Caught in a crossfire: how your data ends up on criminal forums

General news coverage might lull us into thinking that major hacks target businesses only. While there's some truth to that, cybercriminals will use everything they steal, including your personal data.

Combating modern cybercrime is akin to fighting the Hydra. Cut off one head, and a new one will pop out almost instantly. That's because modern cybercrime is supported by a vast network of illicit service providers.

More often than not, the people who gain access to business networks are not the same people who abuse that access. The people who develop the malware used in ransomware attacks don't take part in the extortion themselves. We know that from looking at underground forums, where threat actors buy and sell the tools of cybercrime.

It's personal

According to Paul Prudhomme, head of threat intelligence advisory at IntSights, by the time you learn about a cyber cartel or a ransomware affiliate program from a major news outlet, the particular attack vector has already been in use for months, if not years.

Prudhomme and his team dove into the underground forums to look for information on data breaches involving energy sector companies. They found that the attack on Colonial Pipeline was just one of over 20 attacks on energy sector companies worldwide in less than a year.

For example, affiliates of Darkside, the same cybercrime gang that breached Colonial Pipeline, were selling a whopping 1 TB of data they had stolen from a Brazilian electricity utility. The attack was directed at the company rather than at Brazilian citizens per se, but the criminals tried to monetize whatever they could.

From a personal security standpoint, attacks on retailers and social networks might seem more important, but enterprises like energy companies hold as much, if not more, data on their customers. In one case, hackers stole data on 20 million customers of a Brazilian energy company.

"It's worth remembering that a lot of companies in the energy industry have the same type of data that you would see in other industries. Threat actors can use that for identity theft and credit card fraud," Prudhomme told CyberNews during an IntSights webinar on threats in underground forums.

Credit card data from a gas station is just as good as credit card data from a large retailer. Skilled hackers can also employ tactics like credential stuffing far more easily when they have personal information on the target at hand.

Cheap access

Purchasing access to an energy company, the backbone of any functioning nation, is unbelievably cheap. According to Prudhomme, one threat actor sold access to the Romanian nuclear facility for $3 thousand, a typical price for this type of access.

Prices for network access usually depend on the privileges it grants. However, Prudhomme noted that access to oil and gas companies usually sells at a higher rate, since there is more valuable information to steal.

"Things like oil and gas exploration and competitive intelligence could be maybe more lucrative than something like an electric utility," he explained.

There's a good reason for that: oil and gas exploration is notoriously expensive, as scanning for new fields requires heavy investment. Even with the most modern equipment, companies spend millions looking for new fields.

So why spend millions when it's possible to obtain stolen information from an oil and gas exploration company for as little as $12 thousand? That was the actual starting price at a criminal auction for data stolen from a breached energy company whose primary business is oil and gas fields.

Employees are not worthless

Personally identifiable information (PII) on clients and sensitive business information are not the only data an energy company can offer a threat actor. There are the employees, too.

"Since the HR records might be a bit more detailed than whatever customer PII you might have, that might actually be a greater cause for concern," Prudhomme explained.

For example, his team found a threat actor selling a data set with personal data on many Saudi Arabian Ministry of Energy employees.

The dangers of stolen information don't usually materialize instantly. Cybercriminals take time to evaluate which data points will be of most use in a future attack. A compromise might begin with something as simple as a stolen credential, without any noticeable effect at first.

"They get their foot in the door, and then they expand their access and move laterally until they reach their ultimate goal of getting some level of administrative privileges," Prudhomme noted.

Once threat actors have sufficient access, they can sell it to a ransomware group willing to employ extortion techniques backed by malicious software.

The Darkside cartel used similar tactics in the attack against Colonial Pipeline, which caused gas shortages in the Southeastern US. Hackers penetrated the company's network using a password found in a credential dump on an underground forum.

'Panic buying' is driving the fuel shortage after Colonial Pipeline hack. Image by Shutterstock.

Never too safe

In June 2021, a 100GB TXT file containing 8.4 billion password entries was posted online; it was later dubbed the RockYou2021 compilation. In theory, that's enough for at least two accounts for every single person living on this planet.

If you suspect that one or more of your passwords may have been leaked, we recommend taking the following steps to secure your data and avoid potential harm from threat actors:

  • Use our personal data leak checker and leaked password checker to see if your data has been leaked in this or other breaches.
  • If your data has been compromised, make sure to change your passwords across your online accounts. You can easily generate complex passwords with our strong password generator or consider using a password manager.
  • Enable two-factor authentication (2FA) on all of your online accounts.
  • Watch out for incoming spam emails, unsolicited texts, and phishing messages. Don't click on anything that seems suspicious, including emails and texts from senders you don't recognize.
