Leading “threat intelligence” firms are creating fake online personas to gain access to every corner of the web.
U.S. intelligence agencies also have a record of coming up empty after infiltrating private, online spaces, raising the possibility that the security justifications for the current incursions are weaker than the agencies are claiming. The documents leaked by former National Security Agency contractor Edward Snowden revealed that FBI and CIA spies had created fake personas to hunt for potential terror plots discussed in online games, such as World of Warcraft and Second Life, as well as on platforms like Xbox Live. Those initiatives fizzled after the intelligence agencies found little to no evidence of terror communications.
https://substack.com/inbox/post/119946213
That anonymous internet persona with an anime cartoon avatar in your Discord chat might actually be a contractor sent to spy on you.
Enter the world of “threat intelligence.”
It’s the term of art for a growing set of surveillance and security firms that create fake online personas to infiltrate and scrape data from private corners of the internet. The industry provides corporate and government clients with insight into conversations on private, invite-only Discord chats, WhatsApp groups, Reddit forums, and dark web message boards to help those powerful customers keep tabs on a variety of potential threats, from political hacktivists to the illegal markets that traffic in stolen passwords and intellectual property.
I spoke to representatives of ZeroFox, DarkOwl, Searchlight Cyber, Recorded Future, CyberInt, Flashpoint, and other threat intelligence firms at RSA Conference 2023, an annual convention for cyber security professionals from across the world that is held in San Francisco.
“We have personnel who already have established credentials in these environments so that we’re able to go in and look for things,” said A.J. Nash, the vice president of intelligence at ZeroFox, a leader in the threat intelligence industry that is based in Baltimore, Maryland.
Nash confirmed that the company is active in Discord, an audio and video group chat app popular among young video-game players.
“We can do the same thing with Discord,” Nash added. “It’s hard to infiltrate a small group because everybody knows everybody. But some of the groups that are larger, yeah, we have the ability to get into some opportunities.”
An executive at DarkOwl, a Denver-based threat intelligence firm that provides clients with a special database of information from its snooping, explained that the company creates fake identities and usernames to gain admission to many of the private platforms and chatrooms that it uses to collect information.
“What we do, we work with personas,” said Magnus Svärd, a director at DarkOwl. “We’ve done this at scale since 2018 so there’s some trust in the personas that we’ve built up, whether they’re on Discord, on Telegram, or wherever.”
Searchlight Cyber, a British firm that specializes in dark web message boards, similarly uses internet personas to gain access to private online forums and chat platforms.
“We actually get invited to those. We have human actors and get invited. We obviously don’t identify as Searchlight on them,” said Peter Ritter, a sales manager at the firm. “Then we see what’s going on there.”
CyberInt, an Israeli threat intelligence firm, advertises how its team of analysts uses fake personas to thwart hackers, retail fraud, hacktivists, and other cyber security threats.
In one video posted by CyberInt, an analyst for the firm discusses her approach to go into online communities and “detect threat actors when they are young or starting out at 14 or 15, that’s when I start observing and documenting their malicious activities.” At that age, they are “more careless and open,” the analyst said.
In another CyberInt marketing video, the firm walks a potential client through the process of using a fake online alias to contact a hacker over the messaging app Telegram and “get as much information as we can.”
Danny Miller, a director of marketing at CyberInt, confirmed to me that his firm has analysts infiltrating Discord servers, among other platforms.
Many of these firms maintain close ties to law enforcement and government agencies. Several are currently under contract with the Federal Bureau of Investigation or military intelligence.
The role of ZeroFox’s collaboration with the FBI, in particular, came to light in documents unearthed by the special House committee investigating the U.S. Capitol riot on Jan. 6, 2021. In a Jan. 3, 2021, email exchange between FBI officials preparing for the right-wing protests slated to occur, one official noted that the FBI team charged with monitoring groups due to assemble at the Capitol had just signed on with ZeroFox days earlier. The official said that the agency was still learning how to use the software to monitor social media posts from political extremists headed for Washington on Jan. 6, 2021.
Be seeing you
MCViewPoint 