Russia-based cyber criminals, who until recently have been reliably able to count on their government turning a blind eye to their activities, are starting to worry that their time in the shadows is up, according to analysis of underground cyber criminal forums conducted by Trustwave’s SpiderLabs unit.
In a newly published report, SpiderLabs’ vice-president of security research, Ziv Mador, said he had observed new communications on a number of forums between cyber criminals based in Eastern Europe following recent dialogue between US president Joe Biden and Russia’s Vladimir Putin.
Based on these conversations, Mador assesses with some degree of confidence that a segment of cyber criminals is worried that the Russian authorities are actively hunting them down.
“After Biden publicly stated he expected to see results from his conversations on ransomware with Putin in June, forum threads dedicated to recent arrests almost immediately began focusing on potential takedowns, and later, the possibility of one of their own cooperating with law enforcement,” said Mador.
“Just months prior, these forum members would joke about being caught and arrested. But now, these same forum members are discussing how to prepare themselves for the possibility of being captured or potential sentences for crimes,” he added.
One dark web posting, made on 10 November to the Exploit forum and translated by SpiderLabs from the original Russian, reads: “Everything is decided on the sly, in the offices.
“And who and which game is actually playing in the backstage… it is pointless to guess. We don’t know (everything).
“Incidentally, there are the recent secret negotiations on cyber crime between the Russian Federation and the United States.”
Another posting to the same forum, two days earlier, reads: “In politics, individuals often become a bargaining chip… There are no guarantees that Article 272 of the Criminal Code of the Russian Federation will never be applied because of the criminal operations to those who work in the US.
“And yes, Putin is not eternal. Who will replace and what will be the foreign policy agreements, relations, and the internal accents in law enforcement practice, no one knows.”
Some, however, refuse to be cowed. A third poster told fellow forum members not to be scared, and suggested that no ransomware gang members in Russia would be imprisoned – more likely they would be asked to be more circumspect about publicising their attacks, or to bribe the authorities to back off with some of the profits.
SpiderLabs said it was clear that threat actors are keenly aware of the US authorities’ increasing focus on tackling cyber crime this year. That focus has already resulted in the takedown of the REvil ransomware group, and one of its members, having foolishly entered Poland, now faces possible extradition to the US to answer charges, something few would have thought possible just 12 months ago.
Mador said Eastern European cyber criminals, particularly those based in Russia, are feeling increasingly trapped, particularly because Russia, lacking an extradition treaty with the US, is one of very few “safe havens” for them.
“In just the last few months, we have seen some results of geopolitical collaboration efforts. Getting a handle on ransomware and bringing cyber criminals to justice seems to be becoming a global priority. And this should scare threat actors,” he said.
“We anticipate that these organised gangs will likely physically stay put in their home countries because even though it is not as ‘safe’ as it once was for cyber crime, cyber gang members are still less likely to be caught on their ‘home turf’. Many of these cyber criminals want to stay where they belong, where their families and friends reside, and where the local language is familiar, and many of their contacts exist.”
Mador has spent a long time exploring dark web forums, which he describes as a “window into the soul” of the cyber criminal community. He said that by regularly monitoring the dark web, security professionals can gain valuable insight into new trends and specific threat intelligence, in effect exploiting chatty criminals as an early warning system.
For example, talk of credentials for sale, or names of prominent executives appearing in postings, can sometimes be a giveaway for a dark web-savvy security professional that their organisation is being targeted, or is already under attack.
“This early warning gives security professionals time to harden their defences and update their response playbooks, enabling them to mitigate the risk of the threat being used against their organisation or respond more quickly if an attack does occur,” said Mador.
“If they see a discussion of a new social engineering technique or phishing lure, they can proactively update their email security settings and warn employees to be on the lookout.”