Industrial Spy: Selling Stolen Data to Competitors

Industrial Spy is the new marketplace where you can obtain the trade secrets of your competitors for millions of dollars or as little as two dollars.  In this blog we take a look at this new service and discuss how it is changing the way cybercriminals do business.

Among cybercriminals, data-theft extortion has surged in popularity over the past few years and it continues to gain momentum as organizations deploy more effective defenses against ransomware encryption. In fact, some cybercrime groups have publicly declared that they no longer conduct encryption-based ransomware attacks at all. A trend that the Babuk criminal gang started back in April 2021.

Other groups have begun leaning on double-extortion tactics, where ransomware encryption still plays a role but it is only one part of a two-pronged attack. In a double-extortion attack merely paying the ransom doesn’t guarantee that hackers won’t publicly leak stolen data, especially if they know it is sensitive in nature. But as ransomware evolves we’ve seen a a new development in the cybercrime industry that takes this approach even further. Instead of publicly leaking sensitive data, hackers are now looking for opportunities to sell stolen data to private parties. In some cases, they’re marketing this data specifically to their victims’ competitors.

E-commerce marketplaces for stolen data have been around at least as long as the darknet itself. However, these illicit markets typically had a high barrier to entry and were generally only accessible to other hackers. The Industrial Spy marketplace is slightly different.

Instead of trying to sell stolen data to other hackers, Industrial Spy specifically markets its wares to legitimate businesses. Compared to the typical darknet forums of years past, the marketplace is relatively easy to access and sign up to – well within the capabilities of the average executive.

The marketplace uses Bitcoin as its transaction currency and has an automatic fulfillment process that lets users download stolen data immediately after payment is confirmed.

Industrial Spy suggests this data includes trade secrets, manufacturing diagrams, client databases and accounting reports, among other pieces of vital information. It features a few different product tiers based on the relative value and rarity of the data it sells:

• Premium data packages may cost millions of dollars. They typically contain multiple gigabytes of highly sensitive data that would give competitors a clear advantage over the victim.
• Individual low-tier files may sell for as little as $2. These may include certificates, authorizations, credit agreements, or audit reports that contain less sensitive data, but are still useful for corporate espionage.

In between these two extremes there is an entire spectrum of mid-tier data types. The marketplace even offers free stolen data packs to new users. This is likely part of an effort to build a name for itself and bring new threat actors onto the website.

Industrial Spy is trying to build a brand for itself as a source of illicit trade secrets for unscrupulous businesspeople around the world. It is designed for non-technical darknet users and makes itself widely available to people who may not be experienced using darknet technologies.

For example, cybersecurity researchers have found malware executables that contain advertisements for Industrial Spy. In one case, these are found in README.txt files that the malware copies to every folder on the device. The promotional README text describes Industrial Spy as a place where threat actors publish schemes, technologies, and even political and military secrets. It tells victims that these files were collected from the largest worldwide companies and conglomerates.

Industrial Spy’s promotional text tells leads they can “save time” by helping executives refuse partnerships with unscrupulous business partners, reveal competitors’ secrets, and earn millions of dollars using insider information.

Many of the malware executables distributing these promotional materials are disguised as popular software cracks and adware. Security researchers have found them in password-stealing trojan logs, which indicates that Industrial Spy’s owners have partnered with adware and crack distributors to get the word out about their service.

Finding your data on a darknet marketplace can be an incredibly distressing experience as by the time the data has been successfully exfiltrated and published for sale, there is very little you can do.

For this reason, detection-based cybersecurity solutions are generally less effective at preventing this kind of attack. A highly sophisticated managed detection and response solution may help you prevent some of your data from being leaked, but it can only activate after it discovers suspicious activity – not before. When it comes to protecting your company from threat actors seeking to monetize your sensitive data, prevention is key. Only a robust set of prevention-based security technologies and policies including Anti Data Exfiltration can adequately prepare your organization for this kind of risk.

Security professionals should be keenly aware of the threat posed by malicious insiders. They should also scan their networks for technical vulnerabilities related to automated data transfer – like APIs.

Both insider attacks and technical API vulnerabilities rely on hacker’s capturing data and siphoning it away from your corporate network. Sophisticated data exfiltration prevention technology plays a vital role preventing these attacks from being carried out successfully.