www.theregister.com
104.18.4.22
Public Scan
URL:
https://www.theregister.com/2023/02/24/russian_cybercrime_economy/
Submission: On February 27 via api from TR — Scanned from DE
Text Content
UKRAINE INVASION BLEW UP RUSSIAN CYBERCRIME ALLIANCES

STUDY: OLD PACTS DITCHED THE MOMENT MOSCOW MOVED IN

Jessica Lyons Hardcastle
Fri 24 Feb 2023 // 05:00 UTC

The so-called "brotherhood" of Russian-speaking cybercriminals is yet another casualty of the war in Ukraine, albeit one that few outside of Moscow are mourning.

As the illegal invasion hits the one-year mark, new research suggests the conflict also disrupted Russia and the former Soviet Union's criminal ecosystem, which has "far-reaching consequences affecting nearly every aspect of cybercrime," according to Alexander Leslie, associate threat intelligence analyst for Recorded Future's Insikt Group.

Leslie, the lead researcher of the report published today, told The Register that these fractures can be felt across all parts of the Russian-speaking underground: digital fraud, dark web forums and marketplaces, ransomware gangs and hacktivists.

"The consequences of Russia's war against Ukraine have ushered in a new era of volatility and unpredictability for global cybercrime that carries a multitude of implications for defenders," Leslie said.

Russian cybercrime, per the report, refers to a diverse group of Russian-speaking miscreants located in Russia, Ukraine, Belarus, the Baltics, the South Caucasus, and Central Asia.
Before the war, all of these criminal elements were bound by a common purpose, Leslie said: "Refrain from targeting entities located in the Commonwealth of Independent States, so as to not draw the attention of law enforcement."

The day after the ground invasion began on February 24, 2022, however, the Conti ransomware gang declared its "full support of the Russian government" and pledged to use "all possible resources to strike back at the critical infrastructures of an enemy."

Later it did "condemn" the war, but at that point the damage was done. By February 27, 2022, a Ukrainian security researcher leaked hundreds of Conti's internal files.

The so-called Conti Leaks then led to the Trickbot leaks, which used information disclosed in the Conti data dump to reveal Trickbot's senior leadership. In the weeks that followed, Conti reportedly closed up shop.

"We do not believe that Conti's dissolution was a direct result of the leaks, but rather that the leaks catalyzed the dissolution of an already fracturing threat group," according to the Recorded Future report.

In contrast, some of Conti's rival gangs including ALPHV (BlackCat) and LockBit didn't declare their loyalty to the Kremlin.

"We believe it is possible that ALPHV and LockBit both could have avoided initial insider leaks through their quickness to declare neutrality in the war," the researchers wrote.

THE FIRST RULE OF RUSSIAN DARK WEB FORUMS…

Ransomware gangs weren't the only criminals whose fault lines the war exposed, and the invasion also trampled an unwritten rule on Russian-language dark web forums that criminals on these marketplaces wouldn't target organizations located in the former Soviet Union.

"We argue that the first major disruption related to Russia's war against Ukraine is the breaking of this taboo, which has established a new precedent of targeting Ukraine and other 'hostile nations' (e.g. Georgia, Estonia, Latvia, among others) of the CIS on Russian-language dark web forums, as well as openly targeting Russia and Belarus on the mid-tier BreachForums," the report authors wrote.

Looking ahead, the researchers expect to see cybercriminal groups becoming more geographically decentralized, Leslie said.

The growth of pro-Russian hacktivist groups also coincided with the start of the kinetic war. While the first wave included both pre-established groups like the Stormous ransomware gang and new crews founded to support the Russian war effort, the "second wave" of hacktivism began around March 22, 2022 with Killnet's campaign against the Latvian government.

RISE OF KILLNET

In fact, Killnet dominated this second wave, according to Recorded Future, and the gang and its subgroups' targets have since extended beyond Europe, targeting the Americas, Asia, and elsewhere in their subsequent attacks.

While security researchers including @Cyberknow20 put the total number of pro-Russian hacktivist groups active since the war began at 70 or more, Recorded Future says most of these are now inactive.

"As of February 10, 2023, we believe that the majority of public-facing pro-Russian hacktivist activity falls under the umbrella of 'Killnet nexus' activity — meaning that Killnet and its allies, such as Anonymous Russia, Anonymous Sudan, INFINITY Hackers, and others, claim responsibility for more than 50 percent of all pro-Russian hacktivist activity tracked by Recorded Future analysts," the report says.

The authors add that, while they identified about 100 of these groups between February 24, 2022 and February 10, 2023, only five major ones remain active.

And the ones that are still around aren't very good. The FBI recently described Killnet's distributed denial of service attacks as having "limited success" and, as the researchers note, the impact on the overall war effort "has been negligible" at best.

WHAT'S NEXT IN 2023?
Looking ahead to the war's second year, the security researchers expect to see more of the same: more insider criminal gang leaks, more unimpressive hacktivist attacks in the headlines, more database dumps for sale on dark-web forums — potentially with an increase in Russian and Belarusian leaked databases — and more credential leaks targeting .ru and .by domains.

"Volatility and instability" across the Russian-speaking dark-web economy will continue into 2023, as the malware-as-a-service threat landscape and criminal forums remain in flux, the report predicts.

However, Ukraine's cyber effort will likely get a boost in 2023, Leslie told The Register.

"The public-private partnership has fostered greater intelligence sharing and active defensive support, which we believe will only become more effective in 2023," he said. "With regards to offensive operations, we believe that the majority of this activity will be attributed to the IT Army of Ukraine, which will continue to attract the support that enables their method of crowdsourced hacktivism."

Leslie said his team expects to see more hack-and-leak operations from the IT Army of Ukraine, but DDoS and website defacement will likely remain the dominant method of attack.

NO MORE PLAUSIBLE DENIABILITY

The security shop also suggests that Russia is likely to abandon all pretenses of cracking down on cybercriminals operating inside its borders. Earlier this month, Russian State Duma deputy Alexander Khinshtein told local news outlets that the Kremlin is considering granting legal immunity to "hackers acting in the interest of Russia."
Leslie said this move to absolve Russian criminals of any liability could happen "within the next few months."

"We believe that the current status quo of Russian Intelligence Services collaborating with cybercriminals or masquerading as cybercriminals for plausible deniability has not produced the disruptive results that the Russian state has expected," he said, noting that these miscreants have served little purpose beyond pushing disinformation campaigns and propaganda operations.

"We believe that recognizing pro-Russian hackers as an extension of Russian foreign policy and absolving them of criminal liability will open the door to public, open collaboration between cybercriminals and the Russian state."