A rift has formed in the cybercrime underground: one that could strengthen, rather than cripple, the cyber-onslaught of ransomware.
According to a report (PDF) published Monday, ever since the outbreak of war in Ukraine, “previously coexisting, financially motivated threat actors divided along ideological factions.”
“Pro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors, and are increasingly attempting to target Russian entities in support of Ukraine,” wrote researchers from Accenture’s Cyber Threat Intelligence (ACTI). “However, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting ‘enemies of Russia,’ especially Western entities due to their claims of Western warmongering.”
The Russia-Ukraine Cyber Warzone
Historically, the world’s foremost cybercrime forums have been Russian language. These dark web marketplaces bring together a complex network of advanced persistent threat (APT) and ransomware groups, botmasters, and malware authors – a range of cybercriminals that includes even low-level carders, scammers and script kiddies.
Together, threat actors can do more than they otherwise could on their own. For example, botmasters offer access to already compromised devices, software developers improve the malware, and initial access brokers specialize in providing network access via backdoors or security vulnerability exploits for things like Remote Desktop Protocol (RDP).
This productivity is underpinned by not only a shared language, but a shared cultural and political alignment. As ACTI noted in its report, “these forums previously employed a strict, ‘no work in CIS’ policy.” The CIS – Commonwealth of Independent States – is a post-Soviet conglomeration of Russia and central Asian states.
With the outbreak of war, however, this harmony is fracturing.
One poll, published to a cross-site scripting (XSS) forum on March 2, posed the question: “Are you against work on RU and CIS?” 82.6 percent of respondents responded “Yes,” but, a surprisingly large minority – 17.4 percent – responded “No.”
No Love For Moscow
On Feb. 27, an admin from RaidForums – an online marketplace for trafficking data from high-profile database leaks – published a statement titled “RAIDFORUMS SANCTIONS ON RUSSIA.”
ANY USER FOUND TO BE CONNECTING FROM RUSSIA WILL BE BANNED! THIS IS NOT A JOKE, WE DO NOT SUPPORT THE KREMLIN.
Shortly after the statement was published, RaidForums’ main server was taken down by unknown enemies. It remained down as of March 4, according to ACTI.
The same is true in the opposite direction. The conflict “has led some actors to exclusively sell their services, such as network accesses, to pro-Russian actors,” researchers wrote, and inspired increased attacks against Western targets.
How This Will Hurt the West
It might appear, at first glance, that civil war in the cyber underground is a good thing. After all, if they’re fighting each other they won’t have time to annoy the rest of us, right?
In fact, the exact opposite is true.
“The primary effect of this political divide so far,” the researchers observed, “is an increased and prolonged threat from underground actors aimed at Western targets, owed to the galvanization of pro-Russian actors and their targeted efforts that focus on ‘enemies of Russia.'”
Nationalist fervor is even motivating cybercriminals to open their arms and welcome previously shunned ransomware groups.
In response to the Colonial Pipeline attack last May, Western governments and law enforcement began cracking down harder than ever on ransomware groups. In response – to avoid getting the stink on them, too – underground admins banned those groups.
“While ransomware actors did not disappear from the underground,” wrote the researchers, “the ban did make it harder for them to acquire tools, recruit affiliates, or gain exploits or accesses, thereby reducing ransomware actors’ abilities to scale their operations.”
Now, “many underground actors call for the return of ransomware groups to the mainstream underground.”
The consequence of bringing ransomware groups back into the fold “would not only enable those actors to target Western organizations more efficiently but also embolden them, as other underground actors would likely herald ransomware actors’ return and give those ransomware actors perceived moral reason to conduct attacks,” the report concluded.
Increasingly Targeting Critical Infrastructure
The report described an increasing volume of attacks against the West, “especially in the resources, government, media, financial and insurance industries,” the report said. “The targeting of financial and insurance entities is due to the perception that they are the working arms of Western financial sanctions, whereas the targeting of utilities and resources entities is due to those organizations’ importance as critical national infrastructure.”
Critical infrastructure will be of particular concern, especially if ransomware groups have the political motive – plus the tools of the rest of the underground community at their disposal.
“Organizations within telecommunications, IT, government and critical infrastructure are no doubt on a heightened level of security with the current events in the geopolitical environment,” James McQuiggan of KnowBe4 told Threatpost via email, but “cybersecurity is finally becoming an important topic for the government, considering the number of attacks the various agencies have dealt with over the past number of years.”
If the cyber onslaught in Ukraine extends West, will the United States and the European Union be ready?
The answer to that question may arrive soon.
Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.