Hackers Selling Access to Critical Infrastructure on Darknet
Cyber mercenaries are breaching the systems of governments, financial institutions, critical infrastructure, and businesses, then selling access to them on a marketplace on the darknet, a hidden internet accessible only via specialized software.
All of this is happening on a darknet black marketplace known as the CMarket or “Criminal Market,” formerly known as “Babylon APT.” The marketplace contains a public market, invite-only submarkets, and hacker-for-hire services ready to breach any network in any country.
The Epoch Times was provided with analysis, screenshots, and chat logs from the marketplace by darknet intelligence company BlackOps Cyber. An undercover operative for the company gained access to the marketplace’s invite-only sections and grew close to several of its top members.
According to BlackOps, the site is run by hackers from several countries, who claim to be Latin. However, the main operative, according to the researchers, appears to be a state hacker working for the Chinese Communist Party. The individual runs his operations for the Chinese regime in his day job, and then when operations are finished, he sells the data on companies, governments, and other targets on the black market.
“He doesn’t mind doing that crossover and back and forth from the underworld to his workplace,” BlackOps said. “He’ll also recruit in the underground for his side business.”
The CMarket group brought together several international cybercrime syndicates, says BlackOps. The researchers noted that when the CMarket criminals are overworked, they contract out jobs to a team of hackers in Brazil. Some members of the group also appear to be Philippine nationals.
A CMarket seller stated in one of the chat logs that the group established their own market because sellers on other darknet black markets deemed their offerings too likely to gain attention from law enforcement. He wrote, “They’re afraid of our products.”
When cybersecurity experts try to trace the origins of a cyberattack, the typical methods are to look at the tools used, to analyze which type of group would be interested in the target, and to look at other cyberattacks that used similar tools or had similar criminal interests.
The findings on the CMarket throw this system of attribution out the window, as they show significant overlap between governments, cybercrime syndicates, and global cartels and organized crime networks.
In one chat log provided by an undercover investigator with BlackOps, a CMarket seller offered access to the breached devices of a terrorist cell that was allegedly being trained to infiltrate Western Europe.
“They’re all active supporters and combatients [sic],” the seller wrote, noting that the terrorists were being trained at the time and “will be sent to other parts of Europe. … Not all, but some.”
The CMarket hackers were hired by a Russian group to breach the cell’s devices in 2016. The seller said that the Russian group was planning to sell access to the breached devices to authorities, but was waiting for the terrorist group to begin carrying out attacks, since it would increase the value of the data.
The seller wrote, “Data of fighters raise value [sic] as soon they engage in operations.” He added, “Soon this names [sic] will appear on news :)”
The CMarket seller said that the Russian group had provided them with a unique cyberweapon to carry out the breach. The seller described the tool as “basically RAT but way more advanced … capable infect [sic] through other ways researchers still dream about,” and noted, “They have a guy working on university developing new technology.”
RAT refers to a “remote access Trojan,” malware that, once it infects a computer, gives the attacker remote control over the device, including its files, keystrokes, and webcam.
Some data for sale on the CMarket is geared specifically toward government and military interests.
In one of the chat logs, a CMarket seller told the undercover investigator that he had recently sold databases on NATO and Germany’s Ministry of Defence, and said that he still had access to machines of the United Kingdom’s MI5 intelligence agency and its Royal Air Force.
When the investigator inquired, he was told the data on the defense and intelligence agencies had been gathered from a single operation and contained close to 5,000 logins. The seller wrote, “Members of that intranet are active personnel of NATO, MoD and Military.”
The cybercriminal also stated his group had begun infiltrating Qatar University, and noted, “The university is the only government university in the country.” University breaches are typically valuable for accessing research projects and for targeting professors for influence campaigns.
A tab on the site’s marketplace for “Government Attacks” listed data and access for sale, including “Personal Identity & Federal Voting Data” from Mexico and access to “Government Servers” in Mexico. Gaining access to voting data can help cyberspies map the voting systems of a targeted country, while accessing government servers enables hackers to infiltrate other systems within the government networks.
