Reapers, Cryptos, and More: Our Top 5 Research Pieces From 2018

January 8, 2019 • Zane Pokorny

At Recorded Future, our technology has enabled research that pulls back the covers on places our opponents would rather we didn’t. In 2018, our threat analysts made some truly substantial findings — we found sensitive documents on military drones for sale on the dark web, looked at trends in cybercriminal use of cryptocurrency, and identified patterns in the tactics, techniques, and procedures of Chinese and Russian hackers and government agencies.

Understanding the underlying motivations of different cybercriminals is one of the things threat intelligence is uniquely suited to provide — context that helps you understand your foes is essential to preventing their attacks.

Most of this research is produced in-house by our very own Insikt Group (“insikt” is Swedish for “insight”), a team of expert analysts who each have on average over a decade of experience in fields like law enforcement, intelligence, and incident response. As we step into the new year, we thought we’d highlight some of our best and most popular pieces of research from 2018, in case you missed any of them.

1. Military Reaper Drone Documents Leaked on the Dark Web

The Insikt Group regularly monitors criminal activities across the dark web as part of their research. In June 2018, our team came across the attempted sale of highly sensitive U.S. Air Force documents, including maintenance documents relating to the MQ-9 Reaper unmanned aerial vehicle (UAV).

The team was able to contact the hacker involved and confirmed the authenticity of the leaked documents, which also included an M1 Abrams maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device (IED) mitigation tactics.

The hacker used a previously disclosed vulnerability in Netgear routers to gain access to the documents through the computer of a member of the U.S. military stationed at Creech Air Force Base in Nevada, where the U.S. Air Force’s 432d Wing operates Reaper drones.

This report, which was picked up by major publications like CNN, Forbes, and The Wall Street Journal, highlighted how “a single hacker with moderate technical skills [can] identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time,” providing “a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve.”

2. Litecoin Emerges as the Next Dominant Dark Web Currency

Cryptocurrency has been a game changer for cybercriminals, allowing them to conduct major transactions (and ask for ransoms in malware attacks) in relative privacy without needing to launder their money through more reputable institutions like banks. But crypto hasn’t exactly been stable, either. Beyond the heavily fluctuating value, Bitcoin in particular has suffered from rising mining and transaction costs, making it increasingly infeasible for day-to-day use.

As early as 2016, criminals began voicing their dissatisfaction with the performance and cost of Bitcoin and looking for alternative cryptocurrencies (the term “altcoin” refers to any cryptocurrency that isn’t Bitcoin). Insikt Group took a deep dive into 150 of the biggest message boards, marketplaces, and illicit services on the dark web and determined that Litecoin was quickly becoming the second most popular cryptocurrency after Bitcoin.

This story, which was picked up by Bloomberg and Fortune, also highlighted some of the quirks of the cybercriminal underground, including how many of them see themselves as business people like any other who happen to be involved with illegal activities. Take this statement from one Russian-speaking user on a criminal discussion board, which would not be out of place in a Yelp review:

3. Iran’s Hacker Hierarchy Exposed

In our increasingly digital world, cyberattacks continue to become more devastating tools in the arsenal of nation-states seeking to undermine their enemies. That’s certainly been the case for the Islamic Republic of Iran, which since 2009 has regularly responded to sanctions or perceived provocations by conducting offensive cyber campaigns.

For this research piece, Insikt Group interviewed a former Iranian hacker who started one of Iran’s first security forums and gathered further information through the Recorded Future platform, third-party metadata, and open source intelligence (OSINT) techniques. They determined that Iranian cyberattacks against the West were likely to follow the economic sanctions levied against Iran by the United States in May 2018, with the highest-risk targets being banks and financial services, government departments, critical infrastructure providers, and oil and energy institutions.

They also examined the hierarchical structure of state-sponsored Iranian hackers, finding that Iranian cyber operations are usually conducted through a tiered approach, in which an ideologically and politically trusted group of middle managers translates intelligence priorities into segmented cyber tasks, which are then bid out to multiple contractors who are pitted against each other.

Given the Iranian government’s baseline of paranoia and propaganda, the situation creates unique trade-offs in Iran’s government-sanctioned offensive cyber campaigns — “individuals with demonstrated adherence to the government’s ideology and individuals with the greatest offensive cyber skills are almost always mutually exclusive,” the report finds.

4. Thieves and Geeks: Russian and Chinese Hacking Communities

Are hackers all motivated by the same objectives and ideologies across cultures, or do unique subcultures emerge in different parts of the world? In this analysis, Insikt Group took a close look at Russian and Chinese hacking communities and identified stark differences between the two. To gather information, researchers analyzed advertisements, posts, and interactions within hacking and criminal forums, finding that each country’s hackers had their own codes of conduct, payment methods, motivations, and more.

Generally, Russian hackers can be characterized as valuing money above anything else, and their practices give weight to the old adage that there’s no honor among thieves. Russian underground forums are places of business, not communities — reputations are tied to how consistently good your product is and how reliable you are, far more than to any shared patriotic spirit or anything else. Lose your good reputation, and you’ll be blacklisted.

Chinese hackers, on the other hand, appear much more closely bound together by patriotism and “geek spirit,” a translated term that denotes a hacker culture that seeks to create a better society. Chinese cyberattacks are often politically motivated and driven by a sense of community.

5. Chinese Cyberespionage Originating From Tsinghua University Infrastructure

In August 2018, Insikt Group found evidence of Chinese cyberespionage against various targets, including communities in Tibet, that originated from infrastructure registered to Tsinghua University, an elite Chinese academic institution.

The research highlighted a few key characteristics common to Chinese cyber activity — the depth and scale of sophisticated techniques used by the Chinese state against perceived domestic threats like Tibet, their savvy use of cyber activity in support of their economic development goals around the world, and the blurred lines between third-party and state-sponsored actors in the country.

“The People’s Republic of China (PRC) claims sovereignty over Tibet and regards all Tibetan independence movements as separatist threats,” Insikt Group explains in this piece, which was picked up by Reuters. “While the PRC uses many forms of coercion against the Tibetan community, cyberespionage against Tibetan targets has become a frequently used tool, especially during times of heightened tensions.”

And regarding China’s use of cyber activity to further their development goals, Insikt Group found network reconnaissance activities conducted from the same Tsinghua University infrastructure targeting various geopolitical organizations — groups like the Alaska state government, the United Nations office in Nairobi, and the Kenya Ports Authority — at the same time that those groups had dialogues with Chinese representatives.

Stay Informed Daily

Our biggest stories and research pieces will continue to be shared publicly right here on our blog, but if you’re looking for an easy and quick way to get more threat information, try out our Cyber Daily newsletter.

Sign up for it now to get daily top trending results on technical indicators as reported by the web — free and all in one place. For security professionals, it’s one of the best ways to start your day.