
Russia may be Pressing Arrested Cyber Criminals into Service

Since early 2022, events have been changing dramatically in cyberspace. We can divide these events into before and after February 24, the date Russia invaded Ukraine. Before the Russian invasion, there was improved cyber cooperation between Russia and the West which resulted in several key arrests of accused cyber criminals. After the attack, the situation changed significantly. Now, there is the possibility that the same arrested cyber criminals are being pressed into the service of the government of Russia, using their skills to conduct operations against Ukraine and other countries.

The Success of the Russian Security Service in January and February 2022

The beginning of 2022 started with the arrests of various hacker groups in Russia. On January 14, the Russian Federal Security Service (FSB) arrested 14 members of the REvil ransomware gang linked to the Colonial Pipeline attack in May 2021. That same month, the FSB arrested Andrey Sergeevich Novak, the leader of the “Infraud Organization,” a hacker gang that caused $560 million in losses over seven years. The “Infraud Organization” was involved in acquiring and trading stolen Credit Cards (CCs) and Personally Identifiable Information (PII). These arrests were possible due to the cooperation between FSB and U.S. Law Enforcement.

At the beginning of February, the Ministry of Internal Affairs (MVD) ordered the arrest of six hackers involved in selling stolen credit cards. Later in the month, employees of Department K, a division of the Russian MVD that focuses on computer crimes, and the Investigation Department of the MVD suppressed the activities of other hacking groups. The threat actors had created online platforms for purchasing and selling PII and CCs of citizens living abroad and for accessing servers via the Remote Desktop Protocol (RDP). From January to February 2022, Russian authorities also concentrated on major dark web fraud shops. Department K seized the domains of UniCC, LUXSOCKS, Trump’s Dumps, Ferum Shop, Sky-Fraud, and U-A-S. Afterward, Department K placed a banner on the homepages of these websites, which asked, “Which one of you is next?” According to Elliptic, a company specializing in blockchain analysis, the seized fraud shops listed above represented 50% of all stolen CC sales on the dark web.


These types of arrests were unusual for the Russian Federation. “It’s not in their business to be taking down Russian card shops… unless those shops were somehow selling data on Russian cardholders, which they weren’t,” stated Stas Alforov, a Director of Research and Development at Gemini Advisory. The arrests sparked fear among cybercriminals in Eastern Europe.

Fear Among Hackers

Panic and paranoia have spread on Russian criminal forums. Hackers have begun offering tips on how to avoid law enforcement by employing tools like Tor, deleting old messages, encrypting data, and not storing all stolen data on a single device. There were even concerns that one of the forum’s administrators was secretly collaborating with law enforcement. His account was eventually suspended.

With the fear of being arrested high, users began debating if Russia was still a haven for cybercriminals. One of the criminal forums’ administrators stated in his message that he had received multiple requests to erase previously published data: “Recently, situations have become more frequent when people send 100,500 reports, demanding to delete posted messages… objections that the “cops” are closely watching the account, and that’s why the messages must be deleted are not accepted.”

The Russian Invasion of Ukraine

Shortly after the war began, the panic faded as attention turned to the war in Ukraine. The Russian invasion of Ukraine started on February 24, and the battlefield rapidly expanded into cyberspace. According to the Ukraine Global Cyber Coordination Center (GC3), during the first three months of the war, Russian hackers launched 620 cyberattacks against Ukraine. Russian hackers have focused their activities not only on Ukraine but also on disrupting countries that provide support to Ukraine.

As a result of the war in Ukraine and continued Russian aggression, the United States suspended its cooperation with Russia on cybersecurity and closed the communication channel. According to Oleg Khramov, the Deputy Secretary of the Security Council of the Russian Federation (SCRF), a joint Kremlin-White House group had been previously created under the auspices of the SCRF and the US National Security Council (NSC) to develop measures to protect against hacker attacks on the critical infrastructure of both countries.

REvil’s Case Reached a “Dead End”

Meanwhile, REvil’s lawyers took advantage of the current global political climate and petitioned Oleg Khramov to assist in changing the preventive measure for Dmitry Korotaev (a member of the REvil gang) and stopping his criminal prosecution. The move comes after Oleg Khramov’s announcement about suspended communication between the U.S. and Russian governments on cybersecurity with a claim that the U.S. government had not shared information necessary to prosecute the defendants.

According to REvil’s lawyer, transferring a criminal case to court without victims and damage is futile. A proposal was offered to make an agreement with the Prosecutor General’s Office: to free the gang and donate REvil’s seized assets as “humanitarian aid” to people living in the Russian-occupied areas of eastern Ukraine (Note: FSB seized about $1 million in U.S. dollars, euros, bitcoin and rubles, as well as 20 luxury cars and different computer equipment).

“The unique experience of the former defendants would certainly be useful to the Russian special services in the fight against Ukrainian hackers that have become more active lately,” REvil’s lawyer said.

Hackers Asking for Freedom

At the beginning of June 2022, twenty-four hackers led by Alexei Stroganov (nicknamed Flint24) asked to be released from custody. The gang had been arrested for cybercrimes against the U.S. and the EU. They demanded that the punishment be changed to a non-custodial arrangement. Their lawyers planned to submit a petition to change the measure of restraint at the trial in mid-June. According to the lawyers, the hackers had in fact “helped” Russia because they obtained information from Western countries, which are now considered unfriendly.

Russia Searching Prisons for IT Professionals

On April 27, several Russian news outlets reported that the Russian Federal Penitentiary Service (FSIN) had announced a strategy to hire IT professionals from Russian prisons to work remotely for domestic businesses. Alexander Khabarov, the deputy head of FSIN, said that his office had received proposals from businesses around the country to have IT specialists serving sentences in correctional centers work remotely for commercial companies. The initiative is still under development.

Are the “Good Old Days” Back in Russia?

The situation in which Russian hackers find themselves is not clear. On the one hand, participants in hacking forums are talking about new opportunities for Russian hackers in the current political situation. On the other hand, the Russian authorities may arrest hackers and use them for their own purposes. The only real consensus within the hacker community is that the situation is ambiguous and may change dramatically.

Enterprise security teams should continue to prioritize early detection of cyber threats associated with Russian criminal hacking groups, and be aware that the same tools and techniques that have been part of cybercriminal tactics in the past could be re-purposed to support Russian government-sponsored hacking goals.

Analysts at Binary Defense will continue to monitor forums and other sources for new developments in the topic.