Official governments are generally smart enough not to directly employ attackers to carry out their missions, and none of the researchers discovered smoking guns linking criminal operations to official governments.
Still, intermediaries typically contact “hackers for hire engaged with bodies potentially representing nation states,” McAfee’s Raj Samani says.
It’s only “logical for any nation state to leverage criminal hackers to carry out illicit deeds, as it further obfuscates the states from the crimes,” agreed Flashpoint’s David Shear.
In its study of the Russian and Chinese hacking communities, Recorded Future found that “hackers in both countries have a history of being recruited by their country’s intelligence services,” explains Winnona DeSombre, the firm’s threat intelligence researcher and co-author of the report. “The level of separation between government-sponsored and criminal activity is hazy at times,” she adds.
Her co-author and colleague at Recorded Future, Dan Byrnes, also a threat intelligence researcher, notes key distinctions between the two countries’ cyber undergrounds. The financially motivated Russians “focus on doing business internationally, while the Chinese underground emerged out of a sense of patriotism, and thus focus more internally on building community.”
Apparently, language also divides the two powerhouses, so there’s little chance of Sino-Russian cybercrime collaboration.
DeSombre traced the roots of today’s Chinese hacking community to patriotic hacking groups in the 1990s. More recently, patriotic hacking activity against Vietnam was linked to wider state-sponsored espionage campaigns. Additionally, it has been reported that hackers were coerced or recruited by Russian intelligence to orchestrate the Yahoo breach beginning in 2014.
Both the Russian and Chinese governments use various mechanisms to keep their hacking communities in check: China has instituted a tightly controlled censorship regime to prevent excessive anonymity on the Internet, while Russia has simply arrested any individual who conducts cybercrime against its domestic populace.
The “hacker community” is not an amorphous collective of individuals transcending borders and cultures, found Recorded Future’s Insikt Group, which analyzed advertisements, posts, and interactions within hacking and criminal forums to explore the capabilities, cultures, and organization of Chinese and Russian hacking communities.
On the contrary, each country’s hackers are unique, with their own codes of conduct, forums, motives, and payment methods.
The recent rise of cryptocurrency has supplanted WebMoney, the go-to method of payment for well over a decade on Russian underground forums. Recorded Future observes Bitcoin, Monero, and other cryptocurrencies being widely adopted instead, supported by a recently emerged cottage industry of cashout services that exchange those coins into dollars or rubles.
Apparently, the difference in language leaves little chance of Sino-Russian cybercrime collaboration.
“We believe that if there is a necessity or incentive for cybercriminals from China or Russia to work with their foreign counterparts, they will do so,” pointed out DeSombre. However, it is less common because the abundance of more local hacking forums in the cybercriminals’ native languages eliminates the need for actors to search for other forums, she added.