Kaspersky Digital Footprint Intelligence team has over the past two years uncovered almost 40,000 dark web posts about the sale of internal corporate information. These posts – created by cybercriminals – are used to buy, sell, or distribute data stolen from various companies through cyberattacks. The number of posts offering access to corporate infrastructure has seen a 16% increase compared to the previous year. Worldwide, every third company was referenced in dark web posts associated with the sales of data or access.
Kaspersky Digital Footprint Intelligence experts observed an average of 1,731 dark web messages per month about the sale, purchase and distribution of internal corporate databases and documents, totaling almost 40,000 messages between January 2022 and November 2023. The monitored resources encompassed dark web forums, blogs, and also shadow Telegram channels.
Figure: Distribution of dark web messages related to corporate data sale, purchase, or distribution, January 2022 – November 2023
Another category of data available on the dark web is access to corporate infrastructure: cybercriminals can purchase pre-existing access to a company, which lets attackers skip the initial compromise and streamline their efforts. According to Kaspersky’s research, more than 6,000 dark web messages advertised such offers between January 2022 and November 2023. Cybercriminals are increasingly offering access, with the average number of corresponding monthly messages rising 16%, from 246 in 2022 to 286 in 2023. While the number of messages may not seem high, it does not diminish the potential magnitude of the issue. With the looming threat of supply chain attacks in the coming year, even breaches targeting smaller companies could escalate to impact numerous individuals and businesses globally.
“Not every message on the dark web contains new and unique information. Some offers can be repetitive; for instance, when a malicious actor aims to quickly sell data, they may post it on different underground forums to reach a larger audience of potential criminal buyers. Moreover, certain databases might be combined and presented as new. For instance, there are ‘combolists’ - databases that aggregate information from various previously leaked databases, such as passwords for a specific email address,” explains Anna Pavlovskaya, expert at Kaspersky Digital Footprint Intelligence.
Figure: An example of a ‘combolist’ offer
To further enhance the security of businesses worldwide, Kaspersky Digital Footprint Intelligence experts tracked dark web mentions of 700 randomly selected companies during 2022 in connection with compromised corporate data, providing information about cyberthreats originating from the dark web.
The findings revealed that 233 organizations – one in three companies – were mentioned in dark web posts related to the illicit exchange of data. These references specifically involved topics such as data breaches, stolen access to infrastructure, or compromised accounts[1].
More statistics about dark web discussions are presented on Securelist, while the Kaspersky Digital Footprint Intelligence website provides a comprehensive incident response playbook for handling leak-related incidents. To avoid threats related to data breaches, it is worth implementing the following security measures:
- Swift identification of and response to data breaches are essential. Those facing a crisis should start by verifying the source of the breach, cross-referencing it against internal data, and assessing the information’s credibility. Essentially, a company must gather evidence to confirm that the attack occurred and that data has been compromised.
- Continuously monitoring the dark web allows for the detection of both fake and real breach-related posts, as well as the tracking of spikes in malicious activity. Given the resource-intensive nature of dark web monitoring, external experts often take on this responsibility.
- It's beneficial to prepare a communications plan in advance to interact with clients, journalists, and government agencies.
- Developing comprehensive incident response plans that include designated teams, communication channels, and protocols allows for the prompt and effective handling of such incidents when they occur.
[1] To prevent unauthorized access to the affected companies’ data or infrastructure during the initiative, compromised data was not verified in any way.