A new Darknet platform called Industrial Spy that launched in mid-March represents a new milestone in insider cyberattacks by actively encouraging staff to cash in on any access they may have to confidential data or access codes.

The Industrial Spy platform has been divided into three main sections: the Premium Section, for the exclusive purchase of new data; the General Section, where offerings are transferred to if the initial seven-day premium offering was unsuccessful; and the Free Section, which gives registered users full access to the published data.

The threat actor publishing the post elaborated on the motives for using the Industrial Spy platform: “With our information you could refuse partnership with an unscrupulous partner, reveal dirty secrets of your competitors, and earn millions of dollars using insider information.”

Organizations of all kinds have always been vulnerable to insider security breaches by dishonest or disgruntled employees. In the past, the employee would generally either have to have been approached directly and discreetly by the cybercriminals or have possessed the know-how to delve into the Darknet themselves in search of prospective purchasers. But all rogue staff now need is a VPN connection and an encrypted Tor browser to access the new platform while preserving their anonymity. There’s even evidence that the threat actors behind Industrial Spy may use Twitter and Telegram accounts to publicize their offerings to make a more widespread public appreciate how much cash they can generate by anonymously selling out their employer.

So far, roughly a couple of dozen companies’ confidential data has been offered for sale on the platform. The victim profile is strikingly similar to Eastern European ransomware gangs as Industrial Spy’s targets are mainly from the U.S. and Western Europe (80%) and vary widely both in revenue and industry, ranging from software and medical companies to manufacturing and insurance companies. We ran analysis on the above mentioned victims list and noticed that 20% of the victims were already targeted or were declared as having been targeted by a ransomware group, mainly by the pro-Russian ransomware gang Conti. Security pros can find all the recycled data under the Free Section, which was dated as late 2021.

At the time of this writing, the Industrial Spy platform has been intermittent after being inaccessible last week. The threat actors had little difficulty reorganizing themselves and are back online, as their aim appears for their platform to become the criminal world’s main marketplace for stolen data. Although Industrial Spy is not the first data trading platform we have seen, it’s the one most focused on tapping into the largely un-accessed potential for insider breaches that lie within most organizations. The platform offers dishonest staff an easy opportunity to make hundreds of thousands of dollars. Its Premium Section, for example, initially offered two companies for $400,000 apiece.

Guarding against the insider threat with any organization is problematic, although organizations should, in any case, do their best to ensure that access to really crucial data is accessible to as few individuals as possible and that staff do not leave their employ while still in possession of access codes and company hardware. We also recommend that security teams carefully vet new staff with an IT background.

But the usual security training, warning staff of the dangers of opening attachments from an unknown source or of the potential perils of mixing their professional and personal lives on social media networks, doesn’t make sense today. Stressing the value of the information at their disposal might only encourage a dishonest member of staff to cash in on their insider knowledge. Trying to identify potentially dishonest staff doesn’t work either because it's prejudicial to good staff relations. However, given the growing cyber dimension to the Russia-Ukraine conflict, it makes sense to let the staff know that the company will continue guarding against internal and external cyberthreats.

All organizations need to step up their level of threat intelligence to a point where they are immediately made aware of the emergence of new criminal marketplaces where their data gets posted for sale. Companies need a high enough level of threat intelligence to keep a constant check on the Darknet and Telegram forums where some of their confidential data may already be available to the highest bidder.

Otherwise, organizations with insufficient threat intelligence regarding leaked data on the dark web may only learn of the potential leak when it’s too late to take remedial action – by which time the sensitive data will have been leaked and the insider will have had time to cash in and cover their tracks.

Doron Kapah, threat intelligence researcher, Cyberint