Researchers from Trend Micro descended into the Russian cyber underworld. There, they encountered a highly organized collective built on status, trust, and technical expertise, which is on the verge of collapse due to the Ukraine war.
Russian cybercriminals pose a real threat to every Western organization. We don’t have to look far for evidence: two weeks ago, the Belgian government faced a wave of Russian cyberattacks. It’s no coincidence that cyberattacks on Western organizations are so often linked to actors from Russia: Oxford University ranks the country number one in its global Cybercrime Index.
Under the principle of ‘Know your enemy’, Trend Micro today publishes a paper providing a unique insight into the Russian cyber underworld. According to Trend Micro, cybercrime is nowhere in the world better organized than in Russia and its surroundings. Researchers Vladimir Kropotov and Fyodor Yarochkin explain their research to the press. “The Russian cyber underworld is more than a marketplace: it’s a structured society based on rules, reputation, and trust,” Kropotov reveals.
Us versus Them
Kropotov and Yarochkin tried to get inside the heads of Russian cybercriminals. They don’t exclusively come from Russia, but also from neighboring countries where Russian is still a dominant language, says Kropotov. “There’s a lot of mutual talent export between Russian-speaking countries. They work as they would in a professional context, with job vacancies and training.”
According to Yarochkin, ideological nostalgia drives the Russian cyber underworld. The spirit of the Soviet Union, which collapsed more than thirty years ago, still lives on in the minds of the hackers. “There’s an ‘us-versus-them’ feeling. Hackers from Russian countries make agreements not to attack each other and only steal money from the ‘rich’ West. This also makes the risk of arrests much smaller.”
This doesn’t mean they necessarily act from political motives. “Actors are technically highly educated, but have few opportunities in the job market. Many therefore push the boundaries of ‘acceptable activities’ to develop their skills,” says Yarochkin. “Inflation puts people in these countries under financial pressure. Cybercrime is then a strategy to survive,” Kropotov adds.
There’s an us-versus-them feeling among Russian hackers: there are agreements to only steal money from the ‘rich’ West.
Fyodor Yarochkin, Senior Threat Solution Architect Trend Micro
Bitcoin Breaks Down the Wall
The very globalization that runs counter to their beliefs has actually helped Russian hackers expand their reach. Yarochkin: “Payment systems were long an obstacle, but the introduction of bitcoin has removed the borders. Bitcoin is the basis of the cybercrime-as-a-service ecosystem. Ransomware largely determines the global bitcoin flow. Many companies buy bitcoins to be able to pay criminals after an attack.”
In addition to economic barriers, linguistic barriers have also been overcome with the help of technology, Kropotov notes. “If you don’t speak the victim’s language, you can’t create credible phishing emails. With AI, this is now very simple, allowing hackers to reach regions that were previously inaccessible.”
Fragile Trust
The paper describes in detail how the cybercriminals interact with each other. Strict rules of conduct and codes apply on the hacker forums, and those who want to gain entry into the group need to know and respect these. “The forums are publicly accessible, but as an outsider, it’s a challenge to understand the culture and interactions,” says Yarochkin.
“It’s really in the details. They immediately spot you if you would just translate messages with Deepl or ChatGPT,” he continues. “Hackers are naturally distrustful of the outside world, but at the same time, they’re open to new ‘workforce’. By building trust and reputation, you eventually get into the groups.”
“Reputation is crucial to build an ecosystem in the digital underworld,” Kropotov chimes in. Building a reputation can take many years, but it can be lost with one mistake. “That’s why police actions are very effective. Groups that get caught become a laughing stock. Hackers learn from each other’s mistakes. If your reputation is destroyed, it’s over.”
Last year, Lockbit was dismantled, a group that stood at the top of the Russian cyber underworld. At its peak, the Lockbit network was responsible for a third of ransomware attacks worldwide. Kropotov: “Small attacks go unnoticed, but when ransomware costs millions to billions of euros and affects critical infrastructure, it attracts the attention of authorities. This creates tension among actors: on some forums, ransomware is even a forbidden topic of conversation.”
Ideological Divide
The collective feeling that made the Russian cyber underground strong has been crumbling in recent years, Yarochkin observes. The Ukraine war acts as an ideological wedge. “There’s a clear split to be seen: groups express themselves as either pro-Russian or pro-Ukrainian. The ‘other’ country suddenly becomes a legitimate target. In the past, groups would cross borders, now that’s unthinkable.”
“Taking sides in the conflict makes actors more visible. This offers opportunities for police services to locate groups,” says Kropotov. “Yet they still benefit from hiding. Ukraine and Russia consider each other terrorist states. Companies in Ukraine are not allowed to pay Russian hackers. That’s considered sponsoring terrorism and companies can be legally prosecuted for it,” Yarochkin adds.
The geopolitical tensions in the world are blurring the lines between types of cyber attacks and who can fall victim to them. Yarochkin: “Cybercriminals usually look for the weakest link to attack, while ‘hacktivists’ choose their victims more consciously to send a message or obtain information that can’t be monetized. But commercial companies can just as well become targets of hacktivism due to government actions.”
“Before the war began, hacktivism was generally much more amateurish than cybercrime. Now we see multiple levels emerging within hacktivism, and groups are organized much more professionally and complexly. Ransomware is becoming part of hybrid warfare,” says Kropotov.
Cat and Mouse
Yarochkin and Kropotov share in conclusion what Western organizations should take away from their research. “European organizations must recognize the risk and take a technical lead to keep critical infrastructure safe. We may not be able to completely stop cyber attacks, but we can make life as difficult as possible for cybercriminals. It will always remain a cat-and-mouse game.”
On some hacker forums, ransomware is a forbidden topic.
Vladimir Kropotov, Senior Researcher & Advisor Trend Micro