Unveiling the Dark Web’s Massive Military Data Leak

Introduction to Spectre

Several threat groups and actors exist in online cybercrime communities with the express goal of hacktivism, which is defined as the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change. These groups are not financially motivated, and are seldom seen extorting their victims or selling stolen data, but rather giving it away to the world. Historically, the same could be said for a threat actor known as Spectre (often seen going by spectre123, spectre05, and intelbroker online), a likely leader of a hacktivist group known as CyberGuerilla. Spectre maintains a telegram group and website where they publish typically government targeted leaks regularly, often containing files related to human rights or military activities.

Spectres Priorities Shift Financially

In Spectres telegram group, they have not once listed files for sale. Always publishing leaks for free, as is consistent with the motives of a hacktivist. However, earlier this month Spectre offered several gigabytes of the Italian Police’s data for the price of $5,000.

Fig 1 – Spectre listing Italian Federal Police files for sale

Last week, Spectre offered 20 gigabytes of Sri Lankan Naval and Operational data and documents for sale on a popular clearnet and darkweb cybercrime forum, for the price of $5,000, claiming to have sourced the data from a Sri Lankan military insider.

Fig 2 – Spectre claiming Sir Lankan military files were sourced from an insider

Spectres Massive Military and Law Enforcement Data Sale

Fig 3 – Spectre posting from June 29th, 2023 of 16 sets of classified military documents.

This recent interest in commodifying their hacktivist activities culminated in Spectre offering a massive collection of government documents, covering a wide variety of military and commercial targets, for sale. This includes classified schematics, drone system software, and even remote access to the Philippines military systems.

The victims, the files for sale, where the data was sources from and the leak prices are as follows:

Automate Your Threat Exposure Management

Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.

Leak Bundle Source Size of Bundle Price
Raytheon files regarding confidential and proprietary defense technology Not listed 200 MBs $10,000
Detailed schematics of ITAR controlled Elbit Systems Aircraft Not listed 300+ files $2,000
DARPA Drone and Missile System Documents (several hundreds gigabytes of files covering 9 DARPA products including blueprints, documentation and software) Not listed 200+ GB $80,000

OR

$8,000 per product

Military exercise files marked as SECRET//REL TO FIVE EYES Military Insider Single file $300
Air Force files regarding development of a ‘certain material’ Not listed 150 MBs $150
Philippines Navy and Coast Guard Not listed 15,000 files, 3 GBs $3,000
Philippines Armed Forces Documents and Databases Not listed 15,000 files, 8 GB, database backups $3,000
Remote access to Philippines Armed Forces System via Shell Not listed 1 Shell Included in above package
Indian Artillery Operations Military Insider 3.5 GBs $2,500
India and Pakistan Battle Plans Not listed 1.5GBs $2,000
Indian Army Files Not listed 21,000 files, 44 GB $10,000
Blueberry aviation files regarding military and commercial aircraft Not listed 20GB $8,000
Italian Federal Police Documents Compromised email 5.5GB $5,000
Ecuador Military and Presidency Files Compromised government systems 28,000 files, 6 GB $5,000
Sri Lankan Navy Military Insider 1 GB $1,000
Sri Lankan Naval Intelligence Military Insider 19.5 GB $1,000
British Armed Forces Special communications replacement programme (regarding military ATC, Tactical Data Links, and a variety of aircraft and weapons systems.) Not listed 210 MB $6,000
HJSC – South Korean Naval Assault Ship Manufacturer files Compromised company system 10+ GB $8,000

Authenticity of The Leak

With previous leaks by Spectre covering typically politically motivated actions against targets like the Russian Government, this leak appears to be all over the place, covering a truly wide range of targets and programs. The most notable being the DARPA project blueprint, documentation, and software. For virtually all of these leaks, Spectre posts samples of each bundle for the potential buyer to verify its authenticity. Foretraces threat research team confirmed the files appeared to be authentic, though they continue to investigate for confirmation. Some analyzed samples are included below, which we have blurred to obfuscate sensitive content:

