In the wonderful world of cyber threat intelligence and research, we often analyze the impact that cybercrime or nation-state activity has on the cyber threat landscape. Digital Shadows (now ReliaQuest)’ latest research, for example, includes analysis on recent ransomware attacks, new methods used in cybercriminal extortion, advanced persistent threat (APT) activity, dark web marketplace news, criminal forum member behavior — the (very exciting) list goes on!
Yes, we love writing about new discoveries and breakthroughs in the dynamic and ever-evolving cybersecurity realm, but this time around, we wanted to switch things up and flip our modus operandi on its head. Let’s talk about law enforcement and their impact on the cyber threat landscape.
The information security industry has been rocked by news of arrests on top of arrests, spanning between individual threat actors, nation-state affiliate groups, and drug-pushing cybercriminals. In response to this, we’ve been mulling over what this means for the threat landscape as a whole. Is this the end of the dark web golden era? Will cybercriminals be held accountable for their dirty deeds? Only time will tell, but we want to try and make a few inferences about what may be on the horizon, specifically as it relates to:
In 2016, a hacking group known as The Dark Overlord (TDO) began terrorizing and extorting organizations and quickly became known to extort medical providers and sell stolen medical records. In 2017, the group made headlines for extorting media companies, like Netflix, and threatening to leak advanced copies of their products if they did not meet the ransom. Later in 2017, TDO successfully targeted Johnston Community School District in Iowa and leveraged their stolen data to send text messages to students’ parents, including threats of killing students at the high school. Additionally, TDO dumped the stolen data on Pastebin and stated the data was released to “help child predators.”
Nathan Francis Wyatt had been part of TDO since 2016; he was responsible for contacting victims and demanding ransom payments. However, as many criminals do, he made a mistake: Wyatt registered phone numbers in his own name and used them to contact some of the victims. Through this, law enforcement connected him to the group, and Wyatt was arrested in the UK in 2017 and extradited to the US to face charges in December 2019.
In a St. Louis federal court, Wyatt pleaded guilty to identity theft and computer fraud charges. He reportedly apologized for his part in TDO attacks and stated he never wanted to touch a computer again. He was sentenced to five years in prison and ordered to pay USD 1.4 million in restitution to the group’s victims. In court, Wyatt admitted that the group obtained sensitive data from companies and threatened to release the data unless the companies paid a ransom of between USD 75,000 and 350,000.
TDO does not appear to have been active since January 2019.
In May 2018, Serbian authorities arrested another TDO-associated member; however, further details have not been released. TDO has always claimed to be a three-person team, and with two of the members arrested, it’s likely that their operations are significantly affected. The remaining member attempted to recruit new members by posting on the now-defunct hacking forum, KickAss, which ceased operations a few months later. An unsuccessful attempt to recruit new members indicates that law enforcement potentially succeeded in creating fear among cybercriminals, at least when operating with this trio.
Wyatt’s arrest and conviction may have steered threat actors away from working with TDO. Still, given the ransomware groups’ activity throughout 2020, law enforcement was not ultimately successful in driving groups away from extortion tactics. With some groups reporting more than USD 29 million made since March 2020, it’s likely we won’t see a decline in these attacks anytime soon.
On 22 Sep 2020, a joint international operation resulted in the arrest of 179 individuals and the seizure of USD 6.5 million and 500 kilograms of illicit substances. The successful outcome of Operation DisrupTor (pause for appreciation of the operation name) elicited some strong words from the head of Europol’s European Cybercrime Centre (EC3). According to the EC3, “the hidden internet is no longer hidden, and your anonymous activity is not anonymous,” followed by Europol claiming that “the golden age of the dark web marketplace is over.”
