Russian IT “Brain Drain” Decentralizes Cybercrime

Russia’s invasion of Ukraine has disrupted the vast cybercrime underground operating from the country, thanks to mobilization of some threat actors and the emigration of others, according to Recorded Future.

The threat intelligence firm’s new report, Russia’s War Against Ukraine Disrupts the Cybercriminal Ecosystem, is compiled from analysis of dark web sources.

The cybersecurity vendor claimed that mobilization and emigration of cyber-criminals have prevented compromised card volumes from fully rebounding to 2021 levels, and also led to decreased activity on Russian-language dark web and special-access forums last year.

“Anecdotally, we have observed significant decreases in the number of new threads and posts — as well as the total number of all Insikt Group threat leads — related to content on Russian-language dark web forums since September 2022,” Recorded Future said.

“We believe that the partial mobilization orders issued by Russia may have conscripted several threat actors. We also believe it is possible that Russian-speaking threat actors have been part of the ‘brain drain’ of Russian IT and cybersecurity professionals to Georgia, Estonia, Finland, and Kazakhstan. We believe that this could explain the decrease in activity on Russian-language sources, beginning in September 2022.”

The war has also undermined the solidarity of Russian-speaking threat actors as a result of disagreements over support for the war and the Putin regime. More leaks of the sort which exposed the Conti and Trickbot groups will likely occur in 2023.

“This damage has established a new norm of internal instability, as evidenced by a continued wave of insider leaks,” the report noted.

However, those hoping the war will fatally undermine the Russian cybercrime economy will probably be disappointed. The report argued that threat actors will merely become more geographically decentralized and their relationships more diffuse.

It also warned of a surge in nationalist “crowdsourced” hacktivism, although its impact may be limited.

Going forward, Recorded Future warned that the Kremlin might soon absolve Russian cyber-criminals of their crimes, in a move which will likely draw state-backed and cyber-criminal activity even closer in its aims and targets.

However, there could also be bad news on its way for Russian organizations, with an anticipated increase in data breaches affecting Russia and Belarus making their way onto the dark web.

“With an increase in Russian and Belarusian leaked databases, we will also see a correlation in the increase of credential leaks on dark web forums targeting .ru and .by domains,” the report concluded.

“We believe this will happen because of the overwhelming amount of Russian databases that have been leaked since the beginning of #OpRussia, which has yet to enter into public circulation.”