– that is, cybercriminals.144 Russian authorities, then, have an interest not only in shielding their citizens from foreign courts but in preserving the Russian-speaking underground for use in state endeavors. Foreign actors who partner with rule-following CIS hackers benefit from the reduced law enforcement attention.145 The totality of these elements – highly active forums, advanced offerings, sophisticated groups open to collaboration, and near-free rein from the state – has made the Russian-language cybercriminal underground a desirable space for foreign actors seeking partners.
Partnership in Action

North Korean financially motivated actors have made extensive use of the Russian-speaking underground’s offerings. Sworn U.S. legal filings indicate that North Korean threat actors have been active on foreign-language forums since at least 2015, and their operational history has involved a wide array of goods and services likely purchased from underground vendors.146 Investigators have detected CIS-origin malware in several intrusions attributed to Pyongyang, such as the FEIB heist. North Korean actors have availed themselves of monetization services accessible through forums, namely, for-hire mule networks and marketplaces for stolen payment data. Moreover, as Naumaan, Kremez, and others have reported, actors associated with APT38 look to have obtained access to multiple bank networks from the Russian-speaking cybercriminals in TA505 and the TrickBot gang. Visibility into the activities of state actors and elite cybercriminals remains limited, but the number of overlapping infections makes cooperation of some nature a more compelling explanation than pure coincidence. Together, these interactions comprise a multi-layered relationship between North Korean financially motivated actors and the Russian-speaking cybercriminal ecosystem.

144 Aleksey Ramm, “Russian Information and Cyber Operations,” Moscow Defense Brief, no. 1 (2017): 16, https://dlib-eastview-com.ezp-prod1.hul.harvard.edu/browse/doc/48361188. For details on another case involving malware known as “BlackEnergy,” see United States of America v. Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin; Ben Buchanan and Michael Sulmeyer, Russia and Cyber Operations: Challenges and Opportunities for the Next U.S. Administration, Carnegie Endowment for International Peace, https://carnegieendowment.org/files/12-16-16_Russia_and_Cyber_Operations.pdf.

145 After this report was completed, but before publication, reports emerged that Russian authorities had arrested a group of hackers associated with REvil. See Joe Tidy, “REvil Ransomware Gang Arrested in Russia,” BBC, January 14, 2022, https://www.bbc.co.uk/news/technology-59998925.

146 United States of America v. Park Jin Hyok, 97.
Cybercriminal Statecraft