From carders to ransomware operators: how the media image of "Russian hackers" has changed

Father

The media image of the "evil Russians" in the West was formed in the 20th century, during the Cold War, and was used not only in movies (the familiar "cranberry" clichés) but also in public policy. The image itself has been transformed more than once while preserving its semantic core. Before the collapse of the USSR it had a pronounced military connotation; in the 90s it was replaced by the "Russian mafia", a label that covered the whole diversity of immigrants from the post-Soviet space.

Instead of the inhabitants of "Russian Brighton", new "evil Russians" appeared: hackers. Over the past twenty years they have been accused, truthfully or falsely, of multi-million dollar thefts, of influencing US elections, and even of blackmailing top state officials.

This article analyzes the main changes that have happened to "Russian hackers", both in terms of their media image and in terms of objective factors.

National question

All cybersecurity experts, without exception, stress that it is wrong to say "Russian", since cybercrime is essentially transnational, and that the correct term is "Russian-speaking".

Indeed, the composition of Russian-speaking hacker groups varies widely, and representatives of the entire post-Soviet space can be found in them. Since a hacker's language identifies their country about as reliably as a baseball bat in a car identifies a baseball player, modern researchers and digital forensics specialists rely on a set of metrics and attributes instead.

Alexey Drozd
Head of the Information Security Department at SearchInform

Recently, it has become customary to draw conclusions about the identity of hackers based on a set of features (tools used, IP addresses, language of communication, comments in the code, public statements, etc.). But all of these features can be forged or mimicked. In general, you need to understand that the public has a misconception about Russian hackers. If the hacking came from a Russian IP address, it does not mean that Russian hackers attacked. And, for example, if chats with correspondence in Russian have been leaked, this does not mean that Russian hackers are the ones corresponding there.

Now, in my opinion, the main exported media image of cybercriminals is the government hacker. Earlier, hackers were "on their own" and the state was on its own, but the rapid growth of digitalization has changed that. With the help of "hacking", it became possible to influence entire states (for example, by attacking critical information infrastructure (CII) facilities). As a result, government hacking groups began to form.

Modern forensic analysis is at such a level that experts can not only attribute attacks to the activity of a particular group, but also record the movement of groups or individual attackers from one group to another.

But none of this matters in the media environment, since the definition of "Russians" in Western society was fixed back in the days when all Russians were Soviet. It has become a media image used to draw the audience to the material and to promote certain ideas.

Therefore, despite the best efforts of cybersecurity specialists, Russian-speaking hackers will remain "Russian", since the major media will keep using this stable narrative as long as it is clear to their target groups.

How hackers themselves and their principles have changed

The frontmen of "Russian hackers" in the 2000s were the so-called "Russian carders", whose activities formed the basis of a number of books and documentaries. At the same time, two stereotypes took hold in the mass consciousness:
  • they "robbed the rich";
  • they didn't attack their own people.

These stereotypes serve as the foundation that allows the activities of criminals to be interpreted as a coincidence of circumstances, and in some cases as a form of struggle: class, national, social or any other.

In practice, it turns out that everything is simpler. For example, you can compare any carder with the notorious John Dillinger. It is hard to imagine Dillinger walking past a bank to rob, say, a laundry worker. But had he been a small-time crook instead of Dillinger, he might well have robbed her too, simply because the bank was too big for him. The same is true of the hacker: he always wants to hit the biggest "jackpot" he can.

Along with the profitability of an attack, its level of danger also matters. Dillinger often moved from state to state, which at that time meant a change in the jurisdiction of the law enforcement agencies dealing with him. His capture therefore became possible only after the formation of a special unit whose powers extended to the entire territory of the United States.

With hackers the story is the same: targets located in the jurisdiction or country of their residence are riskier. Both then and now, a complaint from a resident of St. Petersburg will be investigated faster and more reliably than a complaint from a resident of a hypothetical Buenos Aires, provided that the attacker is located in Russia.

In terms of principles, modern hackers differ little from their predecessors, but the external environment has changed significantly. First, the segmentation of the CIS countries and the post-Soviet space as a whole has increased markedly. Second, there are more advanced mechanisms of international cooperation in information security, which, as the case of catching REvil shows, can be very effective when a group crosses some invisible line. However, under the current geopolitical crisis, this cooperation practically does not work.

