Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

07:45 AM
Connect Directly

From Russia With Love: A Slew of New Hacker Capabilities and Services

A review of the Russian underground by Trend Micro reveals it to be the world's most sophisticated.

China is the country that is most often blamed by U.S. authorities for hacking attacks against American corporate and government targets. The recent intrusion at United Airlines is only the latest case in point.

But in reality, in terms of sheer sophistication and professionalization, there is nothing to match the Russian cyber underground. That’s the assessment of the Forward Looking Threat Assessment Team at security firm Trend Micro in a report released this week.

The report is a follow up on two previous ones released by Trend Micro that examined the state of the Russian underground and the manner in which it operates. This one examines the increased professionalism of the Russian hacker business, the growing use of automated sale process and the significant division of labor within its ranks. What Trend Micro researchers discovered is a level of sophistication that resembles a legitimate business implementing a strategic consulting plan.

“The Russian underground has become an economy of scale,” says Tom Kellermann, Trend Micro’s chief cyber security officer.

The country’s arsenal of illicit cyber capabilities has expanded significantly in recent times and the manner in which hacking tools and services are delivered has become very professional. Prices for most malware and exploits have declined even as myriad new tools and capabilities have become available since Trend Micro last looked at the Russian underground, Kellermann says.

“These guilds of thieves are also being called upon to act as an online militia supporting Russia during times of geopolitical tension,” he said. “This allows them to become untouchable from US and European law enforcement.”

For the report, Trend Micro observed the activity and transactions being carried out in 70 Russian underground forums. The security firm’s researchers also tracked marketplaces, forums and known hackers to get a feel for the scope and sophistication of the Russian cyber underground. The exercise revealed several disturbing new trends.

Shell Scripts uploads
Russian hackers have increasingly begun exploiting vulnerable Web servers then scanning them for known file names so they can upload specific shell codes or iframes for the purposes of delivering targeted exploits. “This is a new development that we expect to see a lot more of in the near future,” the Trend Micro researchers noted in their report.

Language translation services
Underground forums have popped in Russia that offer professional translation services for targeted email spamming and typing support. The trend towards targeted attacks against specific individuals has spawned demand for individuals capable of writing grammatically correct, credible sounding emails in the target’s preferred language. Many Russian underground forums have special groups on hand that can prepare attack emails on demand.

Fake identity approval services
Fake identity vetting services are now available to Russian hackers who run into problems when doing money transfers or laundering illicitly obtained money in foreign markets. When banks, or online service providers make proof-of-identity calls to verify the identity of an individual conducting a transaction with them, these fake identify services vouch for the individuals.

Log processing services
Some cybercriminals in Russia’s underground market have begun offering log-processing services to help other threat actors extract information from stolen system logs. In some cases, such services process logs on a regular basis from servers that they have previously compromised and sell the data for a fixed price. In other cases, the log processing services buy stolen log data in packets of 1GB or more and then process and sell any interesting information they might be able to extract from the data.

Money laundering with corporate accounts
For a fee of around $50,000 or so, some services help cybercriminals do large money laundering using bank accounts belonging to US and UK-based corporations.

The growing sophistication of the Russian underground has serious implications for enterprises, Kellermann says. Prices for advanced and custom-hacking capabilities have declined even as availability of such tools have increased. “The criminal community of the world is now heavily armed,” he said.

Kellerman noted that Trend Micro’s analysis shows the Russian underground to be the most organized and advanced of the world’s cyber undergrounds with more than 78 forums and more than 20,000 active members.

It specializes in selling traffic direction systems and offering traffic direction and pay-per-install services, Trend Micro said in its report. “Traffic-related products and services are becoming the cornerstone of the entire Russian malware industry,” it noted

According to Kellermann, the American and Chinese undergrounds do not compare well with the Russian underground. The Chinese underground for instance specializes in mobile malware development and DDoS services, but the Russian underground takes this one step further by offering these capabilities as custom tailored services for a low price.

“The only underground community that lights a candle to the Russian underground is that of the Brazilian underground,” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...