Series of strikes against cybercriminals as a result of the Ukraine war
The concerted action of the US services together with internet companies and cyber security companies in Ukraine against the Russian cyber troops is showing increasing effectiveness against ransomware extortionists. Since January there has been a wave of manhunts and arrests in Europe and the USA against notorious gangs such as Hive, Conti, Trickbot and DoppelPaymer, who are responsible for the attack on the Düsseldorf university hospital.
Virtually all recent reports from security firms and government agencies highlight these criminals’ ties to the Russian military. Numerous attacks, such as the one on the Colonial Pipeline in the USA, which resulted in acute fuel shortages on the East Coast for weeks, looked far more like targeted military actions against the critical infrastructure.
This also applies to the burglary in the IT of a partner company of SpaceX, which only became known on Tuesday, from which alleged thousands of construction plans were stolen. The blackmailer gang Lockbit is now threatening to publish. Elon Musk’s broadband company Starlink plays a critical role in Ukraine’s defense. On Wednesday, the FBI and BKA announced the closure of the Chipmixer money laundering service. Russian secret services are also said to have laundered illegal funds there.
This passage comes from the report Russia’s Cyber Tactics – Lessons Learned 2022 of the “State Service for Special Communications and Information Protection” of Ukraine.
(Image: “State Service for Special Communications and Information Protection” of Ukraine)
Majority of attacks without malware
The respective attack targets and priorities at all levels are determined directly in Putin’s presidential office, and they are then implemented by “curators” of the domestic secret service FSB. These curators are also responsible for protecting cybercriminals from prosecution, the Ukrainian authority’s report said. They would then issue the targets and general guidelines for the current attack wave to the criminals as well. Deploying malware is likely to be less of a problem for the Ukrainian defenders.
The enormous number of attacks on Ukrainian authorities, military facilities and important companies, namely more than 2,000 in the second quarter of 2022 alone, are primarily due to “spear phishing” and other methods to steal login data. This means that the attackers usually penetrate the networks with real log-in data, then try to gain administrator rights and only then is malicious software such as destructive “wipers” used. This is not only claimed by the Ukrainian authorities, pretty much all reports by cyber security companies working in Ukraine come to very similar conclusions.
In view of the sheer number of such attacks on the Ukrainian networks, the question naturally arises as to how the Russian secret services keep getting hold of so much valid log-in data. A very plausible answer can be found in the currently prevailing business model of criminals. Based on the definitions of legal cloud services, it is often called “ransomware as a service” (RaaS).
Note the figure on the top left, she has a key role that not only criminals depend on.
Stolen login credentials for the cyber troops
In the criminal field, a kind of extreme form of modern capitalism has prevailed. The criminals work on a division of labor basis and are therefore very flexible when they have to regroup, as is often necessary. The log-in data dealer (top left) plays a key role here. One such criminal has been on trial in the United States since the end of February after being extradited from Georgia. The US authorities have accused the Russian citizen of using self-developed malware to hoard 350,000 valid login data and sell them to other criminals on the so-called dark web.
Here you can already guess from which pools the Russian military intelligence service GRU and its civilian counterpart, the FSB, draw. In addition, these key players have only very rarely been caught to date. You are right at the beginning of the criminal chain and have nothing to do with the subsequent crime. Since the connections between the actors are very often only temporary and nothing more is actually exchanged than information and hashes, namely so-called “cryptocurrencies”, they are difficult to grasp.
And in these circles, which gamble quite legally with digital assets, people are obviously worried about the rampant crime – namely primarily about their own business. The problem for these speculators are the so-called cryptomixers and the “high-risk exchanges”, with most of the leads in turn leading to Russia.
The image comes from the consulting firm TRM, which specializes in risk analysis and “business intelligence” for investors in the crypto market. TRM has written a kind of market study on the impact of the war in Ukraine on the “illegal blockchain ecosystem”. Not really surprising, the hubs of criminals in Russia.
All tracks lead to Russia
As the Russian invasion became clearer from December 2021, direct transactions from actors who make money from child abuse to Russian “high-risk” crypto exchanges could be observed for the first time, according to the market study (see chart above). The comparatively low observed volumes bear no relation to the actual amounts being moved to Russia, as such transactions are usually only processed through cryptomixers. The operators of this dirtiest of all imaginable illegal businesses obviously wanted to get their profits to safety quickly in view of the threat of sanctions.
The bulk of these dirty funds ended up on the crypto exchange nexchange.ru, which is classified as a “high-risk exchange” along with 95 percent of all exchanges in Russia. “High risk” simply means “hands off” for anyone who invests in such virtual assets, because these exchanges openly do business with all forms of organized crime on the Internet.
After one of the first big strikes by the FBI and BKA against cybercriminals during the Ukraine war against the then largest Darknet trading exchange Hydra, Russian trading centers also took over this business. Together they are bigger than Hydra ever was. In December alone, 130 million dollars were turned over by Russian Darknet markets. According to TRM, the trading volume on the Russian high-risk exchange Garantex from February 2022 to more than $18 billion.
Striking contrasts to politics
All of these events stand in stark contrast to the relevant statements and plans on the political stage. In order to get a grip on the trade in depictions of child abuse online, the responsible EU Commissioner Ylva Johansson (Social Democrats) and a chorus of conservative politicians are not demanding that these illegal trading places be switched off. Rather, Johansson conducts preliminary searches of all private chats of all users on completely different platforms without cause.
And while Russia’s head of state, Vladimir Putin, takes every opportunity to address the alleged moral depravity of the West, his domestic secret service, the FSB, has put up a protective shield over a criminal scene in which pictures and videos of children being raped are just normal commodities.
Meta-criticisms and useful information sent directly to the author can be securely encrypted using this form.
To home page
Leave a Reply