Untold history of today's Russian-speaking hackers: essay by The Financial Times
The Financial Times newspaper has published an essay arguing that Russian hackers hold global businesses to ransom and seem to act with impunity, but that behind them lies a tangled geopolitical web. Caliber.Az reprints the article.
Clop, a Russian-speaking hacking group specialising in ransomware, has its own website. Yes, this is a thing — criminals openly encouraging their victims to negotiate a ransom for the return of their data as though it were a legitimate commercial deal.
Using language that is both business-like and chilling, it urges victims to open a dialogue, stating that they have a three-day window to discuss price. It promises that the Clop team will provide some specimen files they have taken "as proof we are not lying". Failure to comply means all the stolen data will be published.
As with other ransomware groups, Clop’s webpage is only accessible on the dark web via Tor (“The Onion Router”). If that sounds challenging, these days a seven-year-old would be able to access it for you in a couple of minutes. The homepage includes an indignant rant at the BBC for allegedly misreporting Clop’s activities. It finishes with an exhortation to the mainstream media: “Stop creating propaganda by crafting interesting stories. Only story is we want money for our work. If we have your business files you have to pay. Speak and be reasonable and we shake on agreement.”
According to Mikko Hypponen, chief research officer at WithSecure in Helsinki and one of the most celebrated hunters of Russian cyber gangs, Clop “is a Russian-speaking crime group operating out of Russia and Ukraine”. Hypponen notes that since Russia’s invasion of Ukraine, the number of ransomware attacks against companies and institutions in Europe and the US that emanate from Ukraine has dropped, while those launched from inside Russia have increased.
It's been a busy few months for Clop. In June, the group announced that it had been exploiting a previously unknown SQL-injection vulnerability (CVE-2023-34362) in MOVEit Transfer, a managed file-transfer product sold by Progress Software. Because the flaw allowed an unauthenticated attacker to pull files straight out of an exposed MOVEit server, Clop was able to harvest data from the many organisations that used the product, among them the digital payroll provider Zellis.
Although Boots, British Airways and the BBC were reported by the BBC itself to be among the hundreds of companies that fell victim to the mass data-theft campaign that month, Clop denied harvesting data from them, hence the acrimonious exchanges with the broadcaster. Zellis issued a press release admitting that "a small number of our customers have been impacted by this global issue", but would not be drawn on their identities. Meanwhile, Clop has started receiving payment from, or publishing material stolen from, other victims of the MOVEit hack.
Unlike a classic ransomware attack, the MOVEit campaign did not encrypt anything: the leverage was purely the threat of publication. Many victims therefore turned to Clop's website to follow the helpful instructions on how to pay in bitcoin. The threat was clear: failure to comply by a specific date meant confidential data, including names and details of clients and personnel, would be released.
The material and reputational damage in such cases can be huge and some companies pay up, despite governments often advising them against it.
One reason for the increase in the activity levels of Clop and other ransomware groups is the war in Ukraine. The link is obscure. But you can’t understand Russian cyber crime without appreciating its relationship to Russian national security interests.
There is a clue in an intriguing short note halfway down the Clop homepage: “PS. If you are a government, city or police service, do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”
One might hope that there is some honour among cyber thieves, and that Clop does not expose governments or cops because of a belief in public service. I’m confident Clop would spin it that way, but the real reason is more complicated. The roots of the story go back to 2002, the Ukrainian port of Odesa and one of the most extraordinary public conferences ever held.
In normal times, the Hotel Odesa is the best place from which to view the city. The joke goes that it’s not because it looks out on to the steps where Sergei Eisenstein filmed his most famous scene in his early masterpiece, Battleship Potemkin. Rather, it’s the only spot from where you can’t see the brutalist Hotel Odesa, incongruously situated on one of the port’s working quays. For reasons of Ukrainian national security, neither the hotel nor the Potemkin Steps are currently accessible to the public.
But in late May 2002, the 400 guests who gathered there were interested neither in the hotel nor the steps. Drawn from across the world, they had come for one of the most remarkable if little-known events in post-cold war history: the first and, to my knowledge, the last publicly organised conference of avowed criminals.