This prompted us to take a retrospective look at the history of dark web marketplaces, a gander down dark web memory lane if you will. How can one forget Silk Road and the “Dread Pirate Roberts”? Launched in February 2011, Silk Road was one of the first dark web marketplaces to conduct sales using the then-strange concept of Bitcoin. It quickly gained notoriety and popularity, but popularity drew attention from criminals and law enforcement alike. In 2013, as a result of action taken by the FBI, Silk Road was no more, and other dark web marketplaces took off in the wake of its demise. Dread Pirate Roberts, Silk Road’s founder, received a life sentence, which was likely meant to be a deterrent. Still, some reports claim that dark web activity and drug listings multiplied after the fall of Silk Road.
In a post-Silk Road dark web world, it was only a matter of time before a new market took over the reins. Silk Road 2.0 was created by some of the former Silk Road admins, but its tenure didn’t last: the FBI and the UK’s National Crime Agency took it down via Operation Onymous. Enter Agora marketplace, which survived Operation Onymous and, in April 2015, surpassed the number of listings that Silk Road maintained at its height. Many dark web criminals were victims of exit scams during this time frame, in which marketplace admins close down shop and take everyone’s funds. However, Agora remained a key contender for dark web marketplace supreme until its disappearance in August 2015, which paved the path for the alpha of dark web marketplaces, AlphaBay.
AlphaBay took over a large portion of Agora’s customers and vendors and, by October 2015, held the dark web marketplace crown. That is, until its downfall in July 2017 at the hands of Operation Bayonet, one of the most significant shakeups of the dark web marketplace landscape. The removal of AlphaBay and Hansa sent a message to the criminal underground: law enforcement agencies maintain a presence in these marketplaces. They even put an ominous seizure splash page over AlphaBay and Hansa.
Following AlphaBay and Hansa’s fall, Dream Market reigned supreme for a while, alongside other notables such as Empire and Apollon. A more recent example of a marketplace that got the law enforcement treatment was Wall Street Market (WSM). WSM, at its peak, was booming with more than a million user accounts and 5,400 vendors. On 23 April 2019, rumors of an exit scam emerged as WSM admins claimed the site was going down for “maintenance.” As a part of that “maintenance,” the admins transferred customers’ funds to their own accounts. Reports indicate WSM admins may have initiated an exit scam because of looming law enforcement activity. It’s also possible that reports of a potential exit scam caught law enforcement’s attention, and they wanted to catch the responsible parties before they got away and went into hiding. Regardless, WSM ceased operations in May 2020.
Clearly there is a trend here: a dark web marketplace is created, the marketplace becomes popular, the marketplace is taken down, rinse and repeat. While Operation DisrupTor (again, kudos to whoever is naming these things) was, in many ways, a successful operation and a landmark for law enforcement activity from a dark web marketplace perspective, the belief that the “Golden Era” of dark web market activity is over is a bit far-fetched. It would be naive to assume that cybercriminals are unaware of law enforcement representatives maintaining a presence in these forums and marketplaces. In turn, this presence doesn’t stop them from continuing their wicked ways, as the risk of being caught does not, and likely will not, outweigh the monetary reward they are achieving. The historical seizures of dark web marketplaces and marketplace exit scams have continually resulted in successor marketplaces quickly taking over as top dog.
More than likely, law enforcement takedowns will serve as a powerful reminder of the importance of operational security (OPSEC). OPSEC is not only reinforced in the security world; criminals practice it just as much, if not more. The screenshot accompanying this post illustrates the level of detail that threat actors put into their OPSEC practices.
As law enforcement agencies continue to grow in their capabilities and establish footholds within the criminal underground, criminals will continue to adapt and adjust their tactics to circumvent compromise. That’s just how it has always been, and what would law enforcement agencies be without criminals? Batman needed the Joker, The Beatles needed The Rolling Stones, even Diane Sawyer needed Katie Couric.
Last week, the Department of Justice (DOJ) announced that it had tracked down and charged five members of the suspected People’s Republic of China (PRC) state-sponsored group APT41 (aka Winnti Group). The hackers belonging to this group had become notorious for launching supply-chain attacks and intruding into more than 100 technology companies and government entities worldwide. The group was also responsible for what some would consider unethical attacks, such as an incident in which the group launched a ransomware attack on a non-profit organization dedicated to combating global poverty.
