The term advanced persistent threat (APT) refers to cyber criminals with sophisticated capabilities and strong motivations - whether political (state-sponsored), financial (cybercrime), or ideological (hacktivism) - for targeted attacks. APTs are generally groups, occasionally with an international presence. In addition to a deep knowledge of computers and networking, they may also have familiarity with esoteric hardware and financial systems, a critical skill needed to reach their goals.
Learn more: Cut through the noise and prioritize attacks
APTs are known to apply stringent operational security. This means that due to the sensitivity and complexity of their operations, they go to great lengths to ensure that their identities, infrastructure, and actions will not be uncovered. Furthermore, considering their advanced capabilities, APTs generally develop their TTPs (tactics, techniques, and procedures) on their own instead of using external tools and commodity malware.
APTs stand in stark contrast with most of the deep and dark web’s users, who can be characterized as script kiddies — unsophisticated individuals with neither the skills nor the intent to carry out advanced attacks. Many script kiddies simply go to the deep and dark web to find credentials for their favorite streaming service or cheat for a video game.
All of this would suggest that APTs are not very active on the deep and dark web. If they are there, what are they doing? And even if they are, how could we possibly identify them?
Following an investigation, we were able to identify the forum usernames of nearly 20 known APTs on the underground, with a specific focus on groups with criminal/financial motivations. We characterized the general activity of these actors, which fell into five categories: selling malware-as-a-service (MaaS), initial access brokers (IABs), recruiting partners, and selling compromised data. Finally, we have found several examples showing that APTs can also be consumers of the very tools and services that other APTs provide.
Malware-as-a-service (MaaS) refers to malware that is sold on the underground. Just like non-malicious software-as-service, MaaS vendors issue bugfixes and version updates. They maintain customer support hotlines for customer feedback and complaints, or to make feature requests. Think of APTs that produce MaaS as structured similarly to regular software startups, complete with teams dealing with product, sales, and marketing.
Specifically, because most underground actors are incapable of creating their own malware, the deep and dark web provides a massive base of potential clients for MaaS. For a few dozen to a few hundred dollars, aspiring threat actors can purchase malware that is powerful, instantly ready, and simple to use. This enables anyone, regardless of their technical skills, to launch a more complex cyberattack.
Selling MaaS, in addition to monetizing APTs’ coding and hacking skills, upholds another underground business principle: the importance of not being caught. While the threat actor that ultimately executes the cyberattack can profit the most, they are also placing themselves at risk of being caught and prosecuted. However, by merely providing the weaponry without firing a shot, MaaS vendors ensure that they have a reliable, lower-risk revenue stream.
Examples of APTs that sell malware-as-a-service
The post below features a malware that the actor describes as “a web-based and multifunctional stealer.” The malware costs $40.
Note the professional graphics, suggesting that the actor invests in branding and marketing. Furthermore, in the post the actor offers “excellent support to help you in any minute for any question” and “constant updates that will delight you,” showing that this is an actor who very much cares about customer satisfaction.
Similarly, the post below features another infostealer malware-as-a-service. The post contains a complete guide to the malware, usage, development, and all the details one needs to know in order to use it.
Similar to other MaaS vendors, there have been several updates to this malware, which added functionality and new interfaces, just like one would experience from a regular software as a service company.
Initial access brokers
The first stage in a cyberattack is to gain initial access into the targeted network. Initial access brokers (IABs) are APTs that specialize in performing this critical step and then they turn around and sell the access. Access can come with a wide variety of protocols, such as VPN, RDP, Citrix, shells, domain admin, or sometimes via a specially installed illicit backdoor.
IABs provide an extremely valuable service to aspiring attackers. They make it easy for threat actors to simply purchase access for anywhere from a few dozen to tens of thousands of dollars. The final cost depends on the revenue of the compromised. With access already achieved, cyber attackers can proceed to a wide variety of attack options, including exfiltrating confidential data, using system resources to mine cryptocurrency, or most treacherously, deploying malware and ransomware.
