The Darknet & Advanced Cyber Threats – Exploiting Your Weaknesses
Advanced Persistent Threat (APT) groups have been utilising the Darknet to infiltrate large corporations and steal significant amounts of data since at least 2016, and we estimate that there are around 100 active groups globally – of which over 90% are backed by hostile nation states and are either a function of a nation’s military or intelligence branches, or are directly or indirectly funded and supported by their government. There is no doubt that some APTs are more sophisticated than others. Russian APTs, for example, are much more advanced than those from Iran, and the long-term goals of Chinese APTs are different to those operating out of North Korea.
In late 2019, APTs – especially those associated with Russia and China – began to move away from standard phishing attacks to utilising the Darknet and, certainly with the case of Russia, combining data extraction with ransomware to create a ‘Double Extortion’ attack.
Once access into the corporate network has been achieved, an APT spends weeks – if not months – extracting data from a target. By utilising a connection to the darknet, these gangs can exfiltrate huge amounts of data in small chunks over an extended period, so that no single transfer is large enough to trip a volume alert. For this, they look for poorly monitored and outdated systems – especially those networks which contain Industrial Control Systems, which makes the energy, pharmaceutical, and consumer goods sectors particularly inviting.
Once the data has been exfiltrated, an APT may attempt to launch a ransomware attack – from inside the organisation’s own network, thus bypassing all the perimeter security measures. The organisation might have to pay the ransom to decrypt all its computers, but if it manages to restore service without paying the ransom (by having offline backups, for example), the APT will then still demand a payment for deleting the data it has stolen, or it will release it on to the dark web. This change in approach has been driven by companies undertaking work to recover quickly from ransomware attacks. Cyber criminals needed a new angle to extract funds, and a lack of consistent darknet surveillance in most organisations has provided the holes they need to gain access and do their business.
When brewing giant Brown-Forman was recently attacked by a Russian APT group known as ‘Gold Southfield’, the group was quick to publicise that it had apparently stolen over 1TB of data from the company before attempting to deploy the REvil malware on their systems – that’s a significant amount of data, since stealing a Terabyte is equivalent to not just stealing a single car from an airport car park, but all of the cars parked there. The attack demonstrates the lengths these APT groups will go to in order to achieve their aims.
Able to loiter undetected in an organisation’s network for many months – IBM’s 2020 Data Breach Report states it takes an average of 280 days to identify and contain a breach – an APT has plenty of time to do its homework, which means it is well aware of how much ransom it can reasonably demand from the victim. On top of that, the victim may also have to pay out to repair the damage caused to their systems and any regulatory fines. IBM puts the average cost of an attack at £2.94 million.
APTs continue to evolve their tools and tactics, and they are now fully exploiting the fact that organisations are not able to effectively monitor for darknet traffic in and around their networks. Organisations need to address this key vulnerability quickly by utilising darknet surveillance if they want to thwart the steady wave of new attack vectors on the horizon. Being able to detect the presence of APT groups around corporate networks will become a ‘must-have’ for many organisations, in order to prevent significant data theft and extortion, and those that incorporate robust surveillance and alerting tools as an integral part of their cyber defence programmes will be in a stronger position to meet these future threats.
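The two detection points raised above – that chunked exfiltration over weeks slips under per-transfer volume alerts, and that organisations need to watch for darknet traffic around their networks – can be illustrated with a small detector. The following is an added example written for this article, not code from the author or from any product it refers to. It runs over constructed NetFlow-style records (not real logs) and a hypothetical watchlist of darknet relay addresses drawn from documentation IP ranges; in practice the watchlist would come from a threat-intelligence feed and the flows from the organisation’s own collectors. It contrasts a naive per-flow threshold with a sliding-window sum of bytes sent to watchlisted destinations per host.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records in a NetFlow-like CSV layout:
# timestamp,src_host,dst_ip,dst_port,bytes_out.  These are not real logs.
SAMPLE_FLOWS = "\n".join(
    # 20 nightly 5 MB uploads from one workstation to a watchlisted relay
    [f"2021-03-{d:02d}T02:15:00,ws-finance-12,198.51.100.7,443,5000000" for d in range(1, 21)]
    # one large, legitimate backup to an internal server
    + ["2021-03-05T23:00:00,ws-eng-03,10.0.0.5,445,60000000"]
    # routine small traffic to a public address that is not on the watchlist
    + [f"2021-03-{d:02d}T09:00:00,ws-hr-01,192.0.2.10,443,120000" for d in range(1, 21)]
)

# Hypothetical watchlist of darknet relay/exit addresses (documentation-range IPs).
# A real deployment would load this from a threat-intelligence feed.
DARKNET_WATCHLIST = {"198.51.100.7", "203.0.113.21"}


def parse_flows(text):
    """Parse CSV flow lines into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def per_flow_alerts(flows, threshold_bytes):
    """Naive rule: flag any host that sends a single flow above the threshold.
    Chunked exfiltration never triggers this, because each chunk is small."""
    return {f["src"] for f in flows if f["bytes"] > threshold_bytes}


def cumulative_darknet_alerts(flows, window, threshold_bytes, watchlist=DARKNET_WATCHLIST):
    """Flag hosts whose bytes to watchlisted destinations, summed over any sliding
    window of the given length, exceed the threshold.  Returns {host: peak_bytes}."""
    per_host = defaultdict(list)
    for f in flows:
        if f["dst"] in watchlist:
            per_host[f["src"]].append((f["ts"], f["bytes"]))

    alerts = {}
    for host, events in per_host.items():
        events.sort()
        start, running, peak = 0, 0, 0
        for ts, nbytes in events:
            running += nbytes
            # Drop events from the left until the window fits the current timestamp.
            while ts - events[start][0] > window:
                running -= events[start][1]
                start += 1
            peak = max(peak, running)
        if peak > threshold_bytes:
            alerts[host] = peak
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    limit = 50_000_000  # 50 MB
    print("per-flow rule:", per_flow_alerts(flows, limit))
    print("30-day darknet sum:", cumulative_darknet_alerts(flows, timedelta(days=30), limit))
    print("7-day darknet sum:", cumulative_darknet_alerts(flows, timedelta(days=7), limit))
```

With a 50 MB threshold the per-flow rule only sees the 60 MB internal backup, while the 30-day watchlist sum surfaces the workstation that moved 100 MB to a relay in nightly 5 MB pieces; a 7-day window is too short and misses it, which is why the window should be sized to the dwell times the article describes rather than to a single shift or day.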