Russia’s War Against Ukraine Disrupts the Cybercriminal Ecosystem
Editor’s Note: This is an excerpt of a full report. The entire analysis, with endnotes, is available as a PDF download.
Russia’s war against Ukraine has disrupted the cybercriminal ecosystem. On February 24, 2022, Russia launched a full-scale invasion of Ukraine. As outlined in the recent Recorded Future report “Themes and Failures of Russia’s War Against Ukraine”, Russia likely remains intent on seizing Kyiv, dismantling the government of Ukraine, and securing a decisive military victory despite “compounding strategic and tactical failures”. Russia’s offensive cyber operations have been “unable to substantively augment Russia’s conventional military progress” and will likely shift to targeting civilian infrastructure in an attempt to “degrade Ukraine’s morale ahead of an upcoming, renewed offensive”. Russia’s continued reliance on proxy groups to pursue its objectives in Ukraine while maintaining plausible deniability has further illuminated the links between the Russian Intelligence Services (RIS) and non-state actors, as evidenced by Russia’s direct, indirect, and tacit relationships with cybercriminal and hacktivist groups, outlined in our report “Dark Covenant 2.0: Cybercrime, the Russian State, and the War in Ukraine”.
The so-called “brotherhood” of Russian-speaking threat actors located in the Commonwealth of Independent States (CIS) has been damaged as a result of political disagreements among threat actors in the context of the war. This damage has established a new norm of internal instability, as evidenced by a continued wave of insider leaks. Additionally, as Russia experiences a “brain drain” of IT professionals, these now-fracturing organized cybercriminal cartels will likely become more geographically decentralized, in turn making their relationships more diffuse.
The resurgence of “crowdsourced hacktivism”, an international phenomenon previously limited to the late 2000s, will likely create a new generation of non-state threat actors who are both politically and financially motivated. These so-called hacktivist groups, while their impact has been limited, have become symbolic in the public’s perception of the “cyberwar” raging parallel to the war in Ukraine.
The economic consequences of the war in Ukraine are likely creating conditions conducive to an increase in the value of payment card fraud on the dark web, despite an overall slump in carding volume in 2022. Despite fraud’s reputation as an unsophisticated form of cybercrime, it is likely becoming less a crime of opportunity than one of survival. International arrests, seizures, and disruptive actions have destabilized the business model associated with commodified cybercrime, with wide-ranging, rippling effects on the malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) threat landscapes. These disruptions have also spread to the dark web shop and marketplace ecosystems, leading to price fluctuations and newfound competition among market administrators. Cybercrime, both in the CIS and globally, is entering a new era of volatility as a result of Russia’s war against Ukraine.
- We did not identify any direct links between the credential leaks that preceded Russia’s war against Ukraine and the war itself; however, we believe that these credential leaks could have been leveraged by threat actors seeking to exploit geopolitical tensions prior to the war. We also note that some of the database breaches we identified have since been attributed to nation-state actors.
- The so-called “brotherhood” of Russian-speaking threat actors located in the CIS has been damaged by insider leaks and group splintering, due to declarations of nation-state allegiance both in support of and opposed to Russia’s war against Ukraine.
- Russia is experiencing a wave of IT “brain drain” that will likely decentralize the organized cybercriminal threat landscape. In addition to brain drain, waves of military mobilization of Russia’s citizens are resulting in decreased activity on Russian-language dark web and special-access forums.
- The resurgence of “crowdsourced hacktivism” will likely create a new generation of non-state threat actors. The impact of hacktivism has been limited, but its role in enabling information operations (IOs) remains vital. Hacktivism has become symbolic in the public’s perception of the “cyberwar” raging parallel to Russia’s war against Ukraine.
- Russian law enforcement’s seizure and closure of several top-tier carding shops in January and February 2022 severely disrupted the payment card fraud ecosystem until April 2022. Since May 2022, the emergence of new carding shops has driven a partial rebound in the volume of compromised card-not-present (CNP) data posted for sale on the dark web.
- International arrests, seizures, and disruptive actions have destabilized the business model associated with commodified cybercrime.
- Russia’s war against Ukraine has disrupted the dark web shop and marketplace ecosystems. International supply-chain disruptions and border closures have made the shipping of “physical” contraband impractical for Russia-based threat actors.
On February 24, 2022, Russia began a full-scale invasion of Ukraine that was supported by ground and aerial bombardment, surface-to-surface and surface-to-air missiles, cyberattacks, electronic warfare, information warfare, and more. Almost immediately, the Russian cybercriminal underground reacted with declarations of allegiance from forum administrators, threat actors, and threat actor organizations. Hacktivist campaigns, coordinated distributed denial-of-service (DDoS) attacks, “doxxing” activities, trolling, website defacement, ransomware infections, and more began within hours of the invasion.
While the vast majority of non-state cybercriminal and hacktivist activity in the early days of Russia’s war against Ukraine targeted Russian and Belarusian entities in retaliation for the invasion, opportunistic threat actors sought to exploit the tensions by attacking vulnerabilities in the cyber infrastructure of Russian, Belarusian, and Ukrainian entities and selling leaked information or unauthorized access for financial gain and publicity. Declarations of allegiance also prompted internal unrest within certain threat actor organizations, leading to hostile activity and schisms between threat actors.
Since February 24, 2022, we have been actively monitoring the daily activities of cybercriminal and non-state hacktivist entities that have been involved directly or indirectly in the Russian war against Ukraine.