Cyber Intelligence: HUMINT Operations

How to engage Threat Actors during undercover operations in the cyber-crime battleground

Bank Security
8 min read · Jan 25, 2021

Introduction

Monitoring cyber-crime forums is certainly very important, but by the time information arrives on a forum it is often already too late: some Threat Actor has usually already exploited it, or has exchanged or sold it privately to their most trusted contacts or buyers.

To obtain this privileged information in advance, fully understand fraud life-cycles and discover new vulnerabilities and malware that can be used against your organization, HUMINT activities during undercover operations are a fundamental part of Cyber Intelligence.

This topic is poorly documented online, and help on how to do it right is very rare. Let's try to give some answers…

What is HUMINT in the Cyber field?

HUMINT, in the Cyber field, means interacting directly and privately with cyber criminals through various messaging platforms, forums and marketplaces.

This means building virtual trust with cyber-criminals, entering their world of fraud and trying to think like them. This process can take a long time, often years.

HUMINT is a branch of cyber intelligence, and handling it right can literally save your company from the next cyber attack or fraud.

Anonymization & Privacy

Anonymizing yourself in cyberspace means using different tools that hide your personally identifiable information from the websites, forums and chats you use or visit. Privacy and anonymity on the internet are hotly debated topics lately, and they are crucial during undercover operations that involve virtual human interaction with criminals.

Anonymous web browsing, chatting or simply staying online can be achieved by mixing different configurations: an OS like Tails or Qubes OS; a decision between the Tor Browser and a VPN plus the Brave browser; the right tool for sharing a file, like OnionShare; and encrypted communications via XMPP + OTR with a client like Pidgin, or via a GPG/PGP tool like gpg4usb.

What's the best option? → There are many technical discussions about how to approach anonymity, and everyone is free to choose the one they think is best and safest, with its pros and cons. It all depends on your threat model and varies according to the level of paranoia and confidentiality you want to maintain during these operations.

What are the most used platforms for chatting in the underground communities?

First, you need to be prepared for the main communication methods used by cyber criminals. For example, during an incident, if you need to investigate a criminal or profile a Threat Actor, you will need to have the whole environment ready to start a conversation on one of the platforms the opponent uses.

What does it mean? → Usually the first direct approach to a Threat Actor is via Direct/Private Message (DM/PM) in a forum or market. If you are interested in asking for or exchanging information with a user, you will first have to write to them privately. After a few messages, you exchange contacts to move the conversation to another platform.

Why? → Using a more secure platform avoids private forum conversations being stolen by other criminals, as often happens, which would expose the activities of the Threat Actors and risk burning your cover.

What are the most used platforms? → Generally, cyber-criminal communities that attend Russian or English forums prefer Jabber (XMPP) as the main method of private communication, followed by Telegram, ICQ, Discord, Skype and email.

(Image: some contact examples shared by Threat Actors)

What is Jabber/XMPP? → Jabber is the IM service based on one of the key nodes of the XMPP network. To log in, use an IM client like Adium, ChatSecure, Conversations, Gajim, Jitsi, Messages, Pidgin, Psi or Swift (a full list is here).

If you want to test the easiest way to create a Jabber account, you can create one here and download the Pidgin client here. As a second step, remember to install an OTR plugin (Off-the-Record Messaging, which allows you to have private conversations over instant messaging); some Threat Actors require it before starting a conversation, and it also protects you. At this link you can find Pidgin OTR, and here a guide on how to configure it on Linux.
Once installed, you can add the Jabber contacts shared by the Threat Actors, and once accepted on both sides it will be possible to start a conversation.

Telegram groups, channels and private chats are daily business for some criminals who choose this platform as a means of exchanging and selling private or stolen information.

Being an app tied to a phone number, always remember that it can be linked back to you, so follow security procedures to avoid being identified. Here too there are many approaches, such as anonymous virtual numbers, or an anonymous SIM in a disposable phone obtained away from home and used only through Telegram Web via VPN. In this case too, the best approach depends on your threat model.

Go undercover

When you go undercover and start different operations or investigations, you need to create a background and stories parallel to your real life, using different nicknames, aliases and contact information.

It is necessary to be very clear about what kind of person you want to be and what attitude you want to have during different discussions. This will surely be influenced by your culture, your country of origin and your knowledge of languages.

You may need to have different personalities and stories that you can adapt to the situations and people you interact with.

Before creating your avatars, you should answer these questions:

  • What is my goal?
  • What is the sector in which I want to specialize and investigate?
  • Where do I think the Threat Actors that interest me come from? What is their mother tongue?
  • What information do I want to get from the actors I’m talking to?
  • What is their background?
  • How long will I have to interact with the Threat Actor? Do I need to establish a long-term relationship, or do I just need a one-off piece of information?

