Cybercriminals Have yet to Exploit Russia-Ukraine Tensions

Financially motivated actors appear to have stayed out of the Russia-Ukraine tensions—so far.

Those actors “have yet to show their inclination to leverage the conflict for personal gain,” according to researchers at Intel471 who have been monitoring how the current conflict between the two countries is affecting the cybercriminal underground.

But it’s too early to tell how long that stance will hold. “The recent change of course from Russian law enforcement in the form of arrests and takedowns shows that the country will leverage the underground for diplomatic advantage in the same way it does for its intelligence purposes,” the researchers wrote in a blog post.

The group noted that the last month saw a number of cyberattacks against Ukrainian targets, such as a January attack “in which Ukrainian websites were defaced as a cover to launch destructive malware known as WhisperGate.” But even that “has not attracted much attention from underground actors,” Intel471 said.

Researchers observed only a handful of actors discussing how the attacks were committed as well as weaknesses in Ukrainian critical infrastructure. “The lack of discussion fits the methodology of financially-motivated actors: Attacks like WhisperGate are difficult to monetize,” Intel471 wrote. “Additionally, a good portion of these forums are pro-Russian in nature, with forum moderators frequently discouraging or outright banning discussion threads that discuss politics.”

The researchers also don’t believe that bad actors using “current Russia-Ukraine tensions as a motivator” are behind “a small concentration of advertisements and offers related to data tied to Ukrainian government organizations,” despite the timing. “This assessment comes as the volume of Ukrainian government data mirrors other instances we’ve observed over the past five years when geopolitical tensions were calm,” they wrote.

The observations are in agreement with those from other security researchers. “For years, Russia-based cybercriminals have widely believed that they can avoid law enforcement attention by not targeting victims in former Soviet Union (FSU) nations. Because of this sentiment, we have rarely seen content on higher-profile cybercriminal forums that mentions attacking Ukraine-based victims,” said the Photon Research Team at Digital Shadows.

“We have not noticed a significant change in forum content since the latest Russia-Ukraine tensions began—the trickle of Ukraine-related content is consistent with pre-2022 levels,” the team said. “The only major new development has been a data-leak site called Free Civilian, which shared information relating to Ukrainian government-linked entities, although this site is in English and was first advertised on an English-speaking forum.”

Instead, there has been more activity from Russian law enforcement, which recently arrested an array of cybercriminals; as a result, three underground stores that traded in compromised payment card data went offline. A note indicated they were seized by Russia’s Ministry of Internal Affairs (MVD). “Later the same day, the Russian TASS press agency reported six individuals were arrested in Russia on cybercrime charges,” Intel471 researchers said.

“While it’s unclear how everyone arrested is tied to the affected forums, one of those men—Andrey Novak—has been linked to UNICC, another carding forum” that shut down last month. He was also charged in absentia in 2018 by the U.S. Justice Department “for allegedly working with notorious malware and carding forum Infraud,” Intel471 said.

“These arrests, combined with the actions taken against the REvil ransomware gang, are an unprecedented development in how Russian law enforcement deals with cybercriminals within its own borders,” they wrote.

Russia has a long history of being “extremely lenient with cybercriminals that have shown ties to Russia and a modus operandi of targeting countries that don’t belong to the Commonwealth of Independent States (CIS), an intergovernmental organization which includes Russia and former Soviet states,” the researchers said. “Cybercriminals have long developed their techniques, tactics and procedures (TTPs) in order to purposely avoid targeting CIS countries and businesses that operate within them, while forum admins and other organized groups have banned any activity aimed at these countries.”

The Russian government may have authorized these law enforcement actions “as a diplomatic gesture to Western governments,” Intel471 researchers said, “given that Russia’s domestic security agency, the Federal Security Service (FSB), has publicly said some of the arrests were conducted in conjunction with U.S. law enforcement.”

The country has made these actions public through both domestic and international channels and on social media, perhaps to show cooperation with the West. “Should tensions cool between Ukraine and Russia, we assess it is possible that Russian law enforcement will return to status quo leniency for these cybercriminals,” researchers wrote. “Until then, Russian-based threat actors could see their country’s law enforcement’s recent actions as a deterrent to conducting cybercrime activities, which would prove a worthy cause benefiting organizations around the world.”

The Intel471 researchers are “saying out loud what many have been thinking: The notable shift in Russia’s approach to domestic cybercriminals, combined with the timing of Ukrainian military build-up and increasing tensions, is at least partly motivated by the diplomatic value of being a ‘good citizen’ on the internet,” said Casey Ellis, founder and CTO at Bugcrowd.

“If Russian policy has shifted toward using the cybercriminal underground as an international relations tool, it does raise the question of whether or not the relative quiet on the internet at the moment is organic or an extension of this strategy,” Ellis said. “The Russia/Ukraine conflict is a particularly noisy one given its international significance and the number of stakeholders it influences and involves, so I’m intrigued but not that surprised to hear that nation-state actors in the mix appear to be treading fairly carefully.”

While financially motivated threat actors haven’t made a meaningful foray into the Russia-Ukraine situation, it’s likely that they will wade in more fully as Ukraine’s network infrastructure becomes increasingly overburdened and understaffed—and is perceived to be more vulnerable. “Criminal actors may seek to purchase access credentials, personally identifiable information (PII) or intellectual property to capitalize on the distractions, and financially motivated actors could act as suppliers to fill that gap,” researchers wrote.

“Whether the recent arrests are part of a diplomatic initiative remains to be seen, but it’s hard to see how anyone serious would think Europe would tolerate an invasion of Ukraine in exchange for a few cybercrime arrests,” said Netenrich principal threat hunter John Bambenek, who noted that the situation between Ukraine and Russia is fast-moving. “It’s hard to tell, really, what the endgame is.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
