As the United States grapples with a sharp rise in cyberattacks, one of the nation’s first lines of defense operates out of an unlikely location: a former laundromat in Somerville, where an army of private-sector analysts track the world’s most notorious hackers and criminals.
Despite their unassuming headquarters in Davis Square, the team at Recorded Future provides the highest reaches of the US government with intelligence on the country’s most prominent breaches, both digital and physical.
The security firm tracked communications from pro-Trump rioters and other sources in online forums during the Jan. 6 insurrection, providing real-time information to US officials about their motivations once inside the Capitol.
In May, when DarkSide, a Russian cyber hacking group, shut down a major oil pipeline for ransom, US officials asked Recorded Future to help figure out who orchestrated the attack, employees said.
And on July 2, when another cyber criminal group launched what may be the largest ransomware attack in history, impacting hundreds of businesses, analysts at Recorded Future set about advising their many customers in the industry on how to protect themselves from a similar hack. They also confirmed for their clients that the Russian group REvil was behind the attack and was charging a $70 million ransom.
These episodes underscore how Recorded Future, which received a $50 million contract last year to advise US Cyber Command, has seen skyrocketing demand for its intelligence products. And now, as President Biden looks to strengthen America’s cyber defenses and corporations look to protect their networks and supply chains, Recorded Future is looking to cement its own dominance in the market.
“We’re trying to be the Bloomberg of cyber,” said Christopher Ahlberg, the company’s chief executive, referencing Bloomberg LP, the data and news organization that is the dominant source of financial information for global trading markets. “This is an enormous opportunity.”
Recorded Future was formed in 2009 to predict significant events, such as civil unrest, for defense and financial analysts by analyzing social media and other public forums. It was backed by GV, formerly known as Google Ventures, and the CIA’s venture arm In-Q-Tel, among others. But the company hit its stride after focusing on cybersecurity.
In 2019, Recorded Future was bought out by Insight Partners, a New York-based venture capital firm, for $780 million. The company has nearly 600 employees, with satellite offices in Washington, D.C., Sweden, London, and Singapore. Prior to starting Recorded Future, Ahlberg ran Spotfire, a business intelligence firm that was acquired by TIBCO in 2007.
The premise of Recorded Future is to use analysts and software to scour the dark web, chat forums, and social media, and provide a real-time view of cyberattacks and other events. (The dark web hosts websites that require special software to find.)
When logged onto the company’s platform, its customers — which range from financial institutions and manufacturers to government intelligence entities — gain access to a vast array of cyber intelligence, searchable through different modules.
Customers can read research reports, access intelligence data on hacking groups, and visually track emerging cyber threats across the world. In many cases, clients can see the IP addresses that digital criminals use, the domains from which they launch their malware, and even their physical locations. Access to the platform can cost anywhere from $100,000 to $5 million per year, Ahlberg said.
Lauren Zabierek, executive director of the Cyber Project at the Harvard Kennedy School’s Belfer Center, said having this level of intelligence prevents US officials from having to “start out from zero” or spend time finding out essential information when defending against cyber threats.
“It’s important to free yourself up... to be able to do higher-order analysis,” said Zabierek, a former intelligence officer in the US Air Force and one-time Recorded Future employee.
Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future, said that in recent months, as cyberattacks have spiked, the company has “seen an increase in inquiries” from the federal government.
Around May 7, when DarkSide shut down Colonial Pipeline — one of the nation’s largest providers of fuel — federal officials reached out to Recorded Future wanting to know if the ransomware attack was carried out by a foreign government, Sannikov said.
Based on research Recorded Future had done on the hacking group, they knew Russia hosted its operations. But it was unclear whether the attackers were based in the country, or doing it with the backing of the Kremlin, he added.
Analysts went onto the dark web, Telegram channels, and private chat rooms of ransomware attackers they had previously infiltrated to see what was being said. If there was government coordination, it would likely be talked about there, Sannikov said, but nothing of the sort was mentioned.
“We were able to narrow down quickly” that a nation-state, such as Russia, did not orchestrate the attack, he said, adding that it was “clearly done for profit.” (In the following days, Biden said that Russia had not orchestrated the attack, but still bore responsibility for hosting the group’s operations.)
The company also tracks cyber activity, in real time, related to attacks and other events as they unfold.
On Jan. 6, as the pro-Trump mob of insurrectionists moved from the White House to the Capitol, analysts at Recorded Future were tracking their every step. Sannikov huddled with his team — spread between Massachusetts, New York, and Washington, D.C. — to scour the dark web. They also scanned public forums such as 4chan, 8kun, Gab, and Twitter for clues of what could happen next.
They found Russian media outlets, such as RT and Sputnik, embedded in the Capitol mob and reporting live. Soon, the team started hearing “chatter” from Russian sources on various forums that protesters wanted to bring USB drives into the Capitol and take lawmakers’ laptops out, Sannikov said.
Recorded Future provided that information in “pretty much real time” to clients, including intelligence officials in Washington, Sannikov said. “It seemed to me that they were not yet aware of that,” he added.
Months later, after the Office of the Director of National Intelligence released its report documenting the Jan. 6 attack, the group’s findings were featured, employees said. The report outlined how rioters used social media platforms to plan and carry out the breach. And sources familiar with the situation stated that Recorded Future’s intelligence informed the US government’s response to the threats.
While much of the information Recorded Future gets can be accessed on the dark web, or through forums accessible to the public, its business model can be ethically tricky. To keep abreast of enemy technology, the company creates fake aliases to gather intelligence from potentially nefarious actors, such as North Korean hackers.
The privacy of US citizens is also a concern, experts say.
Tom Davenport, a professor of information technology and management at Babson College, said that while Recorded Future’s products are “quite valuable” to the intelligence community, “there is some potential danger” of people innocently doing something on their computer and unknowingly looking like a cybersecurity threat.
“There ought to be some way you could appeal to organizations like Recorded Future and say, ‘Here’s the evidence that I wasn’t doing anything bad or dangerous,’ ” he added.
Despite these concerns, Recorded Future has amassed nearly 1,000 clients. Last year, it brought in over $140 million in revenue, a 50 percent increase from 2019. Recorded Future plans to become a public company within eighteen months, Ahlberg said.
The firm’s ambitions are also widening. Last year, it started a news gathering operation, called The Record, to disseminate cyber intelligence news. In March, it acquired Gemini Advisory, a dark web intelligence firm, for $52 million. In June, the group poured $20 million into a venture fund to back early-stage startups in cybersecurity. And last week, Sir Alex Younger, the head of the British spy agency MI6 until last September, joined its board.
It all adds up to one thing, according to Ahlberg: “We want to be the intelligence platform of the free world.”