Spy on Spy: Hacking into the Darknet

In the murky underground forums of the darknet, thousands of hackers trade secrets, discuss new forms of malware, and boast about recent attacks. Back when those logging in to the forums were primarily a bunch of computer geeks, it probably had the feel of a harmless secret society. Then came the bad guys.

Criminal enterprises, terrorist organizations, and nation-states with malicious aims changed the nature of these underground forums, turning the “Gotcha!” game of hacking into a serious enterprise with devastating consequences. Listening in on what is now known as the darknet’s hacker chatter is now the life or death stuff of governments and businesses.

The problem is getting an invite. Not just anyone can log on to the darknet—an encrypted network built on top of the existing internet—and participate in hacker forums like a typical webinar. Only vetted hackers can apply to learn the latest about hacking tactics, techniques and procedures (TTPs), as well as emerging and growing threats. Yet there are white hat hackers—the good guys—who have been able to find their way into these forums.

Among these white hat hackers are cyber security experts Shawn Cozzolino and Alex Heid. Each is a cyber spy with a made-up persona that opens doors across the darknet.

Cozzolino is the surveillance and human intelligence team lead in the Counter Threat Unit™ (CTU) team of Secureworks, which protects customer networks and information assets from cybercrime. Heid is the Chief Security Officer at SecurityScorecard, a company that provides cyber security ratings.

Both spies have colorful backgrounds. Cozzolino’s resume, for instance, includes a stint as a counter-terrorism expert at U.S. Homeland Security and another assisting intelligence collection at the U.S. Special Operations Command in Tampa.

“Our team here at Secureworks is all former military and intelligence professionals,” Cozzolino said. “We’ve created personas that we’ve built up over many years to gain a reputation as legitimate black hat hackers in the underground community. This way, we can engage in discussions with threat actors in forums in Russia, Europe, and the Middle East. Over time, we build up a rapport.”

Learning the Ropes

Like Cozzolino, Heid took years to create his darknet façade. “Any time I had access to a computer in my software coding class as a high school kid in the 1990s, I hacked it to leverage information to help me do better in class,” he said. “I had no intention of doing anything malicious. Back then hacker culture wasn’t about theft or destruction. That came later on when criminal groups began using hacking methodologies to steal data and shut down networks.”

Heid attended Barbara Goleman High, a Miami Lakes, Florida-based technology-focused school that had one of the few high-speed broadband lines connected to the internet at that time. “Every other school in the area had dialup,” he recalled. “Given my tinkering, my teacher eventually made me the unofficial systems administrator in the lab. I guess you could say I’ve always been a white hat hacker.”

In 2008, Heid and a friend, James Ball, created HackMiami as a physical hacker space. Ball had become famous in hacking circles for infiltrating an online Al Qaeda forum, and Heid, who had become proficient at analyzing banking botnets while working in the financial sector, had earned significant cred for hacking the stealthy Zeus botnet in Russia.

Today, HackMiami is the premier annual conference bringing together hundreds of the sharpest minds in the digital underground and information security industry, an eclectic mix of white hat hackers, black hat hackers, spammers, law enforcement, military and threat intelligence analysts, and the security recruiting firms that want to hire them.

Both Heid and Cozzolino describe the work they do as intelligence gathering. “It’s like `catfishing’ on a dating app, where a person creates a fake profile using a photo of someone else who is a lot better looking,” said Cozzolino, with a laugh. “You start slowly, laying your bait by pretending you’re just another threat actor. In earning credibility with the cybercriminals, patience is key. Gradually you gain the trust of the real threat actors.”

When asked how he gets the ball rolling, Cozzolino hesitated. “All I can say is that there are a variety of trade-craft methods we use to build a reputation, which I can’t disclose,” he explained. “The best way to describe what we do is like being an undercover detective. You’re in the field acting like a low-level drug dealer, talking with real drug dealers with the ultimate goal of finding the kingpin.”

Heid also won’t divulge specifics of his persona-building approach, other than commenting that it took years to cement his credibility. He started out in the early 1990s by attending text-based hacker forums in internet relay chat (IRC) rooms, and then graduated to underground web forums on the darknet.