Data on government employees can be used as a starting point for government-level espionage; hackers will typically use such information to target and breach the computers of individual employees, then use those footholds to gain deeper access to the agencies.
Another entry offered access to SCADA (supervisory control and data acquisition) systems, which are used to monitor and control physical equipment in critical infrastructure facilities, such as power plants. The cybercriminals listed access to SCADA systems for 3 to 5 bitcoins ($6,855 to $11,425) each, noting they had multiple targets available.
Several items in the marketplace area were marketed specifically to cartels and organized crime rings.
One offering was for access to the U.S. Coast Guard’s Vessel Identification System, which can monitor automatic tracking systems used to identify and trace ships, including those used by law enforcement. The files were being sold for 5 to 7 bitcoins ($11,761 to $16,465).
According to BlackOps, the CMarket cybercriminals were trying to market the breach to smugglers who could use it to trace and avoid Coast Guard ships.
Among the other offerings were the identities and personal information of agents in the Federal Police of Brazil. The post noted that some of the agents identified “participated in the operation darkode,” referring to the federal takedown in 20 countries of the Darkode cybercrime online forum in July 2015.
Another post offered access to a radio base of a major telecommunications company in Latin America. The data included “radio location for advance [sic] cyberspy,” available for between 7 to 10 bitcoins ($16,465 to $23,628).
A larger post offered access to a major telecommunications project across Mexico, and advertised data from 32 states and 26 municipalities. The post said that five Mexican state prosecutors used the Unified Criminal Information System and that the stolen data could offer indirect access to the system through data stolen from the National Migration Institute. The data also incorporated databases from Mexico’s national public security system and its federal police force. Access to the system was offered for 100 to 120 bitcoins ($236,280 to $283,536).
BlackOps said the information, which is marketed to drug cartels and organized crime groups, could be used to identify undercover agents or monitor police communications.
The specific mention of the Darkode takedown in the federal police files carries the connotation that some of the agents may have been involved in investigating online criminal networks, and such information would be of interest to cybercriminal networks keeping tabs on official investigations.
Other data is marketed to cybercriminals, including access to hospitals, which are typically used for ransomware attacks, in which cybercriminals encrypt critical computers and files and demand payment for the decryption key. Hospitals also hold databases of personal information that can be used for identity theft.
Included among the information on sale was an entry on the United States, advertising it had everything needed for “cyberespionage United States [sic].” Other entries included close to 150 million records from Mexico, 20 million records from Argentina, 40 million from Peru, and a separate database specifically for identities of government employees in various countries.
Some of the information being offered by the CMarket is geared more specifically toward industrial espionage and economic competition. Data such as this would allow a company or a state industry to monitor competitors, get information on pricing and contract negotiations, and steal intellectual property.
One of the private offerings was for “all company united states [sic],” as one of the cybercriminals described it to the undercover investigator in a chat log. The cybercriminal added, “All this information is detailed information, researched each part.”
The data was allegedly stolen by them from a contact information database of a major U.S. news outlet. The cybercriminal said it included 350,000 records with personal information on individuals who could be targeted through cyberespionage operations, so as to gain deeper access to the companies.
An entry in the marketplace offered information on employees of a large gas and oil company in Yemen, advertising the data for use in targeted attacks, and noted that the breach remained undetected.
A separate entry offered a database containing personal and structural information on a chemical company in Egypt, noting it was “one of the main sources of production.” The entry was advertised at 35 to 40 bitcoins ($80,790 to $92,332).
Another entry for sale advertised a “vulnerability sistem [sic]” for airlines, and listed several major airlines by name, including United Airlines and Japan Airlines, as well as cargo airlines such as UPS and FedEx.
In one of the chat logs, the seller offered the undercover investigator data from breaches of a major Indian bank and an Indian stock exchange. The seller offered access to the bank for $50,000, stating the group had breached the bank’s “central computer” and was in the process of “[making] sure all infect [sic] and see if can get more computers.” The seller also noted the breach of the stock exchange was “a work in progress but %90 [sic] done.”