Dark Web Profile: IntelBroker
IntelBroker, a notorious figure known for orchestrating high-profile cyberattacks, operates within BreachForums. Specializing in identifying and selling access to compromised systems, sensitive data leaks, and possibly extortion, IntelBroker facilitates various malicious activities.
BreachForums, IntelBroker’s long-time base, was recently taken down once again in an operation. This led to the revival of a diminished, Frankenstein-like version that lost some of its key members. The struggling forum is no longer managed by ShinyHunters, while the USDoD is seeking to establish its own platform. Despite these changes, the forum’s standout member, IntelBroker, remains active.
Who Is IntelBroker?
Possibly the best-known member of BreachForums, IntelBroker is also associated with ransomware attempts under the name Endurance Ransomware. The IntelBroker we know today emerged in late 2022 and gained notoriety in early 2023 after allegedly breaching the Weee Grocery Service.
Other notable breaches attributed to IntelBroker include Europol, Autotrader, Volvo, Hilton Hotels, and AT&T, apart from the more recent incidents. Although not every breach can be verified to the same extent, many incidents caused by IntelBroker were confirmed leaks.
CyberNiggers
In 2023, IntelBroker became a member of CyberNiggers, a racist cybercrime group active on BreachForums. Although IntelBroker was only a member of the group rather than its leader, the group’s most significant attacks were orchestrated by IntelBroker during its tenure, while the other members continued to carry out similar attacks.
Statements in leak posts from group members suggested mutual assistance, although the extent of these collaborations remains unclear. Nevertheless, IntelBroker managed to preserve its distinctive identity and achieved a notoriety surpassing the group’s own.
BreachForums, CyberNiggers’ lair, is a complicated platform. It has been revived multiple times: it was first taken down following the arrest of its administrator “pompompurin” but continued to operate, and it has since suffered a similar fate yet still remains operational.
- For a deeper understanding of IntelBroker, we invite you to read our blog post detailing the latest developments on BreachForums. This post covers both historical and recent events surrounding the hacker forum.
For now, CyberNiggers seems to no longer exist, but IntelBroker continues to publish its activities on this forum, gain contacts, and collaborate with other actors.
Behind the Mask
In the past, the DoD Cyber Crime Center suggested that Endurance Ransomware, the name of IntelBroker’s ransomware strain, might be an Iranian state entity, noting similarities between the malware it used and the infamous Shamoon wiping tool. However, IntelBroker denies these allegations, asserting independence and claiming to be a single individual from Serbia.
In a YouTube interview, IntelBroker stated that it is from Serbia but resides in Russia for operational safety. This context may shed light on IntelBroker’s objectives and political stance.
Recent discussions about IntelBroker have long shifted away from claims involving Iran, yet similarities between the Tactics, Techniques, and Procedures (TTPs) of Iranian actors and those of contemporary hacker collectives and hacktivist groups based in Russia are evident. This could suggest a potential overlap in cyber capabilities and strategies between the two regions, akin to broader geopolitical dynamics such as Iran’s drone sales to Russia.
In conclusion, allegations around IntelBroker’s identity persist. Whether Serbian or not, it is conceivable that IntelBroker operates independently, possibly having utilized Iranian malware variants in the past. However, the actor’s sophisticated attacks on high-profile targets, particularly within the US defense sector, raise questions about potential state sponsorship or collaboration with state entities.
How Does IntelBroker Conduct Attacks?
Even though we do not have an incident response study, IntelBroker’s modus operandi can be estimated from its known techniques and the content of the leaked data.
IntelBroker possibly employs a multifaceted approach to cyberattacks characterized by strategic initial access brokering and data exfiltration tactics. Operating within the recently revived BreachForums, IntelBroker is pivotal in identifying and monetizing access to compromised systems, facilitating a range of malicious activities.
Initial Access
IntelBroker typically begins by attempting to sell the access it has acquired. If unsuccessful, it likely resorts to conducting its own infiltration efforts to steal data. However, this approach may have shifted over time from solely selling access to initiating its own data breaches. These days, the actor posts samples of data available for sale on the forum.
According to its statements across different posts, its modus operandi likely encompasses several techniques, such as leveraging exploits for vulnerabilities in public-facing applications to gain initial access to targeted organizations.
Additionally, it may purchase initial access leads from other actors who share similar tactics, techniques, procedures, and objectives. Acquiring credentials through stealer logs and leveraging Personally Identifiable Information (PII) from those logs for impersonation attacks or insider threats are also common initial access vectors employed by such actors.
For instance, the threat actor USDoD, previously active on BreachForums, mentioned in an interview that its attack vector included these methods.
Inside the Systems
As can be interpreted from the content of IntelBroker’s leaks, once inside, IntelBroker executes unauthorized commands and manipulates accounts to establish persistent access, ensuring prolonged infiltration and exploitation capabilities.
Furthermore, IntelBroker appears adept at escalating privileges within compromised networks, as suggested by its publication of source code from internal tools, using techniques to gain higher-level access and circumvent security measures. To evade detection, it employs tactics such as obfuscating malicious files and information, making it challenging for security defenses to detect and mitigate its activities effectively.
Credential dumping might be another integral aspect of IntelBroker’s methodology, allowing it to harvest and use compromised credentials to expand its access within networks. Its operations include the comprehensive discovery of files and directories within compromised systems, such as the alleged sensitive military files associated with DARPA.
Therefore, IntelBroker’s activities could extend beyond initial access and persistence to lateral movement across networks using valid accounts, enabling it to explore and compromise diverse organizational targets. Its approach culminates in the collection and exfiltration of sensitive data via command and control channels, ensuring the extraction of valuable information from compromised environments.
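The lateral movement described above, valid accounts reused against many hosts, leaves a pattern defenders can look for even without knowing the actor's tooling. The following detector is an added example (not code from the SOCRadar post): it scans constructed Windows Security 4624 successful-logon records and flags any account whose network logons (LogonType 3) fan out to an unusually large number of distinct hosts inside a short window. The sample events, host names, account names and thresholds are all assumptions made for this example.

```python
"""Added example: fan-out detector for valid-account lateral movement.

Input: constructed successful-logon records (modelled on Windows event 4624)
in the form "<ISO timestamp> <target host> <account> <logon type>".
Output: accounts whose LogonType 3 (network) logons reached at least
`min_hosts` distinct hosts within any `window_seconds` span.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not real telemetry. svc_backup hops across six
# hosts in under three minutes; alice shows ordinary interactive/network use.
SAMPLE_EVENTS = """\
2024-06-18T09:00:05 HOST-FIN01 svc_backup 3
2024-06-18T09:00:41 HOST-FIN02 svc_backup 3
2024-06-18T09:01:10 HOST-HR01 svc_backup 3
2024-06-18T09:01:33 HOST-DC01 svc_backup 3
2024-06-18T09:02:02 HOST-DEV07 svc_backup 3
2024-06-18T09:02:40 HOST-FS02 svc_backup 3
2024-06-18T09:05:00 HOST-FIN01 alice 2
2024-06-18T10:15:00 HOST-FS02 alice 3
2024-06-18T14:30:00 HOST-FIN02 alice 3
"""


def parse_events(text):
    """Parse the whitespace-separated records into (time, host, account, type)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, logon_type = line.split()
        events.append((datetime.fromisoformat(ts), host, account, int(logon_type)))
    return events


def find_fan_out(events, window_seconds=600, min_hosts=5):
    """Return {account: sorted hosts} for accounts whose network logons reach
    `min_hosts` distinct hosts inside a sliding window of `window_seconds`."""
    by_account = defaultdict(list)
    for ts, host, account, logon_type in sorted(events):
        if logon_type == 3:  # network logon (SMB, RPC, WinRM style access)
            by_account[account].append((ts, host))

    alerts = {}
    for account, logons in by_account.items():
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until it fits within window_seconds.
            while (logons[end][0] - logons[start][0]).total_seconds() > window_seconds:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                # Union every qualifying window so the alert lists all hosts touched.
                alerts.setdefault(account, set()).update(hosts)
    return {account: sorted(hosts) for account, hosts in alerts.items()}


if __name__ == "__main__":
    for account, hosts in find_fan_out(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {account}: network logons to {len(hosts)} hosts within 10 min: {hosts}")
```

The thresholds are the part to tune: backup and scanning service accounts legitimately fan out, so in practice the detector is paired with an allow-list or a per-account baseline rather than a single global `min_hosts`.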
Endurance Ransomware
IntelBroker, which claimed in a 2023 post to be developing the Endurance Ransomware strain, currently has no visible connection with ransomware. Notably, BreachForums banned ransomware-related topics during operations against ransomware groups such as ALPHV and LockBit. In this context, it appears that extortion is now preferred over ransomware in the general cybercrime landscape, and IntelBroker is not currently involved in ransomware activities.
Motives
IntelBroker’s activities are predominantly motivated by financial gain, as indicated by its sale of access to crucial data and systems. However, its actions sometimes intersect with broader geopolitical considerations, especially when targeting entities in NATO-aligned nations such as the United States. This dual emphasis on financial incentives and occasional geopolitical messaging highlights the complex nature of IntelBroker.
What Are the Targets of IntelBroker?
When examining the current posts on BreachForums, we observe at least 82 instances of leaks, access sales, and vulnerability sales. Some older posts are not accessible. Furthermore, some of its posts mention access sales for over 400 companies, and one post about an alleged attack on the US energy sector lists 27 companies. Therefore, it is possible that hundreds of companies have been targeted, but in the analysis below, we focus on victim analysis through unique posts.
IntelBroker is known for targeting a wide range of industries across multiple countries. The following analysis breaks down the patterns and preferences exhibited by IntelBroker based on its alleged victims in unique posts.
Geographic Distribution
IntelBroker targets a diverse array of industries across multiple countries, displaying a strategic focus and methodical approach in victim selection. Geographically, its operations span continents, with notable concentrations in key regions. The United States serves as the primary target, owing to its data-rich environments and critical infrastructure. Additionally, IntelBroker has shown significant interest in India, drawn by its rapid digital expansion, alongside frequent incursions into European nations such as the United Kingdom and France. A politically motivated approach should also be mentioned.
Industry Focus
In terms of industry focus, IntelBroker exhibits a broad scope, targeting sectors with substantial data assets. It displays no discernible bias against any particular industry but concentrates its efforts where data value is perceived to be high. This includes Information Technology and Telecommunications, Healthcare, Financial Services, Government and Public Administration, Education, Retail and E-Commerce, Transportation and Logistics, Professional Services, and Manufacturing sectors.
IntelBroker demonstrates a clear preference for targeting entities related to national security. Notable incidents include data leaks from the State and Homeland Security Departments, classified DARPA documents, and offers of access to a system named “US Army Dashboard.” It also targeted a cybersecurity defense contractor to exfiltrate classified NSA documents related to Five Eyes communications and Europol. These attacks on various government entities suggest a motivation to undermine the US government, evidenced by leaking flight logs from the US Transportation Department, breaching Los Angeles airport systems, compromising the US Citizenship and Immigration Services, and exposing Congress members’ personal information.
In addition to government entities, IntelBroker also targets critical infrastructure sectors, particularly IT and telecommunications. It has allegedly stolen credentials from HPE, AT&T, and Verizon and allegedly breached Zscaler. IntelBroker has also targeted e-commerce platforms like Weee! and PandaBuy, allegedly extracted credentials from financial institutions like Barclays and HSBC, attacked companies like Accor and Home Depot, and leaked thousands of records from Facebook Marketplace. This breadth of activity underscores its sophisticated and wide-reaching approach to cyber attacks.
Most Notable Breach Claims by IntelBroker
Weee Grocery Service: IntelBroker claimed responsibility for a significant data breach involving Weee Grocery Service, a popular online grocery platform. This breach affected approximately 11 million users, raising serious concerns about the exposure of personal and financial information. The importance of this incident lies in the fact that it was one of IntelBroker’s first high-profile attacks, marking the beginning of widespread attention to its activities.
Los Angeles International Airport: IntelBroker infiltrated a database containing 2.5 million records, including full names, CPA numbers, company names, plane model numbers, aircraft tail numbers, and 1.9 million emails. This breach was carried out through an attack on the airport’s vulnerable customer relationship management system.
Acuity: IntelBroker accessed data from the US Immigration and Customs Enforcement and US Citizenship and Immigration Services by exploiting a critical GitHub zero-day vulnerability. This breach compromised the personal information of over 100,000 US citizens and allegedly included sensitive documents related to the Five Eyes alliance’s investigative methods and the ongoing Russia-Ukraine war.
Other breaches linked to IntelBroker involve high-profile targets such as General Electric, Hewlett Packard Enterprise, AT&T, and Verizon.
Europol: The European Union’s law enforcement agency allegedly fell victim to a data breach on May 10, 2024, exposing highly sensitive information and classified data. The breach was claimed by IntelBroker. The allegedly compromised data included many sensitive materials, ranging from alliance employee information to FOUO source code, PDFs, documents for reconnaissance, and operational guidelines. In the same week, IntelBroker claimed that it had also breached Zscaler.
Apple and AMD: One of its most recent attacks targeted two tech giants. IntelBroker claimed to have breached Apple’s internal site on June 19, 2024. It claimed exposure of internal tools such as AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin. Furthermore, on June 18, 2024, IntelBroker purportedly breached AMD’s database, exposing a wide range of data, including future product details, spec sheets, customer databases, property files, ROMs, source code, firmware, finances, and extensive employee information (User ID, full names, job functions, phone numbers, emails, etc.).
What Are the TTPs of IntelBroker?
Below are the most likely TTPs for IntelBroker’s activities. However, it should be stressed again that this is not an incident response and investigation study; it has been prepared based on the content of the alleged activities and data.
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access | T1190 – Exploit Public-Facing Application | Exploit vulnerabilities in public-facing applications to gain initial access to target systems. |
| Execution | T1203 – Exploitation for Client Execution | Use compromised systems to execute unauthorized commands or software to achieve objectives. |
| Persistence | T1098 – Account Manipulation | Maintain access to compromised systems through manipulation of accounts, ensuring continued unauthorized access. |
| Privilege Escalation | T1068 – Exploitation for Privilege Escalation | Exploit weaknesses in systems to elevate privileges and gain higher-level access. |
| Defense Evasion | T1027 – Obfuscated Files or Information | Obfuscate malicious files or data to evade detection by security measures. |
| Credential Access | T1003 – Credential Dumping | Access and dump credentials from compromised systems, typically through methods like exploiting databases or compromised accounts. |
| Discovery | T1083 – File and Directory Discovery | Discover files and directories within compromised systems to gather intelligence or identify valuable data. |
| Lateral Movement | T1078 – Valid Accounts | Use valid accounts to move laterally across networks, leveraging access within diverse organization targets. |
| Collection | T1005 – Data from Local System | Collect data from compromised systems, including sensitive information and operational data. |
| Exfiltration | T1041 – Exfiltration Over C2 Channel | Exfiltrate stolen data over command and control channels, ensuring successful data extraction without detection. |
| Impact | T1486 – Data Encrypted for Impact | Encrypt data to cause operational disruption or financial harm, potentially as part of ransomware operations. |
| Command and Control | T1132 – Data Encoding | Encode communication with compromised systems to obfuscate commands and maintain stealthy control over compromised infrastructure. |
| Data Destruction | T1485 – Data Destruction | Intentionally destroy data to disrupt operations, cover tracks, or cause harm to targeted entities. |
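A SOC team usually wants a table like the one above in a form it can overlay on its own detection coverage. The script below is an added example (not SOCRadar's code): it turns the rows of the table into an ATT&CK Navigator layer and lists the techniques for which the team reports no detection. The technique IDs and names are copied from the table; the ATT&CK/Navigator version numbers, the output file name, the gradient colours and the sample set of "detected" techniques are assumptions made for this example. One row is remapped: the table labels T1485 by its technique name, whereas in ATT&CK it belongs to the Impact tactic, which is the slug Navigator expects.

```python
"""Added example: build an ATT&CK Navigator layer from the assessed TTP table
and compute which of its techniques a SOC has no detection for."""
import json

# Rows copied from the TTP table above: (tactic as written, technique ID, name).
TTP_ROWS = [
    ("Initial Access", "T1190", "Exploit Public-Facing Application"),
    ("Execution", "T1203", "Exploitation for Client Execution"),
    ("Persistence", "T1098", "Account Manipulation"),
    ("Privilege Escalation", "T1068", "Exploitation for Privilege Escalation"),
    ("Defense Evasion", "T1027", "Obfuscated Files or Information"),
    ("Credential Access", "T1003", "Credential Dumping"),
    ("Discovery", "T1083", "File and Directory Discovery"),
    ("Lateral Movement", "T1078", "Valid Accounts"),
    ("Collection", "T1005", "Data from Local System"),
    ("Exfiltration", "T1041", "Exfiltration Over C2 Channel"),
    ("Impact", "T1486", "Data Encrypted for Impact"),
    ("Command and Control", "T1132", "Data Encoding"),
    ("Data Destruction", "T1485", "Data Destruction"),
]

# The 14 Enterprise ATT&CK tactic slugs accepted in a layer's "tactic" field.
TACTIC_SLUGS = {
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
}

# The table names one row by its technique; T1485 sits under Impact in ATT&CK.
TACTIC_OVERRIDES = {"Data Destruction": "impact"}


def tactic_slug(tactic):
    """Map a tactic label from the table to the Navigator slug, rejecting unknowns."""
    slug = TACTIC_OVERRIDES.get(tactic, tactic.lower().replace(" ", "-"))
    if slug not in TACTIC_SLUGS:
        raise ValueError(f"not an Enterprise ATT&CK tactic: {tactic!r}")
    return slug


def build_layer(rows, name="IntelBroker (assessed TTPs)"):
    """Return a Navigator layer dict; version numbers below are assumptions."""
    techniques = [
        {
            "techniqueID": tid,
            "tactic": tactic_slug(tactic),
            "score": 1,
            "comment": f"{tname}; assessed from public leak claims, not IR evidence",
        }
        for tactic, tid, tname in rows
    ]
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "domain": "enterprise-attack",
        "description": "Assessed TTPs from the SOCRadar IntelBroker profile (added example).",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }


def coverage_gaps(layer, detected_ids):
    """Technique IDs present in the layer that the SOC reports no detection for."""
    return sorted({t["techniqueID"] for t in layer["techniques"]} - set(detected_ids))


if __name__ == "__main__":
    layer = build_layer(TTP_ROWS)
    with open("intelbroker_layer.json", "w") as fh:  # assumed output path
        json.dump(layer, fh, indent=2)
    # Constructed example of a SOC's current detections; replace with real coverage.
    print("uncovered:", coverage_gaps(layer, {"T1190", "T1078", "T1003"}))
```

Loading the written JSON in Navigator (Open Existing Layer, Upload from local) colours the assessed cells so they can be compared against a second layer built from the team's actual detection rules; the `coverage_gaps` output is the same comparison in text form.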
Conclusion
IntelBroker, operating within the shadows of BreachForums, remains a formidable presence in the cyber threat landscape despite recent disruptions to the forum. Specializing in exploiting vulnerabilities across a wide range of industries and geographies, IntelBroker’s activities span from high-profile data breaches at companies like Weee Grocery Service and AT&T to infiltrating sensitive government agencies and critical infrastructure. Notably, its recent claims of breaching Apple and AMD highlight its ongoing capability to target major technology firms and extract valuable intellectual property.
How Can SOCRadar Help?
Response to breaches, confirmation of claims, and building strong cybersecurity defenses are crucial for reducing the impact of cyber threats. In today’s cybersecurity environment, it’s essential to stay alert and adaptable and work together to protect critical infrastructure, national security, and personal data.
SOCRadar Dark Web Monitoring offers comprehensive monitoring across the web’s different layers—surface, deep, and dark web. SOCRadar allows organizations to detect and tackle threats effectively. With our expertise in reconnaissance and threat analysis, we provide practical insights to strengthen your proactive security efforts. Integrating automated cyber intelligence with expert analysts empowers Security Operations Center (SOC) teams to handle threats proactively, extending their defense capabilities.