Russian-speaking cybercrime saw changes in recent years

Woburn, MA – October 20, 2021 – Today Kaspersky’s Computer Incident Investigation Department released an overview of the major changes in the last six years in the world of Russian-speaking cybercriminal activity. In recent years, Kaspersky security experts have observed several important changes to the ways these cybergangs operate and who they usually target.

For almost ten years, the Kaspersky Computer Incident Investigation Department has researched various cybersecurity incidents, most of which are related to the activity of Russian-speaking cybercriminals. Understanding how cybercriminals operate and evolve in regard to tactics, techniques, and procedures is very important for the cybersecurity community and helps corporate defenders to better prepare for protection against possible incidents. Kaspersky’s Computer Incident Investigation Department experts prepared the report with this in mind.

The report observed that client-side attacks, in which victims are massively infected with money-stealing malware through various security holes in popular browsers, are no longer typical. Several years ago, this infection vector was often used by Russian-speaking cybercrime gangs to infect relevant targets (usually accounting employees) among commercial and financial organizations. However since then, browser and other previously vulnerable web technology developers have made a noticeable effort to improve the security of their products and implement automatic system updates. As a result, it is now hard for criminals to set up an efficient infection campaign. Instead, they try to utilize spear-phishing emails, luring targets into opening malicious attachments that would exploit a vulnerability in popular software which hasn’t been patched on the targeted computer in a timely matter.

The other important change is that, unlike several years ago, cybercriminals no longer tend to develop their own malware, but instead use publicly available penetration testing and remote access software. Organizations might use these tools for legitimate purposes and that is why security software doesn’t automatically detect them as malicious. This is what criminals hope for when using such tools. Using pentesting tools also allows them to save a lot of resources on development.

Other important changes include criminals:

·       Actively using public cloud infrastructure instead of building and supporting their own.

·       No longer needing to create large groups of partners in crime. No longer needing to create their own malicious tools together with active usage of cloud infrastructure allows them to conduct malicious activity in much smaller groups than was previously possible.

·       Dramatically changing their targeting, from financial attacks against organizations and financial institutions to ransomware and data stealing attacks. Additionally, considerable numbers of cybercriminals are no longer working in Russia and CIS territories but attack overseas targets.

“Back in 2016, our primary focus was on big cybergangs that targeted financial institutions, especially banks,” said Ruslan Sabitov, security expert at Kaspersky. “Big names such as Lurk, Buhtrap, Metel, RTM, Fibbit, and Carbanak boldly terrorized banks nation-wide, and in some cases internationally. Yet, they have eventually fallen apart or ended up behind bars – with our help. Other cybercriminal conjunctions such as Cerberus, left the ‘game’ and shared their source code with the world. These days, the industries attacked are not limited to financial institutions and major attacks such as the ones we investigated in the past are thankfully no longer possible. Yet we can hardly say there is less cybercrime out there. Last year the total incidents we investigated was around 200. This year hasn’t concluded yet, but the count is already around 300 and keeps going. In this situation, we think it is extremely important to share relevant information on cybercrime activity with the cybersecurity community which we do with help from our report.”

Learn more about the evolution of Russian-speaking cybercrime on Securelist.com.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact

Sawyer Van Horn

sawyer.vanhorn@Kaspersky.com

(781) 503-1866