Editors Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF.
Executive Summary
Russias war against Ukraine has disrupted the cybercriminal ecosystem. On February 24, 2022, Russia launched a full-scale invasion against Ukraine. As outlined in the recent Recorded Future report Themes and Failures of Russias War Against Ukraine, Russia likely remains intent on seizing Kyiv, dismantling the government of Ukraine, and securing a decisive military victory despite compounding strategic and tactical failures. Russias offensive cyber operations have been unable to substantively augment Russias conventional military progress and will likely shift to targeting civilian infrastructure in an attempt to degrade Ukraines morale ahead of an upcoming, renewed offensive. Russias continued reliance on leveraging proxy groups to achieve its objectives in Ukraine while maintaining plausible deniability has further illuminated the links between Russian Intelligence Services (RIS) and non-state actors, evidenced by Russias direct, indirect, and tacit relationships with cybercriminal and hacktivist groups as outlined in our report, Dark Covenant 2.0: Cybercrime, the Russian State, and the War in Ukraine.
The so-called brotherhood of Russian-speaking threat actors located in the Commonwealth of Independent States (CIS) has been damaged as a result of political disagreements among threat actors in the context of the war. This damage has established a new norm of internal instability, as evidenced by a continued wave of insider leaks. Additionally, as Russia experiences a brain drain of IT professionals, these now-fracturing organized cybercriminal cartels will likely become more geographically decentralized, in turn making their relationships more diffuse.
The resurgence of crowdsourced hacktivism, an international phenomenon previously limited to the late 2000s, will likely create a new generation of non-state threat actors who are both politically and financially motivated. These so-called hacktivist groups, while their impact has been limited, have become symbolic in the publics perception of the cyberwar raging parallel to the war in Ukraine.
The economic consequences of the war in Ukraine are likely creating conditions conducive to an increase in the value of payment card fraud on the dark web, despite an overall slump in carding volume in 2022. Regardless of frauds reputation as an unsophisticated form of cybercrime, it is likely becoming less a crime of opportunity than of survival. International arrests, seizures, and disruptive actions have destabilized the business model associated with commodified cybercrime, leading to wide-ranging and rippling effects on the malware- and ransomware-as-a-service (MaaS, RaaS) threat landscapes. These disruptions have also spread to the dark web shop and marketplace ecosystems, leading to price fluctuations and newfound competition among market administrators. Cybercrime, both based in the CIS and globally, is entering into a new era of volatility as a result of Russias war against Ukraine.
Key Takeaways
- We did not identify any direct links between credential leaks preceding Russias war against Ukraine; however, we believe that these credential leaks could have been leveraged by threat actors seeking to exploit geopolitical tensions prior to the war. We also note that some of the database breaches we identified have since been attributed to nation-state actors.
- The so-called brotherhood of Russian-speaking threat actors located in the CIS has been damaged by insider leaks and group splintering, due to declarations of nation-state allegiance both in support of and opposed to Russias war against Ukraine.
- Russia is experiencing a wave of IT brain drain that will likely decentralize the organized cybercriminal threat landscape. In addition to brain drain, waves of military mobilization of Russias citizens are resulting in decreased activity on Russian-language dark web and special-access forums.
- The resurgence of crowdsourced hacktivism will likely create a new generation of non-state threat actors. The impact of hacktivism has been limited, but its role in enabling information operations (IOs) remains vital. Hacktivism has become symbolic in the publics perception of the cyberwar raging parallel to Russias war against Ukraine.
- Russian law enforcements seizure and closure of several top-tier carding shops in January and February 2022 severely disrupted the payment card fraud ecosystem until April 2022. Since May 2022, the emergence of new carding shops has driven a partial rebound in the volume of compromised card-not-present (CNP) data posted for sale on the dark web.
- International arrests, seizures, and disruptive actions have destabilized the business model associated with commodified cybercrime.
- Russias war against Ukraine has disrupted the dark web shop and marketplace ecosystems. International supply-chain disruptions and border closures have made the shipping of physical contraband impractical for Russia-based threat actors.
Background
On February 24, 2022, Russia began a full-scale invasion of Ukraine that was supported by ground and aerial bombardment, surface-to-surface and surface-to-air missiles, cyberattacks, electronic warfare, information warfare, and more. Almost immediately, the Russian cybercriminal underground reacted with declarations of allegiance from forum administrators, threat actors, and threat actor organizations. Hacktivist campaigns, coordinated distributed denial-of-service (DDoS) attacks, doxxing activities, trolling, website defacement, ransomware infections, and more began within hours of the invasion.
While the vast majority of non-state cybercriminal and hacktivist activities in the early days of Russias war against Ukraine targeted Russian and Belarusian entities in retaliation for the invasion, opportunistic threat actors sought to exploit the tensions by leveraging vulnerabilities in the cyber infrastructure of Russian, Belarusian, and Ukrainian entities and selling leaked information or unauthorized access for financial gain and publicity. Declarations of allegiance also prompted internal unrest within certain threat actor organizations, leading to hostile activities and schisms between threat actors.
Since February 24, 2022, we have been actively monitoring the daily activities of cybercriminal and non-state hacktivist entities that have been involved directly or indirectly in the Russian war against Ukraine.
Source: RecordedFuture
Source Link: https://www.recordedfuture.com/russias-war-against-ukraine-disrupts-cybercriminal-ecosystem