Russian Cyber-Crooks ‘Stole £522m Over Past Three Years’

Russian Federation-based cybercriminals have stolen $790m (£522m) from businesses and individuals, mostly in the US and Western Europe, since 2012 according to a new study.

Moscow-based Kaspersky Lab found that 160 Russian-speaking cybercriminals have been arrested by US and European law enforcement agencies over the past three years.

The majority – $509m – of the estimated takings were from outside the Russian Federation, Kaspersky said in its report, The Russian Cybercrime Underground: How it works. Kaspersky said its figures are based on confirmed losses, but the real amounts stolen could be much higher.

In more than 330 of the incidents investigated by Kaspersky Lab over the past three years, more than 95 percent were connected with the theft of funds or financial data. Criminals initially targeted individuals, but have more recently targeted banks directly, according to the report.

While the number of arrests of Russian-language cybercriminals has increased this year, cybercrime groups of Russian origin have managed to recruit up to a thousand people over the past three years, many from areas such remote areas of Russia and the Ukraine, where labour is cheaper, the report found.

“These include people involved in the creation of infrastructure, and writing and distributing malware code to steal money, as well as those who either stole or cashed the stolen money,” said Ruslan Stoyanov, Kaspersky’s head of computer incidents investigation, in the report.

Ringleaders

Such hires play roles similar to those found in any legitimate IT company, Soyanov said. Meanwhile, Kaspersky identified about 20 highly skilled hackers who appear to be the ringleaders of most financially motivated hacking activity of Russian origin.

“Kaspersky Lab experts have collected a considerable amount of information that suggests that these 20 people play leading roles in criminal activities that involve the online theft of money and information,” Soyanov wrote.

The cyber-gangs’ operations are highly sophisticated, he said.

“Cybercriminal system administrators configure management servers, buy abuse-resistant hosting for servers, ensure the availability of tools for anonymous connection to the servers (VPN) and resolve other technical challenges, including the interaction with remote system administrators hired to perform small tasks,” he wrote.

Witchcoven

Soyanov said the rise of Russian-origin cybercrime has been facilitated by the lack of qualified staff in law enforcement agencies, inadequate legislation and a lack of established procedures for international coordination between law-enforcement bodies in different countries.

“The lack of established mechanisms for international cooperation… plays into the hands of criminals: for example, Kaspersky Lab experts know that the members of some criminal groups permanently reside and work in Russia’s neighbors, while the citizens of the neighboring states involved in criminal activity often live and operate in the territory of the Russian Federation,” he wrote.

Separately, FireEye said it has identified a campaign to track the web-browsing activity of government workers using a malicious script called Witchcoven, saying the campaign appears to have been orchestrated by the government of a large nation-state, probably that of Russia.

“Witchcoven executes in the background without the user’s knowledge, capturing the visitor’s computer and browser configuration and placing a highly persistent tracking cookie on their computer,” FireEye said in the report.

Are you a security pro? Try our quiz!