Why we are losing the battle in cybersecurity: Part One - Russia

The year 2021 has continued to experience increased cybercrime, especially ransomware attacks. Ransomware has steadily increased over the past few years with bigger targets and bigger payouts. That is not to say small and medium-sized businesses need not worry. Smaller attacks are also on the rise according to recent reports. Every day we see more hacks and more headlines, and we seem impotent to stop them.

Even as I wrote this article, new information and hacks were being reported, making it very difficult to provide up-to-date information. Just this last weekend (July 4th, 2021), Kaseya, a system administration tool used by IT pros, was hacked in a massive supply chain attack, and the tool was used to spread ransomware to up to thousands of small businesses. According to reports this is, to date, the largest ransomware attack in history.

Why are we losing the battle in cybersecurity? In this multi-part series we will look at some of the key reasons why we do not seem to be making headway in this battle. We’ll see how the deck is stacked against us in this war on cybercrime. Along the way we will share the good news of progress we have made and also make sure we are doing everything we can to protect ourselves and our businesses from this scourge. Our first segment deals with the number one reason we are fighting an uphill battle… Russia.

Why Russia?

Volumes could be, and in fact have been, written on Russia’s political ambitions and its use of information operations and cyber espionage as devices to challenge its rivals. While not doing a deep dive on Russian politics, we can fairly say that Russian President Putin views cyber tactics as a key method to sway world politics in his favor. While Russia’s economic power is wanting, its cyber prowess levels the playing field in its favor. There have been dozens of cases of government-sponsored cyber offense against its global competitors. The big ones were the 2016 US election interference and the recent SolarWinds attack, both attributed squarely to Russia.

But many countries are involved in cyber espionage at some level. What makes Russia unique? It’s the flagrant practice of not prosecuting cyber criminals as long as they don’t target Russian interests. In fact, in many cases they piggy-back on the efforts of the hackers to gain intelligence. A couple of examples...

Bogachev and CryptoLocker

In late 2013 the world was in the throes of a massively successful organized cyber attack known as Zeus GameOver. At its peak it was a ‘botnet’ that controlled up to a half million computers. Once the malware was surreptitiously installed on a machine… it was controlled. From there the bad guys could install software, log keystrokes or a host of other nefarious things… and the victims had no idea. The mastermind of the project was not known. He was a mystery... a phantom known only by the handle ‘Slavik’. He had written the original version of Zeus in 2006 and had been leveraging it for many years, with great success. He led a team of elite Russian-speaking hackers that ultimately siphoned upwards of 100 million from targets all over the world.

The original purpose of GameOver was to find big-ticket victims with access to huge bank accounts and then fraudulently move the money. This worked; however, most computers in the botnet did not have access to fat bank accounts. So, in a stroke of criminal genius, the organized gang delivered a nasty piece of software called CryptoLocker to all the zombie machines on their network. Slavik and his minions had found a use for the tens of thousands of idle machines they controlled. Once installed, all the data on your computer was encrypted and a payment of $300-500 was required to unscramble the data. In 2013 CryptoLocker was a household name and as many as 250,000 computers were infected with ransomware.

Law enforcement around the world scrambled to take down this sophisticated and resilient botnet, yet as of late 2013 they did not even have a real name for the mastermind behind it. Finally though, with unprecedented international cooperation, headway was made in early 2014 when an email used by Slavik was traced to a Russian social media site and the crook was identified as Evgeniy Mikhailovich Bogachev. Not only that, but they also discovered a highly detailed ledger tracking the group’s various ongoing frauds. The investigators got to work analyzing the information, but the investigation took a very interesting turn when they found something they were not expecting to find.

What they found was that, in amongst all the expected activity around bank fraud, there were search queries for classified documents. The widespread botnet was searching computers for intelligence useful to Russia. Emails belonging to intelligence leaders from Georgia and Turkey. Documents containing classified secrets from Ukraine. Material linked to the Syrian conflict and Russian arms dealing. Indeed, GameOver was much more than an effective virus for stealing money; it was a sophisticated espionage device orchestrated with government involvement.

Progress on the GameOver investigation had been slow, but after the discovery of the ledger in 2014 it culminated that spring with the dramatic takedown of the botnet. The bank frauds all but stopped after the takedown, but Bogachev remains at large to this day with a 3 million dollar bounty on his arrest.

Most Wanted Cyber-criminal and wannabe Bond villain, Evgeniy Mikhailovich Bogachev with his cat.

Evil Corp

The cybercrime reprieve was short-lived though. One individual by the name of Maksim Yakubets, who evidently was a part of the Bogachev crew as a money launderer, started using malware very similar to Zeus GameOver. He is now the leader of a criminal organization called Evil Corp, one of the largest and most successful cybercrime gangs around. Bank accounts from dozens of countries have been fraudulently siphoned to the tune of tens of millions of dollars.