Similar to sellers of malware-as-a-service, initial access brokers are highly advanced actors or groups that monetize their expertise through lower-risk, lower-reward activities: threat actors that do not have the skills or resources to develop access on their own can simply purchase it for cash. The connectedness of the deep and dark web provides the perfect venue for these win-win transactions to take place.
Examples of APTs that sell initial access
In the post below, a threat actor sells full network access including domain admin privileges to a wide variety of organizations. These include a Jordanian electric company, a Saudi Arabian hospital, and an insurance company based in Thailand.
While stopping short of naming the organizations, the actor shares other indicative information, such as region, number of employees, and revenue. There is often some correlation between a compromised organization’s revenue and the price of access. Because organizations with more employees and larger revenues generally lead to larger payouts, the higher pricing for access to the higher revenue makes sense.
Similarly, in this post another APT sells network access to ten different organizations through vectors such as VPN and Citrix. While the post does not specify the compromised organizations, the actor notes that they are all “firms and companies” with annual revenue above $50 million. For an initial bid of $1,000, anyone can attempt to purchase this remote access bundle.
Recruitment and partnerships
While most dark web actors are less sophisticated, there are still many proficient hackers on its many forums. APTs, therefore, see this as a fertile ground for recruiting into their ranks any individual with a desired competency. APTs also post on forums when they seek to establish business partnerships. These can include calls for affiliates to execute ransomware attacks (in which both the affiliates and ransomware groups receive a share of proceeds), and searches for an actor that can provide a hard-to-find tool or service.
A benefit of recruiting and forging partnerships on underground forums is that actors build reputations over time. If a group is looking to attract a software developer, for example, they can view the prospect’s previous activity on the forum, and they can reach out to others to vouch for the software developers background and skills. Some forums even have VIP sections, whose users must demonstrate hacking capabilities in order to be accepted, and presumably APTs prioritize searching for employees from these VIP forum sections.
Examples of APTs that use the underground for recruitment
In this post, a threat actor solicits affiliates for a ransomware.
In this subsequent post on the thread, the actor explains that they will collect 70% of ransom proceeds, and affiliates will receive 30%.
In the next example, an APT seeks affiliates for a well-known ransomware program. The actor notes that the ransomware “fast and flexible,” uses “a convenient admin panel,” and works automatically. However, not everyone will be accepted; partners will be vetted, and the group will give preference to those with skills and prior experience.
In addition to ransomware, actors seek other professional partnerships. In the post below, an actor writes that they are seeking an experienced carder, meaning an actor specializing in procuring compromised credit cards. In response, the actor behind a known APT simply responds, “Send me your Telegram.” In this simple exchange, someone looking for credit cards is connected with a notorious group that specializes in procuring them. If this partnership succeeds, both parties stand to profit.
Since late 2019, many APTs associated with ransomware began to operate dedicated leak sites (DLS), in which they could “double extort” their victims. That is, prior to encrypting the victims’ systems, the ransomware groups exfiltrate troves of confidential and sensitive data, which can include employees’ personal information, proprietary and financial information, or anything else that, if exposed, could harm the organization’s finances and reputation.
On their DLS, the groups subsequently announce who was targeted and characterize the stolen data. If the victims pay, they will receive a key to decrypt the data. If they don’t pay the groups will auction or release the stolen data to the public.
While in the past, ransomware victims might have opted to simply forget to pay the ransom and instead rebuild their systems from backup, the added risk of data exposure now changes their calculations. This double extortion scheme is a large reason why ransomware proliferated tremendously over the last three years.
It is easy to see how DLSs have become a vital tool for ransomware APTs to maximize their income. By setting DLSs up as onion sites on the dark web, they ensure that the sites remain operational and accessible. This is mission-critical, as the more publicity ransomware announcements receive from researchers and journalists, the more it pressures the victim organization to pay.