From New Zealand, from Canada and from Brazil they came, to exchange ideas and information about the latest developments in the world of cyber crime. Plenary sessions were held at the hotel, while breakout groups dispersed across the city to various bars for panels on topics such as, “Why focus on Mastercard and Visa? Developing the niche markets of Diners, American Express.”
The First Worldwide Carders Conference was the brainchild of the administrators of a landmark website, carderplanet.com. Known as “the family”, this was a mixed group of young men, both Ukrainians and Russians, who had spent the previous 10 years growing up in a lively atmosphere of gangster capitalism.
During the 1990s, conventional law and order in the former Soviet Union had broken down. The collapse of the communist system had left a vacuum in which new forms of economic activity were emerging.
The young criminals who signed up for the Odesa conference were no gun wielders. They boasted a different talent: advanced computing ability. They were honing their skills just as Western businesses were beginning to experiment with buying and selling goods over the internet. In this brave new world of internet commerce, security was an afterthought.
Founded a year before the conference, CarderPlanet revolutionised web-based criminal activity, especially the lucrative trade in stolen or cloned credit card data, by solving the conundrum that until then had faced every bad guy on the web: how can I do business with someone I know to be a criminal, and therefore untrustworthy by definition?
To solve the problem, the CarderPlanet administrators created an escrow system for criminals. They would act as guarantor of any criminal sale of credit and debit card data, a disinterested party mediating between the vendor and the purchaser. This mirrored the emergence of the Sicilian mafia in the early 1860s after the Italian War of Independence. The mafia did not start as criminals, but as the independent mediators of unregulated cattle and fruit markets.
The 21st-century version involved the vendor of, say, 5,000 stolen credit card details sending these digitally to the escrow officer in Odesa. Meanwhile, the purchaser sent a stack of e-gold, a digital currency that was a forerunner of bitcoin. The escrow officer would test a few of the cards randomly in ATMs around the world using “carder” friends. If the credit cards worked, CarderPlanet would keep the money from the ATMs as its escrow fee, before releasing the digital cash to the vendor and the card details to the purchaser.
The escrow system led to an explosion of credit card crime around the world in which many criminal fortunes were made.
I interviewed one carder in New York in 2010 who was renting an apartment on the Upper East Side that he stuffed full of cash extracted from ATMs with cloned credit cards. "I literally had piles of $100 and $50 bills stacked in every room of the apartment," he said. The US was and remains the favourite target of carders because American banks and card issuers were so slow to adopt chip-and-PIN (EMV) technology, which European banks introduced early on as a very effective tool against fraud: the US liability shift to chip cards came only in 2015, and most American cards still verify the holder with a signature rather than a PIN, so cloned magnetic stripes and stolen card numbers stayed useful there for far longer.
Trawling the deepest recesses of the web while researching my book Dark Market: How Hackers Became the New Mafia, I was thrilled to find the press release issued by the FWCC. But one thing struck me as odd about the first paragraph: “Conference considered the critical issue of the inadmissibility of any action against the billing system, banks or any other financial institution in Russia, Ukraine and Belarus. Furthermore, the family will deal ruthlessly with any carder found engaging in such activity.”
I was surprised that CarderPlanet had gone to all the trouble of organising the unique event of a criminal conference in public, only to warn the attendees in the first paragraph against committing crimes. What was the point?
When the First Worldwide Carders Conference took place in 2002, relations between Russia and Ukraine were much closer. Borders between the two countries were not just porous, they barely existed. And both countries belonged with several other former Soviet republics to a confederation called the Commonwealth of Independent States. Roman Stepanenko Vega, a Russian-speaking Ukrainian national who was one of the founders and administrators of CarderPlanet, explained to me how “two days before the FWCC’s opening, we received a visit from an FSB [Federal Security Service] officer in Moscow. He explained that Moscow had no objections to us cloning credit cards or defrauding banks in Europe and the United States but anywhere within the CIS was off limits.”
