- The predominant activity observed against the energy industry on the dark web is the auctioning of initial access to energy companies, which routinely takes place on dark web forums.
- Threat actors often use the terms “start,” “step,” and “blitz,” which indicate the starting price, the bid increment, and a “buy-it-now” or “blitz” price.
- Searchlight Cyber found activity all over the world, including in the United States, Canada, the United Kingdom, France, Italy, and Indonesia.
- While the dark web forum Exploit has been the most popular for these activities, the researchers also found these activities on RaidForums and BreachForums.
- In one of the examples outlined in the report, bidding started at $1,500 and bids were placed in increments of $500. However, anyone who wanted to purchase the access outright could do so at the “blitz” price of $2,500. Asking prices vary: some are as low as $20, and they range up to $2,500.
- The sale of compromised VPN access is especially common, which the researchers say indicates where security teams should focus their protective efforts.
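The “start / step / blitz” convention above is informal forum shorthand, so a threat intelligence team tracking these auctions usually normalises listing text into structured records before comparing prices or flagging access types such as VPN. The following parser is an added illustration, not code from Searchlight Cyber or from the article; the sample listings, the field names and the access-type keyword list are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listings (not real forum posts). They mimic the
# "start / step / blitz" pricing convention described in the article.
SAMPLE_LISTINGS = [
    "Access: energy company, US, revenue 50M. VPN (Citrix). Start $1,500 Step $500 Blitz $2,500",
    "Network access, corp in FR. start: 20$ step: 10$ blitz: 100$",
    "RDP access, UK manufacturer. Start 800 / step 200",  # no buy-it-now price
]

# Assumed access-type keywords a triage team might track; VPN is the one
# the article singles out as especially common.
ACCESS_TYPES = ("vpn", "rdp", "citrix", "webshell")

# Accepts "$1,500", "1,500", "20$" and plain integers.
_PRICE = r"\$?\s*(\d[\d,]*)\s*\$?"


@dataclass
class AuctionListing:
    raw: str
    start: Optional[int]
    step: Optional[int]
    blitz: Optional[int]
    access_type: Optional[str]


def _find_price(field: str, text: str) -> Optional[int]:
    """Return the integer price following a field keyword, or None."""
    m = re.search(rf"\b{field}\b\s*[:=]?\s*{_PRICE}", text, re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1).rstrip(",").replace(",", ""))


def _find_access_type(text: str) -> Optional[str]:
    pattern = r"\b(" + "|".join(ACCESS_TYPES) + r")\b"
    m = re.search(pattern, text, re.IGNORECASE)
    return m.group(1).lower() if m else None


def parse_listing(text: str) -> AuctionListing:
    """Normalise one free-text listing into a structured record."""
    return AuctionListing(
        raw=text,
        start=_find_price("start", text),
        step=_find_price("step", text),
        blitz=_find_price("blitz", text),
        access_type=_find_access_type(text),
    )


def is_consistent(listing: AuctionListing) -> bool:
    """Sanity-check the price fields: start and a positive step must be
    present, and a blitz price, if given, cannot be below the start."""
    if listing.start is None or listing.step is None or listing.step <= 0:
        return False
    return listing.blitz is None or listing.blitz >= listing.start


def bid_ladder(listing: AuctionListing, max_bids: int = 5) -> List[int]:
    """Enumerate the valid bid amounts from the start price upward.
    Bids stop strictly below the blitz price (that price is a buy-now,
    not a bid) or after max_bids when no blitz price is listed."""
    if not is_consistent(listing):
        return []
    bids, amount = [], listing.start
    while len(bids) < max_bids and (listing.blitz is None or amount < listing.blitz):
        bids.append(amount)
        amount += listing.step
    return bids


if __name__ == "__main__":
    for text in SAMPLE_LISTINGS:
        rec = parse_listing(text)
        print(rec.access_type, rec.start, rec.step, rec.blitz, bid_ladder(rec))
```

Running the script over the constructed listings yields structured records that can be compared across forums (for example, the first listing parses to start 1500, step 500, blitz 2500, access type “vpn”, with a bid ladder of 1500 and 2000 before the buy-now price takes over). The consistency check is deliberately strict so that malformed or bait listings do not pollute price statistics.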
“The auctioning of initial access to corporate networks on dark web forums should serve as a wake-up call to all energy sector companies, regardless of their size or location,” said Chaudhuri. “The reality is the energy industry is not merely a collection of companies. It represents the backbone of global infrastructure, and a breach in this sector could have far-reaching and devastating consequences.”
Andrew Barratt, vice president at Coalfire, said the auctioning of critical infrastructure gives us insight into the perceived value of these entities on the black market. Barratt said rather than just a relatively low ticket (some initial access is sold for under $1,000) there’s potentially an expectation that nation-state actors pick up these critical infrastructure items for leverage in the future. “It’s not uncommon for companies to use threat intelligence feeds that show the initial access brokers pricing, and where they can determine they are at risk will acquire the vulnerable access just to shut it off,” explained Barratt.

Mike Parkin, senior technical engineer at Vulcan Cyber, pointed out that the energy sector is not a new target for cybercriminal attack, which this report reinforces. However, it also shows just how advanced the cybercrime ecosystem has become: between crime-as-a-service offerings, brokers selling access to compromised targets, botnets, and cryptomining farms, they are showing the diversity and maturity we expect from legitimate commercial organizations. “Having this additional information can be helpful for an organization to understand what sort of adversaries they may face, but the truth is anyone can be a target,” said Parkin. “Ultimately, the standard precautions we should all be taking — up-to-date patches, secure configurations, and educating users — apply regardless of where we expect an attack to originate.”