Russia’s war in Ukraine has shaken cyberspace at every level, from nation-state advanced persistent threats (APTs) on down to low-grade carders on Dark Web forums.
A new report from Recorded Future highlights the many effects that the Russian invasion of Ukraine, now one year past, has had in cyberspace. Threat actors have been pulled away from their computers. Allies have become enemies. Cybercrime activity has shifted and power structures have been reorganized, not least because people have been physically moving.
It all amounts to a kind of grand, multifaceted dissolution. A breakdown of the cybercrime state of affairs. Will the digital underworld ever be the same again?
Cybercriminals Are Moving
The internet breaks down barriers. Even thousands of miles can’t prevent a hacker in Russia or Ukraine from breaching the database of a corporation in France or Canada. And yet, physical movement in the wake of the war has had lasting impacts on how cybercriminals are operating.
On one hand, of course, Ukrainians have emigrated from their country en masse.
“We believe that some threat actor groups based in Ukraine also fled when the war began, similar to their Russian counterparts,” Alex Leslie, associate threat intelligence analyst at Recorded Future, tells Dark Reading.
The report refers to the case of Mark Sokolovsky, core developer for Raccoon Stealer — an information-stealing malware — who fled Ukraine to avoid conscription.
“While this is only one case study,” Leslie says, “we believe it is indicative of a larger trend in which threat actors have fled Russia, Ukraine, and even Belarus to avoid conflict.”
Meanwhile, Russia has been experiencing, as the authors say, a “brain drain,” with IT and cybersecurity professionals leaving the country for neighboring Georgia, Kazakhstan, Finland, and Estonia. Further, the drafting of young men of fighting age has led threat actors from behind screens to the front lines.
As a result, the country “has begun to deplete its hacker reserves,” Leslie explains. “What we identify is that the overall volume of activities, particularly on Russian cybercriminal forums, marketplaces, and social media channels, has decreased dramatically in waves. These waves being immediately before and after the war began, during waves of mobilization, and coinciding with Russians leaving the country.”
The reordering of so many lives has led to “a bit more decentralization, both geographically and in terms of hegemonic groups and sources of activity,” Leslie says.
Cybercriminals Are Fighting One Another
Cybercriminals come from every corner of the world, but from no corner more than Russia and Eastern Europe. Many of the great cyberattacks of history have come courtesy of criminals in Russia and Ukraine. Russian APTs have become notorious for their attacks against Ukraine, but this represents a change: Russian cybercriminals have historically worked hand-in-hand with their comrades across the border.
This kumbaya attitude was quashed on Feb. 24, 2022, when Russia invaded Ukraine and those on both sides were inspired to pledge allegiances. Most famously, the Conti group fully backed the Putin regime, then retracted, then halfway retracted its retraction. This support for the invasion was, perhaps not coincidentally, accompanied by a giant leak of the Conti source code, setting off a slow demise for Russia’s most prominent ransomware gang.
“We do not believe that Conti’s dissolution was a direct result of the leaks,” the authors wrote, “but rather that the leaks catalyzed the dissolution of an already fracturing threat group.”
Far beyond just Conti, cybercrime elements that once worked together have since split over political differences, according to Recorded Future. The authors wrote that “the so-called ‘brotherhood’ of Russian-speaking threat actors located in the CIS [Commonwealth of Independent States] has been damaged by insider leaks and group splintering, due to declarations of nation-state allegiance both in support of and opposed to Russia’s war against Ukraine.”
All the uprooting and fighting has caused fractures in the very structure of the cybercrime underground, researchers concluded.
“Russian-language Dark Web marketplaces have taken a major hit,” Leslie claims. “These marketplaces have also fractured and become more diffuse,” a trend compounded by the seizure of the world’s No. 1 cybercrime forum, Hydra.
He adds, “We speculate that the epicenter of cybercrime may shift to English-speaking Dark Web forums, shops, and marketplaces over the next year.”