How Russia's Ukraine War Disrupted the Cybercrime EcosystemWar Upended Russian Brotherhood, Supply, Demand and Pricing, Says Intel Analyst Mathew J. Schwartz (euroinfosec) • March 20, 2023
Russia's invasion of Ukraine in 2022 threw Russia’s cybercrime ecosystem into a state of upheaval that still exists to this day.
"We identified disruptions to literally every single form of commodified cybercrime," said Alexander Leslie, associate threat intelligence analyst at Recorded Future.
In a new report, Leslie detailed how divided loyalties over the war resulted in an IT brain drain. An estimated 250,000 cybercriminals left Russia and Belarus. Ecosystem changes have reshaped the types of cybercrime at play, upended supply and demand for illicit goods and services, and driven pricing instability.
"Whether that be dark web shops and marketplaces, like your traditional cyber-dependent or cyber-enabled crime; the payment card fraud landscape; the willingness for threat actors to leak databases and sell initial access sales - we've seen price fluctuations in marketplaces across the board," Leslie said.
In this video with Information Security Media Group, Leslie also discusses:
- The most significant and surprising changes to the cybercrime ecosystem;
- The dividing lines, and how the "brotherhood of Russian-speaking threat actors has largely been broken";
- The overstated impact of Russian hacktivists and how they are playing into the hands of Russian disinformation operations.
Leslie, who supports threat intelligence for Recorded Future's Advanced Cybercrime and Engagements team, focuses his research on Russian cybercrime.
TranscriptMathew Schwartz:How has the Russian and Ukrainian cybercriminal ecosystem evolved over the past year I, am Mathew Schwartz, with information Security Media group, and that's one of the big questions since Russia intensified his invasion of Ukraine on Feb. 24, 2022. Joining me to discuss this in depth is Alexander Leslie, an associate threat intelligence analyst with Recorded Future. Alexander Great to have you in the studio today.
Alexander Leslie: Thank you for having me. I'm very excited to talk to you about this.
Mathew Schwartz:It's an exciting topic. Thank you for being here, and you have just written an in-depth report recapping this question of how cybercrime and the ecosystem around it evolved. Obviously there is a lot happening last year. What have been some of the most significant changes you've seen, especially around the Russian, and I guess also the Ukrainian cybercrime ecosystem?
Alexander Leslie: Yeah. So in this report we identified disruptions to literally every single form of commodified cybercrime. Now, whether that be dark web shops and marketplaces, like your traditional cyber-dependent or cyber-enabled crime, the payment card fraud landscape, the willingness for threat actors to leak databases and sell initial access sales, we've seen price fluctuations in marketplaces across the board.
So it's kind of crazy when we think about cybercrime as a whole, and how it is so geographically centralized around Russia in our public consciousness. What we've seen is over the last year, in waves, significant brain drain out of Russia, Ukraine, Belarus and other states of the CIS, or the Commonwealth of Independent States, which has led to kind of this dispersed decentralization and destabilization of the Russian cybercriminal ecosystem. We've seen disruptions to culture on dark web shops, on darknet forums, Telegram channels, social media, it's kind of crazy.
So this report delineates at least 10 different disruptions that we identify to the cybercriminal ecosystem and economy - not limited to just forms of cybercrime, but also the demand, the supply of goods and price across the board.
Mathew Schwartz:So one of the things it's a lot to unpick there, but one of the things you've just mentioned is brain drain. So are you seeing hardened Russian cybercriminal emigrating, or where are they going? What seems to be the flow or the problem, and we've definitely seen some interesting arrests of Ukrainians, of Russians, who have left the relative safe haven where they may have been previously located. I don't know if it's more than usual. But where is this brain drain happening? How is it happening?
Alexander Leslie: Yeah. So depending on the sources you look at, whether it's Western sources or Russian independent sources, there's roughly 250,000 IT professionals that have left Russia and Belarus. That number could be overestimated or underestimated, depending on how much you trust Russian statistics and that kind of reporting.
