A New Darknet Platform Publishes a Huge Amount of Data, from Around the World
In the past few months, an alleged group of transparency advocates, headed by activist Emma Best (@NatSecGeek), created an online repository of leaked data similar to WikiLeaks, named “Distributed Denial of Secrets” (@DDoSecrets).
Our initial examination revealed that the repository includes a great volume of data aggregated from past leaks, but also several new ones. The data is extremely diverse and consists of documents, hacked emails, leaked credentials, and other data that has been leaked over the years by a variety of actors (hacktivists, APTs, etc.).
The platform was established in late 2018 and became public on November 19th, 2018. Its Twitter account was opened on December 3, 2018, and since then it has been tweeting every few days about new data published on the platform, along with additional details about the revealed information.
The platform received most of its publicity after it published a Russian data leak dubbed “Dark Side of the Kremlin.” The leak was published on January 25, 2019, and dealt with different aspects of Russian operations internally and externally. This includes Russia’s involvement in the fighting in Eastern Ukraine, its ties with the Russian Orthodox Church, and more.
The files included in the “Dark Side of the Kremlin” data leak
Although many view the platform as a payback for Russia’s involvement in the 2016 US presidential elections, the website denies this and claims it is working to uncover information from all over the world. At this time, there has been no official comment by the Russian government about the website, but the owners claim they suffered a cyber-attack against one of their servers.
The platform is a Darknet website, accessible only from a Tor browser. The main reason for this is to maintain the anonymity of the website’s owners; it also makes it difficult to take the platform down. Of note, even though this is a Darknet website, the torrents from which the data can be downloaded are accessible from the Clearnet.
Here is what our researchers discovered while analyzing the platform and its contents.
DDoSecrets – what’s in it, who’s behind it?
The home page of the platform states it aims to “enable a free transmission of data.” The “Collective” behind the platform claims they are not backed by any government or corporation, and their only intention is to provide accessibility to the people.
In the “About” section of the platform, the “Collective” is briefly described, claiming it was formed in 2018, by a group of people, with experience in information-gathering, research and more, who wish to enable the general public to witness their findings. Of note, only two people are actually mentioned – Emma Best, and “The Architect,” who is the group’s technical advisor. Emma Best is a well-known transparency advocate and a journalist, who has been active for a long time, publishing confidential data and helping whistleblowers.
The data on the website is organized into categories, according to geographical areas and sectors. Some of the categories are empty, which may indicate what else is of interest to the group and what to expect next.
Example of the Asia section
Below is a short overview of the different categories and subcategories, and what can be found under each section:
- Asia – contains three subcategories:
  - Cambodia – contains leaked documents from the Ministry of Foreign Affairs.
  - China – the only data leak taken from the Ministry of Commerce. It contains information about deals with Eastern European countries, such as Russia, Belarus and Ukraine.
  - Russia – this subsection includes six data leaks. The first four deal with information stolen both from governmental organizations, such as the Interior Ministry, and the Russian defense exporter Rosoboronexport. The second part, which gained most of the media interest, is “Dark Side of the Kremlin,” described above.
- Europe – contains two subsections:
  - Germany – the data comes from the German Chambers of Commerce and was stolen from their offices in Eastern Europe, including Azerbaijan and Ukraine.
  - Italy – the data contains documents taken from the Italian Police, about several of their operations, as well as private emails of Deputy Prime Minister Matteo Salvini that were already published in the past.
- Middle East/North Africa – includes three subsections:
  - Azerbaijan – the data leaks are from two government organizations: the Ministry of Communications and IT, and the Special State Protection Service of Azerbaijan.
  - Turkey – the leaked data was stolen from the Turkey National Police (EGM) and from the ruling Justice and Development Party (AKP).
  - Syria – contains mostly governmental emails, some of which were released previously.
- South America – includes two subsections:
  - Argentina – two leaks released by LeakyMails regarding private communications of Argentinean officials.
  - Brazil – includes documents about a government corruption investigation that involved the CIA.
- North America – contains 35 different data leaks, from government agencies and private companies. Most of these organizations and companies are connected to surveillance programs and operations, and therefore this platform targets them specifically.
