Secureworks Counter Threat Unit™ (CTU) researchers monitor and participate in underground forums to gain insights into threat activity. My role as the CTU™ Threat Intelligence Knowledge Manager involves helping to curate our underground data, so I’ve been exposed to some of the threat actors’ communication. But when given the opportunity to dive into the forums myself, I discovered aspects of these communities that I never expected.
What is an Underground Forum?
An underground forum is an online community where users engage in discussions and exchanges related to illicit or illegal activities. These forums are often part of the dark web or accessible through private networks to maintain anonymity and security. They can encompass a wide range of topics:
- Tactics and compromises: Discussing malware development, intrusion techniques, and cyberattacks
- Illegal goods and services: Buying and selling illegal drugs, weapons, counterfeit goods, and stolen data
- Fraud and financial crime: Advertising and promoting credit card fraud, identity theft, and money laundering schemes
- Pirated content: Distributing unauthorized copies of digital media such as software, movies, and music
- Exploitation and harassment: Exchanging information and advice on activities such as child exploitation and victim harassment
Participants in these forums often use pseudonyms and virtual private networks (VPNs) to protect their identities, making it difficult for law enforcement to track and stop them. Regular users may exchange information and trade resources, creating a community and a marketplace for threat actors.
Perception Versus Reality
Embarking on a journey into underground forums is a bit like stepping into an abyss. I had preconceived notions of ominous, malicious shadows lurking at every turn. Yet I have unearthed a far more complex world filled with paradoxes, unexpected insights, and surprisingly human nuances.
- A hidden world: Underground forums provide opportunities for threat actors to connect and engage. They serve as coffee shops for casual chats and meeting like-minded individuals; bustling marketplaces for shopping; community centers for mentorship, training, and job opportunities; and courthouses for conflict resolution. Despite the notorious reputation of these forums, they function as crucial networking hubs for individuals living on the fringes of legality.
- Unexpected humanity: I expected a space dominated by faceless threat groups and nefarious gangs. However, I found an unforeseen presence of humanity amid these virtual corridors. Individuals celebrate the new year together and offer guidance and helping hands to fellow threat actors struggling with their tradecraft. Similar to some corporate Slack or Teams environments, there are channels for ‘water cooler’ chats, discussions on topics such as favorite games and literature, and even ‘introduction’ spaces to meet new members. Threat actors contribute to these channels while simultaneously engaging in malicious activity such as selling malware, sensitive data, and stolen PII. Every online persona is a human being with their own characteristics, quirks, and behaviors.
- Rich diversity: Individuals may come and go, but underground forums reflect an intricate tapestry of different personalities, backgrounds, and intentions. The threat actors speak various languages, have different hobbies and interests, and represent varying skill levels and goals. Each persona has its own presence, purpose, and level of participation, from just observing discussions to regularly posting or even rallying other members.
- Glimmers of morality: I assumed that all attacks would be celebrated, yet some of the threat actors adhere to moral codes. For instance, when a persona named ‘Weakem’ attempted to sell access to a hospital network, responses included calls to delete the post, to ban the seller, and to prevent those types of posts on the forum (see Figure 1). These reactions reveal ethical standards within the community.

Figure 1. Negative reactions to forum post advertising hospital access. (Source: Secureworks)

Forum moderators ensure that participants follow a clear set of rules and behaviors, including where and how to post content, expected data quality, and rules of engagement. Individuals who break the rules can face consequences determined by the moderator, including open arbitration, an order to issue refunds for poor services, and even a ban from the forum.

- Abundant stolen data: Quantifying the sheer volume of stolen information available on underground forums is challenging but possible. In October 2024 alone, almost nine million logs were advertised by infostealers such as Lumma and RedLine. The logs contain sensitive information, including login credentials and cryptocurrency wallets. This abundance of exposed data reinforces the importance of timely patching and multi-factor authentication (MFA).
- Extensive marketplace: Underground forums epitomize a shopper's paradise for threat actors, offering malware, network accesses, stealer logs, classified information, stolen PII, and more. Intangible services are also available, including offers of legal help if threat actors are prosecuted for their crimes, certification assistance (e.g., test answers, fake certificates, codes to circumvent fees), and mentoring (e.g., videos and manuals describing malware or attack techniques). The transactions are pragmatic, with established payment methods and fixed pricing to ensure transparency. There are even dedicated spaces for requests that other threat actors may endeavor to fulfill for a cost.
Clarity In The Abyss
My exploration of these digital depths reduced personas from elusive ‘elite hackers’ to cybercriminals with human traits, behaviors, and flaws. This journey has taught me that understanding is the first step to effectively countering these threats. When facing threat actors who are undeniably human, our strength lies in our ability to empathize with their struggles and predict their actions. The CTU research team has the knowledge, processes, and skillset to respond accordingly.
Learn more about CTU researchers’ insights from underground forums by watching presentations from the Secureworks 2024 Global Threat Intelligence Summit and reading our 2024 State of the Threat report.