Fig 5 – Sample files from British Armed Forces special communication program

Fig 6 – Sample of files from Sri Lankan Military Insider

Fig 7 – Sample of Files from Italian Federal Police

Fig 8 – Sample of Files from the Philippines Armed Forces

Fig 9 – Sample of U.S. Military file marked as ‘SECRET’

Aside from the authenticity of the current files listed for sale, Spectre has a long history of posting military files for free online, often prompting response and investigation from the affected entities. Spectre does not maintain a reputation online as a scammer or a fraud, but rather an active and passionate hacktivist. Let’s take a look at his history online so far:

Spectres History of Online Hacktivism

Fig 10 – Spectres role in CyberGuerrilla

Spectre came to prominence in March of 2019 with the publishing of his darkweb repository for stolen military intelligence documents and data, appropriately titled ‘Intel Repository’. Spectre, even as recently as this year, continues to post and purchase leaks from a variety of sources including cyber criminals, other hacktivists, and personnel within the military and post them to his telegram group and darkweb intel repository.

While very occasionally offering data for sale on the now defunkt RAID forums and the recently restored Breach forums, this is the first occurrence of Spectre listing a massive marketplace style post of new leaks for sale. Typically, Spectre simply posts leaks for free under the ‘Confidential/Sensitive Intel’ section of his website.

Fig 11 – The ‘Intel Available For Sale’ tab on Spectres Intel Repository – a free repository for data leaks sourced from military insiders, hackers, and hacktivists.

The increasing commodification of compromised military data represents an interesting shift in hacktivist goals. Typically, hacktivists rely on donations or simply act without compensation. The listing of this data for sale rather than free publication represent an interesting sign – potentially that even hacktivists are not immune from economic downturns, resorting to selling their compromised data instead of the usual publication.

Follow-Up with Spectre

Fig 12 – Screenshot of recent communication with Spectre

In exclusive communication with Spectre obtained by Foretrace’s Data Leak Research Team, Spectre explained their political motivations extend so far as to “have an effect of any kind on the larger and oppressive nations in addition to spreading the knowledge I have”. And to answer why these bundles are for sale, whereas Spectre typically releases for free – “I already have a large number of leaks available for free on my website. And I use the money I earn from this to sustain myself and my operations while also using the funds to acquire more intel to give away for free.”

Impacts and Trends

Victims

The victims in a sale like this are primarily those impacted by leaked intelligence, including the U.S, British, Indian, Philippine, South Korean, and Sri-Lankan militaries, as well as Raytheon, Elbit, Blueberry aviation and HJSC. In this case, documents related to a variety of classified sophisticated weapons systems, drone technology, manned aircraft, and military intelligence files are now available for a price. Specifically, a price that is likely pretty digestible for a government who benefits from simply buying schematics of their enemies systems and plans, rather than spending millions of dollars and countless man hours reverse engineering those systems and running espionage operations to capture additional intel. Now, they simply swipe their card and the hard work is done.

Insider Threats

More than one of Spectres data leaks are claimed to have been sourced from insiders. Typically, this means a military member or contractor who has privileged access to such data, is willingly handing it over to Spectre, or other groups who then share this data with Spectre, for either perceived greater good or some financial benefit. Insider threat has always been a priority for organizations and militaries, and despite increased efforts to address that risk, continues to cause massive incidents like this one.

Recommendations

Understand External Points of Contact

Contact with insiders was required to obtain several collections this confidential, and at times classified and proprietary, data. Understanding the footprint of contact points within your organization, including publicly enumerable emails, phone numbers, and social media profiles, are critical to understanding the full footprint of your exposure. Understanding the most accessible accounts and points of contact, and applying strict security configurations or enhanced logging policies to them, will enable you to keep tabs on the locations where people within your organizations are most often receiving communications and sending data.

Proactive Monitoring

Leverage automation to scour files, storage locations, and forums online for the presence or discussion of your organization’s data.

Foretrace provides data exposure detection capabilities to help our customers detect data leaks and exposures before they become costly data breaches. Follow Foretrace on Twitter and Linkedin to stay updated on our data leak research.

 

Share This Article

Related Content