15 minute read
The Russian-Speaking Underground
immediately generated significant attention. The day after the presentation, the One Night in Norfolk blog flagged a Vietnamese government APT alert from three months earlier that included indicators of compromise associated with both North Korean groups and TA505.101 Then, in December 2019, the well-known researcher Vitali Kremez issued a report through Sentinel Labs tying North Korean actors to the Russian-speaking group known as Wizard Spider, which operates a prolific Malware-as-a-Service called TrickBot.102 “Is Lazarus using TrickBot infections,” Kremez wondered, “or is this simply a case of mistaken identity?”103 Mark Arena, the CEO of Intel 471, later published a detailed blog post weighing public reporting on the topic. Initially quite skeptical, Arena ultimately assessed a connection between North Korean threat actors and Russian-speaking cybercriminals to be “very likely.”104 Even CISA has warned that financially motivated North Korean actors “may also be working with or contracting out to criminal hacking groups, like TA505, for initial access development.”105
In the world of high cybercrime, the Russian-language ecosystem is dominant. Experts describe it as “robust,” “prolific,” and “highly active.”106 A former U.S. Attorney for the Western District of Pennsylvania, whose office has taken a leading role in prosecuting computer crime, says it is home to some “of the most sophisticated transnational cybercrime syndicates in the world.”107 According to a Kaspersky report, between 2012 and 2015 – before the terms cryptocurrency and ransomware had entered common parlance – U.S. and European authorities arrested more than 160 Russian-speaking
101 “OSINT Reporting Regarding DPRK and TA505 Overlap,” One Night in Norfolk, April 10, 2019, https:// norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/; “Cảnh Báo Mã Đô APT Tấn Công Có Chủ Đích,” Vietnam Computer Emergency Response Team, January 31, 2019, http://www.vncert.gov.vn/baiviet. php?id=109. Translated via Google from Vietnamese.
102 For more on TrickBot, see United States of America v. Alla Witte, No. 1:20CR440 (Northern District of Ohio).
103 Vitali Kremez, Joshua Platt, and Jason Reaves, Trickbot Project “Anchor:” Window Into Sophisticated Operation, Sentinel Labs (December 2019), 20, https://assets.sentinelone.com/labs.
104 Mark Arena, “Partners in Crime: North Koreans and Elite Russian-Speaking Cybercriminals,” Intel 471, September 2020, https://intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/; Mark Arena, interview by Alex O’Neill, April 28, 2021.
105 “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”
106 These quotations are drawn from conversations with experts conducted in the spring of 2021.
107 “Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses Resulting in Tens of Millions in Losses and Second Russian National Charged with Involvement in Deployment of ‘Bugat’ Malware,” news release, December 5, 2019, https://www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens.
cybercriminals alleged to have caused over $790 million in damage.108 Since then, the number of active cybercriminals operating from the CIS surely has only grown, as have their profits. The Treasury Department estimated in 2019 that a group calling itself Evil Corp, which overlaps with TA505, alone had “through their use of the Dridex malware… illicitly earned at least $100 million, though it is likely that the total of their illicit proceeds is significantly higher.”109 Other groups, from hacking collectives and ransomware groups like REvil to carding-marketplace administrators, have also achieved striking financial outcomes.110 Their success has earned the Russian-speaking underground global prestige.
Online forums represent the heart of the underground, connecting users for business and knowledge-sharing. According to the firm Digital Shadows, as of November 2019 the prominent Russian-language platform Exploit counted 47,347 registered users and 1,012,575 cumulative posts since 2005.111 Other notable forums like Verified, Antichat, Maza, and XSS (formerly known as DamageLab) boast comparable user bases.112 Russian-language platforms tend to specialize across fields: whereas hacker forums focus more on malware and exploits, carding marketplaces like Omerta host sales of stolen payment data.113 High-level platforms tend to impose access restrictions, requiring invitations for new members or prohibiting outside registrations altogether,
108 Ruslan Stoyanov, Russian Financial Cybercrime: How It Works, Kaspersky (2015), https://securelist.com/ russian-financial-cybercrime-how-it-works/72782/.
