Threat Management, Threat Intelligence, Data Security

Chinese threat actors extract big data and sell it on the dark web

A sign is posted on the exterior of Twitter headquarters on April 26, 2017 in San Francisco, California. (Photo by Justin Sullivan/Getty Images)

Researchers on Monday reported that cybercriminals are taking advantage of China’s push to become a leader in big data by extracting legitimate big data sources and selling the stolen data on the Chinese-language dark web. The stolen data ranges from lottery and stock data to commercial databases of Canadian and U.S. businesses.  

In a blog posted by Intel 471, researchers said the scheme involves several different layers of cybercriminals, including hackers and middlemen, the use of insider information, and unwitting victims that result in some serious data exposures.

The researchers observed the following incidents over the past several months:

  • One threat actor in January 2021 offered real-time data for casino gaming, lottery and stocks on a popular forum used by Chinese cybercriminals. The data allegedly originated from big data sources of the two most popular mobile network operators in China.
  • Another threat actor in February 2021 offered website and application crawler data collection services on a Chinese-language cybercrime marketplace. The threat actor claimed access to insider channels of Chinese mobile operators for data collection purposes.
  • In early March, a threat actor on a marketplace offered 10,000 user records tied to a parenting application. The offering was described as big data from an undisclosed mobile operator or operators.
  • In late March, yet another threat actor offered big data that included commercial databases of Canadian and U.S. businesses and investors, a hacked Twitter database, and information on Canadian and U.S. citizens.

Organizations that previously defined their risk of being targeted as low because they didn't think they had anything an attacker values should continuously re-evaluate their risk to incorporate developments in the attack landscape, said Jeff Barker, vice president of product marketing at Illusive.

“Increasing avenues for attackers to monetize more diverse data types, arguably means more organizations are potential targets,” Barker said. “Those organizations that previously assessed their attack target risk as lower than prominent targets like financial institutions should reassess their risk levels and evaluate if there are gaps in their inventory of compensating security controls and policies.”

Hank Schless, senior manager, security solutions at Lookout, said many of the scenarios emphasized in Intel 471’s research highlight an insider threat that’s willing to leak large amounts of sensitive data. Schless said cloud-based infrastructure at many organizations has gotten so large that they lack visibility into who’s accessing which sensitive data. Understanding data access becomes even more difficult when the biggest threat comes from insiders who are less likely to trip any alarms when accessing sensitive company data. 

“It’s important to secure access to all cloud infrastructure and resources by implementing a cloud access security broker and zero trust network access solution that lets companies create context-aware access policies,” Schless said. “These solutions should parse out device behavior and user behavior to understand if the person attempting to access resources is who they say they are. With your employees accessing cloud-based infrastructure and resources from so many different devices and locations, intelligent access policies help mitigate the risk of data loss.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.