Are the hackers all Russian?
Results of a 1 year espionage operation in the Top-tier Russian underground communities
Top 10 Key Takeaways
- Analyzed traffic data comes from exclusively private Russian underground communities where various accounts with different backgrounds persuaded Threat Actors to click on specific links;
- During about 1 year of undercover operation, data from 550 unique hosts was collected;
- In total, connections from 68 different countries were collected;
- US is in first place while Russia is only in 4th place in the ranking of raw collected IP geo-locations;
- 57% use known VPN services, hosting providers, proxies or onion routing (of which only 13% use TOR);
- 43% use good IPs (no vpn or anonymization services). In first place there is Rostelecom, the largest internet services provider in Russia;
- To anonymize their presence on the web, criminals mainly use VPN services that use the M247 ISP (most used internet egress point);
- 55% use updated Chrome Browser;
- Only 9% use Linux, 68% use Windows and 8% use MacOS;
- 8% use mobile phones (4% iPhone - 4% Android).
This is an analysis of IP addresses and user agents collected during months of undercover operation in different Russian-only cyber-crime forums.
The main goal of this research is to understand which anonymization services, VPN or hosting providers are the most used by cyber criminals who frequent Russian underground communities. Also this research wants to answer the fateful question that any friend would ask you during a barbecue … Are the hackers all Russian?
The answers are astounding…
Information was collected for research purposes only through social engineering techniques. Various accounts with different backgrounds and reputations were used to persuade users of the forums or during direct conversations to click on specific links.
These links redirect to the destination by collecting all the information of the browser, operating system and public IP address (like all the shortners out there). Based on this information, statistics and analyzes were then made to reach the goal.
If you are interested in knowing which are the most used platforms by cyber criminals, I suggest to read my previous article about HUMINT Operations here.
For security reasons I will not share the forums, groups, chats or the markets where these links have been exchanged but I can tell you that the selection was very careful in trying to avoid open or badly attended forums in order to have higher quality results.
The research that has been going on for about 1 year and has been able to collect 550 unique hosts with 694 hits (this means that the same person clicked on multiple links)
Here you can find the main raw IP geo-locations. In total, connections from 68 different countries were collected:
Here the top 24 involved countries (RAW results):
In first place is the United States, in second the Netherlands (known for hosting various VPN services), followed by Germany in third place and Russia in fourth.
You can immediately notice that although the navigation came from exclusively Russian communities, Russia is only in 4th place in the rankings thus raising several questions about the origin of users in the forums and the services used for navigation.
Among the top countries there are also Asian countries like Korea, Hong Kong, Singapore and Japan.
Analyzing the 550 unique collected IPs and relative info I found interesting data and statistics that generate a lot of intelligence for Cyber Threat Intelligence analysts and Intelligence agencies around the world.
57% use known anonymization services like VPN services, hosting providers, proxies or onion routing to hide their identities (based on IPHub APIs) of which only 13% use TOR (based on TOR exit node here)
To analyze the data collected, I divided the list of IPs into two sets: one relating only to anonymization services while the other related to clean IPs (belonging to known ISPs and which apparently do not use anonymization techniques). I then analyzed the top 10 ISPs of the two groups. Here are the results:
- IPs anonymization services only:
VPN providers usually use data center connections. IPHub has accumulated a vast array of non-residential Autonomous Systems with the help of contributors, robots and their team. Tor Exit Nodes are also detected.
Top 10 ISP related to IPs anonymization services only:
→ As you can see among the most used ISPs to anonymize their presence on the web, criminals mainly use VPN services that use the M247 ISP. The company M247 Ltd is the most used internet egress point all over Europe. It is used by nearly all VPN providers at least once.
→ In second place we find OVH, a well-known provider of Virtual Private Servers (VPS). The same goes for the third and fourth place where Microsoft and Amazon are respectively located.
→ Then we find CDN77 or a Content Delivery Network with over 32 points of presence all over the world and ASMK based in the Netherlands.
→ In seventh place we find PONYNET. Its datacenters are known for being used as a VPN or Proxy to anonymize traffic. The same is true for ZWIEBELFREUN, HERNLABS and F3NETZE.
- Clean IPs only:
By removing all IPs related to VPN services, hosting providers, proxies and Tor exit nodes what remain are the famous “clean IPs”. This list represents the IP addresses related to connections coming from good IPs (residential or business) like home ADSL without intermediaries and therefore are very useful raw data for the purpose of discovering if all the hackers who frequent Russian communities are actually Russian. Let’s see the results of the top 10 ISP:
Top 10 ISP related to clean IPs Only:
→ In first place there is ROSTELECOM, the largest digital services provider in Russia. It appears that when hackers don’t use a VPN they are presumably located in Russia, a country known for not prosecuting cyber criminals as long as they don’t target Russia itself. With this in mind, some of the Russian criminals probably feel safe browsing without protection.
→ In second place there is BHARTI-MOBILITY (Bharti Airtel) an Indian ISP, at third the German ISP Deutsche Telekom AG (DTAG). The Spanish ISP Telefonica at 7th place and the South Korean KIXS at 9th place.
→ The other IP addresses/ISP still seem to belong to trusted cloud or VPN services that refer to clean services and or therefore identified as such by IPHub APIs.
→ Interestingly the 10th place with the largest independent infrastructure in Iraq, is IQNETWORKS. For this case the same considerations made for Russian hackers apply.
What do you think about these results? Are these related to OPSEC fail, compromised hosts, or users who knowingly accept the risk?
Here is a percentage breakdown of the results above:
- 68% use Windows
- 9% use Linux
- 8% use MacOS
- 4% use Android
- 4% use iPhone
- 4% are bot-like (telegram, yandex, bing, slack, api, curl)
→ Only 9% of collected criminals use Linux! Didn’t you expect it from “geeks”?
→ 8% allegedly use mobile phones… the same percentage as those who use Linux. Isn’t it amazing?
Here is a percentage breakdown of the results above:
- 65% use Chrome Browser (55% use updated Chrome Browser — versions from 86 to 89 with 34% using version 87.00)
- 31% use Firefox
- 3% use Opera
- 3% use Safari
- 0,5% use Edge
Thanks to this active monitoring and the analysis carried out, it was possible to know which technologies the various cyber criminals use in the day-by-day to commit their illegal activities. The analysis was carried out on a relatively small number of hosts with a specific target in the Russian communities compared to the total number of criminals out there. However it was relevant to carry out in-depth analyzes and it highlighted many interesting points.
This kind of data is very difficult to collect because hackers and cyber criminals are very smart and it is very hard to fool them. Thanks to this long intelligence operation on the various forums and chats, government agencies and LEAs could benefit from the key takeaways in order to invest the correct resources in their counter intelligence or espionage operations against cyber criminals, APT or Nation state hackers.
So, are the hackers all Russian? Given the high amount of traffic coming from the US, we can probably begin to assume that Russian threat actors are not using internet services located in or passing through the US so a conclusion can be drawn:
Not all the threat actors on top-tier Russian hacking forums are Russian.