“I’m now circling around spaces like jabbers, which are encrypted chat rooms on the darknet,” he said. “They’re tougher to penetrate, requiring a bigger effort to hide one’s true identity.”

Wearing the Mask

Like traditional forums on the internet, each Darknet forum typically has an administrator, a moderator, longstanding verified attendees, and newer unverified people signing up for a visit. Some forums have high levels of security and restrict attendance to only active members of that group. Others are a bit more relaxed, willing to allow participants with a referral from someone they trust.

And most forums have an attendance limit, just like in the real world. “Sometimes you try to register, but you’re too late,” Heid said.

Once registered in a forum, the other participants are an odd lot, ranging from people cruising the scene for fun to criminal groups to hactivists like Anonymous who are there for political and financial reasons. “Depending on the culture of the group you’re dealing with, you can sometimes be completely transparent and let them know you’re a researcher or a journalist looking to learn about emerging threats,” Heid said. “They may let you in, or they may kick you out.”

Threat actors in different countries host forums through different platforms. “In the Middle East, hackers use a messaging tool called Telegram, whereas in China they use something called QQ,” Cozzolino explained. “Very few people use IRC anymore. We have been able to routinely access hundreds of forums, burnishing our personas as we go along.”

In creating and enriching his persona, Heid said building trust is a critical process. “It all boils down to social engineering; at the end of the day you’re dealing with people,” he said. “The more forums you attend, the greater your trustworthiness. There’s a running joke among white hat hackers that for every chat room with 100 people, only ten are real hackers and the rest are spectators.”

The cyber criminals are well aware such spies exist. Hackers even have a phrase describing an online identity used for the purpose of deception—a “sock-puppet.” “They know we exist, but they don’t know who we are,” Heid said.

Hackers also expect to be hacked by fellow hackers. In fact, it’s a bit of a sport. “Rival hackers are at each other’s throats,” Heid added. “There are long-standing rivalries between certain hackers who hack each other’s websites and release data from each other’s databases. There’s no honor among thieves. This makes threat actors paranoid and wily—all the more reason to gradually build your credibility.”

Taking Stock of the Spoils

According to Cozzolino, his team’s cyber spying has paid off for Secureworks’ clients. “We’ve picked up vital intelligence about new variants of malware and ransomware early on, and found exploits well before they were published,” he said. “Last year, for instance, we discovered three exploits before they were disclosed publicly.” (An exploit is the use of software, data, or commands to take advantage of a weakness in a computer system to carry out some form of malicious intent, such as a denial-of-service attack.)

But just like a fake lead in a physical criminal investigation, cyber spies must be careful to ascertain the validity of intelligence culled from a darknet forum. “There’s a fair amount of counterintelligence going on, with the actual threat actors leaking false information to muddy the waters,” Heid said.

Cozzolino agreed. “Some threat actors have horrible reputations for leading people astray,” he explained. “Each time we find something, we label it with high confidence, medium confidence, or low confidence.”

So, has he ever blown his cover? “We take very good precautions so there is no way the threat actors can link us back to anything real,” he said. “Everything we do is on a separate system with multiple layers of security.”

Cyber risk professionals say the white hats are making a big difference in the war on cybercrime. “They’re providing a valuable resource by being preemptive, spying on potential threats before they become full-blown disasters,” said Vance Brown, CEO of the National Cybersecurity Center, a cybersecurity think tank that provides cyber risk management training to business executives. “The intelligence they provide is an extremely important piece of the overall puzzle.”

As more light is shed on hackers’ brewing inventions and attack strategies, everyone benefits, Cozzolino said. “To guide better decisions on cyber preparedness and response, you need to collect, analyze and authenticate each piece of threat data,” he explained. “The intelligence we’ve vetted and provide to our business clients helps them better manage their cyber risks. That’s of value to them, the economy, and all of us.”

Russ Banham is a Pulitzer-nominated financial journalist and author who writes frequently about the intersection of business and technology

Leave a Reply