October 2, 2019 Mark Stamford

Emerging trends in threat actor communication methods

Abstract communications network diagram

Threat actors are adapting to current intelligence gathering techniques. We are observing the switch from hidden services (i.e. Tor) to conventional communication methods that are used by the general public. Platforms such as Twitter, Facebook, and even Discord (a popular app originally intended for gamers) are seeing an increase in usage as part of their operational infrastructure. These platforms are overlooked by both individual white-hat hackers and threat intelligence gathering companies due to the amount of content and resources required to effectively investigate them.

The darknet marketplaces are advertised and openly discussed over social media and clearnet websites as they want to draw-in consumers to increase sales. As these locations are broadcast, it is easier to find them and converse with nefarious sources. While a majority of these marketplaces are related to the sale and purchase of illegal substances, these marketplaces also deal in cyber related commodities such as credit card numbers, exploited boxes, user/password lists, etc. These commodities are evidence of successful malicious attacks; however, it does not necessarily provide an indicator for current or potential attacks.

In order to gather the intelligence that indicates a future attack, access to and understanding of a group’s communications is required. Malicious actors are aware of this and some groups have since transitioned to a “communications spread”, leveraging multiple communications channels and methods in order to subvert automated threat intelligence collection.

Historically some groups have leveraged one or two common communications methods, such as a combination of a clearnet message boards and instant messaging applications. Now, there is a trend of incorporating communications spreads in order to improve operational security (OpSec) within the groups. Independently, in various geographical regions,  this method of communicating  is emerging as the new modus operandi, incorporating methods that were originally considered exclusive to one region.

Current Methods Identified

Clearnet forums (such as vBulletin, Proboards, etc), IRC (Internet Relay Chat), the variety of instant messaging apps that have varying degrees of popularity based on locality and geography (Line/Jabber/WhatsApp/Signal), and the globally popular social media platforms (Facebook, VKontakte, Twitter, Instagram, etc).

Specific topics switch communications methods that are only known by select individuals in a group. Using a special code phrase or word in a clearnet communication will indicate a specific topic of discussion that select individuals will recognize, and they will switch communications methods in order to discuss the topic in more detail. In certain situations, questions may be asked in one method with answers only coming from a designated second form of communication, such as asking a question on Twitter and receiving answers via Signal. We have received access to a specific onion site via a mobile messaging application; it was indicated that this was the designated method of providing access and not to be discussed outside of this defined method. We have also witnessed an administrator reprimand a specific user on Discord for mentioning a topic that was out of bounds, reminding everyone that there are topics that are not up for discussion unless it is through the proper channels.

With all of these communication spreads, it is making automatic collection difficult. Conversations that are able to be collected appear to be benign technical talks and anything that is overtly malicious is only a fragment of the conversation; unless all communications methods are known and accessible.

Why This is Important

While chatter has become an area of focus by security researchers, the areas of active organization and hacking efforts are ignored. The Darknet is the source for already compromised data and historical records. This data is useful to companies wishing to find out if they have been compromised in the past (on average 180 days ago), however it does not support proactive defense, or  counter offensive, capabilities.

Sophisticated threat actors are constantly adapting and improving their OpSec. Communication spreading, segregated conversations, and siloing means the organization’s intelligence gathering and analysis may not be as privy to all the active or potential campaign operations as they were once before. When working with a threat intelligence feed or vendor, try to ascertain where data is being collected from, and if the methods used are being updated inline with the bad guys.