Cyjax operates within the dark web and ‘hidden service’ spaces to ensure a rich and current intelligence picture for its clients, enabling them to understand the changing threat landscape and prepare for incoming attacks and mitigate existing ones.
Predicting an attack can be difficult, but fun! Monitoring the landscape for threat actor (TA) requests and advertisements forms a key part of understanding how this activity fits into the reconnaissance phase of an attack, as highlighted in the MITRE ATT&CK framework and the Cyber Kill Chain.
The reconnaissance phase of an effective attack is hard and time consuming. Understanding the technical attack surface and Layer 8 (people!) weaknesses takes a significant amount of time and capability. It is a different capability from ‘Weaponisation and Delivery’, ‘Resource Development’, and ‘Initial Access’. This is partly why a multistage attack may be conducted by different threat actors, and why Initial Access Broker (IAB) communications are such an interesting and vital part of any Cyber Threat Intelligence (CTI) provision.
Exploring the MITRE ATT&CK reconnaissance phase, defenders are familiar with the following Tactics, Techniques, and Procedures (TTPs):
- T1589 – Gather Victim Identity Information, including Credentials (.001), Email Addresses (.002), and Employee Names (.003).
- T1591 – Gather Victim Org Information, including Determine Physical Locations (.001) and Identify Roles (.004).
- The knowledge gained from these assists and enables further research under T1593 – Search Open Websites/Domains, including Social Media (.001) and Code Repositories (.003).
The criminal landscape is dynamic, with new opportunities for knowledge building, including through credential capture, emerging constantly. Consequently, threat actors are opening up more and more facilities for one another. Compromising the human layer is key, which is why “People are the new Perimeter”. Malware continues to provide opportunities, including specialist information stealers, giving threat actors from a wider skill range a chance to compromise the human layer of defence or the infrastructure itself.
Telegram remains an active source of information for threat actors, with dedicated channels being created and maintained solely for the purpose of sharing tools, tactics, and most notably credentials. Cyjax’s automated processes monitor a number of these channels and alert clients when there is a relevant change to their level of threat and risk.
Changes in January 2025: what stirred the hornets’ nest?
In January 2025, Cyjax noted a significant lift in the number of threat actor requests for credentials on a dedicated Telegram channel. The timing of this is interesting, with January containing the inauguration of President Trump; the release of prisoners in the Middle East; the Chinese New Year; the Iranian president being set to visit Moscow; the World Economic Forum (WEF); and TikTok’s short-term ban in the US. All these significant events have stirred the hornets’ nest, and threat actors, including hacktivists, have been highly motivated to make their mark on the landscape, or to coordinate through bigger motivated groups to empower and enrich their attack capabilities. There have also been changes to the capability of some Telegram channels, creating an information-rich reconnaissance area.
The National Cyber Security Centre (NCSC) confirmed Cyjax’s belief of an expected rise in hacktivist and IAB activity, breaches, and ransomware, including the further development and deployment of Ransomware-as-a-Service (RaaS) operations.
Conclusion
Looking further into 2025, the year ahead will likely bring a vast number of geopolitical and technological changes which will begin to seriously impact the wider cyber landscape. Many of these will be at the forefront of threat actors’ minds as they look to capitalise, whether with a financial or a political motive. Thanks to Cyjax’s advanced insight into threat actor spaces, industry-leading analytical knowledge, and fast-moving team, it remains ahead of the curve in understanding the wider impact these changes may have.
To better understand the changing threat landscape and how Cyjax can proactively help defend your people and business, contact us. We are here to help.