Where has all the Stolen Data Gone? And who the heck is “King S”

I just returned from Israel where one of the more interesting sessions I participated in included an impromptu discussion with some very smart attendees, including former Israeli intelligence officers trying to answer a very basic question:

“Where has all the stolen data gone and how is it being used? “

We have all been bombarded by weekly, if not daily reports of breaches and theft of sensitive personal information at organizations such as Anthem, JP Morgan Chase and OPM. Yet, despite the ongoing onslaught of reported breaches (and we have to assume that only the sloppy hackers get caught and that the reported breaches are just a fraction of the total breach pie) – we have not seen widespread identity theft or personal damage inflicted from these breaches.

Have any of you heard of direct negative impacts from these thefts amongst your friends, family, or acquaintances? I certainly have not.

Yet we do have strong evidence — courtesy of those who monitor the Dark Web such as counter intelligence experts who work for Israeli cyber security firm “Diskin Advanced technologies (DAT)” — that the stolen data is being actively sold in deeply hidden black markets.

In this underground, data for sale and potential buyers are heavily screened before they can become a trusted party to a sale. Common knowledge among prominent cyber criminals is that someone we refer to as “King S”, thought to be a Chinese entity, is the most powerful credit worthy buyer of all. “King S” always pays quickly and his payments are always good. There are all kinds of buyers of information but “King S” is King according to threat intelligence analysts who eavesdrop and participate in underground conversations.

Background on the Dark Web Black Data Market

These hidden Dark Web black data markets are reportedly very different than the black markets where stolen credit card data is sold. In the dark web data markets, only 4-5% of the information is exposed to initial site visitors. The rest is buried further down in what’s known as the Deep Web, and access to this information requires that potential buyers pass intense background check and credentialing process.

Threat intelligence experts, such as those who work for DAT, try to infiltrate these deep corners of the dark web and those who succeed are experts at ‘human intelligence.’ They spend months, if not years, digging in and establishing relationships with the crime rings and actors using all sorts of clever techniques, many of which involve use of social media. They also use automated techniques to cull information but do so ever so gently so as to remain undetected by the black market site operators.

In this dark deep web, the information sold is very different than commodity credit cards whose valuable life is short-lived since compromised cards are often quickly revoked by issuing banks.

There are basically three types of information for sale in this dark underground and most of this information has a very long shelf life. Use of it may not occur for years.

a) Sensitive personal information (aka PII) like the type stolen from Anthem, Chase and OPM, or usernames and passwords stolen from any number of recent breaches.

b) Intellectual Property such as infant powder milk formulas or a technology company’s merger and acquisition plans

c) High level technological data that is useful for pre-attack reconnaissance of a company, such as proven accessible servers and vulnerable internal systems. In some rare occasions names of possible insiders within a target enterprise are also traded.

What’s the Goal of “King S” and the other Buyers?

Of course no one I know is absolutely certain of the answer to this question, but the consensus amongst the session participants was that unlike cybercriminals — buyers, notably “King S” and others less powerful, are buying up all the data they can get to help their intelligence efforts on future projects– whether they are for financial, political or military gain.

Intelligence has now become a data science and data mining job. Now the main tool of intelligence is data mining and the more data an intelligence analyst has to mine the better. This data can be used in a roundabout way to get to a specific target.

For example, intelligence officers pursuing terrorists might ask these questions from a big data store:

a) Who are all the taxi drivers in a certain area from which a terrorist is going to depart? Once that question is answered, taxi drivers could be monitored and identified when a terrorist used their service to be driven to his destination before launching an attack.

b) Who are all the doctors in a specific neighborhood where a terrorist lives? Once that question was answered, the doctors could be monitored so that when the terrorist was injured, he would be found going to one of these doctors since he would not expose himself in a public hospital.

Similarly, let’s hypothesize that some Asian aircraft manufacturer wanted to steal a decryption key used to unscramble the contents of confidential communications between an airplane parts manufacturer with a major aircraft producer in the United States.

This communication included information on the aircraft parts design. The Asian competitor could mine troves of stolen personal data to answer all kinds of questions about employees at the U.S. aircraft producer, such as whom they associate with, where they frequent, and where their children go to school in order to find a way to infiltrate an embassy employee’s desktop. Once that desktop is infected, the Asian competitor could presumably find his way to the decryption key.

Certainly, the type of personal and sensitive data recently stolen from OPM would be extremely helpful in such a data mining exercise.

In any event, this theory of building databases that support surreptitious intelligence efforts makes a lot of sense to me. Yes the bad guys stole tens of millions of personal records from companies like Chase, Anthem and from government agencies. And even if these bad guys were “simple cyber criminals” they seem to have found a way to sell the stolen information to nation states and ‘behind-the-scenes’ covert actors such as “King S”. These nation state actors will certainly mine these vast troves of data to determine how to infiltrate their desired targets in unexpected ways and with unexpected motives.

Using Automation to Find the Crime Rings

I was particularly interested in learning how some of the threat intelligence companies have used automation to detect the criminal activity in the dark deep web. In essence, they look for gathering places by analyzing lots of traffic and certain key words indicating trading activity. They also look for key words indicating disputes amongst the criminals and in fact just discovered a major battle between two culprits who claim to be behind one of the biggest recent attacks on a US bank. Apparently, one of the actors stole money from the second and is now ‘blacklisted’ and considered a traitor amongst his peers.

This information could also be valuable to the ‘good guys’ who can potentially befriend the victim or traitor named in this dispute and use the new-found friendship to gather more information on the bank heist.

So what does this all mean to me and you?

Basically it means that each of us has to always be on guard. The activity on the hidden deep web shows we just never know when we will be approached by someone with criminal intent to use us as a pawn in a much bigger scheme. Any one of us can end up unwillingly participating in a nation-state cyberwar. Good security practices starts here – with you and me. In a sense we have all become soldiers in this new age of cyber-war. Certainly, our companies and employers have become the new battleground.