Dark web threat actors are looking to take advantage of the tensions between Russia and Ukraine, offering network access and databases that could be relevant to those involved in the conflict, according to a new report from Accenture.
Since mid-January, cybercriminals have started to advertise compromised assets relevant to the Russia-Ukraine conflict, and they are expected to increase their offering of databases and network access, with potentially crippling effects for the targeted organizations.
Just over a month ago, soon after the destructive WhisperGate attacks on multiple government, IT, and non-profit organizations in Ukraine, threat actors started to advertise on the dark web access to both breached networks and databases that allegedly contained personally identifiable information (PII).
On February 2, an underground forum user was asking $160 for access to a subdomain of a Ukrainian agricultural exchange. The threat actor claimed to have shell and database access to the subdomain, as well as access to payment information and contracts.
That level of access, Accenture notes, allows an attacker to “obtain PII and payment card data, resell exfiltrated data, deploy malicious software such as ransomware, deface websites on the affected subdomain, or possibly even disrupt active exchanges and trades.”
Starting in late January 2022, threat actors have been offering on a Tor website five databases named “gov.ua,” allegedly containing personal information of Ukrainian citizens harvested from Ukrainian government sites. As of February 10, two of the databases appear to have been sold.
Also in late January, an underground forum user shared a SQL database supposedly stolen from a Ukrainian federal agency, which allegedly contains detailed information on wanted criminals. According to another user, however, the data is publicly available on a Ukrainian government website.
On January 23, another forum user began offering for sale more than 70 administrator accounts at a Ukrainian bank, and also advertised 220 email addresses along with alleged vulnerabilities in the systems of a Ukrainian energy sector investor. In other posts, the same user claimed to have discovered vulnerabilities at biotechnology companies, US banks, and UK telecommunications organizations.
On January 22, an underground forum user started advertising personal information of Ukrainian citizens and also provided a link for interested buyers to download a sample of the data, as proof of legitimacy.
Some of these threat actors appear to have high credibility, being endorsed by other users on the same underground forums, which suggests that some of these claims might be legitimate. Others, however, do not have the same level of feedback, making it difficult for security researchers to assess the credibility of their claims.
“Nation-state actors could purchase and leverage network access to critical infrastructure organizations, such as telecommunications or energy organizations, as well as banks. They could use the accesses with asymmetrical tactics to cause disruptions, including depriving users of interconnectivity, energy, or financial transactions, if timed correctly,” Accenture notes in its report.