- Australia – contains one leak, “Australia Queensland,” which incorporates different files stolen from Australian organizations. Much of the leak consists of financial and commercial data about Australian companies.
- Africa – includes one data leak named “Chamber of Mines of South Africa”, which contains data regarding the mining industry in the country.
- International – includes two data leaks: one of documents leaked by the famous American whistleblower, Edward Snowden, and the other, from the Organization for Security and Co-operation in Europe, discussing operations and sections in regard to different issues, such as the Ukrainian
- State-Sponsored – information about data leaked by state-sponsored APT groups and other information connected to their operations. This includes emails of officials from the Democratic Party, allegedly stolen by Russian state-sponsored groups, or internal data stolen by North Korean hackers from Sony.
- Corporations – this subcategory includes two types of data leaks. The first contains intellectual property stolen from private companies, such as Hacking Team, Gamma, Stratfor, Time magazine, and more. All of this data was previously published online and gained much media attention. The second contains different credential leaks from companies such as LinkedIn, Dropbox, Ashley Madison and more. All of these are well-known leaks, and all are more than two years old.
- Insurance releases – information stolen from insurance firms.
- Research – the data includes interviews and research on CIA operations, such as an assassination program in Vietnam and Project MKUltra (a CIA experiment that took place in the 1950s and 60s). Most of this information is very old and was already published.
- WikiLeaks – includes internal information and correspondence of WikiLeaks.
- MISC – contains different leaks from various sources that do not fall under any other category. For example, one data leak includes documents confiscated after the Iranian revolution in 1979, talking about American espionage operations in the country. Further leaks contain information obtained by the notorious Darknet marketplace, Silk Road, etc.
DDoSecrets – what’s the real value of the data leaked – the researchers’ view
After analyzing the platform, we can say that most of the information there is not new and is at least a few years old. The platform includes even older data leaks, such as the takeover of the American Embassy in Teheran in 1979. Much of the data has been previously leaked by WikiLeaks, or on other data-sharing platforms, and does not provide any new information. In addition, the credential leaks included on the platform are also old, and most of them were published at least two years ago. Naturally, this lowers the value of the published data.
With regard to the material itself, it seems they have a specific interest in Eastern Europe and former USSR countries. It appears they especially want to expose information that @wikileaks avoided publishing about Russia, and Russian cyber operations against other countries around the world. They also have a specific interest in countries, parties and politicians that appear to be on the right side of the political map. This includes, for example, files connected to Donald Trump and the Lega Nord party and its leader, Matteo Salvini, from Italy.
In terms of leaks from the private sector, the platform focuses mostly on companies that deal with intelligence-gathering and surveillance. This also applies to some governmental organizations, whose data was published on the platform, that are connected to intelligence-gathering and surveillance. The motivation behind targeting such organizations is the desire of the platform’s manager to promote the value of privacy and human rights issues.
To conclude, the DDoSecrets platform has already amassed a substantial amount of data, and continues to add more and more data over short periods of time. Even though much of the information published on this platform is old and was previously published on other platforms, it still represents a large repository comprising many leaks from different places. That said, the sheer number of documents and the not very user-friendly platform make it difficult to analyze the information. We estimate that more interesting information will be found as we and other security researchers continue to investigate the information it contains.
Author: Verint Cyber Threat Intelligence Research Team
Verint’s Cyber Threat Intelligence (CTI) research team (formerly SenseCy) is comprised of handpicked expert analysts, many of whom are ex-military intelligence, with years of experience in cyber threat intelligence and analysis.
Our research team monitors, analyzes and validates threat actors’ malicious activities on platforms such as social networks, mobile applications, Deep Web sites, Dark Web marketplaces, hacker forums, IRC channels, global CVEs and external threat intelligence generated by leading security providers. The research team regularly produces threat alerts and intelligence reports based on region, industry and organization-specific threats, including in-depth analysis, actionable recommendations, IoCs and more, to proactively identify and mitigate threats before they materialize, to enhance resilience and prevent future attacks.