Full Report
"IntelBroker" allegedly hacked dozens of companies around the world and caused over $25 million in damages, the Justice Department said Wednesday.
Analysis Summary
# Threat Actor: IntelBroker (Kai West)
## Attribution & Identity
**Attribution:** A British national, identified as Kai West, age 25.
**Aliases:** IntelBroker.
**Known Associations:** Linked as an administrator and owner of the illicit forum BreachForums. Associated with other suspected BreachForums administrators, including ShinyHunters, Hollow, Noct, and Depressed.
## Activity Summary
The actor is charged with hacking dozens of companies globally, stealing and selling sensitive data, and causing over $25 million in damages. Activities primarily involve data exfiltration and subsequent sale on underground forums. This activity is strongly tied to the operation and revival of the BreachForums marketplace.
## Tactics, Techniques & Procedures
- Network infiltration (implied access to victim networks).
- Data exfiltration (customer data, corporate marketing materials, patient health records).
- Data sales on illicit forums (BreachForums).
- Use of cryptocurrency (Coinbase account) for transactions.
- Operational security failures leading to attribution (reuse of the same IP addresses for both personal and threat actor profiles; traceable cryptocurrency payments).
## Targeting
- **Sectors:** Telecommunications (U.S.-based telecom firm), Healthcare (healthcare provider, organization administering health plans for U.S. House of Representatives members), Internet Service Providers (ISPs).
- **Geography:** Global ("dozens of companies around the world"). Specific victims mentioned include U.S.-based entities (a U.S. telecom firm, a healthcare provider, the U.S. House health plan administrator, U.S. state agencies) and a high-profile European body (the Europol website).
- **Victims:** A U.S. telecom firm, a U.S. healthcare provider, an internet service provider, the organization administering healthcare plans for U.S. House members, several U.S. state agencies, and Europol.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly detailed in the context provided.
- **Infrastructure:** Operated on the illicit forum BreachForums (which was taken down and subsequently the subject of revival attempts). Used a Coinbase account for cryptocurrency payments that were traceable to the actor. Logged in from consistent IP addresses, which aided attribution.
## Implications
The primary implication is the significant risk posed by sophisticated, financially motivated actors operating within established cybercriminal marketplaces like BreachForums. The successful attribution via traditional investigative methods (IP address correlation, cryptocurrency tracing) shows that even seemingly anonymous forum operators can be deanonymized. The breach of extremely sensitive sectors (healthcare, government-affiliated healthcare services) demonstrates a high-impact focus.
## Mitigations
- Enhance monitoring for data listings on underground forums, specifically monitoring for data tied to sector-specific sensitive records (e.g., patient health information, SSNs).
- Implement strict network segregation and access controls, especially for sensitive data repositories.
- Review and harden operational security procedures regarding infrastructure usage (e.g., strict separation of IP addresses and logging profiles for different personas).
- Enhance cryptocurrency transaction monitoring related to known illicit activity flows.