burgeoning military cooperation with <a href="https://www.defense.gov/News/News-Stories/Article/Article/3206808/russias-reliance-on-iran-sign-of-putins-isolation/">Iran</a> and <a href="https://www.nknews.org/2023/01/new-photos-show-north-korea-sent-weapons-to-russian-paramilitary-group-pentagon/">North Korea</a>, which creates a heightened global threat environment. 
As the war stretches on, the risk of Belarus's involvement, escalation in the conflict, degraded Ukrainian morale, and international complacency compound, further threatening the security of both Ukraine and the international community.</p><h2 id="key-judgments">Key Judgments</h2><ul><li>Russia was almost certainly challenged by Ukraine's cyber defenses, which were bolstered by its allies and industry partners, rendering cyber operations unable to substantively augment Russia's conventional military progress and demonstrating the importance of collective defense. </li><li>Russia's persistent kinetic and cyber targeting of Ukraine's civilians and critical infrastructure throughout winter very likely reflects the Kremlin's intent to degrade Ukraine's morale ahead of an upcoming, renewed offensive.</li><li>Russia's persistent use of proxy groups throughout the conflict, such as Wagner Group and pro-Russian cybercriminals, hacktivists, and influence actors, has revealed Kremlin control or direction over these groups, while further illuminating Russia's desire to have plausible deniability over its actions.</li><li>Russia has strengthened international partnerships with key anti-Western allies, including Iran and North Korea, who are likely to continue providing material support to Russia for its war against Ukraine and pose increasing threats to the West as their military cooperation expands.</li><li>Russia's leveraging of its natural resources over the past year has pushed the West to find alternative fuel sources, which will very likely decrease Russia's ability to exert pressure over the international community.</li><li>While Russia maintains its intent to bring Ukraine under its control, the numerous, unaddressed challenges its military faced during the initial invasion, in addition to largely untrained troops, weapons shortages, and Ukraine's military being armed by the West, will very likely challenge future Russian successes on the battlefield.</li><li>As the war continues, 
a variety of risks threaten both Ukraine and the international community, including formal Belarusian involvement, the potential for escalation, degraded Ukrainian morale, and international complacency.</li></ul>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/themes_failures_russias_war_against_ukraine_0958791dab.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[New “Crypto Drainer” Phishing Pages Siphon Cryptocurrency in Seconds]]></title>
            <link>https://www.recordedfuture.com/new-crypto-drainer-phishing-pages-siphon-cryptocurrency-seconds</link>
            <guid>https://www.recordedfuture.com/new-crypto-drainer-phishing-pages-siphon-cryptocurrency-seconds</guid>
            <pubDate>Thu, 02 Feb 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group examines how ready-to-go “crypto drainers” are deployed with legitimate services on phishing pages to siphon crypto assets from crypto wallets.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editors Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0202.pdf">click here</a> to download the report as a PDF.</em></p><h2 id="executive-summary">Executive Summary</h2><p>A Nigerian prince needs your help. Or a coworker texts you, urgently demanding that you send gift cards. Words like fraud and phishing often evoke simple scams that only fool the foolish. In reality, threat actors develop refined tactics, techniques, and procedures (TTPs) to target users who believe themselves too clever to be fooled.</p><p>Crypto drainers are malicious scripts that function like e-skimmers and are deployed with phishing techniques to steal victims crypto assets. The phishing pages that are deployed with crypto drainers often imitate popular crypto services and use common third-party applications and extensions (such as MetaMask) that are not unusual for the legitimate services that these phishing pages imitate.</p><p>We discovered a ready-to-go crypto drainer phishing page advertised by a threat actor on a top-tier dark web forum. This phishing page purports to mint non-fungible tokens (NFTs) and uses third-party services that are commonly used in the crypto sphere. After analyzing this crypto drainer, we concluded that it can be effectively used to steal crypto assets from compromised crypto wallets. Once crypto wallets are compromised, no safeguards exist to prevent the theft of crypto assets. 
Since their first appearance in 2022, crypto drainer phishing pages have surged in popularity, and crypto drainer phishing pages will likely remain relevant, effective, and widely used in 2023.</p><h2 id="key-judgments">Key Judgments</h2><ul><li>Crypto drainers are used on phishing pages that imitate popular crypto services to steal crypto assets from unsuspecting victims. They exploit legitimate extensions and applications that are frequently used with the crypto services that the phishing pages imitate.</li><li>We analyzed a ready-to-go crypto drainer phishing page advertised by a threat actor on a top-tier dark web forum. This phishing page entices victims into connecting their wallets with an offer to mint NFTs. As soon as victims attempt to mint NFTs, the crypto drainer siphons available cryptocurrency and desired NFTs to the attacker's wallet.</li><li>Crypto drainer projects are surging in popularity, and a growing number of ready-to-go crypto drainer phishing packages could allow threat actors to execute them quickly and at scale.</li></ul><h2 id="background">Background</h2><p>Though blockchain technology is designed from the ground up with security in mind, openings nevertheless exist for threat actors to defraud victims of their crypto assets. Crypto drainers are malicious files that function similarly to e-skimmers by automatically executing transfers of crypto assets.</p><p>Crypto drainers are commonly deployed on phishing pages that imitate popular crypto services. Examples of the crypto services that a crypto drainer phishing page might imitate include cryptocurrency exchanges or non-fungible token (NFT) platforms. Importantly, crypto drainer phishing pages often use third-party services or extensions (such as MetaMask) that are commonly used with the crypto services they imitate. 
The use of legitimate services on crypto drainer phishing pages may increase the likelihood that the phishing page will pass an otherwise savvy user's scam litmus test.</p><p><img src="https://cms.recordedfuture.com/uploads/Crypto_Drainer_Phishing_001_0932f9f2c6.png" alt="Crypto-Drainer-Phishing-001.png"><em><strong>Figure 1:</strong> Recorded Future analyzed a crypto drainer phishing page that entices victims to connect their wallets with the promise of minting NFTs (Source: Recorded Future)</em></p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2023_0202_Blog_Intelligence_Report_Featured_Image_af9714f822.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Dark Covenant 2.0: Cybercrime, the Russian State, and the War in Ukraine]]></title>
            <link>https://www.recordedfuture.com/dark-covenant-2-cybercrime-russian-state-war-ukraine</link>
            <guid>https://www.recordedfuture.com/dark-covenant-2-cybercrime-russian-state-war-ukraine</guid>
            <pubDate>Tue, 31 Jan 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[This report examines the unspoken connections between the Russian Federation, cybercriminals, and self-described hacktivists in Russia and Eastern Europe in the context of the Russian war in Ukraine.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0131.pdf">click here</a> to download the report as a PDF.</em></p><p>This report examines the unspoken connections between the Russian Federation, cybercriminals, and self-described hacktivists in Russia and Eastern Europe in the context of the Russian war in Ukraine. It is a direct continuation of the findings presented in our 2021 report Dark Covenant: Connections Between the Russian State and Criminal Actors. This report will be of interest to threat researchers, as well as law enforcement, government, and defense organizations.</p><h2 id="executive-summary">Executive Summary</h2><p>Beginning on February 24, 2022, the Russian cybercriminal threat landscape underwent transformative changes in response to the Russian war in Ukraine. The war brought chaos to the cybercriminal underground, polarizing threat actors in Commonwealth of Independent States (CIS) nations. While some cybercriminal groups declared allegiance to the Russian government, others splintered over irreconcilable ideological differences or remained apolitical, opting to capitalize on geopolitical instability for financial gain. Some groups vanished entirely. 
Likely as indirect consequences of the war, there have been underground market disruptions, shifts in hacktivist and ransomware targeting, and a spike in financial fraud, among other phenomena affecting the Russian cybercriminal ecosystem.</p><p>Throughout these changes, one thing remained largely constant: cybercriminal threat groups continue to occupy important <a href="https://www.recordedfuture.com/russian-state-connections-criminal-actors">roles</a>, in direct, indirect, and tacit capacities, with the Russian government. For cybercrime groups who have pledged their allegiance to the Kremlin, the unspoken connections have deepened. Russian cybercriminals and self-described hacktivists are actively involved in operations targeting Ukrainian entities and infrastructure, as well as entities located in states that have declared their support for Ukraine. Recorded Future has observed Russian and Russian-speaking threat actors targeting the United States, United Kingdom, the North Atlantic Treaty Organization (NATO), Japan, and others for financial gain and ego-driven publicity in support of Russia.</p><p><img src="https://cms.recordedfuture.com/uploads/dark_covenant_2_cybercrime_russian_state_war_ukraine_001_6cb4eacdd1.jpg" alt="dark-covenant-2-cybercrime-russian-state-war-ukraine-001.jpg"><em><strong>Figure 1</strong>: Conti Gang statement dated February 25, 2022, in which the group allies itself with the Russian government (Source: Conti.News)</em></p><p>Cybercriminal organizations like Conti have overtly declared allegiance to the Russian government, and commodity malware like DarkCrystal RAT, Colibri Loader, and WarZoneRAT, which are available on top-tier Russian-language forums, are being used by advanced persistent threat (APT) groups to target entities in Ukraine. We have identified cybercriminal activities preceding the war, and immediately after it started, that we believe are the work of the Russian state. 
Russian-speaking, self-described hacktivist groups like Killnet and Xaknet are almost certainly actively engaging in information operations (IOs) against organizations and entities in the West, enabled by Russian state-sponsored media with the likely intended goal of stoking fear or decreasing support for Ukraine. We have also identified other phenomena, such as a rise in payment card fraud, database leaks, dark web marketplace closures, and more, that we believe are the consequences of economic, diplomatic, and law enforcement activities aimed at Russian entities due to their support for the war in Ukraine.</p><h2 id="key-judgments">Key Judgments</h2><ul><li>It remains highly likely that Russian intelligence, military, and law enforcement services have a longstanding, tacit understanding with cybercriminal threat actors; in some cases, it is almost certain that these agencies maintain an established and systematic relationship with cybercriminal threat actors, either by indirect collaboration or via recruitment. </li><li>Based on our understanding of cybercriminal and hacktivist activities related to the Russian war in Ukraine, it is likely that cybercriminal threat actors are working alongside the Russian state to coordinate or amplify Russian offensive cyber and information operations.</li><li>Russian cybercriminal groups, tools, and tactics, techniques, and procedures (TTPs) likely serve to provide plausible deniability for state-sponsored threat actors involved in the Russian war in Ukraine. It is likely that financially motivated threat actors who are capitalizing on geopolitical instability are also aiding and abetting the interests of the Russian state, be it coincidentally or intentionally.</li><li>Russian law enforcement seizures of dark web and special-access sources preceding the war appeared to be a show of good faith by the Russian state, signaling its willingness and ability to thwart cybercrime. 
However, we believe it is likely that these enforcement actions were intended to undermine allegations of cooperation between cybercriminals and the Russian state, providing further plausible deniability.</li><li>Several cybercriminal industries have undergone transformational changes as a result of the Russian war in Ukraine. These include changes to the malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) threat landscapes, a rise in Russian payment card fraud, shifts in cybercriminal targeting, changes in infrastructure and hosting, and more.</li></ul><h2 id="methodology">Methodology</h2><p>This report synthesizes information derived from open and human sources, including information gathered from monitoring of, and engagement on, dark web, special-access, and social media sources frequented by Russian-speaking cybercriminals. We looked at several English-language forums to cross-reference points of contact and link monikers suspected to be operated by Russian-speaking cybercriminals across the dark web. We also gathered intelligence from open and closed-source messaging platforms, such as Telegram, Tox, and Jabber (XMPP), as well as social media. </p><p>Our collections on ransomware extortion, chat, and payment websites helped us connect various ransomware groups with the Russian state. We used qualitative and quantitative methods to study ransomware victimology before and after the Russian invasion of Ukraine on February 24, 2022, to theorize about motives and ideology. 
This report relies heavily on the use of the Recorded Future Platform to visualize its findings and draw connections between geopolitical events, cybercriminal threat actors and threat actor groups, advanced persistent threats (APTs), and the Russian state in the context of the Russian war in Ukraine.</p><p>We also rely heavily on other forms of OSINT research, such as academic publications, industry white papers, conference presentations, and more, to fill in gaps in our HUMINT collections process. This report uses previous open-source reporting, as well as the original 2021 <a href="https://www.recordedfuture.com/russian-state-connections-criminal-actors">Dark Covenant</a> report, as the background and warrant for its research. This report was researched and written between February 24, 2022 and August 24, 2022.</p><p><img src="https://cms.recordedfuture.com/uploads/dark_covenant_2_cybercrime_russian_state_war_ukraine_002_8addf2b8cf.png" alt="dark-covenant-2-cybercrime-russian-state-war-ukraine-002.png"><em><strong>Figure 2</strong>: Timeline of events between the cybercriminal ecosystem, self-described hacktivist entities, and state-sponsored groups during the conflict in Ukraine (Source: Recorded Future)</em></p><h2 id="background">Background</h2><h3 id="dark-covenant">Dark Covenant</h3><p>In 2021, we <a href="https://www.recordedfuture.com/russian-state-connections-criminal-actors">detailed</a> how established, distributed networks of individuals in the Russian cybercriminal world and officials in Russian law enforcement or intelligence services, also known colloquially as siloviki, are connected. The report detailed how the relationships in this ecosystem are often premised on unspoken, yet understood, agreements that consist of malleable associations. This research was based on historical activity, public indictments, and ransomware attacks. 
Overall, the report broke down the associations between the Russian cybercriminal environment and the siloviki into 3 major categories: direct associations, indirect affiliations, and tacit agreements. </p><ul><li>Direct associations are identified by precise links between state institutions and criminal underground operators; an example of this is Dmitry Dokuchaev, a major in the Russian Federal Security Service (FSB) who was recruited after working as a cybercriminal.</li><li>Indirect affiliations occur in cases where a direct link cannot be established but there are clear indications that the Russian government is using resources or personnel for its benefit; an example of this is the Russian government's likely use of the GameOver Zeus botnet for <a href="https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf">espionage</a> or DDoS attacks by patriotic hackers during military conflicts. </li><li>Tacit agreement is defined as overlaps in cybercriminal activity, including targeting and timing, that benefit Russian state interests or strategic goals; such activity is conducted without direct or indirect links to the state but is allowed by the Kremlin, which looks the other way when such activity is conducted.</li></ul><p>In our 2021 report, we assessed that cybercriminal associations with the siloviki would almost certainly continue for the foreseeable future and these associations and activities would likely adapt to provide greater plausible deniability and fewer overt, direct links between both groups. </p><p>Since our first report, the Russian government has invaded Ukraine, an event that has illuminated our understanding of Russia's capabilities and shortcomings as they relate to military strength and cyber capacity. For example, a series of leaks about the cybercriminal groups Conti and Trickbot (Wizard Spider) provided an unprecedented look at the relationship between these groups and the state. 
The conflict has given rise to self-described hacktivists conducting pro-Russian attacks purportedly motivated by patriotic interest; in some cases, however, it is <a href="https://www.mandiant.com/resources/blog/gru-rise-telegram-minions">likely</a> that such groups are providing the Russian government with plausible deniability.</p><h3 id="the-russian-invasion-of-ukraine">The Russian Invasion of Ukraine</h3><p>The February 2022 Russian invasion of Ukraine has resulted in a broader humanitarian crisis in Europe as well as heightened international tensions. A number of pro-Russian threat actor groups, as well as some previously unseen entities from within the cybercriminal ecosystem, have participated in the conflict, which Russia has conducted across the physical, information, and cyber domains. The war has already seen large-scale distributed denial-of-service (DDoS) attacks, website defacements, phishing and spam campaigns, malware deployment, and wiper attacks against numerous Ukrainian entities in both the government and private sector. </p><h3 id="russian-cybercrime-in-cyber-warfare">Russian Cybercrime in Cyber Warfare</h3><p>The Russian intelligence services' recruitment of highly skilled computer programmers, network specialists, and other technologically savvy personnel dates back to at least the 1990s, according to a <a href="https://meduza.io/en/feature/2019/12/12/the-fsb-s-personal-hackers">Meduza</a> report published on December 12, 2019. 
In this report, an FSB officer is quoted as suggesting that as soon as hackers achieve a certain level of success, they are targeted for recruitment: In [the FSB officer's] words, as soon as the first technical college student from a humble background brought a Ferrari out onto the streets of Moscow, FSB agents started recruiting, both getting the cybercrime business under control and making it their own.</p><p>In his 2019 <a href="https://www.worldcat.org/title/vtorenie-kratkaja-istorija-russkich-chakerov/oclc/1125189608">book</a> Intrusion: A Brief History of Russian Hackers, Daniil Turovsky quoted an unnamed Russian hacker who provided an account of the associations between the criminal underground and the Russian intelligence services. According to the hacker, the Center for Information Security at the Russian Federal Security Service (CIB FSB) had limited technical staff, so it often brought in outside specialists, reportedly going so far as to hide some hackers in safe houses. </p><p>Andrei Soldatov, a Russian investigative journalist and co-author of The Red Web, a book about the Kremlin's online activities, <a href="https://www.buzzfeednews.com/article/sheerafrenkel/inside-the-hunt-for-russias-hackers">said</a> that while the Russian government's tactic of outsourcing cyber operations to various groups helps distance themselves (and ultimately provides deniability), it also left them vulnerable to hackers running amok.</p><h3 id="russian-cybercrime-in-foreign-policy">Russian Cybercrime in Foreign Policy</h3><p>In September 2021, around the time we released our initial Dark Covenant report, we identified a shift in calculus following recent high-profile ransomware attacks and subsequent intergovernmental consultations between the US and Russia. 
At the time, high-profile ransomware attacks against <a href="https://therecord.media/fbi-colonial-pipeline-was-hit-with-darkside-ransomware/">Colonial Pipeline</a>, <a href="https://therecord.media/fbi-jbs-ransomware-attack-was-carried-out-by-revil/">JBS</a>, and <a href="https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/">Kaseya</a> led the US to increase pressure on the Russian government to take action against the cybercriminal groups behind this activity. Around this time, the administrators of 2 major Russian-language forums, Exploit and XSS, quickly banned ransomware topics on their criminal underground platforms, likely as a result of the increased pressure. However, ransomware activities persist in the form of <a href="https://support.recordedfuture.com/hc/en-us/articles/7187714543763-Initial-Access-Brokers-Are-Key-to-Rise-in-Ransomware-Attacks">initial access</a> and data leak brokerage services. Moreover, the DarkSide, REvil, and Avaddon ransomware families halted extortionist activities right before or days after the first <a href="https://www.usatoday.com/story/news/politics/2021/06/16/joe-biden-set-putin-summit-geneva-after-g-7-nato-meetings/7700426002/">meeting</a> between US president Joe Biden and Russian president Vladimir Putin on June 16, 2021, in Geneva, Switzerland. This pause was only temporary, as ransomware attacks continued in 2022, including attacks affecting critical infrastructure targets in the energy sector and transportation entities in Europe (<a href="https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/">1</a>, <a href="https://www.bleepingcomputer.com/news/security/blackcat-alphv-claims-swissport-ransomware-attack-leaks-data/">2</a>, <a href="https://www.bloomberg.com/news/articles/2022-09-02/suspected-russian-ransomware-group-hacks-italian-energy-agency?leadSource=uverify%20wall">3</a>).</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/dark_covenant_2_cybercrime_russian_state_war_ukraine_f6961eaa01.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware]]></title>
            <link>https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware</link>
            <guid>https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware</guid>
            <pubDate>Fri, 27 Jan 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future's Insikt Group examines new activity from the Russian threat actor group, BlueBravo, targeting countries with a nexus to the Ukraine crisis.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf">click here</a> to download the report as a PDF.</em></p><h2 id="executive-summary">Executive Summary</h2><p>BlueBravo is a threat group tracked by Recorded Future's Insikt Group that overlaps with the Russian advanced persistent threat (APT) activity tracked as APT29 and NOBELIUM. APT29 and NOBELIUM operations have been <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/">previously</a> <a href="https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/">attributed</a> to Russia's Foreign Intelligence Service (SVR), an organization responsible for foreign espionage, active measures, and electronic surveillance. In October 2022 we identified BlueBravo staging GraphicalNeutrino malware within a malicious ZIP file. The staging and deployment of this ZIP file overlaps with the previously employed dropper <a href="https://attack.mitre.org/software/S0634/">EnvyScout</a>, the use of which is linked to <a href="https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/">APT29</a> and <a href="https://www.microsoft.com/en-us/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/">NOBELIUM</a>.</p><p>BlueBravo used a compromised website containing the text &quot;Ambassador`s schedule November 2022&quot; as part of a lure operation. Based on the theme of this lure, we suspect that the targets of this campaign are related to embassy staff or an ambassador. 
This targeting profile aligns with previous <a href="https://inquest.net/blog/2022/04/18/nobelium-israeli-embassy-maldoc">reporting</a> from InQuest in early 2022 that describes the group, reported as NOBELIUM, employing a lure document titled Ambassador_Absense.docx that displayed content relating to the Embassy of Israel. Following deployment and execution, InQuest reported that the malware, BEATDROP, employed trello[.]com for command-and-control (C2) in an attempt to evade detection and create challenges in attributing the activity.</p><p>Similar to the use of Trello for data exchange by BEATDROP, we have found that GraphicalNeutrino uses the United States (US)-based, business automation service Notion for its C2. The use of the Notion service by BlueBravo is a continuation of their previous tactics, techniques, and procedures (TTPs), as they have <a href="https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns">employed</a> multiple online services such as Trello, Firebase, and Dropbox in an attempt to evade detection. The abuse of legitimate services, such as those employed by BlueBravo, presents a complex issue for network defenders due to the difficulty of defending against malicious access to legitimate services. The use of this technique is becoming more common and will continue to pose a problem for network defenders.</p><p>GraphicalNeutrino acts as a loader with basic C2 functionality and implements numerous anti-analysis techniques including API unhooking, dynamically resolving APIs, string encryption, and sandbox evasion. 
It leverages Notion's API for C2 communications and uses Notion's database feature to store victim information and stage payloads for download.</p><p>While we are unable to assess the intended targets of this operation based on the data available, it is likely that ambassadorial or embassy-themed lures are particularly effective during periods of heightened geopolitical tensions, such as is the case with the ongoing war in Ukraine. During such periods, Russian APT groups are highly likely to make extensive use of diplomatically themed lures, as the information potentially gathered from the compromise of entities or individuals receiving such communications is likely to have a direct impact on Russia's foreign policy and broader Russian strategic decision-making processes.</p><p>Based on historical APT29 and SVR <a href="https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf">cyber</a> operations and active measures, we assess it is likely that additional countries at the nexus of the conflict are at risk of targeting. This targeting almost certainly represents an ongoing interest from threat actors affiliated with the SVR and aligns with their continued intent to gain access to strategic information from entities and organizations engaged in foreign policy. Any country with a nexus to the Ukraine crisis, particularly those with key geopolitical, economic, or military relationships with Russia or Ukraine, is at increased risk of targeting.</p><h2 id="key-judgments">Key Judgments</h2><ul><li>We have identified new malware used by BlueBravo, which overlaps with Russian APT activity tracked as APT29 and NOBELIUM, which Western governments and researchers have linked to the Russian Foreign Intelligence Service (SVR).</li><li>Identified staging infrastructure continues the trend of using compromised websites to deliver BlueBravo malware within archive files. 
The delivery of these files uses the same HTML smuggling technique as EnvyScout.</li><li>The malware also takes advantage of DLL search order hijacking for execution, helping to evade detection on the host.</li><li>A change to Notion as the initial C2 from Trello, Firebase, and Dropbox demonstrates BlueBravo's broadening but continued use of legitimate Western services to blend their malware traffic to evade detection.</li><li>Though no second-stage malware, follow-on C2 server, or victims were identified, the initial lure page suggests BlueBravo's targeting was related to unknown embassy staff or an ambassador.</li><li>Embassy-related information is likely considered high-value intelligence, especially in the midst of the Russian war in Ukraine.</li></ul><h2 id="background">Background</h2><p>BlueBravo's targeting, its tactics, techniques, and procedures (TTPs), and its targeting interests and operations overlap with Russian advanced persistent threat activity publicly reported as APT29 and NOBELIUM, which has been <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/">previously</a> <a href="https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/">attributed</a> to Russia's Foreign Intelligence Service (SVR). The SVR is responsible for foreign espionage, active measures, and electronic surveillance. APT29 has been active since at <a href="https://blog.f-secure.com/podcast-dukes-apt29/">least</a> 2008 according to third-party reporting, engaging in espionage operations against entities associated with security and defense, politics, and research. 
APT29 was initially observed <a href="https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf">surveilling</a> Chechen and dissident organizations but expanded to target entities in the West such as the <a href="https://thehill.com/policy/cybersecurity/250730-pentagon-restores-hacked-email-system">Pentagon</a> in 2015, the <a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/">Democratic National Committee</a> (DNC) and US think tanks in 2016, and the Norwegian <a href="https://www.theguardian.com/technology/2017/feb/03/norway-accuses-group-linked-to-russia-of-carrying-out-cyber-attack">government</a> and <a href="https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/">several</a> Dutch ministries in 2017.</p><p>In 2021, public reporting detailed BlueBravo's use of various <a href="https://twitter.com/cglyer/status/1398082383392477190">iterations</a> of a <a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/">phishing campaign</a> emulating government entities. The various campaigns delivered ISO files via methods such as <a href="https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/">using</a> URLs to download the ISO file and execute an LNK file, and using an HTML <a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/">attachment</a> in the email to initiate the download of an ISO file. This activity was used to deploy NativeZone, an umbrella term for their custom Cobalt Strike loaders. NativeZone typically uses rundll32.exe to load and execute follow-on payload(s).</p><p>BlueBravo employs a wide range of custom malware and open-source tooling. 
A notable facet is their <a href="https://www.epicturla.com/previous-works/vb2018">evolving</a> malware families and development practices, with implants developed in various languages including <a href="https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/">Python</a>, <a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html">Go</a>, <a href="https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html">PowerShell</a>, and <a href="https://www.welivesecurity.com/2014/05/20/miniduke-still-duking/">Assembly</a>.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2022_1202_Blog_Intelligence_Report_Main_Feature_bd18c12b17.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[I, Chatbot]]></title>
            <link>https://www.recordedfuture.com/i-chatbot</link>
            <guid>https://www.recordedfuture.com/i-chatbot</guid>
            <pubDate>Thu, 26 Jan 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[New Recorded Future®, Insikt Group® research examines the ways in which threat actors can utilize ChatGPT for malicious use.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0126.pdf">click here</a> to download the report as a PDF.</em></p><h2 id="executive-summary">Executive Summary</h2><p>ChatGPT is a chatbot developed by OpenAI, an artificial intelligence (AI) laboratory based in the US, which uses the GPT-3 family of autoregressive (AR) language models. ChatGPT <a href="https://openai.com/blog/chatgpt/">launched</a> on November 30, 2022, and has been subject to widespread attention. Among the potential advantages of ChatGPT, we have also identified several potential use cases ripe for abuse. While ChatGPT has the potential to be abused by nation-state actors to enable cyberespionage, information operations (IOs), and disruptive cyberattacks (cyberwarfare), we believe these use cases are not as immediate threats as those posed by cybercriminals. Short term, we believe that non-state actors with limited technical knowledge and resources pose a more serious threat via the malicious use of ChatGPT. </p><p>The types of threat actors that we believe currently pose the most threat can be classified as script kiddies, hacktivists, scammers and spammers, payment card fraudsters, and threat actors engaging in other lowly and disreputable forms of cybercrime. Within days of the ChatGPT launch, we identified many threat actors on dark web and special-access forums sharing buggy but functional malware, social engineering tutorials, money-making schemes, and more, all enabled by the use of ChatGPT. 
While none of these activities have risen to the seriousness of ransomware, data extortion, denial of service, cyberterrorism, and so on, these attack vectors remain possibilities.</p><p>This report uses ChatGPT itself, sometimes in its own words, to demonstrate its functionality, rationalize its use and abuse, and replicate threats that currently exist in the cybercriminal underground.</p><h2 id="key-findings">Key Findings</h2><ul><li>ChatGPT lowers the barrier to entry for threat actors with limited programming abilities or technical skills. It can produce effective results with just an elementary level of understanding of the fundamentals of cybersecurity and computer science.</li><li>We identified threat actors on dark web and special-access sources sharing proof-of-concept ChatGPT conversations that enable malware development, social engineering, disinformation, phishing, malvertising, and money-making schemes.</li><li>We believe that non-state threat actors pose the most immediate threat to individuals, organizations, and governments via the malicious use of ChatGPT.</li><li>With limited time and experience on the ChatGPT platform, we were able to replicate malicious code identified on dark web and special-access forums.</li></ul><h2 id="background">Background</h2><p><strong>(The following description was written by ChatGPT and transcribed verbatim in response to the prompt to provide a detailed response addressing its history and functionality.)</strong></p><p><em>ChatGPT, or the Generative Pre-training Transformer, is a powerful conversational language model developed by OpenAI. It is based on the GPT architecture and was first released in 2019. Since then, it has undergone several updates, including the release of version 3 in 2020.</em></p><p><em>The model was trained on a large corpus of text data and is capable of understanding and responding to a wide range of topics and prompts. 
This makes it highly versatile and well-suited for a variety of natural language processing (NLP) tasks, including question answering, language translation, text summarization, and even creative writing. One of the key strengths of ChatGPT is its ability to generate highly coherent and contextually appropriate text, which is why it is often used in applications such as chatbots, virtual assistants, and automated writing.</em></p><p><em>The model&#39;s large capacity allows it to perform well on NLP tasks with minimal fine-tuning. This makes it an attractive option for developers and researchers looking to build custom NLP models without the need for extensive training data. However, it&#39;s important to note that ChatGPT is a unidirectional model, meaning it can only generate text based on the input it has been given. This means that it is not able to answer questions that rely on understanding the context of the conversation or the world.</em></p><p><em>One of the most common use cases for ChatGPT is in chatbot development. The model&#39;s ability to generate human-like text makes it well-suited for creating chatbot conversations that are natural and engaging for users. This can be especially useful for customer service chatbots, which can handle a wide range of customer queries and complaints without the need for human intervention.</em></p><p><em>Another popular use case for ChatGPT is in automated writing. The model can be fine-tuned to generate articles, stories, and other forms of written content with a high degree of coherence and fluency. This can be useful for content generation in a variety of industries, including journalism, marketing, and publishing.</em></p><p><em>Additionally, ChatGPT can be used for language translation, which can be highly beneficial for companies and organizations that operate in multiple languages. 
The model can be fine-tuned to translate text from one language to another with a high degree of accuracy, which can save companies significant time and resources.</em></p><p><em>In conclusion, ChatGPT is a powerful conversational language model that can be used for a wide range of NLP tasks. Its ability to generate highly coherent and contextually appropriate text makes it well-suited for applications such as chatbots, virtual assistants, and automated writing. Additionally, its large capacity allows it to perform well on NLP tasks with minimal fine-tuning, making it an attractive option for developers and researchers looking to build custom NLP models.</em></p><p>ChatGPT was launched publicly by OpenAI on November 30, 2022. In the following weeks, it garnered widespread media attention for its functionality and its seemingly boundless potential for future use. Researchers, academics, and journalists speculated on use cases. Proposed benefits of ChatGPT include the <a href="https://devops.com/will-chatgpt-replace-developers/">automation of engineering tasks</a>, applications for <a href="https://medium.datadriveninvestor.com/mastering-chatgpt-in-python-a53814e834b0?gi=8325a6c93293">data science</a> and analytics, software development, <a href="https://www.nytimes.com/2023/01/12/technology/chatgpt-schools-teachers.html">educational technology</a> (edtech), and much more.</p><p><img src="https://cms.recordedfuture.com/uploads/Chatbot_001_9e6b3aa192.png" alt="Chatbot-001.png"><em><strong>Figure 1:</strong> References to ChatGPT on dark web and special-access forums (Source: Recorded Future)</em></p><p>Amid the excitement, optimism, and <a href="https://mindmatters.ai/2022/12/yes-chatgpt-is-sentient-because-its-really-humans-in-the-loop/">transhumanist thought-experimenting</a>, some cynicism has been expressed about the use of ChatGPT for deceptive, unethical, or malicious purposes. 
Some have argued that ChatGPT should be <a href="https://www.washingtonpost.com/education/2023/01/05/nyc-schools-ban-chatgpt/">banned in schools</a> due to its potential for enabling <a href="https://www.axios.com/2023/01/13/chatgpt-schools-teachers-ai-debate">plagiarism</a> and <a href="https://www.ft.com/content/2e97b7ce-8223-431e-a61d-1e462b6893c3">systemic cheating</a> on homework, writing assignments, and take-home exams. Others believe that its open registration policy makes it easily accessible for threat actors <a href="https://www.axios.com/2023/01/10/hackers-chatgpt-malware-cybercrime-ai">interested in developing malware</a>, gaining unauthorized access to networks, or <a href="https://www.csoonline.com/article/3685368/study-shows-attackers-can-use-chatgpt-to-significantly-enhance-phishing-and-bec-scams.html">coordinating convincing phishing campaigns</a>. These debates raise questions about the authenticity and accuracy of ChatGPT (which is expected to improve over time) and its effects on the job market, remote work and education, freelancing, and more. </p><p>Will ChatGPT cause a widespread market disruption and displace individuals in affected roles? As an experiment, we examined some of the top-rated listings from the most active content creators on freelancing platforms such as Fiverr. We used ChatGPT to replicate these tasks, generating 500- to 1,000-word research papers in seconds, as well as miscellaneous technical tasks.</p><p><img src="https://cms.recordedfuture.com/uploads/Chatbot_002_861f9f62fd.png" alt="Chatbot-002.png"><img src="https://cms.recordedfuture.com/uploads/Chatbot_003_0ca2dea600.png" alt="Chatbot-003.png"><em><strong>Figure 2:</strong> ChatGPT performing Writing &amp; Translation tasks commonly advertised on the Fiverr freelancing platform. The tasks were chosen at random and based on top-rated Fiverr results. 
Tasks include writing 500-word essays on the causes of the American Revolution (Left) and the optimal number of sets and repetitions for muscular hypertrophy (Right). (Source: Recorded Future, ChatGPT)</em></p><p><img src="https://cms.recordedfuture.com/uploads/Chatbot_004_7652fc704d.png" alt="Chatbot-004.png"><img src="https://cms.recordedfuture.com/uploads/Chatbot_005_3c87d89567.png" alt="Chatbot-005.png"><em><strong>Figure 3:</strong> ChatGPT performing Programming &amp; Tech tasks commonly advertised on the Fiverr freelancing platform. Tasks were chosen at random and based on top-rated Fiverr results. They include creating an interactive advertisement banner in JavaScript for a WordPress website (Left) and a template for a responsive email newsletter in HTML (Right). (Source: Recorded Future, ChatGPT)</em></p><p>Cybercriminals have quickly caught on to this functionality of ChatGPT, monetizing fraudulent freelance work that uses ChatGPT to automate contracted tasks en masse. Threat actors also claim to have written e-books with ChatGPT, which they have allegedly listed for sale under false pen names on popular marketplaces. In some cases, these same threat actors have publicly claimed to make upwards of $4,000 per day abusing ChatGPT to deceive clients and customers. We believe that these earnings claims are possible, but likely an exaggeration intended to direct traffic to the author's profile.</p><p>Cybercriminals have also used ChatGPT to write scripts that automate commands such as dice rolling and strategic betting for online casinos and sports betting platforms, cheat in online video games, create fraudulent affiliate marketing redirects to earn passive income, and more. Many of these tutorials are openly accessible on forums, messaging platforms, and social media frequented by cybercriminals and require no prior registration to view. 
</p><p>Below is a sample of such advertisements from the low-tier, English-language Cracked Forum, between December 16, 2022, and January 2, 2023:</p><p><img src="https://cms.recordedfuture.com/uploads/Chatbot_006_7e3d3f9c89.png" alt="Chatbot-006.png"><img src="https://cms.recordedfuture.com/uploads/Chatbot_007_ef8257084f.png" alt="Chatbot-007.png"><img src="https://cms.recordedfuture.com/uploads/Chatbot_008_56dd27f671.png" alt="Chatbot-008.png"><img src="https://cms.recordedfuture.com/uploads/Chatbot_009_7404148115.png" alt="Chatbot-009.png"><img src="https://cms.recordedfuture.com/uploads/Chatbot_010_37e82a7291.png" alt="Chatbot-010.png"><em><strong>Figure 4:</strong> Cybercriminal advertisements and tutorials on the low-tier Cracked Forum for money-making schemes using ChatGPT. Most schemes involve completing fraudulent tasks on freelancing platforms, auto-rolling on online casinos (Middle, Left), and directing traffic to affiliate marketing links (Bottom). (Source: Cracked Forum)</em></p><p>With the rise in popularity of ChatGPT on dark web and special-access forums also comes an influx of threat actors asking how to register untraceable, unattributable, or fraudulent accounts with OpenAI that violate the ChatGPT community standards. 
In some cases, especially for threat actors physically located in the Commonwealth of Independent States (CIS), tutorials for registering accounts with temporary (burner) Russian phone numbers have also appeared.</p><p><img src="https://cms.recordedfuture.com/uploads/Chatbot_011_f662fd69cd.png" alt="Chatbot-011.png"><em><strong>Figure 5:</strong> MrK inquires about registering an account without a phone number (Source: Recorded Future, BreachForums)</em></p><p><img src="https://cms.recordedfuture.com/uploads/Chatbot_012_6858b4e379.png" alt="Chatbot-012.png"><em><strong>Figure 6:</strong> Lorensaire, a member of the top-tier Russian-language cybercriminal forum XSS, inquires about acquiring an OpenAI application programming interface (API) key without the use of a verified phone number. The threat actor indicated that their Russian phone number cannot be used for SMS verification. (Source: Recorded Future, XSS).</em></p><p>Some threat actors, such as 0x27 and USDoD (aka NetSec, Scarfac33) on the mid-tier BreachForums, have used recent articles on the malicious use of ChatGPT from cybersecurity researchers at <a href="https://research.checkpoint.com/2023/opwnai-cybercriminals-starting-to-use-chatgpt/">Check Point</a>, <a href="https://www.forbes.com/sites/thomasbrewster/2023/01/06/chatgpt-cybercriminal-malware-female-chatbots/?sh=6e805b555349">Forbes</a>, and <a href="https://arstechnica.com/information-technology/2023/01/chatgpt-is-enabling-script-kiddies-to-write-functional-malware/">Ars Technica</a> to inflate their personal brand and boost their credibility rating on the forum. These articles, while showing the potential threat of ChatGPT abuse, have also brought attention to the threat actors engaging in such activities, which to an extent may legitimize them and solidify their reputations. 
While many threat actors are opportunistic and financially motivated, some are ego-driven and inspired by media attention.</p><p><img src="https://cms.recordedfuture.com/uploads/Chatbot_013_cf621255f8.png" alt="Chatbot-013.png"><em><strong>Figure 7:</strong> The threat actor 0x27 acknowledges reporting on the malicious use of ChatGPT, which includes references to previous threads authored by 0x27 and USDoD on BreachForums. (Source: Recorded Future, BreachForums)</em></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0126.pdf">click here</a> to download the report as a PDF.</em></p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/i_chatbot_92c32ac326.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Annual Payment Fraud Intelligence Report: 2022]]></title>
            <link>https://www.recordedfuture.com/annual-payment-fraud-intelligence-report-2022</link>
            <guid>https://www.recordedfuture.com/annual-payment-fraud-intelligence-report-2022</guid>
            <pubDate>Tue, 17 Jan 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future's Insikt Group details the top trends and metrics of the payment card fraud landscape in 2022 and provides insights into what to expect in 2023.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0117.pdf">click here</a> to download the report as a PDF.</em></p><p><em>This report provides trends and metrics for the payment card fraud landscape in 2022 and identifies the merchants most frequently compromised or abused as tester merchants. The target audience of this report is fraud and cyber threat intelligence (CTI) teams at financial institutions and merchant services companies.</em></p><h3 id="executive-summary">Executive Summary</h3><p>2022 was a year of system shocks, and the payment card fraud market did not survive unscathed. Russia's early-2022 cybercrime crackdown, followed promptly by its full-scale invasion of Ukraine in February 2022, depressed carding volumes for the remainder of the year. In total, 2022 saw 45.6 million card-not-present (CNP) and 13.8 million card-present (CP) payment card records posted for sale to carding shops on the dark web. These figures were considerably lower than the 60 million CNP and 36 million CP records posted for sale in 2021. Taken together, this decreased supply, demand, and turnover defined the payment card fraud market and threat landscape throughout 2022.</p><p>In spite of this, the card fraud market and the threat actors who populate it demonstrated remarkable resilience. Magecart actors launched campaigns that employed fake payment card forms, exploited legitimate merchant web infrastructure to deploy e-skimmers, and used HTTP Referer headers to impede remediation by security analysts. One of these campaigns led to the compromise of 2 online ordering platforms, a growing tactic that exposes every merchant using the affected platform to compromise in turn. 
Meanwhile, high-profile merchants were increasingly exploited by individual threat actors and checker services on the dark web in order to verify the validity of stolen cards. And finally, as war in Ukraine hampered cybercriminals' ability to engage in card fraud, one top-tier carding shop exploited the lull in supply by flooding the market with recycled payment card records. Although frustrated by these records' low quality, resourceful threat actors may nevertheless use them as cheap sources of personally identifiable information (PII) that they can weaponize to carry out targeted account takeover (ATO) attacks against their victims.</p><p>By employing proactive anti-fraud strategies that integrate intelligence from throughout the payment fraud life cycle, financial institutions and card issuers can reduce card fraud losses in 2023. The overall level of card fraud activity in 2023 will be highly dependent on whether or not Russia's war in Ukraine continues; if it does, threat actors' ability to engage in card fraud will likely remain degraded. But should the war end, a renewal or increase in payment card fraud may follow.</p><h3 id="key-findings">Key Findings</h3><ul><li>45.6 million CNP payment card records were posted across dark web carding shops in 2022, down 24% from 2021. It is highly likely that this year's relatively low CNP volumes are the result of Russia's early-2022 cybercrime crackdown and its subsequent full-scale invasion of Ukraine. In 2022, the highest-impact CNP breaches affected online ordering platforms.</li><li>13.8 million CP payment card records were posted across dark web carding shops in 2022, down 62% from 2021. While it is possible the year's events contributed to this drop-off, year-by-year CP volumes have also steadily declined due to the rising global adoption of more secure in-person payment methods. 
In 2022, CP breaches overwhelmingly affected small restaurants and bars.</li><li>The Recorded Future Magecart Overwatch program discovered 1,520 unique malicious domains involved in infections of 9,290 unique e-commerce domains at any point in 2022. </li><li>Full primary account numbers (PANs) for at least 20.5 million compromised payment cards were posted as plaintext or images to various resources including dark web forums, pastebins, and social media.</li><li>21 card checker services monitored by Recorded Future abused 2,953 unique merchants associated with 660 unique merchant identification numbers (MIDs) for illicit card checks.</li><li>Threat actors focused on avoiding or bypassing protections offered by the 3-D Secure (3DS) protocol and increasingly discussed the abuse of customer service call centers as a means of facilitating their attacks. Furthermore, a surge of cheap, reposted payment card records throughout 2022 widened the attack surface for ATO attacks.</li><li>The payment fraud life cycle closely resembles a real-world market underpinned by supply chains, coordinated exchange between buyers and sellers, and the provision of services such as checkers. Although this high degree of organization increases the opportunities and impact of card fraud, it also produces a data-rich environment. Therefore, card issuers, acquirers, and merchant service providers should incorporate and integrate intelligence from across the payment fraud life cycle to proactively combat fraud.</li></ul><h3 id="background">Background</h3><p>Payment card fraud exists as part of a sophisticated underground economy. Production networks, supply chains, and dark web carding shops provide threat actors with the means to market criminal services and wares to their peers or to purvey stolen data to end users who engage in card fraud. 
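As an added example (not code from the report), the following Python script shows the first step a CTI or fraud team takes when monitoring forum, pastebin, and social-media posts for the plaintext PAN dumps counted in the key findings above: extract candidate card numbers from free text, discard anything that fails the Luhn check digit (timestamps, order numbers, and mistyped cards fall out here), attribute the survivors to a network from the leading digits of the issuer identification number (IIN), and mask them to first-six/last-four so analysts can share and deduplicate findings without redistributing live card data. The regular expression, the simplified network ranges, and the sample paste are constructed for this example; the card numbers in it are the networks' public test numbers, not leaked records.

```python
from __future__ import annotations
import re

# Candidate PAN spellings seen in pastes: 13-19 contiguous digits, or 4-4-4-4 / 4-6-5 groups
# joined by one consistent separator. Constructed for this example; not a report indicator.
PAN_CANDIDATE = re.compile(
    r"(?<!\d)(?:"
    r"\d{13,19}"                                   # contiguous
    r"|\d{4}([ -])\d{4}\1\d{4}\1\d{4}"             # 16 digits in groups of four
    r"|\d{4}([ -])\d{6}\2\d{5}"                    # 15 digits in the 4-6-5 grouping
    r")(?!\d)"
)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check digit (ISO/IEC 7812-1): filters typos, timestamps and order numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_network(pan: str) -> str:
    """Network from the leading digits of the IIN (public ranges, simplified for the example)."""
    if pan[0] == "4":
        return "Visa"
    if pan[:2] in ("34", "37"):
        return "American Express"
    if pan[:2] in ("51", "52", "53", "54", "55") or 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    if pan[:4] == "6011" or pan[:2] == "65" or 644 <= int(pan[:3]) <= 649:
        return "Discover"
    if pan[:2] == "35":
        return "JCB"
    return "unknown"


def mask_pan(pan: str) -> str:
    """First six (IIN) and last four: shareable between analysts without spreading live card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[dict]:
    """Return masked, Luhn-valid PANs found in free text, with network and source line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue          # order numbers, timestamps and mistyped cards drop out here
            findings.append({"line": lineno, "masked": mask_pan(digits),
                             "network": card_network(digits), "length": len(digits)})
    return findings


# Constructed sample paste (public test card numbers only, not leaked data).
SAMPLE_PASTE = """\
FREE CC DROP 2022 - enjoy
4111111111111111|12|2025|123|John Doe|US
5555 5555 5555 4444|06/24|999
3782 822463 10005|0926|4321
order #20221117165430991 shipped 2022-11-17T16:54:30
ref 4111111111111112 (check digit wrong)
"""

if __name__ == "__main__":
    for finding in find_pans(SAMPLE_PASTE):
        print(finding)
```

A Luhn-valid PAN is well formed, not necessarily live; confirming liveness is exactly the service the card checkers described in this report sell, by running test authorizations through abused merchants. Matching on images, which the key findings also count, needs an OCR pass in front of this text stage.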
Within this shadow economy, payment card fraud conforms to a certain life cycle, as seen in Figure 1 below.</p><p><img src="https://cms.recordedfuture.com/uploads/annual_payment_fraud_intelligence_report_2022_fig1_aa0df5f3f0.png" alt="annual-payment-fraud-intelligence-report-2022-fig1.png"><strong>Figure 1:</strong> <em>Payment card fraud conforms to a general life cycle (Source: Recorded Future)</em></p><p>At the beginning of the life cycle, physical compromises facilitate the theft of payment card data from merchants' card-present (CP) transactions. Meanwhile, cybercriminals enact digital compromises, often Magecart e-skimmer infections, to steal card data from online card-not-present (CNP) transactions. These stolen card records are posted for sale to the dark web, where partial payment card data is put on display so criminal buyers can go window shopping. Occasionally, carding shops release full stolen payment card data for promotional purposes, which provides one of the many opportunities for criminals to snatch up full primary account numbers (PANs). Before making a sale, carding shops use aptly named checkers to appraise stolen card sets; individual criminals use the same checkers to verify their records' validity before or after purchase. Once end-user fraudulent actors acquire their desired payment card data, they monetize it, usually through fraudulent transactions. If actors can acquire enough of a victim's personally identifiable information (PII), they can even attempt account takeover (ATO) attacks to cash out their victim's bank account.</p><p>Throughout 2022, Recorded Future monitored this shadow economy to empower clients to disrupt fraud at every stage of the payment card fraud life cycle. In the course of our monitoring, we observed both continuing trends from 2021 and novel trends that grew organically from the events of 2022.</p><p><em>Editor's Note: This is an excerpt of a full report. 
To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0117.pdf">click here</a> to download the report as a PDF.</em></p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/annual_payment_fraud_intelligence_report_2022_c59a144484.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Current Trends in the Turkish-Language Dark Web]]></title>
            <link>https://www.recordedfuture.com/current-trends-in-the-turkish-language-dark-web</link>
            <guid>https://www.recordedfuture.com/current-trends-in-the-turkish-language-dark-web</guid>
            <pubDate>Thu, 12 Jan 2023 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future’s Insikt Group examines the capabilities, culture, and organizational structure of Turkish-language hacking and cybercrime forums.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/Primary_Logo_Insikt_Digital_RGB_45f99b2dc9.png" alt="Primary Logo - Insikt - Digital (RGB).png"></p><p><em>Editor's Note: This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0112.pdf">click here</a> to download the report as a PDF.</em></p><p><em>We analyzed advertisements, posts, and interactions within Turkish-language hacking and cybercrime forums to explore the capabilities, culture, and organization of these communities. This report is a follow-up to our previous reporting on the state of the Turkish-language dark web as part of a series analyzing cybercriminal communities in <a href="https://www.recordedfuture.com/brazilian-hacking-communities/">Brazil</a>, <a href="https://www.recordedfuture.com/russian-chinese-hacking-communities/">Russia and China</a>, <a href="https://www.recordedfuture.com/japanese-underground-communities/">Japan</a>, and <a href="https://www.recordedfuture.com/ashiyane-forum-history/">Iran</a>. It will be of greatest interest to organizations and geopolitical analysts seeking to understand the cybercriminal underground in order to better monitor security-related threats, as well as to those researching the Turkish-language underground.</em></p><h2 id="executive-summary">Executive Summary</h2><p>Turkey's increasingly unstable financial situation, with record inflation rates and a plummeting Turkish lira, has created conditions for disenfranchised young people to join underground communities and engage further in cybercriminal activities. We found that Turkish patriotic hacking collectives are continuing their defacement operations and at least 1 threat group is working to engage in more sophisticated hacking activities. 
Turkish-language cybercriminals are active on English- and Russian-language forums where they share and sell compromised data from Turkish entities. In our research, we identified at least 3 Turkish-language ransomware groups, and we developed a YARA rule to detect TurkStatik ransomware. </p><p>With the prevalence of ransomware-as-a-service (RaaS) models and the resulting lower barriers to entry to the ransomware space, we expect an increase in the number of Turkish-language ransomware groups. As a cornerstone of the Turkish underground community, we expect patriotic hacking collectives to continue their operations. </p><h2 id="key-judgments">Key Judgments</h2><ul><li>Turkish patriotic hackers continue their defacement operations targeting countries they perceive to be enemies of Turkey, and in some cases aim to ramp up the sophistication of their activities, including leaking confidential data and building a hacktivist botnet.</li><li>Turkish-language, financially motivated threat actors advertise their services, methods, and stolen data on popular global forums to avoid Turkish law enforcement attention and appeal to a larger audience. We identified at least 3 Turkish-language ransomware variants in use by threat groups: TurkStatik, SifreCikis, and DeadLocker. At the time of this report, we do not know the number of victims in Turkey affected by these ransomware variants, as their operators do not run extortion websites.</li></ul><h2 id="background">Background</h2><p>As outlined in our previous reporting, Turkish-speaking dark web communities primarily focus on 2 functional areas: patriotic hacking (hacktivism) and financially motivated cybercrime. Patriotic hacking communities frequently respond to geopolitical events around the world, especially those relating to Turkey, and show support for the government agenda by targeting countries perceived to be enemies of Turkey. 
Financially motivated communities focus on a variety of fraud-related activities such as payment card fraud, data breaches, and social engineering. Due to pressure from law enforcement, Turkish-language forums do not host content, data, or methods targeting Turkish organizations. A majority of the compromised data and attack methods targeting Turkish organizations are found on English- or Russian-language forums like BreachForums, XSS, and Exploit. </p><p>Increased political and financial instability in Turkey is a likely contributing factor to the popularity of dark web forums and financially motivated cybercrime. Researchers have <a href="https://www.researchgate.net/publication/334641577_Unemployment_Migration_and_Cyber_Criminality_in_Nigeria">argued</a> for a correlation between financial instability (particularly youth unemployment) and cybercrime rates, using the <a href="https://www.nairaland.com/4057843/tackling-unemployment-youth-involvement-cybercrime">case study</a> of Nigeria as an example. On October 3, 2022, data from the Turkish Statistical Institute (TUIK) <a href="https://www.reuters.com/world/middle-east/turkeys-inflation-hits-fresh-24-year-high-83-after-rate-cuts-2022-10-03/">showed</a> that inflation had hit a 24-year high of 83.45%, while independent experts at the Inflation Research Group (a private research group in Turkey) <a href="https://www.bbc.com/news/world-europe-63120478">estimate</a> the annual rate to be much higher, at approximately 186.27%. Despite high inflation, the Central Bank of the Republic of Turkey has pursued an unorthodox easing cycle, lowering interest rates. As a result, the Turkish lira lost 44% of its value against the dollar in 2021, and the lira hit an all-time low in <a href="https://www.reuters.com/world/middle-east/turkeys-cenbank-shocks-again-with-100-point-rate-cut-2022-09-22/">September 2022</a> after a further 100-basis-point rate cut. 
The rising cost of living combined with the volatile financial situation continues to <a href="https://qoshe.com/canadian-dimension/nesi-altaras/turkey-s-worsening-crisis-leaves-youth-with-little-hope/148497542">impoverish Turkey's youth</a>.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2022_1202_Blog_Intelligence_Report_Main_Feature_bd18c12b17.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant]]></title>
            <link>https://www.recordedfuture.com/reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant</link>
            <guid>https://www.recordedfuture.com/reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant</guid>
            <pubDate>Fri, 23 Dec 2022 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group® examines operations conducted by likely Chinese state-sponsored threat activity group RedDelta targeting organizations across Asia and Europe.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em><strong>Editor's Note:</strong> This is an excerpt of a full report. To read the entire analysis with endnotes, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf">click here</a> to download the report as a PDF.</em></p><p><em>This report details recent activity conducted by the likely Chinese state-sponsored threat activity group RedDelta. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. This report will be of most interest to individuals and organizations with strategic and operational intelligence requirements relating to Chinese cyber threat activity, as well as network defenders in government organizations within Southeast Asia and Europe.</em></p><h3 id="executive-summary">Executive Summary</h3><p>Recorded Future's Insikt Group continues to track activity we attribute to the likely Chinese state-sponsored threat activity group RedDelta targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor. Since at least 2019, RedDelta has been consistently active within Southeast Asia, particularly in Myanmar and Vietnam, but has also routinely adapted its targeting in response to global geopolitical events. 
This is historically evident through the group's targeting of the Vatican and other Catholic organizations in the lead-up to 2021 talks between Chinese Communist Party (CCP) and Vatican officials [<a href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf">1</a>,<a href="https://www.recordedfuture.com/reddelta-cyber-threat-operations">2</a>], as well as throughout 2022 through the group's shift towards increased targeting of European government and <a href="https://www.proofpoint.com/uk/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european">diplomatic entities</a> following Russia&#39;s invasion of Ukraine.</p><p>During the 3-month period from September through November 2022, RedDelta regularly used an infection chain employing malicious shortcut (LNK) files, which trigger a dynamic-link library (DLL) search-order-hijacking execution chain to load consistently updated PlugX versions. Throughout this period, the group repeatedly employed decoy documents specific to government and migration policy within Europe. Of note, we identified a European government department focused on trade communicating with RedDelta command-and-control (C2) infrastructure in early August 2022. This activity commenced on the same day that a RedDelta PlugX sample using this C2 infrastructure and featuring an EU trade-themed decoy document surfaced on public malware repositories. 
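As an added example (not code from the report or from RedDelta's tooling), the following Python script parses the header and string data of a Windows shortcut (.lnk) file as laid out in the MS-SHLLINK specification and applies a few generic triage heuristics suited to the archive- and ISO-delivered shortcut lures described above: a shortcut that launches its target minimized and unfocused, a target executable that ships alongside the shortcut (the usual arrangement when a legitimate binary is staged next to a malicious DLL for search-order hijacking), and arguments that hand a DLL to a system utility. The heuristics, the helper names, and the sample shortcuts are assumptions constructed for this example, not indicators taken from the report; `build_lnk` exists only to produce test input offline.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# ShellLinkHeader layout and LinkFlags bits from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # start minimized, never take focus: the user sees nothing launch

# System utilities commonly named in shortcut lures to proxy execution (assumed list).
PROXY_BINARIES = ("cmd.exe", "powershell", "rundll32", "regsvr32", "mshta", "wscript", "cscript")


@dataclass
class Lnk:
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> Lnk:
    """Parse the 76-byte header and the StringData section; IDList and LinkInfo are skipped."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # u16 size followed by that many bytes
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                # u32 size that includes the size field itself
        size, = struct.unpack_from("<I", data, off)
        off += size
    lnk = Lnk(show_command=show_command)
    for flag, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, off)   # character count, not byte count
        off += 2
        if flags & IS_UNICODE:
            setattr(lnk, attr, data[off:off + count * 2].decode("utf-16-le"))
            off += count * 2
        else:
            setattr(lnk, attr, data[off:off + count].decode("cp1252"))
            off += count
    return lnk


def triage_lnk(lnk: Lnk) -> list[str]:
    """Generic heuristics for shortcuts delivered in archives or ISO images (assumptions, not report IOCs)."""
    findings = []
    target, args = lnk.relative_path.lower(), lnk.arguments.lower()
    if lnk.show_command == SW_SHOWMINNOACTIVE:
        findings.append("launches minimized and unfocused (SW_SHOWMINNOACTIVE)")
    if target.endswith(".exe") and ".." not in target:
        # A relative target that never climbs out of the shortcut's own directory points at a
        # binary shipped with the lure, the staging pattern for DLL search-order hijacking.
        findings.append(f"target executable ships alongside the shortcut: {lnk.relative_path}")
    proxy = next((b for b in PROXY_BINARIES if b in target or b in args), None)
    if proxy:
        findings.append(f"invokes system utility {proxy} with arguments {lnk.arguments!r}")
    if ".dll" in args:
        findings.append(f"arguments reference a DLL: {lnk.arguments!r}")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str, show_command: int) -> bytes:
    """Build a minimal Unicode shortcut. Constructed test input only, not a captured sample."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments))
    return header + strings


if __name__ == "__main__":
    samples = {
        "installed app": build_lnk("..\\..\\Program Files\\7-Zip\\7zFM.exe", "C:\\Program Files\\7-Zip", "", SW_SHOWNORMAL),
        "bundled exe": build_lnk(".\\_\\update.exe", "", "", SW_SHOWMINNOACTIVE),
        "rundll32 loader": build_lnk("..\\..\\Windows\\System32\\rundll32.exe", "", ".\\_\\helper.dll,Start", SW_SHOWMINNOACTIVE),
    }
    for label, blob in samples.items():
        print(label, triage_lnk(parse_lnk(blob)) or ["no findings"])
```

The LinkInfo and IDList structures skipped here carry the absolute target path and volume data and are worth parsing in a production tool, since a crafted shortcut can omit or contradict the RelativePath string; this example treats only what it reads. Pair the shortcut triage with a listing of the same archive or image, because the renamed legitimate executable and the DLL it loads sit beside the shortcut and are the artefacts that actually identify the hijack.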
We also identified additional probable victim entities within Myanmar and Vietnam regularly communicating with RedDelta C2 infrastructure.</p><p>RedDelta closely overlaps with public industry reporting under the aliases BRONZE PRESIDENT, Mustang Panda, TA416, Red Lich, and HoneyMyte.</p><h3 id="key-judgments">Key Judgments</h3><ul><li>RedDelta has consistently conducted long-term cyber-espionage campaigns in line with the strategic interests of the Chinese government, including historical targeting of government and public sector organizations across Asia and Europe as well as overseas organizations associated with minority groups within mainland China such as Tibetan and Catholic Church-related entities.</li><li>Despite the volume of public reporting on the groups activity, RedDelta employs a high operational tempo relative to other state-sponsored actors. The group also maintains a rapid pace of development for its flagship backdoor (remote access trojan [RAT]), a variant of the long-running backdoor PlugX that is heavily customized for anti-analysis for detection evasion.</li><li>In November 2022, RedDelta actors shifted from using archive files to using malicious optical disc image (ISO) files containing a simplified shortcut (LNK) file for delivery of an updated PlugX payload.</li></ul><p><img src="https://cms.recordedfuture.com/uploads/reddelta_targets_european_government_organizations_continues_iterate_custom_plugx_variant_01_e20de5f0ec.png" alt="reddelta-targets-european-government-organizations-continues-iterate-custom-plugx-variant-01.png"></p><p><strong>Figure 1</strong>: High-level RedDelta TTPs and Recorded Future data-sourcing graphic; historically reported TTPs are shown in gray [<a href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf">1</a>,<a href="https://www.recordedfuture.com/reddelta-cyber-threat-operations">2</a>] (Source: Recorded Future)_</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/reddelta_targets_european_government_organizations_and_continues_iterate_custom_plugx_variant_e6984396ce.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations]]></title>
            <link>https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations</link>
            <guid>https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations</guid>
            <pubDate>Mon, 05 Dec 2022 00:00:00 GMT</pubDate>
            <description><![CDATA[A recent spear phishing attempt uncovers a Russia-aligned cyber espionage campaign targeting government, intelligence, and military industries.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor's Note: <a href="https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf">Click here</a> to download the report as a PDF.</em></p><p>This report profiles the infrastructure used by the threat activity group TAG-53, which overlaps with public reporting on Callisto Group, COLDRIVER, and SEABORGIUM. The activity was identified through a combination of Network Intelligence and analysis derived from open-source reporting. The report will be of most interest to network defenders and individuals engaged in strategic and operational intelligence relating to the activities of the Russian state in cyberspace.</p><h4 id="executive-summary">Executive Summary</h4><p>Beginning in July 2022, Recorded Future's Insikt Group observed the recurring use of similar infrastructure by the threat activity group TAG-53. This newly discovered infrastructure likely overlaps with other infrastructure tactics, techniques, and procedures (TTPs) previously attributed to Callisto Group, COLDRIVER, and SEABORGIUM, which have been linked to activity aligning with Russian state interests.</p><p>Insikt Group has observed the recurring use of common traits by TAG-53 when curating its infrastructure, including the use of domain names employing a specific pattern construct along with Let's Encrypt TLS certificates, the use of a specific cluster of hosting providers, and the use of a small cluster of autonomous systems.</p><p>TAG-53 infrastructure was found to contain a spoofed Microsoft login page masquerading as a legitimate military weapons and hardware supplier in the United States, suggesting that some TAG-53 infrastructure has likely already been operationalized.
Based on historical public reporting on overlapping TAG-53 campaigns, it is likely that this credential harvesting activity is enabled in part through phishing.</p><h4 id="key-judgments">Key Judgments</h4><ul><li>Insikt Group has identified new infrastructure used by TAG-53, a group likely linked to suspected Russian threat activity groups Callisto Group, COLDRIVER, and SEABORGIUM.</li><li>The identified TAG-53 infrastructure features common traits including the use of specific domain registrars, the use of Let's Encrypt TLS certificates, and a small cluster of autonomous systems. Most of TAG-53's domains use a specific stylistic structure.</li><li>TAG-53 has used domains masquerading as organizations across multiple industry verticals, with a particular focus on government, intelligence, and military industries.</li></ul><h4 id="background">Background</h4><p>TAG-53 is consistent when setting up its infrastructure, which bears significant hallmarks of and crossover with infrastructure attributed to Callisto Group, COLDRIVER, and SEABORGIUM. The group continues to use particular stylistic structures when registering malicious domains alongside the use of specific domain registrars with IP addresses that reside in a small cluster of autonomous systems.</p><p>On August 15, 2022, a Microsoft <a href="https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations">report</a> published in collaboration with Google's Threat Analysis Group (TAG) and Proofpoint's Threat Research Team detailed SEABORGIUM's phishing operations. In this research, Microsoft assesses that SEABORGIUM originates from Russia and has objectives and victimology that align closely with Russian state interests. Microsoft notes that SEABORGIUM shares overlaps with Callisto Group, TA446, and COLDRIVER and indicates that the threat actor has carried out persistent phishing and credential theft campaigns that have led to intrusions and data theft.
SEABORGIUM primarily focuses its targeting on NATO countries, with a specific emphasis on the United States and the United Kingdom. The group also targeted Ukraine in the run-up to Russia's full-scale invasion of the country in February 2022.</p><p>Google's TAG <a href="https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe">reported</a> in March and <a href="https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe">updated</a> in May 2022 that COLDRIVER has conducted credential phishing campaigns using Gmail accounts targeting nongovernmental organizations and think tanks, journalists, and government and defense officials. TAG also suggests that COLDRIVER's TTPs have evolved over time, moving towards incorporating PDF or DOC file links that are hosted on Google Drive and Microsoft OneDrive within its phishing emails.</p><h4 id="threat-and-technical-analysis">Threat and Technical Analysis</h4><p>Insikt Group used intelligence provided in open-source reporting (<a href="https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations">1</a>, <a href="https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign">2</a>, <a href="https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe">3</a>, <a href="https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe">4</a>) to profile TAG-53 infrastructure that likely overlaps with Callisto Group, COLDRIVER, and SEABORGIUM infrastructure. TAG-53 infrastructure was uncovered by analyzing specific combinations of domain registrars, autonomous systems, domain name structures, and related TLS certificates. Based on this information, it is highly likely that this threat group is continuing its phishing and credential-harvesting operations.
While monitoring TAG-53 infrastructure, Insikt Group observed a spoofed Microsoft login page masquerading as a legitimate military weapons and hardware supplier in the US, suggesting that some TAG-53 infrastructure has likely already been operationalized.</p><h5 id="registrars">Registrars</h5><p>Using both current and passive Domain Name System (DNS) records, Insikt Group resolved IP addresses for 38 registered domains used by TAG-53 since January 2022. The identified TAG-53 domains, listed in Appendix A, highlight a trend towards the use of NameCheap, Porkbun, REG.RU, and regway for domain registration that has persisted since mid-2022; a breakdown is shown in Figure 1. The reason for the preference for these registrars is unknown, but it is a useful metric when profiling candidate TAG-53 infrastructure.</p><p><img src="https://cms.recordedfuture.com/uploads/exposing_tag_53_credential_harvesting_infrastructure_for_russia_aligned_espionage_operations_figure_1_da7f4e49d7.png" alt="exposing_tag_53_credential_harvesting_infrastructure_for_russia_aligned_espionage_operations_figure_1.png"></p><p><strong>Figure 1: Breakdown of domain registrars used by TAG-53 since January 2022 (Source: Recorded Future)</strong></p><h5 id="autonomous-systems">Autonomous Systems</h5><p>Alongside the use of specific domain registrars is the use of particular autonomous systems: all domains collected under TAG-53 were found to reside in 10 autonomous systems, with a significant concentration in 2 Autonomous System Numbers (ASNs) linked to MIRhosting (AS52000) and Hostwinds (AS54290), as shown in Table 1 below.</p><table> <tbody> <tr> <td style="background-color:#000000;color:#ffffff;">ASN</td> <td style="background-color:#000000;color:#ffffff;">AS Name</td> <td style="background-color:#000000;color:#ffffff;">TAG-53 Domain Count</td> </tr> <tr> <td>AS52000</td> <td>MIRhosting</td> <td>11</td> </tr>
<tr> <td>AS54290</td> <td>HOSTWINDS</td> <td>10</td> </tr> <tr> <td>AS44094</td> <td>WEBHOST1-AS</td> <td>4</td> </tr> <tr> <td>AS62240</td> <td>Clouvider</td> <td>4</td> </tr> <tr> <td>AS62005</td> <td>BV-EU-AS</td> <td>3</td> </tr> <tr> <td>AS44477</td> <td>STARK-INDUSTRIES</td> <td>2</td> </tr> <tr> <td>AS16276</td> <td>OVH</td> <td>1</td> </tr> <tr> <td>AS20278</td> <td>NEXEON</td> <td>1</td> </tr> <tr> <td>AS206446</td> <td>CLOUDLEASE</td> <td>1</td> </tr> <tr> <td>AS43624</td> <td>STARK-INDUSTRIES-SOLUTIONS-AS</td> <td>1</td> </tr> </tbody> </table> <br /><p><strong>Table 1: ASN detail breakdown for TAG-53 linked domains (Source: Recorded Future)</strong></p><h5 id="domain-name-structure">Domain Name Structure</h5><p>Most of the domains discovered via TAG-53 tracking use similarly structured domain names, primarily made up of 2 terms separated by a hyphen, such as cloud-safety[.]online. Of the 38 domains identified, 33 used the stylistic form <code>&lt;word&gt;-&lt;word&gt;.(com|online|ru)</code>. Of the remaining 5 domains, 4 were found to be similar but consisted of 3 terms and 2 hyphens (share-drive-ua[.]com, network-storage-ltd[.]com, land-of-service[.]com, and nonviolent-conflict-service[.]com), and 1 contained no hyphens (proxycrioisolation[.]com).
However, additional factors enabled Insikt Group to link these domains to the rest of TAG-53's infrastructure.</p><p>A breakdown of the terms found in TAG-53 domains, shown in Figure 2, highlights the repeated use of specific words within the domains, most of which are common, generic computing terms.</p><p><img src="https://cms.recordedfuture.com/uploads/exposing_tag_53_credential_harvesting_infrastructure_for_russia_aligned_espionage_operations_figure_2_6a937c5eb7.png" alt="exposing_tag_53_credential_harvesting_infrastructure_for_russia_aligned_espionage_operations_figure_2.png"></p><p><strong>Figure 2: Breakdown of terms used in TAG-53 linked domains (Source: Recorded Future)</strong></p><h5 id="x509-tls-certificates">X.509 TLS Certificates</h5><p>All identified TAG-53 domains were found to host corresponding X.509 TLS certificates issued by Let's Encrypt, an example of which is shown in Figure 3. The prevalent use of Let's Encrypt TLS certificates allows for further correlations between TAG-53 domains and infrastructure, strengthening the clustering of this activity.</p><p><img src="https://cms.recordedfuture.com/uploads/exposing_tag_53_credential_harvesting_infrastructure_for_russia_aligned_espionage_operations_figure_3_0c8dfcf51e.png" alt="exposing_tag_53_credential_harvesting_infrastructure_for_russia_aligned_espionage_operations_figure_3.png"></p><p><strong>Figure 3: Partial X.509 TLS certificate for drive-globalordnance[.]com (Source: <a href="https://crt.sh/?id=7672587577">crt.sh</a>)</strong></p><h5 id="targeting-and-victimology">Targeting and Victimology</h5><p>Of the 38 discovered domains, 9 contained references to potential target organizations or organizations that TAG-53 may be attempting to masquerade as, shown in Table 2.
The reason behind the use of these themed domains is not fully understood beyond the likely attempt to emulate real entities in order to appear more legitimate to potential targets and victims.</p><table> <tbody> <tr> <td style="background-color:#000000;color:#ffffff;">TAG-53 Domain</td> <td style="background-color:#000000;color:#ffffff;">Suspected Target/Masquerade</td> <td style="background-color:#000000;color:#ffffff;">Industry Vertical</td> </tr> <tr> <td>umopl-drive[.]com</td> <td>UMO Poland</td> <td>Aerospace and Defense: Hardware/Weaponry</td> </tr> <tr> <td>drive-globalordnance[.]com</td> <td>Global Ordnance</td> <td>Aerospace and Defense: Hardware/Weaponry</td> </tr> <tr> <td>sangrail-share[.]com</td> <td>Sangrail LTD</td> <td>Aerospace and Defense: Military & Civilian Intelligence</td> </tr> <tr> <td>dtgruelle-us[.]com</td> <td rowspan="2">DTGruelle</td> <td rowspan="2">Logistics</td> </tr> <tr> <td>dtgruelle-drive[.]com</td> </tr> <tr> <td>cija-docs[.]com</td> <td>The Commission for International Justice and Accountability (CIJA)</td> <td>NGO: Armed Conflict Crime Investigations</td> </tr> <tr> <td>blueskynetwork-shared[.]com</td> <td>Blue Sky Network</td> <td>Telecommunications: Satellite</td> </tr> <tr> <td>dns-mvd[.]ru</td> <td rowspan="2">The Ministry of Internal Affairs of the Russian Federation (MVD)</td> <td rowspan="2">Government: Russian Ministry of Internal Affairs</td> </tr> <tr> <td>mvd-redir[.]ru</td> </tr> </tbody> </table> <br /><p><strong>Table 2: Suspected targets/masquerades of TAG-53 linked domains (Source: Recorded Future)</strong></p><p>Analysis of the 9 domains reveals that 7 share a focus around industry verticals that would likely be of
interest to Russia-nexus threat groups, especially in light of the war in Ukraine. The 2 outlier domains are probably intended to masquerade as the Ministry of Internal Affairs of the Russian Federation (MVD).</p><h5 id="credential-harvesting">Credential Harvesting</h5><p>The TAG-53 domain drive-globalordnance[.]com includes a spoofed sign-in page for the legitimate company Global Ordnance, a military weapons and hardware supplier in the US. The spoofed sign-in page, shown in Figure 4, uses Global Ordnance branding and is suspected to be used for follow-on credential harvesting after a target has been phished. It is unclear whether Global Ordnance is the intended target of this attempted credential harvesting operation or whether TAG-53 is using a Global Ordnance-styled domain and spoofed sign-in page to masquerade as a legitimate entity in order to target other victims.</p><p><img src="https://cms.recordedfuture.com/uploads/exposing_tag_53_credential_harvesting_infrastructure_for_russia_aligned_espionage_operations_figure_4_aa075fc12f.png" alt="exposing_tag_53_credential_harvesting_infrastructure_for_russia_aligned_espionage_operations_figure_4.png"></p><p><strong>Figure 4: TAG-53 Global Ordnance spoofed sign-in page (Source: URLScan)</strong></p><h4 id="mitigations">Mitigations</h4><p>Users should take the following measures to detect and mitigate activity associated with TAG-53:</p><ul><li>Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on, and upon review consider blocking, connection attempts to and from the external IP addresses and domains listed in the appendix.</li><li>Recorded Future proactively detects malicious server configurations and provides means to block them in the Command and Control Security Control Feed. The Command and Control Feed includes tools used by TAG-53 and other Russian state-sponsored threat activity groups.
Recorded Future clients should alert on and block these C2 servers to allow for detection and remediation of active intrusions.</li><li>Users of the Recorded Future <a href="https://www.recordedfuture.com/platform/threat-intelligence">Threat Intelligence (TI)</a>, <a href="https://www.recordedfuture.com/platform/third-party-intelligence">Third-Party Intelligence</a>, and <a href="https://www.recordedfuture.com/platform/secops-intelligence">SecOps Intelligence</a> modules can monitor real-time output from Network Intelligence analytics to identify suspected targeted intrusion activity involving your organization or key vendors and partners.</li><li>Monitor for domain abuse, such as typosquat domains spoofing your organization, through the Recorded Future <a href="https://www.recordedfuture.com/platform/brand-intelligence">Brand Intelligence (BI)</a> module. The SecurityTrails extension is available to any customer that has a subscription to the Threat Intelligence or Brand Intelligence modules. The LogoType source and alerting are exclusive to the BI module, though the TI module does have access to the data via the Advanced Query Builder.</li><li>Recorded Future's Fraudulent Domains and Typosquats playbook explains how to triage typosquatting or similar domain alerts. If you have not yet set up your alerts, see activating certified alerts in the Intelligence Goals Library.</li></ul><h4 id="outlook">Outlook</h4><p>Insikt Group continues to track TAG-53 infrastructure and observe changes in TTPs as the group's credential harvesting operations diversify.
Notably, a consistent trend has emerged regarding the use of specifically tailored infrastructure by TAG-53, highlighting the long-term use of similar techniques in its strategic campaigns.</p><p>Readers should detect, block, and hunt for the indicators referenced in connection with TAG-53 reporting via the Recorded Future Platform in network monitoring, intrusion detection systems, firewalls, and any associated perimeter security appliances.</p><h4 id="appendix-a--indicators">Appendix A: Indicators</h4><h6 id="domains">Domains</h6><p>access-confirmation[.]com<br />allow-access[.]com<br />antibots-service[.]com<br />blueskynetwork-shared[.]com<br />botguard-checker[.]com<br />botguard-web[.]com<br />challenge-identifier[.]com<br />checker-bot[.]com<br />cija-docs[.]com<br />cloud-safety[.]online<br />cloud-us[.]online<br />dns-cache[.]online<br />dns-cookie[.]com<br />dns-mvd[.]ru<br />docs-web[.]online<br />drive-control[.]com<br />drive-globalordnance[.]com<br />drive-previewer[.]com<br />drive-us[.]online<br />dtgruelle-drive[.]com<br />dtgruelle-us[.]com<br />encompass-shared[.]com<br />filter-bot[.]com<br />goweb-protect[.]com<br />guard-checker[.]com<br />land-of-service[.]com<br />live-identifier[.]com<br />mvd-redir[.]ru<br />network-storage-ltd[.]com<br />nonviolent-conflict-service[.]com<br />proxycrioisolation[.]com<br />redir-document[.]com<br />response-filter[.]com<br />response-redir[.]com<br />sangrail-share[.]com<br />share-drive-ua[.]com<br />transfer-record[.]com<br />umopl-drive[.]com</p><h6 id="ip-addresses">IP Addresses</h6><p>23[.]254[.]201[.]243<br />45[.]66[.]248[.]9<br />45[.]86[.]230[.]198<br />45[.]153[.]229[.]79<br />64[.]44[.]101[.]31<br />77[.]91[.]126[.]16<br />77[.]91[.]126[.]35<br />77[.]91[.]126[.]46<br />77[.]91[.]126[.]62<br />77[.]91[.]126[.]64<br />77[.]91[.]126[.]66<br />77[.]91[.]126[.]69<br />77[.]91[.]69[.]109<br />85[.]239[.]53[.]210<br />85[.]239[.]60[.]18<br />85[.]239[.]61[.]49<br />85[.]239[.]61[.]86<br />138[.]124[.]187[.]143<br />138[.]124[.]187[.]222<br />142[.]11[.]209[.]171<br />142[.]11[.]209[.]180<br />142[.]11[.]210[.]53<br />146[.]19[.]230[.]182<br />146[.]59[.]102[.]76<br />185[.]164[.]172[.]128<br />185[.]164[.]172[.]220<br />185[.]179[.]188[.]73<br />185[.]179[.]189[.]32<br />185[.]179[.]189[.]43<br />185[.]179[.]189[.]45<br />192[.]119[.]65[.]114<br />192[.]119[.]97[.]190<br />192[.]119[.]112[.]249<br />192[.]129[.]154[.]225<br />192[.]236[.]195[.]114<br />192[.]236[.]193[.]194<br />193[.]200[.]17[.]102<br />195[.]246[.]110[.]45</p><h4 id="appendix-b--mitre-attck-techniques">Appendix B: MITRE ATT&amp;CK Techniques</h4><table> <tbody> <tr> <td style="background-color:#000000;color:#ffffff;">Tactic: Technique</td> <td style="background-color:#000000;color:#ffffff;">ATT&amp;CK Code</td> </tr> <tr> <td><b>Defense Evasion:</b> Masquerading</td> <td>T1036</td> </tr> <tr> <td><b>Reconnaissance:</b> Phishing for Information</td> <td>T1598</td> </tr> <tr> <td><b>Resource Development:</b> Stage Capabilities</td> <td>T1608</td> </tr> </tbody> </table> <br />]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2022_1202_Blog_Intelligence_Report_Main_Feature_bd18c12b17.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank]]></title>
            <link>https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank</link>
            <guid>https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank</guid>
            <pubDate>Tue, 29 Nov 2022 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group® reports on the tactics, techniques, and procedures (TTPs) used by TAG-56 in their recent targeting of a DC-based think tank.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editors Note: <a href="https://go.recordedfuture.com/hubfs/reports/cta-2022-1129.pdf">Click here</a> to download the report as a PDF.</em></p><p>This report covers threat activity that is highly likely related to a broader campaign led by a suspected Iran-nexus threat activity group, TAG-56. Insikt Group discovered this threat activity via threat-hunting techniques. This research is pertinent to individuals and organizations that cover Iranian cyber operations, IT security employees, members of think tanks, non-governmental organizations, journalists, and governments.</p><h4 id="executive-summary">Executive Summary</h4><p>In early November 2022, Insikt Group identified a phishing and follow-on credential theft attack highly likely led by an Iran-nexus threat activity group directed against the US-based Washington Institute think tank. The credential theft component masquerades as a Microsoft registration form for the 2022 Sir Bani Yas Forum hosted by the government of the United Arab Emirates (UAE). The threat activity is highly likely indicative of a broader campaign that makes use of URL shorteners to direct victims to malicious pages where credentials are stolen. This tradecraft is common among Iran-nexus advanced persistent threat (APT) groups like APT42 and Phosphorus.</p><p>Insikt Group identified 5 domains highly likely used to host credential theft pages. The credential theft examples associated with this research were submitted to urlscan throughout 2022. The most recent submission was from the UAE on November 3, 2022. As of this writing, it is highly likely that this threat activity is related to an ongoing campaign. 
Insikt Group tracks this activity under the temporary group designator TAG-56.</p><h4 id="threat-analysis">Threat Analysis</h4><h5 id="initial-discovery">Initial Discovery</h5><p>On November 3, 2022, Insikt Group identified a suspicious urlscan submission from a user in the UAE that returned a fake Microsoft registration form for the 2022 Sir Bani Yas Forum as noted in Figure 1. The intended target of the attack is a senior fellow of the Washington Institute, a US-based think tank focused on US foreign policy in the Near East. The submission data revealed that the victim likely received a spearphishing message that, when clicked, would redirect them to a URL with the apex domain name  mailer-daemon[.]net  where the spoofed registration page is hosted.</p><p><img src="https://cms.recordedfuture.com/uploads/suspected_iran_nexus_tag_56_uses_uae_forum_lure_for_credential_theft_against_us_think_tank_figure_1_f8743989cb.png" alt="suspected_iran_nexus_tag_56_uses_uae_forum_lure_for_credential_theft_against_us_think_tank_figure_1.png"></p><p><strong>Figure 1: Registration form purporting to be linked to the Sir Bani Yas Forum (Source: urlscan)</strong></p><p>The domain mailer-daemon[.]net was registered on October 11, 2022, via Namecheap and uses WHOIS privacy protection. The domain has resolved to 162.0.232[.]252 since October 11, 2022. The reverse DNS for 162.0.232[.]252 is web-hosting[.]com, which is associated with Namecheap&#39;s shared hosting services. </p><p>Insikt Group identified 4 further domains, listed in Table 1 below, which use an identical domain naming convention as mailer-daemon[.]net. All but 1 domain, mailer-daemon[.]org, use Namecheap&#39;s shared hosting services. The domain mailer-daemon[.]org was registered using GoDaddy. 
Open-source reporting <a href="https://noticeofpleadings.com/phosphorus/files/Motion%20for%20Temporary%20Sealing/2020-07-17%20ECF%2041-3%20-%20Microsoft%20Phosphorus%204th%20Supp%20TRO%20Proposed%20Order.pdf">reveals</a> similar domains, specifically mailerdaemon[.]me  and mailer-daemon-message[.]co, were used by members of the Phosphorus APT group to lead attacks throughout 2020 and 2021.</p><table><tbody>  <tr>    <td style="background-color:#000000;color:#ffffff;">Domain</td>    <td style="background-color:#000000;color:#ffffff;">IP Address</td>    <td style="background-color:#000000;color:#ffffff;">First Seen</td>    <td style="background-color:#000000;color:#ffffff;">Registrar</td>    <td style="background-color:#000000;color:#ffffff;">WHOIS Registration</td>  </tr>  <tr>    <td>mailer-daemon[.]online</td>    <td>198.54.115[.]217</td>    <td>23 November 2022</td>    <td>Namecheap</td>    <td>Privacy Protected</td>  </tr>  <tr>    <td>mailer-daemon[.]org</td>    <td>92.205.13[.]202</td>    <td>13 November 2022</td>    <td>GoDaddy</td>    <td>Privacy Protected</td>  </tr>  <tr>    <td>mailer-daemon[.]net</td>    <td>162.0.232[.]252</td>    <td>11 October 2022</td>    <td>Namecheap</td>    <td>Privacy Protected</td>  </tr>  <tr>    <td>mailer-daemon[.]me</td>    <td>199.188.200[.]217</td>    <td>31 May 2022</td>    <td>Namecheap</td>    <td>Privacy Protected</td>  </tr>  <tr>    <td>mailer-daemon[.]live</td>    <td>199.188.200[.]217</td>    <td>9 November 2021</td>    <td>Namecheap</td>    <td>Privacy Protected</td>  </tr></tbody></table><br /> <p><strong>Table 1: Domain names associated with TAG-56 threat activity (Source: Recorded Future)</strong></p><h6 id="the-fake-url-shortener">The Fake URL Shortener</h6><p>A fake URL shortener, tinyurl[.]ink, which spoofs the legitimate service TinyURL (tinyurl[.]com), was identified as part of our research. 
The fake URL shortener was used to <a href="https://urlscan.io/result/92e455f5-e1fd-449e-a189-951cef0072fa">deliver</a> a lure document  Iran nuke.docx  titled &quot;ANOTHER FLAWED IRAN DEAL AND THE NEXT PHASE OF US POLICY&quot;, which, as the title implies, concerns Iran&#39;s nuclear program. The document, shown in Figure 2, is benign and was likely used by the attackers to lower the precautionary behavior of the intended target. In a June 2022 report regarding an Iranian APT campaign that targeted US and Israeli government officials, Check Point Research <a href="https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives">noted</a> that benign documents were sent to targets to initiate conversations.</p><p><img src="https://cms.recordedfuture.com/uploads/suspected_iran_nexus_tag_56_uses_uae_forum_lure_for_credential_theft_against_us_think_tank_figure_2_55c79b8ba0.png" alt="suspected_iran_nexus_tag_56_uses_uae_forum_lure_for_credential_theft_against_us_think_tank_figure_2.png"></p><p><strong>Figure 2: Decoy document sent to intended targets (Source: <a href="https://tria.ge/221103-3r6c9sgha7/behavioral1">Tria.ge</a>)</strong></p><p>As part of the delivery of Iran nuke.docx, TAG-56 operatives used the fake URL shortener in conjunction with the legitimate shortening service tinyurl[.]com as depicted in Figure 3. The attack chain started with the operatives delivering a message using the legitimate URL shortener (tinyurl[.]com) against a suspected target; if the target clicked on the link, they were redirected to the spoofed equivalent (tinyurl[.]ink). Another <a href="https://urlscan.io/result/f36be5fd-7b56-4d1a-9346-0cf75cabeb8d">submission</a> to urlscan from Israel revealed that TAG-56 used tinyurl[.]com to engage with a suspected target using the mailer-daemon[.]live domain. 
At the time of analysis, mailer-daemon[.]live resolved to another IP address owned by Namecheap: 198.54.116[.]118.</p><p><img src="https://cms.recordedfuture.com/uploads/suspected_iran_nexus_tag_56_uses_uae_forum_lure_for_credential_theft_against_us_think_tank_figure_3_83ea38c5ee.png" alt="suspected_iran_nexus_tag_56_uses_uae_forum_lure_for_credential_theft_against_us_think_tank_figure_3.png"></p><p><strong>Figure 3: Observed redirects to Iran nuke document (Source: Recorded Future)</strong></p><p>We do not know how TAG-56 disseminated any of the links associated with this research, although it is highly likely that spearphishing, or potentially an encrypted chat platform, was used for delivery. Some Iran-nexus operators, such as those associated with APT42, have been known to send links directly to victims&#39; WhatsApp or Telegram accounts and engage in chats to manipulate them through social engineering.</p><table>    <tbody>      <tr>        <td style="background-color:#000000;color:#ffffff;">File Name</td>        <td style="background-color:#000000;color:#ffffff;">SHA256 Hash</td>        <td style="background-color:#000000;color:#ffffff;">URL</td>        <td style="background-color:#000000;color:#ffffff;">Last Modified</td>      </tr>      <tr>        <td>Iran nuke.docx</td>        <td>69eb4fca412201039105d86<br />2d5f2bf12085d41cb18a933<br />98afef0be8dfb9c229</td>        <td>hxxps[:]//tinyurl[.]ink/8tio97cy/Iran%20nuke.docx</td>        <td>28 February 2022</td>      </tr>    </tbody>    </table>    <br /><p><strong>Table 2: Information associated with Iran nuke.docx file (Source: Recorded Future and urlscan)</strong></p><p>As noted in Table 3, the domain tinyurl[.]ink has resolved to IP address 199.188.200[.]217 since it was registered via Namecheap in mid-December 2021; WHOIS privacy protections were again employed by TAG-56 operators.</p><table>    <tbody>      <tr>        <td style="background-color:#000000;color:#ffffff;">Domain</td>        <td 
style="background-color:#000000;color:#ffffff;">IP Address</td>        <td style="background-color:#000000;color:#ffffff;">First Seen</td>        <td style="background-color:#000000;color:#ffffff;">WHOIS Registration</td>      </tr>      <tr>        <td>tinyurl[.]ink</td>        <td>199.188.200[.]217</td>        <td>12 December 2021</td>        <td>Privacy Protected</td>      </tr>    </tbody>    </table>    <br /><p><strong>Table 3: URL shortener has been operational since mid-December 2021 (Source: Recorded Future)</strong></p><h6 id="server-configuration">Server Configuration</h6><p>The Namecheap server configuration of tinyurl[.]ink <a href="https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives">revealed</a> another notable overlap with threat activity reported by Check Point Research: the attackers used a shared web host provided by Namecheap to establish their infrastructure, an aspect of TAG-56&#39;s tactics, techniques, and procedures (TTPs) that was also observed in the campaign reported by Check Point Research. In that campaign, the attacker-controlled infrastructure also included a fake URL shortener, litby[.]us. This suggests that TAG-56 operators prefer to acquire purpose-built infrastructure as opposed to establishing their own.</p><p>Check Point researchers also <a href="https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives">noted</a> that the HTML of the URL shortener (litby[.]us) revealed direct links to a cluster of threat activity <a href="https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference">attributed</a> to the Phosphorus APT in 2020. 
The domain de-ma[.]online, underlined in Figure 4, has not had an active DNS A record since November 2020.</p><p><img src="https://cms.recordedfuture.com/uploads/suspected_iran_nexus_tag_56_uses_uae_forum_lure_for_credential_theft_against_us_think_tank_figure_4_1b2d79fa91.png" alt="suspected_iran_nexus_tag_56_uses_uae_forum_lure_for_credential_theft_against_us_think_tank_figure_4.png"></p><p><strong>Figure 4: HTML code revealing links to de-ma[.]online domain (Source: <a href="https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives">Check Point Research</a>)</strong></p><p>Insikt Group identified the likely reuse of code in the HTML of the Sir Bani Yas spoofed registration page. A JavaScript function specifically contains the hardcoded comparison <code>passwd.trim()==&quot;SaudiG20&quot;</code>, which is likely not related to the Sir Bani Yas forum and is more likely associated with the G20 meeting hosted by Saudi Arabia in 2020.</p><p><img src="https://cms.recordedfuture.com/uploads/suspected_iran_nexus_tag_56_uses_uae_forum_lure_for_credential_theft_against_us_think_tank_figure_5_694f9028d4.png" alt="suspected_iran_nexus_tag_56_uses_uae_forum_lure_for_credential_theft_against_us_think_tank_figure_5.png"></p><p><strong>Figure 5: Investigation of HTML revealed the &quot;SaudiG20&quot; value in a JavaScript function (Source: urlscan)</strong></p><p>The Sir Bani Yas forum spoofed login page also contained a <a href="https://urlscan.io/result/553a019d-f3fa-4c46-abe8-06aefe633b0b/#redirects">redirect</a> that included the string <code>continue-to-settings.php</code>. The same string was identified in another submission made to urlscan on August 6, 2021. 
This <a href="https://urlscan.io/result/5701e314-0218-4fc4-804e-ce9d64e3c86f/#summary">submission</a> revealed a malicious login page for Yahoo mail (another case of credential theft), but the apex domain used for the attack was continuetogo[.]me. This domain was <a href="https://blog.google/threat-analysis-group/countering-threats-iran">referenced</a> in a report by Google&#39;s Threat Analysis Group in October 2021 and is associated with APT35. Threat researchers from multiple cybersecurity vendors have previously <a href="https://cyware.com/news/charming-kitten-apt-adds-new-tools-and-tactics-to-its-arsenal-90a5f2fc">revealed</a> <a href="https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/old-cat-new-tricks.html">strategic</a> and <a href="https://vblocalhost.com/uploads/VB2021-Haeghebaert.pdf">technical</a> <a href="https://tweetdeck.twitter.com/ChicagoCyber/status/1567552130248056833/photo/1">overlaps</a> between APT35, Charming Kitten, TA453, and APT42 (along with its forerunner UNC788).</p><table>    <tbody>      <tr>        <td>hxxps[:]//continuetogo[.]me/Sec=Tab=settings/id=xxxxx=xxxxx/continue-to-settings.php<br />            hxxps[:]//mailer-daemon[.]net/file=sharing=system/file.id.X=xxxxxx/continue-to-settings.php</td>      </tr>    </tbody>    </table>    <br /><p><strong>Figure 6: Overlaps between 2 separate campaigns linked to APT35 (attributed by Google) and TAG-56 (Source: urlscan)</strong></p><h4 id="mitigations">Mitigations</h4><ul><li>Establish robust policies and carry out social engineering and anti-phishing awareness exercises to help detect and prevent attacks.</li><li>Use strong passwords and enable multi-factor authentication (MFA) where possible to limit the potential damage of credential theft.</li><li>Monitor for domain abuse, such as typosquat domains spoofing your organization, through the Recorded Future <a href="https://www.recordedfuture.com/platform/brand-intelligence">Brand Intelligence (BI)</a> module. 
The SecurityTrails extension is available to any customer that has a subscription to the Threat Intelligence (TI) or BI modules. The LogoType source and alerting are exclusive to the BI module, though the TI module does have access to the data via the Advanced Query Builder.</li><li>Cold-calling is a common method Iranian social engineering operators use to engage with victims. This includes direct messaging on social media platforms as well as on encrypted chats. Be on the lookout for signs of inauthentic or reused material and attempt to directly verify with the source when possible.</li><li>Recorded Future&#39;s Fraudulent Domains and Typosquats playbook explains how to triage typosquatting or similar domain alerts. If you have not yet set up your alerts, see activating certified alerts in the Intelligence Goals Library.</li></ul><h4 id="outlook">Outlook</h4><p>TAG-56 exhibits many of the known TTPs associated with groups like APT42 and Phosphorus. This includes the domain naming conventions associated with attacker-controlled infrastructure, the use of recycled code, and the intended victim of the credential theft operation. The use of recycled HTML code is presumably a recurrent aspect of TAG-56&#39;s tradecraft, which, despite the increased chance of detection by threat researchers, still likely provides the attackers sufficient return on investment not to warrant a shift in TTPs.</p><p>The victimology of the threat activity associated with APT42 and Phosphorus is widely reported in open sources (<a href="https://www.mandiant.com/media/17826">1</a>, <a href="https://vblocalhost.com/uploads/VB2021-Haeghebaert.pdf">2</a>, <a href="https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference">3</a>), as think tanks provide strategic-level information of intelligence value to their presumed handlers. 
The targeting overlap identified with TAG-56 supports our assessment that this threat cluster has strong overlaps with the aforementioned APT groups.</p><h4 id="appendix">Appendix</h4><h6 id="domains">Domains:</h6><p>mailer-daemon[.]net<br />mailer-daemon[.]online<br />mailer-daemon[.]me<br />mailer-daemon[.]org<br />mailer-daemon[.]live<br />de-ma[.]online<br />tinyurl[.]ink<br />litby[.]us</p><h6 id="ip-addresses">IP Addresses:</h6><p>92.205.13[.]202<br />162.0.232[.]252<br />198.54.116[.]118<br />198.54.115[.]217<br />199.188.200[.]217</p><h6 id="urls">URLs:</h6><p>hxxps[:]//mailer-daemon[.]net/file=sharing=system/file.id.x=xxxxxx/first.check.html<br />hxxps[:]//continuetogo[.]me/Sec=Tab=settings/id=xxxxx=xxxxx/continue-to-settings.php<br />hxxps[:]//mailer-daemon[.]net/file=sharing=system/file.id.X=xxxxxx/continue-to-settings.php<br />hxxps[:]//mailer-daemon[.]live/sec=file=sharing/check.id=xxxxxxxx=xxxxxx/index.php<br />hxxps[:]//tinyurl[.]ink/8tio97cy/Iran%20nuke.docx</p><h6 id="sha256-hash">SHA256 Hash:</h6><p>69eb4fca412201039105d862d5f2bf12085d41cb18a93398afef0be8dfb9c229</p><h6 id="file">File:</h6><p>Iran nuke.docx</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2022_1128_Blog_Intelligence_Report_Main_Feature_23915f7c4e.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Despite US Sanctions, Large-Scale Belt and Road Initiative Project in Cambodia Forges Ahead ]]></title>
            <link>https://www.recordedfuture.com/despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead</link>
            <guid>https://www.recordedfuture.com/despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead</guid>
            <pubDate>Tue, 29 Nov 2022 00:00:00 GMT</pubDate>
            <description><![CDATA[The 99-year development plan of Dara Sakor Seashore Resort, and work underway, indicates it may become a Chinese military asset to expand its power in SE Asia. ]]></description>
<content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em>Editor&#39;s Note: To read the entire analysis with footnotes, <a href="https://go.recordedfuture.com/hubfs/reports/ta-2022-1129.pdf">click here</a> to download the report as a PDF.</em></p><p>This report uses the Recorded Future Platform, satellite imagery, Chinese and Cambodian news sources, corporate records, and other publicly available information to assess progress on a Belt and Road Initiative (BRI) project in Cambodia that is led by a United States (US)-sanctioned company. This report specifically focuses on the development of this project since early 2018, when a report by the Center for Advanced Defense Studies (C4ADS) <a href="https://static1.squarespace.com/static/566ef8b4d8af107232d5358a/t/5ad5e20ef950b777a94b55c3/1523966489456/Harbored+Ambitions.pdf">documented</a> its then-current state, and since September 2020, when the US sanctioned the developer. This report will be of most interest to policymakers, journalists, and researchers interested in understanding developments along the BRI, China-led development in Cambodia, and the effects of American sanctions. Information about the author, Devin Thorne, can be found at the end of this report.</p><h4 id="executive-summary">Executive Summary</h4><p>US sanctions have failed to stop the development of new tourist facilities, basic infrastructure, and an international airport in a large-scale Belt and Road Initiative project in Cambodia. 
The project, known as the <a href="https://thepeoplesmap.net/project/cambodia-china-comprehensive-investment-and-development-pilot-zone-dara-sakor-seashore-resort">Cambodia-China Comprehensive Investment and Development Pilot Zone and Dara Sakor Seashore Resort</a> (hereafter, the Pilot Zone), began in 2008 and <a href="https://archive.ph/PvqZd">became</a> part of the Belt and Road Initiative in 2016. The Pilot Zone was originally led by the now-sanctioned Cambodia-based project lead, Union Development Group (UDG Cambodia), a close affiliate or subsidiary of China-based developer Tianjin Union Development Group (UDG Tianjin). Yet, in spite of US sanctions, development continues under a new company created in 2018 amid rising negative press and under new branding adopted after UDG Cambodia was sanctioned in late 2020. The new company and brand are almost certainly still closely linked to the original developers.</p><p>Around the time when UDG Cambodia was <a href="https://home.treasury.gov/news/press-releases/sm1121">sanctioned</a>, a major concern expressed by the US Treasury Department and other parts of the US government was the potential of the project to host Chinese military assets or even <a href="https://archive.ph/ztjHP">become</a> a military base. There is no specific evidence the Pilot Zone is being shaped for military purposes, and not even the first of 3 planned ports that could support Chinese warships is completed, making it unlikely to have such a function in the near future. However, China <a href="https://direct.mit.edu/isec/article-abstract/46/4/9/111175/Pier-Competitor-China-s-Power-Position-in-Global?redirectedFrom=fulltext">uses</a> commercial ports and port-city projects developed by Chinese companies to project naval power far from China&#39;s shores. 
Given the Pilot Zone&#39;s broad scope, <a href="http://www.coastalcitygroup.net">including</a> tourist resorts, <a href="https://archive.ph/GA9jL">industry parks</a>, medical facilities, and ports and an international airport large <a href="https://www.ft.com/content/23968248-43a0-11e6-b22f-79eb4891c97d">enough</a> to <a href="https://archive.ph/J9Wck">accommodate</a> military assets, and its 99-year development timeline, it is prudent to monitor the project&#39;s continuing progress.</p><h4 id="key-judgments">Key Judgments</h4><ul><li>Despite US sanctions, construction and other forms of development continue within the Pilot Zone, particularly at tourist attractions such as new shopping districts and the Dara Sakor International Airport.</li><li>Since early 2018, development in the zone has also focused on basic infrastructure such as establishing power and telecommunications and setting up partnerships to advance the non-tourism aspects of the Pilot Zone. </li><li>In addition to a 10,000-ton pier (port) for cruise liners and commercial goods that is said to be completed (though it almost certainly is not), plans for the Pilot Zone now include 2 additional ports, 1 of which will reportedly accommodate 100,000-ton vessels.</li><li>In mid-2018, a new company in the UDG family was created and now likely leads development of the Pilot Zone; originally called Union City Development Group Co. Ltd., this company adopted a new name, Coastal City Development Group Co., after UDG Cambodia was sanctioned.</li><li>Although the Pilot Zone is not overtly designed to provide logistical support to China&#39;s military, this potential cannot be dismissed as Chinese analysts continue espousing the use of commercial port and port-city developments to facilitate China&#39;s power projection.</li></ul><h4 id="a-controversial-project">A Controversial Project</h4><h5 id="sanctions-and-corruption">Sanctions and Corruption</h5><p>From the size of the land concession on which it sits, to the developer&#39;s treatment of local residents, to environmental concerns, the Pilot Zone has been stalked by controversy for over a decade. At 45,100 <a href="https://static1.squarespace.com/static/566ef8b4d8af107232d5358a/t/5ad5e20ef950b777a94b55c3/1523966489456/Harbored+Ambitions.pdf">hectares</a>, the Pilot Zone constitutes 20% of Cambodia&#39;s coastline and is 4.5 times the legal size of economic land concessions in Cambodia. Cambodian officials and international human rights bodies have <a href="https://archive.ph/UjFqW">expressed</a> <a href="https://home.treasury.gov/news/press-releases/sm1121">concern</a> about land disputes with Cambodians living in the zone. The US Treasury Department sanctioned project developer UDG Cambodia in September 2020 under the Global Magnitsky Human Rights Accountability Act, though some analysts <a href="https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/220614_Poling_Pariah_Partner.pdf?KmblgE_l1bKt42yaWwkrvRaw82aoIwdn">argue</a> this was primarily motivated by a desire to punish Cambodia for strategic alignment with China rather than concern about human rights. 
Regardless, the company remains sanctioned today (see <strong>Figure 2</strong>).</p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_1_f27a386449.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-1.png"></p><p><strong>Figure 1: The Pilot Zone and surrounding transport corridors (Source: <em><a href="https://archive.ph/KGDOQ">BeyondRealty Asia</a></em>)</strong></p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_2_549b228f0b.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-2.png"></p><p><strong>Figure 2: UDG Cambodia listed in the Specially Designated Nationals and Blocked Persons list administered by the Office of Foreign Assets Control of the US Treasury Department, accessed July 2022 (Source: <a href="https://sanctionssearch.ofac.treas.gov">OFAC</a>)</strong></p><p>Cambodian law <a href="https://opendevelopmentcambodia.net/topics/concessions/#return-note-73837-44">limits</a> economic land concessions to 10,000 hectares and stipulates that the same person or legal entity cannot hold several concessions that total more than 10,000 hectares. Moreover, economic land concessions are only supposed to be <a href="https://opendevelopmentcambodia.net/topics/state-private-land">granted</a> from state private land. The Pilot Zone&#39;s creation circumvented both of these requirements. Not only is the zone overlarge, it includes a portion of Cambodia&#39;s Botum Sakor National Park that was <a href="https://static1.squarespace.com/static/566ef8b4d8af107232d5358a/t/5ad5e20ef950b777a94b55c3/1523966489456/Harbored+Ambitions.pdf">converted</a> into concession-eligible land by a royal decree. 
Some sources <a href="https://cambodia.ohchr.org/~cambodiaohchr/sites/default/files/news/WebDOCs/2012/SR_report_on_ELC_Eng.pdf">say</a> the entirety of the original 36,000 hectares was carved from Botum Sakor National Park, driving concerns about <a href="https://www.policyforum.net/deforestation-in-cambodia">deforestation</a> in relation to the Pilot Zone&#39;s development.</p><p>How UDG Tianjin and UDG Cambodia managed to secure an economic land concession flouting both of the restrictions discussed above is unclear. When the US Treasury Department sanctioned UDG Cambodia, it <a href="https://home.treasury.gov/news/press-releases/sm1121">asserted</a> the company had manipulated its corporate identity as described above to acquire the Pilot Zone&#39;s land. This manipulation was first <a href="https://static1.squarespace.com/static/566ef8b4d8af107232d5358a/t/5ad5e20ef950b777a94b55c3/1523966489456/Harbored+Ambitions.pdf">documented</a> in a public report by former C4ADS analysts Devin Thorne and Ben Spevack. Using Cambodian corporate records, they showed how UDG Cambodia was initially registered as a foreign-owned Chinese firm but changed its status to that of a domestic Cambodian firm 1 year prior to signing the Pilot Zone&#39;s lease agreement with the Cambodian government. After the lease agreement was concluded, UDG Cambodia issued 1,000 shares valued at $1,000 USD each. All of these were purchased by UDG Tianjin in China. UDG Cambodia&#39;s chairperson at the time, a Cambodian national, was also replaced by a Chinese national with ties to UDG Tianjin&#39;s parent company. 
However, Thorne and Spevack noted that the purpose of this manipulation was unclear, given that there is no exception for Cambodian-owned businesses regarding the 10,000-hectare limit on economic land concessions.</p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_3_9cef16362c.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-3.png"></p><p><strong>Figure 3: Changes to the corporate record of UDG Cambodia (Source: <a href="https://static1.squarespace.com/static/566ef8b4d8af107232d5358a/t/5ad5e20ef950b777a94b55c3/1523966489456/Harbored+Ambitions.pdf">C4ADS</a>)</strong></p><p>In 2012, a report submitted to the United Nations General Assembly (UNGA) on the human rights situation in Cambodia by a Special Rapporteur on the situation of human rights in Cambodia <a href="https://cambodia.ohchr.org/~cambodiaohchr/sites/default/files/news/WebDOCs/2012/SR_report_on_ELC_Eng.pdf">expressed</a> concern over treatment of local citizens living within the Pilot Zone. It documents the relocation of approximately 1,000 families and the struggles they faced after relocation, including limited options for generating income and poor compensation for their repurposed land. It states that UDG Cambodia hired guards to control access to villages from which some residents refused to relocate. In 2015, such guards reportedly <a href="https://www.phnompenhpost.com/national/villagers-file-complaint-against-union-development-group-razing-crops-property">burned</a> crops and homes built by people on seemingly unused land. As late as 2017, the company reportedly <a href="https://www.phnompenhpost.com/national/chinese-firm-builds-fence-around-koh-kong-elc-while-families-refuse-move">constructed</a> fences around properties owned by a small number of residents still resisting relocation. 
In 2019, the representatives of 140 displaced families <a href="https://www.phnompenhpost.com/national/chinese-embassy-petitioned">protested</a> outside of the Chinese Embassy, requesting promised compensation that they reportedly had yet to receive. As of October 2021, some Cambodian families were still <a href="https://www.rfa.org/english/news/cambodia/land-10142021160422.html">refusing</a> compensation for their land, believing the compensation amounts to be unfair. In November 2021, more than 1,000 families <a href="https://cambojanews.com/while-hundreds-sign-final-offer-for-decade-plus-koh-kong-land-dispute-holdouts-remain">agreed</a> to a compensation package, but some continued to express dissatisfaction.</p><p>The US Treasury Department&#39;s press release announcing sanctions on UDG Cambodia further <a href="https://home.treasury.gov/news/press-releases/sm1121">asserted</a> the company used Cambodian military forces to intimidate local villagers and to clear out land necessary for developing the Pilot Zone. These military forces and UDG Cambodia reportedly used violent means, despite calls by the Cambodian Council of Ministers and United Nations Office of the High Commissioner for Human Rights for the company to stop such activities. The US Treasury Department&#39;s announcement further asserts that use of Cambodian military personnel was arranged through General <a href="https://www.hrw.org/news/2020/10/22/cambodia-hun-sen-and-his-abusive-generals">Kun Kim</a>, a former high-ranking military leader who has also been <a href="https://home.treasury.gov/news/press-releases/sm849">sanctioned</a> by the US government. 
Both the 2012 report to the UNGA and the US Treasury Department&#39;s press release also mention concerns regarding environmental degradation caused, or that could be caused, by the Pilot Zone&#39;s development.</p><h5 id="potential-military-use">Potential Military Use</h5><p>A recurring question posed by <a href="https://warontherocks.com/2019/05/hiding-in-plain-sight-chinese-expansion-in-southeast-asia">foreign analysts</a>, <a href="https://www.nytimes.com/2019/12/22/world/asia/cambodia-china-military-bases.html">news media</a>, <a href="https://static1.squarespace.com/static/566ef8b4d8af107232d5358a/t/5ad5e20ef950b777a94b55c3/1523966489456/Harbored+Ambitions.pdf">C4ADS&#39;s report</a>, and the <a href="https://archive.ph/ztjHP">US government</a> related to the Pilot Zone is whether it could host Chinese military assets in the future or otherwise support China&#39;s military activities in Southeast Asia. There is no specific evidence that the Pilot Zone is being designed as a military base or for military use, and Cambodian <a href="https://www.voanews.com/a/cambodia-says-beijing-backed-project-will-not-include-chinese-naval-base/4662652.html">officials</a> <a href="https://www.voacambodia.com/a/claims-port-will-be-Chinese-naval-base-unfounded-officials-say/4661805.html">deny</a> that such is a possibility. Still, <a href="https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?article=1005&context=cmsi-maritime-reports">theories</a> among military analysts in China regarding the role of commercial ports in extending China&#39;s military presence overseas, and the characteristics of infrastructure in the Pilot Zone, keep speculation alive, and make it prudent to keep an eye on the project. 
Adding fuel to such concerns, a likely Chinese military-model aerial drone was reportedly <a href="https://archive.ph/SXQ46">found</a> 7 kilometers outside of the Pilot Zone in January 2020.</p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_4_82b4f139b2.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-4.png"></p><p><strong>Figure 4: Mentions of the Pilot Zone as tracked in the Recorded Future Platform (Source: Recorded Future)</strong></p><p>Concerns regarding whether the Pilot Zone could be used by the Chinese military are informed by the value of dual-use commercial port and port-city infrastructure in supporting the logistics needs (replenishment, personnel and equipment transfer, etc.) of People&#39;s Liberation Army Navy (PLAN) warships operating far from China&#39;s shores. A major concept in this line of thinking is strategic strongpoints, which authoritative sources <a href="https://nuke.fas.org/guide/china/sms-2013.pdf">refer</a> to as locations that <a href="https://jamestown.org/program/strategic-strong-points-and-chinese-naval-strategy">provide</a> support for overseas military operations or act as a forward base for deploying military forces overseas. Researchers affiliated with the China Maritime Studies Institute <a href="https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?article=1005&context=cmsi-maritime-reports">find</a> that strategic strongpoints are often marked by Chinese-led port projects involving commercial and infrastructure projects with dual-use functions that can enable both economic and military activities. Such dual-use strongpoints are situated in strategic locations, such as along sea lines of communication or near maritime chokepoints. 
An assessment in the Massachusetts Institute of Technology&#39;s <em>International Security</em> journal asserts that commercial port facilities <a href="https://direct.mit.edu/isec/article-abstract/46/4/9/111175/Pier-Competitor-China-s-Power-Position-in-Global?redirectedFrom=fulltext">enable</a> considerable military logistics and intelligence capabilities in peacetime, though their utility in wartime is uncertain.</p><p>Not all Chinese-led commercial or infrastructure projects are strategic strongpoints. Given the Pilot Zone&#39;s current stage and state of development, it is unlikely to support PLAN operations in the short term. However, the Pilot Zone&#39;s characteristics and long development timeline mean it could evolve to meet the logistics needs of Chinese naval operations in Southeast Asia, such as around the Malacca Strait and into the Indian Ocean. Analysis <a href="https://static1.squarespace.com/static/566ef8b4d8af107232d5358a/t/5ad5e20ef950b777a94b55c3/1523966489456/Harbored+Ambitions.pdf">highlighted</a> by the C4ADS report from the China-based <em>Journal of International Security Studies</em> described a &quot;first civilian, later military&quot; approach to make [Chinese-owned] ports gradually possess the capability for offering logistical support to Chinese vessels and become China&#39;s strategic [strongpoints] in Southeast Asia to create an advantageous external environment for China&#39;s rise. Such an approach is seen in the multipurpose port and related infrastructure in Gwadar, Pakistan, which are being developed as part of the BRI&#39;s China-Pakistan Economic Corridor and are <a href="http://www.andrewerickson.com/wp-content/uploads/2020/08/CMSI_China-Maritime-Report_7_Gwadar-Chinas-Potential-Strategic-Strongpoint-in-Pakistan_Kardon-Kennedy-Dutton_20200801.pdf">viewed</a> by Chinese analysts as suited for evolution into a strategic strongpoint. 
Importantly, the Pilot Zone does not need to develop into a military base in the traditional sense to be useful for expanding the geographic scope of PLAN operations. Commercial ports can and have <a href="https://ndupress.ndu.edu/Portals/68/Documents/stratperspective/china/ChinaPerspectives-7.pdf">functioned</a> as pit stops to provide basic services such as refueling, provisioning, electrical power, and waste disposal for PLAN surface vessels.</p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_5_182cab33c7.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-5.png"></p><p><strong>Figure 5: The Pilot Zone in relation to Ream Naval Base with proposed and actual port positions. The outline of the Pilot Zone is based on official marketing materials but is not authoritative (Source: Google Earth, December 2020; Created by Insikt Group)</strong></p><p>Highlighting China&#39;s likely assessment that Cambodia&#39;s geographic position has strategic value, in June 2022 the Washington Post reported that China is <a href="https://www.washingtonpost.com/national-security/2022/06/06/cambodia-china-navy-base-ream">building</a> a naval facility for its exclusive use at Ream Naval Base in Preah Sihanouk province. The Pilot Zone is located roughly 35 nautical miles by sea and 180 miles by land from Ream Naval Base. When PLAN ships call at foreign ports, Chinese diplomatic missions and Chinese enterprises <a href="https://go.recordedfuture.com/hubfs/reports/ta-2022-0310.pdf">mobilize</a> to provide logistical support. While it is most likely that Chinese enterprises located in Sihanoukville would be enrolled to provide such support, it is also plausible that some general supply and equipment warehousing could occur in the Pilot Zone even if PLAN vessels call at Ream, or that companies from the zone could mobilize to provide support. 
Chinese military personnel have also <a href="https://ndupress.ndu.edu/Portals/68/Documents/stratperspective/china/ChinaPerspectives-7.pdf">noted</a> the role that commercial ports can play in accessing rest and entertainment and medical treatment, and the Pilot Zone will ultimately provide options for this type of activity regardless of where PLAN ships dock (if the zone&#39;s development continues according to plan).</p><p>The Pilot Zone&#39;s airport and ports are also large enough to support Chinese military assets, fueling concerns. Foreign analysts have <a href="https://archive.ph/J9Wck">observed</a> that the Pilot Zone&#39;s airport runway is about 3,400 meters long, which is longer than that of the international airport in Phnom Penh and could accommodate any plane in the Chinese air force. In fact, this is longer than Sihanouk International Airport&#39;s runway and those of China&#39;s dual-use military airfields on Woody Island and on Fiery Cross Reef in the South China Sea, as some <a href="https://warontherocks.com/2019/05/hiding-in-plain-sight-chinese-expansion-in-southeast-asia">observers</a> have pointed out. Yet others <a href="https://www.thedrive.com/the-war-zone/32182/satellite-imagery-doesnt-support-conclusion-that-new-cambodian-airfield-is-a-chinese-base">stress</a> this length is not uncommon at airports that will be able to accommodate airliners, especially in an area of the world that experiences high temperatures year-round. There are no other indications the airport is designed for military use.</p><p>Researchers further <a href="https://www.ft.com/content/23968248-43a0-11e6-b22f-79eb4891c97d">assessed</a> in 2016 that a 10,000-ton pier (port) within the Pilot Zone would be large enough to host Chinese frigates and destroyers. 
At approximately 207 meters in length, the dock, which sits in 11-meter-deep waters, could likely service 1 such vessel at a time based on the <a href="https://www.oni.navy.mil/Portals/12/Intel%20agencies/China_Media/2020_China_Recce_Poster_UNCLAS.jpg?ver=2020-02-19-081430-327">2019-2020 People's Liberation Army Navy (PLAN) Forces Recognition and Identification Guide</a> produced by the US Navy's Office of Naval Intelligence. As discussed below, however, the Pilot Zone is now envisioned to include 2 additional deep-water ports. Outside of the tourist areas, most of the Pilot Zone is still at the conceptual stage and there are conflicting reports about the specifications of these other 2 ports. Some sources <a href="https://archive.ph/zZVgp">claim</a> there will be 2 additional 10,000-ton ports, others <a href="https://archive.ph/14PHH">point</a> to a 100,000-ton general port, and some non-company materials <a href="https://thepeoplesmap.net/project/cambodia-china-comprehensive-investment-and-development-pilot-zone-dara-sakor-seashore-resort">claim</a> (without citation) that 1 of the additional ports will be a 2,000-ton port. In any case, it is likely that at least 1 of the additional ports will increase the amount of space that could theoretically be used by PLAN ships.</p><h4 id="the-project-continues">The Project Continues</h4><p>In spite of US sanctions and speculation regarding its potential for military use, the Pilot Zone has continued to develop since 2017. Basic infrastructure has expanded, new developments within the zone have been approved and begun construction, and the international airport inches closer to its grand opening. This work is now likely spearheaded by a new firm in the UDG family: Coastal City Development Group Co. (CCDG). 
This company initially formed under a different name just after C4ADS published its report in early 2018 but adopted the CCDG name after UDG Cambodia was sanctioned.</p><p>In March 2022, the China-based Global Times tabloid <a href="https://archive.ph/JO2J3">reported</a> that CCDG is now the project developer of the Pilot Zone on behalf of Chinese developer Union Development Group. Global Times does not specify UDG Tianjin or UDG Cambodia. Cambodian corporate records show that CCDG was initially established as Union City Development Group Co. Ltd. in July 2018. Insikt Group cannot say when plans to establish this company were formed, but its creation occurred several months after C4ADS's report was published, which likely stimulated <a href="https://archive.ph/ztjHP">additional</a> <a href="https://archive.ph/GLiSu">negative</a> <a href="https://www.businessinsider.com/r-in-cambodia-stalled-chinese-casino-resort-embodies-silk-road-secrecy-risks-2018-6">attention</a> directed toward the Pilot Zone amid ongoing <a href="https://archive.ph/VFh6y">coverage</a> of the longstanding land disputes.</p><p>In December 2020, just months after US sanctions were placed on UDG Cambodia, Union City Development in Cambodia changed its name to CCDG. The new identity distances this new member of the UDG family from the Union brand, though only in name. CCDG is <a href="https://archive.ph/II5g3">registered</a> as a foreign Chinese company according to the records of Cambodia's Ministry of Land Management, Urban Planning and Construction. Although it is a separate commercial entity, CCDG is almost certainly closely linked to UDG Cambodia and UDG Tianjin. With CCDG's creation, the primary tourism-oriented development area within the Pilot Zone is now called Coastal City, rather than Dara Sakor. This can be seen in the logos on UDG Cambodia's website (see <strong>Figure 7</strong>). This Coastal City logo also appears on CCDG's website. 
Highlighting the link between this CCDG and UDG Tianjin, the latter <a href="https://archive.ph/UTWeY">changed</a> its name to Tianjin Union City Development Group Co. in February 2022 (which is highly similar to CCDG's original name).</p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_6a_c73956025b.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-6a.png"><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_6b_1af80189a4.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-6b.png"></p><p><strong>Figure 6: CCDG corporate registration record showing name change in December 2020 (Source: Cambodian Ministry of Commerce, Department of Business Registration)</strong></p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_7a_8f73749cb5.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-7a.png"><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_7b_965d61c1a4.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-7b.png"></p><p><strong>Figure 7: The logo on UDG Cambodia's website in 2018 (left) as compared to the logo in 2022 (right) (Source: <a href="https://web.archive.org/web/20181214003408/http://www.union-groupcompany.com:80/webpage/ch/cms/index/index_1.shtml">UDG Cambodia 2018</a>; <a href="https://web.archive.org/web/20181214003408/http://www.union-groupcompany.com:80/webpage/ch/cms/index/index_1.shtml">UDG Cambodia 2022</a>)</strong></p><p>The overall plan for 
developing the Pilot Zone is largely the same as it was several years ago, but updated marketing materials use new names for some sub-projects in the Pilot Zone and provide additional details. The overall plan for the Pilot Zone now includes 3 primary divisions as listed below and shown in <strong>Figure 8</strong>. Each of these districts will be further subdivided into specialized zones and specific projects as depicted in earlier materials. In addition to the 10,000-ton <a href="https://web.archive.org/web/20220608112332/http://www.coastalcitygroup.net/StarSea.aspx?type=53">pier</a> (port) for cruise liners and commercial goods described in C4ADS's report, current plans further include a deep-water port in both Coastal City Future New District and Coastal City World Trade New District.</p><p>Marketing materials downloaded from CCDG's website show that current plans for the Pilot Zone also <a href="https://web.archive.org/web/20220608112322/http://www.coastalcitygroup.net/business.aspx?type=20">emphasize</a> "Smart City" features enabled by information technology to provide security for people, property, and technology. They also show that medical and wellness facilities, including multiple hospitals (the largest having 500 to 800 <a href="https://web.archive.org/web/20220608112346/http://www.coastalcitygroup.net/business.aspx?type=22">beds</a>), spa services and yoga providers, and access to Chinese traditional medicine, as well as education facilities, including a vocational school and an international school, remain part of the zone's vision. At least 1 marketing image, <a href="https://archive.ph/KGDOQ">hosted</a> on a realty website, suggests the Coastal City World Trade New District will include a "Permanent Site for [the] ASEAN Forum". 
It is important to note that while UDG Cambodia owns the lease and CCDG is now a major, perhaps leading, contributor in developing the Pilot Zone, many other companies are also, or will be, <a href="https://thepeoplesmap.net/project/cambodia-china-comprehensive-investment-and-development-pilot-zone-dara-sakor-seashore-resort">involved</a> as partners and investors. The future commercial ports could be operated by a company other than UDG Cambodia or CCDG.</p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_8_f6697422e8.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-8.png"></p><p><strong>Figure 8: Overall plan for the Pilot Zone from a CCDG marketing booklet published in 2022. Translations by Insikt Group (Source: <a href="http://www.coastalcitygroup.net/upload/file/2022-08-03/a7a9c41a-dd35-4817-ba47-40831cbc79de.pdf">CCDG</a>).</strong></p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_9_ab69c7abb9.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-9.png"></p><p><strong>Figure 9: Undated Pilot Zone area detail from CCDG, edited to accommodate translations by Insikt Group (Source: <a href="http://www.coastalcitygroup.net/upload/file/2021-08-18/e19de9cc-f904-4dde-a06b-0adde1a5d690.pdf">CCDG</a>)</strong></p><p>A comparison of the content of CCDG's <a href="https://web.archive.org/web/20220608112332/http://www.coastalcitygroup.net/StarSea.aspx?type=53">website</a>, Google Earth satellite imagery from late 2020, and mid-2022 satellite imagery acquired through SkyWatch with C4ADS's April 2018 report, satellite imagery from late 2017, and other <a href="https://archive.ph/MHcBd">sources</a> indicates that construction and development of the Pilot Zone is 
continuing (see <strong>Figure 10</strong>). Aside from the airport's construction, focus was very likely on <a href="https://web.archive.org/web/20220608112339/http://www.coastalcitygroup.net/business.aspx?type=24">establishing</a> power and telecommunications infrastructure as well as expanding the tourism projects of the Pilot Zone (see <strong>Figure 10</strong> and <strong>Figure 11</strong>).</p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_10_c47434bd75.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-10.png"></p><p><strong>Figure 10: Areas of development within the Pilot Zone in December 2017 and December 2020 (Source: Google Earth, December 2017, December 2020; Created by Insikt Group)</strong></p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_11_aad87f116a.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-11.png"></p><p><strong>Figure 11: Comparison of reported completed Pilot Zone development in 2017 and 2022 (Source: <a href="https://static1.squarespace.com/static/566ef8b4d8af107232d5358a/t/5ad5e20ef950b777a94b55c3/1523966489456/Harbored+Ambitions.pdf">C4ADS</a>; CCDG [<a href="https://web.archive.org/web/20220608112332/http://www.coastalcitygroup.net/StarSea.aspx?type=53">1</a>, <a href="https://web.archive.org/web/20220608112339/http://www.coastalcitygroup.net/business.aspx?type=24">2</a>]; <a href="https://archive.ph/MHcBd">UDG</a>; Google Earth)</strong></p><p>Since the September 2020 sanctions, work on the Pilot Zone has advanced in several areas. 
For example, the Tourism, Ecological, Marine and International (Temi) tourism city development project (also known as TEMI Mini Galaxy), which is reportedly <a href="https://archive.ph/p5H9r">valued</a> at more than $500 million USD, has seen significant new construction based on satellite imagery from December 2020 and July 2022 (see <strong>Figure 12</strong>). The land area around the Chhne Dara Chan cultural tourism hub project has also undergone significant development (see <strong>Figure 13</strong>). The airport is also now more complete than it was at the time the US imposed sanctions (see <strong>Figure 14</strong>).</p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_12b_00438194ed.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-12b.png"><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_12a_34195444a5.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-12a.png"><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_12c_8baabb1ed3.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-12c.png"><strong>Figure 12: Artistic rendering of the future TEMI Mini Galaxy (top), development in December 2020 (left), and development in July 2022 (right) (Sources: <a href="http://www.coastalcitygroup.net/upload/file/2022-04-28/9dd48756-973f-45bd-b5f7-8f8aef6d47a8.pdf">CCDG</a>; Google Earth, December 2020; Pleiades 0.5m, courtesy of SkyWatch)</strong></p><p><img 
src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_13a_4a9e4455a2.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-13a.png"><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_13c_65808578da.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-13c.png"><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_13b_d74b377353.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-13b.png"></p><p><strong>Figure 13: Artistic rendering of the future Chhne Dara Chan (top), development from December 2020 (left), and development as of February 2022 (right) (Sources: <a href="http://www.coastalcitygroup.net">CCDG</a>; Google Earth, December 2020; Pleiades 0.5m, courtesy of SkyWatch)</strong></p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_14a_f865df3fbe.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-14a.png"><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_14b_3c77d4708a.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-14b.png"></p><p><strong>Figure 14: Dara Sakor International Airport in December 2020 (left) and May 2022 (Sources: Google Earth, December 2020; Planet SkySat 0.5m, courtesy of SkyWatch)</strong></p><p>Other aspects of development are also moving forward despite sanctions. 
Examples include:</p><ul><li>In late November 2020, representatives of CCDG <a href="https://archive.ph/IpaR1-">promoted</a> investment opportunities related to the Pilot Zone and Coastal City Tourist Resort at the 17th China-ASEAN Expo under the company's original name (Union City Development Group).</li><li>In January and April 2021, CCDG <a href="https://web.archive.org/web/20220705201949/http://www.coastalcitygroup.net/business.aspx?type=21">signed</a> at least 3 cooperative agreements with universities and vocational colleges in China related to education and cultural exchange projects in the zone.</li><li>In March 2021, CCDG <a href="https://archive.ph/GA9jL">met</a> with China Construction Sixth Engineering Division Corporation and export credit insurer Sinosure; the 3 discussed development of the Pilot Zone's airport, ports, and industry parks, as well as project financing.</li><li>In March 2021, CCDG <a href="https://archive.ph/uqLTS">signed</a> a letter of intent for strategic cooperation with China-Africa TEDA Investment Co. Ltd. to develop industry real estate in the Pilot Zone.</li><li>In April 2022, Dara Sakor International Airport <a href="https://archive.ph/JmSli">passed</a> flight verification of its communications, navigation, and lighting equipment. Reports from November 2021 asserted the airport would open to commercial operations in mid-2022, but this schedule has been <a href="https://archive.ph/qG0CV">delayed</a>.</li><li>On June 7, 2022, CCDG began <a href="https://archive.ph/KPkYI">inviting</a> investors for an unspecified business street.</li></ul><p>However, one aspect of the Pilot Zone does not appear to have progressed: port construction. 
CCDG's website <a href="https://web.archive.org/web/20220608112332/http://www.coastalcitygroup.net/StarSea.aspx?type=53">lists</a> a "10,000-ton travel-commercial goods dual-use pier" [port] as completed, but the appearance of this port in satellite imagery from mid-2022 is largely the same as its appearance in late 2017 and late 2020. The pier itself looks to be in better condition than in previous years, possibly more complete, but the shore area remains underdeveloped. Some parts of the website <a href="https://web.archive.org/web/20220608112339/http://www.coastalcitygroup.net/business.aspx?type=24">reference</a> a 20,000-ton cruise liner port as also having been completed, but this is likely a misrepresentation of the aforementioned 10,000-ton pier (port). Insikt Group did not identify new construction on the 2 additional deep-water ports now planned for the zone.</p><p><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_15a_c5b2818651.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-15a.png"><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_15b_ad8e2da270.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-15b.png"><img src="https://cms.recordedfuture.com/uploads/despite_us_sanctions_large_scale_belt_and_road_initiative_project_in_cambodia_forges_ahead_figure_15c_0eac3710fa.png" alt="despite-us-sanctions-large-scale-belt-and-road-initiative-project-in-cambodia-forges-ahead-figure-15c.png"></p><p><strong>Figure 15: The 10,000-ton pier (port) in January 2017 (top), July 2020 (left), and May 2022 (right) (Sources: Google Earth, January 2017, July 2020; Planet SkySat 0.5m, courtesy of SkyWatch)</strong></p><h4 id="outlook">Outlook</h4><p>When discussing China's military 
power projection, many news reports and commentaries <a href="https://foreignpolicy.com/2021/07/07/china-pla-military-bases-kiribati-uae-cambodia-tanzania-djibouti-indo-pacific-ports-airfields">focus</a> on the concept of a military base. This evokes images of China building a series of permanent installations with hardened facilities similar to those of the US. Although there are differing assessments as to whether China is seeking or will, under certain conditions, seek to establish formal military bases beyond its current <a href="https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?article=1005&context=cmsi-maritime-reports">logistics base</a> in Djibouti, China is very likely to continue <a href="https://direct.mit.edu/isec/article-abstract/46/4/9/111175/Pier-Competitor-China-s-Power-Position-in-Global?redirectedFrom=fulltext">employing</a> a <a href="https://ndupress.ndu.edu/Portals/68/Documents/stratperspective/china/ChinaPerspectives-7.pdf">pit stop</a> model that <a href="https://ndupress.ndu.edu/Portals/68/Documents/Books/beyond-borders/990-059-NDU-PLA_Beyond_Borders_sp_jm14.pdf">uses</a> commercial port facilities to support the military logistics needs of operations other than war. The US government sanctioned UDG Cambodia in 2020 in part because it was concerned the Pilot Zone could <a href="https://home.treasury.gov/news/press-releases/sm1121">host</a> Chinese military assets. However, the sanctions have failed to stop progress in the zone. While not all Chinese port and port-city projects will become strategic strongpoints or otherwise be used for military purposes, the Pilot Zone's location and its envisioned, or actual, features point to this possibility. As such, continued monitoring of progress and activities within the zone is warranted.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2022_1128_Blog_Intelligence_Report_Main_Feature_23915f7c4e.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Myanmar Coup and Internet Censorship Pushes Civilians to Underground Forums, Dark Web]]></title>
            <link>https://www.recordedfuture.com/myanmar-internet-censorship-dark-web</link>
            <guid>https://www.recordedfuture.com/myanmar-internet-censorship-dark-web</guid>
            <pubDate>Sun, 08 May 2022 00:00:00 GMT</pubDate>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_a86eedc2e6.png" alt="insikt-group-logo-updated-3.png"></p><p><em><strong>Editor's Note</strong>: The following post is an excerpt of a full report. To read the entire analysis, <a href="https://cta-redirect.hubspot.com/cta/redirect/252628/b3dac6ae-8ba3-470a-9e8e-58f1f2ca344b">click here</a> to download the report as a PDF.</em></p><p><em>This report introduces international readers to the current geopolitical situation in Myanmar, including but not limited to the military coup and effective takeover of the government in Myanmar, violent crackdowns on pro-democracy protesters, limitations and forced blackouts of internet service within Myanmar, and the effects of these crackdowns. The focus of the analysis is on the change in internet use among the population of Burmese civilians, the change in the internet landscape, and the overall trends, including the use of encrypted messaging applications and access to the underground web, also known as the dark web. 
Insikt Group used the Recorded Future Platform, proprietary tools and sourcing, as well as open sources such as international news, global non-governmental organization statements, and social media accounts of the incidents occurring in Myanmar.</em></p><p><em>To protect the people of Myanmar from further persecution and violence, this report does not reveal sensitive details and forum links where the pro-democracy groups collaborate and share information.</em></p><h3 id="executive-summary">Executive Summary</h3><p>On February 1, 2021, the Myanmar military staged a government coup, arresting the democratically elected leader, Daw Aung San Suu Kyi, as well as other members of her National League for Democracy (NLD). Min Aung Hlaing, the leader of the military junta, stated that the November 8, 2020 election was fraudulent and that Aung San Suu Kyi and her elected party members were not the rightful leaders of the country. Hlaing imposed a 1-year state of emergency which would be followed by another election. The detainment of Aung San Suu Kyi, a popular figure within Myanmar and a symbol for Myanmar's democracy, has led to mass protests by her supporters, with thousands of individuals taking to the streets to protest against her arrest, and other individuals taking part in the Civil Disobedience Movement (CDM). The protesters have been in direct conflict with security forces, and there has been escalating violence and use of force by the military in recent weeks, with over 200 civilians <a href="https://www.irrawaddy.com/news/myanmars-sunday-protest-fatalities-break-record-total-death-toll-exceeds-130.html">reported</a> killed and over 2,100 detained. The military has also imposed strict rules, such as curfews and censorship laws, aimed at preventing the mass coordination of protests within the country. The initial days of the military coup saw the shutdown of Myanmar's internet entirely and the ban of many popular social media applications such as Facebook. 
While Facebook and other social media applications have since been reinstated, there are still nightly blackouts imposed by the military during which Burmese are unable to access the internet. The military censorship has not deterred Burmese from finding alternatives to amplify their pro-democracy messaging, with many turning to alternative media sources, underground networks, and downloaded tools to bypass censorship restrictions.</p><div class="content-box-summary"><h3 id="key-judgements">Key Judgements</h3><ul><li>Myanmar's military takeover of internet and telecommunications, and subsequent internet censorship, has led to a sharp increase in dark web use by Myanmar citizens looking to circumvent government restrictions.</li><li>Pro-democracy protesters and activists within Myanmar have migrated from social media platforms to fringe communication platforms in an effort to circumvent censorship.</li><li>Hacktivist groups are driving efforts to raise awareness of alternative technology to circumvent government controls and organize pro-democracy gatherings.</li><li>Foreign influence will play a large role in the future of the Myanmar government and its people, including that of China, the US, and the UN.</li></ul></div><p><em><strong>Editor's Note</strong>: This post was an excerpt of a full report. 
To read the entire analysis, <a href="https://cta-redirect.hubspot.com/cta/redirect/252628/b3dac6ae-8ba3-470a-9e8e-58f1f2ca344b">click here</a> to download the report as a PDF.</em></p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/myanmar_internet_censorship_dark_web_121a1f4572.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[A New Cyber Insurance Model: Continuous Control Validation Report]]></title>
            <link>https://www.recordedfuture.com/new-cyber-insurance-model-continuous-control-validation</link>
            <guid>https://www.recordedfuture.com/new-cyber-insurance-model-continuous-control-validation</guid>
            <pubDate>Tue, 01 Feb 2022 00:00:00 GMT</pubDate>
            <content:encoded><![CDATA[<p><em><strong>Editor's Note</strong>: The following post is an excerpt of a full report. To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/new-cyber-insurance-model.pdf">click here</a> to download the report as a PDF.</em></p><p>Insurance is a historical lever for hedging risk that dates to the ancient world. Few modern-day objects or events prove incapable of being protected, as insurance companies devise policies for personal (home, auto, life, umbrella, etc.) and commercial (lawsuits, employee injury, unexpected events, etc.) coverage to reduce the probability of monetary loss. However, consumer choice in private insurance markets requires a profitable business model. Accordingly, insurance companies have determined profitable formulas for pricing risk, which are codified in actuarial tables.</p><p>Conversely, cyber insurance policies have proven difficult to appropriately price, as evidenced by mounting insurance industry losses. Cyber insurance emerged at the end of the twentieth century, and demand for coverage accelerated in the first two decades of the twenty-first century as cyber threats matured and proliferated. Most recently, Ransomware-as-a-Service has proven to be an exceptionally successful criminal monetization model, driving increased demand for risk mitigation strategies that include cyber insurance. Thomas Johansmeyer encapsulates the current situation: "So, prices are low, and the risk is high. 
This dynamic has negatively influenced the market's ability to continue to grow at its previous aggressive rate, and has led to a profound shortage of cyber insurance." Interviews with an insurance broker, insurers, and Recorded Future clients confirm that the cyber insurance market is experiencing an aggressive contraction. Businesses are facing significantly higher premiums to obtain and renew cyber insurance policies with coverage parity. One company shared the prospect of employing ten different insurers to renew a policy with $100M of aggregate coverage. Demand is outstripping available supply as insurers exit the market. The U.S. Government Accountability Office confirmed these trends: "The extent to which cyber insurance will continue to be generally available and affordable remains uncertain. Despite the upward trend in take-up rates to date, insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors such as health care and education for the public-sector entities, according to the Council of Insurance Agents and Brokers, Marsh McLennan, and A.M. Best."</p><p>Losing access to private market cyber insurance is a threat to businesses and a disservice to the public interest, similar to personal flood or fire coverage in disaster-prone areas. Even if governments must intervene with additional capital (becoming the insurers of last resort) or improved governance, taxpayers deserve a better model for insuring cyber risk. 
Certainly, reinsurers play a significant role in market liquidity, but even they "face [sic] structural challenges and systemic risks, the increase in cyber-attacks, and an accumulation of exposures. These could include the nonaffirmative exposures we refer to as Silent Cyber." The risks remain opaque for insurers and reinsurers due to the difficulty of international cyber-attack attribution and the complexity of technical business operating environments. Further, technical control efficacy frequently changes, leaving point-in-time assessments lacking and traditional underwriters dependent on third-party auditing services that provide only partial exposure visibility. An improved underwriting model is required to restore insurer faith in risk exposure and expand the global cyber insurance market to the benefit of the global economy.</p><p><em><strong>Editor's Note</strong>: This post is an excerpt of a full report. To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/new-cyber-insurance-model.pdf">click here</a> to download the report as a PDF.</em></p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/new_cyber_insurance_model_continuous_control_validation_ab9986cb76.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[China Propaganda Network Targets BBC Media, UK in Influence Campaign]]></title>
            <link>https://www.recordedfuture.com/china-propaganda-targets-bbc-uk</link>
            <guid>https://www.recordedfuture.com/china-propaganda-targets-bbc-uk</guid>
            <pubDate>Wed, 18 Aug 2021 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future’s Insikt Group has discovered a large-scale, likely state-sponsored influence operation against the British Broadcasting Corporation (BBC) and the United Kingdom (UK). The campaign involves hundreds of websites and social media accounts and thousands of comments across state-affiliated news sources, fake news websites, and Chinese and Western social media platforms. China’s state-affiliated media and Chinese Communist Party (CCP) officials have recently increased their criticism of the UK and the BBC in response to a recent BBC report revealing that Beijing’s top propaganda outlets are incentivizing foreigners, called “stringers”, to create pro-China social media influence]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_logo_blog_bc7d178f60.png" alt="insikt-logo-blog.png"></p><p>Recorded Future's Insikt Group has discovered a large-scale, likely state-sponsored influence operation against the British Broadcasting Corporation (BBC) and the United Kingdom (UK). The campaign involves hundreds of websites and social media accounts and thousands of comments across state-affiliated news sources, fake news websites, and Chinese and Western social media platforms. China's state-affiliated media and Chinese Communist Party (CCP) officials have recently increased their criticism of the UK and the BBC in response to a recent <a href="https://www.bbc.com/news/world-asia-china-57780023">BBC report</a> revealing that Beijing's top propaganda outlets are incentivizing foreigners, called "stringers", to create pro-China social media influence. To counter the BBC's allegations, these propaganda accounts have taken to social media to criticize the BBC's journalistic integrity, accusing it of using an "underworld filter" or "gloom filter" on photos and video of China to make the country look lifeless, dull, and sad to foreign audiences. The BBC adamantly <a href="https://www.bbc.com/news/world-asia-china-56030340">denies</a> these accusations.</p><p>There have been over 11,000 references to the Mandarin-language term for "gloom filter" across open sources in the past 6 months, with over half of them occurring in the last 30 days. English-language mentions of "BBC underworld filter" have also spiked over the past several weeks, totaling over 56,300 in 6 weeks. Since the stringers started spreading Chinese propaganda, English-language references to the gloom filter have increased dramatically, as shown in Figure 1. 
We are confident that this uptick results from recent pro-China influencers amplifying the gloom filter theory.</p><p><img src="https://cms.recordedfuture.com/uploads/china_propaganda_targets_BBC_UK_1_1_4a3d3ba9a4.png" alt="china-propaganda-targets-BBC-UK-1-1.png"><em><strong>Figure 1:</strong> Timeline of references to "gloom filter" in social media, by language (Source: Recorded Future)</em></p><p>Insikt Group has observed these <a href="https://www.bbc.com/news/world-asia-china-57780023">influencers, or stringers</a>, on various English- and Mandarin-language sources defending China against accusations of human rights abuses and authoritarian control, and attacking Western reporting on China that contains negative sentiment.</p><p>On July 19, 2021, China's Ministry of Foreign Affairs spokesperson Zhao Lijian asserted across social media that the BBC edited the color out of a photo of a popular British pro-China social media influencer named Jason Lightfoot, who also goes by the moniker "Living In China". One post stated, "#GloomFilter comes again! It could be accounted as one of BBC's familiar supernatural skills, to turn a green and prosperous city into a grey desolation." On his <a href="https://www.youtube.com/user/JasonLightfoot">YouTube channel</a>, which has over 157,000 followers, Lightfoot shared a before-and-after photo of himself from the July BBC report that he claims had a gloom filter applied to make China look dull and colorless in the background.</p><p><img src="https://cms.recordedfuture.com/uploads/china_propaganda_targets_BBC_UK_2_1_cfa3ee4cb0.png" alt="china-propaganda-targets-BBC-UK-2-1.png"><em><strong>Figure 2:</strong> Disputed photo of Jason Lightfoot, as presented by Chinese news company CGTN</em></p><p>This claim is often accompanied by other criticisms of the BBC network and its reporters, accusing them of trying to make China look bad to the rest of the world through biased reporting and photo editing. 
This accusation was amplified across multiple English-language and Mandarin-language social media accounts and then shared by hundreds of PRC state-affiliated media, fringe media sites, and other pro-China stringers or influencers. Additionally, the so-called "BBC underworld filter" has been criticized in hundreds of videos throughout 2021 on popular video sites such as bilibili[.]com, CCTV, TikTok, and YouTube, with notable spikes in negative sentiment throughout July 2021.</p><h4 id="china-attempts-to-discredit-the-bbc-and-the-uk">China Attempts to Discredit the BBC and the UK</h4><p>On December 10, 2020, the BBC released a video titled <a href="https://www.bbc.com/news/av/world-asia-china-55253182">Covid-19: How everyday life has changed in Wuhan</a>, depicting how life for citizens of Wuhan, China, has changed since the outbreak of COVID-19 in late 2019. On January 18, 2021, the BBC also produced a documentary titled <a href="https://www.bbc.com/news/av/world-asia-55681744">COVID-19: The Road Back to Wuhan</a>, which documented how Wuhan has since recovered, socially and economically. Both of these videos were criticized by China's top spokespersons, state-affiliated media, and subsequently China's social media following, as being digitally altered in <a href="https://www.globaltimes.cn/page/202102/1215710.shtml">a deliberate attempt to misguide viewers and discredit China</a>. By February 2021, the narrative had spread throughout all aspects of Chinese media: the BBC is anti-China. The accusations are sourced only to Chinese netizens, with no evidence of the source for the before-and-after photos presented in the media. 
Reports from state-affiliated media outlets such as <a href="https://www.globaltimes.cn/page/202102/1215710.shtml">Global Times</a> state that an anonymous citizen made an observation, "Is it just me or are you using some kind of filter to make the colors in this video look old and give us a sense of the city looking poor?" The comment received hundreds of likes and sparked a large-scale social media campaign spreading the message of the gloom filter.</p><p>On February 10, 2021, China <a href="https://www.bbc.com/news/world-asia-china-56030340">banned</a> BBC World News from broadcasting within the country. China's National Radio and Television Administration (NRTA) based the decision on internal findings that BBC World News reports about China "seriously violated" broadcast guidelines, including "the requirement that news should be truthful and fair" and not "harm China's national interests". However, BBC World News was already largely unavailable to the common Chinese audience, appearing only in international hotels and some diplomatic compounds. British Foreign Secretary Dominic Raab responded publicly to the move, calling it "an unacceptable curtailing of media freedom" and noting that China "has some of the most severe restrictions on media &amp; internet freedoms across the globe, &amp; this latest step will only damage China's reputation in the eyes of the world." 
The United States (US) State Department also commented on the situation, calling it part of a wider campaign to suppress free media in China.</p><p><img src="https://cms.recordedfuture.com/uploads/china_propaganda_targets_BBC_UK_3_1_08c6e1ead4.png" alt="china-propaganda-targets-BBC-UK-3-1.png"><em><strong>Figure 3:</strong> China state-affiliated media accusation of BBC "gloom filter" (Source: Global Times)</em></p><p>Throughout June and July 2021, China's foreign ministry spokesperson Hua Chunying shared images on social media that criticize the US, the UK, and Canada for alleged human rights abuses of the past. The image (Figure 3), created by Global Times and sourced from media reports, shows the name of the nation at the top, accompanied by the corresponding flag, and lists statistics on discrimination against ethnic groups (allegedly compiled by Clear View Research), incompetence in handling COVID-19, and violent treatment of civilians. The image was accompanied by a strong message shaming Western nations for interfering in China's affairs, almost certainly referring to the imposition of <a href="https://www.bbc.com/news/world-europe-56487162">sanctions</a> on China for human rights violations in Xinjiang: "The #US, #Canada &amp;the #UK should feel ashamed for their blind eyes to their own shocking #humanrights records and sheer lies &amp;evil-purposed interference in China's internal affairs. Justice will prevail."</p><p><img src="https://cms.recordedfuture.com/uploads/china_propaganda_targets_BBC_UK_4_1_2f86b92625.png" alt="china-propaganda-targets-BBC-UK-4-1.png"><em><strong>Figure 4:</strong> China amplifying anti-UK message in state-affiliated social media and news</em></p><p>Hua Chunying's original social media post received nearly 1,200 likes and 350 shares. 
The post was also shared by the account of the Chinese embassy in the UK, where it received much less traction: 6 likes, 6 comments, and only 3 shares.</p><p>During a daily press conference on June 23, 2021, Zhao Lijian addressed the UK in a statement responding to criticism of Beijing's handling of Uyghur Muslims in Xinjiang. In his statement, he deflects blame back onto the UK: "The UK is by no means a model student &amp; has no authority to lecture others on human rights. It should earnestly reflect upon its own grave human rights violations instead of smearing China to divert attention &amp; deflect responsibility." The tweet received over 100 likes, 27 shares, and very few comments, indicating it did not get much traction on English-language social media. However, the theme is consistent with how China's Ministry of Foreign Affairs is handling criticism at this time: deflecting blame and revisiting the past mistakes or perceived reputational weaknesses of its accusers.</p><p>Insikt Group judges with high confidence that this activity is a CCP-sponsored influence operation targeting the BBC and the UK government. The volume of activity paired with a clearly identifiable narrative, coordination across the Chinese state-sponsored media apparatus, use of both Mandarin- and foreign-language content, use of dozens of fringe media outlets, and the campaign's alignment with the CCP's objectives create a clear picture of how the CCP conducts large-scale information operations to counter criticism and censor foreign media. Similar recent campaigns, including against <a href="https://medium.com/dfrlab/china-weaponizes-discovery-of-graves-at-canadian-residential-schools-to-avoid-xinjiang-criticism-6bf618a6e954">Canada</a> and the US, have been observed by fellow disinformation researchers and further confirm the tactics, techniques, and procedures used in this particular campaign targeting the BBC and the UK.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/china_propaganda_targets_BBC_UK_ce1921e9d4.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Protect Against BlackMatter Ransomware Before It’s Offered]]></title>
            <link>https://www.recordedfuture.com/blackmatter-ransomware-protection</link>
            <guid>https://www.recordedfuture.com/blackmatter-ransomware-protection</guid>
            <pubDate>Wed, 04 Aug 2021 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group reverse-engineered the Linux and Windows variants of BlackMatter ransomware and provided a high-level overview of the functionality in addition to IOCs, utilities, and detections.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_300x48_b5390f4ff2.png" alt="insikt-group-logo-updated-3-300x48.png"></p><p><em><strong>Editor's Note</strong>: The following post is an excerpt of a full report. To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf" target="_blank" rel="noopener">click here</a> to download the report as a PDF.</em></p><p><em>Insikt Group reverse-engineered the Linux and Windows variants of BlackMatter ransomware and provides a high-level overview of their functionality in addition to IOCs, utilities, and detections. The intended audience of this research is threat intelligence professionals and those interested in a technical overview of the new ransomware variant.</em></p><h4 id="executive-summary">Executive Summary</h4><p>Insikt Group analyzed Windows and Linux variants of BlackMatter ransomware, a new ransomware-as-a-service (RaaS) affiliate program founded in July 2021. During our technical analysis, we found that both variants accomplish the same goal of encrypting a victim's files and appear to have been developed by a relatively sophisticated group. The Windows version of the ransomware employs several obfuscation and anti-reverse-engineering techniques, suggesting that it was created by an experienced ransomware developer. BlackMatter's Linux variant is another example of an emerging trend of malware targeting Linux-based systems, including ESXi and network-attached storage (NAS) devices. Recorded Future has provided reverse-engineering utilities, a YARA rule, and IOCs that organizations can use to hunt for or detect the ransomware.</p><p><em><strong>Editor's Note:</strong> This post was an excerpt of a full report. To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf" target="_blank" rel="noopener">click here</a> to download the report as a PDF.</em></p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/blog_08_04_21_blackmatter_ransomware_protection_63eb1a6596.jpeg" length="0" type="image/jpeg"/>
        </item>
        <item>
            <title><![CDATA[The Business of Fraud: Online Retail Fraud in the Criminal Underground]]></title>
            <link>https://www.recordedfuture.com/online-retail-fraud-criminal-underground</link>
            <guid>https://www.recordedfuture.com/online-retail-fraud-criminal-underground</guid>
            <pubDate>Mon, 26 Jul 2021 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future analyzed current data from the Recorded Future® Platform, as well as dark web and open-source intelligence (OSINT) sources, to review the current landscape of online retail fraud scams and schemes popular with threat actors. This report will be of most interest to anti-fraud and network defenders, security researchers, and executives charged with security and fraud risk management and mitigation.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_a86eedc2e6.png" alt="insikt-group-logo-updated-3.png"></p><p><em><strong>Editor's Note</strong>: The following post is an excerpt of a full report. To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2021-0726.pdf" target="_blank" rel="noopener">click here</a> to download the report as a PDF.</em></p><p><em>Recorded Future analyzed current data from the Recorded Future Platform, as well as dark web and open-source intelligence (OSINT) sources, to review the current landscape of online retail fraud scams and schemes popular with threat actors. This report will be of most interest to anti-fraud and network defenders, security researchers, and executives charged with security and fraud risk management and mitigation. This report expands upon findings addressed in the first report of the Insikt Group's fraud series, <a href="https://www.recordedfuture.com/how-cybercrime-gets-monetized/"><em>The Business of Fraud: An Overview of How Cybercrime Gets Monetized</em></a>.</em></p><h3 id="executive-summary">Executive Summary</h3><p>Online retail fraud is a persistent, multifaceted threat to businesses of all sizes and their customers, and it is likely to persist for the foreseeable future as consumers engage more with online retailers and shop online rather than at traditional brick-and-mortar stores. Also called e-commerce fraud, online retail fraud is the act of committing some form of fraud, such as a fraudulent transaction, on a web-based retail platform. Generally, cybercriminals use stolen payment or account information to conduct these transactions. 
Some elements of online retail fraud also involve social engineering schemes that defraud a retail platform directly, as with refunding scams against a retailer's customer service branch, or a third party, as with interception fraud or scams that target shipping companies.</p><p>Threat actors engaging in online retail fraud discuss the topic in multiple languages, primarily English, Russian, and Chinese, discussing methods, offering tutorials and guides, and selling various goods and services ranging from significantly discounted stolen gift card information to all-inclusive refunding services targeting major retailers. While major online retailers have implemented various anti-fraud mitigations, threat actors often devise techniques to bypass them, notably through anti-detection (anti-detect) browsers.</p><h3 id="key-judgments">Key Judgments</h3><ul><li>Online retail fraud will likely increase as e-commerce platforms continue to grow in the coming years.</li><li>We believe that threat actors will continue to demonstrate flexibility, adaptability, and opportunism amid a shifting e-commerce landscape, targeting emerging retail opportunities such as curbside pickup.</li><li>Gift card fraud is its own type of service across the dark web and a way for cybercriminals to steal and launder money. Threat actors who specialize in gift card fraud operate dedicated shops because of its high demand.</li><li>Refund fraud, or "refunding" for short, is both an entryway for threat actors to establish credibility on criminal forums and a growing avenue for threat actors to offer criminal services against online retailers through social engineering.</li><li>We believe that cybercriminals will continue developing and using anti-detection tools to circumvent organizations' security mechanisms.</li></ul><p><em><strong>Editor's Note:</strong> This post was an excerpt of a full report. 
To read the entire analysis, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2021-0726.pdf" target="_blank" rel="noopener">click here</a> to download the report as a PDF.</em></p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/Business_Fraud_Criminal_Underground_Main_Feature_1a2659ac30.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[The Business of Fraud: An Overview of How Cybercrime Gets Monetized]]></title>
            <link>https://www.recordedfuture.com/how-cybercrime-gets-monetized</link>
            <guid>https://www.recordedfuture.com/how-cybercrime-gets-monetized</guid>
            <pubDate>Thu, 25 Feb 2021 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future analyzed current data from the Recorded Future® Platform, information security reporting, and other OSINT sources to review 11 fraud methods and services that facilitate threat actor campaigns. In subsequent months, Recorded Future will publish in-depth reports on each method or service, the threat actors offering them, technical details where applicable, and mitigation recommendations. This report will be of most interest to anti-fraud and network defenders, security researchers, and executives charged with security and fraud risk management and mitigation.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/Primary_Logo_Insikt_Digital_RGB_45f99b2dc9.png" alt="Primary Logo - Insikt - Digital (RGB).png"></p><p><em><strong>Editor's Note</strong>: The following post is an excerpt of a full report. To read the entire analysis, <a href="https://cta-redirect.hubspot.com/cta/redirect/252628/422f79f5-a474-4b56-9e22-1ff88997450e">click here</a> to download the report as a PDF.</em></p><p><em>Recorded Future analyzed current data from the Recorded Future Platform, information security reporting, and other OSINT sources to review 11 fraud methods and services that facilitate threat actor campaigns. In subsequent months, Recorded Future will publish in-depth reports on each method or service, the threat actors offering them, technical details where applicable, and mitigation recommendations. This report will be of most interest to anti-fraud and network defenders, security researchers, and executives charged with security and fraud risk management and mitigation.</em></p><h3 id="executive-summary">Executive Summary</h3><p>The cybercriminal fraud ecosystem is a whole and interconnected enterprise. 
In this report, the introduction to our series on cybercriminal fraud, Insikt Group describes 11 types of fraud methods and services currently used by threat actors to facilitate their campaigns. For each, we provide a brief overview of some notable recent developments, list some of the top vendors of these services on the criminal underground, and provide suggested mitigations for defenders to implement. The Recorded Future Platform enables research and analysis of fraud methods available on the dark web and other sources to identify cybercriminal schemes, as well as the threat actors and communities that advertise those methods.</p><h3 id="outline">Outline</h3><ul><li><strong>Fraud tutorials and courses</strong> provide insights into possible vulnerabilities as well as schemes and techniques used by threat actors.</li><li><strong>Drops and mule</strong> services, unlike other cybercrime services, require a physical and human presence to successfully carry out criminal operations.</li><li><strong>Dating scams</strong> involve the creation of fake profiles on dating apps or social media platforms, or direct phishing emails that target victims with the end goal of tricking them into sending money or facilitating fraudulent activities.</li><li><strong>Online retail fraud</strong>, including gift card fraud and refund fraud, typically entails the use of stolen information and is frequently facilitated by anti-detect and shipping services.</li><li><strong>SIM swapping</strong> is a technique used by threat actors to take over a victim's phone number with the end goal of intercepting two-factor authentication (2FA) codes to obtain access to the victim's online accounts.</li><li><strong>Money laundering services</strong> within the dark web provide a combination of services through which threat actors can conceal the origins of their money, transfer cryptocurrency into virtual currency, have funds sent to a bank account or payment card, move funds across borders, or exchange 
for physical currency.</li><li><strong>The role of botnets in the dissemination of malware to support fraud</strong> continues to grow as threat actors propagate some of the most prevalent malware families targeting individuals and organizations. These malware strains are specifically designed to exfiltrate information appealing to financially motivated threat actors seeking to conduct fraud.</li><li><strong>Travel and loyalty (hospitality) fraud</strong> involves threat actors scamming users into providing personally identifiable information (PII) and financial information through fraudulent travel and hospitality services, including car rentals, hotel and flight bookings, excursions, and other vacation-related offers such as bonus points, miles, and other rewards.</li><li><strong>Sales of personally identifiable information (PII) and protected health information (PHI)</strong> are conducted by threat actors who gather victim PII stolen from compromised networks, individual infected computers, leaked databases, or phishing attacks, which is then used to facilitate a wide variety of fraud.</li><li><strong>Tax return fraud</strong>, also known as stolen identity refund fraud (SIRF), is a specific case of identity theft in which a criminal files a tax return with victim information to the Internal Revenue Service or state tax agencies with the goal of stealing the victim's tax refund.</li><li><strong>Bank fraud</strong> is constantly evolving to follow current trends in the banking industry. Credit card fraud, online banking fraud, and wire transfer fraud are the main types of bank fraud.</li></ul><p><em><strong>Editor's Note</strong>: This post was an excerpt of a full report. 
To read the entire analysis, <a href="https://cta-redirect.hubspot.com/cta/redirect/252628/422f79f5-a474-4b56-9e22-1ff88997450e">click here</a> to download the report as a PDF.</em></p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/how_cybercrime_gets_monetized_2aa7fd7b1e.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Top 6 MITRE ATT&CK Techniques Identified in 2020, Defense Evasion Tactics Prevail Report]]></title>
            <link>https://www.recordedfuture.com/top-2020-mitre-techniques</link>
            <guid>https://www.recordedfuture.com/top-2020-mitre-techniques</guid>
            <pubDate>Wed, 03 Feb 2021 00:00:00 GMT</pubDate>
            <description><![CDATA[Top 6 MITRE ATT&CK Techniques Identified in 2020, Defense Evasion Tactics Prevail]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_3_a86eedc2e6.png" alt="insikt-group-logo-updated-3.png"></p><p><em>This report outlines a high-level landscape of tactics and techniques tagged in Recorded Future Platform data sources as mapped to the MITRE ATT&amp;CK framework over 2020. The data covers January 1 to December 1, 2020. This report is intended for those familiar with the MITRE ATT&amp;CK framework, with particular relevance to security teams that rely on the framework to inform red and blue team exercises, penetration testing, threat hunting, and various security protocol prioritizations.</em></p><h3 id="executive-summary">Executive Summary</h3><p>In 2020, the six most widely used techniques according to the Recorded Future Platform were <em>T1027 (Obfuscated Files and Information), T1055 (Process Injection), T1098 (Account Manipulation), T1219 (Remote Access Tools), T1082 (System Information Discovery)</em>, and <em>T1018 (Remote System Discovery)</em>. Three additional associated techniques, MITRE ATT&amp;CK techniques related to the top six, were <em>T1497 (Virtualization/Sandbox Evasion), T1083 (File and Directory Discovery)</em>, and <em>T1036 (Masquerading)</em>.</p><p>Four of these techniques are categorized under the <em>Defense Evasion</em> tactic, followed by <em>Persistence</em> and <em>Discovery</em>. Seeing Defense Evasion tactics prevail in the data is in line with Insikt Group's observations that these tactics are becoming more commonplace in malware. Identifying these techniques helps characterize what the cyber threat landscape looked like over the last year: from opportunistic threat actors taking advantage of a remote workforce due to COVID-19 to major expansions of prominent ransomware operators to include exfiltration and extortion. All of the techniques identified were critical to the success of cyberattacks in 2020. 
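Any one of these techniques seen on its own (a single system-information command, one injected process) is weak evidence; the useful signal is several techniques from different tactics landing on one host within a short window. The Python below is an added example, not code from this report or from the Recorded Future Platform. It correlates constructed sample events tagged with the technique IDs above into a per-host alert, using an assumed one-tactic-per-technique mapping and a 30-minute window; both are simplifications chosen for illustration.

```python
"""Pattern-of-activity correlation over technique-tagged host events.

Added example, not code from the Recorded Future report or platform.
The tactic mapping is a simplified, assumed subset of Enterprise ATT&CK
(one primary tactic per technique) and the events are constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Primary tactic for each technique named in the report (assumed simplification;
# several of these map to more than one tactic in the full matrix at attack.mitre.org).
TECHNIQUE_TACTIC = {
    "T1027": "Defense Evasion",      # Obfuscated Files and Information
    "T1055": "Defense Evasion",      # Process Injection
    "T1036": "Defense Evasion",      # Masquerading
    "T1497": "Defense Evasion",      # Virtualization/Sandbox Evasion
    "T1098": "Persistence",          # Account Manipulation
    "T1219": "Command and Control",  # Remote Access Software
    "T1082": "Discovery",            # System Information Discovery
    "T1018": "Discovery",            # Remote System Discovery
    "T1083": "Discovery",            # File and Directory Discovery
}

# Constructed sample telemetry: (host, ISO-8601 timestamp, technique ID).
SAMPLE_EVENTS = [
    ("ws-01", "2020-11-03T09:00:00", "T1027"),  # obfuscated payload dropped
    ("ws-01", "2020-11-03T09:04:00", "T1055"),  # injected into a host process
    ("ws-01", "2020-11-03T09:07:00", "T1082"),  # systeminfo-style enumeration
    ("ws-01", "2020-11-03T09:12:00", "T1018"),  # scanning for other hosts
    ("ws-02", "2020-11-03T09:00:00", "T1082"),  # lone discovery: admin inventory
    ("ws-02", "2020-11-03T13:00:00", "T1082"),
    ("ws-03", "2020-11-03T10:00:00", "T1082"),  # two techniques, one tactic
    ("ws-03", "2020-11-03T10:05:00", "T1083"),
    ("ws-04", "2020-11-03T08:00:00", "T1027"),  # evasion pair, then persistence
    ("ws-04", "2020-11-03T08:10:00", "T1055"),  # three hours later: outside
    ("ws-04", "2020-11-03T11:20:00", "T1098"),  # the 30-minute window
]


def correlate(events, window_minutes=30, min_techniques=3, min_tactics=2):
    """Return one alert per host whose events, inside a sliding window,
    span at least min_techniques distinct techniques and min_tactics tactics.

    A single technique never alerts on its own; the pattern across tactics
    is what is scored. The first qualifying window per host is reported.
    """
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for host, ts, technique in events:
        by_host[host].append((datetime.fromisoformat(ts), technique))

    alerts = []
    for host in sorted(by_host):
        timeline = sorted(by_host[host])
        for i, (start, _) in enumerate(timeline):
            # Every event from this one up to `window` later.
            in_window = [(t, tech) for t, tech in timeline[i:] if t - start <= window]
            techniques = sorted({tech for _, tech in in_window})
            tactics = sorted({TECHNIQUE_TACTIC.get(tech, "Unknown") for tech in techniques})
            if len(techniques) >= min_techniques and len(tactics) >= min_tactics:
                alerts.append({
                    "host": host,
                    "window_start": start.isoformat(),
                    "window_end": in_window[-1][0].isoformat(),
                    "techniques": techniques,
                    "tactics": tactics,
                })
                break
    return alerts


def technique_counts(events):
    """The isolated view: raw per-technique totals with no notion of which
    host they hit or how close together they occurred."""
    counts = defaultdict(int)
    for _, _, technique in events:
        counts[technique] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['host']}: {', '.join(alert['techniques'])} "
              f"across {', '.join(alert['tactics'])} "
              f"between {alert['window_start']} and {alert['window_end']}")
```

On the sample data, technique_counts ranks T1082 highest, yet the only host that alerts is the one where evasion and discovery techniques cluster within minutes; widening the window to four hours also surfaces the host whose evasion pair is followed by account manipulation. Tune the window and thresholds to your environment's noise, and feed the high-fidelity events the report mentions into the same window as additional members.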
</p><p>The challenge for defenders is making this information actionable. Detection of some of these techniques can be difficult as more advanced threat actors attempt to hide their true intentions or blend in with normal activities. As <a href="https://attack.mitre.org/techniques/T1497/001/" rel="noopener noreferrer" target="_blank">mentioned</a> in the MITRE ATT&amp;CK glossary, data should not be viewed in isolation, but rather as a pattern of activity that highlights tactics like <em>Defense Evasion</em> or <em>Persistence</em>. By correlating these techniques with additional high-fidelity events, defenders can find better indications of suspicious activity. We have included detections for both individual malware observed using the highlighted techniques and more high-level detection strategies in this report. </p><h3 id="background">Background</h3><p><a href="https://attack.mitre.org/resources/" rel="noopener noreferrer" target="_blank">MITRE ATT&amp;CK</a> is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&amp;CK framework is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. With the help of the ATT&amp;CK framework, security teams have a wider picture of adversary behavior, allowing mitigation and detection methods to be tested against the techniques. It has become a useful tool across many cybersecurity disciplines to provide intelligence, track trends in tactics and techniques, perform testing through red teaming or adversary emulation, and improve network and system defenses against intrusions.</p><p>The ATT&amp;CK framework has evolved since its publication in 2018, containing almost 200 unique tactics, techniques, and procedures (TTPs). 
The recent consolidation of the Pre-ATT&amp;CK framework with the main Enterprise ATT&amp;CK framework, as well as the introduction of subtechniques, have only furthered the usability of the framework.</p><h3 id="methodology">Methodology</h3><p>In our <a href="https://www.recordedfuture.com/mitre-attack-tactics/?__hstc=46213176.240047a9d5425b97fab081d1183fe83d.1661318863212.1664940891391.1665109684646.52&amp;__hssc=46213176.2.1665109684646&amp;__hsfp=2776202185">2019 report</a>, Insikt Group relied on the Recorded Future Malware Detonation Sandbox as a source for finding top ATT&amp;CK techniques. Based on the changes to the ATT&amp;CK framework and the continued improvement of Recorded Future data, we used three queries in the Recorded Future Platform to aid in identifying the top MITRE ATT&amp;CK techniques used in 2020. Data from each query is taken from Insikt Notes, Recorded Future Malware Detonation Sandbox samples, and Attack Vectors as automatically categorized by Recorded Future. </p><p>Insikt Group notes cover a wide range of threat intelligence and cyberattacks, which is represented in the first query. The second query, using the Malware Detonation Sandbox sample analysis as a source, provides a technical perspective focused on execution of malware. The third query looks for Cyber Attack events where a MITRE ATT&amp;CK technique was specified as an attack vector to try and capture any additional information. The queries were separated to tune out false positives and to provide a more holistic picture of techniques used. </p><p>The <a href="https://attack.mitre.org/resources/updates/updates-october-2020/index.html" rel="noopener noreferrer" target="_blank">mid-year revision</a> of the ATT&amp;CK framework, which included Pre-ATT&amp;CK and subtechniques, created what we believe to be a more accurate and detailed representation of the Cyber Kill Chain from Reconnaissance to Exfiltration and beyond. 
Insikt Group notes cover pre- and post-exploitation tactics (<em>Reconnaissance</em>, <em>Initial Access</em>, <em>Impact</em>, and so on) because they cover finished intelligence or hearsay (for example, a threat actor claiming to have access to credentials). Malware Detonation Sandbox results, however, are focused on exploitation tactics (such as <em>Execution</em>, <em>Persistence</em>, or <em>Privilege Escalation</em>) based on dynamic analysis of the malicious samples submitted. Attack Vector results are based on Recorded Future's processing and classification of tactics used in cyberattacks globally, which varied substantially.</p><p>Because Insikt Notes, Malware Detonation Sandbox results, and references to Attack Vectors cover different ranges of tactics, the three queries together better capture the full lifecycle of what core techniques were used in cyberattacks in 2020. </p><p>Each column below is populated with the top-referenced MITRE ATT&amp;CK techniques per appearance in Insikt Notes, appearance in our Malware Detonation Sandbox source, or association with Attack Vector entities in the Recorded Future Platform. 
The lists in this table are ordered in descending order of reference count.</p><p><img src="https://cms.recordedfuture.com/uploads/top_2020_mitre_techniques_1_1_scaled_73ea891e36.jpg" alt="top-2020-mitre-techniques-1-1-scaled.jpg"></p><p><img src="https://cms.recordedfuture.com/uploads/top_2020_mitre_techniques_2_1_e2bcbf046f.png" alt="top-2020-mitre-techniques-2-1.png"></p><p><em><strong>Table 1</strong>: Top 10 MITRE ATT&amp;CK Techniques categorized by query (Source: Recorded Future)</em></p><h3 id="top-six-attck-technique-analysis">Top Six ATT&amp;CK Technique Analysis</h3><p><img src="https://cms.recordedfuture.com/uploads/top_2020_mitre_techniques_3_1_aeb649607b.png" alt="top-2020-mitre-techniques-3-1.png"></p><p><em><strong>Table 2</strong>: Overall Top Six ATT&amp;CK Techniques in 2020 (Source: Recorded Future)</em></p><p>We identified six techniques that were observed in two or more sources, and of those, only two techniques were present in all three source groups: <em>T1027 - Obfuscated Files and Information</em> and <em>T1055 - Process Injection</em>. These two techniques, which fall under the <em>Defense Evasion</em> (TA0005) and <em>Privilege Escalation</em> (TA0004) tactics, respectively, are used so prolifically by threat actors because they are essential to most successful cyber threat operations, unlike specific techniques such as <em>T1486 - Data Encrypted for Impact</em>, which is only useful to ransomware operators. </p><p>The additional techniques, <em>T1098 - Account Manipulation</em>, <em>T1219 - Remote Access Tools</em>, <em>T1082 - System Information Discovery</em>, and <em>T1018 - Remote System Discovery</em>, were present in only two of the three source types. These techniques represent a small fraction of the cyber landscape of 2020, including opportunistic threat actors taking advantage of a remote workforce due to COVID-19 and major expansions of prominent ransomware operators to include exfiltration and extortion. 
</p><p>In line with 2019's results, the top tactic these techniques share is <em>Defense Evasion</em>. Threat actors deploying ransomware, remote access tools (RATs), or infostealers will all look to evade detection, whether through obfuscated files that remain undetected by static file detections or by masquerading as legitimate services through process injection techniques.</p><p>Insikt Group has compiled relevant examples of each of the six techniques from the past year, including associated malware, threat actors, and associated techniques. Suggestions for mitigations and detections for each malware mentioned are linked in line. </p><h3 id="additional-attck-technique-analysis-and-detections">Additional ATT&amp;CK Technique Analysis and Detections</h3><p><img src="https://cms.recordedfuture.com/uploads/top_2020_mitre_techniques_4_1_927f879086.png" alt="top-2020-mitre-techniques-4-1.png"></p><p><em><strong>Table 3</strong>: Remaining MITRE ATT&amp;CK Techniques as displayed in Methodology (Source: Recorded Future)</em></p><p>Insikt Group identified 16 additional MITRE ATT&amp;CK techniques (Table 3) that were widely used by threat actors in 2020. While they were identified within one of the three queries' Top 10 lists, they were not present in more than one of the queries and therefore are not detailed in the Top Techniques Analysis section above. </p><p>Some of these are referenced in the Associated Techniques subsections, including three techniques mentioned more than once: <em>T1497 - Virtualization/Sandbox Evasion, T1083 - File and Directory Discovery</em>, and <em>T1036 - Masquerading</em>. These techniques, categorized under Defense Evasion and Discovery tactics, derive their references from the Malware Sandbox query. </p><p>Detection of these techniques can be difficult as all three incorporate some attempt to hide their true intentions or blend in with normal activities. 
As mentioned in the MITRE ATT&amp;CK glossary, data should not be viewed in isolation, but rather as a pattern of activity that highlights tactics like Defense Evasion or Persistence. By correlating these techniques with additional high-fidelity events, defenders can find better indications of suspicious activity. </p><p><em>T1497 - Virtualization/Sandbox Evasion</em> is not a new technique, but its use grew last year, manifesting in malware variants like Pysa Ransomware or BABAX Stealer. Detection of <em>T1497 - Virtualization/Sandbox Evasion</em> can be performed with the YARA rule <a href="https://github.com/Yara-Rules/rules/tree/master/antidebug_antivm" rel="noopener noreferrer" target="_blank">Antidebug_antivm</a> from <a href="https://github.com/Yara-Rules" rel="noopener noreferrer" target="_blank">The Yara Rules Project</a>. This YARA rule detects only a subset of the <em>Virtualization/Sandbox Evasion</em> technique and should be considered a starting point or used in conjunction with other detection techniques or tools.</p><p>Detection of both <em>T1083 - File and Directory Discovery</em> and <em>T1036 - Masquerading</em> can be done by monitoring for suspicious activity with your existing monitoring tools. For <em>T1083 - File and Directory Discovery</em>, there are certain commands typically executed when a threat actor is actively enumerating a network. JPCERT has <a href="https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html" rel="noopener noreferrer" target="_blank">outlined</a> some of the more common commands abused by adversaries. The commands most relevant to file discovery and enumeration are dir, type, net view, and net use. </p><p>Detections of commands such as dir, type, net view, and net use alone are not enough to alert you to malicious activity, as they are also used by system administrators. 
However, the execution of those commands combined with the activity of downloading a file from a remote drive within 30 minutes of each other, for example, would be a better indicator of malicious activity. In addition to this, a threat actor will likely use multiple Discovery techniques, including <em>T1082 - System Information Discovery</em> and <em>T1018 - Remote System Discovery</em>, as we observed in the Associated Techniques category. </p><p>Similar to <em>T1083 - File and Directory Discovery</em>, detection for <em>T1036 - Masquerading</em> relies on identifying improper use of legitimate applications and tools. The Sunburst malware is a good example of masquerading malware, as the code is executed under SolarWinds processes and also uses the SolarWinds Orion Improvement Program (OIP) for its C2 communication. Detection of this activity requires understanding the normal behavior of such tools and then identifying anomalies. While the Sunburst malware uses sophisticated techniques for masquerading, detection could still be possible by monitoring outbound connections, or monitoring for activity from SolarWinds processes, users, or hosts indicative of credential harvesting or privilege escalation.</p><h3 id="outlook">Outlook</h3><p>The ATT&amp;CK framework is designed to map the lifecycle of a cyberattack to a set of TTPs acknowledged by the cybersecurity community. Defenders can map cyberattacks to this framework to prioritize which techniques to defend against. As network and endpoint defense technologies adapt to the most novel threats, attackers will continue focusing on creating innovative ways to evade detections put in place by defenders. The constant struggle between attackers and defenders is why <em>Defense Evasion</em> remains the most prevalent tactic each year. 
</p><p>While defenders should prioritize tooling and detections to identify attackers during the Initial Access phase to stop the attack before it infects the victim, that is not always possible or easy to do. Defenders should also prioritize the 37 techniques encapsulated by the <em>Defense Evasion</em> tactic, specifically the ones outlined in this report that were most common in 2020. One challenge defenders face when building detections for a particular <em>Defense Evasion</em> technique such as <em>T1140 - Deobfuscate/Decode Files or Information</em> is the wide variety of implementations attackers use. In these cases, it is more important to focus on the underlying detectable artifacts and behavior hidden underneath the specific technique than on the technique itself.</p><p>In line with last year's findings, the second most common tactic after <em>Defense Evasion</em> was <em>Discovery</em> in 2020. The extensive use of the <em>Discovery</em> tactic highlights the common goal among almost all attackers to discover and steal sensitive information. This includes ransomware operators such as those behind Netwalker discovering and exfiltrating data for extortion purposes, info stealers such as FickerStealer looking for Bitcoin wallets, and RATs such as SDBbot running network scans for future lateral movement. Many of the techniques used by threat actors to perform <em>Discovery</em> have legitimate uses, as described above, so defenders should focus on building detections to identify improper use of these legitimate applications and tools.</p><p>Identifying techniques encapsulated by the <em>Defense Evasion</em> and <em>Discovery</em> tactics often gives the defender the opportunity to detect an attack during an active operation, which is crucial to mitigating damages. Although these two tactics should be prioritized by defenders, it is still important to build detections for the other 12 tactics. 
Every time an attacker uses another technique in the ATT&amp;CK matrix, a new opportunity is presented to the defender to detect the malicious activity. Using the mitigations, as prescribed in each section, publicly available ATT&amp;CK-mapped <a href="https://car.mitre.org/analytics/" rel="noopener noreferrer" target="_blank">detection</a> <a href="https://github.com/Neo23x0/sigma/tree/master/rules" rel="noopener noreferrer" target="_blank">mechanisms</a>, and Insikt Group Hunting Packages, defenders can stay up to date with defenses against the latest TTPs. </p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/cta_2021_0203_1_f27884ad56.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Unemployment Fraud in the Criminal Underground Report]]></title>
            <link>https://www.recordedfuture.com/unemployment-fraud-in-criminal-underground</link>
            <guid>https://www.recordedfuture.com/unemployment-fraud-in-criminal-underground</guid>
            <pubDate>Thu, 14 Jan 2021 00:00:00 GMT</pubDate>
            <description><![CDATA[This report reviews the current threat landscape of unemployment
fraud in the United States within closed sources and underground
reporting. It contains information gathered using the Recorded Future®
Platform, as well as additional open source intelligence (OSINT), dark
web sources, and underground forum research.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/Primary_Logo_Insikt_Digital_RGB_45f99b2dc9.png" alt="Primary Logo - Insikt - Digital (RGB).png"></p><p><em><a href="https://cta-redirect.hubspot.com/cta/redirect/252628/9b462390-28a9-431a-bc18-5130d670f5ef">Click here</a> to download the complete analysis as a PDF.</em></p><p><em>This report reviews the current threat landscape of unemployment fraud in the United States within closed sources and underground reporting. It contains information gathered using the Recorded Future Platform, as well as additional open source intelligence (OSINT), dark web sources, and underground forum research. It will be of interest to organizations seeking to better understand unemployment fraud within the criminal underground, as well as investigators of threat actors performing such attacks.</em></p><h3 id="executive-summary">Executive Summary</h3><p>The COVID-19 pandemic has led to the commoditization of a variety of criminal services themed around unemployment relief originally meant to be distributed to those whose lives have been disrupted by the virus. 
Unemployment fraud has become increasingly accessible to threat actors lately and presents a low barrier of entry for fledgling cybercriminals. The success of fraud campaigns this year themed around relief efforts to combat the COVID-19 pandemic is likely the result of a combination of factors, including successful social engineering campaigns, the use of money mules operating throughout the U.S., and threat actors' use of login information or personally identifiable information (PII) exposed during data breaches, dumps, or leaks. Some fraudsters targeting unemployment benefit systems are more likely to rely on traditional forms of social engineering such as targeted phishing emails directed at a company's executive leadership. Other tactics, such as the suspected use of money mules in connection with this fraudulent activity, overlap with the tactics of other cybercriminal groups that specialize in various types of fraud, particularly crews that specialize in business email compromise (BEC) schemes. </p><p>Given the volume of underground references to the sale of unemployment fraud tutorials and the number of views these methods generate, many fraudsters are likely still new at conducting this form of fraud. Recorded Future has seen no evidence to suspect that actors are exploiting vulnerabilities within government systems, relying instead on their ability to opportunistically target as many victims around the country as possible by harvesting previously exposed information. The general increase in unemployment fraud throughout 2020 was also likely compounded by gaps in the security hygiene of multiple government organizations responsible for safeguarding unemployment applicant data both virtually and physically. This is evidenced by actors in some states believed to be attempting to intercept physical mail that contained personal information tied to unemployment claims. 
The general flood of fraudulent unemployment requests that has overwhelmed government workers in many states is also enabled by the low barrier to entry for cybercriminals, who can purchase stolen accounts or cheap tutorials and methods on how they can conduct similar fraud.</p><h3 id="key-judgements-and-findings">Key Judgements and Findings</h3><ul><li><p>The promotion of fraudulent unemployment services within closed-source reporting over the past six months can be divided into two broad categories: </p><ul><li><p>The sale of tutorials or methods to file fraudulent claims </p></li><li><p>The sale of direct access to unemployment relief accounts that often contain a pre-existing balance of funds</p></li></ul></li><li><p>Over the past six months, cybercriminals have demonstrated a preference to advertise unemployment fraud tutorials or services via messaging platforms, specifically Telegram, over criminal forums, shops, or marketplaces. </p></li><li><p>Underground sources promoting unemployment fraud services typically specialize in a variety of other forms of fraud simultaneously, including credit card fraud and tax fraud. </p></li><li><p>The scale of fraudulent unemployment claims within the U.S. has become widespread enough in recent months that it is unlikely to be attributable to a single threat entity.</p></li><li><p>Open source reporting on the reported losses stemming from unemployment fraud activity, assessed to be in the millions of dollars, has very likely contributed to the growing level of interest among underground threat actors. 
</p></li><li><p>Money mules likely remain a critical component of the unemployment fraud supply chain as evidenced by images uploaded by underground sellers of fraudulent unemployment methods and open source reports surrounding the arrests of suspected mules throughout 2020.</p></li></ul><h3 id="background">Background</h3><p>Since the onset of the COVID-19 pandemic, rampant unemployment fraud has been reported throughout the U.S., with every state being impacted to varying degrees. This has manifested in various forms, from threat actors filing unemployment claims using stolen PII to state officials contending with reports of money mules funneling stolen funds to fraudulent threat actors operating overseas.</p><ul><li>In January 2020, the Federal Bureau of Investigation (FBI) <a href="https://www.ic3.gov/Media/Y2020/PSA200121" rel="noopener noreferrer" target="_blank">detailed</a> how cybercriminals use spoofed websites to harvest PII and steal money to conduct fake hiring scams with increasing complexity, advertising alongside legitimate employers and job placement firms to target victims of all skill and income levels. Criminals seeking PII to conduct unemployment fraud are likely to continue to harvest information from previously reported data dumps or breaches or within other criminal marketplaces, <a href="https://www.recordedfuture.com/underground-economy-automation/">often automated</a>, that sell the information at low costs.</li><li>Four months later, the U.S. Secret Service (USSS) <a href="https://krebsonsecurity.com/2020/05/u-s-secret-service-massive-fraud-against-state-unemployment-insurance-programs/" rel="noopener noreferrer" target="_blank">linked</a> increasing reports of fraud targeting state unemployment insurance programs to a well-organized Nigerian fraud ring. 
Researchers with Agari <a href="https://www.agari.com/email-security-blog/covid-19-unemployment-fraud-cares-act/" rel="noopener noreferrer" target="_blank">published</a> information that attributed a portion of this Nigerian fraud occurring at the time to a group of cybercriminals dubbed Scattered Canary. Potential losses as a result of the group's activities over the past several years are <a href="https://krebsonsecurity.com/2020/05/u-s-secret-service-massive-fraud-against-state-unemployment-insurance-programs/" rel="noopener noreferrer" target="_blank">assessed</a> to be in the hundreds of millions of dollars. The USSS <a href="https://krebsonsecurity.com/2020/05/u-s-secret-service-massive-fraud-against-state-unemployment-insurance-programs/" rel="noopener noreferrer" target="_blank">said</a> the fraud network is believed to include hundreds of money mules, a term used to describe willing or unwitting individuals who are recruited to help launder the proceeds of fraudulent financial transactions.</li></ul><p>Reports of rampant unemployment fraud continue to persist across <a href="https://www.wbrc.com/2020/12/14/adol-seeing-increase-fraudulent-unemployment-claims-how-find-out-if-someone-has-filed-with-your-identity/" rel="noopener noreferrer" target="_blank">multiple</a> <a href="https://www.radio.com/971talk/news/unemployment-fraud-cases-ramp-up-in-illinois" rel="noopener noreferrer" target="_blank">states</a>. Recorded Future has seen no instances of unemployment fraud that have resulted from an inherent vulnerability within any government systems; rather, reports have detailed various techniques used by individual fraudsters from state to state, making it unlikely that all reports of unemployment fraud that have emerged this year are due to one overarching threat entity. 
The general increase in unemployment fraud throughout 2020 was likely compounded by failures in the security hygiene of multiple government organizations responsible for safeguarding unemployment applicant data. Security experts believe <a href="https://www.latimes.com/california/story/2020-12-21/california-precautions-ignored-employment-development-department" rel="noopener noreferrer" target="_blank">multiple</a> <a href="https://www.nytimes.com/2020/09/11/business/economy/pandemic-unemployment-assistance-fraud.html" rel="noopener noreferrer" target="_blank">states</a> likely had pre-existing issues related to their ability to combat this specific form of fraud even prior to the COVID-19 pandemic, including failures to:</p><ul><li>Implement or renew identity verification software to review claims before they are disseminated </li><li>Cross-check benefit claims against personal data on other individuals such as prison <a href="https://www.latimes.com/california/story/2020-12-21/california-precautions-ignored-employment-development-department" rel="noopener noreferrer" target="_blank">inmates</a>, individuals listed as <a href="https://www.azfamily.com/news/investigations/3_on_your_side/originals/criminals-using-dead-arizonans-information-to-file-fraudulent-unemployment-claims/article_524475e2-1ab9-11eb-a483-1f71e2a6deda.html" rel="noopener noreferrer" target="_blank">deceased</a>, or out-of-state <a href="https://www.washingtonpost.com/business/2020/06/08/unemployment-fraud-congress/" rel="noopener noreferrer" target="_blank">residents</a> </li><li>Ensure that applicant PII such as Social Security numbers (SSN) are not included in mail correspondence susceptible to physical theft</li></ul><p>It is very likely that emerging cybercriminals have become emboldened by open source reports detailing how easy it is to conduct this form of fraudulent activity with no prior knowledge of unemployment systems, combined with the relatively low price of purchasing a tutorial or 
method to facilitate their activities. </p><h3 id="threat-analysis">Threat Analysis</h3><p>The promotion of fraudulent unemployment services within closed source reporting over the past six months can be divided into two broad categories: </p><ul><li>The sale of tutorials or methods to file fraudulent claims with government systems or platforms that assist with unemployment relief</li><li>The sale of direct access to unemployment relief accounts that often contain a pre-existing balance of funds</li></ul><p>In March 2020, U.S. lawmakers <a href="https://www.investopedia.com/how-the-coronavirus-stimulus-bills-affect-you-4800404" rel="noopener noreferrer" target="_blank">passed</a> the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which established the Pandemic Unemployment Assistance (PUA) program. This program expands unemployment insurance eligibility to self-employed workers, freelancers, independent contractors, and part-time workers impacted by the coronavirus. Though the PUA program is only one component of unemployment relief offered by government entities within the U.S. in response to the pandemic, it has continued to be an integral component of the growing volume of underground advertisements linked to unemployment fraud. </p><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_1_2_242c2083b6.png" alt="unemployment-fraud-in-criminal-underground-1-2.png"></p><p><em><strong>Figure 1</strong>: PUA program mentions within dark web sources (Source: Recorded Future)</em></p><p>The visual below shows the results of a survey provided to members of one Telegram channel devoted to multiple forms of fraudulent activity. Though the sale of PUA information came in last place in the survey, its very inclusion on the survey demonstrates that this element of fraudulent activity has generated enough demand among cybercriminals to warrant its own sales category within closed sources. 
Recorded Future has knowledge of at least one Telegram channel implementing an operation as a result of expectations that provisions surrounding unemployment relief were set to expire at the end of 2020, making fraudulent PUA claims a priority for admins of the channel attempting to generate as much revenue as possible in the event that the PUA program or other unemployment relief offerings were suddenly to cease.</p><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_2_1_c1c36456fa.png" alt="unemployment-fraud-in-criminal-underground-2-1.png"></p><p><em><strong>Figure 2</strong>: November 2020 survey in Telegram channel dedicated to fraud activities (Source: Telegram)</em></p><p>Over the past six months, cybercriminals have demonstrated a preference for advertising unemployment fraud tutorials or account information via messaging platforms over criminal forums, shops, or marketplaces. However, the demand within traditional marketplaces remains high enough for administrators to continue to support various offerings related to unemployment fraud. </p><p>Another appealing aspect of this form of fraud is the relatively low price of tutorials or account information. Recorded Future observed tutorials and methods related to conducting unemployment fraud selling for anywhere between $5 and $100, depending on the state being targeted. The price of PUA information or access to a state government platform containing a pre-existing balance of relief funds was typically higher (as denoted in Figure 3 below, where some threat actors were asking for between $80 and $100 for PUA information associated with New York and Wisconsin unemployment claims). </p><p>Threat actors selling this information demonstrated a willingness to forgo accounts with relief balances valued in the thousands of dollars to ensure the long-term success of their underground business model. 
Additionally, the higher price for direct access to accounts with pre-existing balances as opposed to the tutorials is likely a result of buyers being in the position to more easily access the funds that another veteran actor likely already procured. This is in contrast with tutorials, where the buyer is still ultimately responsible for obtaining victim accounts to achieve profit while avoiding attention from law enforcement.</p><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_3_2_1048a7e404.png" alt="unemployment-fraud-in-criminal-underground-3-2.png"></p><p><em><strong>Figure 3</strong>: Sale of access to random PUA account information</em></p><p>Other fraud methods related to unemployment scams contained what cybercriminals considered to be useful tips to increase the likelihood of achieving success when submitting a fraudulent claim. Tips recommended by fraudsters across multiple tutorials included the following:</p><ul><li><p>If asked on an application as to when the COVID-19 pandemic affected your employment activities, put March 25, 2020, just two days prior to when the CARES Act was implemented by Congress. </p></li><li><p>Filing a claim as Self-Employed when possible will net applicants more money than those who filed that they work for another company.</p></li><li><p>This same guide later advised other fraudsters which job they had success with when filing claims. In this tutorial's case, the author recommended pretending to be a professional photographer or another job that would be more difficult to fulfill within a remote environment.</p></li><li><p>If asked about how much you earned annually in 2019, when filing a fraudulent claim, list an amount between $16,850 and $42,100. The author in this case likely believed that providing a salary above a particular threshold would increase the likelihood of it being flagged by law enforcement investigators or state officials reviewing individual claims. 
</p></li><li><p>Social engineering techniques were also encouraged within multiple tutorials. In one guide, the authors reported that calling a PUA claim line and entering a Social Security number (SSN) obtained from another source would verify whether that individual already had an open unemployment relief claim. If no claim had been filed yet, public record aggregation websites such as Verified and Truthfinder were recommended as sources of additional PII on a target. The actors specifically advised using good SSN and date of birth (DOB) information on a target to conduct further research on these public record aggregation sites, likely in an attempt to harvest additional PII. However, the actors also showed a level of bias within this guide, with their final recommendation being to visit a specific underground marketplace they are affiliated with to purchase additional information.</p></li></ul><p>Underground sources selling fraudulent unemployment relief tutorials or account information typically specialize in other forms of fraud, including credit card and tax fraud. Additionally, sellers of these types of fraud do not appear to devote all resources to targeting unemployment systems in one state at a time. 
Instead, they offer services to access information from a variety of states simultaneously, based on client demand and the level of difficulty in obtaining access to unemployment relief accounts within a particular state.</p><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_4_1_f85e665fbd.png" alt="unemployment-fraud-in-criminal-underground-4-1.png"></p><p><em><strong>Figure 4</strong>: Screenshot of state PUA offerings from a single underground actor (Source: Telegram)</em></p><p>Criminal shops such as Genesis Store and Russian Market that specialize in the sale of an end user's browsing history or digital footprint have also regularly contained login information for state government domains associated with unemployment relief throughout 2020. Recorded Future saw no indication or comments among cybercriminals that these bots containing state government login information were being specifically purchased to commit acts of unemployment fraud, though the lack of a discussion functionality within these shops makes it difficult to determine the specific motivation behind purchases from these sources.</p><h4 id="alert-to-changes-in-government-monitoring">Alert to Changes in Government Monitoring</h4><p>As a result of the steady uptick in reports of unemployment fraud across the U.S., states have attempted to mitigate the threat posed by this form of fraudulent activity to varying degrees. As of November 2020, the USSS <a href="https://www.nbcnews.com/tech/security/criminals-launder-coronavirus-relief-money-venmo-cash-app-paypal-apps-rcna180" rel="noopener noreferrer" target="_blank">reported</a> 700 open investigations related to fraud targeting the Paycheck Protection Program and the Unemployment Relief Insurance program. 
As individual states continue to develop stronger security postures to combat this rampant fraud, cybercriminals advertising unemployment fraud methods or account information are continuing to monitor these changes as well and adjusting accordingly. </p><ul><li>Figure 5 below shows an administrator of a Telegram channel devoted to fraud activity advising members to avoid purchasing or attempting to access unemployment platforms linked to seven specific U.S. states they no longer believed to be distributing financial relief. </li><li>Individual Telegram channels appear to have varying recommendations as to which state is or is not an ideal target at any given time. For example, within two weeks of the Telegram post in Figure 5, originally uploaded in November 2020, threat actors resumed selling methods or account information associated with state systems in Ohio within the same channel, despite these prior warnings by channel administrators.  </li><li>Threat actors within these messaging platform channels have also expressed concern that some states are more capable of identifying their location than others. In one scenario, Recorded Future observed a comment from a user advising users to stay away from four specific U.S. states they believed to be likely using tracking applications to monitor for fraudulent claims. 
The use of proxy IP addresses was highly encouraged within closed sources to prevent this form of tracking and to ensure that a user is not locked out of any unemployment platforms, were government entities to flag their originating IP address as suspicious.</li></ul><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_5_1_0af6fcff07.png" alt="unemployment-fraud-in-criminal-underground-5-1.png"></p><p><em><strong>Figure 5</strong>: Threat actor advising channel members to avoid targeting certain states (Source: Telegram)</em></p><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_6_1_84b69a1ecd.png" alt="unemployment-fraud-in-criminal-underground-6-1.png"></p><p><em><strong>Figure 6</strong>: Warning from admin about government efforts to spy on Telegram channels (Source: Telegram)</em></p><p>We are not aware of any security vulnerabilities within government or corporate systems that have assisted in the spread of this fraudulent activity. It is more likely that threat actors will continue to opportunistically target unemployment relief platforms by harvesting exposed login information or purchasing bundles of PII for sale within underground sources. </p><h4 id="assisting-other-fraudsters">Assisting Other Fraudsters</h4><p>Generally, administrators maintaining channels within messaging platforms devoted to unemployment fraud were receptive to the idea of mentoring newer users, likely in an attempt to develop a long-term relationship with partners capable of generating demand for their channels and increasing revenue. This willingness among cybercriminals to partner with one another on unemployment fraud carried over to cybercriminal forums as well, where we observed recurring requests from users seeking serious partners for long-term fraud activity. 
Given that these threads encouraged interested parties to contact the vendor via private channels, the visibility Recorded Future has had into the potential success of these partnerships has been limited.</p><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_7_1_6dc6b762be.png" alt="unemployment-fraud-in-criminal-underground-7-1.png"></p><p><em><strong>Figure 7</strong>: Request for unemployment benefit partner</em></p><p>Vendors of employment scams or PUA fraud methods are often involved in several different scams simultaneously, including disaster relief fraud, Social Security fraud, tax fraud, and credit card fraud. This is the norm for cybercriminal organizations able to operate multiple services capable of providing different streams of revenue. </p><p>Recorded Future reviewed several tutorials and methods circulating within the criminal underground regarding a combination of PUA or general unemployment fraud techniques. For the majority of the methods advertised, cybercriminals were expected to already be in possession of stolen PII or fullz to take advantage of the guides and be in a position to turn a profit. Fullz is a slang term for &quot;full information&quot; that criminals who steal PII use to refer to a set of information on a prospective fraud victim, generally including an individual's name, address, date of birth, Social Security and driver's license numbers, as well as the PII of family members and any other miscellaneous information available (such as criminal or employment records).</p><p>The same sellers of PUA fraud methods were very often willing to sell this information separately at additional cost. 
This demonstrates that financial success remains the underlying motivation, despite any attempts by the vendors to portray themselves as good Samaritans willing to assist fledgling criminals who may be new to this type of fraudulent activity.</p><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_8_1_84a393a3b1.png" alt="unemployment-fraud-in-criminal-underground-8-1.png"></p><p><em><strong>Figure 8</strong>: Underground forum member discussing how to apply for fraudulent claims in Washington and Massachusetts</em></p><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_9_1_8beb2a7450.png" alt="unemployment-fraud-in-criminal-underground-9-1.png"></p><p><em><strong>Figure 9</strong>: Underground member requesting a fake ID to commit Massachusetts unemployment fraud</em></p><h4 id="unemployment-fraud-targeting-and-attribution">Unemployment Fraud Targeting and Attribution</h4><p>In May 2020, researchers at the security firm Agari <a href="https://www.agari.com/email-security-blog/covid-19-unemployment-fraud-cares-act/" rel="noopener noreferrer" target="_blank">published</a> their findings regarding a Nigerian cybercriminal group tracked as Scattered Canary committing fraudulent unemployment and CARES Act claims throughout the U.S. The Scattered Canary cybercriminal group acts as a full-service business email compromise (BEC) operation that uses scams, such as email impersonation and phishing, to manipulate businesses into paying phony contracts and other fake invoices. Based on Agari's <a href="https://www.agari.com/email-security-blog/covid-19-unemployment-fraud-cares-act/" rel="noopener noreferrer" target="_blank">telemetry</a>, most of the targets were located in seven U.S. states: Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming. 
Threat actors associated with Scattered Canary were reported to have used a combination of prepaid cards to receive payments and mass-create email accounts:</p><ul><li><p>Overall, Scattered Canary <a href="https://www.agari.com/email-security-blog/covid-19-unemployment-fraud-cares-act/" rel="noopener noreferrer" target="_blank">used</a> at least 47 prepaid card accounts from Green Dot to receive the fraudulent payments. </p></li><li><p>Scattered Canary used Gmail <a href="https://www.agari.com/email-security-blog/covid-19-unemployment-fraud-cares-act/" rel="noopener noreferrer" target="_blank">accounts</a> to mass-create accounts on each target website. Because Google ignores periods when interpreting Gmail addresses, Scattered Canary is believed to have been able to create dozens of accounts on state unemployment websites and the IRS website dedicated to processing CARES Act payments for non-tax filers (freefilefillableforms[.]com). </p></li><li><p>Examples of the Gmail dot formatting structure used by Scattered Canary to send unemployment assistance phishing emails:</p><ul><li><p>badactor2021@gmail[.]com</p></li><li><p>badactor202.1@gmail[.]com</p></li><li><p>badactor202.21@gmail[.]com</p></li></ul></li><li><p>By using this tactic, Scattered Canary was able to scale their operations more efficiently by directing all communications to a single Gmail account. According to Agari, this removes the need to create and monitor a new email account for every account they create on a website, ultimately making transactions faster and more efficient.</p></li></ul><p>The targeting of state unemployment benefits was reported by Agari to be of interest to the group, which had specifically targeted Texas unemployment systems under nine identities as of May 2020. At this time, Recorded Future does not have further insight into how many of the fraudulent claims linked to Scattered Canary are being paid out by the individual states. 
However, a review of videos uploaded to messaging platforms selling state unemployment relief information did reveal a likely nexus to operators based in West Africa.</p><ul><li>One video uploaded to a fraud messaging platform revealed a likely member of the channel receiving a package from Samamiah (Shipping) Enterprise Limited, a shipping and delivery company that accepts goods for carriage (door-to-door) from the U.K. to Ghana. According to Agari, 10 percent of BEC fraud originated from Ghana between May 2019 and July 2020.</li></ul><p>Victim reports obtained by Recorded Future state that the requesters typically knew a target's name, SSN, and place of employment, but all the other data is static. In some scenarios reported to Recorded Future, requesters know the target's name, SSN, and place of employment, likely attempting to target executives or individuals of high net worth. This is a common <a href="https://www.agari.com/cyber-intelligence-research/whitepapers/scattered-canary.pdf" rel="noopener noreferrer" target="_blank">technique</a> within BEC campaigns orchestrated by threat entities like Scattered Canary, which was first identified by Agari as a result of the threat entity impersonating an executive at Agari in an email targeting their chief financial officer. </p><p>Fraudulent unemployment claims within the U.S. are widespread enough that they are unlikely to be coming from a single threat entity. Threat actors have likely become emboldened by open source reports of the monetary impact that fraudulent unemployment claims continue to have. </p><p>Though this reporting focuses specifically on unemployment fraud circulating within closed source reporting, some opportunistic actors with little regard for maintaining operational security have also been observed advertising on traditional social media platforms. 
The large volume of open source reporting on the subject of unemployment fraud activity and losses estimated to be in the millions has very likely contributed to the growing level of interest and motivation among underground threat actors.</p><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_10_1_2fd4b6f360.jpg" alt="unemployment-fraud-in-criminal-underground-10-1.jpg"></p><p><em><strong>Figure 10</strong>: Social media ad for unemployment methods/tutorials</em></p><p>This level of interest has been reflected in multiple statistics reported across both the state and local levels of government since the start of December 2020.</p><ul><li><p>A follow-up <a href="https://krebsonsecurity.com/2020/08/hacked-data-broker-accounts-fueled-phony-covid-loans-unemployment-claims/" rel="noopener noreferrer" target="_blank">investigation</a> by KrebsOnSecurity in August 2020 reconfirmed that a group of scammers was likely sharing highly detailed personal and financial records of Americans via a free email service. Another undisclosed source informed KrebsOnSecurity that they had been monitoring the group's communications for several weeks and sharing the information with U.S. state and federal authorities in a bid to disrupt their fraudulent activity. Similar to earlier reports on the scale of these unemployment fraud campaigns, the source said the threat group appears to consist of several hundred individuals who collectively have stolen tens of millions of dollars from U.S. state and federal treasuries via phony loan applications with the U.S. Small Business Administration (SBA) and through fraudulent unemployment insurance claims made against several U.S. states.</p></li><li><p>This nexus to phony loan applications filed with the U.S. 
SBA is noteworthy given that it overlaps with the techniques of Scattered Canary operations detailed by Agari in May 2020.</p></li><li><p>In a <a href="https://www.latimes.com/california/story/2020-12-07/bank-of-america-estimate-2-billion-california-unemployment-fraud?utm_source=sfmc_100035609&utm_medium=email&utm_campaign=News+Alert%3a+Bank+of+America+warns+of+possible+%242+billion+in+California+unemployment+fraud+-+00000176&utm_term=https%3a%2f%2fwww.latimes.com%2fcalifornia%2fstory%2f2020-12-07%2fbank-of-america-estimate-2-billion-california-unemployment-fraud&utm_id=18806&sfmc_id=1739545" rel="noopener noreferrer" target="_blank">warning</a> to state legislators in December 2020, Bank of America estimated that fraud in California's unemployment benefits system alone could now total $2 billion in losses. Bank of America stated they identified 640,000 accounts with suspicious activity that should be investigated to determine whether they are bogus and should be shut down.</p></li><li><p>The total number of members registered within underground channels devoted to unemployment fraud has been on the rise. One channel monitored by Recorded Future analysts had approximately 7,500 members at the beginning of November 2020. 
A month later, the total membership exceeded 18,000 members, with new messages uploaded by an administrator of the channel on a regular basis garnering several thousand views on average.</p></li></ul><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_11_1_33e98e4392.png" alt="unemployment-fraud-in-criminal-underground-11-1.png"></p><p><em><strong>Figure 11</strong>: States referenced in unemployment fraud ads in the underground since November 2020 (Source: Recorded Future)</em></p><h4 id="reliance-on-money-mules">Reliance on Money Mules</h4><p>Money mules likely remain a critical component of the unemployment fraud supply chain as evidenced by images uploaded by underground sellers of fraudulent unemployment methods and open source reports surrounding the arrests of suspected mules throughout 2020. The COVID-19 pandemic has forced reshipping mule operators to alter business strategies this year. A USSS advisory <a href="https://krebsonsecurity.com/2020/05/u-s-secret-service-massive-fraud-against-state-unemployment-insurance-programs/" rel="noopener noreferrer" target="_blank">reported</a> that the suspect fraud ring behind these filings already possessed a substantial PII database to submit the volume of applications observed earlier this year. Additionally, the USSS said the fraud network is believed to consist of hundreds of money mules. </p><p>Mules are essential for fraudsters who require a commodity to be physically moved from one place to another, or when fraudulent funds need to be moved between accounts. In money mule schemes, the scammers will also often recruit individuals to receive direct deposits from the fraudulent transactions, and then forward the bulk of the illicit funds to the perpetrators, keeping a percentage as payment for their efforts. 
The increased number of arrests around the country with a nexus to fraudulent unemployment relief claims has also provided clarity that multiple strings of fraudsters are likely operating independently with no direct nexus to any overseas operations.</p><ul><li><p>In September 2020, Attorney General (AG) Josh Shapiro of Pennsylvania (PA) <a href="https://local21news.com/news/local/ag-shapiro-to-announce-arrest-of-20-inmates-accomplices-involved-in-unemployment-fraud" rel="noopener noreferrer" target="_blank">announced</a> charges against 20 inmates and accomplices, charged with committing unemployment fraud in three state prisons in central and eastern Pennsylvania. The AG's office stated there were also six individual inmates arrested without any known links to a ring.</p></li><li><p>Posts from underground marketplace vendors observed as recently as October 2020 reveal that money mules likely play an integral part in assisting operations advertised on dark web sources.</p></li><li><p>On October 25, 2020, a member of the forum Omerta began advertising cash-out services for fraudulent unemployment claims in the U.S. The threat actor stated that their money mules (bank drops) can cash-out unemployment funds for a separately negotiated percentage of the bank transfer.</p></li></ul><p><img src="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_12_1_0d7745dc09.png" alt="unemployment-fraud-in-criminal-underground-12-1.png"></p><p><em><strong>Figure 12</strong>: Unemployment fraud 2020 arrest timeline (mainstream news sources) (Source: Recorded Future)</em></p><h3 id="mitigations">Mitigations</h3><p>A federal fraud investigator who <a href="https://krebsonsecurity.com/2020/05/u-s-secret-service-massive-fraud-against-state-unemployment-insurance-programs/" rel="noopener noreferrer" target="_blank">spoke</a> with KrebsOnSecurity in May 2020 on the condition of anonymity said many U.S. 
states do not have enough controls in place to detect patterns that might help better screen out fraudulent unemployment applications, such as looking for multiple applications involving the same IP addresses or bank accounts. The investigator went on to clarify that in some U.S. states, fraudsters need only to submit someone's name, SSN, and other basic information for their claims to be processed. The investigator is <a href="https://krebsonsecurity.com/2020/05/u-s-secret-service-massive-fraud-against-state-unemployment-insurance-programs/" rel="noopener noreferrer" target="_blank">reported</a> to have implied that the list of questions about a claimant's previous employer for authentication purposes, at some agencies, had diminished or been entirely eliminated as a result of the pandemic.</p><p>States have begun adopting their own individual measures to address the risk posed by this form of fraudulent activity. Representatives from states such as Massachusetts previously <a href="https://www.boston25news.com/news/health/state-warns-nationwide-unemployment-scam-targeting-mass-residents/TT3FOIDG2RFFRNTQRAMQU4IONM/" rel="noopener noreferrer" target="_blank">stated</a> that they had begun implementing additional identity verification measures that will temporarily delay the payment time frame for many unemployment claims. As a result of these measures, certain unemployment claimants may be asked to provide additional identity information in order to verify the validity of their claim.</p><p>Organizations that suspect their employees have fallen prey to unemployment fraud scams can do the following:</p><ul><li>Relay the information regarding this fraud to the appropriate office at your local state level and USSS field office. 
The USSS has also encouraged victims to continue to liaise with local financial institutions to identify mules and potential seizures.</li><li>Use features in monitoring software or applications that are capable of flagging potential spam or scams for in-app payments and that send text messages to users when suspected fraud is detected. Flagging potential criminal activity using tools and data sets to verify the identity of a claimant can help stop fraudulent activity before it begins.</li></ul><h3 id="outlook">Outlook</h3><p>In a number of cases, the most important component for unemployment or insurance claim fraud is access to victim PII. This type of information can be accessed and purchased on a number of dark web marketplaces, shops, and forums for fairly low prices by anyone with enough knowledge to set up an account on underground sources. It is difficult for us to determine which of these fraud types are being carried out with the greatest frequency based on available data. However, scam activities that depend on PII will likely continue to spike following the release of some larger data dumps, especially any that are widely publicized and easily accessible.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/unemployment_fraud_in_criminal_underground_07b3cb0afb.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Chinese State Media Seeks to Influence International Perceptions of COVID-19 Pandemic]]></title>
            <link>https://www.recordedfuture.com/covid-19-chinese-media-influence</link>
            <guid>https://www.recordedfuture.com/covid-19-chinese-media-influence</guid>
            <pubDate>Mon, 30 Mar 2020 00:00:00 GMT</pubDate>
            <description><![CDATA[Recorded Future analyzed data from several Western social media platforms from January 1 to March 9, 2020 to determine how the Chinese state exploits social media to influence Western public perceptions of the coronavirus disease 2019 (COVID-19) outbreak. This report details those techniques and campaigns using data acquired from the Recorded Future® Platform, social media sites, and other OSINT techniques. This report will be of most value to government departments, geopolitical scholars and researchers, and all users of social media.]]></description>
<content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/Primary_Logo_Insikt_Digital_RGB_45f99b2dc9.png" alt="Primary Logo - Insikt - Digital (RGB).png"></p><p><em><a href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0330.pdf" rel="noopener noreferrer" target="_blank">Click here</a> to download the complete analysis as a PDF.</em></p><p><em>Recorded Future analyzed data from several Western social media platforms from January 1 to March 9, 2020 to determine how the Chinese state exploits social media to influence Western public perceptions of the coronavirus disease 2019 (COVID-19) outbreak. This report details those techniques and campaigns using data acquired from the Recorded Future Platform, social media sites, and other OSINT techniques. This report will be of most value to government departments, geopolitical scholars and researchers, and all users of social media.</em></p><h3 id="executive-summary">Executive Summary</h3><p>Over the course of 2019, we published <a href="https://www.recordedfuture.com/china-social-media-operations/">research</a> on Chinese English-language social media influence operations, which revealed that they are seeded by state-run media and that they generally present a positive, benign, and cooperative image of China. This research examines Chinese influence attempts during the novel coronavirus, known as the coronavirus disease 2019 (COVID-19) outbreak, and is an effort to characterize Chinese state-run media's attempts to influence Western public perceptions of the pandemic.</p><p>Chinese overt messaging around COVID-19 has evolved over the course of this pandemic. Insikt Group's research has identified two distinct phases of Chinese overt messaging. The first, from January 9 through February 10, consisted of an initially informative public response that followed the progression of the outbreak. 
The second, from February 11 to the present, was characterized by three shifts in emphasis: shifting the blame for the pandemic away from the Chinese government, highlighting the prominence of Xi Jinping as the leader of an effective response, and shifting from China as the source of the pandemic to China as a global leader in its response.</p><h3 id="key-judgments">Key Judgments</h3><ul><li>We assess that the effort we see today to <a href="http://www.xinhuanet.com/english/2020-03/17/c_138887577.htm" rel="noopener noreferrer" target="_blank">cast doubt on the origin of COVID-19</a> and <a href="https://twitter.com/zlj517/status/1238306822957588480" rel="noopener noreferrer" target="_blank">shift the blame away from China</a> began in mid-February with the transition away from the use of Wuhan-specific hashtags in COVID-19 posts.</li><li>Chinese overt influence accounts did not address the COVID-19 crisis until January 9, 2020. This was nine days after the Wuhan Health Commission declared the outbreak, yet <a href="http://chinamediaproject.org/2020/01/30/too-busy-for-an-epidemic/" rel="noopener noreferrer" target="_blank">11 days before national-level state media</a> would acknowledge the crisis domestically on January 21.</li><li>Sentiment and content analysis revealed that Chinese state-run influence accounts waged a broadly positive messaging campaign on Western social media. However, messaging surrounding COVID-19 was starkly more negative than around campaigns we have previously studied.</li><li>Contrary to other English-language social media campaigns that we have tracked, the numbers of positive and negative sentiment posts were nearly the same. Additionally, as the number of both negative and positive posts increased, the strength of the negative and positive sentiment did as well. 
Comparatively, we assess that this COVID-19 campaign was far more negative than prior Western-focused influence operations run by China.</li></ul><h3 id="background">Background</h3><p>According to the World Health Organization, the novel coronavirus, known as coronavirus disease 2019 (COVID-19), was first <a href="https://www.who.int/emergencies/diseases/novel-coronavirus-2019" rel="noopener noreferrer" target="_blank">reported</a> as originating from Wuhan, China on December 31, 2019. COVID-19 is a viral, respiratory disease that has spread throughout the world, causing fear and panic as the outbreak progresses. To date, hundreds of thousands of people have been <a href="https://www.arcgis.com/apps/opsdashboard/index.html#/bda7594740fd40299423467b48e9ecf6" rel="noopener noreferrer" target="_blank">infected</a> across the world, and tens of thousands have died.</p><p>Insikt Group conducted a retrospective analysis of numerous accessible, non-Chinese language social media posts from accounts run by Chinese state-run media organizations and associated foreign influence accounts on Western social media platforms. The data set includes posts from several social media platforms from January 1 through March 9, 2020 that included terminology related to COVID-19. There were no mentions of COVID-19 among Chinese overt influence accounts prior to January 9, 2020.</p><h3 id="analysis">Analysis</h3><p>As of March 9, 2020, Chinese overt influence accounts had published over 32,000 posts related to COVID-19 on several Western social media platforms. Nearly half of all posts from Chinese overt influence accounts since January 9 mention coronavirus or COVID-19. 
</p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_1_1_41e7717e42.png" alt="covid-19-chinese-media-influence-1-1.png"></p><p>The progression of Chinese overt influence account messaging around the COVID-19 outbreak on Western social media platforms.</p><p>Chinese overt influence accounts first addressed COVID-19, then known as the previously unidentified pneumonia outbreak, on January 9. This was the same day that the World Health Organization (WHO) <a href="https://www.who.int/china/news/detail/09-01-2020-who-statement-regarding-cluster-of-pneumonia-cases-in-wuhan-china" rel="noopener noreferrer" target="_blank">announced</a> that Chinese authorities had determined the illness was a novel coronavirus. The WHO announcement included several complimentary statements about China's healthcare system and ability to respond to outbreaks, as well as an assurance that the virus does not transmit readily between people.<sup>1</sup> Several state-run influence accounts, including the People's Daily, CGTN, Global Times, and China Daily, all posted their first social media content concerning the outbreak on the morning of January 9 (GMT).</p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_2_1_a9488d232c.png" alt="covid-19-chinese-media-influence-2-1.png"></p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_3_1_313d791df4.png" alt="covid-19-chinese-media-influence-3-1.png"></p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_4_1_e9fb9939f8.png" alt="covid-19-chinese-media-influence-4-1.png"></p><p>Examples of the first posts addressing COVID-19 posted by Chinese state-run influence accounts.</p><p>Over the course of the first five days of messaging, Chinese overt influence accounts repeatedly emphasized two points: First, that China was being transparent and helpful to the international community, and second, that the spread of the 
virus to new areas was limited.</p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_5_1_60b0586465.png" alt="covid-19-chinese-media-influence-5-1.png"></p><p>An example post from a Chinese state-run influence account addressing COVID-19.</p><p>As January progressed, Chinese overt influence accounts continued to minimize the outbreak and the potential for human-to-human transmission despite the confirmation on January 20 <a href="https://www.globaltimes.cn/content/1177510.shtml" rel="noopener noreferrer" target="_blank">by Chinese officials</a> that it was occurring.</p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_6_1_8fe2e1e3ad.png" alt="covid-19-chinese-media-influence-6-1.png"></p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_7_1_5a503d2682.png" alt="covid-19-chinese-media-influence-7-1.png"></p><p>Examples of posts addressing COVID-19 posted by Chinese state-run influence accounts.</p><p>Further, China's role in containing the virus and working with the international community continued to feature prominently in social media messaging. This included posts on the Chinese government setting up resources to share information on the virus, Chinese cooperation with the WHO, and Chinese companies increasing production of medical supplies.</p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_8_1_68f80b47c2.png" alt="covid-19-chinese-media-influence-8-1.png"></p><p>An example of a post by a Chinese state-run influence account addressing how Chinese companies were responding to COVID-19.</p><p>By late January, the volume of posts concerning COVID-19 by Chinese overt influence accounts operating on Western social media spiked dramatically. 
Themes of the posts emphasized economic and price stability, the everyday heroism of nurses and doctors working the epidemic, and China's transparent and positive role in addressing the crisis. </p><p>By early February, as the disease <a href="https://www.bbc.com/news/world-asia-51381594" rel="noopener noreferrer" target="_blank">spread to cruise ships</a> and the number of deaths increased, the messaging from overt influence accounts began to shift. The efforts of the government and Xi Jinping were highlighted with greater frequency, and overt influence accounts amplified statements of corporate support for Chinese government efforts. </p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_9_1_3c50e4572a.png" alt="covid-19-chinese-media-influence-9-1.png"></p><p>An example of a post addressing COVID-19 from Chinese state-run influence accounts.</p><p>Among the top 20 hashtags used by Chinese overt influence accounts through mid-February, only two, #Shanghai and #XiJinping, were not related to the COVID-19 crisis. Shanghai-focused posts highlighted public health measures and indicators of economic stability, while Xi Jinping-focused posts spotlighted his domestic and international leadership.</p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_10_1_6c3c489ebc.png" alt="covid-19-chinese-media-influence-10-1.png"></p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_11_1_1c43011351.png" alt="covid-19-chinese-media-influence-11-1.png"></p><p>Examples of posts addressing COVID-19 from Chinese state-run influence accounts.</p><p>By late February and early March, overt influence account messaging shifted again, with the following themes remaining consistent:</p><ul><li>China has successfully managed the outbreak and its response should be the model for containing the spread of the virus in other countries. 
Some sub-themes of this message include: (1) China has a better system of governance, which enabled it to respond better and faster than the West; and (2) now that China's outbreak is over, it is China's turn to help the world (China as a good global citizen).</li><li>The West is using COVID-19 as an excuse and a tool to contain China's rise.</li><li>The origins of COVID-19 are unclear and the Chinese government is not at fault.</li></ul><p>In the early days of the outbreak, Chinese overt influence accounts used several hashtags to post about COVID-19. The top hashtags used to describe the virus in January and early February included:</p><ul><li>#wuhancoronavirus</li><li>#wuhanpneumonia</li><li>#coronavirusoutbreak</li><li>Combinations of #wuhan, #coronavirus, and #novelcoronavirus</li></ul><p>By February 11, all Chinese overt influence accounts had stopped using the #wuhancoronavirus and #wuhanpneumonia hashtags completely, replacing them with #covid19 and #coronavirus. At this point, the accounts also started to address both real and perceived misinformation around the origin of the virus and its global and financial impacts.</p><p>For example, in late February, overt influence accounts tried to <a href="https://www.globaltimes.cn/content/1180037.shtml" rel="noopener noreferrer" target="_blank">disprove the theory</a> that the Wuhan Institute of Virology was the original source of the COVID-19 virus. </p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_12_1_c257b52f9f.png" alt="covid-19-chinese-media-influence-12-1.png"></p><p>An example of a post from Chinese state-run influence accounts addressing the actions taken by the Wuhan Institute of Virology.</p><p>Simultaneously, accounts began to post content decrying the politicization of the pandemic and the blame many nations were placing on China. 
We assess that these posts in February were the beginning of the effort we see today to <a href="http://www.xinhuanet.com/english/2020-03/17/c_138887577.htm" rel="noopener noreferrer" target="_blank">cast doubt</a> on the origin of COVID-19 and shift the blame away from China by promoting <a href="https://twitter.com/SecPompeo/status/1238337488856506369" rel="noopener noreferrer" target="_blank">conflicts over virus</a> <a href="https://bitterwinter.org/de-sinicizing-the-virus-how-ccp-propaganda-is-rewriting-history/" rel="noopener noreferrer" target="_blank">naming conventions</a>.</p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_13_1_5f808a53ef.png" alt="covid-19-chinese-media-influence-13-1.png"></p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_14_1_d8b484e63e.png" alt="covid-19-chinese-media-influence-14-1.png"></p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_15_1_6fcf5e440f.png" alt="covid-19-chinese-media-influence-15-1.png"></p><p>Examples of posts from Chinese state-run influence accounts shifting attention away from China.</p><h3 id="sentiment-analysis">Sentiment Analysis</h3><p>Insikt Group also conducted a sentiment analysis of Chinese overt messaging on COVID-19 during this time period. Sentiment analysis assigns a numeric value to a message based on a set of established lexical rules. These rules group certain words, phrases, word placements, punctuation, and other vagaries of human speech into sets, and messages are then scored based on these inputs. </p><p>Recorded Future's proprietary sentiment analysis assigns a score to each message based on the strength of sentiment within the message. 
On a scale from zero to one, a message with a strongly positive sentiment would yield a higher number on the positive sentiment metric (.675, for example), and a message with a strongly negative sentiment would yield a higher number on the negative sentiment metric (again, .675, for example).</p><p>Below are two examples: first, content that was scored as highly positive, and second, content that was scored as highly negative.</p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_16_1_a4c1101c62.png" alt="covid-19-chinese-media-influence-16-1.png"></p><p>Example of a post that was scored as highly positive.</p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_17_1_7b46ae2885.png" alt="covid-19-chinese-media-influence-17-1.png"></p><p>Example of a post that was scored as highly negative.</p><p>Over the course of the messaging campaign surrounding COVID-19, Chinese overt influence accounts projected an overall positive message. Contrary to other English-language social media campaigns that we have tracked, the numbers of positive and negative sentiment posts were nearly the same: there were only 6% more positive sentiment posts than negative sentiment ones through March 9. Over that time frame, as the number of both negative and positive posts increased, the strength of the negative and positive sentiment did as well. </p><p><img src="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_18_1_caa269c14e.png" alt="covid-19-chinese-media-influence-18-1.png"></p><p>The progression of Chinese overt influence account messaging sentiment around the COVID-19 outbreak on Western social media platforms.</p><h3 id="outlook">Outlook</h3><p>This research examines Chinese state-run influence attempts during a critical period for Chinese leadership. 
It is an effort to characterize how Chinese state-run media is attempting to influence Western public perceptions of one timely issue: the COVID-19 pandemic. </p><p>To date, Chinese overt messaging around COVID-19 has evolved over the course of this pandemic. Insikt Group's research has identified two distinct phases of Chinese overt messaging. The first, from January 9 through February 10, was the initial, largely informative public response. We believe that during this period, Chinese Communist Party censors and propagandists had not yet communicated coordinated guidelines for foreign messaging by state-run media. </p><p>The second, from February 11 to the present, is characterized by shifts: shifting the blame for the pandemic away from the government, shifting the prominence of Xi Jinping as the leader of the effective response, and shifting China from the source of the pandemic to a global leader in its response.</p><p>We believe it is important to continue to research Chinese influence operations on Western social media platforms for purposes of fact checking, countering blatantly false or misleading information, and gaining a greater understanding of how the Chinese Communist Party and government react in a public emergency. Our series of research pieces on this topic, as well as the work of others, has illuminated a general pattern in Chinese leadership crisis messaging on Western social media platforms. This pattern indicates that in the early days of a crisis, social media posts from state-run organizations are likely at their most transparent and accurate. 
The utility of these social media posts is high at first, as they give early insight into a crisis, but degrades over time as the propaganda machine kicks in to influence the message being sent abroad.</p><h4 id="footnotes">Footnotes</h4><p><sup>1</sup>This assertion has since been disputed, and the CDC states that COVID-19 seems to be spreading easily and sustainably in the community.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/covid_19_chinese_media_influence_b97adf75ff.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Combating the Underground Economy's Automation Revolution]]></title>
            <link>https://www.recordedfuture.com/underground-economy-automation</link>
            <guid>https://www.recordedfuture.com/underground-economy-automation</guid>
            <pubDate>Tue, 24 Mar 2020 00:00:00 GMT</pubDate>
            <description><![CDATA[Automation has become an essential part of nearly every industry, and nowhere is this more true than in cybersecurity. But unfortunately, the benefits of automation are equally available to criminal enterprises and defenders alike. ]]></description>
            <content:encoded><![CDATA[<p>Automation has become an essential part of nearly every industry, and nowhere is this more true than in cybersecurity. But unfortunately, the benefits of automation are equally available to criminal enterprises and defenders alike. So while the criminal underground has created an ecosystem of tools and resources to operationalize and monetize campaigns, SOAR (security orchestration, automation, and response) platforms can be used to tip the balance back in a defender's favor by automating defensive intelligence feeds and combining them with automated detection and prevention.</p><p><a href="https://go.recordedfuture.com/automation-report" rel="noopener noreferrer" target="_blank">Research by Recorded Future's Insikt Group</a> explored the tools and services used by threat actors to automate tasks associated with malicious campaigns and the mitigation strategies available through SOAR and threat intelligence solutions. </p><p><img src="https://cms.recordedfuture.com/uploads/underground_economy_automation_1_1_6f5c2e910d.gif" alt="underground-economy-automation-1-1.gif"></p><p>Cyberattacks frequently start with a compromised network or a database of credentials: threat actors obtain unauthorized access to a network and then sell the credentials on underground forums. 
This access can be used for privilege escalation within the network, business email compromise, ransomware, and other types of attacks.</p><p>Mitigation strategies include:</p><ul><li>Keeping all software and applications up to date</li><li>Filtering emails for spam and scrutinizing links and attachments</li><li>Making regular backups of systems, and storing them offline</li><li>Compartmentalizing company-sensitive data</li><li>Instituting role-based access</li><li>Applying data encryption standards</li></ul><p><img src="https://cms.recordedfuture.com/uploads/underground_economy_automation_2_2_b35c0eba74.gif" alt="underground-economy-automation-2-2.gif"></p><p>Attackers with credentials obtained from data breaches then leverage checkers and brute-forcers to direct large-scale automated login requests, either to determine which victim credentials are still valid or to gain unauthorized access to thousands of accounts through a credential stuffing attack.</p><p>Mitigation strategies include:</p><ul><li>Using unique passwords for accounts, in addition to a password manager</li><li>Requiring additional details for login (e.g., CAPTCHA) or requiring multi-factor authentication (MFA)</li><li>Establishing customized web application firewalls</li><li>Slowing down or rate limiting login traffic</li><li>Removing unused public-facing logins</li><li>Baselining traffic and network requests to monitor for unexpected traffic</li></ul><p><img src="https://cms.recordedfuture.com/uploads/underground_economy_automation_3_1_0549c109d9.gif" alt="underground-economy-automation-3-1.gif"></p><p>Threat actors also apply loaders and crypters to elude detection by endpoint security products, such as antivirus, and then download and execute one or more malicious payloads, such as malware. 
</p><p>Mitigation strategies include:</p><ul><li>Updating antivirus software regularly</li><li>Implementing additional response and detection controls beyond antivirus to detect malicious payloads</li><li>Training and educating individuals on phishing and associated risks</li></ul><p><img src="https://cms.recordedfuture.com/uploads/underground_economy_automation_4_1_874367c675.gif" alt="underground-economy-automation-4-1.gif"></p><p>Stealers and keyloggers are used to exfiltrate sensitive information from victims, including credentials, PII, and payment card information, and to install secondary payloads onto victims' systems.</p><p>Mitigation strategies include:</p><ul><li>Investing in solutions offering patch posture reporting</li><li>Configuring network defense mechanisms to alert on malicious activity on devices</li><li>Monitoring for suspicious changes to file drives and registries</li></ul><p><img src="https://cms.recordedfuture.com/uploads/underground_economy_automation_5_1_314960155e.gif" alt="underground-economy-automation-5-1.gif"></p><p>Rather than writing their own scripts, threat actors can easily obtain banking injects, which are widely published, popular, and powerful tools for performing fraud. Fake overlays or modules are used with banking trojans to inject HTML or JavaScript code that collects sensitive information before redirecting the victim to the legitimate website. 
</p><p>Mitigation strategies include:</p><ul><li>Keeping software and applications up to date</li><li>Installing antivirus solutions, scheduling updates, and monitoring the antivirus status on all equipment</li><li>Enabling MFA via SMS authenticator applications</li><li>Using only HTTPS connections</li><li>Educating employees and conducting training sessions</li><li>Deploying spam and web filters</li><li>Encrypting all sensitive company information</li><li>Disabling HTML or converting HTML email into text-only email</li></ul><p><img src="https://cms.recordedfuture.com/uploads/underground_economy_automation_6_1_51714d4005.gif" alt="underground-economy-automation-6-1.gif"></p><p>Exploit kits automate the exploitation of web browser vulnerabilities to maximize the number of successful infections, delivering malicious payloads such as trojans, loaders, ransomware, and other malicious software. </p><p>Mitigation strategies include:</p><ul><li>Prioritizing the patching of Microsoft products and older vulnerabilities in the technology stack</li><li>Ensuring that Adobe Flash Player is automatically disabled in browser settings</li><li>Conducting and maintaining phishing security awareness</li></ul><p><img src="https://cms.recordedfuture.com/uploads/underground_economy_automation_7_1_17f661b347.gif" alt="underground-economy-automation-7-1.gif"></p><p>Threat actors leverage spamming and phishing services to conduct email campaigns that give them access to hundreds of thousands of victims to deploy malware or gain further access into a network. 
</p><p>Mitigation strategies include:</p><ul><li>Refraining from publishing your email address online or replying to spam messages</li><li>Downloading additional spam filtering tools and antivirus software</li><li>Avoiding using personal or business email addresses when registering online</li><li>Developing a password security policy</li><li>Requiring encryption for all employees</li><li>Educating employees and conducting training sessions</li></ul><p><img src="https://cms.recordedfuture.com/uploads/underground_economy_automation_8_1_e311dd7807.gif" alt="underground-economy-automation-8-1.gif"></p><p>To extend the longevity of their criminal actions, threat actors leverage proxy and bulletproof hosting services (BPHS) to obfuscate their activities. BPHS provide secure hosting for malicious content and activity, as well as anonymity, by relying on a model that promises not to comply with legal requests that would disrupt operations or result in arrests.</p><p>Mitigation strategies include:</p><ul><li>Leveraging threat intelligence platforms, like Recorded Future, to assist in the monitoring of malicious service providers</li><li>Blacklisting servers affiliated with known-malicious BPHSs</li></ul><p><img src="https://cms.recordedfuture.com/uploads/underground_economy_automation_9_1_141ff48f8c.gif" alt="underground-economy-automation-9-1.gif"></p><p>In the underground economy, sniffers are a type of malware written in JavaScript that is designed to infiltrate the checkout pages of e-commerce websites and steal card-not-present (CNP) data.</p><p>Mitigation strategies include:</p><ul><li>Performing regular audits of a website to identify suspicious scripts or network behavior</li><li>Preventing non-essential, externally loaded scripts from loading on checkout pages</li><li>Evaluating third-party plugins on an e-commerce website and monitoring for changes in their code or behavior</li></ul><p><img 
src="https://cms.recordedfuture.com/uploads/underground_economy_automation_10_1_8b83976edd.gif" alt="underground-economy-automation-10-1.gif"></p><p>In order to monetize the content they have acquired, threat actors sell stolen data in online credit card shops, account shops, and marketplaces. Money is made through the buying and selling of credentials for bank accounts, cell phone accounts, online store accounts, dating accounts, and even digital fingerprints of compromised systems to facilitate further breaches. </p><p>Mitigation strategies include:</p><ul><li>Monitoring shops and marketplaces for accounts relevant to your enterprise</li><li>Acting on spikes in the number of accounts available in shops</li><li>Paying attention to credentials for non-public facing domains</li><li>Enabling MFA via SMS authenticator applications</li></ul><p>For more information on the 10 types of tools and services currently used by threat actors to automate tasks, and suggested mitigations for defenders to implement, check out the full report by Recorded Future's Insikt Group, <a href="https://go.recordedfuture.com/automation-report" rel="noopener noreferrer" target="_blank">Automation and Commoditization in the Underground Economy</a>.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/underground_economy_automation_32df24375d.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[The Price of Influence: Disinformation in the Private Sector]]></title>
            <link>https://www.recordedfuture.com/disinformation-service-campaigns</link>
            <guid>https://www.recordedfuture.com/disinformation-service-campaigns</guid>
            <pubDate>Mon, 30 Sep 2019 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group analyzed threat actors offering disinformation as a service on underground forums to understand how disinformation is used by cybercriminals.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/Primary_Logo_Insikt_Digital_RGB_45f99b2dc9.png" alt="Primary Logo - Insikt - Digital (RGB).png"></p><p><a href="https://go.recordedfuture.com/hubfs/reports/cta-2019-0930.pdf" rel="noopener noreferrer" target="_blank">Click here</a> to download the complete analysis as a PDF.</p><p><em>Insikt Group used the Recorded Future Platform, proprietary sources, and underground forum analysis to provide deeper insight into the operations of two of the more 
sophisticated disinformation vendors on Russian-speaking underground forums. To test the operational capabilities of these vendors, Insikt Group engaged with one threat actor to generate positive disinformation and the other for negative disinformation, both directed at a fictitious company we created.</em></p><p><em>This report will be of interest to private, public, and political organizations concerned with disinformation campaigns, as well as those interested in how threat actors create and distribute disinformation content throughout the internet.</em></p><p><em><strong>Editor's Note</strong>: In order to protect Recorded Future sources and operations, this report will use pseudonyms for all involved parties, identifying the threat actors involved with the code names Raskolnikov and Doctor Zhivago, while the fictitious company involved will be identified as Tyrell Corporation for the purposes of this report.</em></p><h3>Executive Summary</h3><p>Insikt Group analyzed the operations of two threat actors who were offering disinformation as a service on Russian-speaking underground forums in order to understand the business model of how disinformation is used by cybercriminals, as opposed to nation-states. To do so, we created a fictitious company and commissioned two different threat actors to generate intentionally false narratives across the web.</p><p>One threat actor created propaganda in the form of positive PR to make our company seem appealing, while the other generated malicious material accusing that same company of unethical business practices. 
In the end, we were able to launch both campaigns in less than a month for only a few thousand dollars.</p><h3>Key Judgments</h3><ul><li>Disinformation services are publicly available on underground criminal forums and are run by criminal threat actors and nation-states.</li><li>Disinformation services are highly customizable in scope, costing anywhere from several hundred dollars to hundreds of thousands of dollars or more, depending on the client's needs.</li><li>Disinformation service providers have the ability to publish articles in media sources ranging from dubious websites to more reputable news outlets.</li><li>Disinformation service providers have the ability to create and maintain social media accounts in bulk and use a combination of both established and new accounts to propagate content without triggering content moderation controls.</li></ul><p><img src="https://cms.recordedfuture.com/uploads/disinformation_service_campaigns_1_1_326d77b88b.jpg" alt="disinformation-service-campaigns-1-1.jpg"></p><h3>Threat Analysis</h3><p>Disinformation has been a tactic used in information warfare commonly associated with the statecraft of the Soviet Union throughout the Cold War. Disinformation, or <em>dezinformatsiya</em>, is defined by the Great Soviet Encyclopedia as false information with the intention to deceive public opinion. The term was coined by Joseph Stalin, and even the word itself was a form of disinformation; according to Soviet defector Ion Mihai Pacepa, Stalin deliberately gave it a French-sounding name in order to claim that both the term and the tactic originated in Western Europe and were a tool used by the Capitalist Imperialists to destroy Communism and the workers' paradise.</p><p>Disinformation operations have existed throughout history and have been used by kings, dictators, and governments throughout the world. Octavian wielded propaganda to destroy the reputation of Mark Antony during the last of the Roman civil wars. 
The Soviet Union launched a multitude of campaigns slandering Pope Pius XII as "Hitler's Pope" and distributed copies of the antisemitic Protocols of the Elders of Zion throughout Islamic regions of the world to foster religious tensions.<sup>1</sup> In another campaign, the USSR spread a conspiracy theory via Indian news outlets that the United States had developed the AIDS virus in a laboratory as a biological weapon.<sup>2</sup> The Reich Ministry of Propaganda and Public Enlightenment, headed by Joseph Goebbels in Nazi Germany, spread propaganda throughout Germany and its occupied territories. <a href="https://www.justice.gov/file/1035477/download" rel="noopener noreferrer" target="_blank">Recent disinformation campaigns</a> include attacks against the 2016 and 2018 U.S. elections by the Russian intelligence services, including the GRU and SVR, along with Kremlin-backed media sites RT and Sputnik News.</p><p>While in recent years there has been an increased focus on state-sponsored disinformation campaigns, Recorded Future identified that there is also a private-sector market for disinformation and threat actors who are ready to provide the services to those who are willing to pay. In particular, Recorded Future analysts have identified established threat actors operating in Russian-speaking underground forums offering these services. There, Insikt Group discovered two threat actors advertising such services. For the sake of this report, we will refer to them as Doctor Zhivago and Raskolnikov. To put their skills to the test, we decided to create a fictitious company located in a Western country to use as our target. We will refer to this company as Tyrell Corporation. </p><p>We wanted to investigate both aspects of the disinformation spectrum, so we hired Raskolnikov to market Tyrell Corporation with positive PR, and Doctor Zhivago to do the opposite. 
In Doctor Zhivago's case, they proposed spreading invented stories of misconduct and poor business practices to damage the reputation of Tyrell Corporation. In the end, both Raskolnikov and Doctor Zhivago delivered on their promises, and Insikt Group discovered that disinformation campaigns, even against a Western company using Western media, could be launched in a timely and affordable manner.</p><p>Launching a disinformation campaign was a simple process, and both Raskolnikov and Doctor Zhivago were very informative and helpful. Their services were advertised on popular Russian-language underground forums, where they listed their Jabber and Telegram handles for all to see. Both actors had pricing models showing the cost of content generation so you could budget out your disinformation campaign. Doctor Zhivago's services were priced very specifically, as seen below:</p><ul><li>$15 for an article up to 1,000 characters</li><li>$8 for social media posts and commentary up to 1,000 characters</li><li>$10 for Russian to English translation up to 1,800 characters</li><li>$25 for other language translation up to 2,000 characters</li><li>$1,500 for SEO services to further promote social media posts and traditional media articles, with a time frame of 10 to 15 days</li></ul><p>Raskolnikov, on the other hand, had less specific pricing:</p><ul><li>$150 for Facebook and other social media accounts and content</li><li>$200 for LinkedIn accounts and content</li><li>$350 to $550 per month for social media marketing</li><li>$45 for an article up to 1,000 characters</li><li>$65 to contact a media source directly to spread material</li><li>$100 per 10 comments for a given article or news story</li></ul><p>We contacted Raskolnikov claiming to be a business owner who needed some media attention for their new company: Tyrell Corporation. 
Shortly thereafter, we used a different alias to contact Doctor Zhivago, claiming to have a personal grudge against the Tyrell Corporation, with which we competed, and needing Doctor Zhivago's services accordingly. </p><p>Both Raskolnikov and Doctor Zhivago were true salespeople. They patiently answered question after question about what they would do and how they would do it, even providing samples of what they had done in previous operations. After our objectives were agreed upon and payment was made, first our positive and then our negative disinformation campaigns were launched targeting the Tyrell Corporation. In all, the process took less than a month.</p><p>Raskolnikov created accounts for Tyrell Corporation on several social media platforms and gathered a following of over 100 users for each account on various platforms. The profiles generally appeared authentic, using images and names of managers from Tyrell Corporation's website. At this time, we are unsure how many of the followers were trolls or bots, but we did see what appeared to be comments from real people asking questions about the company. This led us to believe that it was probably a combination of both: bots, or trolls, spreading disinformation content that was picked up by real users. There is really nothing suspicious about the Tyrell Corporation's social media accounts aside from its being a new company.</p><p>The next step was publishing articles in the media. Raskolnikov informed us that we could essentially publish as many articles praising our new company as we wanted, so we chose to start with two. Raskolnikov wrote up two separate articles with essentially identical content, and sent them to us for review before publication. The articles were generic, announcing our new, wonderful company, Tyrell Corporation, to the world, and why we were better than the rest. 
However, the writing was not at the level of a native English speaker, and we had Raskolnikov rewrite the articles multiple times until we felt the language could pass for a genuine article in an English-language media outlet.</p><p>Raskolnikov provided the following price list for publications where articles could allegedly be published for a U.K.-based disinformation promotion campaign:</p><table><tbody><tr><th>Number</th><th>Source</th><th>Price</th></tr><tr><td>1</td><td>cheapautoinsuranceee[.]com</td><td>$180.00</td></tr><tr><td>2</td><td>taftcollege[.]org</td><td>$180.00</td></tr><tr><td>3</td><td>loan-st[.]com</td><td>$200.00</td></tr><tr><td>4</td><td>marketingwithmiles[.]com</td><td>$220.00</td></tr><tr><td>5</td><td>entrepreneurshiplife[.]com</td><td>$250.00</td></tr><tr><td>6</td><td>traveltweaks[.]com</td><td>$250.00</td></tr><tr><td>7</td><td>bluntmoney[.]com</td><td>$250.00</td></tr><tr><td>8</td><td>lovebelfast[.]co[.]uk</td><td>$250.00</td></tr><tr><td>9</td><td>housingpedia[.]com</td><td>$250.00</td></tr><tr><td>10</td><td>makemoneysaving[.]com</td><td>$250.00</td></tr><tr><td>11</td><td>herjobs[.]com</td><td>$250.00</td></tr><tr><td>12</td><td>brussels[.]com</td><td>$500.00</td></tr><tr><td>13</td><td>savingadvice[.]com</td><td>$630.00</td></tr><tr><td>14</td><td>seethru[.]co[.]uk</td><td>$600.00</td></tr><tr><td>15</td><td>aboutmanchester[.]co[.]uk</td><td>$600.00</td></tr><tr><td>16</td><td>abcmoney[.]co[.]uk</td><td>$600.00</td></tr><tr><td>17</td><td>calculator[.]co[.]uk</td><td>$600.00</td></tr><tr><td>18</td><td>filmoria[.]co[.]uk</td><td>$600.00</td></tr><tr><td>19</td><td>flatpackhouses[.]co[.]uk</td><td>$600.00</td></tr><tr><td>20</td><td>newstoday[.]co[.]uk</td><td>$600.00</td></tr><tr><td>21</td><td>soundItout[.]co[.]uk</td><td>$600.00</td></tr><tr><td>22</td><td>teamtalk[.]com</td><td>$448.18</td></tr><tr><td>23</td><td>sundaypost[.]com</td><td>$567.43</td></tr><tr><td>24</td><td>glassofbubbly[.]com</td><td>$445.00</td></tr><tr><td>25</td><td>breakingtravelnews[.]com</td><td>$500.00</td></tr><tr><td>26</td><td>ninetyminutesonline[.]com</td><td>$505.00</td></tr><tr><td>27</td><td>stories.swns[.]com</td><td>$508.75</td></tr><tr><td>28</td><td>angliya[.]com</td><td>$791.25</td></tr><tr><td>29</td><td>thefintechtimes[.]com</td><td>$810.00</td></tr><tr><td>30</td><td>eatsleepsport[.]com</td><td>$713.75</td></tr><tr><td>31</td><td>trustedreviews[.]com</td><td>$8,405.30</td></tr><tr><td>32</td><td>dezeen[.]com</td><td>$3,416.37</td></tr><tr><td>33</td><td>order-order[.]com</td><td>$1,928.34</td></tr><tr><td>34</td><td>thecourier[.]co[.]uk</td><td>$1,021.50</td></tr><tr><td>35</td><td>eveningexpress[.]co[.]uk</td><td>$832.14</td></tr><tr><td>36</td><td>wallpaper[.]com</td><td>$8,404.80</td></tr><tr><td>37</td><td>eveningtimes[.]co[.]uk</td><td>$1,260.00</td></tr><tr><td>38</td><td>londonist[.]com</td><td>$3,469.60</td></tr><tr><td>39</td><td>worldtravelguide[.]net</td><td>$2,081.60</td></tr><tr><td>40</td><td>thelondoneconomic[.]com</td><td>$740.80</td></tr><tr><td>41</td><td>research-live[.]com</td><td>$1,260.00</td></tr><tr><td>42</td><td>examinerlive[.]co[.]uk</td><td>$631.20</td></tr><tr><td>43</td><td>accessaa[.]co[.]uk</td><td>$1,260.00</td></tr><tr><td>44</td><td>ft[.]com</td><td>$49,440.00</td></tr><tr><td>45</td><td>buzzfeed[.]com</td><td>Unspecified</td></tr></tbody></table><p>In two weeks, the Tyrell Corporation was in the news: one of the media sources was a less established media outlet, though the other was a very reputable source that had published a newspaper for nearly a century. While creating and publishing disinformation content with Raskolnikov was bumpy, in the end, the actor delivered, confirming the claim of being able to operate disinformation campaigns in Western countries.</p><p>However, of these two threat actors, Recorded Future analysts believe Doctor Zhivago to be the more experienced. 
This threat actor had been on the underground forums longer than Raskolnikov and had a well-established status. Based on discussions we had with Doctor Zhivago, we believe our primary contact was a Russian national and native Russian speaker, similar to Raskolnikov. In our communications, Doctor Zhivago was politely formal, as well as informative, even providing examples showing publications in some very reputable Russian-language media sources. Doctor Zhivago claimed to work with a team that included journalists, editors, translators, search engine optimization (SEO) specialists, and hackers. Doctor Zhivago maintained that this organization could spread disinformation accusing an individual or company of everything from business misconduct to criminal activity, whatever it took to permanently destroy a reputation.</p><p>Since the Tyrell Corporation now had a positive presence on the internet, it was time to see if it could be destroyed. We decided to use Doctor Zhivago to discredit our company's business practices, staying away from any criminal accusations that could theoretically have real-world implications. Doctor Zhivago estimated that our campaign would take a month or two to go into full effect because a successful disinformation operation happens in phases, gradually introducing an intentionally false narrative in an organic manner. The proof for our disinformation needed to come from real people, so Doctor Zhivago created them in the form of individual and group accounts on the same major social media platforms that Raskolnikov had used.</p><p>Since the Tyrell Corporation was both new and fictitious, there wasn't any publicly available information for Doctor Zhivago to manipulate. The group submitted a few articles for our review that accused the Tyrell Corporation of manipulating its employees by putting them in compromising situations.
The articles stopped just short of accusing the company of criminal offenses, but anyone reading the articles would likely come to the conclusion that the Tyrell Corporation was not reputable and treated its employees as disposable objects. The content was written in much better English than what Raskolnikov had provided us, though there were a few awkward sentences that suggested this too wasn't the writing of a native English speaker. But like Raskolnikov, Doctor Zhivago was quick to correct these linguistic issues after we provided our feedback. With the articles published, it was now time to spread them throughout Doctor Zhivago's social media apparatus.</p><p>Doctor Zhivago had an organic, layered approach to propagating material throughout social media. First, a group of older accounts, referred to as "aged accounts," posted links to the articles they had published in media sources. Then, a new batch of accounts reposted content from the aforementioned aged accounts to amplify the messages. These new accounts befriended citizens living in the same country the Tyrell Corporation was located in to make the campaign more effective by targeting the audience. Doctor Zhivago explained to us that they usually create a few thousand social media accounts when engaging in these types of operations, as only a percentage of them would survive without being banned. Once the operation began, the articles went live on a number of media sites and were referenced throughout the social media platforms by accounts controlled by Doctor Zhivago.</p><p>Doctor Zhivago's list of media resources available for a U.K.-based disinformation campaign can be seen below.
Doctor Zhivago broke up the media resources into categories they identified as low profile, medium profile, and top level.</p><table><tbody><tr><th>Low Profile</th><th>Medium Profile</th><th>Top Level</th></tr><tr><td>viennatimes[.]com – $600</td><td>aboutmanchester[.]co[.]uk – $1,340</td><td>reuters[.]com – $8,360</td></tr><tr><td>amiranews[.]com – $500</td><td>stories[.]swns[.]com – $1,340</td><td>dailypioneer[.]com – $6,350</td></tr><tr><td>dailyreleased[.]com – $500</td><td>abcmoney[.]co[.]uk – $1,340</td><td>econotimes[.]com – $6,685</td></tr><tr><td>xulnews[.]com – $500</td><td>calculator[.]co[.]uk – $1,340</td><td>mashable[.]com – $13,370</td></tr><tr><td>thesocialmagazine[.]com – $600</td><td>fortuneherald[.]com – $1,340</td><td>chamberofcommerce[.]com – $6,020</td></tr><tr><td>westernrelease[.]com – $600</td><td>newstoday[.]co[.]uk – $1,340</td><td>newsmax[.]com – $6,685</td></tr><tr><td>broowaha[.]com – $500</td><td> </td><td>techradar[.]com – $18,385</td></tr><tr><td>srjnews[.]com – $650</td><td> </td><td>techtimes[.]com – $4,010</td></tr><tr><td>lovebelfast[.]co[.]uk – $560</td><td> </td><td> </td></tr><tr><td>talk-business[.]co[.]uk – $600</td><td> </td><td> </td></tr><tr><td>15zjazd.whus[.]pl – $100</td><td> </td><td> </td></tr><tr><td>businessexponow[.]co[.]uk – $400</td><td> </td><td> </td></tr><tr><td>esrel2016[.]org – $400</td><td> </td><td> </td></tr><tr><td>internet-directory-web[.]com – $400</td><td> </td><td> </td></tr></tbody></table><h3>Outlook</h3><p>From our research, Insikt Group discovered that launching a disinformation campaign is alarmingly simple and inexpensive. Recorded Future spent a total of $6,050 on both campaigns, with $1,850 going to the initial promotion by Raskolnikov, and $4,200 going to Doctor Zhivago for the negative disinformation to discredit our fictitious company.</p><p>Disinformation services are publicly available on the underground criminal forums, and accessible to private sector clients, not only nation-states.
These services are affordable and customizable. Their operators work in teams to publish articles on media websites and to propagate that material throughout social media accounts under their direct control.</p><p>They are willing to go to extreme lengths to accomplish their tasks, including filing false accusations with law enforcement against target entities. In the case of Doctor Zhivago, the threat actor offered to file a complaint against our fictitious company for involvement in human trafficking. And even though we used the Raskolnikov threat actor to promote Tyrell Corporation, Raskolnikov also offered a takedown service should we ever need to get even with another individual, set someone up at their place of work, destroy a competitor's reputation, counter an opponent's disinformation attack, or even sink an opponent in an election.</p><p>Today, the Tyrell Corporation lives on in social media and search engine results. Googling the domain name will present the unfavorable content created by Doctor Zhivago, though searching the company name directly will produce the positive articles and social media accounts created by Raskolnikov. If our experience is any indication, we predict that disinformation as a service will spread from a nation-state tool to one increasingly used by private individuals and entities, given how easy it is to implement.</p><h4>Footnotes</h4><div id="footnote"><p><sup>1</sup> Ion Mihai Pacepa and Ronald J. Rychlak (2013), Disinformation: Former Spy Chief Reveals Secret Strategies for Undermining Freedom, Attacking Religion, and Promoting Terrorism.</p><p><sup>2</sup> United States Department of State (1987), Soviet Influence Activities: A Report on Active Measures and Propaganda, 1986–87, Washington, D.C.: Bureau of Public Affairs, pp. 34–35, 39, 42.</p></div>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/2019_0912_The_Price_of_Influence_Disinformation_in_the_Private_Sector_1_d5fa283299.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Speaking via Omission: RT’s Primary Coverage in English and Russian]]></title>
            <link>https://www.recordedfuture.com/rt-coverage-analysis</link>
            <guid>https://www.recordedfuture.com/rt-coverage-analysis</guid>
            <pubDate>Thu, 29 Aug 2019 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group® examined Recorded Future’s collection of references from the source RT in both English and Russian in order to assess what, if any, differences exist between the outlet’s reporting in the two languages. This analysis also examines what those differences may say about RT’s goals related to messaging and desired influence over the English and Russian information spaces.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_2_05bf0c8842.png" alt="insikt-group-logo-updated-2.png"></p><p><em><a href="https://go.recordedfuture.com/hubfs/reports/cta-2019-0829.pdf" rel="noopener noreferrer" target="_blank">Click here</a> to download the complete analysis as a PDF.</em></p><p><em>Insikt Group examined Recorded Future's collection of references from the source RT in both English and Russian in order to assess what, if any, differences exist between the outlet's reporting in the two languages. This analysis also examines what those differences may say about RT's goals related to messaging and desired influence over the English and Russian information spaces.</em></p><p><em>This report will be most useful to organizations that engage with Russian-speaking populations or clients or seek to possess a fuller understanding of the goals and motivations of the Kremlin, for which state media is an important tool.</em></p><h3>Executive Summary</h3><p>RT is a news outlet <a href="https://archives.cjr.org/feature/what_is_russia_today.php" rel="noopener noreferrer" target="_blank">funded by the Russian government</a>. It is an important complement to Russia's intelligence services. While RT obviously lacks the kinetic and cyber capabilities of those agencies, it is essential to conducting information warfare and <a href="https://www.americansecurityproject.org/wp-content/uploads/2017/10/Ref-0206-Russian-Social-Media-Information-Operations.pdf" rel="noopener noreferrer" target="_blank">priming the information space</a> for Russian influence. Although RT's English-language content has been well covered in the existing literature, little has been written about how this content compares to and interfaces with its Russian-language reporting.
This report uses the Recorded Future Platform to analyze references from RT and construct an image of how it not only functions as an <a href="https://archive.org/stream/TheSwordAndTheShield-TheMitrokhinArchiveAndTheSecretHistoryOfTheKGB/The+Sword+and+the+Shield+-+The+Mitrokhin+Archive+and+the+Secret+History+of+the+KGB_djvu.txt" rel="noopener noreferrer" target="_blank">active measure</a> against the Western world, but also how it seeks to mold the Russian-speaking world.</p><p>Through this analysis, Insikt Group establishes with high confidence that RT's output can be generally described as geared toward <a href="https://www.eurozine.com/misunderstanding-russias-two-hybrid-wars/" rel="noopener noreferrer" target="_blank">sowing discord abroad</a> and establishing the Kremlin's perspective as valid at home, a modus operandi that is in line with <a href="https://www.ecfr.eu/page/-/ECFR_169_-_INSIDE_RUSSIAS_INTELLIGENCE_SERVICES_(WEB_AND_PRINT)_2.pdf" rel="noopener noreferrer" target="_blank">that of Russia's intelligence community</a>.</p><h3>Key Judgments</h3><ul><li>RT shows a strong regional bias in Russian, reporting on Russia in the native language far more than it reports on the U.S. or the U.K. in the English edition.</li><li>RT's English coverage has consistently attempted to focus on entities related to the 2016 U.S.
presidential election up to two years after the election, most notably including then-candidate Hillary Rodham Clinton.</li><li>RT covers issues such as immigration and race relations for its English audience, but not for its Russian audience, and is likely to exploit controversies over these issues.</li><li>RT supplies far more information to Russian audiences on the conflict in Ukraine, bans on Russian athletes' participation in the Olympics, and pro-secession narratives about regions such as Catalonia, likely in support of the Kremlin's own ambitions.</li><li>RT shows a readiness to platform whistleblowers and increase the visibility of leaks when they are damaging to Western states, individuals, and organizations, but not if they concern alleged Russian misdeeds.</li><li>RT seeks to be an influential voice in the Russian-language narrative surrounding Russian involvement in the Crimean annexation, the conflict in the Donbas, and in Ukrainian affairs writ large.</li><li>RT often seeks to reinforce its narrative in Ukraine by supporting analogous cases and stories in other parts of the world.</li></ul><h3>Background and Literature Review</h3><p>The phrase "Russian disinformation" has been in vogue among national security experts and, increasingly, regular citizens. While the term might evoke images of a shadowy conspiracy, distortion of the information space is often carried out by organizations operating in the open. RT is a <a href="https://www.kcl.ac.uk/policy-institute/assets/weaponising-news.pdf" rel="noopener noreferrer" target="_blank">well-used weapon</a> in the country's <a href="https://www.nytimes.com/2017/09/13/magazine/rt-sputnik-and-russias-new-theory-of-war.html" rel="noopener noreferrer" target="_blank">hybrid warfare arsenal</a>.
This report seeks to add an additional dimension to this: RT's Russian-speaking audience.</p><p>Existing literature notes that the pressure points exploited by the Kremlin in the course of informational or political warfare are not random; they all <a href="https://www.ecfr.eu/page/-/ECFR_169_-_INSIDE_RUSSIAS_INTELLIGENCE_SERVICES_(WEB_AND_PRINT)_2.pdf" rel="noopener noreferrer" target="_blank">ultimately serve to shore up the Russian state</a>. These studies have demonstrated that topics favored by the Kremlin are necessarily dual purpose. For example, polarizing coverage of police brutality in the U.S. obviously widens political divisions there, but in Russia, where those divisions are not as apparent, <a href="http://www.gmfus.org/publications/russian-narrative-proxies-western-balkans" rel="noopener noreferrer" target="_blank">it normalizes the state's use of force</a>. Kremlin-linked media operating in Balkan and Baltic states notably <a href="http://www.gmfus.org/publications/russian-narrative-proxies-western-balkans" rel="noopener noreferrer" target="_blank">promote Euroscepticism</a> via <a href="https://warsawinstitute.org/russian-information-warfare-baltic-states-resources-aims/" rel="noopener noreferrer" target="_blank">consistently negative coverage</a> of the <a href="https://medium.com/dfrlab/balticbrief-sputnik-takes-aim-at-a-russian-speaking-audience-6f7668e6cc23" rel="noopener noreferrer" target="_blank">North Atlantic Treaty Organization</a> (NATO). The cycle is often self-reinforcing: negative portrayals of Western international organizations breed nationalist sentiment; the Kremlin publicly supports this sentiment; and, finally, domestic Russian nationalism is further legitimized. In sum, support for nationalism has been bolstered in both foreign and domestic arenas.
Theoretically, this strategy would condition both arenas to be more tolerant of aggressive actions such as the Russian Federation's annexation of Crimea in 2014, an act <a href="http://en.kremlin.ru/events/president/news/20366" rel="noopener noreferrer" target="_blank">justified using rhetoric</a> about the protection of Russian-speaking people.</p><p>What these analyses omit, however, is what role RT plays as a domestic news organization. A definitive judgment on the goals of the Kremlin's disinformation campaign cannot be reached without comparing the narratives shown to English-speaking and Russian-speaking audiences; this report seeks to make inroads on providing that judgment. Additionally, although it is not a primary goal of this report, the success of the Kremlin's information warfare in relation to its domestic audience will also be assessed.</p><h4>Project Scope and Methods</h4><p>Insikt Group analyzed Russian- and English-language content from RT published between January 2017 and July 2019. The data was divided by language, and will mostly be examined over the entire three-year period. Each language's data set consisted of a list of terms or entities as well as the number of times they were tagged in a reference over a set period of time.</p><p>These entities were cleaned, removing ones that were ambiguous to a degree that prevented their ready classification as well as ones that fell outside of the scope of this research. Some examples of entities that were removed include URLs, titles not connected to an individual (for example, "President" or "ambassador"), and other entities which did not clearly denote a subject of discussion (for example, "World" or "via"). Examples of entities that were removed because they fell outside of the research scope include news outlets likely cited as sources rather than discussed as entities themselves and international sports entities.
Olympic and other international sports entities, such as FIFA, were kept because participation in them is analogous to representing one's country.</p><p>This data was then organized and processed further in one of two ways. In the first method, the top 100 entities were sorted into one of the following categories:</p><table><tbody><tr><th>United States</th><th>Russia</th><th>Regional/General</th><th>Issues</th><th>Removed/Miscellaneous Entities</th></tr><tr><td>U.S. (Geographically Defined)</td><td>Russia (Geographically Defined)</td><td>North America (Non-U.S.)</td><td>Ukraine</td><td>Non-Olympic Sports</td></tr><tr><td>U.S. Government</td><td>U.S. Government</td><td>Europe</td><td>Skripal Assassination</td><td>News Outlets as Sources</td></tr><tr><td>U.S. Intelligence Community</td><td>Russian Intelligence Community</td><td>Asia</td><td>Whistleblowers/Leaks</td><td>Not Subjects</td></tr><tr><td>Trump Family</td><td> </td><td>Africa</td><td>Cyber (Non-Election)</td><td> </td></tr><tr><td>U.S. Elections</td><td> </td><td>Central/Latin America</td><td>Terrorism</td><td> </td></tr><tr><td> </td><td> </td><td>International Organizations</td><td>Resources (e.g., Oil, Natural Gas)</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td>Tech/Social Media</td><td> </td></tr><tr><td> </td><td> </td><td> </td><td>Ethnic Group</td><td> </td></tr></tbody></table><p>These categories were usually ones that emerged during the cleaning and processing of the data. The appendix to this report elaborates on the types of entities that fell under each category or topic.</p><p>The second method of analysis involved collecting, for each year, the top 100 entities for each language, and examining how consistently they were discussed by RT in either language.
To do this, Insikt Group calculated the number of times an entity was referenced by RT by month, from January 2017 to July 2019, and found the standard deviation of references by month for that entity, provided that the entity was in the top 100.</p><p>Entities that had appeared in fewer than 12 months over the entire period were removed from this second method of analysis, purging entities that did not develop past topics of passing interest in RT's coverage, regardless of their total reference count. Thus, it should be noted that this second analysis measures the consistency of frequently covered entities, rather than of all entities. The lower the standard deviation of a given entity's data set, the more consistently it appeared in RT's reporting.</p><h3>Threat Analysis</h3><p class="caption">Breakdown of the top categories for the full English data set (2017 to 2019).</p><p class="caption">Breakdown of the top categories for the full Russian data set (2017 to 2019).</p><p class="caption">Top 10 most consistent entities by number of monthly references in the English data set.</p><p>Comparing the data gathered from both the English and Russian language versions leads to several interesting takeaways.</p><h4>Regional Focus</h4><p>The first observation is that the English version of RT discusses the United States and United Kingdom significantly less than the Russian version discusses Russia. The English-speaking world, here defined as consisting of the U.S., U.K., and Canada, makes up 18.7% of the entities found in RT's English reporting. In the latter case, references to Russia make up 25.8% of the reporting over the period from 2017 to 2019.</p><p>Additionally, the Russian-language data shows that entities categorized as belonging to the Russian government or its intelligence community comprised 13.2% of the references, whereas entities belonging to the U.S. government and U.S. intelligence community make up just 3.1% of the content.
While this finding can partly be explained by the idea that content in a given language tends to be about the region(s) in which that language is spoken, it does not account for the disparity in proportion of coverage.</p><h4>2016 U.S. Presidential Election and Russian Interference</h4><p class="caption">Coverage of entities related to the 2016 U.S. presidential election in the English data set.</p><p>The standard deviation data for the English-language content shows that entities related to the 2016 U.S. presidential election have been consistently reported on, even after the election. Among those entities are "Russian hackers," "COLLUSION," "Democratic National Convention," and "Hillary Rodham Clinton." It is unsurprising that RT would wish to have control over the narrative of an event that implicated Russia's intelligence services in attempting to influence a U.S. election, but the appearance of 2016 presidential candidate Hillary Clinton's name is telling.</p><p>The literature surrounding the Kremlin's attempts to influence the election notes that <a href="https://www.justice.gov/file/1035477/download" rel="noopener noreferrer" target="_blank">Clinton was targeted almost exclusively negatively</a>. While the "Donald John Trump" entity does have a high volume of references, it appears that he is not as frequently discussed in the English-language data set as the aforementioned entities.
Insikt Group assesses with high confidence that Clinton's appearance as a consistently covered entity within a data set spanning over three years after the election likely points to a concerted effort to deflect attention from the investigation into Russian interference, especially as Clinton <a href="https://www.townandcountrymag.com/society/politics/news/a8629/heres-what-hillary-clinton-is-doing-today/" rel="noopener noreferrer" target="_blank">has not been a significant political figure since the end of 2016</a>.</p><h4>Secession</h4><p>An examination of the data through standard deviation (the second method of analysis) shows that Catalonia is one of the most consistently covered entities in the Russian-language data set. Catalonia is an autonomous community in Spain that notably held an independence referendum in 2017 wherein <a href="https://web.archive.org/web/20171006212613/http://www.govern.cat/pres_gov/govern/ca/monografics/303541/govern-trasllada-resultats-definitius-referendum-l1-doctubre-parlament-catalunya.html" rel="noopener noreferrer" target="_blank">92% of Catalonians voted to secede from Spain</a>.</p><p class="caption">Hits for Catalonia in the Russian data set by month.</p><p>Previous analysis of social media activity surrounding Catalonia shows that RT was a top influencer on the topic. The three accounts appearing as more influential than RT are linked to Edward Snowden, Julian Assange, and WikiLeaks, all of which <a href="https://medium.com/dfrlab/electionwatch-russia-and-referendums-in-catalonia-192743efcd76" rel="noopener noreferrer" target="_blank">have links to Russia</a> and appear to have had their posts on the issue amplified by bots.
These entities reappear in the reference count analysis, suggesting that they serve to amplify more than one idea for RT.</p><p>While it is not clear why this topic would be covered more consistently in the Russian-language content than in the English alternative, one possibility is that it is to legitimate other separatist action, such as the separatist movement in Ukraine's Donbas region or in the Crimean Peninsula, also in Ukraine. Insikt Group assesses with moderate confidence that this finding in the data set from Recorded Future's sourcing of RT likely confirms the news agency's bias in favor of pro-Russian separatism.</p><h4>Whistleblowers and Leaks</h4><p>The 2010s have been host to a number of significant leaks of sensitive documents, almost all of which show up as well-covered entities in the English version of RT. Whistleblowers and leak-related entities such as Edward Snowden, William Binney, Julian Assange, Vault 7, and WikiLeaks constituted 1.9% of the 2017 to 2019 results. RT's Russian-speaking audience, however, appears to be far less exposed to coverage of these entities, as just one related entity, Julian Assange, appears in the top 100 for any of the three surveyed years. When looking at the aggregated data over the full three-year period, this single whistleblower entity makes up just 0.1% of RT's 2017 to 2019 coverage in Russian.</p><p>In July 2019, a threat actor by the name of 0v1ru$ <a href="https://www.forbes.com/sites/zakdoffman/2019/07/20/russian-intelligence-has-been-hacked-with-social-media-and-tor-projects-exposed/#4cc0257a6b11" rel="noopener noreferrer" target="_blank">breached SyTech</a>, a contractor for the Federal Security Service (FSB), Russia's national intelligence service, and gathered information on a number of FSB projects. These projects included efforts to scrape social media data, deanonymize Tor traffic, monitor and log email traffic from Russian companies, and split the Russian internet away from the rest of the world.
Although these projects were <a href="https://www.forbes.com/sites/zakdoffman/2019/07/20/russian-intelligence-has-been-hacked-with-social-media-and-tor-projects-exposed/#4cc0257a6b11" rel="noopener noreferrer" target="_blank">known or expected</a>, the release of additional data on them is noteworthy because it increases their visibility, including their visibility to the Russian populace which they affect or target. To examine how RT might have responded to this leak, Insikt Group ran a query for references on RT which mentioned 0v1ru$, the threat actor responsible for this breach. The sole results from this search were three references from RT's German-language version.</p><p class="caption">Results from the query for 0v1ru$ on RT.</p><h4>Ukraine</h4><p class="caption">Breakdown of reporting on Ukrainian entities in the Russian-language version.</p><p>Ukraine has been in conflict with pro-Russian separatists located in the country's Donbas region, which borders the Russian Federation, since 2014. In March of that year, the Crimean Peninsula was annexed by the Russian Federation. Since then, evidence of Russian support for the separatists in Ukraine's east has surfaced. During this period, approval of the Kremlin, and especially of President Putin, rose significantly, with the latter's approval <a href="https://www.levada.ru/en/ratings/" rel="noopener noreferrer" target="_blank">peaking at nearly 90% in 2015</a>, over a year after the Crimean annexation, <a href="https://www.levada.ru/en/ratings/" rel="noopener noreferrer" target="_blank">after sitting at 65% in January 2014</a>.
Additionally, in response to the annexation, the European Council and the United States have issued <a href="https://www.consilium.europa.eu/en/press/press-releases/2019/06/20/illegal-annexation-of-crimea-and-sevastopol-eu-extends-sanctions-by-one-year/" rel="noopener noreferrer" target="_blank">economic sanctions targeting specific sectors of the Russian economy</a>, as well as <a href="https://www.treasury.gov/resource-center/sanctions/Programs/Documents/ukraine_eo.pdf" rel="noopener noreferrer" target="_blank">sanctions on individuals and entities</a> responsible for violating the sovereignty and territorial integrity of Ukraine.</p><p>As mentioned, Russian involvement in Ukraine has shown itself to have both a <a href="https://www.levada.ru/en/ratings/" rel="noopener noreferrer" target="_blank">powerful effect on the Russian populace's perception of the Kremlin</a> and a <a href="https://www.treasury.gov/resource-center/sanctions/Programs/Documents/ukraine_eo.pdf" rel="noopener noreferrer" target="_blank">negative economic and reputational one</a>. Coverage of Ukraine and related entities such as the <a href="https://www.bbc.com/news/world-europe-46352367" rel="noopener noreferrer" target="_blank">Kerch Strait</a>, Sevastopol, Crimea, and Ukrainian President Volodymyr Zelenskiy, constitutes the second-largest portion of RT's Russian-language content at 13.3%, compared to 1.6% of RT's English-language reporting. Notable, however, is Crimea's appearance as the 11th most consistently discussed entity in the English data set.</p><p>Accordingly, Insikt Group assesses with high confidence that it is likely that control over the narrative of Russia's relationship with Ukraine, the Crimean annexation, and the conflict in the Donbas is a priority for RT.
Insikt Group likewise concludes with high confidence that this is likely not a case of Ukrainian entities being overrepresented because of Ukraine's proximity to Russia or <a href="https://www.unian.info/society/10481268-almost-half-of-ukrainians-speak-ukrainian-in-families-poll.html" rel="noopener noreferrer" target="_blank">because a considerable portion of the country speaks Russian</a>, seeing as Belarusian entities constitute just 0.7% of RT's Russian-language content over the same period, approximately 18 times less coverage than Ukrainian entities received despite Belarus <a href="http://kef.by/publications/research/opros-izuchenie-tsennostey-belorusskogo-obshchestva/?fbclid=IwAR0tYOqLTSjtEuUHF51tufmBlbU0dsHbBqFHTwR_AQet13d9XG84tX3_EHQ" rel="noopener noreferrer" target="_blank">also having a great number of Russian speakers</a> and <a href="https://foreignpolicy.com/2019/05/10/lukashenko-is-selling-belarus-piece-by-piece-to-russia/" rel="noopener noreferrer" target="_blank">close ties to Russia</a>.</p><h4>Ethnic and Religious Groups</h4><p>Jewish and Muslim people account for 0.8% and 0.3%, respectively, of RT's English-language reporting. In the Russian version, the category does not apply to any of the top 100 entities for any of the three years surveyed. This is in part significant because <a href="https://www.themoscowtimes.com/2018/01/25/putin-calls-for-revival-of-islamic-education-in-russia-a60276" rel="noopener noreferrer" target="_blank">the Russian Federation is home to an estimated 20 million Muslims</a>, making RT's choice to cover that population in one language but not in another considerably suspect.</p><p>Extant literature discusses RT's proclivity for inflaming racial and ethnic conflict. A study from King's College London describes RT and Sputnik, another Kremlin-funded news agency, as "highly specific aggregators of stories of immigrant crime and ethnic conflict across Europe."
In an incident known as the Lisa case, RT infamously <a href="https://www.nato.int/docu/review/2016/Also-in-2016/lisa-case-germany-target-russian-disinformation/EN/index.htm" rel="noopener noreferrer" target="_blank">promoted a fake story about the murder of a German girl by migrants</a> and <a href="https://www.nytimes.com/2017/09/13/magazine/rt-sputnik-and-russias-new-theory-of-war.html" rel="noopener noreferrer" target="_blank">accused German authorities of covering up the matter</a> once the girl was found alive.</p><p>It should also be noted that this tendency to provide inflammatory content on issues of ethnicity and religion is aligned with the concerns of both the Russian and English audiences. In a <a href="https://www.levada.ru/2019/02/27/samye-ostrye-problemy-3/" rel="noopener noreferrer" target="_blank">poll conducted by the Russia-based Levada Analytical Center</a> in February of 2019, 14% of respondents in Russia stated they felt that the flow of migrants into Russia was the most pressing issue faced by the country. With regard to English-speaking countries, <a href="https://news.gallup.com/poll/1675/most-important-problem.aspx" rel="noopener noreferrer" target="_blank">a Gallup poll</a> conducted in January of 2019 showed that, when choosing among non-economic issues, 21% of Americans chose immigration as the most important problem facing the country today. Additionally, <a href="https://www.ipsos.com/ipsos-mori/en-uk/ipsos-mori-issues-index-january-2019-worry-about-brexit-and-eu-has-fallen-however-remains-britains" rel="noopener noreferrer" target="_blank">a poll conducted in the same month by U.K. pollster Ipsos MORI</a> found that 19% of the British public believes immigration to be the most pressing issue facing the country. 
Although the perception of the threat of immigration appears moderately higher in the English-speaking world, this does not account for the relative absence of reporting on issues of race and ethnicity in RT's Russian-language content.</p><p>The high incidence of entities such as &quot;Jewish&quot; and &quot;Jew&quot; is possibly a reflection of long-standing accusations by the Kremlin and associated news organizations, including RT, <a href="https://foreignpolicy.com/2019/08/02/russian-disinformation-distorted-reality-in-ukraine-americans-should-take-note-putin-mueller-elections-antisemitism/" rel="noopener noreferrer" target="_blank">that the government in Ukraine is anti-Semitic</a>. A more likely cause is that these terms often appear in reporting on Israel. RT's reporting on Israeli entities constitutes 2.2% of its English-language content, compared to 1.6% for Ukrainian entities in the same.</p><p>Given existing proof of RT's intent to mislead in covering stories related to ethnic and religious tensions, immigration, and similar issues, Insikt Group assesses with high confidence that RT's lack of reporting on these issues in Russian is likely intended to preserve social stability, whereas its decision to cover these issues in English is intended to provoke and widen divisions in those societies.</p><h3>Outlook</h3><p>As this report shows, monitoring the activity of Kremlin-associated media such as RT in several languages, where such content is available, can provide valuable insight into the Kremlin's goals for both the foreign and domestic information environments. 
Moreover, examining the differences between reporting in several languages, as Insikt Group has done here, is another valuable method of ascertaining the goals of a news organization, and arguably provides greater depth of knowledge than would be possible with the examination of a single language, as much of the extant literature has done.</p><p>The examination of both English and Russian here is also important from a geopolitical perspective. Changing the behavior of an aggressive state such as Russia requires an in-depth understanding both of the disinformation employed by that state abroad for the purposes of destabilization and of the disinformation employed at home for the purposes of maintaining power and restricting access to the truth. To this end, it would be beneficial to conduct a multilingual examination of other well-known Kremlin media associates, such as Sputnik International. This understanding may serve to inform preventative measures against disinformation and so-called fake news. It may also provide Western media with the tools necessary to fight disinformation in Russia and in regions neighboring it, namely the Baltics, Belarus, and Ukraine.</p><p><em><strong>Editor's Note</strong>: This report was written by a member of our summer internship program.</em></p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/rt_coverage_analysis_3a6d51a568.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[Iranian Threat Actor Amasses Large Cyber Operations Infrastructure Network to Target Saudi Organizations]]></title>
            <link>https://www.recordedfuture.com/iranian-cyber-operations-infrastructure</link>
            <guid>https://www.recordedfuture.com/iranian-cyber-operations-infrastructure</guid>
            <pubDate>Wed, 26 Jun 2019 00:00:00 GMT</pubDate>
            <description><![CDATA[Insikt Group® researchers used proprietary methods, including Recorded Future Network Traffic Analysis and Recorded Future Domain Analysis, along with common analytical techniques, to profile Iranian cyberespionage threat actor APT33 (Elfin) and determine whether the public exposure of their TTPs in March 2019 impacted their operations.]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/Primary_Logo_Insikt_Digital_RGB_45f99b2dc9.png" alt="Primary Logo - Insikt - Digital (RGB).png"></p><p><em><a href="https://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf"  rel="noopener noreferrer">Click here</a> to download the complete analysis as a PDF.</em></p><p><em>Insikt Group researchers used proprietary methods, including Recorded Future Network Traffic Analysis and Recorded Future Domain Analysis, along with common analytical techniques, to profile Iranian cyberespionage threat actor APT33 (Elfin) and determine whether the public exposure of their TTPs in March 2019 impacted their operations.</em></p><p><em>Data sources include the Recorded Future Platform, Farsight Security's DNSDB, ReversingLabs, VirusTotal, Shodan, and common OSINT techniques.</em></p><p><em>This report will be of greatest interest to those interested in Middle Eastern geopolitics, as well as network defenders of organizations with a presence in the Middle East or in industries targeted by APT33, such as aerospace and defense, energy, finance, telecommunications, and manufacturing.</em></p><p><em>This research is based on data collected between February 10, 2019 and June 6, 2019.</em></p><h3 id="executive-summary">Executive Summary</h3><p>The United States and Iran continue to escalate tensions, most recently <a href="https://www.wsj.com/articles/trump-says-iran-attack-scrapped-to-avoid-unnecessary-casualties-11561226052"  rel="noopener noreferrer">accelerating rhetoric</a> and <a href="https://www.wsj.com/video/how-the-iranian-attack-on-a-us-drone-impacts-relations/7F26B246-B2CF-4EFF-8616-76F5508BA790.html"  rel="noopener noreferrer">actions</a> in the Strait of Hormuz, but also in the cyber domain. 
Over the past three months, Recorded Future's Insikt Group has observed an increase in APT33's (also known as Elfin) infrastructure building and targeting activity, and on June 21, 2019, <a href="https://news.yahoo.com/pentagon-secretly-struck-back-against-iranian-cyber-spies-targeting-us-ships-234520824.html"  rel="noopener noreferrer">Yahoo! News reported</a> that the U.S. Cyber Command launched cyberattacks on an Iranian spy group.</p><p>Iranian state-sponsored threat actor APT33 has been conducting cyberespionage activity since <a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"  rel="noopener noreferrer">at least 2013</a>, predominantly targeting nations in the Middle East, but also notably targeting U.S., South Korean, and European commercial entities across a wide variety of sectors.</p><p>Insikt Group researchers used proprietary methods, including Recorded Future Domain Analysis and Recorded Future Network Traffic Analysis, along with other common analytical approaches, to profile <a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"  rel="noopener noreferrer">recently reported</a> Iranian threat actor APT33's domain and hosting infrastructure in an effort to identify recent activity and better understand the group's tactics, techniques, and procedures (TTPs).</p><p>Our research found that APT33, or a closely aligned threat actor, continues to conduct and prepare for widespread cyberespionage activity, with over 1,200 domains used since March 28, 2019 and with a strong emphasis on using commodity malware. 
Commodity malware is an attractive option for nation-state threat actors who wish to conduct computer network operations at scale and hide in plain sight among the noise of other threat actor activities, thus hindering attribution efforts.</p><p>The <a href="https://www.scmagazineuk.com/industry-saudi-arabia-us-targeted-apt33-elfin/article/1580402"  rel="noopener noreferrer">targeting</a> of mainly Saudi Arabian organizations across a wide variety of industries aligns with historical targeting patterns for the group, which appears undeterred following previous exposés of its activity. Western and Saudi organizations, both public and private sector, in industries that have been historically targeted by APT33 should be monitoring geopolitical developments and increasing the scrutiny of operational security controls focusing on detection and remediation of initial unauthorized access, specifically from phishing campaigns, webshells, and third-party (vendor and supplier) relationships. Additionally, real-time security intelligence should be used to improve hunting in internal network and host-based telemetry.</p><h3 id="key-judgments">Key Judgments</h3><ul><li><p>In response to the <a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"  rel="noopener noreferrer">publication</a> of operations in late March 2019, domains associated with suspected APT33 activity were parked or changed to new hosting providers.</p></li><li><p>APT33, or a closely aligned threat actor, continues to control C2 domains in bulk.</p><ul><li>Over 1,200 domains have been in use since March 28, 2019 alone.</li><li>728 of these were identified communicating with infected hosts.</li><li>575 of the 728 domains were observed communicating with hosts infected by one of 19 mostly publicly available RATs.</li></ul></li><li><p>Almost 60% of the suspected APT33 domains that were classified to malware families related to njRAT infections, a RAT not previously associated with APT33 
activity. Other commodity RAT malware families, such as AdwindRAT and RevengeRAT, were also linked to suspected APT33 domain activity.</p></li><li><p>We assess with medium confidence that APT33, or a closely aligned threat actor, has targeted the following organizations since the disclosures in late March:</p><ul><li>A conglomerate headquartered in Saudi Arabia, with businesses in the engineering and construction, utilities, technology, retail, aviation, and finance sectors</li><li>Two Saudi healthcare organizations</li><li>A Saudi company in the metals industry</li><li>An Indian mass media company</li><li>A delegation from a diplomatic institution</li></ul></li><li><p>We assess that the recent reporting on links between the Nasr Institute and Kavosh Security Group, together with technical and persona analysis, points to overlaps among APT33, APT35, and MUDDYWATER, probably as a result of the tiered structure that Iran utilizes to manage cyber operations.</p></li></ul><h3 id="background">Background</h3><p>APT33 is an Iranian state-sponsored threat actor that has engaged in cyberespionage activities since at least 2013. They have typically used <a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"  rel="noopener noreferrer">commodity</a> <a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"  rel="noopener noreferrer">malware</a> and possess an <a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"  rel="noopener noreferrer">expansive network infrastructure</a> that enables them to scale their operations for victim targeting. Historically, this targeting has focused on the aerospace and defense industries, as well as the oil and gas industry, with a strong focus on companies based in Saudi Arabia. 
<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"  rel="noopener noreferrer">Symantec's Elfin report</a> denoted additional targeting of the engineering, chemical, research, finance, IT, and healthcare sectors. Recorded Future's Insikt Group has been monitoring APT33 activity, beginning with research published in October 2017, which revealed new infrastructure, malware hashes, and TTPs relating to the threat actor(s).</p><h3 id="threat-analysis">Threat Analysis</h3><p>On March 27, 2019, Symantec published research titled <a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"  rel="noopener noreferrer">Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.</a> The report outlined a three-year APT33 cyberespionage campaign. Using the IP addresses and malware hashes provided in that research, Insikt Group researchers conducted a follow-up analysis of the malicious domains used by APT33 to determine two things:</p><ol><li>Whether or not APT33 had continued their activities, and if so, whether they had changed TTPs in response to the publication</li><li>Whether or not there were any previously unreported historic activities conducted by the group that were worthy of publication</li></ol><h4 id="nasr-institute-and-kavosh-redux">Nasr Institute and Kavosh Redux</h4><p>In our previous report, <a href="https://www.recordedfuture.com/iran-hacker-hierarchy/">Iran's Hacker Hierarchy Exposed</a>, we concluded that the exposure of one APT33 contractor, the Nasr Institute, by FireEye in 2017, along with our intelligence on the composition and motivations of the Iranian hacker community, pointed to a tiered structure within Iran's state-sponsored offensive cyber program. 
We assessed that many Iranian state-sponsored operations were directed by the Iranian Revolutionary Guard Corps (IRGC) or the Ministry of Intelligence and Security (MOIS).</p><p>According to a sensitive Insikt Group source who provided information for previous research, these organizations employed a mid-level tier of ideologically aligned task managers responsible for the compartmentalized tasking of over 50 contracting organizations, which conducted activities such as vulnerability research, exploit development, reconnaissance, and the conducting of network intrusions or attacks. Each of these discrete components of developing an offensive cyber capability was purposefully assigned to a different contracting group to protect the integrity of overarching operations and to ensure the IRGC and/or MOIS retained control of operations and mitigated the risk from rogue hackers.</p><p><img src="https://cms.recordedfuture.com/uploads/iranian_cyber_operations_infrastructure_1_2_6caffc3045.png" alt="iranian-cyber-operations-infrastructure-1-2.png"></p><p>Obfuscating Iranian government involvement in offensive campaigns.</p><p>FireEye also noted in their 2017 report that the online handle xman_1365_x, found within the PDB path in an APT33 TURNEDUP backdoor sample, belonged to an individual at the Nasr Institute. The same handle was then linked to destructive operations using the NewsBeef and StoneDrill malware families. 
Then, in March 2017, <a href="http://securityaffairs.co/wordpress/56929/cyber-crime/stonedrill-wiper-shamoon.html"  rel="noopener noreferrer">researchers linked</a> StoneDrill to the Shamoon 2 operation and to the APT35 (also known as Charming Kitten, Newscaster, or NewBeef) threat actor.</p><p>Our <a href="https://www.recordedfuture.com/iran-hacker-hierarchy/">previous analyses</a> showed that the person behind the xman_1365_x handle self-identified on Iranian hacking forums as Mahdi Honarvar from Mashhad, with speculation that he was also affiliated with the Kavosh Security Center since around 2017.</p><p>Kavosh's role within the Iranian cyber ecosystem was further uncovered by Group-IB's <a href="https://www.group-ib.ru/blog/muddywater"  rel="noopener noreferrer">recent analysis</a> detailing that Kavosh was the employer of Nima Nikjoo between 2006 and 2014. Their analysis concluded that a March 2019 campaign targeting a Turkish military electronics manufacturer was perpetrated by another Iranian threat actor, MUDDYWATER. MUDDYWATER used the POWERSTATS backdoor, proliferated in maldocs that contained metadata revealing the author as Gladiyator_CRK, with a possible name of Nima. Additionally, an email address suspected to be related, <a href="mailto:&#x67;&#108;&#97;&#100;&#x69;&#121;&#97;&#116;&#111;&#114;&#x5f;&#99;&#x72;&#97;&#x63;&#x6b;&#x65;&#x72;&#64;&#121;&#x61;&#x68;&#x6f;&#x6f;&#46;&#x63;&#111;&#x6d;">&#x67;&#108;&#97;&#100;&#x69;&#121;&#97;&#116;&#111;&#114;&#x5f;&#99;&#x72;&#97;&#x63;&#x6b;&#x65;&#x72;&#64;&#121;&#x61;&#x68;&#x6f;&#x6f;&#46;&#x63;&#111;&#x6d;</a>, was associated with  , which translates to Nima Nickjou, in a 2014 blog that exposed the names and email addresses of individuals allegedly employed at the Nasr Institute. 
Another research blog authored by pseudonym 0xffff0800 corroborated some of these findings and revealed  Nima Nikjoo to be Nima Nikjoo Tabrizi.</p><p><img src="https://cms.recordedfuture.com/uploads/iranian_cyber_operations_infrastructure_2_1_c95a298537.png" alt="iranian-cyber-operations-infrastructure-2-1.png"></p><p>LinkedIn profile picture of suspected APT33 threat actor Nima Nikjoo Tabrizi. (Accessed on June 14, 2019)</p><h4 id="who-is-nima-nikjoo-tabrizi">Who Is Nima Nikjoo Tabrizi?</h4><p>OSINT reveals there is an active LinkedIn account and other active social media accounts in the name of Nima Nikjoo Tabrizi, claiming that he is a reverse engineer and malware analyst at Symantec. Symantec, however, has confirmed to Recorded Future that Tabrizi has never worked for them:</p><p>&quot;We have been aware of this individual for a long time. Nima Nikjoo is not a Symantec employee and we have no record of an individual by this name working at Symantec.&quot;</p><p>Given that Tabrizi has been exposed working for the Nasr Institute, a government organization, and the <a href="https://www.group-ib.ru/blog/muddywater"  rel="noopener noreferrer">Kavosh Security Center</a>, which has strong associations with Iranian state-sponsored cyberespionage activity, we assess with high confidence that Tabrizi is engaged in cyberespionage activity on behalf of the Iranian state.</p><p><img src="https://cms.recordedfuture.com/uploads/iranian_cyber_operations_infrastructure_3_1_6c27bbcf62.png" alt="iranian-cyber-operations-infrastructure-3-1.png"></p><p>Employment history of suspected APT33 threat actor Nima Nikjoo Tabrizi.</p><p>Based on this information, it is possible that upon the exposure of the Nasr Institute as a front for Iranian state-sponsored offensive cyber activity, employees transitioned over to other entities, such as Kavosh, to protect their identities and minimize further exposure. 
There were no further widely reported exposures relating to the Nasr Institute until the links between Mahdi Honarvar and the Kavosh Security Center were revealed in 2017. Therefore, we assess that the overlapping technical and personal information points to a historic linkage between the threat actors APT33, APT35, and MUDDYWATER.</p><p>These technical and persona overlaps among Iranian threat actors are not unexpected given the tiered structure of Iranian state management of cyber operations. Within this structure, we assessed that managers are running multiple teams, some of which are associated with government organizations and others that are contracted private companies (such as <a href="https://www.justice.gov/opa/file/834996/download"  rel="noopener noreferrer">ITSec Team</a>).</p><h3 id="technical-analysis">Technical Analysis</h3><h4 id="apt33-cleaning-up">APT33 Cleaning Up?</h4><p>Starting with the APT33 indicators documented by Symantec, Insikt Group profiled the domain and hosting infrastructure used by the group using the Farsight Security extension within the Recorded Future platform, revealing updated IP resolutions for some of the domains.</p><table>  <tr>    <th>Domain</th>    <th>Original IP Resolution (Per Symantec Report)</th>     <th>Updated IP Resolutions</th>  </tr>  <tr>    <td>backupnet.ddns[.]net</td>    <td>25.187.21[.]71, 91.230.121[.]143</td>     <td>95.183.54[.]119</td>  </tr>  <tr>    <td>hyperservice.ddns[.]net</td>    <td>8.26.21[.]119</td>     <td>95.183.54[.]119</td>  </tr>  <tr>    <td>microsoftupdated[.]com</td>    <td>5.187.21[.]70</td>     <td>52.45.178[.]122</td>  </tr>  <tr>    <td>mynetwork[.]cf</td>    <td>192.119.15[.]41, 195.20.52[.]172</td>     <td>195.20.52[.]172</td>  </tr>  <tr>    <td>mypsh.ddns[.]net</td>    <td>162.250.145[.]204, 162.250.145[.]234, 192.119.15[.]35, 192.119.15[.]37, 64.251.19[.]214, 64.251.19[.]231, 64.251.19[.]232, 8.26.21[.]120, 8.26.21[.]221, 8.26.21[.]222</td>     <td>No Current Resolution</td>  
</tr>  <tr>    <td>mypsh.ddns[.]net</td>    <td>5.79.127[.]177</td>     <td>0.0.0[.]0</td>  </tr>  <tr>    <td>mywinnetwork.ddns[.]net</td>    <td>91.235.142[.]76, 91.235.142[.]124, 89.34.237[.]118</td>     <td>0.0.0[.]0</td>  </tr>  <tr>    <td>remote-server.ddns[.]net</td>    <td>192.119.15[.]39, 91.230.121[.]143</td>     <td>0.0.0[.]0</td>  </tr>  <tr>    <td>remserver.ddns[.]net</td>    <td>217.147.168[.]44, 91.230.121[.]144</td>     <td>0.0.0[.]0</td>  </tr>  <tr>    <td>securityupdated[.]com</td>    <td>217.13.103[.]46</td>     <td>204.11.56[.]48</td>  </tr>  <tr>    <td>servhost.hopto[.]org</td>    <td>37.48.105[.]178</td>     <td>95.183.54[.]119, 0.0.0[.]0</td>  </tr>  <tr>    <td>service-avant[.]com</td>    <td>213.252.244[.]14</td>     <td>213.252.244[.]144, 51.77.102[.]108</td>  </tr>  <tr>    <td>srvhost.servehttp[.]com</td>    <td>8.26.21[.]117, 64.251.19[.]216</td>     <td>95.183.54[.]119</td>  </tr>  <tr>    <td>svcexplores[.]com</td>    <td>8188.165.4[.]81</td>     <td>-</td>  </tr>  <tr>    <td>update-sec[.]com</td>    <td>95.211.191[.]117</td>     <td>-</td>  </tr>   </table><p>As expected, many of the domains exposed in the original Symantec report have been parked or no longer resolve to a real IPv4 address. Interestingly, four of the original domains (backupnet.ddns[.]net, hyperservice.ddns[.]net, servhost.hopto[.]org, and srvhost.servehttp[.]com) were all updated the day after publication, and resolve to the same IP, 95.183.54[.]119. This IP is registered to the Swiss dedicated hosting provider Solar Communications GmbH. It is unclear why these domains were not likewise parked. 
Possible reasons include:</p><ul><li>The domains were deemed high value by the threat actor, and therefore retained for continued operational purposes.</li><li>The operators had difficulty with or could not update the domains for administrative reasons.</li></ul><p><img src="https://cms.recordedfuture.com/uploads/iranian_cyber_operations_infrastructure_4_1_cc4fc8660c.png" alt="iranian-cyber-operations-infrastructure-4-1.png"></p><p>Recorded Future Intelligence Card for microsoftupdated[.]com, enriched using the Farsight Security extension.</p><p>To identify additional related and potentially malicious infrastructure, we pivoted on the Swiss IP 95.183.54[.]119 and identified approximately 40 domains that had been newly resolving to the IP since mid-February 2019. We positively identified RAT malware communication from a selection of these domains.</p><table>  <tr>    <th>Domain</th>    <th>IP</th>     <th>Malware Observed Communicating With Domain</th>  </tr>  <tr>    <td>windowsx.sytes[.]net</td>    <td>95.183.54[.]119</td>     <td>Nanocore</td>  </tr>  <tr>    <td>hellocookies.ddns[.]net</td>    <td>95.183.54[.]119</td>     <td>Nanocore, QuasarRAT variant</td>  </tr>  <tr>    <td>njrat12.ddns[.]net</td>    <td>95.183.54[.]119</td>     <td>njRAT</td>  </tr>  <tr>    <td>trojan1117.hopto[.]org</td>    <td>95.183.54[.]119</td>     <td>njRAT</td>  </tr>  <tr>    <td>wwwgooglecom.sytes[.]net</td>    <td>95.183.54[.]119</td>     <td>njRAT</td>  </tr>  <tr>    <td>newhost.hopto[.]org</td>    <td>95.183.54[.]119</td>     <td>njRAT, DarkComet</td>  </tr>  <tr>    <td>za158155.ddns[.]net</td>    <td>95.183.54[.]119</td>     <td>njRAT</td>  </tr></table><p>Additionally, many of the domains that resolved to the Swiss IP were registered with hostnames that reflected the names of commodity RATs, such as XTreme RAT (xtreme.hopto[.]org) and njRAT (njrat12.ddns[.]net), as well as popular tools like Netcat (n3tc4t.hopto[.]com). 
Interestingly, a domain spoofing a popular Farsi-language Telegram channel called <a href="https://t.me/BistBots"  rel="noopener noreferrer">BistBots</a> (bistbotsproxies.ddns[.]net) was also co-hosted on the same IP. We assess that this likely indicates a desire to target users of BistBots who seek up-to-date, high-speed internet proxies, possibly to circumvent network filtering and <a href="https://www.middleeasteye.net/news/when-you-create-filters-they-create-proxies-iranian-web-users-get-past-filters"  rel="noopener noreferrer">access sites such as Facebook, Twitter, and YouTube</a>, which are restricted in Iran.</p><p>Further analysis of the domains above, including windowsx.sytes[.]net, njrat12.ddns[.]net, and wwwgooglecom.sytes[.]net, shows that they have been classified as C2s for Nanocore and njRAT, according to their respective Recorded Future Intelligence Cards. The information detailed consists of correlations derived from hash reports from malware multiscanner repositories and malware detonations that contain direct references to the domains.</p><p>Interestingly, while the Symantec research noted APT33's use of Nanocore, njRAT was not mentioned, which indicates a previously unknown addition to the group's ever-expanding repertoire of commodity malware.</p><p><img src="https://cms.recordedfuture.com/uploads/iranian_cyber_operations_infrastructure_5_1_5e4e27ea3b.png" alt="iranian-cyber-operations-infrastructure-5-1.png"></p><p>Context panel from the Recorded Future Intelligence Card for windowsx.sytes[.]net, showing the relationship between the domain and the Nanocore RAT malware.</p><p>The Maltego chart below shows the link analysis of selected domains hosted on the Swiss IP, with derived hashes associated with each malware family name.</p><p><img src="https://cms.recordedfuture.com/uploads/iranian_cyber_operations_infrastructure_6_1_7b833fca94.png" alt="iranian-cyber-operations-infrastructure-6-1.png"></p><p>Maltego graph of domains hosted on the known malicious 
APT33-linked IP.</p><h4 id="deeper-infrastructure-correlations">Deeper Infrastructure Correlations</h4><p>Insikt Group enumerated all domains reported as being used by APT33 since January 2019. We pivoted through common infrastructure hosting patterns using passive DNS and similar approaches to identify additional suspected APT33 infrastructure.</p><p>A preliminary analysis identified 1,252 unique, correlated domains likely administered by the same APT33 attackers behind the campaign documented by Symantec. Of these, 728 domains were identified as communicating with files on infected hosts, with 575 of these positively correlated to a RAT malware family. The remaining 153 domains were identified as malicious based on AV engine hits but could not be conclusively classified to a specific malware family automatically.</p><p><em><strong>Editor's Note</strong>: A selection of the domains, hashes, and associated IP address infrastructure connected to suspected APT33 domains will soon be made available to Recorded Future clients in a specialized Certified Data Set called Weaponized Domains, enabling companies to regulate the interaction with malicious free/anonymous infrastructure, including dynamic DNS (DDNS) domains.</em></p><p><img src="https://cms.recordedfuture.com/uploads/iranian_cyber_operations_infrastructure_7_1_17a7573648.png" alt="iranian-cyber-operations-infrastructure-7-1.png"></p><p>Pie chart of suspected APT33 malware use.</p><p>A top-level activity breakdown of these suspected APT33 domains and their linked malware families since March 28, 2019 reveals that 60% of the domains use the njRAT malware, with a wide selection of other commodity tools being used. 
In total, 1,804 unique malware hashes were analyzed to classify them into the 19 malware families listed below.</p><table>  <tr>    <th>Malware Family</th>    <th>Percentage (%)</th>   </tr>  <tr>    <td>NJRat</td>    <td>59.99</td>   </tr>  <tr>    <td>unknown</td>    <td>25.35</td>   </tr>  <tr>    <td>RevengeRAT</td>    <td>4.40</td>   </tr>  <tr>    <td>NanoCoreRAT</td>    <td>3.96</td>   </tr>  <tr>    <td>DarkComet</td>    <td>1.74</td>   </tr>  <tr>    <td>SpyNet</td>    <td>0.87</td>   </tr>  <tr>    <td>RemcosRAT</td>    <td>0.76</td>   </tr>  <tr>    <td>XtremeRAT</td>    <td>0.60</td>   </tr>  <tr>    <td>ImminentMonitor</td>    <td>0.43</td>   </tr>  <tr>    <td>NetWireRAT</td>    <td>0.33</td>   </tr>  <tr>    <td>Orcus</td>    <td>0.33</td>   </tr>  <tr>    <td>QuasarRAT</td>    <td>0.27</td>   </tr>  <tr>    <td>888RAT</td>    <td>0.22</td>   </tr>  <tr>    <td>qRat</td>    <td>0.22</td>   </tr>  <tr>    <td>Adwind</td>    <td>0.16</td>   </tr>  <tr>    <td>SandroRAT</td>    <td>0.11</td>   </tr>  <tr>    <td>PlasmaRAT</td>    <td>0.11</td>   </tr>  <tr>    <td>AsyncRAT</td>    <td>0.05</td>   </tr>  <tr>    <td>BitterRat</td>    <td>0.05</td>   </tr>  <tr>    <td>StoneDrill</td>    <td>0.05</td>   </tr></table><p>From the table and the accompanying chart, we noted that APT33, or a closely aligned threat actor, has been prolific in its continued use of commodity malware and publicly available tooling, and has added several malware families previously unreported to be associated with the threat actor, including njRAT, RevengeRAT, and AdwindRAT. A significant proportion of the samples (25%), while deemed malicious, contained generic code that could not be definitively classified at a high enough degree of confidence to warrant further manual static analysis. 
We will continue to focus closely on these samples in subsequent analyses.</p><p>Many of the domains uncovered spoofed global technology providers such as Microsoft and Google, as well as business-oriented, web-based services such as video conferencing provider Zoom. Geopolitically themed domains were also present in this list of suspected APT33 infrastructure, such as vichtorio-israeli.zapto[.]org (Victory to Israel), fucksaudi.ddns[.]com, and palestine.loginto[.]me. The choice of hostnames may offer insight into the targeting pattern of APT33 operations against the Islamic Republic of Iran's perceived enemies, notably Israel, Saudi Arabia, and the wider <a href="https://en.wikipedia.org/wiki/Gulf_Cooperation_Council"  rel="noopener noreferrer">Gulf Cooperation Council</a> (GCC) nations.</p><table>  <tr>    <th>Domain</th>    <th>Malware Family</th>     <th>SHA256</th>  </tr>  <tr>    <td>fucksaudi.ddns[.]net</td>    <td>RevengeRAT</td>     <td>d8e60135aecb3a2a7422c06cfb94ed9aaf1182145d1c482f84b0bd81aa5d2416</td>  </tr>  <tr>    <td>googlechromehost.ddns[.]net</td>    <td>NanoCoreRAT</td>     <td>e2cfc91085b9b5db41c4c4297c594758dd9a0c8561ce4544da9faedd3a6b91e8</td>  </tr>  <tr>    <td>backupnet.ddns[.]net</td>    <td>StoneDrill</td>     <td>a217eb149b65552e3127c65c306aa521dca54959ceee89e85dd2e6e38c0d8f8b</td>  </tr>  <tr>    <td>younesadams.ddns[.]net</td>    <td>SandroRAT</td>     <td>410b5f374059cc21b2c738a71957c97e4183d92580d1d48df887deece6d2f663</td>  </tr>  <tr>    <td>teamnj.ddns[.]net</td>    <td>DarkComet</td>     <td>e144db21cc5f8f57aa748c0a8e4008fc34f8dd831eb2442eb35961e4cdf41f22</td>  </tr></table><br>Selection of hashes correlated with suspected APT33 malicious domains. 
Recorded Future clients will be able to access the full list of domains in the Certified Data Set via API download.<h4 id="targeted-organizations">Targeted Organizations</h4><p>Using data from Recorded Future Domain Analysis and combining it with data derived from Recorded Future Network Traffic Analysis, Insikt Group researchers were able to identify a small selection of organizations likely targeted by suspected APT33 activity.</p><table>  <tr>    <th>Targeted Organization</th>    <th>Sector(s)</th>     <th>Country of Operation</th>    <th>Date of Observed Activity</th>    <th>Suspected APT33 C2 IP</th>  </tr>  <tr>    <td>Organization 1</td>    <td>Engineering and Construction, Water and Electricity, Technology, Retail, Finance</td>     <td>Saudi Arabia, UAE, Egypt, Turkey, Croatia</td>    <td>May 2 to June 3, 2019</td>    <td>134.3.20[.]151</td>  </tr>  <tr>    <td>Organization 2</td>    <td>Mass Media</td>     <td>India</td>    <td>May 4 to June 1, 2019</td>    <td>134.3.20[.]151</td>  </tr>  <tr>    <td>Organization 3</td>    <td>Diplomatic</td>     <td>Burkina Faso</td>    <td>May 2, 2019</td>    <td>134.3.20[.]151</td>  </tr>  <tr>    <td>Organizations 4 and 5</td>    <td>Healthcare</td>     <td>Saudi Arabia</td>    <td>May 2 to May 8, 2019</td>    <td>41.103.3[.]7, 46.249.47[.]193</td>  </tr>  <tr>    <td>Organization 6</td>    <td>Industrial</td>     <td>Saudi Arabia</td>    <td>May 25 to June 3, 2019</td>    <td>62.113.171[.]186</td>  </tr></table><h3 id="outlook">Outlook</h3><p>Following the exposure of a wide range of their infrastructure and operations by Symantec earlier this year, we discovered that APT33, or closely aligned actors, reacted by either parking or reassigning some of their domain infrastructure. 
The fact that this activity was executed just a day or so after the report went live suggests the Iranian threat actors are acutely aware of media coverage of their activities and are resourceful enough to react quickly.</p><p>Since late March, suspected APT33 threat actors have continued to use a large swath of operational infrastructure, well in excess of 1,200 domains, with many observed communicating with 19 different commodity RAT implants. An interesting development appears to be their increased preference for njRAT, with over half of the observed suspected APT33 infrastructure being linked to njRAT deployment.</p><p>While we haven't observed the widespread targeting of commercial entities or regional adversaries seen in previously documented APT33 operations, the handful of targeted organizations that we did observe were mainly located in Saudi Arabia, across a range of industries, indicating ongoing targeting aligned with geopolitical aims. We assess that the large amount of infrastructure uncovered in our research is likely indicative of wider ongoing operational activity, or of the laying of groundwork for future cyberespionage operations. We recommend organizations take measures to monitor their networks for evidence of suspected APT33 activity by following the guidance in the Network Defense Recommendations section below.</p><p>Finally, our recommendation to Recorded Future clients is to use our upcoming Weaponized Domains Certified Data Set, which has been derived from predictive analytics that assist in the identification of malicious APT infrastructure. 
This is meant to empower your security teams to hunt, detect, and block high-fidelity malicious indicators at scale.</p><h3 id="network-defense-recommendations">Network Defense Recommendations</h3><p>Recorded Future recommends that organizations conduct the following measures in order to detect and mitigate suspected APT33 activity:</p><ul><li>Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any other network defense mechanisms in place to alert on connection attempts involving the external IP addresses and domains listed in Appendix A and, upon review, consider blocking them.</li><li>As detailed in our previous blog on APT33 (available to our clients only), Dynamic DNS (DDNS) continues to be a relevant operational choke point for security control implementation. Resolution of DDNS subdomains should be denied and logged at the resolver (using <a href="https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00"  rel="noopener noreferrer">DNS RPZ</a> or similar), and any TCP/UDP network traffic to or from those hostnames should be blocked and logged.</li><li>Conduct regular YARA scans across your enterprise for the new rules listed in Appendix B.</li></ul><p>To view a full list of the associated indicators of compromise, <a href="https://go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf"  rel="noopener noreferrer">download the appendix</a>.</p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/iranian_cyber_operations_infrastructure_c35ebfde7e.png" length="0" type="image/png"/>
        </item>
        <item>
            <title><![CDATA[The Economy of Credential Stuffing Attacks Report]]></title>
            <link>https://www.recordedfuture.com/credential-stuffing-attacks</link>
            <guid>https://www.recordedfuture.com/credential-stuffing-attacks</guid>
            <pubDate>Thu, 25 Apr 2019 00:00:00 GMT</pubDate>
            <description><![CDATA[The Economy of Credential Stuffing Attacks]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_fcdc5a4ad0.png" alt="insikt-group-logo-updated.png"></p><p><em><a href="https://go.recordedfuture.com/hubfs/reports/cta-2019-0425.pdf">Click here</a> to download the complete analysis as a PDF.</em></p><p><em>This report covers the current threat landscape of credential stuffing attacks. It reviews the most popular tools used by cybercriminals to initiate credential stuffing and describes some of the most popular marketplaces that sell compromised credentials. This report contains information gathered using the Recorded Future Platform, as well as additional open source, dark web, and underground forum research, and will be of most interest to analysts protecting e-commerce, telecommunications, and financial organizations from credential stuffing attacks, as well as those looking for investigative leads on threat actors performing such attacks.</em></p><h3 id="executive-summary">Executive Summary</h3><p>The rapid proliferation of automated marketplaces on the dark web, fueled by the widespread availability of support infrastructure such as account-checking software, email and password combo lists, and proxy service providers, has created the perfect attack landscape for the abuse of thousands of popular web services such as e-commerce, financial services, travel websites, and telecommunications companies. It is safe to assume that almost every large organization with an online retail presence has had their users exposed to credential stuffing attacks in the past few years, with some companies having upwards of millions of exposed login credentials available for purchase on the dark web at any given moment.</p><h3 id="key-judgments">Key Judgments</h3><ul><li><p>The first widespread credential stuffing attacks were observed in late 2014, coinciding with the proliferation of automated underground marketplaces. 
When selling accounts, attackers offered the quick and easy monetization of compromised account credentials. Some actors who engaged in credential stuffing attacks remain active today. </p></li><li><p>With an investment of as little as $550, criminals could expect to earn at least 20 times the profit on the sale of compromised login credentials.</p></li><li><p>The overall supply of compromised login credentials across several large marketplaces exceeds tens of millions of accounts.</p></li><li><p>Insikt Group identified at least six popular variants of account-checking software used by cybercriminals; however, dozens of lesser-known variants can be found on the dark web.</p></li><li><p>While some companies may choose to implement multi-factor authentication (MFA), which blocks account takeover via the credential stuffing vector (though attackers can still learn which passwords are valid), organizations may not be prepared to choose security over convenience.</p></li></ul><h3 id="background">Background</h3><p>Around late 2014 and in the beginning of 2015, we observed the widespread adoption of new dark web business models specifically tailored to facilitate a high volume of trades in a fully automated manner. Designed to emulate legitimate retail platforms such as eBay and Amazon, these so-called "automated shops" allow even low-level criminals to become vendors of stolen data, such as compromised login credentials, without having to worry about maintaining their own infrastructure or marketing campaigns. By and large, the adoption of account marketplaces was made possible primarily by the proliferation of account-checking software, or simply "checkers," used as the main tool in credential stuffing attacks.</p><h3 id="threat-analysis">Threat Analysis</h3><p>Compromised account credentials were always a valuable commodity on the dark web, but the number of transactions was relatively small, and they were primarily conducted either on a peer-to-peer basis or via semi-automated markets such as AlphaBay, Silk Road, and Hansa Market. 
In older models, buyers received their wares only after the seller manually approved the deal and delivered the purchased data. Moreover, sellers had to maintain the listings and communicate with the buyers personally.</p><p>However, with the advent of automated shops, the need for manual engagement was eliminated and the business of compromised accounts fully transitioned from peer-to-peer dealings to a much more democratized, open-to-everyone enterprise.</p><p>For a nominal 10 to 15 percent commission deducted from each sale, members can upload any number of validated compromised accounts, which, in addition to email and password, often include data such as the account holder's city or state of residency, transaction history, and/or account balance. All of this is valuable data to fraudsters seeking to buy accounts tailored to their specific needs. The vendor's main focus is replenishing the stock, while all customer support, remittances, and dispute resolutions are handled by the shop's support team.</p><p><img src="https://cms.recordedfuture.com/uploads/credential_stuffing_attacks_1_1_a623ce2732.png" alt="credential-stuffing-attacks-1-1.png"></p><p>Automated shop listings. 
Alongside the compromised company name, buyers can see the available balance or loyalty points, the account holder's place of residency, associated payment cards, the date of the last transaction, and the hostname of the account holder's login email.</p><p>At first, only a handful of select vendors became the primary suppliers of stolen data, but as the tradecraft was shared among members of the criminal underground, the business of stolen credentials grew exponentially.</p><p>Since regular internet users tend to reuse the same passwords across multiple websites, threat actors quickly learned that instead of attempting to obtain access to an individual account, which may take a very long time, they should instead focus on hacking many random accounts at once, reducing their effort per account.</p><p><img src="https://cms.recordedfuture.com/uploads/credential_stuffing_attacks_2_1_847d4cb593.png" alt="credential-stuffing-attacks-2-1.png"></p><p>A combination of several elements made the hacking of accounts on various online services not just effortless, but also incredibly lucrative. To launch a credential stuffing attack (often loosely called account brute-forcing in the underground), an attacker only needed checker software, a database of leaked email and password combinations, and access to a pool of proxies.</p><h4 id="the-economics">The Economics</h4><p>Early versions of checkers were made to target a single company and were sold for between $50 and $250, depending on the tool's capabilities. These tools would attempt to log in to a website using an email and password combination taken from a combo list, often obtained on the dark web. If a combination worked, it would be marked as valid. If not, the software would simply pick the next combination from the list and attempt to log in again. 
For valid logins, more expensive and complex checkers would also collect additional information from the compromised account, such as linked banking and payment card information, account balances, the owner's address, and even transaction history. To this day, the ingenuity of the method lies in economies of scale, allowing criminals to process hundreds of thousands of combinations in a very short period of time.</p><p>Eventually, several dominant players such as STORM, Black Bullet, and Sentry MBA entered the market with more robust tools, supporting an unlimited number of custom plugins, also called configs, which essentially offered hackers the capability to target almost any company with an online retail presence.</p><p>What had initially started as several hundred or several thousand compromised accounts quickly ballooned to hundreds of thousands, or even millions, of accounts. Some of the most prominent account shops have tens of millions of compromised accounts for sale at any given moment.</p><p>Although competition quickly brought the average price of a single compromised account down from over $10 to a mere $1 to $2, the overall profitability of credential stuffing attacks increased significantly through sheer volume.</p><p>According to underground chatter observed over time, the average success rate for credential stuffing is anywhere between one and three percent. Hence, for every one million random combinations of emails and passwords, attackers can potentially compromise between 10,000 and 30,000 accounts. 
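<p>The login pattern described above, seen from the defender's side, as an added example that is not part of the original report: constructed web-login log lines are summarised per source address and per /24 netblock, and a source is flagged when it has worked through many distinct accounts with a success rate in the one-to-three-percent range quoted here. The log format, the addresses, and the thresholds are assumptions chosen for illustration.</p>

```python
"""Flag credential-stuffing sources in web-login logs.

Added example written for this page; it is not tooling from the report.
Log lines, addresses, and thresholds are constructed/assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network

# Assumed thresholds. A checker working a combo list tries many distinct
# accounts per source and, per the report, succeeds on roughly 1-3 percent.
MIN_DISTINCT_USERS = 20
MAX_SUCCESS_RATE = 0.05


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0

    def looks_like_stuffing(self) -> bool:
        # Many distinct accounts with almost no successes. A legitimate user
        # retrying one account never reaches the distinct-user threshold.
        return len(self.users) >= MIN_DISTINCT_USERS and self.success_rate <= MAX_SUCCESS_RATE


def by_ip(ip: str) -> str:
    return ip


def by_netblock(ip: str) -> str:
    # Collapse a rotating proxy pool into its /24 so per-IP evasion still shows.
    return str(ip_network(f"{ip}/24", strict=False))


def summarize(log_text: str, key=by_ip) -> dict:
    """Aggregate '<timestamp> <src_ip> <username> <OK|FAIL>' lines (assumed format)."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _, ip, user, result = parts
        s = stats[key(ip)]
        s.attempts += 1
        s.users.add(user.lower())
        if result == "OK":
            s.successes += 1
    return stats


def flag(log_text: str, key=by_ip) -> list:
    """Sorted list of sources (IPs or netblocks) whose activity looks like stuffing."""
    return sorted(k for k, s in summarize(log_text, key).items() if s.looks_like_stuffing())


def constructed_log() -> str:
    """Constructed sample: one checker rotating two proxies, plus one real user."""
    lines = []
    # Proxy 1: 40 distinct accounts from a combo list, a single hit (2.5 percent).
    for i in range(40):
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"2019-04-25T10:00:{i:02d}Z 203.0.113.10 user{i:03d}@example.com {result}")
    # Proxy 2 in the same /24: only 15 attempts, below the per-IP threshold.
    for i in range(40, 55):
        lines.append(f"2019-04-25T10:01:{i - 40:02d}Z 203.0.113.11 user{i:03d}@example.com FAIL")
    # A real user who mistypes twice and then signs in.
    lines += [
        "2019-04-25T10:05:00Z 192.0.2.5 alice@example.com FAIL",
        "2019-04-25T10:05:10Z 192.0.2.5 alice@example.com FAIL",
        "2019-04-25T10:05:20Z 192.0.2.5 alice@example.com OK",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    log = constructed_log()
    print("per IP: ", flag(log))                    # ['203.0.113.10']
    print("per /24:", flag(log, key=by_netblock))   # ['203.0.113.0/24']
```

<p>The per-netblock view is the point of the example: a checker that rotates through a proxy pool can keep every individual address under a per-IP threshold, while the aggregate still shows one pool burning through a combo list. In production the same statistics would be computed over a sliding time window and fed by the application's own authentication events rather than a text log.</p>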
Moreover, the same database could then be reused over and over again to attack dozens of different websites, yielding even higher profits.</p><p><img src="https://cms.recordedfuture.com/uploads/credential_stuffing_attacks_3_2_7644824639.png" alt="credential-stuffing-attacks-3-2.png"></p><p>Based on a conservative success rate of one percent per 100,000 compromised emails and passwords, the economics behind credential stuffing attacks reveal profits of at least 20 times the initial investment.</p><h3 id="technical-analysis">Technical Analysis</h3><p>Below are the most prominent variants of account-checking software used by cybercriminals in credential stuffing campaigns. It is important to note that lesser-known solutions, which are often built to target a single company, are also available for purchase. However, such one-off tools rarely gain significant market presence and tend to disappear quickly, as the developers cease product support due to slow adoption.</p><h4 id="storm">STORM</h4><p>STORM is marketed across several English-speaking forums and, unlike other account-checking tools, is available free of charge. However, users are encouraged to make donations. The exact identity of the developer is unknown; however, according to underground forum chatter, the software was allegedly created by the actor mrviper. STORM was first launched in January 2018, and according to the description found in dark web advertisements, it is characterized as a "free cracking program designed to perform website security testing." STORM is written in C and was developed in close cooperation with members of the Cracked forum. 
The tool has the following technical features:</p><ul><li><p>Supports FTP cracking</p></li><li><p>Simultaneous FTP and HTTP attacks</p></li><li><p>Concurrent sessions</p></li><li><p>Debug functionality for activity analysis</p></li><li><p>Supports combo lists of up to 20 million email:password records</p></li><li><p>Supports HTTP/HTTPS</p></li><li><p>Supports SOCKS4 and SOCKS5</p></li><li><p>Proxy auto-update with automated harvesting from public sources</p></li><li><p>Keyword capture (collection of premium account details)</p></li><li><p>JavaScript redirect</p></li></ul><p><img src="https://cms.recordedfuture.com/uploads/credential_stuffing_attacks_4_1_c60b72ba61.png" alt="credential-stuffing-attacks-4-1.png"></p><p>STORM account cracker advertisement on the dark web.</p><h4 id="black-bullet">Black Bullet</h4><p>Black Bullet first appeared on the dark web in early 2018 and was likely created by the actor Ruri, who operates the official <a href="http://www.bullet%5B.%5Dblack">www.bullet[.]black</a> website; however, according to the information found on the main page, the community no longer accepts new members. Several members of the dark web, including daltonbean8 and Doberman, were observed distributing the tool.</p><p>In contrast to other account-checking tools, Black Bullet does not offer multi-threaded capabilities and only allows a single company at a time to be attacked. 
The tool also comes with a brute-forcing feature that can perform dictionary attacks when run against specific accounts.</p><ul><li><p>Captcha bypass</p></li><li><p>Configuration files: ~530; however, users have the option to modify and create new configurations themselves</p></li><li><p>Selenium WebDriver support</p></li><li><p>Price: Between $30 and $50</p></li></ul><p><img src="https://cms.recordedfuture.com/uploads/credential_stuffing_attacks_5_1_1699f81def.png" alt="credential-stuffing-attacks-5-1.png"></p><p>Black Bullet V.2.0.2 control panel interface.</p><h4 id="private-keeper">Private Keeper</h4><p>Private Keeper was developed by the actor deival909. According to the description provided by the actor, the tool is based on "in-line technology." Private Keeper is by far the most popular account-checking software in the Russian-speaking underground.</p><ul><li><p>Price: From 49 Russian rubles (approximately $0.80)</p></li><li><p>Concurrent sessions</p></li><li><p>Utility software to aid in automated connection to private or publicly available proxy services</p></li><li><p>Official online store: <a href="http://www.deival909%5B.%5Dru">www.deival909[.]ru</a></p></li><li><p>Latest version: 7.9.3.34</p></li></ul><p><img src="https://cms.recordedfuture.com/uploads/credential_stuffing_attacks_6_1_dc4c15a180.png" alt="credential-stuffing-attacks-6-1.png"></p><p>Private Keeper control panel interface.</p><h4 id="snipr">SNIPR</h4><p>SNIPR was sold and publicly shared on multiple underground forums. The threat actor PRAGMA is the developer of the tool. SNIPR is a configurable account checker, written in C, that supports both online credential stuffing and offline dictionary attacks. Although the tool was advertised by multiple threat actors, this account checker has its own website with a forum and a marketplace, <a href="http://www.snipr%5B.%5Dgg">www.snipr[.]gg</a>. 
The website allows third-party developers to share custom-made configuration files.</p><ul><li><p>Configuration files: More than 100 are part of the official package</p></li><li><p>Concurrent attacks: Up to four targets</p></li><li><p>Price: $20</p></li></ul><p><img src="https://cms.recordedfuture.com/uploads/credential_stuffing_attacks_7_1_348fb0779e.png" alt="credential-stuffing-attacks-7-1.png"></p><p>Over 100 config files are included in the SNIPR account checker by default.</p><h4 id="sentry-mba">Sentry MBA</h4><p>Sentry MBA, with over 1,000 configuration files available, is one of the most prominent and readily available examples of account-checking software on the dark web. Several criminal forums maintain ongoing discussion threads dedicated to Sentry MBA. As of December 2018, registration at <a href="https://sentry%5B.%5Dmba">https://sentry[.]mba</a>, the official Sentry MBA marketplace and discussion board, is closed and available by invitation only. Insikt Group identified that the tool has been actively advertised on the dark web since late 2014; however, the official <a href="https://twitter.com/sentry_mba?lang=en" rel="noopener noreferrer">Twitter</a> account was launched in July 2013. The tool was allegedly developed by an actor using the alias Sentinel and later modified by another actor, Astaris. Sentry MBA uses OCR (optical character recognition) to bypass captchas. However, Sentry MBA doesn't support JavaScript anti-bot challenges. 
Sentry MBA can be configured to recognize specific keywords in a website's responses to successful and unsuccessful login attempts.</p><ul><li><p>Available configs: More than 1,000</p></li><li><p>Official website: <a href="https://sentry%5B.%5Dmba">https://sentry[.]mba</a></p></li><li><p>Price: Between $5 and $20 per configuration file</p></li><li><p>Supports HTTP/HTTPS</p></li><li><p>Supports SOCKS4 and SOCKS5</p></li></ul><p><img src="https://cms.recordedfuture.com/uploads/credential_stuffing_attacks_8_1_6f2665bbcf.png" alt="credential-stuffing-attacks-8-1.png"></p><p>Sentry MBA control panel.</p><h4 id="woxy">WOXY</h4><p>Unlike typical account-checking software, the WOXY email checker allows criminals to verify the validity of email accounts, scan email content for valuable information (like gift card codes or online subscriptions to streaming services, travel websites, and financial institutions), and hijack valid accounts by resetting login passwords automatically. According to our analysis, WOXY was developed by the actors Dreamzje and Deos, who operated the currently defunct website <a href="http://www.keepit%5B.%5Donline">www.keepit[.]online</a>. The original price of the WOXY checker was $40; however, in September 2018, the actors Crank and Yuki shared a cracked version of WOXY on the dark web, which can now be easily obtained free of charge.</p><p><img src="https://cms.recordedfuture.com/uploads/credential_stuffing_attacks_9_1_406f3681f3.png" alt="credential-stuffing-attacks-9-1.png"></p><p>WOXY email checker V3.4 info.</p><h3 id="mitigation">Mitigation</h3><ol><li><p>Criminals will often use paid proxy services, in addition to publicly available free proxies, to further obfuscate attacks. However, our analysis shows that such services often use geo-spoofing techniques to create a wide pool of IPs, and the same IP addresses recur in such pools under different subnets. 
Monitoring web traffic from such IPs offers additional mitigation capability.</p></li><li><p>The introduction of multi-factor authentication has proven to be a highly effective mitigation practice for many organizations that historically experienced a high level of credential stuffing attacks.</p></li><li><p>Monitoring criminal underground communities for the availability of new configuration files targeting your organization, acquiring those files, and thoroughly analyzing them for additional attack indicators.</p></li><li><p>End users can reduce the risk of being victimized by a credential stuffing attack by using a password manager and setting a unique, strong password for each online account.</p></li></ol>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/insikt_cover_cta_2019_0425_economy_credential_stuffing_attacks_4d4a5f4dac.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Pavlov’s Digital House: Russia Focuses Inward for Vulnerability Analysis Report]]></title>
            <link>https://www.recordedfuture.com/russian-vulnerability-analysis</link>
            <guid>https://www.recordedfuture.com/russian-vulnerability-analysis</guid>
            <pubDate>Mon, 16 Jul 2018 00:00:00 GMT</pubDate>
            <description><![CDATA[Pavlov’s Digital House: Russia Focuses Inward for Vulnerability Analysis]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/insikt_group_logo_updated_fcdc5a4ad0.png" alt="insikt-group-logo-updated.png"></p><p><em><a href="https://go.recordedfuture.com/hubfs/reports/cta-2018-0716.pdf">Click here</a> to download the complete analysis as a PDF.</em></p><p><em><strong>Scope Note</strong>: Over the course of the past year, Recorded Future has examined the <a href="https://www.recordedfuture.com/chinese-vulnerability-reporting/">publication speeds</a>, <a href="https://www.recordedfuture.com/chinese-vulnerability-data-altered/">missions</a>, and <a href="https://www.recordedfuture.com/chinese-mss-vulnerability-influence/">utility</a> of the national vulnerability databases (NVDs) of two countries: China and the United States. We decided to apply the same analytic techniques to Russia's vulnerability database to see what we could learn. This report includes a detailed analysis of vulnerabilities published by the Federal Service for Technical and Export Control of Russia (FSTEC), official Russian government documents, Recorded Future data, and open source intelligence (OSINT). The data analyzed for this report was compiled on March 30, 2018.</em></p><h3 id="executive-summary">Executive Summary</h3><p>Russia's vulnerability database is highly focused. However, it is incomplete, slow, and likely intended to support the control of the Russian state over technology companies and users. Generally, Russia publishes only 10 percent of known vulnerabilities, is on average 83 days slower than China's National Vulnerability Database (NVD) and 50 days slower than the U.S. NVD, and is incomplete even in the few technologies it does cover. </p><h3 id="key-judgements">Key Judgements</h3><ul><li><p>Russia's vulnerability database is run by the Federal Service for Technical and Export Control of Russia (FSTEC). 
FSTEC is the military organization responsible for protecting state secrets and supporting counterintelligence and counterespionage operations.</p></li><li><p>FSTEC's vulnerability database is also known as the BDU (Банк данных угроз безопасности информации, the Security Threats Database). The BDU has published only 11,036 vulnerabilities of the 107,901 CVEs reported by NVD (approximately 10 percent).</p></li><li><p>FSTEC has published 61 percent of the vulnerabilities exploited by Russian state-sponsored threat groups. This is substantially above the norm of 10 percent; however, the data is insufficient to determine the influence of Russian intelligence services on FSTEC publication.</p></li><li><p>FSTEC populates the BDU with vulnerabilities that primarily present a threat to Russian state information systems. This gives researchers information on which technologies, hardware, and software are used on Russian government networks.</p></li></ul><h3 id="background">Background</h3><p>The Federal Service for Technical and Export Control of Russia (<a href="http://fstec.ru" rel="noopener noreferrer">FSTEC</a>) was established in 2004 and is subordinate to the <a href="http://mil.ru" rel="noopener noreferrer">Ministry of Defense</a> (MOD). FSTEC has a central office in Moscow, seven regional headquarters, and an information security research and testing institute known as the <a href="http://fstec.ru/en/358-structure" rel="noopener noreferrer">State Science and Research Experimental Institute of Technical Information Protection Problems</a> of FSTEC, or the GNIII PTZI FSTEC.</p><p><img src="https://cms.recordedfuture.com/uploads/russian_vulnerability_analysis_1_21768bb353.png" alt="russian-vulnerability-analysis-1.png"></p><p>FSTEC headquarters in Moscow, located at <a href="https://yandex.ru/maps/213/moscow/?z=17&amp;ll=37.662677%2C55.767258&amp;l=map%2Csat&amp;origin=jsapi_2_1_64&amp;from=api-maps&amp;um=constructor%3ADJ2c1xUsOxTzHA83unNAbGIxBcRqIDtx&amp;mode=usermaps" rel="noopener noreferrer">105066, Moscow, ul. 
Staraya Basmannaya, 17</a>.</p><p>The prime minister's official website describes FSTEC as a federal executive body responsible for implementing government policy, organizing interdepartmental cooperation and interaction, and exercising special and control functions in the area of state security.</p><p>According to further official documentation released in 2016, FSTEC implements state policy, organizes interdepartmental cooperation, and exercises special functions of state security in the fields of: </p><ul><li>Information systems security</li><li>Countering foreign technical threats to Russia</li><li>Security of state secrets</li><li>Export control</li></ul><p>As intimated in the organization's title, the first three areas fall squarely under the technical control mission. According to our extensive review of <a href="https://fstec.ru/normotvorcheskaya/poisk-po-dokumentam" rel="noopener noreferrer">FSTEC documentation</a>, export control likely accounts for a much smaller share of FSTEC resources than the tasks and functions under technical control. The technical control mission covers internal control, state information systems, and foreign technology sold in Russia. </p><p>While <a href="https://fstec.ru/obshchaya-informatsiya/struktura" rel="noopener noreferrer">subordinate to the MOD</a>, FSTEC has a much longer and more extensive list of authorities, particularly in the realms of technical control and security of state secrets. 
According to <a href="https://fstec.ru/normotvorcheskaya/poisk-po-dokumentam" rel="noopener noreferrer">documentation</a> listed on FSTEC's website, the organization also regulates commerce surrounding materials that could be used in chemical and nuclear weapons, counters technical intelligence, issues opinions on the use of Russian territory for foreign scientific research, and finances research on the radiation emitted by different types of systems and devices.</p><p>FSTEC also has a board of senior government officials <a href="https://fstec.ru/obshchaya-informatsiya/struktura" rel="noopener noreferrer">appointed by position</a>. This board includes the First Deputy Chief of the General Staff of the Russian Military, the Deputy Minister of Internal Affairs, the Head of the Economic Security Service under the Federal Security Service (FSB), and the Deputy Director of the SVR, among others. The primary <a href="http://pravo.gov.ru/proxy/ips/?docbody=&amp;nd=102088330" rel="noopener noreferrer">function of the board</a> is setting and administering the FSTEC budget, as well as coordinating interdepartmental functions. </p><p>Among the <a href="http://pravo.gov.ru/proxy/ips/?docbody=&amp;nd=102088330" rel="noopener noreferrer">myriad responsibilities</a> under the four primary FSTEC functions, the organization also works with the FSB in protecting state secrets, supports technical counterintelligence and counterespionage,<sup>1</sup> and is empowered to monitor the communications of government officials who work with state secrets.</p><p>FSTEC is currently run by Director <a href="https://fstec.ru/obshchaya-informatsiya/rukovoditeli/282-direktor-fstek-rossii" rel="noopener noreferrer">Vladimir Selin</a>, who has held that position since May 2011. 
Selin is supported by one First Deputy Director, <a href="https://fstec.ru/obshchaya-informatsiya/rukovoditeli/283-pervyj-zamestitel-direktora-fstek-rossii" rel="noopener noreferrer">Sergey Yakimov</a>, and <a href="https://fstec.ru/obshchaya-informatsiya/rukovoditeli" rel="noopener noreferrer">four Deputy Directors</a>. In addition to his position as Director of FSTEC, Selin is also a member of the <a href="https://structure.mil.ru/management/college_of_the_russian_defense_ministry.htm" rel="noopener noreferrer">Defense Ministry Board</a> and <a href="https://chelorg.com/2016/10/10/putin-approved-the-new-composition-of-the-interdepartmental-commission-on-protection-of-state-secrets/" rel="noopener noreferrer">Deputy Chairman</a> of the Commission on State Secrets (on which he sits with Chief of the General Staff of the Russian Military <a href="http://eng.mil.ru/en/management/deputy/more.htm?id=11113936@SD_Employee" rel="noopener noreferrer">General Valery Gerasimov</a>). </p><p>According to official state documents, in 2015 <a href="http://pravo.gov.ru/proxy/ips/?docbody=&amp;nd=102088330" rel="noopener noreferrer">FSTEC was assigned</a> a total of 1,111 employees, not including security, protection, or maintenance personnel. Of the 1,111 employees, 225 are located in the Moscow headquarters, and the remaining 886 are spread out over FSTEC's seven regional offices. </p><p>Given the mission focus on technical control, it is likely that the majority of these 1,111 employees work on issues related to this mandate, while a much smaller minority support FSTEC's export control work. </p><h4 id="fstecs-vulnerability-publication-process">FSTEC's Vulnerability Publication Process</h4><p>FSTEC also runs a vulnerability publication database, to which it provides public access via the website <a href="http://bdu.fstec.ru/vul" rel="noopener noreferrer">bdu.fstec.ru/vul</a>. 
The <a href="https://bdu.fstec.ru/" rel="noopener noreferrer">homepage</a> states that the purpose of the database is to increase the awareness of interested persons in existing threats to information security systems and that it is designed for a wide range of customers, operators, developers, information security professionals, testing laboratories, and certification bodies.</p><p>FSTEC also states that the database contains information about the main threats to information security and vulnerabilities, primarily those characteristic of state information systems and automated systems for managing production and technological processes of critical facilities.<sup>2</sup></p><p><img src="https://cms.recordedfuture.com/uploads/russian_vulnerability_analysis_2_3b34055e1b.png" alt="russian-vulnerability-analysis-2.png"></p><p><a href="https://bdu.fstec.ru/" rel="noopener noreferrer">Homepage</a> of FSTEC's Security Threats Database, which lists the purpose and intended audience for the data.</p><p>FSTEC does not claim that this database is exhaustive. Instead, it focuses on publishing vulnerabilities for information systems used by the state and in critical facilities. This mission is also exhibited in the responsibilities and activities of FSTEC's seven regional departments. The <a href="https://fstec.ru/territorialnye-organy-cfo/tsentralnyj-federalnyj-okrug/informatsiya-cfo/polnomochiya-cfo" rel="noopener noreferrer">majority of tasks levied upon each of the regional headquarters</a> are overwhelmingly centered around countering foreign technical intelligence and protecting state information systems and data within each district. 
Of the <a href="https://fstec.ru/territorialnye-organy-yufo/yuzhnyj-i-severo-kavkazskij-federalnye-okruga/informatsiya-yufo/polnomochiya-yufo" rel="noopener noreferrer">10 or 11</a> tasks levied upon each of the regional headquarters, the top seven all concern countering foreign technical intelligence collection and protecting state information systems, while the remaining relate to export control. </p><p>Reporting a threat or vulnerability to the database (known as the BDU) is relatively simple. FSTEC provides a form for submission which closely matches the vulnerability entries themselves.</p><p><img src="https://cms.recordedfuture.com/uploads/russian_vulnerability_analysis_3_f4a903526f.png" alt="russian-vulnerability-analysis-3.png"></p><p>FSTEC vulnerability <a href="https://bdu.fstec.ru/contacts/vulreport" rel="noopener noreferrer">submission form</a>.</p><p><img src="https://cms.recordedfuture.com/uploads/russian_vulnerability_analysis_4_38ee95a887.png" alt="russian-vulnerability-analysis-4.png"></p><p>FSTEC BDU entry for <a href="https://bdu.fstec.ru/vul/2018-00817" rel="noopener noreferrer">CVE-2018-8148</a>.</p><p>FSTEC even provides simple download links to retrieve its entire database as either Excel or XML files. These downloads contain fields typical of other vulnerability databases including internal IDs, corresponding CVE identifiers, affected technologies, links to supporting documents, severity assessments, etc. What is not included in the publication is the date for when FSTEC first disclosed the vulnerability. We used proprietary techniques to establish these dates for vulnerabilities disclosed by FSTEC since January 1, 2017.</p><h4 id="fstec-is-not-a-public-service-organization">FSTEC Is Not a Public Service Organization</h4><p>FSTEC is an organization subordinate to, run by, and administratively part of the Ministry of Defense (MOD). 
All current <a href="https://fstec.ru/obshchaya-informatsiya/rukovoditeli" rel="noopener noreferrer">FSTEC senior leadership</a>, including the director, deputy directors, and all heads of regional headquarters<sup>3</sup> are former military officers, many of whom also served concurrently in officer or reserve positions in previous roles within FSTEC.</p><p><img src="https://cms.recordedfuture.com/uploads/russian_vulnerability_analysis_5_bb96b9066f.png" alt="russian-vulnerability-analysis-5.png"></p><p>Screenshot of the <a href="https://fstec.ru/territorialnye-organy-pfo/privolzhskij-federalnyj-okrug/informatsiya-pfo/rukovoditel-pfo" rel="noopener noreferrer">biography of Pavel Maksyakov</a>, head of the FSTEC Volga District office.</p><p>FSTEC's primary mission is explicit, documented, and repeated in <a href="https://fstec.ru/tekhnicheskaya-zashchita-informatsii/dokumenty/107-zakony" rel="noopener noreferrer">law after law</a> and <a href="https://fstec.ru/tekhnicheskaya-zashchita-informatsii/dokumenty/110-prikazy" rel="noopener noreferrer">order after order</a>; state security is its overarching mandate. Unlike sister organizations in other countries, such as <a href="http://www.itsec.gov.cn/" rel="noopener noreferrer">CNITSEC</a> in China (which runs <a href="http://www.cnnvd.org.cn/" rel="noopener noreferrer">CNNVD</a>), FSTEC does not claim to have a public service mission, but instead populates its vulnerability database (BDU) with vulnerabilities that primarily present a threat to state information systems. However, FSTEC is dissimilar to CNITSEC in that FSTEC is an overt military organization with an overt state secrecy mission. 
</p><p>A <a href="https://fstec.ru/deyatelnost/mezhdunarodnaya-deyatelnost/62-ofitsialnye-teksty/930-protokol-k-soglasheniyu-mezhdu-pravitelstvom-rossijskoj-federatsii-i-pravitelstvom-kitajskoj-respubliki" rel="noopener noreferrer">2014 meeting</a> between Chinese Premier Li Keqiang and Russian Prime Minister Dmitry Medvedev indicates that the Russian government views the Chinese Ministry of Commerce as the functional Chinese counterpart to FSTEC, not CNITSEC or the Ministry of State Security. This is probably because of FSTEC's primary focus on technical control of the domestic information and technology environment, which is a much broader mission than CNITSEC's.</p><p>Since FSTEC is an overt military organization, the questions about FSTEC's vulnerability database primarily center around why FSTEC even publishes the few vulnerabilities that it does. As documented below, the BDU is extremely slow and not comprehensive. The few vulnerabilities it does publish tell us more about FSTEC's mission and Russian state information systems than the intentions of the Russian military for offensive cyber operations.</p><h3 id="threat-analysis">Threat Analysis</h3><p>FSTEC began publishing vulnerability data in 2014, roughly 15 years after the U.S. National Vulnerability Database (NVD) <a href="https://nvd.nist.gov/General" rel="noopener noreferrer">was established</a>. As seen below, the FSTEC vulnerabilities published by year demonstrate an initial low volume of publications in 2014, a surge in 2015, and then a lower level of publications between 2016 and 2018.</p><p><img src="https://cms.recordedfuture.com/uploads/russian_vulnerability_analysis_6_1f6e2ac8ff.png" alt="russian-vulnerability-analysis-6.png"></p><p>Russian vulnerabilities published by year.</p><h4 id="what-happened-in-2015">What Happened in 2015?</h4><p>In examining the mapping of FSTEC's BDU identifiers to NVD's CVE identifiers, we observed that the mappings were not always one to one. 
FSTEC occasionally linked multiple CVEs into a single BDU vulnerability, and also occasionally created multiple BDU identifiers for different operating systems vulnerable to a single CVE. Russian BDUs cover 11,036, or approximately 10 percent, of the 107,901 CVEs reported by NVD. This difference is not simply due to FSTEC starting later, as approximately 25 percent of CVEs covered by FSTEC were from years before FSTEC began operation.</p><p>Despite the non-linear correlation between BDU and CVE identifiers, it is clear that FSTEC published far more vulnerabilities in 2015 than any other year. This is probably because 2015 was an experimental year for the BDU database, in which FSTEC evaluated its functionality and utility. Although the 2015 FSTEC annual activity report (issued in March 2016) did not address the outcome of the BDU experiment, it is clear from the data that a decision was made to drastically reduce the scope and number of vulnerabilities published. A narrower scope is also in better alignment with the database's <a href="https://bdu.fstec.ru/" rel="noopener noreferrer">public mission</a>, which is to report on vulnerabilities in information systems used by the state or in critical facilities.</p><p>Furthermore, among the vulnerabilities that FSTEC published the fastest, 75 percent were vulnerabilities for browsers or industrial control-related software. </p><p>In <a href="https://www.recordedfuture.com/chinese-vulnerability-reporting/">previous reporting</a>, we assessed the differing rates of vulnerability disclosure publications between the Chinese and U.S. national vulnerability databases and learned that the Chinese are much faster at disclosure on average than the United States. We examined the set of vulnerabilities published in 2017 to 2018 that were in common among the three national vulnerability databases and observed that Russian vulnerability disclosure dramatically lags behind both U.S. and Chinese disclosure. 
Russian vulnerability disclosure is not only incomplete, but also extremely slow.</p><p><img src="https://cms.recordedfuture.com/uploads/russian_vulnerability_analysis_7_f361d9e5f2.png" alt="russian-vulnerability-analysis-7.png"></p><p>Days of vulnerability disclosure delay across different national vulnerability databases.</p><p>To better understand how FSTEC selected vulnerabilities to disclose, we examined the technology vendors that FSTEC covered at a higher rate than expected given its overall coverage level of 10 percent. The black line in the two charts below (at the value for 10) represents the 10 percent of all vulnerabilities that FSTEC publishes. All vendors with coverage under 10 percent are considered under-covered, and all vendors substantially over 10 percent are considered over-covered.</p><p><img src="https://cms.recordedfuture.com/uploads/russian_vulnerability_analysis_8_8d8962ab3f.png" alt="russian-vulnerability-analysis-8.png"></p><p>Percentage of vendor CVEs covered by FSTEC.</p><p><img src="https://cms.recordedfuture.com/uploads/russian_vulnerability_analysis_9_70933cc3b2.png" alt="russian-vulnerability-analysis-9.png"></p><p>Percentage of vendor CVEs covered by FSTEC.</p><p>Similar analysis suggests that FSTEC significantly under-covered content management systems (such as WordPress, Joomla, and Drupal), as well as IBM and Huawei, compared to its baseline level of coverage across all technologies. 
</p><h4 id="coverage-of-russian-apt-vulnerabilities">Coverage of Russian APT Vulnerabilities</h4><p>In a 2016 Recorded Future <a href="https://www.recordedfuture.com/russian-apt-toolkits/">publication</a>, we provided an analysis of vulnerabilities used by Russian APTs, and in particular, which vendors were most widely represented.</p><p><img src="https://cms.recordedfuture.com/uploads/russian_vulnerability_analysis_10_aae2319f57.png" alt="russian-vulnerability-analysis-10.png"></p><p>Image from a Recorded Future blog, <a href="https://www.recordedfuture.com/russian-apt-toolkits/">Running for Office: Russian APT Toolkits Revealed</a>.</p><p>Vendors for all of these technologies were listed in the areas that FSTEC over-focused on. This means that FSTEC published far more than 10 percent of the vulnerabilities discovered for each vendor. However, each of these vendors produces some of the most widely used software in the world, and it would be reasonable to expect that Russian APT groups would target these technologies.</p><p>To explore this point more thoroughly, we also conducted an updated analysis of all vulnerabilities exploited by Russian APT groups in the last four years. Utilizing only vulnerabilities with a CVE number and those which were also published by U.S. NVD and CNNVD, we identified 49 vulnerabilities that had been utilized by Russian APT groups in that timeframe. </p><p>Thirty of those 49 vulnerabilities, or 61 percent, were published by FSTEC. This is substantially higher than FSTEC's average of 10 percent. Further, 18 of those 30 published vulnerabilities have been exploited by APT28, which has been <a href="https://carnegieendowment.org/files/CP_333_BrattbergMaurer_Russia_Elections_Interference_FINAL.pdf" rel="noopener noreferrer">attributed</a> to the Russian military's Main Intelligence Directorate (GRU). This amounts to FSTEC publishing 60 percent of vulnerabilities exploited by the Russian military. 
This is far outside FSTEC's statistical average of 10 percent.</p><p>Again, many of these vulnerabilities are for the most widely used software in the world. However, this abnormally high reporting rate for both the software vendors and vulnerabilities themselves raises two possibilities. First, since FSTEC's mission is to protect Russian government information systems, this indicates that Russian government systems utilize these programs and were themselves exposed to these vulnerabilities as well. This is further confirmation that examining FSTEC publications can yield insight into Russian government information systems.</p><p>Second, FSTEC is a military organization, has several <a href="https://fstec.ru/obshchaya-informatsiya/struktura" rel="noopener noreferrer">military intelligence members</a> on its board, and would regularly interact with military intelligence to protect classified systems. It is possible that military intelligence could be obligated to protect Russian state information systems with knowledge they possessed on vulnerabilities, or that Russian military hackers could be leveraging vulnerabilities published by FSTEC for their operations. </p><p>The public record and available data is not yet sufficient to determine the relationship between FSTEC and Russian state-sponsored cyber operations. However, it is clear that FSTEC's vulnerability database is utilized by Russian intelligence services in a different manner than CNNVD is by Chinese intelligence. In China, CNNVD delays or hides the publication of vulnerabilities being used by the intelligence services, while in Russia, it is possible that FSTEC publishes vulnerabilities being used by the intelligence services in order to protect against them. </p><p>The only high-coverage vendor covered by FSTEC but not listed above is Novell. </p><p>From our over-coverage analysis, we know FSTEC focuses on Adobe more than any other individual vendor by covering nearly half of all Adobe vulnerabilities. 
However, when we took a closer look at the Adobe vulnerabilities not covered by FSTEC, we observed that FSTEC has not published 386 Adobe vulnerabilities with a CVSS score of 10, or 871 Adobe vulnerabilities with a CVSS score greater than eight. FSTEC is not even comprehensive on vulnerability disclosure for the technology area in which the data clearly shows the most interest.</p><p>If FSTEC were a serious resource for vulnerability information, it would have to be faster and more comprehensive. Even FSTEC's <a href="https://bdu.fstec.ru/site/partners" rel="noopener noreferrer">corporate partners</a> do not claim to exclusively use the BDU database. We examine three hypotheses for why FSTEC publishes so few vulnerabilities below.</p><h4 id="technology-licensing">Technology Licensing</h4><p>A primary portion of FSTEC's technical control mission is to conduct <a href="https://fstec.ru/deyatelnost/gosudarstvennye-funktsii-i-uslugi/88-kratkaya-informatsiya-o-gosudarstvennykh-uslugakh/267-perechen-gosudarstvennykh-uslug-predostavlyaemykh-fstek-rossii" rel="noopener noreferrer">product reviews</a> and <a href="https://fstec.ru/litsenzionnaya-deyatelnost/tekhnicheskaya-zashchita-informatsii/76-inye/236-perechen02" rel="noopener noreferrer">issue licenses</a> to companies that want to sell their products in Russia. According to a <a href="https://www.reuters.com/article/us-usa-russia-tech-idUSKBN19E0XB" rel="noopener noreferrer">June 2017 Reuters article</a>, both the FSB and FSTEC conduct reviews of foreign technology including source code for security products such as firewalls, antivirus applications, and software containing encryption before permitting the products to be imported and sold in the country. 
The FSB reportedly utilizes certified partner companies to conduct some of the reviews, including a company called <a href="https://npo-echelon.ru/" rel="noopener noreferrer">Echelon</a>, which is also a <a href="https://bdu.fstec.ru/site/partners" rel="noopener noreferrer">partner to FSTEC</a> in administration of the BDU database.</p><p>According to <a href="https://npo-echelon.ru/services/licensing/" rel="noopener noreferrer">Echelon</a> and the websites of a number of other certified FSTEC partners,<sup>4</sup> the FSB is responsible for the reviews of cryptographic and encryption tools, while FSTEC issues licenses for the development or production and technical protection of confidential information. FSTEC licenses are broadly required for the production and sale of software in Russia.</p><p>Among <a href="https://bdu.fstec.ru/site/partners" rel="noopener noreferrer">FSTEC's partners</a> in administering the BDU, including <a href="https://dsec.ru/" rel="noopener noreferrer">Digital Security</a>, <a href="http://www.ispras.ru/" rel="noopener noreferrer">Institute of System Programming of The V.P. Ivannikova Russian Academy of Science</a>, <a href="http://rusbitech.ru/" rel="noopener noreferrer">Rusbitech</a>, <a href="https://www.altx-soft.ru/" rel="noopener noreferrer">All-Tech-Soft</a>, and <a href="https://amonitoring.ru/" rel="noopener noreferrer">Perspective Monitoring</a>, only Echelon claims to be able to assist customers with FSTEC, FSB, and MOD reviews.</p><p>However, unlike the FSB, FSTEC does not use partners or intermediaries to conduct its reviews. 
In October 2016, FSTEC <a href="https://fstec.ru/normotvorcheskaya/informatsionnye-i-analiticheskie-materialy/1186-informatcionnoe-soobschenie-0001" rel="noopener noreferrer">issued a clarification on its website</a>, stating that FSTEC does not interact with intermediaries and does not work with any private organizations in the provision of government services for licensing.</p><p>FSTEC publishes a registry of licensees for each certification it issues. Fourteen licenses have been issued in 2018 for the <a href="https://fstec.ru/litsenzionnaya-deyatelnost/tekhnicheskaya-zashchita-informatsii/72-reestry/217-reestr02" rel="noopener noreferrer">development and production registry</a>, while 66 <a href="https://fstec.ru/litsenzionnaya-deyatelnost/tekhnicheskaya-zashchita-informatsii/72-reestry/216-reestr01" rel="noopener noreferrer">technical protection licenses</a> have been issued this year (as of July 9, 2018). This is in contrast to the 140 development and production licenses and 293 technical protection licenses issued in 2017. </p><p>Many well-known international companies have received these certifications, including Honeywell, Alcatel-Lucent, Kaspersky, Huawei, Hewlett-Packard, Bombardier, Atos, and Symantec.</p><p><img src="https://cms.recordedfuture.com/uploads/russian_vulnerability_analysis_12_247614e5d1.png" alt="russian-vulnerability-analysis-12.png"></p><p>Timeline of foreign technology inspections conducted by FSTEC.</p><p>The <a href="https://fstec.ru/litsenzionnaya-deyatelnost/tekhnicheskaya-zashchita-informatsii/75-postanovleniya/225-postanovlenie-pravitelstva-rossijskoj-federatsii-ot-3-fevralya-2012-g-n-79" rel="noopener noreferrer">criteria for obtaining an FSTEC license</a> are so broad that it is difficult to assess which information from a software company would be deemed unnecessary to the approval process. 
Further, despite the different certification regimes and credentials, the <a href="https://fstec.ru/litsenzionnaya-deyatelnost/tekhnicheskaya-zashchita-informatsii/75-postanovleniya/224-postanovlenie-pravitelstva-rossijskoj-federatsii-ot-3-marta-2012-g-n-171" rel="noopener noreferrer">information</a> a company must share with FSTEC is very similar to that required by the <a href="https://fstec.ru/litsenzionnaya-deyatelnost/tekhnicheskaya-zashchita-informatsii/75-postanovleniya/224-postanovlenie-pravitelstva-rossijskoj-federatsii-ot-3-marta-2012-g-n-171" rel="noopener noreferrer">FSB for its licensure</a>. This includes extensive data on personnel, facilities, products, software production and testing, and more.</p><h3 id="outlook">Outlook</h3><h4 id="why-does-fstec-publish-so-few-vulnerabilities">Why Does FSTEC Publish so Few Vulnerabilities?</h4><p>As the research above demonstrates, FSTEC broadly publishes only about 10 percent of known vulnerabilities. The larger question is: why? Why waste resources on a vulnerability disclosure database that does not address 90 percent of vulnerabilities for its users? There are three likely hypotheses:</p><ol><li><p>FSTEC is vastly under-resourced and can only focus on key technologies for Russian users and key vulnerabilities of these technologies.</p></li><li><p>FSTEC is a military organization and is publishing just enough content to be credible as a national vulnerability database. The Russian government needs vulnerability research as a baseline for FSTEC's other technical control responsibilities, such as requiring reviews of foreign software.</p></li><li><p>FSTEC has a dual offensive and information security mission and publishes based on the competing needs. 
This would be similar to how China's NVD (CNNVD) functions.</p></li></ol><p>In <a href="https://www.recordedfuture.com/chinese-vulnerability-reporting/">prior research</a>, we disclosed that the <a href="https://www.nist.gov/itl" rel="noopener noreferrer">NIST Information Technology Laboratory</a> (ITL) employs about 400 scientific and technological staff and possesses a budget of roughly $120 million annually. The ITL comprises seven divisions and runs numerous databases and systems, including the U.S. NVD. In comparison, Russia's FSTEC has 1,111 employees, not including security, protection, or maintenance personnel, and a roughly comparable (if not slightly larger) bureaucratic structure and mission scope. While NIST ITL and FSTEC are not analogous organizations, this loose comparison does demonstrate that FSTEC is not vastly under-resourced for its mission and that reporting only 10 percent of published vulnerabilities is a function of choice and not due to resource constraints.</p><p>Further, FSTEC does not even provide adequate coverage of the technology it focuses on most. As shown in our example above, FSTEC has published about half of all Adobe vulnerabilities; however, it is still missing over 1,000 Adobe vulnerabilities with a CVSS of critical or high. If Adobe truly were that important to it, then FSTEC would not omit the publication of these vulnerabilities with the highest possible severity scores. This leads to the conclusion that FSTEC does not determine the need for publication simply by focusing on several key technologies. This also rules out hypothesis number one, that FSTEC is hugely under-resourced and does not have the personnel or capital to keep up with NVD.</p><p>Second, we find no evidence to support hypothesis number three, that FSTEC is following CNNVD's model in trying to balance public disclosure and offensive cyber missions. 
FSTEC is not a public service organization: its database is not comprehensive or timely and does not publish enough vulnerabilities to support a broadly protective mission. FSTEC's mission, instead, is very focused and specific: to protect Russian state and critical infrastructure systems and support counterintelligence efforts.</p><p>Additionally, FSTEC over-reports on vulnerabilities that have been exploited by Russian state-sponsored threat groups, while CNNVD delays or hides the publication of vulnerabilities that have been utilized by Chinese intelligence. If anything, FSTEC might be a little too focused in its support of Russian state information systems, as the few vulnerabilities it does publish yield insight into Russian government priorities and software.</p><p>Finally, we assess with high confidence that hypothesis number two accurately describes the mission and intent of Russia's NVD. This intent is that FSTEC's vulnerability database provides a baseline for state information systems and legitimate cover for foreign technology reviews. According to <a href="http://pravo.gov.ru/proxy/ips/?docbody=&amp;nd=102427980&amp;intelsearch=BDU" rel="noopener noreferrer">February 2017 amendments</a> to FSTEC documentation regarding inspection and requirements for state information systems, vulnerabilities in the BDU database are intended to provide a baseline of security, not a comprehensive vulnerability listing, for state information systems. This is further demonstrated by the surge in vulnerability publication during 2015, which was an experimental year for the database's future functionality and led to subsequent publication declines. 
Our research and data indicate that the BDU database is not intended to be comprehensive, but is simply a baseline for government information systems security and software inspections.</p><p>It is also possible that given the <a href="https://fstec.ru/litsenzionnaya-deyatelnost/tekhnicheskaya-zashchita-informatsii/75-postanovleniya/224-postanovlenie-pravitelstva-rossijskoj-federatsii-ot-3-marta-2012-g-n-171" rel="noopener noreferrer">functional</a>, <a href="https://fstec.ru/obshchaya-informatsiya/struktura" rel="noopener noreferrer">managerial</a>, and informal overlaps between FSTEC and the FSB, some of the BDU database's focus on the exact technologies Russian APT groups are known to favor could be derivative of FSB knowledge about its own operations and the exploitability of these technologies. There is minimal evidence to support this theory, aside from the overlap between the vulnerabilities that FSTEC over-covers and those most used by Russian APT groups.</p><p>To this end, the vulnerabilities that FSTEC does publish convey more information about the hardware and software Russian government organizations use on their networks than which vulnerabilities they will target in offensive cyber operations.</p><div id="footnote"><sup>1</sup>According to the <a href="https://www.dni.gov/index.php/ncsc-home" rel="noopener noreferrer">National Counterintelligence and Security Center</a>'s (NCSC) <a href="https://www.dni.gov/files/NCSC/documents/ci/CI_Glossary.pdf" rel="noopener noreferrer">Counterintelligence Terms Glossary</a>, counterespionage (CE) is a unique subset of counterintelligence and is the offensive, or aggressive, side of counterintelligence. 
CE is an offensive operation, a means of obtaining intelligence about the opposition by using (or, more usually, attempting to use) the opposition's operations.<p><sup>2</sup>This content was machine translated using <a href="https://translate.google.com/" rel="noopener noreferrer">Google Translate</a>.</p><p><sup>3</sup>Biographies of each regional head can be found under the   tab at <a href="https://fstec.ru" rel="noopener noreferrer">https://fstec.ru</a>.</p><p><sup>4</sup>See <a href="http://rusbitech.ru/about/certificate/" rel="noopener noreferrer">http://rusbitech.ru/about/certificate/</a>, <a href="https://www.ntcsiz.ru/site/view?id=1" rel="noopener noreferrer">https://www.ntcsiz.ru/site/view?id=1</a>, and <a href="https://www.altx-soft.ru/license.htm" rel="noopener noreferrer">https://www.altx-soft.ru/license.htm</a>.</p></div>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/insikt_cover_cta_2018_0716_pavlovs_digital_house_7efcd8b5b0.jpg" length="0" type="image/jpg"/>
        </item>
        <item>
            <title><![CDATA[Q4 Malware Trends: Year Punctuated by Ransomware and Data Breaches Concludes With Sophisticated SolarWinds Attack]]></title>
            <link>https://www.recordedfuture.com/q4-malware-trends</link>
            <guid>https://www.recordedfuture.com/q4-malware-trends</guid>
            <pubDate>Tue, 19 Apr 2022 04:58:06 GMT</pubDate>
            <description><![CDATA[This report continues our quarterly series analyzing trends in malware use, distribution, and development throughout 2020. Insikt Group used the Recorded Future® Platform to look at mainstream news, security vendor reporting, technical reporting around malware, vulnerabilities, security breaches, and dark web and underground forums from October 1 to December 31, 2020, to examine major trends in malware impacting desktop systems and mobile devices. ]]></description>
            <content:encoded><![CDATA[<p><img src="https://cms.recordedfuture.com/uploads/Primary_Logo_Insikt_Digital_RGB_45f99b2dc9.png" alt="Primary Logo - Insikt - Digital (RGB).png"></p><p><em><strong>Editor's Note</strong>: The following post is an excerpt of a full report. To read the entire analysis, <a href="https://cta-redirect.hubspot.com/cta/redirect/252628/a25a29e3-7a33-4b02-8de6-5a163c057776">click here</a> to download the report as a PDF.</em></p><p><em>This report continues our quarterly series analyzing trends in malware use, distribution, and development throughout 2020. Insikt Group used the Recorded Future Platform to look at mainstream news, security vendor reporting, technical reporting around malware, vulnerabilities, security breaches, and dark web and underground forums from October 1 to December 31, 2020, to examine major trends in malware impacting desktop systems and mobile devices. The trends outlined below illustrate the tactics, techniques, and procedures (TTPs) that had a major impact on technology. 
This report will assist threat hunters and security operations center (SOC) teams in strengthening their security posture by prioritizing hunting techniques and detection methods based on this research and data.</em></p><h3 id="executive-summary">Executive Summary</h3><p>In Q4 2020, ransomware operators continued to have an opportunistic mindset when conducting campaigns, putting more emphasis on data theft extortion to increase their chances of profitability. There was an increase in Egregor activity throughout the quarter, likely due to Maze ransomware operators shutting down. There was also an increase in Conti ransomware as use of Ryuk, a persistent ransomware family throughout the year, plateaued. </p><p>Arguably the most significant malware attack of 2020 was disclosed to the public in this period: the SolarWinds supply chain attack. This attack was significant due to the sophistication of the attack along with the volume of prominent organizations impacted, including United States government entities, along with several prominent technology companies and cybersecurity organizations. As this attack is still being investigated, it is likely that there will be more details released associated with victims targeted and infrastructure used. </p><p>Trickbot, a malware family that has been persistent and prominent throughout the year, went through notable changes in Q4 2020, as multiple organizations worked together to take down the malware's infrastructure before the November 2020 U.S. presidential election. While these efforts temporarily reduced Trickbot activity, the use of QakBot, a discrete loader malware, began to increase, likely as threat actors shifted away from Trickbot. </p><p>Lastly, Android malware continued to dominate the mobile malware landscape this quarter, with two new mobile malware variants emerging. 
While COVID-19-themed mobile malware activity dipped in Q3 after a high during the first half of the year, Insikt Group observed a resurgence of activity in Q4. This was especially true as virus cases increased and digital assets (websites, mobile applications, and so on) regarding the COVID-19 vaccine were released. </p><p><em><strong>Editor's Note</strong>: This post was an excerpt of a full report. To read the entire analysis, <a href="https://cta-redirect.hubspot.com/cta/redirect/252628/a25a29e3-7a33-4b02-8de6-5a163c057776">click here</a> to download the report as a PDF.</em></p>]]></content:encoded>
            <category>Research (Insikt)</category>
            <enclosure url="https://cms.recordedfuture.com/uploads/q4_malware_trends_80a13bdb36.jpg" length="0" type="image/jpg"/>
        </item>
    </channel>
</rss>