Cyberthieves say they have ‘moral principles’

An illustration of a burglar wearing a striped shirt using a vacuum to pull data from a computer, illustrating an article about cyberthieves who steal data.

They openly admit to hacking companies’ IT systems, stealing their sensitive data, and leaking it and putting it up for sale if they aren’t paid. But there are some red lines that the operators of the Marketo stolen-data marketplace say they won’t cross.

They claim they don’t do ransomware — that they neither conduct the attacks, which encrypt victims’ data, nor benefit from data harvested in attacks by others.

“We don’t have the goal of destroying other people’s businesses,” the group told FreightWaves. “We reserve the right to sell or publish private information that is not properly handled by companies.”

FreightWaves spoke to Marketo in a series of chats on its site after the group posted data stolen from heavy truck and military vehicle manufacturer Navistar in late June. The site, which isn’t accessible through conventional web browsers, has posted data from more than 30 victims, providing what it bills as a sample for larger archives it sells through auctions.

Group claims it stole Navistar data in cyberattack lasting over a month

Marketo said it stole the data during a cyberattack that it claimed “lasted more than a month.” The group said it was the same attack that Navistar disclosed in a Securities and Exchange Commission filing in June.

“Navistar has network security geeks on their staff and their leaked data is a problem with their leaky network security perimeter,” the group said. “They blocked our attacks several times and as many times we reentered their network.”

The group did not provide any proof to back up its claims, and Navistar did not respond to FreightWaves’ request for comment. But in an earlier statement, the company said it was investigating a security incident “that an unauthorized third party accessed and took certain data from our IT System.”

A screen shot from the dark web leak site of Marketo.
Marketo’s site, located on the dark web, advertises stolen data from over 30 companies.

Marketo emerged earlier this year, billing itself as a “leaked data marketplace.” Its logo features a bird resembling a stork holding a circle containing a triangle bearing the letter i. The site resembles the leak sites operated by some ransomware gangs who attempt to pressure their victims through the added threat of posting stolen data.

The group has also posted data from companies that were targeted in ransomware attacks. Brett Callow, a threat analyst with the cybersecurity software firm Emsisoft, said that likely isn’t a coincidence, suggesting Marketo may cooperate with ransomware gangs, or has purchased data taken during attacks.

Marketo pushed back at the suggestion that it has any relationship with ransomware groups or has benefited from any such attacks, saying “it goes against our moral principles.”

“We have nothing to do with ransomware attacks and work independently of them. We never cooperate with ransomware and position ourselves against them,” Marketo said, adding that any member that provides data stolen during a ransomware attack would be expelled from the group.

Marketo isn’t the first cybercriminal group to profess to have a moral compass. DarkSide, the ransomware gang behind the Colonial Pipeline attack, famously claimed that it wouldn’t attack some entities, including hospitals, schools and government agencies. 

“We do not encrypt any data,” Marketo said. “We do not block the work of networks and do not seek to cause damage and shut down the company.”

Seeking payments for ‘network security lesson’

Even if Marketo is taken at its word — and doesn’t engage in ransomware attacks — data breaches themselves can be incredibly costly and can expose companies to expensive lawsuits. The data that’s sold or posted can also potentially be used by other criminals who can exploit the personal information of employees.

It’s unclear what, if any, limits Marketo puts on whom it targets. The latest data leak it posted came from a large provider of mental health services. 

The group also paints its efforts to extort companies in more benign terms. 

“We don’t try to get paid, we offer the client to pay for the network security lesson by buying back their data,” Marketo said, likening it to the practice of some tech companies of paying “bug bounties” for identified flaws and vulnerabilities.

“We think it is common practice, we just put it in a slightly different form,” the group added.

Selling a ‘guarantee’ never to post or sell stolen data

The trouble with the claim is that Marketo’s victims — which it calls “clients” — aren’t asking to have their networks breached and their data stolen. 

Marketo wouldn’t detail how much money it attempts to get in return, saying, “Payment depends on the company’s turnover and the criticality of network perimeter faults.” 

And what does that payment buy, exactly?

“We delete all information and guarantee that it will never be sold or published anywhere,” the group said.

Unfortunately for victims, there is no way to ensure that the data is deleted or that it won’t get posted elsewhere, though it would seem to be bad for business.

As for the network security lesson promised, Marketo is vague.

“We do not set a goal to protect the network perimeter of the company. For this, most of them have a staff of paid professionals,” the group said. “We only draw the attention of companies to their existing security problem, whether they will draw conclusions and take further action depends only on them.”


Click for more FreightWaves articles by Nate Tabak