On the darknet – a hidden anonymous network used by hackers from around the world to coordinate – Russian remains the primary language. Perhaps this is why there are many myths around cybercriminals from Russia in Western media: they are accused of large-scale attacks on the United States and of working for Russian special services – the latter statement is supported by the fact that the actions of the security forces almost do not prevent successful attacks on companies from all over the world. “Lenta.ru” managed to get in touch with one of the so-called “Russian hackers” who worked with the largest world communities. On condition of anonymity, he talked about how influence is distributed between groups today, how the tactics of cybercriminals have changed, as well as the complexity of life outside the law.
“The practice of the US authorities amuses many”
“Lenta.ru”: Our conversation is taking place against the background of reports about the resurrection of the REvil group, which in the West is categorically linked with Russia. She is credited with attacks on large American companies, and with this – cooperation with Russian special services. Have you collaborated with REvil? Are these accusations justified?
Antivirus: In a normal world, I would be called a freelancer: I am not a permanent member of any association, but I do some tasks for many communities that journalists consider famous. The very fact that I am giving an interview to someone is unlikely to please my customers, which is why I hide behind a non-speaking nickname. Among such customers was the REvil group.
When doing some work, you do not always know who is actually setting the task. But the practice of the US authorities to appoint the culprits amuses many. There are Chinese groups that for years pass in all media as connected with the authorities of the country, which allegedly almost physically sit on their Chinese Lubyanka. But inside the crowd, everyone guesses that these are simple guys scattered all over the world, who even have difficult communications with each other, let alone with the government.
Of course, nothing can be ruled out. But personally, I have no feeling that the Russian special services are planning any attacks.
Attempts by Western countries to “appoint the culprits” for cybercrimes amuse many inhabitants of hacker forums. Photo: Tom Westbrook / Reuters
Another source of mine believes that REvil disappeared from the radar due to increased interest from the US authorities.
Many in one way or another came across the user Unknown, who was the official mouthpiece of the group on the darknet. He disappeared this summer, nothing is known about his fate. There is a version that the Americans managed to find out who it was, after which these data were transferred to the Russian security forces. It is possible.
But sometimes a banana is just a banana. A person could fall ill with a coronavirus, get into an accident, or simply go out of business.
Are they leaving this business?
This is not the mafia. Plus you are anonymous. When you want to go out of business, you simply press the shutdown button on your laptop.
“I don't feel like Robin Hood”
Let's figure it out: how profitable is cybercrime and what must happen in a person's life for him to decide to leave it?
Let's put it this way: this is a very time-consuming job. And if you've earned enough, then you can quit the game. Chronic fatigue, burnout, deadlines – all these words from the life of ordinary office workers are relevant for malware developers.
Cybercriminals admit that they are making good money, but they are still unhappy with the working conditions. Photo: Steve Marcus / Reuters
And here two factors play a role. On the one hand, you are afraid all the time. You wake up in fear, you go to bed in fear, you hide behind a mask and a hood in a store, you even hide from your wife or girlfriend. I'm younger than you, but I've already earned for the rest of my life. Not millions, but enough to live in peace and never work. And here is the second factor: how to quit a job that brings such earnings in a country where you cannot be said that they are looking for you?
LockBit representatives said in interviews that they cannot sleep properly. This is true?
Yes, the dream is very bad. I've been sleeping four to five hours consistently for years. But here the problem is more that during the day you have a family, and all work is at night, plus time zones.
In the dock time, was there no temptation to move to Europe or somewhere else?
If there comes a moment when I need to pack my backpack and leave the country on the first flight, I will do it. But now I'm comfortable.
Is patriotism a common story among cybercriminals?
This is not a community to survey. It is clear that there are some platforms for hiring freelancers and exchanging opinions, where they also post news. But every person in my profession lives without any connection with the community. I don’t know what’s in my employer's head, just as he doesn’t know what’s in mine.
But if you try to answer globally, then I see that in the interviews of many associates, even from the same LockBit group, the topic of social equality appears rather. If you go to the Italian forums on the darknet, they write more about socialism than about hacks.
