Cybercriminals Face Numerous Strikes During Ukraine War

Series of strikes against cybercriminals as a result of the Ukraine war

The United States, internet companies, and cybersecurity firms in Ukraine have been working together to combat Russian cybertroops. This joint effort has resulted in an increased number of manhunts and arrests of notorious gangs like Hive, Conti, Trickbot, and DoppelPaymer since January. These gangs were behind attacks like the one on the Düsseldorf university hospital, and reports show their ties to the Russian military. Some attacks, like the one on the Colonial Pipeline in the USA and the burglary of a partner company of SpaceX, are targeted military actions against critical infrastructure. The Lockbit gang is now threatening Elon Musk’s broadband company, Starlink, and the FBI and BKA recently announced the closure of the Chipmixer money laundering service.

The Ukrainian authority’s report reveals that the respective attack targets and priorities are determined directly by Putin’s presidential office and implemented by curators from the domestic secret service, the FSB. These curators protect cybercriminals from prosecution and issue guidelines to the criminals on current attack waves. Deploying malware is likely less of a problem for Ukrainian defenders. The attackers primarily use spear-phishing and other methods to steal login data, then try to gain administrator rights, and only then is malicious software such as destructive “wipers” used. Reports from cybersecurity firms working in Ukraine confirm the sheer number of these attacks on Ukrainian networks.

The main question is how the Russian secret services keep getting hold of so much valid login data. The answer is Ransomware as a Service, or RaaS. Criminals work on a division-of-labor basis and are very flexible when they need to regroup. The login data dealer is key. The US authorities have accused a Russian citizen of hoarding 350,000 sets of valid login data and selling them to other criminals on the dark web. In addition, these key players have rarely been caught to date; they are right at the beginning of the criminal chain and have nothing to do with the subsequent crime.

From December 2021, when the Russian invasion became increasingly clear, direct transactions by actors who make money from child abuse to Russian “high-risk” crypto exchanges could be observed. The bulk of these dirty funds ended up on the crypto exchange nexchange.ru. According to TRM, the trading volume on the Russian high-risk exchange Garantex from February 2022 is more than $18 billion. This is in striking contrast to politicians’ statements and plans regarding this issue. The responsible EU Commissioner Ylva Johansson and a chorus of conservative politicians are not demanding that illegal trading places be switched off to get a grip on the trade in depictions of child abuse online. Instead, they are conducting preliminary searches of all private chats of all users on different platforms without cause. Putin takes every opportunity to address the alleged moral depravity of the West, while his domestic secret service, the FSB, has put up a protective shield over a criminal scene where pictures and videos of children being raped are just normal commodities.