109 “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware,” news release, December 5, 2019, https://home.treasury.gov/news/press-releases/sm845. Analysts are split on how to characterize the relationship between TA505 and Evil Corp. Many treat the two as largely the same and use their monikers interchangeably. See, for example, “Dridex Malware,” Cybersecurity and Infrastructure Security Agency, December 5, 2019, https://www.cisa.gov/uscert/ncas/alerts/aa19-339a; Brian Krebs, “Ransomware Gangs and the Name Game Distraction,” Krebs on Security, August 5, 2021, https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/; Ionut Arghire, “Russia-Linked TA505 Back at Targeting Financial Institutions,” Security Week, October 15, 2021, https://www.securityweek.com/russia-linked-ta505-back-targeting-financial-institutions. Others treat Evil Corp as a TA505 subgroup or as a new venture staffed by former TA505 associates. “Without further evidence,” analysts at the French National Cybersecurity Agency have written, “it is only possible to confirm a close relationship between these different groups.” The Malware Dridex: Origins and Uses, Agence Nationale de la Sécurité des Systèmes d’Information (July 2020), 11, https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008. pdf. CrowdStrike tracks TA505 as Graceful Spider and Evil Corp as Indrik Spider. 110 Gemini Advisory estimates that Joker’s Stash, a leading carding marketplace, took in more than $1 billion in revenue between its 2014 launch and its administrator’s retirement in early 2021. “Joker’s Stash, the Largest Carding Marketplace, Shuts Down,” Gemini Advisory, January 15, 2021, https://geminiadvisory.io/jokersstash-shuts-down/.
111 The Modern Cybercriminal Forum: An Enduring Model, 8. 112 The Modern Cybercriminal Forum: An Enduring Model, 9.
113 Winnona Desombre and Dan Byrnes, Thieves and Geeks: Russian and Chinese Hacking Communities, Recorded Future (October 10, 2018), 10, https://go.recordedfuture.com/hubfs/reports/cta-2018-1010.pdf. For more details on forums’ product and service offerings, see pp. 16-18 and Stoyanov, Russian Financial
Cybercrime: How It Works.
while others choose to remain open. Besides facilitating transactions, many forums offer space for participants to exchange ideas and know-how. Veteran cybercriminals, some of whom have spent more than a decade frequenting the same platform, occasionally hold tutorials for less experienced users. The Digital Shadows research team notes that avoiding law enforcement is an especially common theme in Russian-speaking circles. “In dedicated sections,” the researchers write, “users discuss the fate of fellow members who’ve fallen foul of the police or intelligence services, sharing as many details about their story as they can find, so the community can learn from that user’s mistakes.”114 Reflecting on the value of underground platforms, the researchers conclude that “cybercriminals can’t find such continual insight anywhere online except a forum.”
An important element of the Russian-speaking ecosystem’s appeal is its forums’ financial orientation. The Kaspersky report on Russian-language cybercrime observes that “over time, the range of ‘products’ and ‘services’ available through this underground market has evolved, becoming more focused on financial attacks, and with an ever-increasing level of sophistication.”115 Researchers at Recorded Future have remarked that Russian-language forums embody a “thief spirit,” in that they are “more tailored to business transactions” and serve users who “hold one thing above all else: money.”116 The Chinese underground, in contrast, has tended to embrace a “geek spirit,” placing greater emphasis on patriotic hacktivism and social engagement.117 The English-language ecosystem hosts plenty of financially motivated actors but has “experienced remarkable instability in recent years.”118 For these reasons, foreign actors have flocked to Russian-language forums, leading sites like Exploit to experiment with launching registration portals in languages besides Russian.119 The Russian-speaking underground’s financial orientation and global accessibility is naturally attractive to North Korean financially motivated actors.
114 The Modern Cybercriminal Forum: An Enduring Model, 25. 115 Stoyanov, Russian Financial Cybercrime: How It Works. 116 Desombre and Byrnes, Thieves and Geeks: Russian and Chinese Hacking Communities, 2. 117 Desombre and Byrnes, Thieves and Geeks: Russian and Chinese Hacking Communities, 9. 118 The Modern Cybercriminal Forum: An Enduring Model, 3.
