Dark Web Profile: CyberNiggers – SOCRadar® Cyber Intelligence Inc.

CyberNiggers, a racist threat group, has resurfaced on Breach Forums with IntelBroker playing a central leadership role in its cyber operations. The piece outlines the group's claimed targets (including GE and DARPA-linked data), its recruitment dynamics, and how initial-access brokering, potential ransomware ambitions, and low-cost access sales shape its activities.

Keypoints

  • CyberNiggers has re-emerged on Breach Forums, with IntelBroker taking a prominent role in its cyber operations.
  • The group claims high-profile breaches, notably General Electric (GE) and data related to DARPA.
  • Other targets include Weee Grocery Service (affecting millions of users) and Colonial Pipeline, as well as Accenture, KitchenPal, the US DoT, and Vauxhall Motors.
  • IntelBroker functions as an initial-access broker, selling access to compromised systems and sometimes conducting intrusions to obtain data.
  • Prices for access and data are reportedly low (e.g., DARPA files offered for $500; data sold for around $4,000), with a discussion of a future ransomware strain.
  • There are national-security implications due to DARPA/GE data exposure, plus reputational, legal, and financial risks for victims.
  • The group appears to combine a financial motive with a publicly racist agenda, while excluding Russia as a target and reportedly being monitored by the Five Eyes.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Breaching General Electric and Weee Grocery Service by exploiting vulnerabilities in public-facing applications.
  • [T1203] Exploitation for Client Execution – Utilizing compromised systems to execute unauthorized commands or software.
  • [T1098] Account Manipulation – Possibly maintaining access to compromised systems through account manipulation, as indicated by activities in various organizations.
  • [T1068] Exploitation for Privilege Escalation – Gaining higher-level privileges through exploitation of system weaknesses.
  • [T1027] Obfuscated Files or Information – Likely obfuscating malicious files or data to evade detection, as seen in sophisticated cyber attacks.
  • [T1003] Credential Dumping – Accessing credentials, possibly through methods like database access or system compromise.
  • [T1083] File and Directory Discovery – Discovering files and directories on compromised systems, as in the case of the DARPA files in the GE breach.
  • [T1078] Valid Accounts – Using valid accounts to move laterally across networks, inferred from the pattern of diverse organizational targets.
  • [T1005] Data from Local System – Collecting data from compromised systems, as seen in breaches of organizations like Colonial Pipeline.
  • [T1041] Exfiltration Over C2 Channel – Likely exfiltrating data over a command and control channel, given the nature of their operations.
  • [T1486] Data Encrypted for Impact – Potential for ransomware use, as mentioned by IntelBroker; some intrusions may also have led into a ransomware attack.
  • [T1132] Data Encoding – Communicating with compromised systems using encoded data.

Indicators of Compromise

  • [File] context – DARPA files, military files, SQL database files, PDFs, and source code (example contexts within the GE and Colonial Pipeline breaches)
  • [Credential/Key] context – private keys, public keys, passwords, and emails (data assets discussed in the breaches)
  • [Cloud/Storage] context – AWS S3 buckets, Bitbucket, blobs, and SMTP services used or accessed in the breaches

Read more: https://socradar.io/dark-web-profile-cyberniggers/