Security experts trace many of the world's cybercrime attacks to Russia, as well as other former Soviet bloc countries. But they say the challenge with battling Russia-based criminals has long been two-fold: Russian hackers are allowed to operate with impunity, and Russia rarely - if ever - extradites any of its citizens (see How Do We Catch Cybercrime Kingpins?).
But while Russia might seem to offer an anything-goes environment for homegrown cybercriminals, the reality is a bit more nuanced. For years, I've been hearing from security experts that there are two unwritten cybercrime rules for Russians, plus another one I'll throw in for good measure:
Rules For Russian Cybercriminals
- Rule No. 1: Russians must not hack Russians, or anyone else in a nation that formerly was part of the Soviet Union.
- Rule No. 2: If a Russian intelligence service asks for your help, you provide it.
Rule no. 3: Watch where you vacation.
The third rule is a reference to the seeming blanket prohibition on Russian authorities ever extraditing Russians. As a result, when another country - say, the United States - wants to bust an alleged Russian hacker, it tends to wait until they pass through a friendly country. Witness the arrests of suspects in the Maldives, Frankfurt, Cyprus and Amsterdam.
As cybercrime continues to get worse - and more players enter the field - it's notable that at least one of the above rules is no longer unwritten, Max Goncharov, a threat researcher at the security firm Trend Micro, says in a recent update on the Russian cybercrime underground (see Why Russian Cybercrime Markets Are Thriving). "The underground market isn't very articulate about the ends toward which products sold should be used, but sometimes, users find a disclaimer stating that Russia shouldn't be a target of any malicious activity," he says.
Peril for Rule Breakers
Russian authorities do not tend to comment on the Russians who are allegedly responsible for so much of the world's cybercrime. But in the past couple of years, authorities do appear to have begun demonstrating the perils for anyone who violates the aforementioned first or second cybercrime rules.
In October 2013, for example, Russian police arrested "Paunch," who was named in some press reports as 27-year-old Dmitry E. Fedotov (see Banking Malware: New Challenger to Zeus?). Paunch allegedly created the automated Blackhole Exploit Kit - a now-defunct crimeware-as-a-service offering, available on a subscription-only basis for $500 per month - plus the Cool Exploit Kit, as well as the malware obfuscation service Crypt.am, according to Russian computer-forensics and investigation firm Group-IB, which says it assisted Russian police with their investigation.
At the time, the very fact of Paunch's arrest suggested that he - or his associates - may have hacked Russian targets. And sure enough, in December 2013, Russia's Ministry of Internal Affairs said that the Blackhole cybercrime gang had been tied to attacks against banks in Russia, causing 70 million Russian rubles - or more than $2.1 million, at 2013 exchange rates - in related fraud.
It's not clear exactly what Group-IB's relationship is with Russia's government, intelligence services or law enforcement agencies. But the fact that the group was allowed to publicize Paunch's arrest likely speaks to the government either wanting to appear tough on cybercrime, or else wanting to send a warning to cybercriminals who don't play by its rules.
More recently, Group-IB reported in April 2015 that a "cyberfascist" malware developer had been arrested in March by Russian authorities on charges that he and four others built "Svpeng" malware used to steal almost $1 million from victims in Russia, as well as Europe, the United Kingdom and the United States.
The malware was reportedly used to carry out a variety of attacks, ranging from locking the device and demanding victims pay a "fine" to unlock it, to placing a fake window over the Google Play interface, so that users would enter their payment credit card data into the attacker-controlled interface, thus allowing them to drain victims' accounts.
Accused Hackers Hide Behind Armored Door
In the annals of Russian cybercrime, however, my award for the most dramatic arrest goes to twin brothers, who were on probation, and who were charged and arrested by Russian police on suspicion of using malware to steal bank account credentials from Russians, and then phoning victims and pretending to be bank employees to trick them into sharing the SMS confirmation code, according to - yes, again - Group-IB, which released video from the men's May 20 arrest in St. Petersburg.
The brothers "were well prepared for the appearance of law enforcement: the apartment had an armored door, electromagnetic transducer to destroy computer equipment; the brothers also prepared special SMS alerts to secretly tell other members of the group to destroy evidence," Group-IB says. "In [a] panic, the twins tried to destroy all the evidence and flushed down the drain all their money, USB storage devices and mobile phones." But the cybersecurity firm says that a substantial amount of related evidence - not to mention two of the Guy Fawkes masks beloved by Anonymous members - was nevertheless collected by police, not all of whom are pictured in the video filming the forced entry on their smartphones.
Since the twins were arrested, perhaps it's no surprise that their alleged malware victims included customers of Sberbank Rossii, which is not only the largest bank in Russia and Eastern Europe, but which features the Russian government as its majority shareholder.
The case is a reminder that while cybercrime can pay - and by many reports, pay handsomely - even the notorious Russian cybercrime underground must apparently still play by some ground rules, or else. For criminals who do so, however, little else except their choice of vacation destination seems to stand in the way of their cybercrime spoils.