But with that, what we've identified is, there's moments of brain drain. So we identify a lot of Russians leaving the country just before the invasion occurs on Feb. 24, 2022, and then immediately after, and then with waves of offensives, with waves of partial mobilization orders, we identify even more waves of brain drain. Now, these Russians are going to, not only, you know, Belarus, but they're going to the Baltics, particularly Estonia. They're going to Finland, Georgia and Kazakhstan, and
and other States in Central Asia that you know, still speak Russian, for members of the CIS, it's relatively easy for Russians to navigate to.
And in these moments what we identify is, we can see in real time dark web Russian language forum activities decreasing right? So the total number of threads, posts, total contents, total active users, new users across the board on Russian language sources decreases in waves exactly corresponding with these events, and … in this brain drain, in this exodus of Russian cybercriminals and it professionals, we have seen arrests of Russian cybercriminals that then cross into Poland, Estonia. Or even like Mark Sokolovsky, who developed Raccoon stealer, finds himself in the Netherlands, where he's arrested by international law enforcement.
So this relative safe haven of Russia, right, there's an unwritten rule in the cybercriminal underground that if you are a Russian threat actor and you don't target Russia, you won't b investigated, prosecuted, etc., etc. This unwritten rule is kind of broken when you cross over to other States in the CIS or to Russia's near abroad. So this is what we're starting to see, and we see it in waves absolutely corresponding with forum activity. Total number of active listings on marketplaces, total number of active marketplaces, because a lot of things have gone down in the last year, but we can see the data happening in real time with Russians leaving the country and the number of activities decreasing in waves.
Mathew Schwartz:And do you have a sense of, if they are attempting, or might attempt, based on chatter, to set up a shop in their new location, or would it be too soon to tell?
Alexander Leslie: It might be too soon to tell. Like, a year is a long time, especially in the cybercriminal ecosystem, like a lot can change in a week, let alone a year. But just because of the geopolitical circumstances, and because of this new territory, and this volatility and unpredictability that a lot of Russian cybercriminals find themselves in. We see a lot of them laying low. So a lot of the major like initial access brokers data leak brokers, the big guys that worked with ransomware gangs to publicize leaks. A lot of them have gone offline since Feb. 24, 2022. And whether that's because they're adopting new monikers for operational security purposes, or they're just offline, whether they're laying low in Russia or in Russia's near abroad.
We don't really know yet, because we haven't really seen enough resurface, and we don't really have that human elements like we don't have a whole lot of human intelligence, whether proprietary or in open sources of Russian cybercriminals discussing their actual circumstances on the ground. I think maybe over the next 6 months to a year a lot of those anecdotes will start to become more public and we'll be able to determine whether or not this period of inactivity was because of the brain drain, is because of arrests, or is because, hey, there's a lot of volatility right now. There are active conscription orders happening across Russia. There's an active, full-scale war happening in Ukraine with, you know, speculation about Belarus's involvement speculation about unrest in Moldova, in Georgia. I think there are a lot of threat actors right now, who, just like actual human beings, are watching the news very closely, and are very nervous about the scale of this war and the future.
Mathew Schwartz:And maybe they've decamped and they're taking intensive Dutch. As you say, we don't quite know, but we'll find out soon.
Alexander Leslie: Absolutely.
Mathew Schwartz:So of the things that we do know. You mentioned so much upheaval in terms of the markets, the market prices. I know at the beginning of the all-out invasion, there was a lot of chatter about hacktivists in their impact. For example, what are some of the biggest surprises for you in what we've seen in terms of beyond all of the tumult? What do you think has been most interesting about it all?
Alexander Leslie: Yes, so with regards to hacktivism, the thing that's the most interesting by far is the national security risk that disinformation poses when it comes to hacktivism. So you know, we track between 50 and 100 hacktivist groups at any given time. Over the course of the year we identified over 200 independent hacktivist groups. Whether that be pro-Ukrainian, pro-Western, pro-Russian Belarusian opposition groups, and we monitored their activities very closely, and what we ended up finding was that the overwhelming majority of claims made by these groups were false, they were misleading or they were exaggerated in impact.