119 The Modern Cybercriminal Forum: An Enduring Model, 8. According to Recorded Future, “Chinese speakers are active on Chinese, English, and Russian forums, while few to no Russian or English speakers use Chinese forums.” Desombre and Byrnes, Thieves and Geeks: Russian and Chinese Hacking Communities, 2, 23.
The case of a Kazakh national named Andrey Turchin (see Box on next page) helps illustrate the Russian-language underground’s appeal. Turchin led a group that compromised hundreds of commercial and government networks, then listed access to those networks for sale on forums. In October 2017, when Turchin initially advertised on Exploit, selling accesses to corporate networks was “a rare underground service,” researchers say.120 “For the first time,” according to a Group-IB report, “a user with an unusual nickname was offering access to all critically important network segments of compromised organizations and announced that a bank was among his victims, which back then was a unique lot.”121 The novelty of Turchin’s offerings is emblematic of the advanced products and services available for purchase on Russian-language forums. Moreover, the Turchin case study underscores the value of marketplace security features such as product sampling, escrow systems, public third-party arbitration, and blacklists, which protect the integrity of forum users’ anonymous transactions.122 Paying through escrow helped reassure Turchin’s clients that his accesses were genuine.123 Public arbitration later confirmed allegations that Turchin had started selling the same accesses to multiple buyers, which prompted major platforms to ban him.124 Without mechanisms to guarantee payment and product delivery, identify non-trustworthy users, and resolve disputes, problems of credibility would severely undermine the forum ecosystem. Their common usage makes forums a reliable source of tooling and access for financially motivated actors.125
120 Fxmsp: “The Invisible God of Networks”, Group-IB (June 2020), 4, https://www.group-ib.com/resources/ threat-research/fxmsp-report.html.
121 Fxmsp: “The Invisible God of Networks”, 4. 122 The Modern Cybercriminal Forum: An Enduring Model, 22.
123 Even so, some potential clients found Turchin’s listings too good to be true. One forum user admittedly “chickened out” of a purchase agreement in January 2018, skeptical that Turchin’s group would really sell accesses that could be “easily monetized x10 yourself.” The user sought reassurance from the community at large that Turchin’s accesses were genuine. “As soon as someone posts that they bought a real, good deal from you, I’ll be the first in line.” Fxmsp: “The Invisible God of Networks”, 26.
124 Fxmsp: “The Invisible God of Networks”, 33-34.
125 Forums have developed a number of other tools to enhance their reliability. Faced with heavy turnover and constant law enforcement attention, some administrators have developed intricate contingency plans in case of interruption or takeover. Digital Shadows reported in 2019 that Dread, an English-language platform, implemented a “Canary” feature to warn users if its administrator was arrested or if servers were compromised. The Modern Cybercriminal Forum: An Enduring Model, 29.
Box: The Case of Andrey Turchin
Prosecutors in the Western District of Washington allege that Turchin was “a member of a prolific, financially motivated cybercriminal group composed of foreign actors that hacks the computer networks of a broad array of corporate entities, educational institutions, and governments throughout the world, including the United States, and thereafter advertises and sells such unauthorized access to its victims’ protected systems to interested buyers.”126 Turchin’s fuckav.ru profile history suggests he initially joined seeking advice on monetizing networks he had already compromised. One early post offers that “I’m a newcomer, not a programmer, but I have some experience and a great desire to study all this from different angles.”127After an abortive search for tools that could instruct infected machines to mine cryptocurrency, Turchin decided to list his accesses for sale across several platforms. A few early hiccups notwithstanding, the operation quickly took off. Turchin hired a sales manager to help facilitate transactions and eventually began to favor private sales to more established clients.128 Between the fall of 2017 and late 2019, Turchin’s gang advertised more than 300 corporate accesses at prices ranging from a few thousand dollars to hundreds of thousands of dollars, selling access to at least 135 networks in 44 countries on every inhabited continent.129 The threat intelligence firm Group-IB estimates the scheme generated more than $1.5 million, although the real figure is likely higher because of private transactions outside Group-IB’s visibility.130Exploit ultimately banned Turchin and his associates for having sold the same accesses to multiple buyers, and Turchin appears to have retired shortly thereafter.
