xorl %eax, %eax

Archive for the ‘threat intelligence’ Category

Analysis of the CardingMafia March 2021 data breach


One relatively large carding forum, CardingMafia, was breached and its data was shared in darkweb channels in late March 2021. I got hold of this data set and found some interesting information. Of course, I cannot share PII or other sensitive material in a public blog post, but I can share some of the more generic analysis to hopefully provide better insight into this underground carding community, and into darkweb carding communities overall.

First of all, CardingMafia was both a “shop” and an English-speaking forum. This means CardingMafia members were able to have forum discussions on topics of interest, but there was also a section of the website where members could buy and/or sell stolen digital goods (compromised accounts, cardholder data, etc.).

The data leak that happened in March 2021 was from the “user” table of the SQL server of the forum. In total, there were 297,076 accounts with various details such as username, IP address, creation time, hashed password, email, status, likes, etc. This is the dataset I’m using for this blog post.

As always, this is personal research. I’m not a lawyer, nor am I speaking on behalf of my employer. This is 100% personal threat research to enrich some of my personal threat intelligence cases and projects.

The top 100 IP addresses with the highest number of user accounts in CardingMafia are shown below. Each of those IP addresses had anywhere from 180 to over 13,000 unique forum accounts associated with it.

Although some were automated accounts (probably from darkweb scraping bots), it appears that many legitimate users were also using those services to hide their real IP addresses (proxies, VPNs, hosted jumphosts, etc.).

Among those top 100 IP addresses, the vast majority were from the US (29%), France (14%) and Ukraine (12%). Again, this doesn’t necessarily mean that the forum users were actually in these countries, only that they were using services hosted in those countries to access the forum.

To have a more holistic view, the following geo-heatmap is based on all of the 297,076 IP addresses. It’s worth noting here that in reality there were only 56,685 unique IP addresses that were used to open CardingMafia forum accounts.

With this bigger-picture view we get a better understanding of the likely real countries of the forum members, since many of them were connecting directly from ISPs. The United States is probably skewed due to the number of cloud services and proxies hosted there, but the rest should be closer to reality.

To make this clearer, below are the top 20 countries along with the number of CardingMafia accounts, based on geolocation of the IP address recorded with each CardingMafia forum account.

  1. USA (19393 accounts)
  2. Germany (2553 accounts)
  3. United Kingdom (2479 accounts)
  4. Russia (1841 accounts)
  5. China (1781 accounts)
  6. France (1632 accounts)
  7. Indonesia (1559 accounts)
  8. Netherlands (1458 accounts)
  9. Canada (1410 accounts)
  10. Ghana (1384 accounts)
  11. Australia (1138 accounts)
  12. India (1042 accounts)
  13. Ukraine (1016 accounts)
  14. Nigeria (992 accounts)
  15. Brazil (705 accounts)
  16. Spain (663 accounts)
  17. Japan (647 accounts)
  18. Hong Kong (586 accounts)
  19. Vietnam (572 accounts)
  20. Singapore (560 accounts)

Since the United States is the top one in all of the above statistics (although this is mainly due to the number of cloud and proxy services based in the US), here is a similar geo-heatmap per US state.

And the top 5 states by number of CardingMafia accounts created from IP addresses geolocated there were the following:

  1. California (3189 accounts)
  2. New York (1771 accounts)
  3. Florida (1721 accounts)
  4. Texas (1302 accounts)
  5. Illinois (823 accounts)

The email addresses used by CardingMafia members also provide some interesting insights. For example, there were 294,887 unique email addresses. To avoid clutter, I picked the top 20 email service providers used for those accounts, shown here. Unsurprisingly, GMail.com is the top one with 51.7%, followed by Yahoo.com (13.4%) and Hotmail.com (6.3%).

There is something else which is interesting, though. There were some email addresses from corporate accounts which, again, could be benign but could also indicate an insider threat. I will not list those here, but they ranged from small businesses to large multinational corporations across various industries.

Something else that is notable is that only a tiny percentage of the forum members were using privacy-focused email service providers. For example, using the top 5 list from CyberNews we have:

  1. ProtonMail: 3155 accounts (1.07% of the total accounts)
  2. Tutanota: 375 accounts (0.13% of the total accounts)
  3. Zoho Mail: 60 accounts (0.02% of the total accounts)
  4. Thexyz: 0 accounts
  5. Startmail: 4 accounts (0.000014% of the total accounts)

I want to highlight this since we keep hearing from many government officials how privacy- and anonymity-aware cyber-criminals are, but the above is a clear indication that the vast majority (over 97%) of the members of a relatively large cyber-criminal forum were using unencrypted email providers.

The above is also supported by breaking down the type of connection used to create each of those accounts. Based on the enriched IP addresses described earlier, here are the connectivity types.
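The aggregation behind the statistics above (accounts per IP address, unique IPs and emails, email provider share, and the share of privacy-focused providers) can be reproduced over any user-table dump with a few lines of Python. The following is an added example written for this post, not code from the original; the column names and the rows in SAMPLE_DUMP are constructed placeholders, and the privacy-provider domain list is an assumption that covers only the five providers named above.

```python
"""Aggregate a leaked forum 'user' table the way the analysis above does.

Added example, not code from the original post. The column names and the
rows in SAMPLE_DUMP are constructed for illustration; nothing from the real
CardingMafia dump is reproduced here.
"""
import csv
import io
from collections import Counter

# Constructed stand-in for a CSV export of the leaked user table.
SAMPLE_DUMP = """username,email,ip,created_at
alice01,alice01@gmail.com,203.0.113.10,2019-01-04
bob77,bob77@yahoo.com,203.0.113.10,2019-01-05
user_c,c.user@gmail.com,203.0.113.10,2019-01-09
user_d,d@hotmail.com,198.51.100.7,2019-02-11
user_e,e.e@protonmail.com,198.51.100.7,2019-02-12
user_f,f@gmail.com,192.0.2.44,2019-03-01
user_g,g@GMAIL.com,192.0.2.45,2019-03-02
user_h,h@example-corp.test,192.0.2.46,2019-03-03
user_i,i@tutanota.com,203.0.113.10,2019-04-18
user_j,f@gmail.com,192.0.2.47,2019-05-20
"""

# The five providers from the CyberNews list cited in the post, keyed by the
# domains they hand out to users (assumption: the list is not exhaustive, so
# extend it before trusting the percentage on a real dump).
PRIVACY_PROVIDERS = {
    "protonmail.com": "ProtonMail", "protonmail.ch": "ProtonMail",
    "pm.me": "ProtonMail", "proton.me": "ProtonMail",
    "tutanota.com": "Tutanota", "tutanota.de": "Tutanota",
    "tutamail.com": "Tutanota", "tuta.io": "Tutanota",
    "zoho.com": "Zoho Mail", "zohomail.com": "Zoho Mail",
    "thexyz.com": "Thexyz",
    "startmail.com": "Startmail",
}


def load_accounts(dump_text):
    """Parse the CSV dump into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(dump_text)))


def email_domain(address):
    """Lower-cased domain part of an email address ('' if there is no '@')."""
    _local, at, domain = address.strip().rpartition("@")
    return domain.lower() if at else ""


def accounts_per_ip(accounts):
    """Accounts registered per recorded IP address.

    One IP with many accounts is usually a shared egress (proxy, VPN,
    jumphost) or a scraping bot, not one very busy person."""
    return Counter(row["ip"] for row in accounts)


def provider_share(accounts):
    """(count, percentage) per email provider, most common first."""
    total = len(accounts)
    counts = Counter(email_domain(row["email"]) for row in accounts)
    return {d: (n, round(100 * n / total, 1)) for d, n in counts.most_common()}


def privacy_provider_share(accounts, providers=PRIVACY_PROVIDERS):
    """(count, percentage, per-provider counts) for privacy-focused providers."""
    per_provider = Counter(
        providers[email_domain(row["email"])]
        for row in accounts
        if email_domain(row["email"]) in providers
    )
    n = sum(per_provider.values())
    return n, round(100 * n / len(accounts), 1), dict(per_provider)


def summarize(dump_text, top_n=3):
    """Run all of the above over a dump and return one dict of results."""
    accounts = load_accounts(dump_text)
    per_ip = accounts_per_ip(accounts)
    return {
        "accounts": len(accounts),
        "unique_ips": len(per_ip),
        "unique_emails": len({row["email"].strip().lower() for row in accounts}),
        "top_ips": per_ip.most_common(top_n),
        "providers": provider_share(accounts),
        "privacy": privacy_provider_share(accounts),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Email addresses are normalised to lower case before counting unique values, otherwise `g@GMAIL.com` and `g@gmail.com` would be counted twice; the same normalisation is what makes the provider percentages add up.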

Suggestions for threat intelligence production

I didn’t want this blog post to be just a selection of statistics about a carding forum, so here are some suggestions for turning this data breach into actionable intelligence. There are other use cases too in the more generic threat research space, but I tried to keep it limited to actionable threat intelligence suggestions.

  • Check whether any accounts were created with your domain name(s). It could be benign (curious employees, threat researchers, etc.) but it could also be an insider threat.
  • If you are an email service provider, use the dataset to find out which of your users have been using your services to host and/or access cyber-criminal content. Again, it could be benign (threat research, law enforcement, etc.) but it could also lead you to some real cyber-criminals.
  • If you are a hosting provider, use the IP dataset to find out which of your customers have been using your services to host and/or access cyber-criminal content. Again, it could be benign (threat research, law enforcement, etc.) but it could also lead you to some real cyber-criminals.
  • If you are a national CERT (or similar entity) use this dataset filtering on your ASNs and TLDs to better understand the threat landscape of your country and potentially even uncover some cyber-criminal activity.
  • If you are working on de-anonymization or tracking of a cyber-criminal use this dataset for enrichment and pivot searching (e.g. emails, hashed passwords, IP addresses).
  • Check if any accounts were created from your IP address ranges (there are some originating from corporate networks). That could be anything from a curious individual, to a threat researcher or even an insider threat.
  • You can use the email addresses of the CardingMafia members to identify and profile high-risk individuals/customers you might have. For example, if you are a payments platform and you have CardingMafia members with accounts on your platform, it might be worth some proactive fraud investigation.
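The first and sixth suggestions above (accounts registered with your own domains, and accounts created from your own IP ranges) are the ones most organisations can act on directly, and both are simple set-membership checks over the dump. The following is an added example, not code from the original post; ORG_DOMAINS, ORG_NETWORKS and the rows in SAMPLE_DUMP are constructed placeholders, and the output is a list of leads for an insider-threat or abuse review rather than a verdict, for the reasons the post itself gives (curious employees, researchers).

```python
"""Match a leaked forum user table against your own email domains and
IP address ranges.

Added example, not code from the original post. ORG_DOMAINS, ORG_NETWORKS
and the rows in SAMPLE_DUMP are constructed placeholders.
"""
import csv
import io
import ipaddress

# Constructed stand-in for the leaked user table, including one row with
# unparseable fields as dumps often have.
SAMPLE_DUMP = """username,email,ip,created_at
user_a,a@gmail.com,203.0.113.10,2019-01-04
user_b,b@example-corp.test,203.0.113.10,2019-01-05
user_c,c@mail.example-corp.test,198.51.100.7,2019-02-11
user_d,d@gmail.com,192.0.2.5,2019-03-01
user_e,e@notexample-corp.test,192.0.2.200,2019-03-02
user_f,not-an-email,not.an.ip,2019-03-03
"""

# Constructed placeholders for "your" mail domains and egress ranges.
ORG_DOMAINS = {"example-corp.test"}
ORG_NETWORKS = [ipaddress.ip_network("192.0.2.0/28")]


def load_accounts(dump_text):
    """Parse the CSV dump into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(dump_text)))


def domain_belongs_to(email, org_domains):
    """Return the org domain the address is on (or a subdomain of), else None.

    The suffix check requires a dot boundary so that 'notexample-corp.test'
    does not match 'example-corp.test'."""
    _local, at, domain = email.strip().lower().rpartition("@")
    if not at:
        return None
    for org in org_domains:
        org = org.lower()
        if domain == org or domain.endswith("." + org):
            return org
    return None


def parse_ip(text):
    """Parse an IPv4/IPv6 address, returning None for garbage instead of raising."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def network_containing(ip, org_networks):
    """Return the first org network that contains the address, else None."""
    for net in org_networks:
        if ip in net:
            return net
    return None


def triage(dump_text, org_domains=ORG_DOMAINS, org_networks=ORG_NETWORKS):
    """Split the dump into the two kinds of lead the suggestions describe."""
    findings = {"org_domain": [], "org_network": [], "unparseable_ip": []}
    for row in load_accounts(dump_text):
        org = domain_belongs_to(row["email"], org_domains)
        if org:
            findings["org_domain"].append((row["username"], row["email"], org))
        ip = parse_ip(row["ip"])
        if ip is None:
            findings["unparseable_ip"].append(row["username"])
            continue
        net = network_containing(ip, org_networks)
        if net is not None:
            findings["org_network"].append((row["username"], str(ip), str(net)))
    return findings


if __name__ == "__main__":
    for kind, leads in triage(SAMPLE_DUMP).items():
        print(kind, leads)
```

Rows that fail to parse are reported rather than silently dropped, so the reviewer knows how much of the dump the check actually covered.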

Written by xorl

April 23, 2021 at 18:17

Chinese Cyber Operations Groups


And after the Russian and US ones, here is the diagram of the publicly known Chinese offensive cyber operations groups and their associations. Just like in the other cases, this will be a live document, updated on this page as soon as new information becomes available.

For the same reason, if you notice any mistakes, errors or missing information, please let me know and I will update it as soon as possible. Also, to improve transparency, below the diagram you can find a complete list of the sources used to construct it.

Last Update: 18 June 2021



  • Version 1.0 (20 April 2021): First publication.
  • Version 1.5 (13 May 2021): Added GSSD and relevant entities.
  • Version 1.6 (13 May 2021): Removed China Chopper as it’s not an actor (credits: @r0ny_123)
  • Version 2.0 (18 June 2021): Added PLA 69010 (thanks to @monacasec for the heads up)

Written by xorl

April 20, 2021 at 22:05

US Cyber Operations Groups


My previous post on the Russian (offensive) Cyber Operations Groups became more popular than I expected, so I decided to do something similar for other nation-state actors with multiple intelligence organizations performing offensive cyber operations. So, I picked the United States as the second one, and hopefully will continue with more of these in the future.

In the case of the US it was harder, since very limited details are publicly available. The main sources I used for this one were (the full list of sources is below the diagram):

  • Government leaks (E. Snowden, Wikileaks, Shadow Brokers, etc.)
  • Statements from government officials in reputable news outlets

You might notice that I didn’t expand CYBERCOM (which is massive); the reason is that although it’s publicly known that it now performs offensive cyber operations, there is no publicly known APT association. So, I decided to avoid making this a huge diagram for no reason. The same goes for the NSA, which has multiple other divisions/offices performing cyber operations, but there is no publicly known APT associated with them either.

I hope I got it right, but if you notice any mistakes, missing details or incorrect information please let me know to update it accordingly.

Last update: 29 APRIL 2021



  • Version 1.0 (18 April 2021): First publication.
  • Version 2.0 (18 April 2021): Update SLINGSHOT attribution (thanks to Midwest and @slaeryan)
  • Version 2.2 (23 April 2021): Add APT-C-39 to CCI and remove Vault 7 from TAO
  • Version 2.5 (29 April 2021): Kaspersky Labs correlated Lamberts with Longhorn APT group. Added it.

Written by xorl

April 18, 2021 at 11:53

Russia’s Cyber Operations Groups


Some time ago I published a post briefly discussing some of the best-known APT aliases associated with specific government organizations of the Russian Federation. Since lots of additional information has recently been released from official sources (the US and UK governments), I decided to turn this into a more thorough diagram.

The sources used are listed below.

I hope they weren’t wrong, but if you notice any mistakes, missing details or incorrect information, please let me know so I can update it accordingly.

Last update: 25 APRIL 2021



  • Version 1.0 (16 April 2021): First publication.
  • Version 2.0 (19 April 2021): Separate 6th Dir. centers (thanks to @WylieNewmark)
  • Version 2.2 (24 April 2021): Added the missing flag
  • Version 2.5 (25 April 2021): Added the missing parent organizations
  • Version 3.0 (25 April 2021): Reorder the diagram to be easier to read

Written by xorl

April 16, 2021 at 15:31

Why tasking is important in a threat intelligence team (using NSA’s UTT as example)


Following the theme of my previous posts, I have published an educational video that goes through the well-known PRISM slide deck from the NSA. That slide deck has tons of useful information for anyone working in threat intelligence, but I’d like to focus on one area only, to keep this blog post quick and comprehensive: the Unified Targeting Tool (UTT) that was mentioned and explained there.

What I liked about UTT was its pure focus on tasking (meaning assigning intelligence tasks such as collection, exploitation, etc. when the information is not readily available to analysts), something that we in the private sector tend to ignore. The job of your analysts isn’t to go out and chat with cyber-criminals, create sock puppet accounts, negotiate with vendors, etc.; it is to use all the available information to build intelligence. The above operations are part of tasking & collection.

Here is a screenshot of the UTT slide I reconstructed for my video. In summary, it says that the analyst uses UTT to fill in a web form with the information they need from PRISM (but for the sake of this blog post, assume your own threat intelligence data lake). UTT then had two paths: one for searching in records it already had, and the other for searching for near-realtime information (AKA surveillance). This distinction is CRUCIAL in tasking, as intelligence gathering is usually not as time-sensitive as surveillance. It then runs a series of checks (like whether this is a U.S. citizen) and, if the information wasn’t available, the FBI was tasked to go to the relevant companies, collect that data and feed it back to PRISM.

Now, if I had to redesign this for a private entity, I would do something like what you see below. Having a solid tasking process for threat intelligence is extremely beneficial for the entire intelligence function. What I wrote is basically this: first, someone needs to review the analyst(s)’ request in case they try to access something they are not allowed to. Then, if it’s something you already have, you pass it on; if it isn’t, you open a ticket to your collectors to find it. If it’s a near-realtime (AKA surveillance) request, then you need to create the equivalent tracking rules and alerts. The great part is that most of that can be automated with the modern TIP and SOAR solutions out there.

So what’s the value of a concrete tasking process (ideally accompanied by a tool like UTT)? Here is what:

  • Provides visibility into what analysts are interested in (AKA helps develop/improve PIRs)
  • Helps identify the best vendors/sources to focus on
  • Creates/maintains alerting only for threats the analysts care about
  • Ensures analysts cannot just “read everything”, which could result in serious privacy violations
  • Helps prioritize intelligence collection and technical requirements
  • Removes the need for analysts to get familiar with all the tools/vendors used (which change over time)
  • Can help deduplicate work when multiple identical requests are issued
  • Analysts use their time to do analysis, not collection
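The redesigned tasking flow described above (review the request, serve it from what you already hold, otherwise open a collection ticket, and turn near-realtime requests into tracking rules) is small enough to sketch as code, which also shows where the “cannot just read everything” and deduplication benefits from the list come from. The following is an added example written for this post; it is not code from the original, from the NSA’s UTT, or from any TIP/SOAR product, and the roles, the policy table and the data lake contents are constructed placeholders.

```python
"""A minimal tasking router modelled on the private-sector redesign of UTT
described above.

Added example, not code from the original post or from any TIP/SOAR product.
Roles, the policy table and the data lake contents are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TaskingRequest:
    analyst: str
    selector_type: str          # e.g. "domain", "ip", "hash", "email"
    selector: str
    mode: str = "historical"    # "historical" (search records) or "realtime" (surveillance)


# Constructed policy: which selector types each role may task. Keeping
# person-level selectors away from lower tiers is the review step that stops
# analysts from simply reading everything.
ROLE_POLICY = {
    "tier1": {"domain", "ip", "hash"},
    "tier2": {"domain", "ip", "hash", "email"},
}
ANALYST_ROLES = {"ana": "tier1", "ben": "tier2"}

# Constructed data lake: what the intelligence function already holds.
DATA_LAKE = {
    ("domain", "bad.example"): ["seen in phishing kit, 2021-01"],
    ("ip", "203.0.113.10"): ["proxy exit node"],
}


class TaskingRouter:
    def __init__(self, data_lake, analyst_roles, role_policy):
        self.data_lake = data_lake
        self.analyst_roles = analyst_roles
        self.role_policy = role_policy
        self.tickets = {}        # (selector_type, selector) -> open collection ticket
        self.alert_rules = set() # (selector_type, selector) under near-realtime tracking
        self.audit = []          # every decision, which is what feeds PIR development

    def route(self, req):
        key = (req.selector_type, req.selector.strip().lower())
        # 1. Review: may this analyst task this kind of selector at all?
        role = self.analyst_roles.get(req.analyst)
        if role is None or req.selector_type not in self.role_policy.get(role, set()):
            return self._record(req, {"action": "denied",
                                      "reason": "selector type not permitted for role"})
        # 2. Near-realtime: create (or reuse) a tracking rule instead of a one-off search.
        if req.mode == "realtime":
            created = key not in self.alert_rules
            self.alert_rules.add(key)
            return self._record(req, {"action": "alert_rule", "created": created})
        # 3. Historical: serve from the data lake when we already have it.
        if key in self.data_lake:
            return self._record(req, {"action": "deliver",
                                      "records": list(self.data_lake[key])})
        # 4. Otherwise task the collectors, reusing an open ticket for the same selector.
        if key in self.tickets:
            return self._record(req, {"action": "collection_ticket",
                                      "ticket": self.tickets[key], "duplicate": True})
        ticket = f"COL-{len(self.tickets) + 1}"
        self.tickets[key] = ticket
        return self._record(req, {"action": "collection_ticket",
                                  "ticket": ticket, "duplicate": False})

    def _record(self, req, decision):
        self.audit.append((req, decision["action"]))
        return decision


def demo():
    """Run a constructed sequence of requests through the router."""
    router = TaskingRouter(DATA_LAKE, ANALYST_ROLES, ROLE_POLICY)
    requests = [
        TaskingRequest("ana", "email", "someone@example.test"),       # tier1 may not task emails
        TaskingRequest("ana", "domain", "bad.example"),               # already in the lake
        TaskingRequest("ana", "domain", "new.example"),               # needs collection
        TaskingRequest("ben", "domain", "NEW.example"),               # same selector, deduplicated
        TaskingRequest("ben", "ip", "198.51.100.7", mode="realtime"), # tracking rule
        TaskingRequest("ben", "ip", "198.51.100.7", mode="realtime"), # rule already exists
    ]
    return router, [router.route(r) for r in requests]


if __name__ == "__main__":
    _router, results = demo()
    for r in results:
        print(r)
```

The selector is normalised before it is used as a key so that two analysts asking for the same domain in different case share one ticket; the audit list records denials as well as deliveries, since a pattern of denied requests is itself useful input when revisiting the policy and the PIRs.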

Written by xorl

February 1, 2021 at 15:50