
What Threats are Governments Facing on the Dark Web?

After 70 Ukrainian government sites were hit by hackers with suspected ties to Russia, our cyber analysts have run a series of checks to investigate the cyber risks governments are facing on the dark web.

Using our database, we searched for government domains and emails, the type of information cybercriminals need to prepare an attack. These government-related keywords returned tens of thousands of results every week.

Where are threat actors trading government-related information on the dark web?

The top dark and deep web sites and networks where we found information related to governments are:

  • Datastores (marketplaces for stolen data like login credentials, cookies, PII, etc.)
  • Chatting applications
  • Paste sites
  • Hacker forums

Let’s dive into each and understand the type of threats that can be found on them.

Datastores

This category includes one of the most popular credential markets on the dark web, the Russian Market. On this marketplace, we found tens of thousands of results from the past 3 months alone that offer domain logins of various governments for sale. These login details can help threat actors gain unauthorized access to government systems.

A screenshot of Colombian gov domains logins for sale on Russian Market

Chatting Applications

Another popular place, where we found tens of thousands of results from the last 3 months, is Telegram. After filtering out general discussions related to governments, it is easy to spot high-risk posts, for example threat actors selling databases, shells (interfaces that enable remote access to a web server) and PUA configs (potentially unwanted application configurations on a remote computer or server) belonging to different governments.

Telegram messages from Webz.io’s Cyber API showing Lebanese government database for sale
Telegram messages offering Ohio state config data for sale among others as shown on Webz.io Cyber API

Paste Sites

On paste sites, we were able to detect different kinds of content, including discussions about attacks and guides on attack methods used to hack into systems of government agencies. We also see actors using these platforms to post data leaks.

A leak of data belonging to the Paraguayan Government on Pastebin

Hacker Forums

Unsurprisingly, Raidforums, one of the most popular hacker forums, is a platform for a lot of illicit content relating to government cybersecurity intelligence. The most common content we find on it includes database leaks, discussions between threat actors, and trade in exploits and attack methods. For example:

  • Early Indicators of Attack – Discussions that include mentions of information regarding domains. This is often a strong indication that an attack is in the making because it means that the domain is on the radar of threat actors.
Example of illicit trade of government domains on Raidforums
  • Early indicator of abuse of email domains – When a threat actor offers access to email domains belonging to a government, like the type mentioned in the post below, that access can be used for social engineering. As a result, the actor can obtain sensitive information or gain unlawful access to government assets.
A post on Raidforums offering access to emails from domains belonging to NASA as well as to the U.S. Government and Senate

With more and more cyberattacks hitting government sites and assets, tracking the dark and deep web spaces becomes key to the national security and stability of every country.

Avishag Yulevich

Senior Cyber Analyst