But the caveat there is that a lot of these groups have very suspicious relationships with Russian state media, and the ability for them to proliferate a discourse that they are actually augmenting Russia's cyber capabilities is the national security risk, because what we end up seeing is most attacks claimed by, for example, HackNet, KillNet, any of KillNet's followers, are largely mitigated. They largely have no impact whatsoever. Recorded Future analysts are not able to cite, identify and verify and reproduce any of the errors that they claim to have resulted in, for their attack to have resulted in. And, you know, they then go on Russian state media and say, hey, we took down Sweden's entire civil air transportation system. That's just like not true, right? But when Russian state media proliferates that discourse, and then it gets into Western media, what you have is a fear and a panic and a disinformation campaign that inflates the damage of these groups. But makes them a very serious national security risk, because policymakers, decision-makers, end up making decisions and assessments based on the activities of these hacktivist groups.
So that is by far the biggest surprise is that what we determined in this report is that hacktivist groups really have failed to augment Russia's cyber capabilities. Even given some attribution of these groups to Russian nation state hackers, whether that be through tacit agreement or through collaboration, we don't really know. But what we've identified really is that these hacktivist groups have been largely information operations and not impactful anything beyond that.
Mathew Schwartz:That's a great cautionary note you're sounding because we've seen some security alerts from the U.S. government that say, KillNet has claimed to do XYZ. And as you say, if there's if that's only something that they're doing as a PR offensive sort of thing that we need to take those claims with a massive grain of salt.
Alexander Leslie: Absolutely, and you know the U.S. government, as well as the Ukrainian GOVERNMENT and governments around the world have been very clear that we need to keep monitoring these groups and their discourse, their targeting lists, because often their targeting correlates with geopolitical events that are important to contextualize these campaigns in kind of a broader hacktivist or broader information operations sphere, but really be on studying them and actively monitoring them, w e do need to take their correct claims with the grain of salt, because in this report what we identify is, you know, we run sample sizes of between 100 and 300 random attacks that we have identified in the Recorded Future platform. Over 90% of these attacks claimed by kill nets that we randomly identify, we cannot verify whatsoever and likely did not result in any impact.
So, you know, the problem for us is that we have to try to dispel this narrative because it's no longer just hacktivist groups claiming things for their own personal PR purposes or for ego-driven publicity. Now we know it is likely part of a much larger information operation. Whether that is state-sponsored or not, we don't know, but it is a big campaign that we need to actively dispel in order to prevent spreading fear and panic around their campaigns.
Mathew Schwartz:So, so many changes as you have been as you rounded up in your report. one of the other ones I'd like to talk about is the change in the darknet market landscape. No matter how many take downs we see by law enforcement, be it Western, be it Russia, these darknet markets seem to keep popping back up. There's been a lot of analysis published about how sometimes they'll go to chat apps for a little while, but they always seem to be getting drawn back to this market sort of approach for ease of use, I guess, and the ability of buyers and sellers to find each other. What have you seen happen as a result of the war, or in spite of the war, in the darknet marketplace? And also has there been a shakeout in terms of the Russians versus the Ukrainians, who may have formerly been working together.
Alexander Leslie: Yes, so there are two great questions in there, the first being for the dark web marketplaces. So what we identify, at least not only in this report, but in open sources, is that the traditional economic model of the dark web marketplace, particularly the sale of contraband - so physical goods, right, these being drugs, guns, whatever can't be exported into a country. This has largely been destabilized as a result of two things: not only the war, but the takedown of Hydra market, which has really destabilized the marketplace landscape in general, and this is created a ton of splinter groups that we that we talk about.
