Going ‘Undercover’ on Dark Web Forums.

An important part of cyber intelligence and threat research is HUMINT (Human Intelligence): collecting intelligence from real people through direct interaction. The world of cyber crime is a thriving, chaotic ecosystem with a remarkable amount of structure, and it is a place where researchers and intelligence professionals routinely collect data through both HUMINT and OSINT (Open Source Intelligence). I’m going to talk a bit about what it really looks like down there, and what we really classify as ‘Dark Web’. In this case, ‘dark web forums’ won’t refer only to the ones that end in .onion, but to any underground forum used for illicit services and the exchange of illegally obtained data.

Blending In

As part of my job, I frequent dark web forums and chat groups to obtain information important to clients in relation to their businesses. This process involves creating what we call an ‘Avatar’. This avatar is a persona, something we craft to separate our real lives from the person we pretend to be in this underground world. Creating this persona is important to keep things distinct, and to have something to use when we do interact with the individuals in these communities. Not all instances require this, as a lot of information can be obtained through OSINT and passive discovery.

A lot of researchers and firms will talk about establishing trust when you use your avatar on these kinds of forums and chat groups, which is important, but honestly not as difficult as it sounds. Ultimately, as they say, “there is no honour among thieves”, and the distinction between trusted members of a community and scammers is thin in almost all of these communities. Many of them use escrow services and middle-man operations to help improve trust where money is involved, but simply being active in the community is a straightforward step towards building a reputation.

In my case, I specialise in Russian-language forums, and of course English-language ones. Some of them overlap, some are Russian-only, and having knowledge of the language is useful. My Russian is by no means effective enough to have complex discussions with anyone, but I read Cyrillic well, know the most common 100 or so words, and translate the rest. Even this basic level of language proficiency enables me to transliterate and understand what’s really being said, without falling victim to Google Translate inaccuracies (which you’ll commonly see a lot of researchers fall victim to). My passive understanding is improving somewhat through this work, though I wonder sometimes if I’ll end up with an odd tone and vocabulary from this learning source.

What It’s Like Down There

You might wonder why these forums even exist outside of the actual dark web, and it’s a good question. The truth is, much like the Tor network, it is important for these things to exist to provide law enforcement, governments, and intelligence analysts like myself a place to find illicit activity. It is the devil you know, and in this case a lot of these forums haven’t been taken down because they provide valuable information. They are also relatively resilient to takedowns in the short term, but this never stops law enforcement eventually.

Every minute of every day, thousands of messages, posts, and interactions occur on darknet forums and in chat groups on apps like Telegram. Individuals sell stolen passwords, accounts, credit cards (known as ‘Carding’), malware, phishing ‘kits’, and more. A huge proportion of these sales are scams, at least on the common black market group chats that sell accounts and financial information, but there are plenty of “trusted” avenues to get it. A lot of threat actors will obtain old data, or grab data from other sources for cheap, and attempt to sell it on or share it to improve their reputation in a more established community. This kind of behaviour accounts for some of the ‘scam’-type listings you see, and, if you frequent many forums, for why they all seem to carry similar sets of leaks or products.

Cyber criminals and adversaries on these platforms come from everywhere in the world – literally everywhere. Common forums are often in English, Russian, and Chinese, but there are many forums in other languages and communities, including Turkish, Arabic, Polish, French, Indonesian, Farsi, etc. Researchers have been able to attribute certain groups and individuals to state-sponsored operations, commonly in the Russian, Chinese, and North Korean circles (though the latter isn’t openly active in these larger communities the way the others are).

Collecting Intelligence

A big part of my work is to collect intelligence through OSINT and HUMINT sources, some of it generalised, but most of it specific to certain organisations. The first step in this process is gathering intelligence requirements. From each organisation I collect intel for, I have general intelligence requirements (GIRs), and priority intelligence requirements (PIRs). The latter are the things they really care about, and the former forms the entire scope of what they want to see. Ultimately, anything I can find through these sources that’s relevant will be provided to them, but many organisations care more about some things, and not at all about others.

When gathering the intelligence, I usually work down from OSINT sources, to underground forums with privileged access, to HUMINT sources. The latter is the hardest and requires the most dedication, so interacting with threat actors is something I only do when I believe they have specific and highly valuable intelligence for an organisation, and not something I do purely as an exercise in learning more about them or their activities – that’s for law enforcement (or more hardcore research). In summary, it is a chaotic environment down there, but there is a gold mine of valuable intelligence that can help organisations prioritise their cyber strategy and respond to events before they even occur.
