Analysis of Chinese and Russian Hacking Communities
Over the past year, Recorded Future has been actively analyzing forums and markets tailored to Chinese and Russian audiences and has found several differences both in the content hosted on the forums and in how the forums are organized and conducted.
Recorded Future's Insikt Group analyzed posts, interactions, and advertisements on criminal and hacking forums to explore the cultures, capabilities, and organization of the Russian and Chinese hacking communities. Sources included the Recorded Future product and Chinese- and Russian-speaking personas created by Recorded Future to enable interaction with actors on these forums.
When researchers focus primarily on the items sold on dark web markets, many gloss over the distinct communities that reside in the forums themselves, either concentrating solely on Russian hacking or not discussing the forum members at all. That may lead readers to assume that the hacker community is a single collective that transcends cultures and borders.
In contrast, each country's hacker community is distinct in its forums, code of conduct, means of payment, and motives.
Both Chinese and Russian forums host a wide variety of international content. Malware and data dumps originating from Chinese groups are often not found on Chinese forums. Russian forums, however, not uncommonly advertise data dumps from Russian companies.
Chinese speakers are usually active on English, Russian, and Chinese forums, whereas few or no English or Russian speakers use the Chinese forums.
Although current posts by Chinese actors on non-Chinese forums are usually tailored to Chinese buyers, Recorded Future assesses with low confidence that Chinese buyers are starting to bring data, malware, and services that were once unique to the Chinese forums to a more international audience.
Russian forums will likely continue to provide content to buyers across the internet in order to maximize revenue.
Russian forums are usually tailored toward business interactions, whereas Chinese forums are more inclined to build up the hacking community. Both communities sell goods and services to regional users, but such sales are more prevalent on the Chinese forums.
Hacktivism originating from China in response to politically sensitive events continues to occur even after the original hacker groups have dissolved.
Russian and Chinese groups have different origin stories and usually operate in different ways. Russian-speaking cybercriminals typically hold one thing above all else: money. Although complex cybercrime is typically regarded as a trade of the former Soviet Bloc, the financially motivated cyber underground has most of its roots in the United States.
In 2000, the Counterfeit Forum Library emerged as one of the first fraud and carding forums for Russian and English speakers. Russian speakers wanted a version of their own and responded with the "Odessa Summit", which brought together a group of 20 premier Ukrainian fraudsters who would later become the founders of the Russian-speaking "Carders Alliance".
Carders Alliance was also known as the “Carder Planet.”
The organization implemented a hierarchy of moderators who vetted every vendor before allowing them to sell CVVs, dumps, SSNs, magnetic encoders, eBay accounts, or skimmers.
Western fraudsters, on the other hand, operated with structure and professionalism underground. In 2005, the opening of CardersMarket allowed Eastern and Western fraudsters to do business with each other on the same forum.
During the early years of cybercrime, most of the activity surrounding credit card fraud, spamming, phishing, and the like was carried out by Americans. That is evident from the number of takedowns and busts, such as Operation Firewall, the DarkMarket takedown, and Operation Shrouded Horizon, which dismantled most of the Western carding communities.
In Eastern Europe, technology adoption spread more slowly, and it took longer for it to become ubiquitous across the republics and federations of the former Soviet Union.
The underpaid, well-educated citizens of these countries turned to crime against Western targets, since they had both the technical skills and the need for money. That is evident in the explosion of scams, malware, and fraud launched by Russian communities in the early 2000s.
Russian forums leave very little room for camaraderie or socialization. The sites are places of business, not bastions of community. Trust and respect are built on successful financial interactions and on the consistent, reliable rise of forum members to the top of their trade. Conversely, any lapse in consistency is rated poorly.
Members with bad reviews or poor ratings usually end up on the forum's blacklist and may be assigned the role of ripper, or "kidala". In that corner of the dark web there are no apprentices, and only a few Russian forum members are willing to teach others without a clear financial gain.
Despite the focus on business, successful members provide useful tools and excellent customer service. Carders who deal in bulk and also provide good customer service, such as refunding declined cards, are usually rewarded and preferred by buyers for as long as their supply lasts.
Trojan sellers and spam services give holiday discounts and offer referral bonus payments to existing customers who send them new business. These actors operate with the financial mentality of the large corporations they usually target.
There have been several instances of Russian hackers engaging in vigilante and patriotic activity, such as the cyber-attacks launched against Georgia, Estonia, and other targets the Russian Federation deemed persona non grata.