This repository aggregates publicly available resources related to the collection, sale, and implications of netflow data.
"Netflow data" refers to metadata about network traffic. Usually, it contains source/destination IPs, ports, protocols, timestamps and packet counts of internet connections (source). While it (allegedly) does not include the contents of the traffic itself, this metadata can still reveal detailed patterns of online behavior.
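To make the definition above concrete, here is an added example (not code from this repository or from any vendor it discusses) that parses one NetFlow v5 export packet, the classic fixed-layout flow format. It assumes NetFlow v5 as a representative format; which export format a given ISP actually sends to a broker is not known. The packet is constructed inline from documentation address ranges so the script runs offline, and the parsed output shows exactly which fields a flow record carries (endpoints, ports, protocol, timing, packet and byte counts) and that no payload is present.

```python
"""Minimal NetFlow v5 parser (added example; assumes the published v5 layout)."""
import struct
from ipaddress import IPv4Address

# A v5 packet is a 24-byte header followed by up to 30 fixed 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(data: bytes) -> dict:
    """Parse one export packet into a header dict and a list of flow dicts."""
    if len(data) < HEADER_LEN:
        raise ValueError("packet shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_seq, _engine_type, _engine_id, sampling) = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version={version})")
    if count > 30 or len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match packet length")
    # Record timestamps are milliseconds since the exporter booted; the header
    # gives both the uptime and the wall clock, so we can recover absolute time.
    boot_epoch = unix_secs + unix_nsecs / 1e9 - sys_uptime / 1000
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, _tos, src_as, dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack(
            RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append({
            "src": str(IPv4Address(src)), "sport": sport,
            "dst": str(IPv4Address(dst)), "dport": dport,
            "protocol": PROTO_NAMES.get(proto, str(proto)),
            "packets": pkts, "bytes": octets,
            "start": round(boot_epoch + first / 1000, 3),
            "end": round(boot_epoch + last / 1000, 3),
            "tcp_flags": tcp_flags, "src_as": src_as, "dst_as": dst_as,
        })
    header = {"version": version, "count": count, "sequence": flow_seq,
              # low 14 bits are the interval; the top 2 bits are the sampling mode
              "sampling_interval": sampling & 0x3FFF}
    return {"header": header, "flows": flows}


def destinations_by_source(flows: list) -> dict:
    """Group the endpoints each client talked to: the behavioural pattern that
    flow metadata exposes even though no packet contents are recorded."""
    out: dict = {}
    for f in flows:
        out.setdefault(f["src"], set()).add((f["dst"], f["dport"], f["protocol"]))
    return out


def _record(src, dst, sport, dport, proto, pkts, octets, first, last, flags=0x1B):
    """Build one constructed 48-byte v5 record (hypothetical interface/AS values)."""
    return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                       b"\0\0\0\0", 1, 2, pkts, octets, first, last, sport, dport,
                       0, flags, proto, 0, 64500, 64501, 24, 24, 0)


# Constructed sample: an exporter that booted 100 s before unix time 1700000000
# reports two TCP flows from one client. All addresses are documentation ranges.
SAMPLE_PACKET = (
    struct.pack(HEADER_FMT, 5, 2, 100_000, 1_700_000_000, 0, 1, 0, 0, 0)
    + _record("192.0.2.10", "198.51.100.7", 51234, 443, 6, 12, 4800, 90_000, 95_000)
    + _record("192.0.2.10", "203.0.113.9", 51235, 22, 6, 40, 9000, 92_000, 99_500)
)

if __name__ == "__main__":
    parsed = parse_netflow_v5(SAMPLE_PACKET)
    for flow in parsed["flows"]:
        print(flow)
    print(destinations_by_source(parsed["flows"]))
```

Every field the parser returns is metadata; there is no slot in the record for payload, which is the sense in which the page says netflow "does not include the contents". An operator exporting flows to a third party can use a parser like this on their own export stream to see precisely what leaves their network.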
Over the past decade, data brokers such as Team Cymru have collected netflow data from numerous Internet Service Providers (ISPs) around the world. Access to this data is then sold to private companies and government agencies in the name of "threat intelligence".
Access to netflow data poses a significant risk to internet privacy. By analyzing patterns in the timing, frequency, and destination of connections, adversaries can perform correlation attacks that help identify users behind VPNs or Tor and track their activity online, potentially enabling mass surveillance. The limited amount of public information on this topic allows such companies to operate in a legal "gray zone", where much of the data is collected without informed consent from the end users.
Team Cymru calls the claims above "statistically inaccurate", arguing that their service "enables the mapping of malicious devices, not people." They say netflow data can’t track individuals because many websites use CDNs and shared infrastructure, making it "impossible" to identify visited sites. Of course, their view is biased: many sites aren’t behind CDNs and remain identifiable by IP. Plus, from a netflow perspective, legitimate users are often indistinguishable from malicious actors. How do you tell the difference between a ransomware operator SSH'ing into a C2 server through a VPN and a journalist doing the same to update their personal blog?
Team Cymru is the best-known aggregator/broker of netflow data. They sell access to such data through the "Pure Signal Recon" platform, previously known as "Augury".
The data collected by Team Cymru comes from "Partner ISPs", likely through its Nimbus Threat Monitor product, a "no-cost" platform that "cross-references your network flows" with their IP Reputation database for threat detection. Since this product ingests netflow data, it's highly likely that it's the source of most of the data in their "data ocean".
The extent of the netflow logs collected by Team Cymru is not very clear, but it probably hovers around 90-100% of all internet traffic. This article by Vice, published in 2022, cites this now-deleted webpage, which claimed that Augury had "visibility into 93% of internet traffic". Their website claims that they help protect 142+ CSIRTs, "representing approximately 52% of IPV4 and 75% of IPV6".
Team Cymru sells access to their Pure Signal platform to private companies and government agencies. They claim that the platforms are identical and no additional access is provided to government clients.
U.S. Government Agencies:
- U.S. Navy: This procurement record shows that the Navy has purchased access to the platform in the past (Vice).
- Naval Criminal Investigative Service (NCIS): This complaint letter points out that this agency has purchased and used netflow data from Team Cymru (Vice).
- FBI: In 2023, Vice published an article, along with one of the FBI's contracts with Team Cymru, specifically for its "Cyber Division", which investigates cybercrime.
- Secret Service: Vice: "Although they don’t explicitly mention Augury, Motherboard found multiple contracts between Argonne Ridge Group and the FBI and Secret Service."
- IRS: In 2023, Vice published an article with references to this procurement document, in which the IRS sought to obtain a subscription to Team Cymru's platform.
- Defense Counterintelligence and Security Agency (DCSA): 404media: "the DSS lays out what it believes is one alternative to buying access to Augury—placing sensors across the world to collect such data itself." (document).
- Defense Threat Reduction Agency (DTRA): 404media: "the Defense Threat Reduction Agency (DTRA) says it is using the data to perform vulnerability assessments of U.S. and allied systems."
This section contains threat intelligence articles that reference the use of Netflow Data for investigation.
- Recorded Future - North Korea’s Ruling Elite Are Not Isolated
- Recorded Future - Malicious Android Applications Raise Concerns for Enterprises
- SecurityScorecard - Operation Phantom Circuit: North Korea’s Global Data Exfiltration Campaign
- Citizenlab - Hooking Candiru
- Sekoia - Raspberry Robin’s botnet second life
- Silent Push - Raspberry Robin: Copy Shop USB Worm Evolves to Initial Access Broker Enabling Other Threat Actor Attacks
- Silent Push - FIN7: Silent Push unearths the largest group of FIN7 domains ever discovered
- Proofpoint - Latrodectus: This Spider Bytes Like Ice
- Dragos - Lessons Learned from Telemetry Analysis of DarkSide Affiliate Exfiltration Operations
This section is a list of ISPs suspected of sharing Netflow data with companies like Team Cymru. This list might be inaccurate. It is the result of assumptions based on public records; the reasoning is described under each entry.
The Phantom Circuit Report by Recorded Future details a timing analysis used to deanonymize connections between North Korean IP addresses and C2 servers hosted by "Stark Industries". The connections were made through Astrill VPN and "Oculus Proxies" tunnels.
Looking at the connections between North Korean IPs and Astrill VPN servers, we can assume that the AS uploading netflow data to Cymru is the company behind the infrastructure for the VPN servers, as NK is obviously not a Cymru client. The VPN IPs listed in the report are 70.39.70.196, 204.188.233.68, 45.58.143.196, 70.39.70.197, and 199.115.99.62. All of these IPs are owned by AS46844/Sharktech.
Sharktech is also fairly public about their relationship with Team Cymru. Here's a LinkedIn post from their CEO about how they reached out to Cymru back in 2005.
This report also references North Koreans connecting to Sharknet servers.
This report on the FIN7 Campaign by Team Cymru states: "we have been working directly with Stark for several months to assist in their objective of identifying and reducing abuse activity on their networks".
Stark's Website explicitly mentions that they are a Nimbus Threat Monitor client.
The Phantom Circuit Report by Recorded Future mentions Stark Industries and includes netflow data to and from their servers.
The Malicious Android Applications report by Recorded Future mentions observed traffic between Aria Shatel Company and IP addresses owned by Telegram (AS62041). It also mentions communication with IPs owned by "XTIDC", a Chinese company. XTIDC's range has apparently been transferred to Sharktech. Assuming Telegram and XTIDC were not sharing data with Cymru, we can guess that Aria Shatel is.
Team Cymru's Nimbus webpage contains a testimonial by Francisco Badaró, Telecommunications and Training Manager, ITS Brasil.
Francisco has also published documents on the usage of Nimbus:
- https://www.lacnic.net/innovaportal/file/5959/1/ftl-lacnic-37-vfinal.pdf (Portuguese);
- Practical ISP CSIRT Incident Handling with NIMBUS from Team Cymru
The publication in English contains a screenshot of the Nimbus dashboard that outlines communications with a Mirai botnet IP (89.187.171.77). The IPs on the other side of the connection are:
- 187.44.188.254 (AS28186 - ITS TELECOMUNICACOES LTDA)
- 168.205.36.135 (AS263880 - WANTEL TECNOLOGIA LTDA. EPP)
- 168.195.252.190 (AS262373 - CONECT TELECOM)
- 177.200.117.84 (AS263636 - CALLNET TELECOM)
- 191.242.177.14 (AS263151 - CONECT TELECOM)
- 187.44.193.90 (AS28186 - ITS TELECOMUNICACOES LTDA)