Evil Corp was also in the franchise business. Evidence suggests that they provide the code in exchange for a ‘franchisee fee’ and support other hackers to find new targets.

In most countries Yakubets would be on the ten most wanted list and eagerly sought out by the feds. Not so in Russia. In fact, he has security clearance with the FSB (Russian intelligence). According to the FBI indictment document he “provides direct assistance to the Russian government’s malicious cyber efforts”.

Yakubets is also at large with the largest bounty ever offered by the FBI, 5 million dollars.

Maksim Yakubets

As long as Russia continues to brazenly turn a blind eye to these criminal gangs, there is little hope for reprieve. And let’s face it, why would they? Their cyber operations give them a huge leg-up in global politics and influence. Like modern-day digital privateers, as long as these criminal groups target non-Russian interests they operate with implied impunity. The government has enlisted these underground hacker superstars to provide important intelligence and interfere with enemy governments. Can we really expect the Russian government to start cooperating?

Why Russia is so Good at Hacking

To exacerbate the problem of Russian cybercrime, there is a very large pool of unused expert computer talent there. Russia does very well at providing information technology education to its kids. Compared to western countries, there is a far greater emphasis on IT in the middle and high schools and, per capita, a lot more students continue on that learning track. Unfortunately though, there is nowhere for them to go. There is no ‘Silicon Valley’ in Russia and the prospects of skilled IT workers getting a good paying job are slim.

According to current online statistics, an entry level position in IT will earn a Russian the equivalent of about US$ 8000/year. And there are just not enough jobs to go around. So overall the IT sector is neither large enough nor attractive enough to absorb the available skilled labour. As one hacker put it: “I’ve got no money, a strong education and law enforcement’s weak. Why not earn a bit on the side?”

When compared with the thousands (and millions) made from cybercrime, getting a legit job pales in comparison.

Low Barrier to Entry

Another factor is that the barrier to entry is very low to get started in cybercrime. Established ransomware gangs such as DarkSide, Evil Corp and REvil offer Ransomware-as-a-service (RAAS) kits to others. The organization provides a range of tools and services such as handling negotiations and processing payments. They advertise, just as you would any other franchise. “We created DarkSide because we didn’t find the perfect product for us,” one announcement read. “Now we have it.”

It’s all very organized. The rookie finds new targets and gets to keep the lion’s share of the ransom. He gives a hefty cut of the proceeds back to the mothership.

There is some evidence that the recent Colonial Pipeline ransomware attack (attributed to DarkSide) shook things up in the Ransomware-as-a-service arena, as such a debilitating and public attack drew much unwanted attention to them. So much so that Putin himself had to make a statement that ‘Russia had nothing to do with this’. The last thing Russian hackers want is to create problems for the Kremlin. There have been repercussions against DarkSide. According to the New Yorker: “Russian-language cybercrime forums that historically functioned as a marketplace for DarkSide have banned the group from their portals.” It is too early to tell what the implications will be. Other RAAS gangs have announced that they are operating in ‘private’ mode and are not advertising on the Dark Web for new talent, but only accepting affiliate hackers whom they know and trust. In all likelihood DarkSide will rebrand and do the same. So we can take solace in a little good news: perhaps the barrier to entry into cybercrime is a little bit higher now.

No Extradition

It’s not surprising to learn that Russia is not willing to have its citizens extradited to other countries for prosecution. Until very recently Russia flat out refused to extradite known criminals. In 2016, commenting on the election hackers, Putin said: “Never. Never. Russia does not extradite its citizens to anyone.”

However, there is increased pressure from the international community. At the recent G7 Summit the powerful group of seven were aligned in their stance towards Russia’s tacit unwillingness to cooperate in the battle against cybercrime. They issued a statement specifically calling Russia to action:

In particular, we call on Russia to urgently… identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.

Putin appeared on Russian TV the same day to claim that Russia takes cybercrime seriously and IS prepared to extradite criminals if the US is prepared to release corresponding criminals to Russia (based on history, these are mostly political dissidents who have fled Russia to avoid persecution). US President Biden and Putin met on June 16th with cyberattacks on the agenda. It’s early to say whether all this will make a difference, but the facts noted in this article suggest not.

Cyber espionage is being used to some extent by countries all over the world. China, North Korea and Iran are known to use state-sponsored cyber espionage. However, none are as brazen as Russia in their attitude. Cyber criminals work with impunity, bilking millions from other nations. Even worse, the government piggy-backs on the widespread criminal activity to gather intelligence for its own benefit.

There are few signs of this situation easing up. At the end of this series we will be discussing ideas, both inside and outside the box, to protect your business from ransomware and other hacks. Before we do that, in our next segment we will discuss another key reason the battle against cybercrime is stacked against us… people.
