Imagine this scenario: everyone in your accounts payable department receives an invoice for a service your organization uses regularly. The invoice looks legitimate and sets off no alarm bells, but it is in fact loaded with malware bought on the darknet, a thriving marketplace for tools that give attackers a backdoor into your network.

This is happening to more companies than you might think.

Over the last few years, the number of threat actors on the darknet selling tools, services and stolen data for use against the world’s most prominent organizations has grown by 20 percent. More alarming still, 40 percent of darknet vendors offer targeted hacking services aimed at FTSE 100 and Fortune 500 businesses.

These are among the findings of a June report, “Behind the Dark Net Black Mirror,” presenting research led by Dr. Mike McGuire, a criminology lecturer at the University of Surrey in the U.K. The report also details how the researchers communicated directly with criminal vendors offering services that target the enterprise.

As soon as I began exploring the contents of the report, I couldn’t wait to connect with McGuire for answers to the burning questions I had. I needed to understand how serious a threat the darknet represents for the enterprise, what information revealed in the report every business must know about and, more importantly, what the enterprise can do to mitigate this cyber risk.

It’s Getting Harder to Track Darknet Activity

It’s fascinating to learn the lengths to which McGuire and his team went to obtain the data.

“For this report, we embedded researchers within gated and private platforms and communities within the dark net,” McGuire said. “This gave us unique insights into how cybercriminals target enterprises and helped expose conversations with ‘vendors’ of cybercrime services.”

The research makes clear that the darknet has become a major threat to the enterprise and a key enabler of cybercrime. The kid-in-a-candy-store analogy fits: the darknet’s shelves are stocked with everything threat actors need to breach enterprise networks, steal data and spy on company activities, and with one quick trip attackers can fill their carts with all the tools and services needed to launch an attack.

Most concerning, however, is a trend that will make cybercrime harder to track in the future.

“Increased law enforcement activity has forced cybercriminals to become more secretive, with 70 percent inviting us to talk over private, encrypted channels in the invisible net, such as Telegram,” said McGuire. “This is making it even harder for law enforcement to track dark net transactions, and helps to cover up plans for future attacks on the enterprise.”

A Virtual Treasure Trove for Threat Actors

Ian Pratt, co-founder and president of Bromium, which published McGuire’s report, is no stranger to advanced threats. Even so, the report’s findings caught him off guard: demand for bespoke malware now outstrips off-the-shelf varieties two to one, and Pratt noted that almost every vendor offers tailored malware built to punch through an enterprise’s defenses. More surprising still was the report’s spotlight on a dedicated market for corporate network access, including stolen credentials and remote access Trojans (RATs).

“This raises the very real threat that cyber actors could stroll into corporate networks at any time, leaving them free to obtain high-value assets and install further backdoors for future access,” warned Pratt. “This suggests that targeting the enterprise has become big business.”

I’ve always drawn analogies between threat groups and the mob, but according to McGuire, the mob analogy no longer fits the methods of today’s bad actors. A better analogy, he suggested, might be with targeted marketing and sales campaigns.

“Research about the target is conducted, intelligence is gathered, then specific tools are obtained which can exploit known vulnerabilities, whether in the form of a direct ‘attack’ on a network, a more long drawn out campaign using phishing tools, or a ‘backdoor/insider’ breach which exploits an organization’s internal vulnerabilities,” he said.

No Better Time to Be Proactive

Before you get too alarmed, it is worth understanding that the darknet can also be a valuable source of cyberthreat intelligence. McGuire sees clear advantages for the enterprise in using it to strengthen network and customer security: darknet forums hold a wealth of information that can alert security teams to potential vulnerabilities and emerging threats. He advised that learning early about new hacks, tools and compromised servers that could be used against them can save organizations significant cost when developing their cybersecurity strategies.

“Active involvement in monitoring darknet activity can be extremely useful in guarding against phishing attacks, for example, or when customer data has been breached and appears for sale there,” McGuire said.

To reduce the impact of darknet threats, experts advise organizations to fully assess and understand this particular cyber risk. Doing so, however, requires a complete rethink of security.

The most worrying trend to me is the ease with which a company employee can be tricked into installing and triggering malware. People are always the weakest link in the security chain, and it appears that tools on the darknet are like a big pair of wire cutters. Darknet vendors are even offering the means to create convincing lures for phishing campaigns using official-looking company invoices and documentation.

“These documents can be used to defraud organizations or as part of phishing campaigns to trick employees into opening them,” McGuire noted. “They may look real, but in reality, they deliver malware that triggers a breach or gives hackers a backdoor to corporate networks which could be sold on the dark net.”
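The report and the interview describe what these invoice lures do, not how to catch them, so the following is an added example of my own and not code from McGuire, Bromium or this article. It applies three cheap checks a mail gateway or SOC triage script can run on an attachment before a user ever opens it: an executable hiding behind a document-looking name (invoice.pdf.exe), a declared type that does not match the file’s magic bytes, and an Office Open XML container that carries a VBA project. The sample attachments are constructed in memory and contain no real malware; the filenames and finding strings are mine.

```python
"""Attachment triage for invoice-themed lures (added example, constructed data)."""
import io
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "msi", "ps1"}
# Extensions an accounts-payable user expects an invoice to carry.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "docm", "xls", "xlsx", "xlsm", "rtf"}
# Office Open XML containers (ZIP archives) that may carry a VBA project.
OOXML_EXTS = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm"}
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm"}

PDF_MAGIC = b"%PDF"
PE_MAGIC = b"MZ"           # DOS/PE header of a Windows executable
ZIP_MAGIC = b"PK\x03\x04"  # first local file header of a ZIP archive


def _extensions(filename: str) -> list[str]:
    """'Invoice.pdf.exe' -> ['pdf', 'exe']; 'README' -> []."""
    return filename.lower().split(".")[1:]


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings for one attachment; empty means nothing tripped."""
    findings = []
    exts = _extensions(filename)
    final = exts[-1] if exts else ""

    # 1. Executable hiding behind a document-looking name (invoice.pdf.exe).
    if final in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{final}")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            findings.append("document name with executable double extension")
    if final in MACRO_EXTS:
        findings.append(f"macro-enabled Office extension .{final}")

    # 2. Declared type versus actual content (magic bytes).
    if final == "pdf" and not data.startswith(PDF_MAGIC):
        findings.append("claims to be PDF but has no %PDF header")
    if data.startswith(PE_MAGIC):
        findings.append("content is a Windows PE executable")
    if final in OOXML_EXTS and not data.startswith(ZIP_MAGIC):
        findings.append(f".{final} is not an OOXML (ZIP) container")

    # 3. OOXML container carrying a VBA project, the usual macro dropper.
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("corrupt ZIP container")
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("OOXML document contains a VBA macro project")
    return findings


def triage_all(attachments: dict) -> dict:
    """Run triage over {filename: bytes} and map each name to its findings."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


def _fake_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML-shaped ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake VBA project")
    return buf.getvalue()


# Constructed sample attachments; none of these is real malware.
SAMPLE_ATTACHMENTS = {
    "Invoice_4471.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj <<>> endobj\n",
    "Invoice_4471.docx": _fake_ooxml(with_macro=False),
    "Invoice_4471_signed.docm": _fake_ooxml(with_macro=True),
    "Invoice_4471.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "Invoice_4471_scan.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
}

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {findings or ['no findings']}")
```

These are static heuristics, not a verdict: a macro-free PDF exploiting a reader bug passes all three checks, so treat a hit as a reason to quarantine and detonate in a sandbox rather than as the only control, and log the clean cases too so a later compromise can be traced back to the invoice that delivered it.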

Don’t Leave Yourself in the Dark About the Darknet

The bottom line is to ensure you’re not in the dark about the darknet. While it may be yet another security threat to worry about, ignoring it can be costly.

So what can we do if risk mitigation is in our job description? One answer is to take matters into our own hands: strengthen the organization’s security posture and apply layered defenses, including application isolation capabilities that identify and contain threats. If McGuire’s report teaches us anything, it is that cybercriminals are in a prime position to disrupt business operations and gain a foothold in our networks.

A proactive approach to security and intelligence gathering is the best way to stem the tide of threats and lucrative trading of business-critical data on the darknet.
