In last week’s blog, LookingGlass Cyber Threat Intelligence Group (CTIG) Senior Threat Analyst Emilio Iasiello and LIFARS Marketing Manager Michal Nemcok* provided a general overview of the global cyber crime underground, as well as a more in-depth look at the Chinese criminal underground. Today, they focus their discussion on the Russian and Eastern European criminal marketplaces.
Perhaps no underground marketplace is as notorious as the Russian underground, setting the bar for all other criminal undergrounds. The Russian criminal marketplace consists of Russian language speakers, but is not Russia-specific. The actors operating in this area are reputed to be among the most sophisticated in both creating new tools and offering services for other criminals. Many of the more news garnering criminal-related endeavors such as 2013 ATM Casher Crew, an international group of thieves targeting ATMs, or the group that targeted the NASDAQ, have involved Russian-speaking actors. These actors are so prevalent that from 2013-2015, several international law enforcement organizations arrested over 160 Russian-speaking cybercriminals who were members of small, medium-sized, and large criminal groups with an estimated damage of $790 million, according to Kaspersky Lab.
Perhaps more telling is Kaspersky Lab’s belief that up to 1,000 cyber-specialists have been recruited by Russian cyber gangs in the past three years and that only around 20 individuals are at the core of these gangs and the tools they use. This suggests that the seemingly disparate cybercriminal enterprise in this region may be more centralized than previously anticipated.
Unsurprisingly, approximately 95 percent of Russian cyber crime revolves around the theft of money, and the Russian underground features some of the more sophisticated and advanced products and services offered in the Deep Web. Prices can vary and range from cost effective to very expensive depending on the type of tool being solicited. Some products and services offered are:
- Programming services and Software: These are the most popular cyber crime services and activities, according to Kaspersky Lab’s findings, which provides a glimpse into the underground activity in Russian-speaking forums and cybercriminal circles. The sale of off-the-shelf malware programs like Trojans, spammers, distributed denial of service (DDoS) bots, and banking Trojans are also among the hottest markets.
- According to Trend Micro, aside from programming and software sales, other popular services sought out by criminal actors in this space include hacking services; dedicated server sales and bulletproof hosting services; spam and flooding services; download sales; DDoS services; traffic sales; file encryption services; Trojan sales; and exploit-writing services and sales.
While it has largely been theorized that the one major rule of Russian cybercriminals is to avoid targeting Russian organizations, this may not be a hard rule. “Paunch”, the Russian author of a prominent Blackhole malware kit, was arrested in 2013 by Russian authorities after it was determined that he and some associates had gone after Russian targets. Two Russian brothers were also arrested by Russian authorities for targeting Sberbank Rossii, the largest bank in Russia and Eastern Europe, of which the Russian government is a majority shareholder.
Not unlike its regional counterparts, the European cyber crime underground operates like a legitimate business marketplace, becoming increasingly more commercialized and services oriented. As a result, this crime-as-a-service business model drives innovation and sophistication, and provides access to a wide range of services that facilitate almost any type of cyber crime, according to a 2014 European Cybercrime Centre Internet Organised Crime Threat Assessment (IOCTA) report. The IOCTA report’s findings show that European cybercriminals are able to reduce their risk by operating outside the jurisdictional boundaries of the European Union (EU). These locations typically have insufficient legal or law enforcement means to mount effective investigations into these types of activities.
Eastern Europeans and Germans are some of the more active individuals in the European cyber crime eco-system. According to 2015 Interpol findings, Eastern European cybercriminals were among the most sophisticated. Notably, they highlighted the fact that while they may use exploits created by other hackers, they implement customized tools designed for the specific operation. These actors typically work in small teams focused on the projects at hand and are extremely cautious about preserving their anonymity.
According to a 2015 Trend Micro report, the German cyber underground market is robust with forums and marketplaces that serve as repositories for stolen data and trading venues for crimeware. Five of the forums cited in the report sold hacking tools, credit cards, stolen credentials, narcotics, and fake documents—stuff that any cybercriminal wannabe would love to get his hands on. According to the same report, locally developed tools crafted by German cybercriminals also abound in the underground. Popular crimeware like Sphinx and Cube in Russian forums were, in fact, first made available (and are still heavily advertised) on German forums. German-made Triple CCC is also widely available.
Six of the top 10 countries that experienced the most Internet fraud were located in Eastern Europe and the former Soviet Union, according to one Interpol official in 2015. Some of the more pertinent criminal activities transpiring in the European underground include:
- Malware: As of 2015, the three principal malware types that have been leveraged extensively by European cybercriminals are ransomware, remote access Trojans (RATs), and info stealers. Ransomware was the top threat for law enforcement, as two-thirds of the EU member states were conducting some level of investigations of incidents that used this malware type. CryptoLocker and CTB-LOCKER were the two most prevalent. RATs remained a favorite tool by malicious actors, with BlackShades and DarkComet being the most commonly used by criminals implementing RATs into their operations. Finally, info stealers such as Zeus, Citadel, Dridex, Tinba, and IC-X were among the most common info stealers, particularly against financial targets.
- Markets for Goods and Services: According to a RAND Corporation study in 2013, stolen credit card data from Europe was financially more lucrative than those from the United States. This comes as little surprise given the fact that from 2004-2005 the carding market grew significantly, in large part due to Russian and Eastern European groups increasing activity in cyber crime. According to one source, goods and services offered in the European underground include e-mail spam, child pornography, fraud and phishing, cyber extortion, disclosure of personal and confidential data, compromise of resources and web defacements, compromise of network systems and websites, denial of service, and unlawful e-commerce and services.
- Bitcoin: Cybercriminals from Eastern Europe are also active in hacking Bitcoin, an untraceable crypto currency used online.
*Michal Nemcok is the Marketing Manager at LIFARS, an international Incident Response And Digital Forensics firm. His background is in IT and IT security with focus on security-related marketing and content editing. He’s done extensive research into topics such as Hacking-as-a-Service and APT campaigns. He works directly with the Incident Response team to keep his hand on the pulse of the latest trends in real-world investigations.