Another appealing characteristic of the Russian-language underground is that many elite groups, which tend to maintain less visible forum presences, have relationships with each other. Maksim Yakubets, the leader of Evil Corp, cut his teeth managing wire transfers for Evgeniy Bogachev, a Russian cybercriminal who developed the Zeus and GameOver Zeus malware.131
126 United States of America v. Andrey Turchin, No. CR18-303, 2 (Western District of Washington).
127 Fxmsp: “The Invisible God of Networks”, 21. 128 United States of America v. Andrey Turchin, 2. 129 United States of America v. Andrey Turchin, 2; Fxmsp: “The Invisible God of Networks”, 8. 130 Fxmsp: “The Invisible God of Networks”, 6.
131 “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware.” For more on Bogachev, see United States of America v. Evgeniy Bogachev, No. 2:14-CR-14-00127-AJS (Western District of Pennsylvania).
Yakubets’ “primary role,” according to a criminal complaint, “was to provide money mules and their associated banking credentials in order to facilitate the movement of money which was withdrawn from victim accounts by fraudulent means.”132 Evil Corp’s Dridex malware incorporates elements of the GameOver Zeus code, and when authorities took down GameOver Zeus in 2014, an early version of Dridex stopped working.133 During the summer of 2020, a handful of ransomware groups reportedly established a formal partnership called the Maze Cartel, telling Bleeping Computer that “We all see in this cooperation the way leading to [a] mutual beneficial outcome.”134 CrowdStrike reports that from June through September, the partners pooled stolen data on one group’s leak site and shared tactics constituent members had pioneered.135 Yet another prominent group, which firms track as TA542 and Mummy Spider, would often transfer accesses it amassed using the Emotet malware to other actors, like TA505 and the operators of TrickBot, who could then deploy their own malware onto the compromised networks.136 These relationships suggest an openness among top Russian-language groups to collaboration with trusted, like-minded actors.
A final, critical element of the Russian-speaking underground’s allure is authorities’ strategic negligence toward cybercriminal activity whose victims lie outside the CIS. The British journalist Misha Glenny, an expert on Russian cybercrime, believes “Russian law enforcement and the FSB in particular have a very good idea of what is going on and…are monitoring it but as long as the fraud is restricted to other parts of the world they don’t
132 United States of America v. Maksim Viktorovich Yakubets, No. 4:19MJ3142, 19 (District of Nebraska). 133 Nikita Slepogin, Dridex: A History of Evolution, Kaspersky (May 25, 2017), https://securelist.com/dridex-a-history-of-evolution/78531/; Brian Krebs, “Inside the $100M ‘Business Club’ Crime Gang,” Krebs on
Security, August 5, 2015, https://krebsonsecurity.com/2015/08/inside-the-100m-business-club-crimegang/. See also The Malware Dridex: Origins and Uses.
134 Lawrence Abrams, “Maze Ransomware Shuts Down Operations, Denies Creating Cartel,” Bleeping Computer, November 2, 2020, https://www.bleepingcomputer.com/news/security/maze-ransomware-shuts-down-operations-denies-creating-cartel/. 135 CrowdStrike Services Cyber Front Lines Report, CrowdStrike (2020), 21, https://www.crowdstrike.com/ resources/reports/cyber-front-lines/. 136 CrowdStrike Services Cyber Front Lines Report, CrowdStrike (2019), 14, https://www.crowdstrike.com/ resources/reports/crowdstrike-services-cyber-front-lines-2020/; The Malware Dridex: Origins and Uses, 12. An international law enforcement operation disrupted the Emotet infrastructure in January 2021. For more, see “Emotet Botnet Disrupted in International Cyber Operation,” news release, January 28, 2021, https:// www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation. In late 2021, Emotet reportedly came back online. See “Emotet Is Back. Here’s What We Know.,” Intel 471, November 16, 2021, https://intel471.com/blog/emotet-is-back-2021.
