Threat Intelligence Blog

Every month it seems a new industry is being targeted by cyber attacks, whether it’s healthcare, financial services, education, or retail. Some industries (financial services, retail) may make more sense to target than others. In other cases, why would a hacker go after an individual’s medical records?

The answer may be as simple as data farming. Hostile cyber attackers use data farming to collect information on their targets, building profiles of them that can be monetized in the underground or used for other nefarious purposes. While personal information is valuable to threat actors on its own, it becomes even more lucrative when it comes as “fullz” – criminal slang referring to full packages on individuals that typically include name, Social Security Number (SSN), date of birth, account numbers, and other related data. Fullz are also for sale in underground markets and on the dark web, ranging in price from $15 to $65 USD for a U.S. citizen’s complete record.[1] What’s more, it’s not just individuals’ information that is for sale. Fairly complete dossiers on businesses, primarily Russian businesses, can be bought for 40,000 to 60,000 rubles (about $547 to $822 currently), according to that same vendor report.

Data farming is not unique to any one actor set but has been leveraged by cyber criminals, hacktivists, and cyber espionage actors. Cyber criminals continue to make a lucrative practice of stealing this type of information, and underground forums and marketplaces are flush with personally identifiable information (PII) for sale. One reputed vendor, an actor named “peace of mind,” has been linked to the sale of some of the larger database compromises. As of June 2016, “Peace” has a 100 percent satisfaction rating from patrons and a growing selection of merchandise including 167 million LinkedIn user accounts, 360 million MySpace accounts, and 68 million Tumblr accounts, to name a few.[2] However, recent activities on underground forums reveal that malicious actors don’t necessarily look to immediately monetize what they have reaped in large database exploitation operations. As seen in the recent Yahoo incident, sometimes as much as two years pass before organizations detect or acknowledge that they have been compromised.[3]

How can an organization go two years without detecting a compromise? Research has revealed that organizations are typically unaware of the more savvy attackers operating inside their network space. According to Verizon research that looked at 100,000 incidents and 2,260 breaches of 67 organizations, in 93 percent of those incidents in which data was stolen, systems were compromised in minutes or less; in 80 percent of the cases, the victims didn’t discover the breach for weeks or longer.[4]

These attackers typically conduct substantial surveillance before committing to gaining unauthorized access to their network targets. Once inside, these actors try to remain hidden, allowing them to entrench themselves and search the network for information that may be of interest or that supplements their current data holdings. The longer they can remain undetected, the more fruitful their efforts are likely to be.

Nation states and cyber espionage actors suspected of working on behalf of a government have demonstrated their interest in collecting seemingly benign reams of information for nefarious purposes. The recent exposure of the Democratic National Convention hacking incidents shows that suspected state powers look to gain access to prized networks and remain inside collecting information that can be used immediately or, as time will tell, at a later date.[5] Indeed, in the aftermath of the Office of Personnel Management (OPM) breaches in 2014 and 2015, many security professionals believed that the Chinese government – the suspected perpetrators – were using the information obtained from those and the Anthem breach to support human intelligence operations.[6][7]

Hacktivists – politically or ideologically motivated actors – have also been observed stealing PII in addition to committing acts of cyber civil disobedience via distributed denial-of-service attacks or website defacements. According to a 2012 annual study on data breaches, hacktivist groups were responsible for 58 percent of all data stolen the previous year, with the data taken including customer lists of names, usernames, and e-mail addresses.[8] Hacktivists have been known to use these dumps to “doxx” their targets, publishing sensitive PII on the Internet. For example, in March 2016, the hacktivist group Anonymous doxxed Donald Trump, publishing his cell phone number, SSN, and the names and addresses of some of his employees.[9] Doxxing is a way to either embarrass or incite retaliation against the individual whose private information has been exposed.

No longer are threat actors content with stealing some data from individuals and organizations and moving on to other victims. Now, they are looking to exploit as much as they can from their victims, leveraging obtained information as an access point to venture into other areas. For example, in February 2016, the Internal Revenue Service (IRS) reported that stolen SSNs and personal data stolen from other sources were used by cyber criminals to try to access an E-File PIN for approximately 46,000 users.[10] With most individuals having at least one online account, compiling profiles of their victims enables any hostile actor to use that information to get into other potentially lucrative areas.

Ultimately, the more information an adversary has, the better positioned he is to exploit that information to the fullest. Therefore, it should come as little surprise that in the wake of major breaches like OPM, the data does not immediately surface in the criminal underground. Depending on the intent, a host of options is available once information has been collected and aggregated.

In a time when any and all personal information has value to any and all threat actors, we must remain vigilant about how data is stored and secured. Understanding the threat actor landscape better informs our ability to make better decisions about what is shared with the outside world. Maintaining situational awareness and frequent monitoring of our digital and informational assets must be ongoing. It’s incumbent on us to get it right all the time; the bad guys just need to get it right once.

By Emilio Iasiello, LookingGlass CTIG

[1] https://www.secureworks.com/resources/rp-2016-underground-hacker-marketplace-report
[2] https://www.wired.com/2016/06/interview-hacker-probably-selling-password/
[3] https://radio.foxnews.com/2016/09/27/ceo-of-yahoo-faces-pressure-for-cyber-hack/
[4] http://www.cnbc.com/2016/04/27/most-hacks-take-minutes-to-do–and-weeks-to-discover.html
[5] https://www.wired.com/2016/08/security-news-week-dnc-hack-worse-thought/
[6] http://www.huffingtonpost.com/entry/opm-data-breach-investigation_us_57cfcf69e4b06a74c9f1903b
[7] http://breakingdefense.com/2015/02/chinese-stole-anthem-data-for-humint-should-raise-us-hackles/
[8] http://money.cnn.com/2012/03/22/technology/hacktivists-verizon-data-breach-report/
[9] http://www.mediaite.com/online/anonymous-claims-credit-for-doxxing-personal-trump-info-thats-been-online-for-a-while/
[10] http://www.darkreading.com/endpoint/over-100000-e-file-pins-fraudulently-accessed-in-automated-attack-on-irs-app/d/d-id/1324266