| IntelBroker | |
|---|---|
| Nationality | Serbian (self-reported) |
| Known for | Hacking corporations and government agencies |
IntelBroker is a black hat hacker who has carried out several high-profile cyberattacks against large corporations and government agencies; over 80 sales and leaks of compromised data have been traced to them.
IntelBroker first became active in October 2022, hacking minor organizations, but gained notoriety in 2023 after an attack on the online grocery delivery service Weee!. [1] [2] They have been active on BreachForums, an online cybercrime forum, and became its owner in August 2024.
After their initial string of attacks, IntelBroker was speculated to be a highly skilled team, possibly an Iranian advanced persistent threat (APT) group; however, an interview with The Cyber Express indicated that they were a single person. [2] In another interview, with the German podcast Inside Darknet, [3] IntelBroker shared several personal details, including that they are Serbian and currently reside in Russia for safety reasons. [4]
IntelBroker has expressed that law enforcement assigns national affiliations to independent actors too quickly and that the media often cover or overlook cyberattacks selectively. [2] In their interview with Inside Darknet, IntelBroker expressed a desire to one day manage a cybercrime forum. [3] They told The Cyber Express that one of their hobbies is drinking and that "exploiting digital vulnerabilities" can be lucrative "all while operating within ethical and legal boundaries". [2]
In 2023 IntelBroker joined the racist hacking group CyberNiggers on BreachForums and orchestrated the group's most significant cyberattacks during their tenure there. [2] Similar attacks continued to be carried out by other members of the group before it became inactive. [4] In August 2024 IntelBroker became the owner of BreachForums. [5]
IntelBroker has used a wide range of tactics to gain initial access to targeted systems. After breaching a target, they attempt to establish persistent access by running unauthorized commands and manipulating system accounts, and may obfuscate malicious files or escalate privileges to make it harder for security software to defend the compromised network. IntelBroker typically tries to sell this access first, since it can be used to facilitate further malicious activity. They may later expand their foothold using compromised credentials, then discover and exfiltrate more of the victim's data in order to sell it on forums such as BreachForums. [6] [4]
IntelBroker wrote a ransomware strain in C# known as Endurance and published its source code on their GitHub page. Although labeled as ransomware, the software overwrites and then deletes the targeted files, which makes it effectively a wiper: paying a ransom cannot bring the data back. [6] The Department of Defense Cyber Crime Center (DC3) confirmed that IntelBroker used Endurance to attack several U.S. government agencies. [7] DC3 speculated that Endurance was related to Shamoon, a wiper sometimes used by Iranian hackers, which IntelBroker has denied. [4] After 2023 IntelBroker no longer appears to have engaged in ransomware activity. [4]
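The distinction just drawn matters to a responder: if the files were overwritten and deleted there is nothing to decrypt, and the incident is a wiper event however the malware labels itself. The following is an added triage example (not Endurance's code and not DC3's analysis) that compares a pre-incident inventory of paths, such as a backup catalogue, against the current disk state and classifies each file as missing, zero-filled, encrypted-looking, or intact. The sample files, the `RANSOM_EXTS` list and the entropy threshold are constructed assumptions, not details from the article.

```python
"""Wiper-versus-encryptor triage over an inventory of file paths."""
import math
import os
import tempfile
from collections import Counter

# Extensions a real encryptor might append to renamed files (assumed).
RANSOM_EXTS = (".locked", ".enc")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext or random data, 0 for a constant fill."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> str:
    """Return one of 'missing', 'zeroed', 'encrypted', 'intact' for an inventoried path."""
    candidates = [path] + [path + ext for ext in RANSOM_EXTS]
    present = next((p for p in candidates if os.path.exists(p)), None)
    if present is None:
        return "missing"            # gone entirely: consistent with overwrite-then-delete
    with open(present, "rb") as f:
        head = f.read(4096)
    if head and set(head) == {0}:
        return "zeroed"             # overwrite stage observed before the delete stage
    if present != path or shannon_entropy(head) > 7.0:
        return "encrypted"          # renamed and/or high-entropy content
    return "intact"


def triage(inventory):
    """Classify every inventoried path and return (per-file results, overall verdict)."""
    results = {p: classify_file(p) for p in inventory}
    summary = Counter(results.values())
    destroyed = summary["missing"] + summary["zeroed"]
    if destroyed and destroyed >= summary["encrypted"]:
        verdict = "wiper"           # a ransom payment would not recover these files
    elif summary["encrypted"]:
        verdict = "encryptor"
    else:
        verdict = "no-impact"
    return results, verdict


def demo():
    """Constructed incident: one intact file, one encrypted, one zero-filled, one deleted."""
    root = tempfile.mkdtemp()
    names = ("intact.txt", "report.docx", "ledger.xlsx", "notes.md")
    paths = [os.path.join(root, n) for n in names]
    with open(paths[0], "wb") as f:
        f.write(b"quarterly report\n" * 200)      # untouched, low entropy
    with open(paths[1] + ".locked", "wb") as f:
        f.write(os.urandom(4096))                # encrypted and renamed
    with open(paths[2], "wb") as f:
        f.write(b"\x00" * 4096)                  # overwritten, not yet deleted
    # paths[3] is never created: overwritten and then deleted
    return triage(paths)


if __name__ == "__main__":
    results, verdict = demo()
    for path, kind in results.items():
        print(f"{kind:10} {os.path.basename(path)}")
    print("verdict:", verdict)
```

The entropy test is a heuristic: already-compressed formats (archives, images, media) score high even when untouched, so on a real estate compare against known-good hashes from backups where they exist and treat the entropy verdict as a tie-breaker only.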
As of June 2024, IntelBroker had posted over 80 separate leaks and sales of compromised information on BreachForums and claimed that they had sold the information of over 400 organizations. Most of their targets are U.S.-based. [4]
IntelBroker infiltrated a database containing 2.5 million records and 1.9 million emails via the Los Angeles International Airport's customer relationship management system. They also accessed data from U.S. Immigration and Customs Enforcement and United States Citizenship and Immigration Services, including information on more than 100,000 U.S. citizens. Other targets of IntelBroker included Hewlett Packard Enterprise, Verizon, HSBC, Accor, Home Depot, Facebook, Tech in Asia, and various U.S. government agencies. [4]
In early 2023, IntelBroker infiltrated the U.S.-based grocery chain Weee! and exposed the personal information of more than one million delivery order customers, including names, phone numbers, email addresses, and building entry codes, but not financial and payment data according to the company. [8] In March of the same year, they breached DC Health Link, an American health insurance marketplace, and exposed the contact information and Social Security numbers of some members of the United States Congress. [9] In December 2023, IntelBroker claimed to have obtained sensitive information about communications between the Pentagon and the United States Army's Chief Information Officer (CIO) and Deputy Chief of Staff (DCS/G-6 at the time). [10]
In May 2024, IntelBroker claimed to have compromised employee information, For Official Use Only (FOUO) source code, and operational guidelines belonging to Europol, and to have breached the computer networks of Zscaler. [4] In June they claimed to have extracted data such as client names and policy numbers from the IT company Cognizant. [11] In November 2023, IntelBroker and EnergyWeaponUser reportedly breached a third-party contractor for Nokia, but Nokia denied that its own systems or data had been compromised. [12] [13]
In November 2023, IntelBroker claimed to have broken into General Electric and stolen data belonging to DARPA. They shared images of what appeared to be GE's military projects but did not share any sample files. They asked for $500 on BreachForums for the stolen data together with access to GE's development and software pipelines, but there were no takers at the time. There were doubts about IntelBroker's claims, but it was also possible that GE had accidentally left parts of its network misconfigured or exposed. [9]
In April 2024, IntelBroker announced that they and the black hat hacker Sanggiero had hacked Acuity, a technology contractor for the U.S. government, and obtained confidential information belonging to the Five Eyes intelligence alliance and the United States military. The vast majority of the information had been stored by Acuity in a GitHub repository, which IntelBroker was able to access. [14] [15] The information included confidential communications and documents between Five Eyes members, and contact information for several U.S. government and military officials. [16] Sanggiero claimed that the breach had taken place on March 7, a month before the information was leaked. [17] After an investigation, Acuity determined that the leaked data was old and non-sensitive. [18]
On March 31, 2024, IntelBroker assisted Sanggiero in a hack of the Chinese e-commerce website Pandabuy, with user data sold on BreachForums for a small "symbolic" bitcoin payment. [19] [20] The information had initially been ransomed to Pandabuy for an unknown sum, but the leak was released even after the ransom was paid. [21] [22] IntelBroker and Sanggiero claimed that the leak contained the names, contact details, orders, and addresses of over 3 million Pandabuy customers, while an analysis by Have I Been Pwned creator Troy Hunt found that only approximately 1.3 million user entries were real; the rest contained fake email addresses. [20] [23] Pandabuy attempted to censor posts on its Discord and Reddit pages to cover up the leak, before offering a "10% freight subsidy" to users as compensation. Both actions were received negatively by Pandabuy customers. [24] [25]
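Hunt's finding, that a large share of the Pandabuy rows carried fabricated addresses, is the kind of result a first-pass triage of any leaked dump should produce before the headline record count is repeated. The following is an added example, not Troy Hunt's or Have I Been Pwned's code: it normalises each address, rejects malformed ones and reserved placeholder domains, de-duplicates, and reports the plausibly-real unique count next to the raw row count. `SAMPLE_CSV` is constructed, and the column layout is an assumption rather than the real dump's format.

```python
"""First-pass triage of a leaked user table: how many rows carry a real, unique address?"""
import csv
import io
import re
from collections import Counter

# Syntactic check only; deliverability is a separate (and slower) question.
EMAIL_RX = re.compile(r"^[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}$")
# Names reserved by RFC 2606 / IANA that never belong to a real customer.
RESERVED_DOMAINS = {"example.com", "example.net", "example.org", "localhost"}
RESERVED_SUFFIXES = (".invalid", ".test", ".example", ".localhost")

SAMPLE_CSV = """id,email,name,country
1,Alice.Smith@gmail.com,Alice Smith,US
2, alice.smith@gmail.com ,Alice Smith,US
3,bob@pandauser.invalid,Bob,UK
4,carol@@mail.com,Carol,DE
5,dave@example.com,Dave,FR
6,user00042,noname,CN
7,eve@proton.me,Eve,NL
"""


def normalize(addr: str) -> str:
    """Case-fold and strip so 'Alice@X.com' and ' alice@x.com ' collapse to one entry."""
    return addr.strip().lower()


def classify(addr: str) -> str:
    """Return 'plausible', 'malformed' or 'reserved' for one address."""
    a = normalize(addr)
    if not EMAIL_RX.match(a):
        return "malformed"
    domain = a.rsplit("@", 1)[1]
    if domain in RESERVED_DOMAINS or domain.endswith(RESERVED_SUFFIXES):
        return "reserved"
    return "plausible"


def triage(csv_text: str):
    """Return (summary counts, per-domain counts of unique plausible addresses)."""
    seen = set()
    summary = Counter()
    domains = Counter()
    total = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        kind = classify(row["email"])
        if kind != "plausible":
            summary[kind] += 1
            continue
        a = normalize(row["email"])
        if a in seen:
            summary["duplicate"] += 1
            continue
        seen.add(a)
        summary["plausible_unique"] += 1
        domains[a.rsplit("@", 1)[1]] += 1
    summary["total_rows"] = total
    return summary, domains


if __name__ == "__main__":
    summary, domains = triage(SAMPLE_CSV)
    print(dict(summary))
    print(domains.most_common(5))
```

A real dump needs two further checks this sample is too small to show: a single domain accounting for an outsized share of the "plausible" rows is a sign of generated filler, and cross-referencing a sample of addresses against earlier breaches is how the "real" count is actually confirmed.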
On June 3, 2024, Sanggiero posted on BreachForums that they were going to sell all information from the data breach, containing over 17 million user entries, for $40,000. They had again ransomed the information to Pandabuy, who refused to pay as the two had violated the original ransom and sold the information. [21] [22]
On May 10, 2024, IntelBroker announced on BreachForums that they had gained access to 9,128 confidential records from the European Union's law enforcement agency Europol, including employee information, source code, and guideline documents. Most of the records came from the Europol Platform for Experts, a discussion platform for law enforcement, and the electronic evidence program SIRIUS. Europol confirmed that the leak was real but stated that it contained only information from the Europol Platform for Experts and SIRIUS, and no operational information. [26] [27] IntelBroker announced that they would accept offers for the data in Monero, [28] and the data was sold on May 11. [29]
In June 2024, IntelBroker claimed on X that they had acquired source code for several internal Apple tools, including AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin, before releasing the code on BreachForums. These tools were related to internal Apple processes such as authenticating users and sharing information within Apple's network. [30] [4] Later analysis found that the leaked material was not the tools' source code but plugins for internal tools. The code still posed a security risk and could potentially be used by malicious parties. [31] [32]
On June 17, 2024, IntelBroker claimed on BreachForums that they had breached semiconductor giant AMD, and were selling the compromised data. Samples provided by them included data on future products, employee information, customer information, source code, and financial records. [33] AMD quickly contacted law enforcement agencies to investigate the breach. [34] Soon after, AMD claimed that the breach was limited in scope, would not impact the business, and implied that it did not include employee or customer information, conflicting with the initial report by The Cyber Express. [35] Bloomberg correlated the attack with a 2.4% fall in AMD stock soon after the breach was announced. [36]
On October 14, 2024, it was reported that IntelBroker and another hacker called EnergyWeaponUser had stolen data from Cisco. [37] The haul included Cisco source code from GitHub, GitLab, and SonarQube, hard-coded credentials, confidential files, SSL certificates, private and public keys, API tokens and storage buckets, Jira tickets, and Docker builds, as well as production source code from Microsoft, AT&T, Bank of America, Barclays, Dignity Health, and other companies. In response, Cisco removed public access to its DevHub resources but said that its internal systems had not been breached. [38] IntelBroker told Hackread.com that they had retained access until October 18 via a JFrog token. To prove the legitimacy of their claim, IntelBroker released 2.9 TB of the 4.5 TB of data in December. [39]
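Both the Acuity incident above (data held in a GitHub repository) and the Cisco incident (hard-coded credentials, private keys and API tokens alongside source code) turned on secrets that had been committed to repositories. The following is an added example, not Cisco's, Acuity's or any vendor's scanner: a minimal pre-commit style check that looks for fixed-format token shapes, PEM private-key headers, and generic `secret = value` assignments, using character entropy to skip placeholders such as `changeme` and template references such as `${CI_TOKEN}`. `SAMPLE_FILES` is a constructed mini-repository; the pattern list is illustrative, and the note that a JFrog access token has JWT form is an assumption of this example, not a detail from the article.

```python
"""Minimal hard-coded-secret scanner over an in-memory repository snapshot."""
import math
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path line kind preview")

SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Three base64url segments starting 'eyJ': a JWT, which is also the shape of a
    # JFrog/Artifactory access token (assumption for this example).
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# keyword (with any suffix such as _ACCESS_KEY) = value ; value must be 8+ non-space chars
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)[a-z0-9_]*\s*[:=]\s*['\"]?([^'\"\s]{8,})"
)
PLACEHOLDER_PREFIXES = ("${", "<", "{{", "os.environ", "env(")
MIN_ENTROPY = 3.0  # bits per char: 'changeme' scores 2.75, a random 16-char token about 4.0

SAMPLE_FILES = {  # constructed for this example
    "config/settings.py": (
        'DEBUG = False\n'
        'DB_PASSWORD = "changeme"  # placeholder, should not be reported\n'
        'ARTIFACTORY_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaSJ9.abcdefghijklmnop"\n'
    ),
    "deploy/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "certs/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Set TOKEN=${CI_TOKEN} in your environment before deploying.\n",
}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never echo a full secret into scanner output or CI logs."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path: str, text: str):
    """Return a list of Finding for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = False
        for kind, rx in SPECIFIC_PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
                matched = True
        if matched:
            continue  # do not double-report the same line through the generic rule
        m = GENERIC_ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group(2)
        if value.startswith(PLACEHOLDER_PREFIXES) or shannon_entropy(value) < MIN_ENTROPY:
            continue  # template reference or low-entropy placeholder
        findings.append(Finding(path, lineno, "generic_assignment", redact(value)))
    return findings


def scan_repo(files: dict):
    """Scan every (path -> text) pair and return all findings."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} ({f.preview})")
```

Run as a pre-commit or CI step this catches the obvious cases; it does not catch a token that was committed and later removed, which still lives in history and is why the remediation after a leak of this kind is to rotate every credential the repository has ever held, not just the ones present at HEAD.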