
Removing Risk: Investigating Data on the Dark Web

CACI’s DarkBlue® Intelligence Suite provides secure and safe access to intelligence on the dark web

In February 2024, hackers released data about Russia’s purchase of thousands of Iranian drones. The details were the stuff of a spy novella, including payments of literal tons of gold to shell companies, drone performance specs, bulk discounts, and even a brochure for the drone factory.

For intelligence officials, the data was a virtual treasure, but the dangers of retrieving it were very real. The information lived on the dark web, an unstructured and hidden part of the internet accessible only via special software, unique configurations, or authorizations.

“One major risk is malware. It’s first and foremost, and probably even second and third,” said CACI’s Thomas Groendal of the potential risks to dark web investigators. “The presence of malware is endemic throughout leaked data sets. The data may also be illegal. It may be confidential. There could be all kinds of reasons that just grabbing that data and saving it is a terrible idea.”

Safely finding the right data on the dark web

The DarkBlue® Intelligence Suite was developed to help revolutionize open-source intelligence (OSINT), or the gathering and analyzing of openly available data to produce actionable information.

For an OSINT analyst, the dark web as a resource is as invaluable as it is dangerous. In addition to malware and illegal images, there is the potential that a target may discover the identity of the investigator or their organization via IP or browser information, putting their mission or themselves at risk. In addition, dark web data is usually unstructured and complex in form. For example, files for the same leak might be a mix of CSVs, CAD files, 90-page image-laden PDFs, spreadsheets, and more.

“The lack of interoperability between different types of data just makes it harder and harder to have an algorithm go out and find your insights and clues for you,” Groendal said. “Trying to navigate that kind of data is just messy and laborious, so DarkBlue was built to handle that problem. We have a giant collection of hay, and we differentiate ourselves as the magnet that helps pull the needles up.”

DarkBlue is a SaaS platform that lets analysts uncover hidden data, such as the identities behind the monikers of bad actors, and build a tailorable collection of data that makes it easier to spot connections and patterns. The platform also prevents exposure to harmful or illegal images on the dark web. Via its intuitive interface and native search capabilities, OSINT analysts can safely navigate and fully exploit open, deep, and dark web data.

DarkBlue works in conjunction with DarkPursuit®, a software solution within the suite that eliminates exposure by providing users with a browser-based single session virtual machine. This allows investigators, analysts, and operators to anonymously access information from TOR, I2P, Hyphanet sites, and dark web marketplaces, and collect contents, page history, and technical selectors in one click for further exploitation in DarkBlue.

Users also benefit from CACI’s Technical Collections Team, which unearths, sorts, and provides carefully curated mission-focused data. For example, the team has downloaded the entire data set of a recent Russian drone leak and has made it available for simplified search and viewing within the DarkBlue suite.

Virtual software that makes a real difference

It is difficult to talk about the dark web without acknowledging it as a place where the worst of the worst tend to operate. That’s why CACI has partnered with human rights organizations such as the Anti-Human Trafficking Intelligence Initiative, The Innocent Lives Foundation, and The Asservo Project, and with other top technology companies such as AWS to ensure dark web investigators have secure and effective tools.

“Customers who are the most emotive in how much they loved DarkBlue are those fighting child sexual abuse materials, fighting opioid trafficking, and other trafficking activities on the dark web,” Groendal said. “We provide a very specific service to those people and for those mission sets. It’s safety and anonymity in a single solution.”

Another growing user base for these solutions is special operations forces (SOF). Virtual access to the dark web allows them to prep for missions on a simpler and larger scale than in the past. For example, there traditionally may be only one machine available to a SOF user allowed to access the dark web, but a dozen people on a team. That’s not a problem with a virtual machine because they can just boot up another terminal.
