At the Black Hat USA 2019 cybersecurity conference in Las Vegas, CNET and CBS News Senior Producer Dan Patterson spoke with IntSights' Charity Wright about cybercrime, the Dark Web, and cybersecurity laws. The following is an edited transcript of the interview.
Charity Wright: I think a lot of people think of the Dark Web and think about black websites with forums and chat rooms. But actually, surprisingly, it looks very normal, like the clear web, except they're just talking about criminal topics.
One thing about the Russian Dark Web is that it's the biggest and has been around the longest. The Russians created the Dark Web back in 1997. It started off with very basic user interfaces, and now it's websites that have been around for over a decade, deep forums, message boards, marketplaces. The Dark Web in Russia is actually a legitimate business. Millions of dollars are being made off of, you name it: cybercrime, malware, zero-days, but drugs and human trafficking as well.
There are a few things that we've been researching lately that tend to be trending and that don't exist in other languages on the Dark Web. And one thing that we've noticed lately is that insider trading is a really big issue. So we're talking about Russians working inside government agencies in Russia, working for ISPs and telecom companies, that are selling insider information on the Dark Web. That's something we don't see elsewhere, and it's actually really successful so far.
Not necessarily regarding trading, but we're talking about valuable information that could be used to exploit certain assets. So for example, one topic that we saw a post on recently was offering cell phone tracking services for sale. The individual worked for a telecom company inside Russia, and they're selling geolocation services. So if I give you a cell phone number, you'd be able to track down, within a couple of miles, where that cell phone is located. But not just location; also call logs and text message logs too.
We’re seeing unique information come out of there because they’re technically way more advanced than other users of the Dark Web around the world. Russians are far advanced and ahead of the game. So for example, earlier this year before the BlueKeep vulnerability was disclosed, there were Russian threat actors on cybercrime forums talking about this vulnerability, creating exploits for it and testing it before anybody else had been talking about it. So they’re ahead of the rest of the world. And I think there’s many environmental factors that contribute to that culture of criminality in the Russian Dark Web. And one is that the government just turns a blind eye to most of it. If it’s not specifically negatively affecting the Russian government or Russian entities, they turn a blind eye to the crime. It’s almost like they’re giving permission to criminals to use this Dark Web forum for crime and business.
Basically, in Russia, it's free game. The Russian government has no accountability. They don't hold these people accountable for their actions. So if they're trying to exploit an American or a British or Australian asset, whether it's for moneymaking opportunities or on behalf of the state, they're not being punished or held accountable for that behavior. So it's free game, and then you create this competition, and everyone is trying to make the most money off of the opportunity. As far as adversaries go, state-sponsored threat groups are not operating in the Dark Web like cybercriminals are. The Russian government has these huge advanced persistent threat groups, basically cyber operatives. They have hundreds of people working on behalf of the state, and they don't really have a need to be in the Dark Web negotiating sales and conducting criminal activity; they work for the state.
An APT group is basically a sophisticated cyber operation funded by a government of a nation-state, in this case, Russia. There’s several different threat groups. They’re usually given a specific objective that serves the needs of that government or military.
We have a combination of automation with artificial intelligence that does a lot of scraping of Deep and Dark Web forums, but we also have an analyst team of almost 30 people right now. And we're based in Israel; most of our analysts are from Unit 8200, a famous Israeli cyber operation. And then some of us are from the National Security Agency in the US as well. So very experienced cyber intel analysts, and we're out there digging through the forums. So the way it usually works is we create these avatars, anonymous profiles, that we operate under, and we spend years maintaining this avatar and its reputation anonymously. We are negotiating with threat actors on the Dark Web forums. We are monitoring what's going on, seeing what's trending, bouncing ideas off of other hackers, and keeping an eye on what's going on. So there's a very important human element to it, and I think that a lot of security programs are trying to automate everything, but we're talking about a human adversary, and I think it takes a human intelligence analyst to counter that or to collect on it from an intelligence perspective.
We have analysts that specialize in certain languages, Russian being one of them. I specialize in Mandarin Chinese. But our Russian linguists and analysts are in these forums building relationships with other hackers. Just talking story, tutoring each other, mentoring each other. And so, for instance, when we need to make a Dark Web purchase, we will purchase some malicious information from a threat actor to take it off the market. And we're doing that on behalf of our customer. Let's say the hacker posts a certain malware for sale or access to a server; then we will approach them through their preferred method of instant messaging. That's usually how it goes. You can say, "Hey, I'm interested in this," and he'll say, "Message me on this app," Telegram or whatever he uses, and then we message them, and that's where the negotiation happens, in private. One of the important linguistic processes is making sure that we have native speakers engaging in their native language so as not to give away, necessarily, who it is and where we're from.
