Underground Criminals Selling Stolen Network Access to Third Parties for up to $10,000


Cybersecurity firm Intsights published a new report that highlights the vibrant marketplaces on the dark web where attackers can buy or sell what they needed to target an organization. 

Paul Prudhomme, a cybersecurity advisor at IntSights, analyzed several underground exchanges on Russian and English-language platforms where stolen credentials and network compromises are traded. The underground criminals sell stolen network access to third parties for up to $10,000. The prices are also influenced by location and industry.

“Some cyber-criminals specialize in network compromises and sell the access that they have obtained to third parties, rather than exploiting the networks themselves,” researchers explained. “By the same token, many criminals that exploit compromised networks — particularly ransomware operators — do not compromise those networks themselves but instead buy their access from other attackers.”

According to researchers, cybercriminal groups rarely possess a team of attackers experienced in each stage of an attack, making dark web platforms ideal to sell or buy malware payloads, hosting infrastructure, and access to abused networks. 

“In September 2020, Russian-speaking username “hardknocklife” auctioned off remote desktop protocol (RDP) access to a U.S. hospital. He mentioned as a selling point that this RDP access yielded patient records, in which he reportedly had no interest,” researchers added. 

“US patient records from healthcare organizations are a valuable resource for identity thieves and other fraudsters because they contain dates of birth, social security numbers, and other personal details that they can use for fraudulent credit applications and other malicious purposes,” they went on to say. “This seller could have mined or monetized that data himself but lacked interest in doing so, perhaps because he could be more productive as an intruder than a fraudster, or because he lacked the fraud or criminal business skills to do so.”

This information started at the low price of $500 in the auction but was sold at a ten times higher rate of $5000. Researchers examined a sample of 46 sales of network access on underground forums between September 2019 and May 2021. The sample included 30 offerings from Russian-language forums (65%) and 16 offerings from English-language forums (35%). 

The primary target of underground criminals is the Tech & telecoms industry (22%), followed by Financial Services, Healthcare & Pharma, and Energy and Industrials, all on 19.5%. There is no surprise in these numbers. They match industry risk from other reports. What is perhaps a surprise is the emergence of automotive (9%) in fifth place.

IntSights researchers analyzed 46 separate offers to sell network access. In the majority of cases (40 out of 46), the location was mentioned. North America with 37.5% was at the top of the list followed by Europe, the Asia Pacific and the Middle East/North Africa accounted for 17.5% each, with Latin America just 10%. 

“Criminals typically prefer victims in wealthier countries with advanced economies, as they are generally more lucrative. Prices for access to healthcare organizations also trend lower due to the perception that they are easier to compromise,” researchers concluded.