Flash: First Potential BreachForums Successor Announced
Key Findings
- On May 16, 2024, threat actor “USDoD” announced on X (formerly Twitter) their intent to launch a new, open-source data breach forum named Breach Nation.
- USDoD stated their intent for Breach Nation to serve as a successor to BreachForums, which was severely disrupted on May 15, 2024, by a law enforcement (LE) operation that seized the forum’s [.]st domain, a [.]onion domain, and a Telegram channel.
- There is a roughly even chance that Breach Nation will become a popular tool for threat actors seeking to discuss tactics, techniques, and procedures (TTPs) related to data breach attacks, publicize results, and sell stolen information.
- It is likely that, in the coming months, other BreachForums members, moderators, and staff will seek to capitalize upon its disruption by creating and advertising new forums.
Details
On May 16, 2024, threat actor USDoD announced on X their intent to launch a new, open-source data breach forum named Breach Nation. USDoD claimed that Breach Nation will use two separate domains, breachnation[.]io and databreached[.]io, with a planned launch date of July 4, 2024.
- USDoD has previously been referred to as “NetSec” in malicious forums and has allegedly been responsible for data breaches targeting numerous, primarily Western organizations.
- The actor had previously announced their retirement from cybercriminal activities in an April 21, 2024, deep and dark web (DDW) post.
USDoD stated their intent for Breach Nation to serve as a successor to BreachForums, where USDoD was almost certainly a prominent figure—despite denying any affiliation with BreachForums moderators.
- BreachForums was a popular forum consisting of open source and DDW domains, as well as an instant messaging platform. It was severely disrupted on May 15, 2024, by an LE operation that seized the forum’s [.]st domain, a [.]onion domain, and a Telegram channel.
- ZeroFox observed unconfirmed reports that the platform’s moderator, known as “Baphomet”, was arrested.
USDoD claims to be working alone on the production of the new forum, stating that they are not currently seeking to recruit moderators or other staff due to “a limited circle of trust.” This is very likely a reflection of uncertainty amongst DDW communities stemming from recent LE activity, as well as USDoD’s likely limited trusted network.
Further detail surrounding the structure, intent, and use of Breach Nation was provided in a second post on May 20, 2024. USDoD detailed two changes that they deemed significant. The post claimed that regular updates as to the forum’s status will be provided in subsequent X posts.
- Unlike BreachForums, Breach Nation will not include a pornography section.
- To ensure the “best quality” content, “combos, logs, and similar content” will not be allowed—only databases and “leads.” The data breach/leak section will be broken down into two sub-categories: one for high-quality leaks associated with first-world victims and one for all other victims.
- A market section will also be available once an escrow system is established, as well as a threat intelligence section that will reportedly use XenForo software.
USDoD stated that the first 200,000 individuals to become members will receive an upgraded member rank. It is not clear what privileges this will enable. Once the site has a “good amount” of users, the community will transition to an invite-only model. The criteria for granting a member this privilege are unclear at the time of writing.
There is a roughly even chance that Breach Nation will become a popular tool for threat actors seeking to discuss TTPs related to data breach attacks, publicize results, and sell stolen information. It is likely that, in the coming months, other BreachForums members, moderators, and staff will seek to capitalize upon its disruption by creating and advertising new forums.
ZeroFox Intelligence Recommendations
- Adopt a Zero-Trust cybersecurity posture based upon a principle of least privilege.
- Implement network segmentation to separate resources.
- Implement secure password policies with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
- Leverage cyber threat intelligence to inform detection of ransomware and digital extortion (R&DE) threats and their associated TTPs and Indicators of Compromise (IOCs).
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site or cloud servers at least once per year—and ideally more frequently.
- Develop a comprehensive incident response strategy.
- Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
- Deploy a holistic patch management system and ensure all business IT assets are updated with the latest software as quickly as possible.
- Proactively monitor for compromised accounts being brokered in deep and dark web forums.
- Configure ongoing monitoring for compromised account credentials.
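The last two recommendations (monitoring for brokered accounts and compromised credentials) are what a defender actually has to operationalise when a dump from a forum like this surfaces. The following is an added illustration, not ZeroFox code and not part of the original report: it triages a constructed "email:password" combo-style dump (the format the report notes Breach Nation intends to exclude, but which remains common elsewhere) against an assumed list of monitored organisational domains, deduplicates records, counts distinct passwords per account as a reuse signal, and records only a short hash fingerprint so plaintext passwords never land in tickets or chat. All sample values and the `MONITORED_DOMAINS` set are invented for the example.

```python
import hashlib
import re

# Constructed sample in the "email<sep>password" shape that credential dumps are
# commonly distributed in. Every address and password below is made up.
SAMPLE_DUMP = """\
alice@example.com:Winter2024!
Bob.Smith@Example.com:hunter2
alice@example.com:Winter2024!
alice@example.com:Winter2023!
carol@partner.example.org;Passw0rd
dave@unrelated.test:letmein
not a credential line
eve@example.com:
"""

# Assumption for the example: the domains the organisation wants alerts on.
MONITORED_DOMAINS = {"example.com", "example.org"}

# Accept ':' or ';' as separator; passwords may themselves contain separators,
# so only the first one after the address is treated as the delimiter.
_LINE_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)[:;](.*)$")


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so analysts can correlate records across dumps
    without storing or circulating the plaintext password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def email_domain(email: str) -> str:
    # Naive split on the last '@', lowercased; adequate for matching an
    # explicit monitored-domain list (subdomains match by suffix below).
    return email.rsplit("@", 1)[1].lower()


def is_monitored(domain: str, monitored: set[str]) -> bool:
    return any(domain == m or domain.endswith("." + m) for m in monitored)


def triage_exposed_credentials(dump_text: str, monitored: set[str]) -> dict:
    """Return per-account hits for monitored domains plus parse statistics."""
    hits: dict[str, set[str]] = {}   # normalised email -> password fingerprints
    skipped = 0                       # unparseable lines or empty passwords
    ignored = 0                       # valid lines for domains we do not monitor
    for raw in dump_text.splitlines():
        m = _LINE_RE.match(raw)
        if not m or not m.group(2):
            skipped += 1
            continue
        email, password = m.group(1).lower(), m.group(2)
        if not is_monitored(email_domain(email), monitored):
            ignored += 1
            continue
        hits.setdefault(email, set()).add(fingerprint(password))

    accounts = [
        {
            "account": email,
            "domain": email_domain(email),
            # More than one distinct password for the same account across a dump
            # usually means multiple breaches were merged; it is a reuse/rotation signal.
            "distinct_passwords": len(fps),
            "fingerprints": sorted(fps),
        }
        for email, fps in sorted(hits.items())
    ]
    return {"accounts": accounts, "skipped_lines": skipped, "ignored_lines": ignored}


if __name__ == "__main__":
    result = triage_exposed_credentials(SAMPLE_DUMP, MONITORED_DOMAINS)
    for acct in result["accounts"]:
        print(acct["account"], acct["distinct_passwords"], acct["fingerprints"])
    print("skipped:", result["skipped_lines"], "ignored:", result["ignored_lines"])
```

The output of `triage_exposed_credentials` is what feeds the incident response step: each hit is a forced credential reset and an MFA check, and the fingerprints let the team recognise the same exposed password if it reappears in a later dump without anyone handling the plaintext.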
Appendix A: Traffic Light Protocol for Information Dissemination
Appendix B: ZeroFox Intelligence Probability Scale
All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.
Tags: Breaches, Deep & Dark Web, Threat Actor, Threat Intelligence