Geopolitical chaos, cyberattacks, and domestic terrorism make for anxiety-producing headlines these days. But they’re fueling the growth of a Somerville company with a name that sounds like something from science fiction: Recorded Future.
The privately held company grew 50 percent in 2020 and chalked up record revenues, according to chief executive Christopher Ahlberg.
Think of Recorded Future as a mashup of Google and Jack Ryan — a search engine focused on nasty stuff transpiring or being planned around the world. Whether a criminal gang or a hostile government is plotting a cyberattack, or terrorist groups or military contractors are moving around somewhere, Recorded Future aims to “index all this stuff and make it analyzable,” Ahlberg says.
By “all this stuff,” he means discussions happening and stolen data being posted in public Web forums and on the “dark Web,” hidden Internet servers that, by design, are difficult to access.
With more than 500 employees “who do nothing but intelligence,” as Ahlberg puts it, the company, founded in 2009, generated nearly $150 million in revenue last year. Last February, it inked a $50 million contract with the US Cyber Command to provide an array of federal agencies access to the company’s software platform.
Ahlberg says the company has “actively worked on analysis” for its clients related to the violent attacks at the US Capitol, this week’s inauguration, and what might come next — though he declines to supply specifics.
A big chunk of Recorded Future’s business is providing information about cyberattacks targeting government agencies or companies — including troves of stolen data that may be for sale in underground marketplaces. That has been a busy landscape recently, with the hack of network management software from the Texas company SolarWinds that may have purloined sensitive data from a range of federal agencies and major tech companies. (US intelligence agencies have pinned it on the Russians.) Ahlberg refers to it as a “supply chain hack,” in which the bad guys seek access to a system or piece of software used by a supplier to the company or agency they’re trying to hack.
The SolarWinds hack “was likely happening throughout 2020, even though it came out toward the end,” says Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future. “People are posting [data] they purport to be from SolarWinds, and we are trying to ascertain that this is legitimate,” or whether it is fake information being posted to “mask involvement by nation-states,” Sannikov continues.
But beyond compromised networks and credit card theft, Recorded Future is increasingly finding that its customers want to know about what is being said in online forums that attract neo-Nazis, other extremist groups, and conspiracy theorists. As an example, Ahlberg says that telecommunications companies that use Recorded Future are interested in tracking online discussions that falsely link the emergence of the COVID-19 virus with 5G wireless communications. In Britain, the conspiracy theory led people to set fire to dozens of wireless towers last year.
Over the past year or two, Ahlberg says, Recorded Future’s customers, largely those in law enforcement and at intelligence agencies, are increasingly concerned about “threats that can lead to violence and disruption. So yes, we’re going to be doubling down on that.”
Where Recorded Future gets cagey is about how its product works. It does a lot of gathering (or “scraping”) of content from around the open Web, using software and humans to analyze it. But it also sometimes creates fictional personas to infiltrate closed groups and forums. That can get dicey, Sannikov explains, because “sometimes you have to make it seem you’re involved in criminal activity — like buying or selling” stolen information.
(Last year, the Department of Justice published some helpful guidelines on this kind of cloak-and-dagger activity: “Legal Considerations When Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.”)
But when it comes to gaining entry to groups organized around political activity, Sannikov says it can be easier, because “they’re trying to bring in as many people as possible” and “foment as much anger and chaos and violence on as grand a scale as possible, so you can’t create something that’s too locked-down.”
Sannikov says that Recorded Future is seeing from its own data sources that “some of these groups are organizing further demonstrations and protests. There’s certainly still a lot of anger.” He says the company is also noticing that foreign adversaries are doing what they can to amplify the discord. And they are seeing conspiracy theory-oriented groups like QAnon expanding digital footprints across Europe. “Unfortunately, this is not something that’s going to go away anytime soon,” he says.
Bad news for society, but good news for Recorded Future’s continued growth. Ahlberg says the company is closing in on 1,000 clients; it has chosen not to sell its product to US adversaries such as China, Russia, and Venezuela — and embargoed countries already included North Korea, Cuba, and Iran.
John Robb, an Acton security analyst who has consulted to the chairman of the Joint Chiefs of Staff, says there are lots of home-brewed tools for analyzing online information about terrorism, extremism, and other threats — and lots of “heavy lifting” that is done by law enforcement officials, contractors, and volunteer groups to infiltrate these online groups and discover what they’re discussing. But those conversations, Robb observes, sometimes lack “actionable info” about the groups’ preparations or capabilities to execute an attack.
Robb says he’s “not sure there is a dominant commercial player in the space” that Recorded Future operates in. That creates an opportunity for the company. It was acquired in 2019 by Insight Partners, a private equity firm, for $780 million. Ahlberg predicts that an initial public offering of stock could happen “within the next two years.”