Cybercriminals: Frenemies China, Russia, North Korea

  • None--Security Boulevard
  • published date: 2021-11-29 08:31:00 UTC


<p>The age-old adage that “Criminals crime” is proving true when it comes to the transnational cybercriminals at play. The cybercriminals associated with the forum RAMP (Russian) have reached out to China’s cybercriminals in a somewhat ham-fisted manner to invite their participation in both the forum and their collaboration in criminal activity.</p><p>According to <a href="" target="_blank" rel="noopener">Flashpoint Intelligence</a>, who first noticed this outreach in late October 2021, the admins behind RAMP (version three; versions one and two were rendered inoperable after sustained <a href="" target="_blank" rel="noopener">DDoS</a> attacks) have updated their supported languages to now include Mandarin Chinese. Previously, the forum supported only the Russian and English languages—the latter being tolerated, the former preferred. Furthermore, according to Vlad Cuiujuclu, team lead, global intelligence at Flashpoint, Russian forums generally eschewed engagement with parties who weren’t conducting their business in Russian. Cuiujuclu noted that this stance appears to have softened with RAMP’s overtures to entice Chinese participation.</p><div class="code-block code-block-4" style="margin: 8px 0; clear: both;"> <div class="custom-ad"> <div style="margin: auto; text-align: center;"><a href="" target="_blank"><img src="" alt="FinConDX 2021"></a></div> <div class="clear-custom-ad"></div> </div></div><p>Andras Toth-Czifra, a senior analyst at Flashpoint, noted that the “Chinese language engagement on the forum appears to be conducted by individuals whose first language is not Chinese.” He added that RAMP is currently one of the only forums accepting ads for ransomware collaboration following the flexing of U.S. and European cybersecurity assets as a result of ransomware attacks on United States infrastructure.</p><p>Interestingly, Flashpoint’s analysis remains ambivalent as to the rationale for this action and its timing. Cuiujuclu and Toth-Czifra both opined that it may be an entrepreneurial trial balloon to determine if Chinese cybercriminals are interested in collaboration and a means to effect an exchange of modus operandi and tools.</p><p>Toth-Czifra noted how the Russian cybercriminals preferred method is to size up a target’s fiscal situation, calculate what level of <a href="" target="_blank" rel="noopener">cyberinsurance</a> the entity might have and then proceed to engagement and extortion of a ransom payment with a specific target amount which they intend to extract from the victim. He explained that China is different; beginning with the lack of attention paid to cyberinsurance and the notable level of effort required to engage a target in Chinese when you lack linguistic skills. The former is a data point/calculation about the amount of ransom to pursue and the latter is a real barrier to entry.  This outreach on the RAMP forum may be an effort to bridge these linguistic and corporate fiscal knowledge barriers.</p><p>The Flashpoint analysts were unambiguous, however, when stating that they’ve not seen any positive results of this effort by RAMP nor have they seen any inkling of Chinese or Russian nation-state involvement (or interest).</p><p>With the blossoming geopolitical collaboration of Russia and China in its nascent stages, it will be interesting to determine what, if anything comes out of the July 2021 agreement between <a href="" target="_blank" rel="noopener">Putin and Xi to deepen cooperation in cyberspace</a> and the impact that has on this criminal foray into collaboration between Russia’s and China’s cybercriminals.</p><p>Similarly, given the global dynamics, might we see China and/or Russia (or both) step up and take down the RAMP forum, especially if/when a forum participant engages an entity with Chinese or Russian roots.</p><p>From the Russian cybercriminals’ perspective, the current state of play between two nations with a mature geopolitical and economic relationship, China and North Korea, is of the utmost interest. According to <a href="" target="_blank" rel="noopener">Crowdstrike, North Korean state hackers launched a surreptitious attack on China’s cybersecurity researchers</a> in an effort to purloin Chinese hacking techniques. It is believed China detected the attack and allowed the theft of tools—which themselves were surreptitiously carrying a payload—back to North Korea to wreak havoc on the North Korean cybersecurity team.</p><p>Time will tell. At the moment, it looks like the RAMP effort is a bit of a “field of dreams” play in the entrepreneurial spirit of “If we build it, they will the come.”</p>