Russian Cybercrime Forums Open Doors to Chinese-Speakers

Security researchers have started to see a thawing of relations between Russian-speaking threat actors and their Chinese-speaking and English-speaking counterparts.

The Russian-speaking cybercrime world has hitherto been fairly closed to actors from other regions. However, Flashpoint claimed to have seen a more inclusive approach adopted of late, especially on the Ramp forum.

“In October, Ramp administrators made changes to the forum’s interface that make it more accessible to Chinese-speaking and English-speaking threat actors,” the threat intelligence firm claimed.

“Forum sections are now in Russian, English, and Mandarin; the main administrator is addressing members in English more often than before; and there is noticeably more English content and comments – and even coming from some Russian-speaking actors.”

There are said to be around 30 Chinese users on the forum thus far.

However, although Russian cyber-criminals may seek international alliances, Flashpoint warned that the moves might be a smokescreen similar to those surrounding the Groove ransomware gang.

“In late October 2021, the Groove ransomware gang called on other ransomware operators to jointly attack US entities; once this generated media attention, the operator of Groove’s public blog claimed that it was a media hack,” it said.

“It is certainly possible that Ramp’s overture to Chinese-speaking threat actors is part of a similar strategy.”

That said, other Russian-speaking forums also appear to be warming to international users.

On the notorious site XSS, one user apparently replied to a thread with a Chinese-language ad looking for partners in a ransomware operation. In another case, a Russian XSS member greeted two Chinese forum members with a message in machine-translated Mandarin.

Threat actors are typically more willing to share tactics, techniques and procedures (TTPs) than their counterparts in the legitimate economy. However, the pooling of capability and intelligence across traditionally distinct cybercrime spheres would be a particularly unwelcome development.
