Ukraine invasion blew up Russian cybercrime alliances
Study: Old pacts ditched the moment Moscow moved in
The so-called "brotherhood" of Russian-speaking cybercriminals is yet another casualty of the war in Ukraine, albeit one that few outside of Moscow are mourning.
As the illegal invasion hits the one-year mark, new research suggests the conflict also disrupted Russia and the former Soviet Union's criminal ecosystem, which has "far-reaching consequences affecting nearly every aspect of cybercrime," according to Alexander Leslie, associate threat intelligence analyst for Recorded Future's Insikt Group.
Leslie, the lead researcher of the report published today, told The Register that these fractures can be felt across all parts of the Russian-speaking underground: digital fraud, dark web forums and marketplaces, ransomware gangs and hacktivists.
"The consequences of Russia's war against Ukraine have ushered in a new era of volatility and unpredictability for global cybercrime that carries a multitude of implications for defenders," Leslie said.
Russian cybercrime, per the report, refers to a diverse group of Russian-speaking miscreants located in Russia, Ukraine, Belarus, the Baltics, the South Caucasus, and Central Asia.
Before the war, all of these criminal elements were bound by a common purpose, Leslie said: "Refrain from targeting entities located in the Commonwealth of Independent States, so as to not draw the attention of law enforcement."
The day after the ground invasion began on February 24, 2022, however, the Conti ransomware gang declared its "full support of the Russian government" and pledged to use "all possible resources to strike back at the critical infrastructures of an enemy." Later it did "condemn" the war, but at that point the damage was done.
By February 27, 2022, a Ukrainian security researcher had leaked hundreds of Conti's internal files. The so-called Conti Leaks then led to the Trickbot leaks, which used information disclosed in the Conti data dump to reveal Trickbot's senior leadership. In the months that followed, Conti reportedly closed up shop.
"We do not believe that Conti's dissolution was a direct result of the leaks, but rather that the leaks catalyzed the dissolution of an already fracturing threat group," according to the Recorded Future report.
In contrast, some of Conti's rival gangs including ALPHV (BlackCat) and LockBit didn't declare their loyalty to the Kremlin. "We believe it is possible that ALPHV and LockBit both could have avoided initial insider leaks through their quickness to declare neutrality in the war," the researchers wrote.
The first rule of Russian dark web forums…
Ransomware gangs weren't the only criminals whose fault lines the war exposed. The invasion also trampled an unwritten rule on Russian-language dark web forums: criminals on these marketplaces wouldn't target organizations located in the former Soviet Union.
"We argue that the first major disruption related to Russia's war against Ukraine is the breaking of this taboo, which has established a new precedent of targeting Ukraine and other 'hostile nations' (e.g. Georgia, Estonia, Latvia, among others) of the CIS on Russian-language dark web forums, as well as openly targeting Russia and Belarus on the mid-tier BreachForums," the report authors wrote.
Looking ahead, the researchers expect to see cybercriminal groups becoming more geographically decentralized, Leslie said.
The growth of pro-Russian hacktivist groups also coincided with the start of the kinetic war. While the first wave included both pre-established groups like the Stormous ransomware gang and new crews founded to support the Russian war effort, the "second wave" of hacktivism began around March 22, 2022 with Killnet's campaign against the Latvian government.
Rise of Killnet
In fact, Killnet dominated this second wave, according to Recorded Future, and the gang and its subgroups' targets have since extended beyond Europe, targeting the Americas, Asia, and elsewhere in their subsequent attacks.
While security researchers including @Cyberknow20 put the total number of pro-Russian hacktivist groups active since the war began at 70 or more, Recorded Future says that most of these are now inactive.
"As of February 10, 2023, we believe that the majority of public-facing pro-Russian hacktivist activity falls under the umbrella of 'Killnet nexus' activity — meaning that Killnet and its allies, such as Anonymous Russia, Anonymous Sudan, INFINITY Hackers, and others, claim responsibility for more than 50 percent of all pro-Russian hacktivist activity tracked by Recorded Future analysts," the report says.
The authors add that, while they identified about 100 of these groups between February 24, 2022 and February 10, 2023, only five major ones remain active.
And the ones that are still around aren't very good. The FBI recently described Killnet's distributed denial of service attacks as having "limited success" and, as the researchers note, the impact on the overall war effort "has been negligible" at best.
What's next in 2023?
Looking ahead to the war's second year, the security researchers expect to see more of the same: more insider criminal gang leaks, more unimpressive hacktivist attacks in the headlines, more database dumps for sale on dark-web forums — potentially with an increase in Russian and Belarusian leaked databases — and more credential leaks targeting .ru and .by domains.
- Russian authorities claim Ukraine hackers are behind fake missile strike alerts
- FBI: Russian hacktivists achieve only 'limited' DDoS success
- Analysis of leaked Conti files blows lid off ransomware gang
- US, UK slap sanctions on Russians linked to Conti, Ryuk, Trickbot malware
"Volatility and instability" across the Russian-speaking dark-web economy will continue into 2023, "as the malware-as-a-service threat landscape and criminal forums remain in flux," the report predicts.
However, Ukraine's cyber effort will likely get a boost in 2023, Leslie told The Register.
"The public-private partnership has fostered greater intelligence sharing and active defensive support, which we believe will only become more effective in 2023," he said. "With regards to offensive operations, we believe that the majority of this activity will be attributed to the IT Army of Ukraine, which will continue to attract the support that enables their method of crowdsourced hacktivism."
Leslie said his team expects to see more hack-and-leak operations from the IT Army of Ukraine, but DDoS and website defacement will likely remain the dominant method of attack.
No more plausible deniability
The security shop also suggests that Russia is likely to abandon all pretenses of cracking down on cybercriminals operating inside its borders.
Earlier this month, Russian State Duma deputy Alexander Khinshtein told local news outlets that the Kremlin is considering granting legal immunity to "hackers acting in the interest of Russia."
Leslie said this move to absolve Russian criminals of any liability could happen "within the next few months."
"We believe that the current status quo of Russian Intelligence Services collaborating with cybercriminals or masquerading as cybercriminals for plausible deniability has not produced the disruptive results that the Russian state has expected," he said, noting that these miscreants have served little purpose beyond pushing disinformation campaigns and propaganda operations.
"We believe that recognizing pro-Russian hackers as an extension of Russian foreign policy and absolving them of criminal liability will open the door to public, open collaboration between cybercriminals and the Russian state." ®