We focus on cybercrime, and we focus on specific threats, cyber threats, to our customers, but the majority of the Dark Web is not cybercrime. The majority of the Dark Web is drug trafficking and human trafficking, and unfortunately, we’re exposed to a lot of that stuff during our analysis process. In the past, I’ve worked with human trafficking groups. We mentor people that are rescued, so I’m trained in that, but if you’re not trained and prepared, it can be really shocking when you come across some stuff like that.
In Vietnam, we saw that after the cybersecurity laws were created, which severely restricted how people are using the internet in that country, there’s been a migration to Dark Web for anonymity from the government. It’s different in Russia because Russian citizens, they’re restricted from using certain websites like LinkedIn, GitHub, Wikipedia, so they’ll use Dark Web or Tor browser or other anonymizers to access sites like that. But in general, they don’t have to hide criminal activity from their government as much. So it really depends on the country and the laws that they have there.
It depends on the region where that threat actor is; they tend to use certain messaging apps. Whatever’s legal, allowed, unrestricted in that area.
Well, I mean, given the geopolitical history of Hong Kong and then being reintegrated and the Chinese government trying to implement their laws, their control over these people, I think it’s obvious that they’re not putting up with it. And I thought it was really interesting how they’re trying to evade the surveillance cameras using lasers. Did you see that? That’s really interesting in the news. So they’ve got all these protestors, and they’re using lasers pointed at the surveillance cameras to block their face out to avoid being punished by the government. That’s pretty smart.
So I recently did a talk about how new internet laws are changing the cyber landscape around the world, and one of the focuses is on China. I try to take my Western spin-off of this and say that China is the best at surveillance efforts. They are the epitome and the pinnacle example of what a surveillance state should look like if that would be the goal of a nation-state. That’s how I’m trying to state it. That being said, they’ve recently been implementing even more strict control over how people are behaving socially, legally. So we know that they’re far advanced in artificial intelligence and facial recognition technology, and they’re utilizing that to monitor their citizens. The rest of the world is freaking out like, “This is very futuristic, this makes us feel very uncomfortable, we don’t like being watched in Western countries.” The perspective in China is a little bit different and a lot of the citizens have told me, “We feel safe because the government is controlling crime and terrorism and so we get to operate in our normal lives and as long as I’m doing the right thing, I don’t have to worry about what they’re using this camera footage for.”
And I find that fascinating because then a few days later we hear about tourists coming in through the Xinjiang border where there is a large minority group that is being monitored and suppressed by the Chinese government. Tourists coming in through that border are being forced to download malware, basically, applications on their cell phones that scan for over 73,000 different types of files that the Chinese government may find objectionable. It could be pornography, it could be terrorist files or rhetoric, but what they’re looking for is actually related to minority groups that they are trying to suppress in China. And so we see that they will stop at nothing to know what’s going on within their borders and they have complete control over all of the internet infrastructure because of The Great Firewall. And now with this huge surveillance effort, we’re watching something big happen in the world, and it starts there, but it has implications for the rest of the world. Because the rest of the world, especially communist governments like Vietnam, are looking at China as a prime example of how to control data within their borders. And how to monitor everything that happens.
It’s fueling their intelligence agencies; it’s fueling their cyber operations, so it’s pretty interesting. We’re monitoring and watching how these new laws are actually going to start changing things.
I can't answer directly as an IntSights analyst because we are monitoring more cybercrime and not necessarily geopolitical situations. Personally, I find the topic intriguing as I specialize in the APAC region and I'm monitoring it, but we're not doing a lot of specific research on how the protestors in Hong Kong are using Telegram. We know how cyber threat actors are using it, and we have to assume that if users in China are using these applications, they're connected to Chinese cellular telecom providers, or they're connected to Wi-Fi in China, they're being monitored by the government. Their conversations are accessible. All of that messaging traffic is accessible to the government.
Well, I have to separate my role in the US military and my knowledge of what’s happening around the world from what I know in the Dark Web. And they have very segregated cybercriminal organizations and infrastructure. So for instance, in China, they’re really using the clear web to communicate in cryptologic language about crime because they’re not allowed to use the Dark Web. So they’re trying to hide from the government what they’re doing using, “I’m going to mom’s for noodles tonight,” but they’re really talking about, “Hey, let’s meet up to trade drugs” or whatever. Whereas Russians, their government doesn’t control their Dark Web usage and therefore it’s the biggest landscape of Dark Web in the world. So I don’t see a connection yet, but that’s not to say it won’t happen.