Two Malaysian businessmen who conspired with the group were also arrested and charged with the aid of Malaysia’s government. The five accused members are PRC nationals and remain fugitives in that country. While law enforcement could not arrest all individuals involved, the FBI released a wanted poster on its website, exposing each member’s name and picture.
The court charged Zhang Haoran and Tan Dailin with 25 counts of aggravated identity theft, conspiracy, wire fraud, money laundering, and violations of the Computer Fraud and Abuse Act (CFAA). Court records also stated that Zhang and Tan participated in a “video game conspiracy,” in which the group targeted video game companies and sought to generate video game currency to sell for a profit. Tan had also previously been known to run a fraudulent anti-virus company named “Anvisoft.” (FBI wanted poster: https://www.fbi.gov/wanted/cyber/apt-41-group)
The other three members, Jiang Lizhi, Qian Chuan, and Fu Qiang, were charged with nine counts of racketeering conspiracy, conspiracy to violate the CFAA, identity theft, aggravated identity theft, money laundering, and access device fraud. These three members were associated with a Chinese company called Chengdu 404 Network Technology, which acted as the legal front for the members’ activities.
Considering the Chinese government allegedly sponsored the group, arrest and extradition may not be possible for China’s five fugitives. The charging documents even stated that the group’s connections with the PRC led the criminals to believe that they had been given a “free license to hack and steal across the globe.” However, the indictment sent a strong and powerful message: the United States is cracking down on cybercriminal activity and will do everything in its power to bring justice. FBI Deputy Director David Bowdich stated:
“Today’s announcement demonstrates the ramifications faced by the hackers in China, but it is also a reminder to those who continue to deploy malicious cyber tactics that we will utilize every tool we have to administer justice. […] This case demonstrates the FBI’s dedication to pursuing these criminals no matter where they are, and to whom they may be connected.”
Is this indictment likely to deter future activity from APT41 and other nation-state threat actors? Perhaps not, but it is a step in the right direction. The arrests in Malaysia have shown that threat actors will be brought to justice for crimes against the United States whenever it is possible. Furthermore, it will remind threat actors that cyberattacks against the US will not be without consequences.
Ideally, we would love to say that these law enforcement actions have spooked criminals into dropping off from the cybercriminal scene altogether; however, it’s not realistic. While we are still monitoring for chatter surrounding behavioral changes, criminals will likely continue to carry out their wicked schemes. There’s still so much more money to be made and intelligence to gather.
Online users will likely comment that these events are a reminder of the importance of OPSEC and of not getting complacent. Cybercriminals will probably treat law enforcement action as a learning experience and improve their methodologies in the future. As the story goes, it’s always the good guys trying to catch up to the bad, and that will continue to be the case.
The significance of law enforcement coalitions tackling cybercriminal vendors on marketplaces, and their ability to track down vendors, may encourage criminal marketplace administrative teams to take more security-aware approaches, such as implementing PGP encryption and two-factor authentication (2FA), and leveraging Monero (XMR) to avoid tracking. Ultimately, cybercriminal marketplaces still have a purpose; it just might be in a different guise from what it is now. While this may be the end of the golden era of marketplaces as we currently know them, vendors will still need to advertise via an open platform to acquire as many buyers as they can.
While many law enforcement entities have adjusted their processes to enable nation-state threat actor arrests, there’s still plenty of red tape to consider, such as extradition laws. Law enforcement has progressed leaps and bounds throughout the last decade; however, many government-sponsored threat groups remain protected. As nation-state operations are investigated and pieced together, the US will likely continue to file indictments against associated actors to add pressure and bring awareness to current cybersecurity events.
We still have a way to go when it comes to holding criminals accountable for their dirty deeds. We look forward to seeing policy changes, improvements, and progression in law enforcement activity and its impact on the cybercriminal threat landscape.