Before Adam Darrah spent his days scouring the internet for security breaches, the director of dark ops at ZeroFox, a cyber firm specialising in the dark web, was a US government employee. The work, he explains, involved a fair amount of speaking Russian and conducting “Russian analysis”.
His move to dark web surveillance made sense, then, because the “kings and queens” of the dark web are Russian speakers, according to Darrah. “Nobody rules the dark web like the Russian-speaking world,” he says.
The dark web – a group of websites only accessible via special routing software, usually Tor – has a bad reputation. The phrase has long been synonymous with a brisk illegal trade in pornography, weapons and drugs, and an ecosystem of hackers and illegal data dumps.
The reality is far more nuanced, however. For each nefarious use “we can find beneficial” ones, says Robert W Gehl, an academic from Louisiana Tech University. “The New York Times set up anonymous whistle-blowing systems for people to point out government and corporate malfeasance. The Times also mirrors its content as a Tor hidden service, as does the non-profit news organisation ProPublica.”
As Darrah explains, the potential user should think of the dark web as a “big city”. “You know where you belong and don’t belong… If you stay in the places where you belong, you’re fine,” he says.
Since the outbreak of the Russia-Ukraine conflict this year, Darrah tells Spotlight he has not seen anything quite like it: the geopolitical tensions that have changed the world are also changing the dark web.
Russian-speaking dark web forums for hackers might often be accessible through criminal means, but they have always had what Darrah calls a “code of criminality”. Under that unofficial code “you’re not allowed to develop tools, or sell embarrassing information, that could hurt any nation in the CIS [Commonwealth of Independent States, a group made up of former Soviet republics]”, he says.
But after Russia invaded Ukraine that code was broken when the Conti ransomware group posted on the dark web announcing their “full support of Russian government” If anybody will decide to organise a cyber attack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,” said the group, which has in the past carried out attacks on organisations including the Scottish Environment Protection Agency and clothing retailer FatFace.
According to Darrah, the move was unprecedentedly provocative – running counter to what he calls the “gentleman’s agreement” of the dark web. This led to retaliation from Ukraine-aligned actors both on the dark and clear web. In what cyber security news site The Record has dubbed the “Panama Papers of ransomware”, leaks of Conti’s private chat logs were publicly dumped on the internet, with the Twitter handle @ContiLeaks laying bare “everything from the mundane details of how Conti is organised to new anecdotes about the group’s possible links to the Kremlin”.
This shows “cracks appearing in the order”, says Darrah. “The rate at which data is being dumped by both sides is something I’ve never seen before. It’s constant.”
The conflict is playing out on the dark web in other ways, too. In March, a blog from Trustwave, a cyber security provider, reported that it had noticed a “wide variety of attempts by dark web forum members to influence the conflict from the cyber side”.
Groups have been set up on both sides specifically for cyber warfare, such as the “IT Army of Ukraine”, which rallies hackers together to launch cyber attacks against Russian businesses and institutions.
These calls to action have changed since the Russian invasion of Crimea in 2014. At that time, for instance, Russian hackers disrupted Ukrainian telecoms, including the personal phones of Ukrainian MPs. But, as Politico has noted, those attacks were “nothing compared to what a full-blown physical invasion coupled with cyber warfare would look like”. And experts say we are starting to see what that might look like. Trustwave said that cyber activity has become “more destructive and organised”, with Ukrainian government officials calling for individuals to come and “fight on the cyber front” as part of the war effort.
Businesses too are seeing the impact of the conflict. Since the start of the Russia/Ukraine conflict, Help Net Security have reported that “66 per cent of organisations have changed their cybersecurity strategy as a direct response to the conflict between Russia and Ukraine, while 64 per cent suspect their organization has been either directly targeted or impacted by a nation-state cyber attack”.
The reason for the shift, Darrah believes, is the shock of the “unprovoked carnage”, as well as the deep cultural and emotional ties between Russia and Ukraine.
“We all know how deep those ties are, historically, culturally, linguistically, everything,” he says. In February, even the hacker collective Anonymous declared it was “officially in cyber war against the Russian government”. On 26 February the group announced that it had hacked a number of streaming services and live TV channels in Russia to broadcast war footage from Ukraine. The footage showed a message reading “Ordinary Russians are against the war”.
Could the dark web exacerbate the conflict, drawing more actors in and paving the way for increasingly destructive cyber attacks? Arguably, the dark web is amplifying some of the “background malicious cyber activity”, says Eric Jardine, an assistant professor in political science at Virginia Tech, specialising in the dark web. He explains that this is because it allows the spread of tools and training. It also allows actors to “communicate with less risk of detection”.
But both Jardine and Darrah believe that this activity is a direct result of the Russia-Ukraine conflict, rather than the inevitable evolution of technology and warfare.
“Understanding the political antagonisms that exist independent of the dark web helps you understand the way in which the dark web might get used in that nexus. Because if it can amplify, say, cyber attacks or cybercrime between countries, and you have pre-existing tensions, then it makes sense that it would,” says Jardine.
But it was the “shock value” of this invasion that shook the foundations of the dark web, according to Darrah. The dark web does not always represent and amplify all that is bad in the world; it would be far more accurate to see the dark web as a reflection of the world outside, he says. “The dark web is a mirror of the clear web, and now the dark web is a mirror of the aboveground geopolitics”.