Many hacker groups are international, and accusations of connection with specific states on the darknet are often denied. Photo: Valentyn Ogirenko / Reuters
This idea is close to me. The world is unfair to the weak, everything is built on financial gain. There are people who lead the largest corporations by birthright. At best, they throw off hundredths of a percent of their super profits to charity, for which they are deified by the hands of their personal PR specialists. At worst, they hide their billions from the tax authorities. This should not be so, but this is happening not only in the USA or Europe, but also in Russia.
Do you feel like Robin Hood?
Honestly? No. And I am against romanticizing my work. They also steal or extort money with my hands. But I'm not ashamed of what I do. I sincerely try to find at least something bad in this and cannot. Probably, my concepts of what is good and what is bad are somehow shifted. But in this case, they are biased for many in this profession.
Many groups declare on their blogs that they do not attack social objects. Have your designs ever been used for similar purposes?
As far as I know, no.
“For point attacks, they sometimes come up with elegant solutions.”
You, like many of your colleagues, have a bright socialist rhetoric. Is it possible to assume that, even if not always, but at least occasionally, American companies attack precisely because they are capitalists?
First, they are attacked because they are rich and have a lot of money. It is difficult for me to imagine an attack dictated by ideological reasons. Second, cybercrime is an international phenomenon and the communities themselves are international. This year I worked with code snippets commissioned by the community, with whom I corresponded in Russian. And the code had comments in French.
If we go a little deeper into the specifics of attacks, what areas are now considered the most promising and what protective tools cause the greatest inconvenience to malware developers?
It seems to me that I will not tell you anything new here. The bulk of attacks can be compared to automated spam mailing. Whoever gets hooked will be “milked”. That is why each group has such a geography of defeat: from strong European companies to Vietnamese or Cambodian medium and even small businesses.
Hackers claim that they attack for money and not for political reasons. Photo: Valentyn Ogirenko / Reuters
Sometimes a specific company is attacked. Here, tactics change depending on the goal. I read somewhere a story about how the guys a few years they could not get inside the security perimeter (notional boundary between the external world and the internal systems of the company -. Comment “Lenta.ru”) of a large corporation and have come up with an elegant solution. They began tossing flash drives with its logos to the office of this company so that one of the employees thought that his colleague had lost important documents, and inserted the flash drive into the computer in an attempt to find out whose it was. After that, malicious code should have been launched, which instantly spread over the internal network. I don't remember how the story ended.
In such situations, in the modern world, it is not the company itself that is attacked, but small organizations from its supply chain. For example, it is not a bank that is attacked, but a manufacturer of minor software that closes a minor problem. It is now the most popular point-to-point attack method that bypasses traditional defenses and penetrates the security perimeter.
The strategy of our conditional adversaries – information security departments – network segmentation according to the principle of zero trust (with this approach, the infrastructure is divided into many isolated small parts. If one of them is infected, the rest of the network elements remain safe. None of these elements considered safe in the company – approx. “Lenta.ru” ). All the security forces are now talking about this, but the tactics have not yet been brought to the ideal.
Does the service model of malware consumption (in which it is possible to rent the development of hackers, which makes cybercrime a more accessible and widespread type of activity – approx. “Lenta.ru” ) already dominates the dark web?
Not yet, but it's a matter of time. Convenient approach.
“Attacks on corporations can provoke geopolitical conflict”
BlackMatter hit the Japanese giant Olympus a few days ago. Before that, they said that they considered themselves the leaders of the hacking community. Will the revival of REvil interfere with their plans?
To be honest, I don't make those [leadership] ratings for myself. And no one is. How do you imagine it?
Together with REvil, the DarkSide group, responsible for the attack on the Colonial Pipeline, disappeared from the darknet. There is a theory that BlackMatter and DarkSide are one and the same community. This is true?
I think yes. Although I am not sure that for someone other than journalists and security officials, this is of principle.
For the DarkSide hackers, the attack on the Colonial Pipeline was the last big crime. Photo: Kevin Lamarque / Reuters
Many noticed that in the very first interview, BlackMatter promised not to attack American infrastructure facilities. It looked like a white flag – they say, guys, we won't be like this anymore.
Perhaps so, but it doesn't matter. BlackMatter is just making money and they don't want to draw attention to themselves. You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies, only occasionally entering corporations such as Olympus.