In addition to selling data procured from ransomware attacks, advanced groups sell other compromised data on the underground, including credentials, payment card data, and personal data (PII). This is just one way in which these groups monetize their advanced skill set.
Examples of APTs that operate as Data Brokers
On the group’s DLS, a ransomware group posts about a ransomware victim, an organization that manufactures and distributes industrial machinery.
The post claims that about 1 TB of sensitive information was stolen, and since the victim is not cooperating with ransom demands, the group will begin publishing its data until it is paid. Creating a feeling of a ticking time bomb, the post includes a link to 1 GB of stolen data.
Similarly, this ransom demand from a different group threatens to release 720 GB of stolen data, which includes financial, contractual, and operational information, unless the victim contacts the ransomware group. The post includes several screenshots of documents to prove the authenticity of the threat.
Consuming tools and services
While APTs are more capable than the typical actor, it is a mistake to believe that every group can do everything. And sometimes, it is simply more cost-effective for the APTs to purchase a tool or service instead of developing it in-house.
While some APTs use the dark web to sell malware and network access, others login to buy those very items. Simply put, the underground economy mirrors that of the real world, in which businesses specialize in the type of labor or service they can perform most efficiently and sell to the highest bidder.
Unfortunately, it is not always possible to know who purchased from whom. While we can see public posts on forums selling items, we are unable to view which actors responded to that post privately, and which of those who responded ended up purchasing the item. However, sometimes we are lucky, and actors share what other tools and services they have purchased.
Examples of APTs that consume tools and services
If we take a closer look at the post shown above, the remote access broker that we profiled earlier noted that the logs that were for sale were procured by the MaaS called Smoke Bot.
Next, in the post below, the actor responsible for a notorious ransomware, responded to a post selling credit card information and dumps data. The actor comments, “How can I reach you to do business,” indicating that they are interested in purchasing the credit card data. Considering that this actor is almost certainly capable of compromising credit card data on their own, it is very telling that they choose to purchase instead. For this actor, this is a simple business decision: it is more efficient for them to pay than to devote the necessary time and effort to do their own hacking.
In this final example, an APT that we profiled earlier looks for a SIM swap services. In a SIM swap, the attacker gains control of the victim’s phone number, thus enabling them to intercept reset passwords or one-time security codes from banks, cryptocurrency exchanges, and other financial institutions and personal accounts. The need for SIM swapping services may indicate on the next attack vector that will be used by this group. Indeed, noting that they specialize in banking trojans, we might speculate that they need one-time passwords in order to access and cashout accounts whose passwords were compromised by their malware.
In this handbook, we reviewed five functions of APTs on the deep and dark web. More broadly, these advanced groups use the underground to either sell (malware, access, and data) or to buy items (recruitment, tools, and services) that advance their criminal activities.
APTs do not neatly fit into one category. As we explored, many of them can perform several functions, such as purchasing access and then, after deploying ransomware, announcing the attack on their DLS. Similarly, APTs can interact with one another, for instance by purchasing malware-as-a-service from another in order to procure and then sell logs.
It is important to understand that APTs—specifically financially-motivated criminal groups—have a very strong presence on the deep and dark web. It could be said that while they only account for a fraction of the underground population, the tools and services that they sell are much of the reason why so many other users log in, and their actions constitute the largest-scale cyberattacks in the world. APTs also find much value in purchasing products and recruiting affiliates from the underground, because they know the forums provide a natural venue for the expertise that they need to scale up their attacks.
The mixing of APTs and script kiddies is perhaps what makes the deep and dark web so dangerous in the first place. Anyone with the Tor browser and a curious mind can log in to the many underground forums. Add some appetite for crime and some fractions of a bitcoin, and any amateur can acquire weapons-grade malware from advanced groups. A few years later, after they have grown more sophisticated, those who started out as curious amateurs may be recruited into the ranks of the APTs. For this reason alone, it’s worth paying close attention to what’s happening on the deep and dark web.