Initial Access Brokers (IAB) are poised to become a force in 2022, due to a unique skill set that positions them as a valuable commodity for the deployment of hostile cybercrime activity. IABs serve as middlemen, specializing in the exploitation of victims and gaining initial entry. Once achieved and sustained, these actors sell these unique accesses to interested customers on dark web forums and markets. In this capacity, they execute the first phase of a cyber-attack chain, performing the necessary research prior to conducting an operation.

Over the course of 2020, one security company tracked more than 500 cybercriminal listings in the underground in which they advertised network access across several industry verticals. IABs have gained popularity in the cybercrime-as-a-service ecosystem that continues to professionalize their diverse offerings, mimicking the practices of legitimate businesses that include competitive prices, 24×7 customer support, and discounts for return customers.

The value of IABs is that they offer a skill beneficial to all types of actors, from relatively unsophisticated actors who have the money to invest in criminal activities (but the inability to gain entry into targets on their own) to more advanced actors (who purchases these access to facilitate their own cyber malfeasance). For the former, IABs offer a low barrier of entry into cybercrime. For the latter, buying entrance into a target industry of interest provides a proxy if the IABs efforts are detected by a potential victim. Per one cybersecurity online periodical, accesses are advertised for as little as USD 25 up to thousands of dollars, demonstrating IABs’ willingness to court customers at any level.

OODA Loop Sponsor

The more established IABs prefer to develop and sustain relationships with select customers, as they have an already established professional relationship. No better crime offering demonstrates this than ransomware. In late 2020, the DarkSide ransomware group posted in a forum its interest in finding IABs that could provide access to U.S. businesses with at least USD 400 million. Also in 2021, one computer security company analyzed cybercrime forum posts where threat actors sought to purchase such accesses. What the company found is 40 percent of these ads were created by individuals working or associated with ransomware gangs.

The research also revealed that some of these listings can be very specific. One listing cited a willingness to pay USD 3,000-5,000 for access to Australian, Canadian, United Kingdom, and United States companies with revenue of USD 100 million or more. Considering that ransom demands have been as large as USD 70 million (though in that situation the victim reportedly did not comply) and paid ransoms have garnered attacker payouts in the millions, the cost-benefit analysis and potential return on investment of IABs in support of ransomware operations are without question.

It comes as no surprise that some cybersecurity companies have found that the number of offers to sell access to compromised networks tripled between 2020 and 2021. Research provided by one cybersecurity company revealed the diversity of industries that IABs targeted, citing financial services, technology, industrial good and manufacturing, education, and government being among the top ten fetching price points roughly ranging from USD 4,000-13,000 (depending on the target). The company identified the United States, Canada, and the United Kingdom as top geographies exploited. Computer security researcher Brian Krebs profiled a prolific IAB and suspected Russian threat actor “wazawaka,” a major player in the Russian cybercrime underground (Note: the term “actor” can refer to an individual or a group). According to the actor’s postings in at least two underground forums, wazawaka earned approximately USD 500,000 in commissions collaborating with LockBit, and had also worked with DarkSide, the group responsible for the Colonial Pipeline attack, though it was not clear if wazawaka provided the access into Colonial. Wazawaka’s posting in one forum provides insight into how Russian IAB operators view their work, will not target Russian organizations, and never leave the country.

While much attention from IABs has been viewed through the prism of crime, gaining access into prized targeted networks is of interest to state actors as well. As already mentioned, IABs do the research and make the initial inroads into a specific organization or industry vertical. For larger capable states, IABs can provide a level of obfuscation that does not link directly back to them. For smaller, less capable states, IABs can function almost like an independent contractor, serving in a similar capacity as the U.S. hacker contractors helping the UAE or the spyware manufactured by the NSO group. Once initial access is enabled, any follow up activity is up to those who paid for it. Per a 2020 study by IBM, the average time to identify a breach in 2020 was 228 days, which is a significant amount of time for any state actor to operate inside a network for espionage, network enumeration and reconnaissance, or establish and maintain access to be used for further exploitation or a more disruptive attack.

IABs will likely draw more attention from the cybercriminal underground due to their unique and highly sought-after capabilities. However, the more their reputations grow, the more they may find themselves in the crosshairs of law enforcement and intelligence groups, especially if they continue to be linked to larger cybercrime activities and even to nation-state elements. The United States made it known to Russia that it wanted Moscow to reign in its rampant ransomware gangs, and while at first there seemed no headway made, recently Russia “dismantled” the REvil ransomware group, which allegedly has made nearly USD 200 million from its activities. Per one news report, Russia’s Federal Security Service confirmed that the arrest was made at Washington’s request. Whether this is appeasement or a way of Moscow to bring the prolific actors underneath its protective umbrella remains to be seen. There has been no talk of extradition, and these actors remain at Moscow’s disposal, regardless of their “punishment.”

The big question is if Russian IAB actors will be the next group of cybercriminals that Washington requests Moscow target for a shutdown. Certainly, the more accomplished and respected IAB operators will be catering to a specific customer that will be able to afford higher costs, and these are the ones that need to be scrutinized. The more that these IAB activities are exposed, the more we will learn about how hostile actors operate in cyberspace, including who is initiating breaches, who is conducting post-breach activities, and who is truly benefiting further up the criminal food chain.

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

For more information please click here. Thanks!

Already a member? Sign in to your account.

Related Reading:

Black Swans and Gray Rhinos

Explore OODA Research and Analysis

Decision Intelligence

Disruptive/Exponential Technology

Security and Resiliency

Community