IntelBroker is a prominent and prolific threat actor that has rapidly gained notoriety in the cybercrime landscape since emerging in late 2022. Initially involved in ransomware operations, IntelBroker has shifted focus to data breaches, extortion, and selling access to compromised systems. This actor is known for targeting high-profile organizations, including government agencies, critical infrastructure providers, and major corporations, across a wide range of industries. IntelBroker also owns and operates the infamous BreachForums cybercrime forum, further solidifying their position as a significant player in the underground digital economy. This profile delves into IntelBroker's origins, evolution, tactics, techniques, and procedures (TTPs), target victimology, notable attack campaigns, and defense strategies.
IntelBroker's activity can be traced back to October 2022. Initially, the actor was associated with the "Endurance" ransomware, a C#-based malware strain that functions more as a wiper, overwriting and deleting files rather than encrypting them in the traditional sense. The source code for Endurance was later made publicly available on GitHub. The U.S. Department of Defense Cyber Crime Center (DC3) confirmed that Endurance was used in attacks against several U.S. government agencies. There was speculation, denied by IntelBroker, about a connection between Endurance and the Shamoon wiper malware used by Iranian threat actors.
By 2023, IntelBroker had largely moved away from ransomware deployment, focusing instead on data breaches and extortion. A significant turning point was IntelBroker's acquisition of BreachForums, a notorious cybercrime forum. This move provided IntelBroker with a platform to advertise stolen data, sell access to compromised systems, and interact with other cybercriminals. The ownership of BreachForums also gives IntelBroker considerable influence within the cybercrime community.
While initially speculated to be a group, IntelBroker is now believed to be a single individual. They claim to be Serbian, residing in Russia for safety, and motivated primarily by financial gain, with a secondary interest in managing a cybercrime forum. IntelBroker has also expressed a belief that law enforcement and the media are biased.
IntelBroker was also a member of a racist cybercrime group called CyberN-----s. The group has since fallen out of favor and appears to be defunct.
OSINT (Open Source Intelligence) investigations have revealed a complex digital footprint associated with IntelBroker, including various email addresses (cock.li, proton.me, national.shitposting.agency, riseup.net), VPN usage (Mullvad, TunnelBear, NordVPN, VeePN, VPNAsia), and even Minecraft activity (usernames "ClamAV" and "Thick"). There's also a possible, though unproven, connection to the threat actor group AgainstTheWest (ATW), based on shared email addresses, cryptocurrency addresses, and similarities in writing style. Keeping current with threat intelligence is crucial to understanding actors like this one.
IntelBroker employs a multi-faceted approach to compromise systems and exfiltrate data. Their tactics demonstrate a combination of technical expertise and social engineering skills.
Initial Access:
* Exploiting Public-Facing Vulnerabilities: IntelBroker frequently targets vulnerabilities in publicly accessible applications and services. Examples include exploiting CVE-2024-23897 (Jenkins LFI vulnerability) in the BORN Group attack and CVE-2024-1597 (Confluence data center vulnerability) in the T-Mobile breach (though T-Mobile disputes this claim). They have also been linked to exploiting Jenkins vulnerabilities in breaches of IT service providers.
* Leveraging Stolen Credentials: IntelBroker uses stolen credentials, often obtained from infostealer malware, to gain initial access.
* Social Engineering: Using social engineering to obtain employee information or access.
* Purchasing Initial Access: IntelBroker is known to purchase initial access leads from other threat actors.
Persistence & Privilege Escalation: After gaining initial access, IntelBroker uses various techniques to maintain persistence and escalate privileges within the compromised network. This includes deploying backdoors, harvesting credentials (using tools such as Mimikatz), and manipulating accounts, which is why controls that prevent privilege escalation matter.
Data Exfiltration: IntelBroker focuses on exfiltrating high-value data, including personal information, financial records, source code, intellectual property, and sensitive government documents. They often use encrypted channels for data exfiltration to evade detection.
Extortion & Monetization: IntelBroker's primary goal is financial gain. They achieve this through:
* Direct Sales: Selling stolen data and access to compromised systems on underground forums, primarily BreachForums.
* Extortion: Threatening to publicly release stolen data if a ransom is not paid. The ransom is often demanded in Monero (XMR).
Command and Control (C2): IntelBroker encodes data and exfiltrates it over C2 channels.
Specific TTPs based on MITRE ATT&CK Framework:
Tactic | Technique ID | Technique Name
---|---|---
Initial Access | T1190 | Exploit Public-Facing Application
Execution | T1203 | Exploitation for Client Execution
Persistence | T1547.001 | Boot or Logon Autostart Execution
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Defense Evasion | T1027 | Obfuscated Files or Information
Credential Access | T1003 | OS Credential Dumping
Discovery | T1083 | File and Directory Discovery
Lateral Movement | T1021.002 | SMB/Windows Admin Shares
Collection | T1005 | Data from Local System
Exfiltration | T1041 | Exfiltration Over C2 Channel
Impact | T1496 | Resource Hijacking
Command and Control | T1071 | Application Layer Protocol
Impact | T1485 | Data Destruction
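Of the techniques in the table above, credential dumping (T1003) and admin-share lateral movement (T1021.002) are the two most readily spotted from host and Windows event telemetry. The script below is an added example, not code from the article or from any tool it names: it runs two simple detections over a handful of constructed Sysmon Event ID 10 (ProcessAccess) and Windows Security Event ID 5140 (network share access) records. The suspicious access masks, the allowlist of processes expected to touch LSASS, and every sample event are assumptions made for illustration and would need tuning to a real environment.

```python
"""Added example (not from the original article): flag T1003 and T1021.002
over constructed Sysmon/Windows events. All field values are made up."""
import json
from dataclasses import dataclass

# Sysmon Event 10 access masks commonly seen when LSASS memory is read.
# 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION; 0x1FFFFF = PROCESS_ALL_ACCESS.
LSASS_SUSPICIOUS_ACCESS = {0x1010, 0x1038, 0x1410, 0x1FFFFF}
# Assumption: processes legitimately expected to open LSASS (tune per environment).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


@dataclass
class Alert:
    technique: str
    host: str
    detail: str


def parse_events(lines):
    """Each line is one JSON object, as a SIEM forwarder would emit it."""
    return [json.loads(line) for line in lines if line.strip()]


def detect_lsass_access(ev):
    """T1003: non-allowlisted process opens lsass.exe with a read-capable mask."""
    if ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    if source in LSASS_ALLOWLIST or access not in LSASS_SUSPICIOUS_ACCESS:
        return None
    return Alert("T1003", ev["Computer"], f"{source} opened lsass.exe with access {hex(access)}")


def detect_admin_share(ev):
    """T1021.002: remote connection to an administrative share."""
    if ev.get("EventID") != 5140:
        return None
    share = ev.get("ShareName", "").rsplit("\\", 1)[-1].upper()
    if share not in ADMIN_SHARES:
        return None
    src = ev.get("IpAddress", "")
    # IPC$ from the local host is routine noise; only report remote sources.
    if share == "IPC$" and src.startswith("127."):
        return None
    return Alert("T1021.002", ev["Computer"],
                 f"{ev.get('SubjectUserName')} from {src} connected to {share}")


RULES = (detect_lsass_access, detect_admin_share)


def run_detections(lines):
    alerts = []
    for ev in parse_events(lines):
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry); serialised as JSON lines.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "IpAddress": "10.0.5.23", "ShareName": r"\\*\ADMIN$"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.5.40", "ShareName": r"\\*\Public"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "SYSTEM",
     "IpAddress": "127.0.0.1", "ShareName": r"\\*\IPC$"},
    {"EventID": 4624, "Computer": "WS01", "SubjectUserName": "jdoe"},
]]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(a.technique, a.host, a.detail)
```

Run as-is it reports two alerts, one per technique; the Defender access to LSASS and the local IPC$ connection are suppressed by the allowlist and the loopback check, which is where most of the tuning effort goes in practice.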
IntelBroker has demonstrated a broad target selection, impacting organizations across various industries and geographic regions. However, certain patterns and preferences are evident:
Geographic Focus:
* United States: The primary target, with numerous high-profile breaches reported.
* Europe: Significant activity targeting European organizations, including Europol.
* India: Increasingly targeted due to its rapid digital expansion.
* Global: Has operated in over 47 countries, and can target organizations indiscriminately.
Industry Focus: IntelBroker targets sectors with substantial data assets and where disruption can cause significant impact:
* Government and Public Administration: A key target, with breaches involving U.S. government agencies (ICE, USCIS, Department of Transportation, Pentagon), and Europol.
* Critical Infrastructure: Targeting IT, telecommunications, and other critical infrastructure providers.
* Technology: Major technology companies like Apple, AMD, Zscaler, Cisco, and Hewlett-Packard Enterprise (HPE) have been targeted.
* Financial Services: Financial institutions and related services are also targeted.
* Healthcare: Healthcare providers and related organizations are vulnerable.
* Retail and E-Commerce: Companies like Weee! (grocery service) and Pandabuy have been breached.
* Other Industries: Also includes energy, transportation/logistics, manufacturing, education, and business services.
National Security: IntelBroker has shown a particular interest in targeting entities related to national security, potentially suggesting motivations beyond purely financial gain. Digital forensics can help uncover clues about such motivations.
IntelBroker has been linked to numerous high-profile attacks, often characterized by significant data exfiltration and subsequent attempts at extortion. Some notable examples include:
Los Angeles International Airport (LAX): Infiltration of the customer relationship management system, exposing 2.5 million records.
U.S. Immigration and Customs Enforcement (ICE) and United States Citizenship and Immigration Services (USCIS): Accessed data on over 100,000 U.S. citizens.
Weee!: Exposed personal information of over one million customers.
DC Health Link: Breached a health insurance marketplace, exposing data of members of the U.S. Congress.
Pentagon & US Army: Claimed to have obtained sensitive information about communications.
Europol: Confirmed breach involving employee information, FOUO source code, and operational guidelines.
Zscaler: Breached the computer networks of Zscaler.
General Electric (GE): Claimed to have stolen DARPA data (controversial).
Acuity: Hacked a technology contractor for the U.S. government, obtaining data belonging to the Five Eyes intelligence organization and the U.S. military.
Apple: Claimed to have acquired source code for internal tools (later clarified to be plugins).
AMD: Claimed breach with data samples, including future products and employee information. AMD downplayed the impact.
Cisco: Pilfered data, including source code and confidential files, claiming access through a JFrog token. Cisco confirmed data exfiltration but stated it was from a public-facing DevHub environment.
Hewlett-Packard Enterprise (HPE): IntelBroker and the CyberN-----s group claim to have exfiltrated data, including private Github repositories, Docker builds, SAP Hybris data, certificates, product source code (Zerto & iLO), old user PII, and access to HPE's API, WePay, GitHub, and potentially other services.
BORN Group (Supply Chain Attack): Exploited CVE-2024-23897 (Jenkins vulnerability) to gain access to BORN Group, a digital marketing agency. Stole SSH keys, accessed their GitHub repository, and used hardcoded credentials to compromise other systems (BORN Group's clients), including 1stwave, Bank of Ireland, BTEC, Celcom, Delta Faucet, Frontier Saw Mills, Gourmet Egypt, Hitachi, Lindt Chocolate, Nestle, Reebok, TOPCON, and Unilever. Protecting against supply chain attacks is therefore critical.
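The BORN Group case above turned on credentials hardcoded in a repository: once the repository was readable, the downstream clients' systems were reachable. A routine pre-commit or CI scan for such secrets is the cheapest control against that pattern. The scanner below is an added example, not code from the article or from any tool it mentions; the regex rules, the placeholder list, the entropy threshold, and the sample repository contents (including the fake key values) are all constructed for illustration.

```python
"""Added example (not from the original article): scan repository text for
hardcoded credentials. Rules, thresholds and sample files are constructed."""
import math
import re
from collections import Counter

# Illustrative rules, not an exhaustive secret-pattern set.
PATTERNS = [
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password_assignment", re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]")),
    ("generic_token", re.compile(
        r"(?i)(?:api[_-]?key|token|secret)\s*[=:]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]")),
]

# Values that look like credentials but are documentation placeholders.
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "<redacted>", "example"}
# Assumption: values below this Shannon entropy (bits/char) are treated as templating.
MIN_ENTROPY = 2.5


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text):
    """Return one finding per (line, rule) hit; findings never include the value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if value.lower() in PLACEHOLDERS:
                continue
            # Key blocks and AKIA ids are high-confidence by shape; the loose
            # assignment rules get an entropy check to cut placeholder noise.
            if name in ("password_assignment", "generic_token") \
                    and shannon_entropy(value) < MIN_ENTROPY:
                continue
            findings.append({"path": path, "line": lineno, "rule": name})
    return findings


def scan_repo(files):
    """files: mapping of path -> file text (a checkout walked into memory)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed repository snapshot. The AKIA value is AWS's documented example id;
# the password and key material are fake.
SAMPLE_REPO = {
    "config/database.yml": 'production:\n  adapter: postgresql\n  password: "Tr0ub4dor&3-prod"\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n"
                     "-----END OPENSSH PRIVATE KEY-----\n",
    ".env.example": 'DB_PASSWORD="changeme"\nAPI_KEY="${API_KEY}"\n',
    "src/client.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "README.md": "Set the password in the vault, never in this repo.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['rule']}")
```

The findings deliberately carry the file, line and rule name but never the matched value, so the scanner's own output does not become a second copy of the secret. On the sample repository it flags the database password, the private key and the AWS key id, and stays quiet on the `.env.example` placeholders and the README prose.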
It is crucial to note that many of IntelBroker's claims have not been independently verified. Some targeted organizations, like T-Mobile and AMD, have disputed or downplayed the impact of the claimed breaches. However, IntelBroker's track record and the release of sample data in some cases lend credibility to their assertions.
Organizations can take several steps to mitigate the risk of attacks from IntelBroker and similar threat actors:
Vulnerability Management: Prioritize patching known vulnerabilities, especially in public-facing applications and services. Implement a robust vulnerability management program with regular scanning and timely patching, and make sure findings are actually remediated rather than only reported.
Strong Authentication: Enforce strong, unique passwords and multi-factor authentication (MFA) for all user accounts, especially privileged accounts. Also, consider passwordless authentication.
Network Segmentation: Segment networks to limit the lateral movement of attackers in case of a breach.
Data Loss Prevention (DLP): Implement DLP solutions to monitor and prevent the unauthorized exfiltration of sensitive data.
Security Awareness Training: Educate employees about phishing attacks, social engineering tactics, and the importance of reporting suspicious activity. Training should cover the different types of phishing attacks employees are likely to see.
Incident Response Plan: Develop and regularly test an incident response plan so that everyone involved understands it and the response to a security incident is swift and effective.
Threat Intelligence: Leverage threat intelligence feeds and platforms to stay informed about the latest TTPs used by threat actors like IntelBroker.
Supply Chain Security: Thoroughly vet third-party vendors and service providers, and implement robust security controls for supply chain interactions.
Endpoint Detection and Response (EDR): Employ advanced EDR solutions to detect and respond to malicious activity on endpoints.
Regular Security Audits: Conduct regular security audits, especially of third-party service providers the organization relies on.
Strengthen Access Controls: Tighten access controls on repositories and servers that contain sensitive data.
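The vulnerability management item above says "prioritize", but most programs struggle with what that ordering should be. The script below is an added example, not code from the article: it ranks a constructed finding inventory so that internet-facing, known-exploited issues come first and flags anything past its remediation window. The tier rules, SLA windows and asset data are assumptions; the two real CVE identifiers are the ones the profile associates with IntelBroker, and the other identifiers are obvious placeholders.

```python
"""Added example (not from the original article): rank vulnerability findings
by exposure and exploitation status and flag overdue ones. Tier rules, SLA
windows, the reference date and all findings are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: CVEs the organization treats as actively exploited. A real program
# would load a feed such as CISA KEV; here it is the two CVEs from the profile.
KNOWN_EXPLOITED = {"CVE-2024-23897", "CVE-2024-1597"}

# Assumed remediation windows in days per priority tier.
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}
TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    internet_facing: bool
    first_seen: date
    asset_tier: int  # 1 = most critical asset, 3 = least (assumption)


def priority(f):
    """Exploited + exposed outranks raw CVSS; tier-1 assets never drop to P4."""
    exploited = f.cve in KNOWN_EXPLOITED
    if exploited and f.internet_facing:
        return "P1"
    if exploited or (f.internet_facing and f.cvss >= 7.0):
        return "P2"
    if f.cvss >= 7.0 or f.asset_tier == 1:
        return "P3"
    return "P4"


def due_date(f):
    return f.first_seen + timedelta(days=SLA_DAYS[priority(f)])


def prioritize(findings, today):
    """Sort by tier, then overdue items first, then earliest due date."""
    rows = []
    for f in findings:
        due = due_date(f)
        rows.append({"asset": f.asset, "cve": f.cve, "priority": priority(f),
                     "due": due.isoformat(), "overdue": today > due})
    rows.sort(key=lambda r: (TIER_ORDER[r["priority"]], not r["overdue"], r["due"]))
    return rows


# Constructed inventory; CVE-HYPOTHETICAL-* ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("jenkins-ci-01", "CVE-2024-23897", 9.8, True, date(2024, 2, 1), 2),
    Finding("confluence-int", "CVE-2024-1597", 9.8, False, date(2024, 3, 10), 1),
    Finding("web-frontend", "CVE-HYPOTHETICAL-0001", 8.1, True, date(2024, 3, 20), 2),
    Finding("hr-db", "CVE-HYPOTHETICAL-0002", 5.3, False, date(2024, 3, 1), 1),
    Finding("kiosk", "CVE-HYPOTHETICAL-0003", 4.0, False, date(2024, 3, 25), 3),
]
TODAY = date(2024, 4, 1)  # constructed reference date for the overdue check


def example_ranking():
    return prioritize(SAMPLE_FINDINGS, TODAY)


if __name__ == "__main__":
    for r in example_ranking():
        flag = "OVERDUE" if r["overdue"] else "on track"
        print(f"{r['priority']} {r['asset']:15} {r['cve']:24} due {r['due']} {flag}")
```

The point of the ordering is that an exploited bug on an internet-facing Jenkins host outranks a higher-scored but unexploited one, and that a tier-1 asset with a mid-range CVSS still gets a 30-day window rather than falling to the bottom of the queue.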
IntelBroker represents a significant and evolving threat in the cybercrime landscape. Their shift from ransomware to data breaches and extortion, coupled with their ownership of BreachForums, positions them as a major player with considerable reach and influence. The actor's targeting of high-profile organizations, critical infrastructure, and government agencies highlights the potential impact of their activities. While attribution remains challenging, and some of IntelBroker's claims require independent verification, their track record and the sophistication of their tactics warrant serious attention. Organizations must proactively implement robust security measures, including vulnerability management, strong authentication, data loss prevention, and threat intelligence, to mitigate the risk posed by IntelBroker and similar threat actors. The ongoing evolution of IntelBroker's TTPs underscores the need for continuous vigilance and adaptation in the face of the ever-changing cyber threat landscape. Security orchestration, automation, and response (SOAR) tooling can automate parts of that response.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.