Who is IntelBroker?
To this day, the affiliation, geographical location and basic motivations of IntelBroker remain unclear. Is it a cover for a state group leading politically motivated operations against the US government or just a cybercrime gang selling information extracted from famous companies? Is it a “lonely wolf” from Serbia or a Iranian group of hackers? These questions have yet to be answered.
We do know that IntelBroker is an English-speaking threat actor, sometimes operating under the name “Endurance ransomware”. It emerged in 2022 and gained notoriety in early 2023 after breaching the online grocery store Weee! and leaking information pertaining to 11 million customers.
By the end of 2022, IntelBroker became a prominent member of CyberN***s, a racist cybercrime group communicating through the dark web’s “BreachForums”, a known cybercrime forum which has been recently revived after the arrest of its administrators. IntelBroker uses the forum to publish its activities and to recruit hackers, mostly with C# skills.
In the past, the Pentagon hinted at the possibility of Endurance (aka IntelBroker) being an Iranian state entity, drawing parallels between the malware it used and the infamous Shamoon 4 data-wiping tool. IntelBroker, however, denied these allegations, asserting its independence and claiming he is a single person coming from Serbia.
At the end of the day, the enigma surrounding IntelBroker's identity persists. Serbian or not, It is indeed possible that IntelBroker operates independently, even though it might at some point reused a variant of an Iranian malware. On the other hand, the group's relatively sophisticated attacks on high-profile targets and its focus on the US defense apparatus may also support the scenario of it being a front for state-sponsored activities, or at least cooperating with state organizations.
Victimology
IntelBroker has made a name for itself through extensive data breaches targeting prominent entities. Initially, its operations were limited to sporadic attacks on corporations such as Volvo and Hilton Hotels, but recently, there has been a significant escalation of its activities.
To our understanding, IntelBroker shows a marked preference for targeting entities related to national security. It has stolen files from the State and Homeland Security Departments, leaked classified DARPA documents, offered access to a system named “US Army Dashboard” and, more recently, compromised a cybersecurity defense contractor to exfiltrate classified NSA documents related to Five Eyes communications.
Furthermore, IntelBroker's assaults on various other government entities hint at its motivation to undermine the US government. This includes the leakage of 5.8 million flight logs from the US Transportation Department, the breach in Los Angeles airport systems, the compromise of breaches of the US Citizenship and Immigration Services, and the exposure of personal information of congress members through an attack on a health insurer servicing the Capitol.
IntelBroker is also recognized for its incursions into critical infrastructure sectors, particularly IT and telecommunications. It has appropriated login credentials and system configurations from HPE, as well as extracted information on over 37 million AT&T customers and a database of 23 million records from Verizon.
In addition to these exploits, IntelBroker has ventured into ecommerce, targeting platforms like Weee! and PandaBuy; extracted credentials from major banks like Barclays and HSBC; recently attacked large companies such as Accor and Home Depot; and caused embarrassment to Meta by disclosing 200,000 database records from Facebook Marketplace.
Tactics
Originally serving as an initial access broker, it seems that IntelBroker has transitioned into a more comprehensive extortion operation. However, despite adopting the "Endurance ransomware" moniker, the actor has not engaged in traditional ransomware tactics. In most cases it didn’t encrypt the data or contact the victims for extortion purposes. Instead, it opted to sell stolen data online.
Curiously, IntelBroker owns a public github account and a repository named with a C# data wiper tool named “Endurance-wiper”. While there's no concrete evidence to suggest that IntelBroker has ever engaged in data destruction activities, it's conceivable that the malware could have been deployed against certain targets. The tool's public availability might also act as a diversion or simply be one component of IntelBroker’s arsenal.
IntelBroker purports to rely exclusively on exploiting vulnerabilities to secure initial access. Although no specific used CVE have been made public, it’s been noted that the actor has taken advantage of a flaw in a CRM software (in the LAX Airport attack), various web vulnerabilities (seen in PandaBuy, Weee!), a third-party SaaS vulnerability (Home Depot), and misconfigurations in AWS buckets (related to the US Immigration agency), as well as a GitHub zero-day vulnerability (impacting Acuity, Barclays, and HSBC).
For transactions, IntelBroker predominantly accepts payment in XMR (Monero), a cryptocurrency noted for its heightened anonymity. Communications are conducted via the Tox messenger, an end-to-end encryption platform similar to Signal.
Despite the several intelligence gaps, we can list a few possible IntelBroker’s TTPs as follows:
- T1485 - Data Destruction
- T1190 – Exploit Public-Facing Application
- T1203 – Exploitation for Client Execution
- T1041 – Exfiltration Over C2 Channel
- T1083 – File and Directory Discovery
- T1078 – Valid Accounts
- T1005 – Data from Local System
Am I protected against IntelBroker?
IntelBroker presents a challenging case of an emerging and sophisticated threat actor, favoring vulnerability exploitation as a main initial access method and operating against large and high-profile organizations across various sectors in a data exfiltration scheme.
With Zafran, you will be able to:
- Track IntelBroker’s activity and fully assess the risk it might exploit specific vulnerabilities present in your environment.
- Ongoingly monitor the TTPs used by IntelBroker and assess the extent of the protection provided by your existing security controls against this threat.
- Quickly and simply configure your security controls in order to mitigate the threat posed by IntelBroker.
Zafran’s Risk & Mitigation Platform defuses threat exploitation by mobilizing existing security tools, so you can protect your organization against fast-moving threats beyond traditional patching.
Learn more about how Zafran can help. Click here for a demo.