care.”137 As a result, “Russian cybercriminals operate with relative impunity inside Russia.”138 Yakubets, for his part, drives a multi-colored Lamborghini with a custom license plate that reads “thief” in Russian.139 Under the informal understanding, some non-state CIS threat actors lend support to the security services when asked.140 A number of major operations in recent years, including the FSB’s Yahoo compromise, involved technical collaboration with ostensibly independent criminals.141 The U.S. Treasury alleges Yakubets, whose group seems to have sold network accesses to North Korea, has provided “direct assistance to the Russian government” and as of April 2018 “was in the process of obtaining a license to work with Russian classified information from the FSB.”142 In other cases, authorities appear to have piggybacked on cybercriminal intrusions, including Bogachev’s, for espionage purposes.143 Aleksey Ramm, a military commentator for Izvestia, wrote in the Moscow Defense Brief in 2017 that in order to “pull off some of the trickier technical elements [of their operations], the Russian military probably subcontract to external IT specialists, including ‘black-hackers’”
137 Tim Maurer and Garrett Hinck, “Russia: Information Security Meets Cyber Security,” in Confronting an “Axis of Cyber”?, ed. Fabio Rugge (Milan: Italian Institute of International Political Studies, 2018), 46; “Hackers for Hire: Ex-Soviet Tech Geeks Play Outsized Role in Global Cyber Crime,” NBC News, August 22, 2013, nbcnews.com/technolog/hackers-hire-ex-soviet-tech-geeks-play-outsized-role-global-6c10981346.
138 Sukharenko, Russian ITC Security Policy and Cybercrime. 139 Joe Tidy, “Evil Corp: ‘My Hunt for the World’s Most Wanted Hackers’,” BBC, November 17, 2021, https:// www.bbc.com/news/technology-59297187.
140 Maurer and Hinck, “Russia: Information Security Meets Cyber Security,” 47.
141 Charging documents lay out the ties between Russian security services and private threat actors. In the Yahoo case, FSB officers “conspired together and with each other to protect, direct, facilitate, and pay criminal hackers to collect information through computer intrusions in the United States and elsewhere… One of the criminal hackers, BELAN, has been the subject of an Interpol ‘Red Notice’ and listed as one of the Federal Bureau of Investigation’s (‘FBI’) ‘Most Wanted’ hackers since 2012. BELAN resides in Russia, within the FSB’s jurisdiction to arrest and prosecute. Rather than arrest him, however, the FSB officers used him. They also provided him with sensitive FSB law enforcement and intelligence information that would have helped him avoid detection by law enforcement, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers. It was BELAN who provided his FSB conspirators… with the unauthorized access to Yahoo’s network.” United States of America v. Dmitry Dokuchaev, Igor Sushchin, Alexsey Belan, and Karim Baratov, No. CR17-103, 2-3 (Northern District of California).
142 “Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware.” Notably, Yakubets is reportedly married to the daughter of a former officer in the FSB special forces. Sergei Dobrynin and Mark Krutov, “In Lavish Wedding Photos, Clues to an Alleged Russian Cyberthief’s FSB Family Ties,” Radio Free Europe/Radio Liberty, December 11, 2019, https://www.rferl.org/a/in-lavish-wedding-photos-clues-to-an-alleged-russian-cyberthief-fsb-family-ties/30320440.html.
143 Michael Schwirtz and Joseph Goldstein, “Russian Espionage Piggybacks on a Cybercriminal’s Hacking,”
New York Times, March 12, 2017, https://www.nytimes.com/2017/03/12/world/europe/russia-hacker-evgeniy-bogachev.html. See also Garrett M. Graff, “Inside the Hunt for Russia’s Most Notorious Hacker,” Wired, March 21, 2017, https://www.wired.com/2017/03/russian-hacker-spy-botnet/.