In addition, the FSB officer let CarderPlanet know that if the Russian state ever required assistance from criminal gangs, it would be expected to co-operate. Five years later, a massive cyber attack on one of the Baltic states revealed the nature of that collaboration between Russian national security interests and criminal hackers.
The former Soviet republic of Estonia had infuriated the Kremlin by moving a memorial to the Red Army from the centre of the capital, Tallinn, to a cemetery 3km away (where, incidentally, it looks rather dignified). In 2007, Estonia, the most digitally sophisticated country in Europe, suffered what its government believes was a massive Russian state-sponsored distributed denial of service attack against the government, media and banking system. A DDoS attack is an automated flood in which tens or hundreds of thousands of compromised computers (a botnet) bombard a website or network with requests at the same time, so that the target's servers and connections are saturated and legitimate users cannot get through. In this case, the co-ordinated assault overwhelmed Estonia's systems and the country felt compelled to largely cut itself off from the internet beyond its own borders for four days.
American, Israeli and Estonian cyber-security experts traced the attack back to servers in Russia. According to McAfee’s François Paget, part of the attack likely came from the Russian Business Network, now defunct but at the time the largest cyber criminal group in Russia, based in St Petersburg.
Members of criminal gangs were later recruited into notorious state-backed hacking teams such as Advanced Persistent Threat 28. Spawned by the GRU, Russian military intelligence, APT28 was given the nickname Fancy Bear by Western cyber-security firms. Another group, APT29, known as Cozy Bear, has been formally attributed by the US and British governments to the SVR, the Russian equivalent of MI6.
The GRU also runs a separate unit, Sandworm, whose campaigns are brilliantly described in the book of the same name by journalist Andy Greenberg. In December 2015, a year after Russia's first invasion of Ukraine, Sandworm cut power to part of western Ukraine, including the Ivano-Frankivsk region: the attackers used BlackEnergy malware to get into the networks of regional electricity distributors, then opened the substation breakers through the utilities' own control software while wiping the operators' machines behind them. This attack on Ukraine's critical national infrastructure represented an escalation from cyber espionage to outright sabotage.
It was the Americans and the Israelis who fired the starting gun for cyber attacks on critical national infrastructure. Sometime before 2010, when it was discovered, they infiltrated Stuxnet, the most sophisticated piece of malware seen up to that point, into the network at the Iranian nuclear enrichment facility in Natanz, where it sabotaged the centrifuges. But the disabling of the Ukrainian electric grid was the first time a cyber attack had a direct impact on civilians, with roughly 225,000 customers deprived of power.
Ever since Russia's invasion of the Donbas and Crimea in 2014, Ukraine has been the object of persistent and widespread Russian cyber attacks. Apart from the impact of NotPetya, a destructive wiper disguised as ransomware that spread in 2017 through a poisoned update to the Ukrainian accounting package M.E.Doc, Ukrainians, whose advanced computing skills emerged from the same Soviet education system as those of Russians, have proved very effective at protecting their networks.
Around 2016, ransomware began to dominate the activities of cyber criminal groups. Ransomware is malicious software that encrypts the data on an infected system so that its owner can no longer read it. In the first years of this wave, the criminal gangs would simply extort payment from the owner of the data. Once the ransom was received (usually in bitcoin), the gang would hand over a decryption key so the owner could access the data once more.
Since late 2019, however, the gangs have added a second lever, known as double extortion. Before encrypting anything they copy the data out of the network, and if the victim refuses to pay they publish it on the internet for anybody to access, which can result in huge material and reputational damage even for victims who have good backups.
It’s not just Russians who engage in ransomware attacks. In 2022, Canada extradited one of its nationals to the US, where he was sentenced to 20 years and forfeited $21.5mn. But since around 2010, Russian gangs have been able to act with impunity — the earlier co-operation between the MVD, Russia’s interior ministry, and European and US law enforcement agencies dried up as relations between Russia and the west deteriorated.
