The Truth About Russian Hackers

“Russian hackers” is a meme that became popular in the West a couple of decades ago. Their trail is found in the most high-profile cybercrimes and attacks on the United States, and Washington often accuses them of working for the Russian special services. At the same time, the Russian darknet speaks very carefully about the existence of separate criminal cyber units working for intelligence. Hackers from Europe also agree with this point of view: they call the position of official Washington convenient and admit that it is much easier to push problems aside than to admit their own shortcomings. 

Experts from a fintech software development company Boosty Labswill help us understand whether Russian hackers from influential groups could be in the service of the state and stand behind the largest cyberattacks on the United States.

Who are The Russian special services working with?

To understand that cyber espionage exists in the modern world, you don’t need to stay on hacker forums for days. But it is difficult to imagine a situation in which employees of the FSB, SVR and other structures recruit members of well-known groups or hire them for a contract. 

The majority of average hackers will not even be interested in an attack on US government agencies. The pay for such work is probably good, but the consequences for a specialist can be the most unpleasant. In addition, most cybercriminals simply lack the qualifications for such attacks.

Most likely, the Russian special services are working with serious hackers, who can be counted on one hand. These should be real intellectuals, professors of cybercrime, in whose interests a kind of research institutes work, developing more and more new types of programs. 

The interest of Russian hackers in the objects of the American economy is not dictated by the desire to annoy the West. Hackers do not divide victims according to their ethnicity, for them the economic component of the issue is more important. That is why the infrastructure of the United States attracts them more often: it is just that there you can steal more.

Participants in the political struggle

The English-language part of Wikipedia contains several articles about Russian interference in the US elections. Their names are almost the same, and the years of publication are different: 2016, 2018, 2020 . It was these attacks, regardless of who was behind them and whether they were in reality, that began the modern stage in America’s relations with “Russian hackers.”

In the United States, it is argued that the targets of attacks by Russian specialists have changed over time. Prior to the 2016 election, which was won by Donald Trump, the goal was allegedly the attempts of the Chief Intelligence Directorate of the General Staff (GRU) to support Trump and vilify his Democratic rival Hillary Clinton. At that time, documents and correspondence of Democrats obtained in the course of phishing attacks were leaked to the network. They portrayed in a negative light either Clinton, or her fellow party members, or the internal party situation in general.

The key moment of Operation Project Lakhta (this name was given to the operation of interference in elections in the USA ) is the attack on the National Committee of the Democratic Party of the USA . It was allegedly turned over by the Cozy Bear and Fancy Bear groups, and they did it independently of each other. This means that the committee’s system was infected with two types of malware at the same time. The first, the X-Tunnel, remotely executed cracker commands through a NAT system. The second – X-Agent – also transmitted files of interest to cybercriminals and kept logs of keystrokes.

The volumes of stolen data turned out to be colossal. The first batch of incriminating evidence was leaked to the Internet three days before the Democratic Party convention. The information in the public domain discredited the National Committee of the party: it seemed that it was initially biased towards Bernie Sanders, Clinton’s main competitor in the Democratic camp. The matter ended with the resignation of the chairman of the committee. 

The second batch of leaked data was made public in a matter of hours after Barack Obama officially accused Russia of cyber espionage, and the American media posted compromising evidence on Trump, in which he boasted of his methods of communicating with women.

In the first case, the stolen documents and correspondence were posted by Guccifer 2.0, who introduced himself as a lone hacker, and in the second – by WikiLeaks . A month later, the Democrats lost the election.

Could an attack of this size have been carried out without the help and order of an entire state? Of course. True, it is difficult to believe that in 2016 everything was done by a lone hacker.

Two years later, the accusations of the American side that hackers connected with Russia were arranging attacks on the systems were based on one fact: after the site of one of the candidates for the US Senate was hacked, its visitors were redirected to a resource with Cyrillic letters. Those elections were held against the backdrop of constant accusations against Russia.

In 2020, new charges followed. They could be attributed to the election campaign between Democrats and Republicans: Joe Biden partly based his campaign on the fact that Trump became president only thanks to Russian interference. At the same time, according to some representatives of the American side, on the eve of the next elections, in addition to “Russian hackers”, Chinese and Iranian cybercriminals also began to interfere in the internal politics of the United States. At the end of 2020, there were powerful attacks on US government departments, during which several government agencies were affected at once.

By this time, the American media wrote about the involvement of Russians in all these attacks as a proven fact. They backed up their position with intelligence data, but for five years not a single unequivocal proof was provided: all information that could confirm the facts of interference by “Russian hackers” in the elections continued to be called classified. As a result, American intelligence admitted that there was no direct evidence of the influence of “Russian hackers” on the voting results.

The position of the American authorities turned out to be quite convenient for their Russian colleagues: it is not at all difficult to refute the statements of a rival who has no proof. For several years, the Russian side limited its responses to the accusations to biting phrases, which sounded either from the press secretary of the President Dmitry Peskov , then from the official representative of the Ministry of Foreign Affairs Maria Zakharova , then from the Russian leader Vladimir Putin. But why all of Washington’s statements remained unfounded is more difficult to understand.

