China is the country that is most often blamed by U.S. authorities for hacking attacks against American corporate and government targets. The recent intrusion at United Airlines is only the latest case in point.
But in reality, in terms of sheer sophistication and professionalization, there is nothing to match the Russian cyber underground. That’s the assessment of the Forward Looking Threat Assessment Team at security firm Trend Micro in a report released this week.
The report is a follow-up to two previous ones released by Trend Micro that examined the state of the Russian underground and the manner in which it operates. This one examines the increased professionalism of the Russian hacker business, the growing use of automated sales processes and the significant division of labor within its ranks. What Trend Micro researchers discovered is a level of sophistication that resembles a legitimate business implementing a strategic consulting plan.
“The Russian underground has become an economy of scale,” says Tom Kellermann, Trend Micro’s chief cyber security officer.
The country’s arsenal of illicit cyber capabilities has expanded significantly in recent times and the manner in which hacking tools and services are delivered has become very professional. Prices for most malware and exploits have declined even as myriad new tools and capabilities have become available since Trend Micro last looked at the Russian underground, Kellermann says.
“These guilds of thieves are also being called upon to act as an online militia supporting Russia during times of geopolitical tension,” he said. “This allows them to become untouchable from US and European law enforcement.”
For the report, Trend Micro observed the activity and transactions being carried out in 70 Russian underground forums. The security firm’s researchers also tracked marketplaces, forums and known hackers to get a feel for the scope and sophistication of the Russian cyber underground. The exercise revealed several disturbing new trends.
Shell script uploads
Russian hackers have increasingly begun exploiting vulnerable Web servers and then scanning them for known file names so they can upload specific shell codes or iframes for the purposes of delivering targeted exploits. “This is a new development that we expect to see a lot more of in the near future,” the Trend Micro researchers noted in their report.
Language translation services
Underground forums have popped up in Russia that offer professional translation services for targeted email spamming and typing support. The trend towards targeted attacks against specific individuals has spawned demand for individuals capable of writing grammatically correct, credible-sounding emails in the target’s preferred language. Many Russian underground forums have special groups on hand that can prepare attack emails on demand.
Fake identity approval services
Fake identity vetting services are now available to Russian hackers who run into problems when doing money transfers or laundering illicitly obtained money in foreign markets. When banks or online service providers make proof-of-identity calls to verify the identity of an individual conducting a transaction with them, these fake identity services vouch for the individuals.
Log processing services
Some cybercriminals in Russia’s underground market have begun offering log-processing services to help other threat actors extract information from stolen system logs. In some cases, such services process logs on a regular basis from servers that they have previously compromised and sell the data for a fixed price. In other cases, the log processing services buy stolen log data in packets of 1GB or more and then process and sell any interesting information they might be able to extract from the data.
Money laundering with corporate accounts
For a fee of around $50,000, some services help cybercriminals carry out large-scale money laundering using bank accounts belonging to US and UK-based corporations.
The growing sophistication of the Russian underground has serious implications for enterprises, Kellermann says. Prices for advanced and custom-hacking capabilities have declined even as availability of such tools has increased. “The criminal community of the world is now heavily armed,” he said.
Kellermann noted that Trend Micro’s analysis shows the Russian underground to be the most organized and advanced of the world’s cyber undergrounds with more than 78 forums and more than 20,000 active members.
It specializes in selling traffic direction systems and offering traffic direction and pay-per-install services, Trend Micro said in its report. “Traffic-related products and services are becoming the cornerstone of the entire Russian malware industry,” it noted.
According to Kellermann, the American and Chinese undergrounds do not compare well with the Russian underground. The Chinese underground, for instance, specializes in mobile malware development and DDoS services, but the Russian underground takes this one step further by offering these capabilities as custom-tailored services for a low price.
“The only underground community that lights a candle to the Russian underground is that of the Brazilian underground,” he said.