Russian-speaking cybercrime evolution: what has changed in recent years?
October 2021 by Kaspersky
For almost ten years, the Kaspersky Computer Incident Investigation Department has researched cybersecurity incidents, most of which are related to the activity of Russian-speaking cybercriminals. In recent years, Kaspersky security experts have observed several important changes in how these cybergangs operate and whom they usually target.
Understanding how cybercriminals operate and how their tactics, techniques and procedures evolve is important for the cybersecurity community and helps corporate defenders prepare for possible incidents. With that in mind, Kaspersky’s Computer Incident Investigation Department experts prepared an overview of the major changes over the last six years; it turned out that a lot has changed.
For example, so-called client-side attacks, in which victims were infected en masse with money-stealing malware through security holes in popular browsers, are no longer typical. Several years ago this infection vector was often used by Russian-speaking cybercrime gangs to infect relevant targets in commercial and financial organisations (usually accounting employees). Since then, however, developers of browsers and other previously vulnerable web technologies have made a noticeable effort to improve the security of their products and to implement automatic updates. As a result, it is now hard for criminals to set up an efficient browser-exploitation campaign. Instead, they rely on spear-phishing emails that lure targets into opening malicious attachments; the attachment exploits a vulnerability in popular software which, as the criminals hope, has not been patched on the targeted computer in a timely manner.

The other important change is that, unlike several years ago, cybercriminals no longer tend to develop their own malware. Instead they use publicly available penetration-testing and remote-access software. Organisations use these tools for legitimate purposes, which is why security software does not automatically detect them as malicious, and that is exactly what criminals count on. Using pentesting tools also saves them a lot of development resources.
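Because the tooling itself is legitimate, a signature on the binary is not enough; the practical check is on context: which process launched it, and whether this host and user are expected to run it. The script below is an added illustration of that idea and is not Kaspersky code. The JSON log format, the tool and attachment-handler lists, the approved-operator baseline and the sample log lines are all assumptions constructed for this example.

```python
"""
Context-based detection for the two shifts described above: a malicious
attachment that makes its viewer spawn a child process, and a dual-use
remote-access / pentest tool run outside its approved baseline.

Added illustration, not Kaspersky code. The log format, tool names,
baseline and sample events below are assumptions made for this example.
"""
import json
from dataclasses import dataclass

# Processes that render attachments. A child spawned by one of these is a
# strong signal that a document did more than display (assumed list).
ATTACHMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe",
                       "outlook.exe", "acrord32.exe"}

# Legitimate admin / remote-access / pentest binaries that AV will not flag on
# sight, so the rule keys on who runs them and where (assumed list).
DUAL_USE_TOOLS = {"psexec.exe", "anydesk.exe", "teamviewer.exe",
                  "ngrok.exe", "plink.exe", "procdump.exe"}

# (host, user) pairs that are allowed to run dual-use tools (assumed baseline).
APPROVED_OPERATORS = {("ADMIN-JUMP-01", "svc.helpdesk")}


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str         # lowercase basename, e.g. "cmd.exe"
    parent_image: str  # lowercase basename of the parent
    cmdline: str


def basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lowercase file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one JSON process-creation record (assumed format)."""
    d = json.loads(line)
    return ProcEvent(d["host"], d["user"], basename(d["image"]),
                     basename(d["parent_image"]), d.get("cmdline", ""))


def evaluate(events, approved_operators):
    """Return (rule, host, image) alerts for the events that match a rule."""
    alerts = []
    for ev in events:
        # Rule 1: an attachment handler spawned something that is not itself a
        # handler (Outlook opening Word is normal; Word starting cmd is not).
        if (ev.parent_image in ATTACHMENT_HANDLERS
                and ev.image not in ATTACHMENT_HANDLERS):
            alerts.append(("attachment_spawned_process", ev.host, ev.image))
        # Rule 2: a dual-use tool ran on a host/user pair outside the baseline.
        if (ev.image in DUAL_USE_TOOLS
                and (ev.host, ev.user) not in approved_operators):
            alerts.append(("dual_use_tool_outside_baseline", ev.host, ev.image))
    return alerts


# Constructed sample log lines; hosts, users and paths are invented.
SAMPLE_LOG = [
    r'{"host": "WS-ACC-07", "user": "j.petrov", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "parent_image": "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE", "cmdline": "WINWORD.EXE /n invoice.docx"}',
    r'{"host": "WS-ACC-07", "user": "j.petrov", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "cmdline": "cmd.exe /c start %TEMP%\\AnyDesk.exe"}',
    r'{"host": "WS-ACC-07", "user": "j.petrov", "image": "C:\\Users\\j.petrov\\AppData\\Local\\Temp\\AnyDesk.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "AnyDesk.exe --silent"}',
    r'{"host": "ADMIN-JUMP-01", "user": "svc.helpdesk", "image": "C:\\Tools\\PsExec.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "PsExec.exe \\\\WS-ACC-07 -s cmd"}',
]


def run_demo():
    """Parse the constructed sample and return the alerts it produces."""
    return evaluate([parse_event(l) for l in SAMPLE_LOG], APPROVED_OPERATORS)


if __name__ == "__main__":
    for rule, host, image in run_demo():
        print(f"{rule}: {image} on {host}")
```

Only the two events on the accounting workstation fire: Outlook handing the document to Word is allowed, and the same PsExec that would be suspicious on a workstation is silent on the approved jump host. In practice the handler and tool lists need tuning (Office legitimately spawns helpers such as print spooler components), and the baseline should be derived from observed usage rather than typed by hand.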
The list of important changes includes criminals:
• Actively using public cloud infrastructure instead of building and supporting their own.
• No longer needing to build large networks of partners in crime. Not having to develop their own malicious tools, combined with active use of cloud infrastructure, allows them to operate in much smaller groups than was previously possible.
• Dramatically changing their targeting, from financial attacks against organisations and financial institutions to ransomware and data-stealing attacks. In addition, a considerable number of cybercriminals no longer operate in Russia and CIS territories but attack overseas targets.
“Back in 2016, our primary focus was on big cybergangs that targeted financial institutions, especially banks. Big names such as Lurk, Buhtrap, Metel, RTM, Fibbit, and Carbanak boldly terrorised banks nation-wide, and in some cases internationally. Yet, they have eventually fallen apart or ended up behind bars – with our help. Other cybercriminal conjunctions such as Cerberus left the ‘game’ and shared their source code with the world. These days, the industries attacked are not limited to financial institutions, and major attacks such as the ones we investigated in the past are thankfully no longer possible. Yet we can hardly say there is less cybercrime out there. Last year the total number of incidents we investigated was around 200. This year hasn’t concluded yet, but the count is already around 300 and keeps going. In this situation, we think it is extremely important to share relevant information on cybercrime activity with the cybersecurity community, which we do with help from our report,” said Ruslan Sabitov, security expert at Kaspersky.