Where the Russians really left behind is in incidents with American companies in 2021. First, the largest US pipeline, the Colonial Pipeline, came under attack (the hackers received at least $ 5 million as a ransom), which is why four American states declared a state of emergency. The attack was blamed on cyber intruders from the DarkSide group. This was followed by an attack on the IT company Kaseya, which supplies and remotely manages software. Hundreds of her clients were in the affected area. The US authorities blamed the REvil hacker group for the incident.

The attacks resulted in Biden’s phone call to Putin asking him to punish the criminals, followed by the sudden disappearance of the best Russian groups from the darknet. Then the US President gave his Russian counterpart a list of those sectors of the US economy that should not be attacked. At the same time, Western media do not believe that REvil and DarkSide are connected with the Russian special services.

The first “Russian hacker”

Real hackers today are members of serious organizations with a clear structure, a built-up vertical of management, reliable sources of funding, and their own sales, development and development departments. But it all began, as in any dangerous business, with lonely romantics. Many of them ended up in prison, but individual adventurers managed not only to get on the lists of the most wanted criminals, but also to remain free for many years.

However, the first known (convicted) Russian hacker is not a cybercriminal, but a hooligan-saboteur, offended by the leadership of AvtoVAZ for breaking a promise to raise his position and raise his salary. In 1983, Murat Urtembaev deliberately changed the settings of the program that controls the conveyor, which made the Togliatti giant stand up for three days. Urtembaev received a 1.5-year suspended sentence and a fine. In addition, the organizer of the successful attack was demoted from programmer to locksmith.

The first high-profile hack, in which the Russians were involved, occurred shortly after the collapse of the Soviet Union. St. Petersburg microbiologist Vladimir Levin was able to hack into the corporate accounts of the American Citibank and, within three months of 1994, withdraw from there, according to various estimates, from 2.8 to 10 million dollars. Almost everything stolen was eventually returned to the bank, and Levin, after unsuccessful attempts to get lost, was found and convicted in New York , sentenced to imprisonment, which he had practically served by the time the court’s decision was announced. In 1998, Levin was deported from the United States, and his traces were lost. However, “Russian hackers” years later admitted that in fact Levin could become a toy in the hands of more serious professionals from international groups.

Evgeny Bogachev, who worked under the nickname lucky12345, is called the main Russian hacker of the heyday of computer crimes that came a little later. He and his accomplices from Ukraine and the UK created the infamous Gameover ZeuS virus that has attacked American businesses and citizens in the past decade. The total amount of losses has not yet been calculated, but it almost certainly exceeds $100 million.

The ransomware infected the victim’s networks, after which it demanded a ransom: individuals could get off with hundreds of dollars, for financial corporations the rate was several times higher. The hacker still is the owner of your own pages in the section most wanted FBI criminals, and for information about his whereabouts offer of three million dollars.

Lucky12345 disappeared from the darknet in the middle of the last decade. It cannot be said that he was an active user of some forums, but under various nicknames, some of which were known only to a select few, he periodically appeared. Of course, Bogachev is an elite, the methods he used were quite new for that period. Some people believe that he was caught in Russia and agreed to cooperate with intelligence to avoid punishment. It is quite a working version. 

The FBI has been looking for Evgeny Bogachev for many years. Even the promised reward of three million dollars does not help.

In the distant 90s

The first big attack by “Russian hackers” on the United States happened a couple of years after Levin’s tricks on Citibank networks. The incident was romantically named Moonlight Maze. For several years, unknown criminals have stolen data from the Pentagon, NASA , the US Department of Energy, military and civilian scientists. According to the aggrieved party’s estimates, in total, the attackers stole so much data that in the printed form it would look like a half-kilometer stack of paper. In the attack, they found a “Russian trace”: the hackers did not effectively encrypt one of the IP addresses – it belonged to a user from Russia.

This attack was one of the first in the world classified as APT (Advanced Persistent Threat): its essence is precisely to penetrate the victim’s networks and quietly survive in them for several years. Today in the United States it is believed that in the 90s only one organization in the world was capable of this – the Russian Foreign Intelligence Service.

Over the next two decades, the methods (and even specific software tools, albeit modified), which were used during the Moonlight Maze incident, surfaced in several more attacks, the most significant of which was Turla, organized by the group of the same name. Kaspersky Lab specialists and British scientists were able to prove this. In the United States, keeping in mind the same Russian IP-address in Moonlight Maze, they made an unambiguous conclusion about the involvement of Russians in dozens of attacks on American government facilities.

What’s ahead?

 It looks like the relations between Russian hackers and official Washington are getting warmer given the recent entry into the public space of the BlackMatter group, which is positioning itself as the new leader of the darknet.

BlackMatter carefully selects targets and does not plan attacks on US critical infrastructure so as not to attract too much attention to itself, although it is ready to resist American offensive operations in cyberspace. It can be interpreted by many as a recognition of the hackers’ ties with the GRU, SVR and other Russian government agencies. It really looks like a command from above that it’s time to lag behind the Americans. This option is also supported by the fact that too little time has passed between the disappearance of elite Russian groups and the appearance of BlackMatter. Perhaps this is just a rebranding.

PKI-Security Engineer & security blogger at gbhackers.com. She is passionate about covering cybersecurity and Technology.

Leave a Reply