According to recent Interpol findings, cybercrime originating from Russia and Eastern Europe continues to increase, as attackers broaden their capabilities and gain technical sophistication. Recent headlines reveal the sophistication and stealth behind the global attacks to financial, government and critical infrastructure organizations.<
Cybercrime in these regions has grown tremendously, thanks to the limited support for law enforcement and prosecution efforts combined with the lucrative profits surpassing those of the drug trade.
One factor at play is the lack of legitimate jobs for some of the more capable IT professionals in the region. According to one Interpol official, six of the ten countries experiencing the most Internet fraud were located in Eastern Europe and regions formerly a part of the Soviet Union. Russia alone is estimated to have nearly 20,000 individuals involved in some facet of cybercrime. They are so committed to the success of their operations that they are known to hire English speakers to improve social engineering efforts.
The growth of the criminal underground marketplace is further testament to this burgeoning industry. Cost for various goods and services are competitive. For example, Trojans that can infiltrate networks have decreased in cost from $250 several years ago to $50. And the professionalization of the criminal underground reflects how it is mirroring practices that exist in the legitimate business world.
Recent reports from the RAND Corporation reveal how cyber crime is becoming more organized, and as a result, engaging in more prolific and profitable operations. What’s more, the actors behind some of the goods and services offered in these dark markets are engaging in this practice, guaranteeing services and customer satisfaction in order to build and protect their “brand.” The result has created a resilience in the marketplace where quality trumps quantity.
Those of us watching closely also worry about the potential for increased cooperation between criminal groups. Recent observations have revealed a crowd-based system of skills-sharing that could lead to more dangerous activity – where, for example, individuals involved in conducting network breaches assume responsibility for a different part of the operation, complicating defender efforts to identify and mitigate the attack.
According to some Google researchers, the ability to purchase or sell infected systems, remote access tools, and user records is transforming crime into a collaborative operation. Some groups are broken down into specific areas of expertise, such as malware creation, network infiltration, and money laundering.
While much of the more prolific cybercrime emanates from this region, there is a generally accepted belief that even Russian threat actors have to operate by a loose set of rules such as, “Don’t steal from Russian businesses” and “Always comply with Russian government requests.” The 2013 arrest of the Russian cyber criminal “Paunch” was believed to be in retaliation for Paunch hacking Russian targets. In early October 2015, five Russian banks were targeted by a distributed denial-of-service attack in an extortion-style attack. Although it is unclear who initiated the attack, odds are that, if identified as Russian, they can expect the same fate as Paunch.
It’s worth noting one possible deviation from traditional criminal activities. Security professionals as well as government officials express consternation about the possibilities of terrorists leveraging cyber attacks against critical infrastructures, or conducting other forms of sabotage. In 2015, Director of National Intelligence James Clapper revealed that Russian hackers penetrated U.S. industrial control networks that run critical infrastructures like the electrical grid.
In 2014, cyber “attacks” against global industrial control systems more than doubled from the previous year, according to one study. While the report did not mention what percentage of the reported activity was believed to be terrorist-related, increased attention on critical infrastructures by hostile actors – whether state or non-state affiliated – has garnered attention at the highest levels.
Despite some notable law enforcement successes such as the “take down” of underground markets, these repositories continue to prosper, applying lessons learned to their subsequent iterations such as more robust vetting of potential new customers and allowing membership-only access.
What has resulted is a more resilient eco-system able to withstand momentary shakeups. In July, the Federal Bureau of Investigation led international law enforcement efforts in taking down members of the Darkode market, but approximately two weeks later, the site was up and running and more secure than ever. This may be indicative of an industry that is not only not going away, but will also continue to thrive as long as the cyberspace environment is one in which the defenders must reactively adjust their security postures in the face of an innovative adversary.