After 70 Ukrainian government sites were hit by hackers with suspected ties to Russia, our cyber analysts have run a series of checks to investigate the cyber risks governments are facing on the dark web.

Using our database, we searched for government domains and emails, the type of information cybercriminals will need to prepare an attack. These government related keywords returned dozens of thousands of results, every week.

Where are threat actors trading government-related information in the dark web?

The top dark and deep web sites and networks we found information related to governments are:

• Datastores (marketplaces for stolen data like login credentials, cookies, PIIs, etc.) 
• Chatting applications 
• Pastes sites
• Hackers forums 

Let’s dive into each and understand the type of threats that can be found on them.

Datastores

Here you can find one of the most popular credentials-markets on the dark web, the Russian Market. On this marketplace, we found tens of thousands of results only from the past 3 months that offer domain logins of various governments for sale. These login details can help threat actors gain unwanted access to government systems.

Chatting Applications

Another popular place we found tens of thousands of results from the last 3 months is Telegram. After filtering out general discussions related to governments, it is easy to spot high risk posts. For example, threat actors selling databases, shells (interface that enables remote access to a web server) and PUA configs (potentially unwanted application configurations on a remote computer or servers) belonging to different governments.

Paste Sites

On paste sites, we were able to detect different kinds of content including discussions about attacks and guides on attack methods used to hack into systems of government agencies. We also see actors using this platform to post data leaks.

Hacker Forums

Unsurprisingly, Raidforums, one of the most popular hackers forums, is a platform for a lot of illicit content relating to government cybersecurity intelligence. Some of the most common content we find on it are database leaks, discussions between threat actors, and trade of exploits and methods of attacks. For example:

• Early Indicators of Attack – Discussions that include mentions of information regarding domains. This is often a strong indication that an attack is in the making because it means that the domain is on the radar of threat actors. 

• Early indicator of abuse of email domains –  When a threat actor offers access to email domains belonging to a government, like the type mentioned in the post below, can be used for social engineering. As a result, the actor can obtain sensitive information or gain unlawful access to government assets.   

With more and more cyberattacks hitting at government sites and assets, tracking the dark and deep web spaces becomes key to the national security and stability of every country.