Dark Web Profile: IntelBroker – SOCRadar® Cyber Intelligence Inc.

IntelBroker is a well-known BreachForums actor who sells access to compromised systems and data and has remained active through the forum’s successive revivals. The profile covers IntelBroker’s alleged exploits across government and corporate targets, the actor’s connections to CyberNiggers, and discussions of possible state-linked motives, while highlighting notable breaches such as Weee Grocery Service and Los Angeles International Airport. #IntelBroker #BreachForums #WeeeGroceryService #Apple #AMD #DARPA #Europol #FiveEyes #LosAngelesAirport #USDoD #CyberNiggers #EnduranceRansomware

Keypoints

  • IntelBroker is a high-profile actor on BreachForums who identifies and monetizes access to compromised systems and data, continuing to publish activity after the forum’s revivals.
  • IntelBroker has ties to the CyberNiggers group, whose major attacks were orchestrated during IntelBroker’s tenure, with the group now largely inactive but IntelBroker remaining active.
  • Notable breaches attributed to IntelBroker include Weee Grocery Service (about 11 million users) and the Los Angeles International Airport (2.5 million records), among other high-profile targets.
  • The actor has targeted government and critical infrastructure sectors (e.g., DARPA, Europol, Five Eyes-related entities) and a broad set of industries, including IT/telecom, healthcare, finance, and manufacturing.
  • IntelBroker’s tactics span initial access, data exfiltration, privilege escalation, lateral movement, and extensive data collection, with evidence of credential dumping and obfuscation to evade defenses.
  • Motives appear financial, with geopolitical considerations sometimes evident, and there are ongoing questions about possible state sponsorship or collaboration, given the actor’s high-profile targets.
  • Despite claims of Endurance Ransomware development, the profile notes BreachForums’ stance against ransomware topics and suggests that extortion without encryption has become the preferred approach of many actors; IntelBroker is not currently linked to any active ransomware operation.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploit vulnerabilities in public-facing applications to gain initial access to target systems.
  • [T1203] Exploitation for Client Execution – Use compromised systems to execute unauthorized commands or software to achieve objectives.
  • [T1098] Account Manipulation – Maintain access to compromised systems through manipulation of accounts, ensuring continued unauthorized access.
  • [T1068] Exploitation for Privilege Escalation – Exploit weaknesses in systems to elevate privileges and gain higher-level access.
  • [T1027] Obfuscated Files or Information – Obfuscate malicious files or data to evade detection by security measures.
  • [T1003] Credential Dumping – Access and dump credentials from compromised systems, typically through methods like exploiting databases or compromised accounts.
  • [T1083] File and Directory Discovery – Discover files and directories within compromised systems to gather intelligence or identify valuable data.
  • [T1078] Valid Accounts – Use valid accounts to move laterally across networks, leveraging access within diverse organization targets.
  • [T1005] Data from Local System – Collect data from compromised systems, including sensitive information and operational data.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrate stolen data over command and control channels, ensuring successful data extraction without detection.
  • [T1486] Data Encrypted for Impact – Encrypt data to cause operational disruption or financial harm, potentially as part of ransomware operations.
  • [T1132] Data Encoding – Encode communication with compromised systems to obfuscate commands and maintain stealthy control over compromised infrastructure.
  • [T1485] Data Destruction – Intentionally destroy data to disrupt operations, cover tracks, or cause harm to targeted entities.

Indicators of Compromise

  • [File/Artifact Names] – AppleConnect-SSO, Apple-HWE-Confluence-Advanced, AppleMacroPlugin – internal Apple tools exposed in breach claims.
  • [Documents/Source Code] – source code, PDFs, reconnaissance materials, and operational guidelines (e.g., Europol claim referencing “FOUO source code, PDFs, documents for reconnaissance, and operational guidelines”).
  • [Personal Data] – full names, emails, and other PII exposed in breaches (e.g., Los Angeles Airport breach listing “full names, CPA numbers, company names, plane model numbers, aircraft tail numbers, and 1.9 million emails”).
  • [Credentials] – credentials allegedly stolen from HPE, AT&T, and Verizon as part of claimed breaches.
  • [Vulnerability/Exposure] – GitHub zero-day vulnerability referenced in Acuity breach affecting ICE/USCIS data access.

Read more: https://socradar.io/dark-web-profile-intelbroker/