In the final part of this blog series on Telegram we explore how the messaging app is used by criminals with much deeper roots on dark web hacking forums.
Telegram’s Place in the Cybercriminal Ecosystem
As our previous two blogs established, Telegram is home to very active markets of cybercriminal activity. However, this activity does not exist in isolation.
It is important to remember that the activity on Telegram is just the tip of the iceberg of online criminality. It is usually at the lower end of the scale in terms of illegality, with more serious crimes discussed on deep and dark web hacking forums where cybercriminals believe they are further out of the reach of law enforcement.
By “deep web hacking forums”, we are referring to the likes of BreachForums or Cracked – sites that you are able to visit via regular browsers but which require credentials to post, creating a barrier for non-criminals.
Meanwhile, dark web hacking forums such as Exploit or XSS are hosted on The Onion Router (Tor) (as well as having clear web sites). These forums tend to view themselves as more professional than other cybercriminal communities, often shunning non-Russian speakers and those perceived as unskilled or inexperienced. These sites act as a network for career cybercriminals to connect with potential collaborators. For example, they are used by Initial Access Brokers to auction access to organization’s infrastructure and by Ransomware-as-a-Service (RaaS) operators as a PR channel.
Communication Channel for Cybercriminals
While Telegram is further down the hierarchy of serious cybercrime, the lines blur, and we do observe actors crossing from these more serious hacking forums into Telegram – and vice versa. Criminals on deep and dark web hacking forums use Telegram as an auxiliary communication platform, which we know because they discuss Telegram channels and share their handles in their forum posts.
For example, when cybercriminals post adverts to recruit insiders at organizations they often provide their Telegram handles so an employee can message them directly and don’t have to respond openly on the forum where they could be potentially identified by their employer. The following posts are taken from the Exploit and Cracked hacking forums:
Cybercriminals looking to recruit malicious insiders aren’t the only ones using Telegram. The post below shows an Initial Access Broker trying to sell access to a bank in South America on the hacking forum BreachForums. The seller asks for potential buyers to direct message them on TOX or Telegram:
Use of Telegram By Threat Groups
There have also been cases of cybercriminal groups using Telegram channels to promote their activity and build a following.
Perhaps most infamous was the hacking group LAPSUS$’s Telegram channel, which was created in December 2021 to amplify its attack on the Brazilian health ministry. At one point, this Telegram group had tens of thousands of subscribers. It was a notable divergence from other ransomware and threat actors, who favor dark web sites to publicize their attacks.
LAPSUS$ often used its Telegram channel to claim responsibility for attacks, for example, suggesting that it was responsible for an attack against Ubisoft by resharing a news story accompanied by a smirking emoji. It also used its Telegram channel to crowdfund access to organizations. For example, putting out a recruitment call to malicious insiders at large telecommunication, software, call center, and server host firms:
Today, while most of the major ransomware groups still use the tried and tested method of dark web leak sites to advertise their attacks and extort their victims, smaller ransomware groups such as STORMOUS ransomware and bl00dy have been observed using Telegram channels as an alternative.
Monitoring Cybercrime on Telegram
Telegram won’t ever compete with cybercriminal activity present on underground forums in terms of scale but it will continue to be used for the fraudulent activity discussed in the previous posts. Its ease of use, reliability, and low barrier to entry also mean that it will continue to be used by the cybercriminal community active on more serious hacking forums when they need to communicate with the wider world.
While this is clearly a problem for law enforcement and cybersecurity professionals, it also provides some opportunities for them to monitor, track, and potentially stop criminal activity. Contrary to popular belief, Telegram messages are not encrypted by default. In fact, the channels that criminals routinely use are completely open and available for cybersecurity professionals to join and monitor, if they know where to look.
For the organizations impacted by the fraudulent activity that takes place in these channels, this creates an opportunity to learn more about the techniques and technology that hackers are using, identify if your company is being targeted, and take preventative measures based on a better understanding of how they are exploiting your systems – whether that is monitoring for malicious insiders, finding new solutions to mitigate vulnerabilities, or putting controls in place to combat social engineering techniques used in Refund-as-a-Service schemes. Gathering threat intelligence on how cybercriminals operate is one of the most effective ways of ensuring that your security matches the most up-to-date attack techniques.