The pandemic accelerated the move among companies that could afford it to outsource networks and data to the cloud. Instead of having to manage complex but cumbersome systems, companies contracted out all the heavy lifting to specialist businesses to manage this remotely. On the whole this arrangement can improve security, because fewer people have to patch and operate the underlying systems and the provider does it at scale, though it does not remove the greatest vulnerability of computers, their human operators: a misconfigured cloud account is exposed to the whole internet just as a mismanaged server is.
But in the context of lockdown, when many people were forced to work from home, it was much more difficult to maintain the requisite standards of digital hygiene. In cyber jargon, WFH “broadened the attack surface”. As such, the pandemic was a bonanza for cyber criminals. Ransomware attacks went into overdrive. In December 2020, news filtered out of a successful hack launched by Cozy Bear that took the world of cyber malfeasance to a different level.
The Russian-backed outfit compromised the software build system of SolarWinds, a US-based vendor whose Orion network-management product was used by some 300,000 organisations, and slipped a backdoor (later named Sunburst) into digitally signed Orion updates. Roughly 18,000 customers installed the poisoned update, among them Microsoft, the US Treasury and FireEye, a leading American cyber-security company, which was the one to discover the intrusion. With this one supply-chain hack, the Russians suddenly had a foothold inside a vast range of sensitive networks. Everyone panicked. Cyber security shot up president-elect Joe Biden's priority list.
Soon after this, another Russian crime group, DarkSide, went a step too far. In May 2021, during an indiscriminate ransomware campaign, DarkSide compromised the corporate IT systems of Colonial Pipeline, a company that carries about 45 per cent of the refined fuel consumed on the east coast of the US, and the company shut the pipeline itself down as a precaution. Although Colonial quickly coughed up, paying some $4.4mn to the hackers, for the Biden administration this was a direct assault on the US critical national infrastructure. Not quite a declaration of war but not far off.
Western intelligence sources say that, after a few calls between Washington and Moscow, DarkSide did a volte-face: it declared itself apolitical, promised to vet its affiliates' targets in future, and within days announced that it was shutting down. Colonial, having paid, received a decryption tool for its data. The FBI also recovered most of the ransom (63.7 of the 75 bitcoin paid) by obtaining the private key to the wallet into which the payment had been moved. Nonetheless, the events prompted the White House to arrange a summit between presidents Biden and Putin in Geneva in June 2021. Russia's constant cyber attacks, whether launched by criminals or intelligence, were the top item on the agenda as far as the Americans were concerned.
In warning Putin to call off the digital dogs, Biden presented his Russian counterpart with a list of the 16 critical infrastructure sectors that the US considers out of bounds for criminal attacks. "We will respond with cyber," said Biden. "He knows." This was no empty threat. The US's offensive cyber capability is widely recognised as outstripping that of all its competitors.
The Biden strategy worked, up to a point. For the first time, Russia's security services started arresting and imprisoning members of cyber criminal groups. In January 2022 the FSB ostentatiously filmed the bust of one of the biggest groups, REvil, and released the footage for general consumption.
The hiatus lasted for about six months. In January 2022, however, a raft of powerful attacks against Ukrainian government, military and media networks, including website defacements and a destructive wiper disguised as ransomware, helped convince the US intelligence community that Russia was about to invade Ukraine.
Since then, Russian-speaking ransomware groups have become highly active once more, seemingly as part of Putin’s war effort. Ukraine’s cyber defences, honed over many years of Russian attacks, are top-notch and supported by the intelligence services of the US, Britain and Canada. But the rest of Europe has been a particular focus of the new wave of attacks. According to cyber-security experts, the Russian government is giving these criminal groups information on potential targets. “These gangs want to make money,” says Hypponen, “but while they are making money, they are also trying to support Mother Russia.”
But once more the hackers have been careful not to cross what the Americans consider red lines, as advised, presumably, by Russia’s security services. Russia is probably confident that disrupting European businesses will be unlikely to provoke a cyber attack. But the US — whether its government, municipalities or police — remains strictly off-limits. In cyber space, the markers separating criminals, the state and military and corporate interests become more blurred every year.