The fallout of the recent Optus breach got me thinking about a common occurrence: seller’s remorse… Most of us have experienced it. You feel like you’re getting a good deal, and then bang! You realize you could have got more for your money if you’d only just waited that extra day. Although this might be a normal feeling for the average citizen, there’s an additional dimension involved when a threat actor demonstrates remorse. Is this morality kicking in? Or, more likely, is this genuine fear of being captured by the feds?
This second option might be at play with the recent Optus data breach. The suspected perpetrator advertised the stolen Optus data for an extortionate amount of money one day, then did a complete 180 a few days later. They withdrew the data set from sale to protect those affected by the breach, and apologized for their initial actions.
Here at Digital Shadows (now ReliaQuest), we have been closely following the fallout from the breach and the behavior of the threat actor involved. This led us to review past examples of similar changes of heart, in which threat actors attempted to sell data following a successful breach only to retract the offer after some sort of morality intervention or attempt to go “good”.
On 22 Sep 2022, the Australian telecommunications company Optus announced it had been the victim of a cyberattack and was “investigating the possible unauthorized access of current and former customers’ information”. Although Optus claimed it had shut down the attack upon discovery, this did not stop those responsible from accessing all sorts of customer information, including: “names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s license or passport numbers”. Optus stressed that neither payment details nor passwords had been accessed.
While we don’t know the exact date the cyberattack occurred or the amount of time the threat actor had access to the target system, we do know that customer information was exposed. Those whose data was exposed should maintain increased awareness across their accounts for fraudulent or suspicious behavior.
On 23 Sep 2022, a user going by the moniker “optusdata” announced on the cybercriminal forum BreachForums that they were responsible for the Optus breach. They promised to sell the customer data in two parts. The first part would be composed of data affecting 11.2 million users of the telecommunication provider, while the second part would reveal 10 million addresses. The threat actor issued a warning to Optus, attempting to extort USD 1 million to prevent the sale, and issued a deadline of one week from the date the thread went live. The announcement indicated the lucky buyer would receive a USD 700,000 discount for purchasing both parts, but a sale wouldn’t be sanctioned until Optus had been given the chance to reply.
Unsurprisingly, due to the high asking price and the BreachForums administrator verifying the data, the thread garnered significant attention from the wider forum community. We’re not necessarily talking about forum members chomping at the bit to be the lucky buyer. It was more chatter about the high-profile victim, and the significance of such a high-value sale being conducted on the forum, which would likely result in the forum’s reputation in the cybercriminal world skyrocketing.
No sooner had the threat actor announced the sale of the Optus data than they appeared to change their mind. A few days later, they updated their original post to say that the data was no longer for sale and that the only copy of the information in existence had already been destroyed. What’s more, the threat actor issued a direct apology to both the Optus customers implicated and the telecommunications company itself, admitting that scraping the data was wrong in the first place. They added that they would have reported the exploit they used to compromise the system if Optus had had a bug bounty program in place.
Interestingly, the threat actor indicated that their thread had attracted “too many eyes,” likely intimating that something else was afoot and had spooked those involved. Although we can hazard a guess and say this was likely the result of law enforcement intervention, the move does raise a few eyebrows. It’s made us, and many other dark web watchers, wonder whether a threat actor can suddenly feel a bout of remorse when the reality of their criminal actions hits home. That got us thinking: which threat actors have pulled similar maneuvers in the past, when the gravity of an event they were responsible for suddenly hit the headlines?
Unsurprisingly, instances of threat actors showing remorse are few and far between, but we identified a few examples. The first is the infamous Conti ransomware group leaking thousands of files belonging to the UK-based jewelry store Graff back in October 2021. The group proudly exposed the files across the Internet, but quickly saw the error of their ways when it was revealed that information pertaining to members of the royal families of the UAE, Qatar, and Saudi Arabia was also leaked. This led the group to publicly apologize and promise to review its internal processes to avoid similar occurrences in the future. Ultimately, an embarrassing event for a group that obviously feared consequences from Arab states.
Another example is the Ziggy ransomware collective, which transitioned away from a life of crime in February 2021. In an effort to make a fresh start and prevent future law enforcement action due to their past criminal endeavors, they promised to refund ransoms paid by each of their victims. While the sentiment was appreciated, the actions appeared to come on the back of an unrelated international law enforcement operation investigating ransomware activity. So in a sense, Ziggy jumped, rather than waiting to be pushed. Similar circumstances concerning law enforcement disruption saw the ransomware-as-a-service group Fonix move away from cybercrime around the same time, proclaiming that their abilities should be used for good rather than bad. Cue the slow clap at this point!
While it would be nice to think such threat actors genuinely could show remorse, in reality, this is unlikely. Ultimately, acts of remorse in these instances usually boil down to self-preservation and fear of prison time. However, if this results in less customer data being exposed to the Internet, then so much the better. Just remember that these examples are a drop in the ocean, and some date back to early 2021. While the few may seek redemption, there are a whole lot more out there who are thriving on quick pay days and finding your data to sell for profit.
If you’d like to stay on top of the latest developments for similar data breaches, including criminal insights and actions, then why not access our considerable library of material by taking a free seven-day trial of SearchLight? You can additionally get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to gain visibility of your organization’s threats and potential exposures.