Sound of the Underground: How the Russian-speaking underground is driving global cybercrime

New research shows expanding reach of criminal networks

Research published by Trend Micro explores the Russian-speaking underground and finds a shadowy ecosystem that rivals legitimate enterprise in its expertise and organisational structure.

Trend Micro has launched a new research paper, delivering a comprehensive analysis of the Russian-speaking cyber underground, an ecosystem that has shaped global cybercrime over the past decade.

The research paper explores major trends reshaping the underground economy: the long-term impacts of Covid, the fallout of mass data breaches and double extortion ransomware, the explosion of accessible AI technologies and the widespread exposure of biometric data.

As the level of sophistication of both cyber criminals and cyber security has evolved, new tools, tactics, and business models are driving unprecedented levels of specialisation within underground communities.

Evolution of the underground

The Russian-speaking underground is a network that extends far beyond Mother Russia. The Russian language is widely spoken and understood in many territories of the former USSR and is also understood by many speakers of other Slavic languages such as Polish or Croatian. Russian is still spoken by minorities in countries which border Russia such as Finland, Romania and Moldova.

During a virtual press conference to launch the report, one of the report’s authors, Fyodor Yarochkin, a researcher with Trend Micro Taiwan, summarised the evolution of the Russian-speaking underground.

“Technical education in the former USSR was quite good. I grew up at that time and many of the people who I studied with went into trading of computer hardware. That was the closest people could get to software development jobs locally. You ended up having a large number of highly educated individuals and not enough proper jobs for them.”

So, they started being creative. According to Yarochkin, many early members of the Russian-speaking underground evolved from this activity targeting grey areas.

“They were not necessarily going after committing pure crime, but they were basically just getting, creating and expanding the level of acceptable activities that they could do without getting caught,” he explained. “A lot of de facto rules that we observed in the Russian-speaking underground also evolved here, for example, not targeting users in our territories.”

This wasn’t due to an “honour amongst thieves” rule; it was more that criminals targeting users in their local territories were more likely to get arrested.

Yarochkin’s colleague and co-author, Vladimir Kropotov, pointed out that the process of democratisation that the former USSR went through in the 80s and 90s concentrated what was centuries of democratic evolution in the West into less than two decades. He said:

“With this level of change of trust, with this level of economic change, people have to find creative ways to survive and think outside the box.”

Today the Russian-speaking underground is a uniquely organised, highly collaborative, and deeply cultural network of actors operating with their own internal codes of ethics, vetting processes, and reputation systems.

“This isn’t just a marketplace, it’s a structured society of cybercriminals where status, trust, and technical excellence determine survival and success”, said Kropotov.

[Image: Cryptocurrency turbocharged the Russian-speaking criminal underground]

Circle of crime and corruption

The Trend research examines at length criminal operations including ransomware-as-a-service schemes, phishing campaigns, account brute forcing, and monetising stolen Web3 assets. Intelligence gathering services, privacy exploitation, and the merging of cyber and physical domains are also examined in depth.

According to Kropotov, we’re enduring the perfect storm for cybercrime because cybercriminals have been able to leverage more flexible work patterns and the huge increase in electronic money transfers. Just as it has in every other area of life, AI has created challenges by making cybercrime more accessible to less technically skilled people. But what really turbocharged the Russian-speaking underground, according to Yarochkin, is cryptocurrency, specifically Bitcoin.

“Bitcoin was one of the revolutionary tools that shifted the Russian-speaking underground one step further,” he said. “They could technically target anyone globally, because Bitcoin was pretty much accessible in any part of the world, and they could demand Bitcoin for whatever underground purposes.

“With the involvement of ransomware, it created the ecosystem flow of the Bitcoin, where Russian criminal groups were getting inflow of Bitcoin through ransomware and similar attacks from the West. Then the Bitcoin was heavily used in China to bypass the state restrictions on money transfers. A lot of Chinese companies were actually exchanging goods for Bitcoin so they could bypass those restrictions. And then Western companies would start buying Bitcoin again to pay for the ransomware activity. You can see how it would create the global circle of the Bitcoin flow. I believe that was one of the reasons for a lot of Russian-speaking originating criminal activity in Europe.”

Russia Ukraine War

The Ukraine war has changed the shape and the impact of the Russian-speaking underground. Yarochkin explains how groups initially operated across the border, with minimal ideological differences. The war changed that.

“Whether people were in Ukraine, Russia, Kazakhstan, they would collaborate as a group. But when the war started, you could see that already obvious ideological split, and some of the groups started trading on supporting Russian agenda and some of the groups would operate on the Ukrainian side and consider Russia as a legitimate target for foreign attacks.

“Another interesting thing is that when the war started, a lot of data that was not useful to those criminal groups now will actually be weaponised by military intelligence and secret services, like all the agencies that operate during the military conflict. There is now a customer for that data.”

Yarochkin also said that the war has increased the use of masking and proxies, so it’s getting harder to attribute attacks. Russia is considered a terrorist state by Ukraine and vice versa. A Ukrainian business that makes a payment to a Russian crime group is sponsoring an enemy of the state, as is a Russian who pays a ransom to a Ukrainian group.

“You can be prosecuted,” he says. “There is more motivation to use masking and mimicry to pretend attacks are coming from a different state. It’s not just about hiding your tracks, it’s about getting paid.”