But the war itself, the one of the indirect consequences is sanctions. So sanctions, border closures, disruptions to the Russian transportation and logistics industries. And what ends up happening is that for dark web marketplaces, it becomes no longer feasible for sellers in Russia to export physical contraband abroad. So when it comes to dark web marketplaces, some of the biggest consumers of Russian goods are Germany, the United States, and Canada. It's no longer really feasible for Russians to export. So now what Russians are doing is they're relying almost entirely on domestic shipments and dead-drop services. So what we're starting to see is the emergence of dead-drop-only marketplaces.
So we see like BlackSprut, OMG, Kraken, Solaris. A lot of these, like, in order to register you have to put your physical city in Russia, and then you get listings depending on where you are physically located within Russia. Right? So what we're starting to see is this competition between these groups, and PR campaigns - whether that be on social media, or on Telegram, or BlackSprut taking out billboards in Moscow a couple of months ago - we're starting to see this competition, but it is catering almost exclusively to Russian clients, because the shipment of physical goods abroad is no longer a feasible option for them.
And your second question about how the Russian and Ukrainian brotherhood has been, has been dismantled. This is one of the key points of the report, right? So when we talk about the brotherhood of Russian-speaking threat actors, we're not just talking about Russian nationals. We're talking about individuals located throughout the former Soviet Union, who are bound together by a common history and who all speak Russian. So when you look at ransomware gangs, Conti is an example that we talk about. There are Russians, Ukrainians, Belarusians, Estonians, Moldovans, Georgians, Kazakhs. Like there are, the whole breadth of the CIS is represented in these groups, as well as non-CIS states like Romania, Finland, Sweden and so forth.
So when the invasion takes place, what we see immediately is when groups declare allegiance, Conte being the biggest example, when they declare allegiance to the Russian States, the Ukrainian State, the United States, we see destabilization occur immediately, because this brotherhood that was bound together by a common history has now been polarized. So we see groups begin to dox each other, leak their internal Jabber chats and their Tox chats, leak builders of malware, of ransomware, mostly out of political spite. …
There's some destabilization that occurs because of revenue issues, because affiliates are not getting paid, but most of the destabilization that we identify is because of political differences as a result of the war. So this brotherhood of Russian-speaking threat actors, has largely been broken, and that unwritten rule that you can't target entities located in the CIS, that no longer exists on Russian-language forums. So if you go on some of these top-tier forums - RAMP, Exploit, XSS, BHF [Best Hack Forum] - you're going to see databases, initial access sales, payment card data affecting Ukraine, Georgia, Belarus, and so forth. And then as well on English language sources, you're going to see a lot of Russian databases now.
This precedent that we don't target Russia does not exist anymore as a result of the war because there is a new precedent, and that being most of the internet including the cybercriminal side, rallied behind Ukraine when the war kicked off.
Mathew Schwartz:And you see this state of affairs continuing indefinitely so long as the conflict continues?
Alexander Leslie: So we don't really speculate on short term and long term, and I think the reasoning is because we don't really know it's going to happen in Ukraine over the next six months.
There has been a lot of open source reporting about new offensives in the south and in the east of Ukraine, about the potential of opening a front in the north from Belarus.
There's been a lot of talk … in open source intelligence about Moldova and Georgia, and the unrest that's happening there, and the problem that we have is cybercriminals are reading that too.
Cybercriminals also read the news. They're also aware of current events, especially if they're living in that country, and they're aware of the potential for destabilization. So we don't really know what's going to happen in the future. Cybercriminals don't really know what's going to happen over the next couple of months. So we're just kind of in for the ride and going to view trends as they happen contextualized in historical data.
Mathew Schwartz:Fantastic. Well, thank you for putting a line in the sand where we have come so far. I look forward to reconnecting with you in the not just the future, to see what's happened in the interim. But, Alexander, it's great to have you on. Thank you so much.
Alexander Leslie: Thank you so much. Thank you so much for inviting me.
Mathew Schwartz:I've been speaking with Alexander Leslie of Recorded Future. I'm Mathew Schwartz with ISMG, thanks for joining us.