All of these questions will help you create a credible profile that can connect with your targets. Remember to have everything written down and very clear in your mind, to avoid contradicting yourself or changing your attitude during a chat.

Threat Actors are very intelligent and skilled people. It is essential for your safety not to make mistakes.

Reputation and credibility

Having a good reputation and credibility is key to surviving in these communities. A lot of time has to pass before you have a good reputation on a forum or make yourself known in underground communities, and it requires a lot of accreditation work and vetting processes.

Take your time!

As soon as you start a conversation with Threat Actors of a certain level, they will ask you what your story is, which users are ready to vouch for you, what activities you have done in the past, etc.

Create your own credible story with the right amount of effort and time. Lie and be convincing and patient.

How to gain reputation? → In some forums it's necessary to help users and provide them with useful information. In other cases, you need to prove your technical skills through personal research, or you are asked to demonstrate a real compromise in order to confirm your attitude. Creating honeypots and fake sites, and pretending to have stolen data that never existed, is a great way to defraud the fraudster without committing illegal activities.
Any information you share must not be usable to commit illegal acts. It is not easy to respect this rule, but we do not like easy things, right?

Top 10 advantages of HUMINT operations

Here are the main advantages of these operations:

  1. Obtain sensitive information before it is posted, even on closed forums.
  2. Prevent future attacks before other threat actors find out, or fix the issue before it's too late.
  3. Learn of victims of attacks that would never be posted on any forum. Knowing whether your company, a third-party supplier or a company in the same industry is among the victims of an attack that will not be published is very crucial information.
  4. Understand how fraud schemes are composed. Fully understanding these processes is essential to avoid being blown during an investigation or a vetting process for closed communities.
  5. Obtain information on money-laundering schemes, such as the bank accounts and companies used to carry out the fraud. This info is almost never shared in the forums; only with the right engagement is it possible to discover it.
  6. Obtain information on bank drop services and money mule accounts.
  7. Discover new vulnerabilities or malware that can be used against your organization.
  8. Discover new sources to be monitored, such as new forums, markets, Telegram or Discord channels, or private groups.
  9. Study Threat Actors and their backgrounds in depth.
  10. Protect your company like no tool can.

Tips & Tricks

Some tips & tricks to survive:

  • Don't improvise Russian if you are not Russian. You cannot use Google Translate during a conversation. If you are confident in English, speak English; otherwise you will only make a bad impression. There are a lot of people out there who don't know Russian, so if you ask to speak in English you will often be accommodated.
  • Start from your home country by meeting criminals who speak the same language as you to fully understand the patterns they use to commit illegal activities.
  • Be wary of payments in any form. Everything can be tracked and even a small mistake can be decisive for your safety and integrity.
  • Be wary of any information given to you. You are the one who is faking it, and whoever is on the other side of the keyboard can do the same, causing you to make mistakes.
  • Beware of typos and acronyms during a conversation. They may reveal your native language or the country you come from.
  • Initially, set yourself specific goals. Look for information that is relatively easy to obtain so that you can practice. Only when you are confident should you try to get more relevant information.
  • Don't disappear once you get the information or reach your goal. Always try to leave an open communication channel so that you can return to the person if necessary, and to avoid suspicion that you are just a cop.
  • Study as many acronyms as you can. In forums and during a conversation you will often struggle to understand what they are writing to you. Knowing the slang and terms used by the attackers is essential to avoid being caught unprepared.
  • Out there you can be anyone: a group, a researcher, a hacker or an insider. Decide who you want to be based on what your goal is.
  • Engaging Threat Actors before they publish confidential information and are contacted by others allows you to gain credibility with the TA and doesn't arouse suspicion.
  • Engaging actors before an incident or a relevant post creates a preferential channel that will require no introduction.
  • Study how fraud works and the mechanisms that fuel cyber-crime. There are many papers and lectures about it.
  • Always remember that when you look deep, the deep looks at you.
  • Try to be present on various forums in order to be ready to interact in case of an incident, and gain credibility without ever committing illegal acts.
  • Think like a criminal, act like a cop, and use all the information you get for benevolent and ethical purposes.

Conclusion

Human interaction with cyber-criminals is not easy, but if managed in the right way it can lead to strategic and fundamental findings for your company or sector.

Always use your mind and be careful. Always share what you find in the right way; only then can you make the world a safer and better place.

Follow me on Twitter and remember:

“Cyber Intelligence is not a hobby. It is not a subset of Cyber Security one can easily pivot into.

It’s a passion and no matter how much you invest in access, tools, or cutting-edge technologies, intelligence is still about people.”