Valery Baulin
CEO of Group-IB in Russia and the CIS

In order to draw a certain "export image" of Russian-speaking cybercrime, it is necessary to start from current cyber threats. According to our Group-IB analytical report "The Evolution of Cybercrime. Analysis, trends and forecasts 2022/2023", the No. 1 cyber threat is ransomware. In 2022, the most active groups were Lockbit, Conti, and Hive, with most ransomware attacks falling on US companies. The structure of criminal groups continues to become more complex and increasingly resembles the structure of legal IT startups, with their hierarchy, recruitment, training, motivation and vacations.

The most serious reasons for the success of ransomware operators worldwide are their use of Dedicated Leak Sites (DLS), where attackers publish stolen company data to pressure victims more effectively, and their work with affiliates under the Ransomware-as-a-Service (RaaS) scheme. Developers sell or rent their malware to affiliates, who then break into the network and deploy the ransomware. During the analyzed period (H2 2021 to H1 2022), Group-IB discovered 20 new public affiliate programs.

Stealers became the second most important cyber threat of 2022 after ransomware. In 2022, data stolen with the help of stealers entered the top 3 best-selling "goods" on the darknet, along with the sale of accesses and the text data of bank cards (owner's name, card number, expiration date, CVV). Also, Russian-speaking scammers who in 2019-2021 worked under the "Mammoth" scheme with courier delivery, rentals and fake dates switched in 2022 to attacks using stealers to steal data for subsequent monetization.

We note that the growing market demand for access to compromised company networks is fueling the ransomware industry with renewed vigor. During the period analyzed in the report, the market of access sellers on the darknet more than doubled, while the average price of access fell by half compared to the same period earlier. Most often, attackers sell their "product" in the form of VPN and RDP (Remote Desktop Protocol) access. In total, Group-IB found 380 brokers selling access to the compromised infrastructure of companies, who published more than 2,300 offers on darknet forums. The most active were Novelli, orangecake, Pirat-Networks, SubComandanteVPN, and zirochka; their offers accounted for 25% of the total access sales market.

Cyberspace has changed significantly in 20 years, first of all in its size and saturation. The same is true of hacking methods: they have become more diverse and "deeper", and are constantly updated. Accordingly, where the "face of Russian hacking" was once the carders, it is now pro-state APT groups, ransomware operators and hacktivist communities, whose names appear in the headlines of world publications.

At the same time, it is important to understand that a stable media image has a flip side, since both political actors and the media can use it for a variety of purposes: for example, to cover up their own failures, to cast doubt on the security of a particular process, or to compromise an opponent.

So what changed in the end?

It is important to understand that each region has its own "evil hackers", usually with their own territorial affiliation. However, those who attack the so-called developed countries have gained the greatest fame, owing to those countries' economic weight and large media resources.

Mikhail Prokhorenko
Head of the Department for Combating Cyber Threats, BI.ZONE

Now the most terrible media cyber threat is ransomware attacks, that is, attacks with ransomware programs that encrypt data. They are used to obtain a ransom for unlocking devices or systems. Without encryption technologies, privacy and anonymity are impossible, even though they are also used by criminal groups around the world.

The media image of the Russian-speaking hacker has also changed. Today, compared to the 2000s, hackers have become more organized, professional and calculating. These are no longer hooligans who hack out of curiosity, but criminals with proven theft schemes. Anonymity on the Internet gives them a free hand, and strained relations between countries complicate international investigations, which leaves attackers beyond control.

It so happens that the term "hacker" is associated with illegal activities, extortion of money, etc., and cybersecurity specialists with those who guard order. The world romanticizes the image of hackers a little, as it once romanticized pirates. In my opinion, the word "hacker" will never be associated with "white" offensive security specialists. Rather, the "white hats" will stop calling themselves white hackers. They will simply be security specialists, researchers, or bug hunters. And the word "hacker" will remain for the "black hats".

"Russian hackers" remains a media brand with a strong historical and factual foundation, as Russian "black hats" remain a significant threat to foreign companies. However, they are actively being squeezed out by their Asian "colleagues", primarily from China.

From the point of view of the world community and the "broad masses", the attitude towards hackers remains ambiguous. Many continue to see them as "Robin Hoods", fighters for social justice or for the interests of the state.

And only the professional community remains a bulwark of common sense, realizing that anyone who puts on a "black hat" is a criminal, and that their activities should be judged strictly from the point of view of the law, not from the point of view of nationality, principles or territorial affiliation.