The idea of the “Russian hacker” has become firmly embedded in our national discourse, as cybercrime and incidents of hacking attributed to criminals within the country’s borders have reached their peak.
With memories of the Cold War and Russia’s reputation for simmering tension and espionage still apparent, the nation seems to have found a new speciality when it comes to intervention in foreign affairs.
Why are there so many Russian hackers?
Russia produces so many hackers partly because the country puts a far greater emphasis on computer science and IT education than the US does.
Students are introduced to these subjects at a young age and courses available to middle and high school pupils go above and beyond the basic curriculums offered in other countries.
There is no Silicon Valley equivalent in Russia that is able to provide the high paying software development jobs needed to alleviate the overall economic challenges faced by Russian citizens.
This results in a large population of highly educated people in need of IT work.
Cybercrime gangs are happy to fill the void, providing developers with gainful employment.
Moscow allows these gangs to operate within the country’s borders. Generally, as long as no Russian entities are hacked or compromised, ransomware and extortion gangs are free to bring foreign money into the country.
Additionally, the Russian government often collaborates with these gangs to spy on other countries, thus creating an environment in which cybercrime is not just tolerated, but used for military and intelligence collecting campaigns.
However, as is often the case when it comes to those under authoritarian rule, protection is only guaranteed until you become a liability or are more valuable given up than you are sheltered.
Researchers believe that Moscow gave up the notorious REvil ransomware gang as a means to stifle the US government’s growing discomfort with Russia’s buildup of troops along the border to Ukraine.
Russian hacker history
Russia has a long and storied history when it comes to their hacking and cyber espionage campaigns.
In 1996, the country was responsible for the Moonlight Maze attack, which resulted in the theft of classified information from a number of US government agencies, defense contractors and private organizations.
Moonlight Maze is regarded as one of the first highly sophisticated instances of state-sponsored hacking. The tactics it employed were observed in subsequent hacking episodes over the next 20 years.
In 2017, a server procured by cybersecurity researchers at Kaspersky Labs and Kings College in London was determined to have been used in Moonlight Maze and connected to a Russian hacker group called Turla.
These findings made it clear that Russia’s state-sponsored cyber meddling had been consistently ongoing for decades and that Moscow maintained a cold war-era suspicion of adversaries, as well as a desire to sew chaos and confusion amidst them.
Today’s global climate sees Russia continuing to both harbor and fund illegal hacking activity. A number of especially destructive gangs find refuge within the country’s borders where they are free to commit their crimes with impunity.
Noteworthy Russian hacker gangs
APT29
Also known as “Cozy Bear,” APT29 is an intelligence gathering group primarily focused on collecting data to support Moscow’s policy making and security decisions.
Active since 2008, APT29 is known to utilize exploits and large scale phishing campaigns to steal credentials from a pool of victims across government agencies and healthcare organizations.
APT29 is believed to retain login credentials from seemingly unimportant accounts in case they become relevant to Russia’s interests at a later date.
Through 2020, APT29 targeted organizations responsible for the development and deployment of COVID-19 vaccines, most likely in search of intellectual property and vaccine data.
Conti
Conti is a ransomware group that is believed to have been formed in December of 2019.
Using phishing schemes and known vulnerabilities to penetrate targeted networks, Conti engages in double extortion efforts which see victims forced to pay a ransom to reclaim encrypted data or have it released to the public.
A recent leak of chat logs detailing the gang’s inner workings revealed that Conti operates as efficiently and nonchalantly as any standard software company. Between the workplace banter and the fact that Conti hires new talent using job boards and forums, it’s easy to forget that the organization carries out illegal activity on an international level.
Initially, the leak seemed to have an effect on the group’s confidence, stalling their activity. However, it appears that Conti has weathered the storm, as their leak site has resumed operation.
APT28
Commonly known as “Fancy Bear,” APT28 is a hacking group associated with Russian military intelligence.
APT28 is responsible for a 2015 hack of Germany’s Parliament, as well as for the creation and deployment of 2020’s “Drovorub,” a Linux malware that allows for remote access into a victim’s system.
2020 also saw APT28 targeting NATO members as well individuals and organizations associated with the US presidential election. Researchers believe that APT28’s intent was to steal credentials, gather intelligence and create chaos and distrust with regard to the election’s integrity.
Evil Corp
Evil Corp has a reputation for committing banking fraud, with their estimated stolen funds coming in at more than $100 million.
Beginning as an unremarkable black hat hacker group, Evil Corp has grown to become a heavy hitter in the Russian cybercrime world.
Evil Corp’s ransomware-as-a-service (RaaS) model made it easy to spot the proprietary malware used in their schemes. However, recent US sanctions making it illegal for companies to pay Russian gangs a ransom has caused Evil Corp to change their tactics and use software that does not bear their hallmarks.
Evil Corp deploys a wide range of malware to commit their crimes. Some are created in house and others are taken off the shelf, making the group agile and adaptable.
Some researchers suspect that Evil Corp has moved beyond their financial motivations and is now also operating on behalf of the Russian government. It is theorized that they are using ransomware attacks as a means to disguise cyber espionage efforts that provide Moscow with valuable data that can be used against rival nations.
Sandworm Team
Sandworm Team is known for targeting foreign government organizations and the individuals within them to steal information or engage in destructive cyberattacks.
The group has been identified as a component of Russia’s military intelligence agency.
Recently, Sandworm Team has been responsible for attacks on Ukraine’s power grid, attempting to create blackouts as Russia continues its military operations within the country.
The gang engaged in similar activity in 2016, causing a power shortage in Ukraine’s capital.
Sandworm Team uses malware called “Industroyer” that allows for deep access into the systems that control electrical grid operations. The malware can even shut off safety protocols that prevent damage to power grid hardware, resulting in the physical destruction of critical infrastructure components.
All signs point to Sandworm Team continuing to operate on behalf of Russia’s ceaseless efforts to infiltrate, disrupt and weaken their adversaries.