One of the best cyber defense lines in the country runs through this company in Davis Square
In May, when DarkSide, a Russian cyber hacking group, shut down a major oil pipeline for ransom, U.S. officials asked Recorded Future to help them figure out who orchestrated the attack, employees said.
And on July 2, when another group of cybercriminals launched what may be the biggest ransomware attack in history, affecting hundreds of companies, analysts at Recorded Future began counseling their many industry clients on how to protect themselves against similar hacking. They also confirmed to their clients that the Russian group REvil was behind the attack and was charging a ransom of $70 million.
These episodes highlight how Recorded Future, which was awarded a $50 million contract last year to advise US Cyber Command, has seen demand skyrocket for its intelligence products. And now, as President Biden seeks to bolster U.S. cyber defenses and companies seek to protect their networks and supply chains, Recorded Future seeks to consolidate its own dominance in the market.
“We are trying to be the Bloomberg of cyber,” said Christopher Ahlberg, chief executive of the company, referring to Bloomberg LP, the data and news organization that is the primary source of financial information for global trade markets. “It’s a huge opportunity.”
Recorded Future was created in 2009 to predict important events, such as civil unrest, for defense and financial analysts by analyzing social media and other public forums. It was backed by GV, formerly known as Google Ventures, and In-Q-Tel, the venture capital arm of the CIA, among others. But the company caught on after focusing on cybersecurity.
In 2019, Recorded Future was acquired by Insight Partners, a New York-based venture capital firm, for $780 million. The company has nearly 600 employees, with satellite offices in Washington, DC, Sweden, London and Singapore. Prior to launching Recorded Future, Ahlberg ran Spotfire, a business intelligence company that was acquired by TIBCO in 2007.
The premise of Recorded Future is to use analysts and software to browse the dark web, chat rooms and social media, and provide a real-time view of cyber attacks and other events. (The dark web hosts websites that require special software to be found.)
When connected to the company’s platform, its customers, which range from financial institutions to manufacturers to government intelligence entities, access a wide range of cyber intelligence, searchable through various modules.
Customers can read research reports, access intelligence data on hacking groups, and visually track emerging cyber threats around the world. In many cases, customers can see the IP addresses used by cybercriminals, the domains from which they launch their malware, and even their physical locations. Access to the platform can cost between $100,000 and $5 million per year, Ahlberg said.
Lauren Zabierek, executive director of the Cyber Project at the Belfer Center at Harvard Kennedy School, said having this level of intelligence prevents US officials from having to “start from scratch” or spend time finding essential information to defend against cyber threats.
“It is important that you free yourself … so that you can do higher order analysis,” said Zabierek, a former US Air Force intelligence officer and former employee of Recorded Future.
Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future, said that in recent months, as cyber attacks have escalated, the company has “seen an increase in inquiries” from the federal government.
Around May 7, when DarkSide shut down Colonial Pipeline – one of the nation’s largest fuel suppliers – federal officials contacted Recorded Future to find out if the ransomware attack was carried out by a foreign government, Sannikov said.
Based on the research Recorded Future had done on the hacking group, they knew Russia was hosting its operations. But it was not clear whether the attackers were based in the country or did so with Kremlin support, he added.
Analysts took to the dark web, Telegram channels, and the private chat rooms of ransomware attackers they had previously infiltrated to see what was being said. If there was government coordination, it would probably be talked about there, Sannikov said, but nothing of the sort was mentioned.
“We were able to quickly determine” that a nation state, like Russia, had not orchestrated the attack, he said, adding that it was “clearly carried out for profit.” (In the following days, Biden mentioned that Russia did not orchestrate the attack, but still bore the responsibility of hosting the group’s operations.)
The company also tracks cyber activity, in real time, related to attacks and other events as they unfold.
On January 6, as the crowd of pro-Trump insurgents moved from the White House to Capitol Hill, Recorded Future analysts followed their every step. Sannikov huddled with his team – spread across Massachusetts, New York, and Washington, DC – to roam the dark web. They also scanned public forums such as 4chan, 8kun, Gab, and Twitter for clues as to what might happen next.
They found Russian media, such as RT and Sputnik, integrated into the Capitol crowd and reporting live. Soon, the team began to hear “chatter” from Russian sources on various forums that protesters wanted to bring USB drives to the Capitol and remove laptops from lawmakers, Sannikov said.
Recorded Future provided this information “in near real time” to customers, including intelligence officials in Washington, Sannikov said. “It seemed to me that they were not yet aware of this,” he added.
Months later, after the office of the director of national intelligence published its report documenting the Jan. 6 attack, the group’s findings were presented, employees said. The report described how the rioters used social media platforms to plan and carry out the breach. And sources familiar with the situation said intelligence from Recorded Future informed the U.S. government’s response to the threats.
While much of the information Recorded Future obtains is accessible on the dark web or through publicly accessible forums, its business model can be ethically tricky. To keep abreast of enemy technology, the company creates fake aliases to collect intelligence from potentially nefarious actors, such as North Korean hackers.
The privacy of U.S. citizens is also a concern, experts say.
Tom Davenport, professor of information technology and management at Babson College, said that while Recorded Future’s products are “valuable enough” to the intelligence community, “there is a potential danger” that people innocently do something on their computer and unknowingly look like a cybersecurity threat.
“There should be a way to appeal to organizations like Recorded Future and say, ‘This is proof that I was not doing anything wrong or dangerous,’” he added.
Despite these concerns, Recorded Future has accumulated nearly 1,000 customers. Last year it generated over $140 million in revenue, a 50% increase from 2019. Recorded Future plans to become a public company within eighteen months, Ahlberg said.
The firm’s ambitions are also broadening. Last year, it launched an information-gathering operation, called The Record, to disseminate news about cyber intelligence. In March, it acquired Gemini Advisory, a dark web intelligence firm, for $52 million. In June, the group poured $20 million into a venture capital fund to support startups in cybersecurity. And last week, Sir Alex Younger, the boss of UK spy agency MI6 until last September, joined its board.
It all comes down to one thing, according to Ahlberg: “We want to be the intelligence platform of the free world.”