Expert Commentary

Crimicon Valley: Russia’s Cybercrime Underground

Ed Cabrera
Chief Cybersecurity Officer, Trend Micro

Understanding the Russian criminal underground is essential when discussing Russian proxies in cyberspace. How do cybercriminal entities interact with each other and what is their relationship with the Russian government? The Cipher Brief spoke with Ed Cabrera, the Chief Cybersecurity Officer at Trend Micro and the former Chief Information Security Officer for the U.S. Secret Service, about how the Russian cybercriminal underground functions and the blurry distinction between criminal and state-sponsored activity in cyberspace.

The Cipher Brief: How would you characterize the Russian criminal underground?

Ed Cabrera: In the mid-1990s, the perfect storm occurred in Russia with the fall of the Soviet Union. It fostered the creation of the criminal underground, as unemployed and under-employed IT professionals had different opportunities to make a living. Coupled with the globalization of the Internet, the rise of e-commerce provided them great opportunities to conduct cyber attacks for financial gain. The carding market was the first criminal enterprise to be born from within this marketplace, and over the last 15 years it has substantially expanded its criminal services and offerings.

The Russian cybercriminal underground is essentially an ecosystem. When people talk in terms of the criminal underground, they talk in terms of groups, when it is really the marketplace that gives rise to these groups. Similar to the mid-1990s, when Silicon Valley saw the growth of eBay and Amazon, there was a parallel ecosystem of e-commerce being developed out of Eastern Europe with the same skillsets and cultural norms. Instead of Silicon Valley, it is “Crimicon Valley.”

It was the same type of tech startup feel, where individuals come together to communicate, collaborate and conduct attacks. This has been occurring for the last 15 years in the Russian underground, driving an evolution toward crime-as-a-service. Now everything is so automated that a budding criminal can use one of these ransomware-as-a-service entities and start conducting attacks and making money fairly easily.

There is, however, still the top tier of highly capable individuals who essentially interact similarly to a social network, where the individuals that are most connected are usually the most successful. They function similarly to the movie Ocean’s Eleven, where everybody has a role to play, each with expertise ranging from money laundering and malware development to exploit and kit development. So depending on what type of attack it is, and what is needed to conduct those attacks, they will have individuals that specialize in doing each step.

In the early 2000s, Russian criminal groups operated in open forums and English-speaking sites that were essentially one-stop shops. But then the Secret Service took down criminal forums like Carder Planet and Shadow Crew, causing groups to become much more fractured with highly specialized Russian-speaking forums and a lot of operational security around them.

There are two main reasons why attacks are becoming more prevalent: Russian criminals operate in both physical safe havens and virtual safe havens. The physical safe haven is a result of Eastern European countries, particularly Russia, not having extradition treaties with the West. This allows criminals to operate fairly easily within Russia as long as they don’t attack Russian infrastructure. The virtual safe haven is essentially that criminals operate with anonymous nicknames. Law enforcement, particularly the FBI and the Secret Service, have been able to match up some of these nicknames and personas with their true identities. This is largely because the Russian criminal underground is a reputation economy, much like the surface economy, but instead of rating shoes and hats, criminals are rating each other on their ability to actually conduct these types of crimes. They essentially have developed “cyber cred” in the criminal underground, allowing individuals to ascend in these forums, get more connected, and become more successful. The Russian criminal underground is driven by market forces—supply and demand.

TCB: Why is Russia hesitant to cooperate with law enforcement on cybercrime? Is it a matter of proxy relationships between criminals and the government?

EC: The Russian proxy discussion has gotten really complicated as of late. Traditionally, there has been an unwritten understanding between cybercriminals and the Russian state that as long as they don’t attack Mother Russia, they are left alone to operate freely. Whether that is based on some acknowledged agreement between criminals and the Russian government from either a corruption or direction standpoint is unknown. It is too much of a gray area and we get into a trap by saying all these cybercriminals and all this activity is all state-sponsored. The capability of the cybercriminal underground is so strong that it is hard to say who is who based solely on the level of capability involved in an attack.

The growth of the criminal underground has been a rising tide that has lifted all boats, including the Russian government’s. No matter if they are a hacktivist, a patriotic hacker, or a regular cybercriminal, collaboration that goes on in the criminal underground essentially increases the capacity of all actors, including the government. One could point to a lot of breaches in the past that were thought to have been the work of nation-states, but after looking deeper, it was probably a cybercriminal group based on the motivation behind the activity. One problem we have as an industry is that we categorize groups based on capability as opposed to motivation and result. The capacity and sophistication found in the criminal underground, albeit not everybody, can be just as sophisticated as a nation-state.

TCB: If criminal groups are commonly portrayed as state-sponsored when really they might be acting solely in their own capacity, wouldn’t the state be motivated to clamp down on them so their name does not essentially get dragged through the dirt?

EC: This is more of a geopolitical discussion of what could be Russia’s motivation for allowing criminal groups to operate. Maybe they encourage this gray area because it creates a level of doubt for those that might be attacked by Russian cyber espionage groups. In other words, keeping their adversaries on their toes. If they feel there is a gain in keeping the line between criminal activity and nation-state activity blurry—giving them the ability to quickly move from one to the other—then there might be some kind of geopolitical benefit to it from their perspective.

Ultimately, asking who is working for whom is the better question. With the amount of money being made by these cybercriminal groups, it could be a corruption issue as well as a political and espionage issue.

TCB: Is the use of proxies fairly common among other states, even in the West?

EC: There have been proxies from a physical espionage perspective for years – either through companies, criminal groups, or other countries – it’s normal. It appears, however, to be a newer phenomenon to work with or through proxies in cyberspace. The question is: Where are the biggest distinctions; and who are the biggest users of proxies?

The Author is Ed Cabrera

Ed Cabrera is the Chief Cybersecurity Officer at Trend Micro. He is a 20-year veteran and former CISO of the U.S. Secret Service with experience leading information security, cyber investigative, and protective programs in support of the Secret Service integrated mission. He started his career investigating transnational cybercriminal groups and served on the Presidential Protective Division for President George W. Bush before transitioning to lead cyber forensic operations in support of...
