The Insikt Group team (a Recorded Future project) explored the capabilities, culture and organizing principles of Chinese and Russian hacking communities. To do this, they analyzed ads, created fake accounts and talked with participants of hacking forums.
Recorded Future is a company that tracks what happens on the Internet in real time and predicts and analyzes cyber threats. It works with backing from the CIA and Google. If you are interested in hacker culture (what drives their actions, how communities are organized and where to expect threats), read our digest of the Insikt Group study. We have squeezed out the most interesting parts and added our own thoughts.
As the Insikt Group notes, we most often speak of hackers as an abstract mass. In fact, this environment contains several very different communities, each with its own history, motives and, if you like, code. The hackers of each country are unique. Researchers often ignore this: they either talk about everyone at once or single out the Russians.
Insikt Group staff compared the leaders of the cybercriminal world, Russians and Chinese, and began with their history.
Patriotism or money: history and motives
Russian hackers: the spirit of theft
According to the Insikt Group, although Chinese and Russian hacker groups both come from similar authoritarian states, the history of their emergence and their motives differ.
Russian-speaking cybercriminals value money above all, although financially motivated hacking as a phenomenon originated in the United States.
One of the first hacking forums, Counterfeit Library, appeared in 2000 and was aimed at the English-speaking community. In response, 20 Ukrainians created the "Odessa Summit", which later grew into the Russian-speaking "Carders Alliance" or "Carder Planet". The forum was distinguished by a strict hierarchy of moderators who carefully vetted every supplier of CVV codes, eBay accounts, skimmers and so on. Western fraudsters adopted this model of community organization and created ShadowCrew. A few years later (in 2005) Carders Market appeared, where Western and Eastern hackers could trade with each other.
Image: Homepage of Counterfeit Library, one of the first forums for carders and other scammers.
When the cybercriminals of Russia and China were only beginning to organize into communities, the FBI in America was already after them. Evidence of this: high-profile operations such as Shrouded Horizon and Firewall, and the takedown of DarkMarket.
High technology reached Russia and the other countries of the former USSR by the early 2000s, and an Internet fraud boom followed. Because of low wages, educated, tech-savvy people became hackers.
Peter Levashov, aka Severa, distributed fake anti-virus software and turned victims' computers into parts of the notorious Waledac and Kelihos botnets.
Evgeny Bogachev developed the ZeuS trojan. With its help, JabberZeuS, Business Club and other criminal communities managed to steal more than $200 million from US and UK financial institutions.
Chinese hackers: the spirit of patriotism
If the Russians were motivated by money, the Chinese united around patriotism, so that the "century of humiliation" would not happen again: the period (19th to early 20th century) when the great foreign powers forced China into unequal treaties and concessions and provoked the opium wars.
Against the background of the anti-Chinese riots in Indonesia in the 1990s, users created forums, social network groups and electronic bulletin boards where they discussed defacements of Indonesian government sites (a defacement is a type of attack that replaces the contents of a site's main page, with access to the other pages blocked. Translator's note). As a result, the first Chinese hacker groups emerged: the Green Army, the China Eagle Union and the Hongke (or Honker) Union. They also took part in the first attacks on the United States and other opponents of China.
One of the best known: a DDoS attack on the websites of the White House and large American corporations, a month after the collision between a US reconnaissance aircraft and a Chinese fighter over Hainan Island.
Image: The result of a defacement of an American website by the Hongke (Honker) Union group.
Modern hackers: still money and patriotism
Today money still matters most to Russian hackers, and patriotism to Chinese ones. But since these communities first emerged, much has become more complicated: the organization of forums, promotion abroad and relations with the authorities. We grouped the Insikt Group's main conclusions by topic, and this is what came out:
Money or community
For the Russians, of course, money. There is little room for friendship on their forums; they are business resources more than platforms for socializing. Respect and trust go to the most successful hackers: more deals, higher rating. Nor is there any institution of mentoring in this corner of the darknet: why teach someone without a clear financial motive?
But if Russian hackers are businessmen, they are good, customer-oriented ones. Wholesale carders refund money for declined cards. Trojan sellers and spammers run holiday discounts and sales. Bulletproof hosting providers pay their customers rewards for bringing in referrals. They learn marketing from the largest corporations, which they then attack.
Chinese hacking forums, on the contrary, are permeated with community spirit. This culture is well conveyed by the term "geek spirit" (极客精神), which refers to technically educated people who hope to create an ideal society. Ideal? More just? The context is thin, but the idea of how invested the Chinese are in their community comes through.
People on the forums sincerely praise good skimmers, coders and sniffers. They write heartfelt personal thanks to sellers and actively share feedback to improve products. To keep communication going, the Chinese impose special requirements. Decided to buy or sell malware? Contact the counterparty through a comment or a private message. Want to keep your membership? Be an active user and talk with other members daily. Such activists are even rewarded with an intra-forum currency, and a gamification system also drives involvement in the community.
Image: Forum post. To access software that copies digital signatures, you need to reply.
Image: Supportive posts on the forum: the authors thank a user for sharing access to the program he created.
Training is also well organized here. The Chinese promote special programs: experienced hackers teach newcomers for money, and they also do it on their own initiative for greater community involvement.
From the editor: The Chinese, of course, sound super cool. You even somehow forget that they also make money by hacking. And the authors of the study mention that training is paid only in passing. Compare: about training among Russians, "... few Russian forum members."; and about the Chinese, "Chinese hackers' advertisements for the apprenticeship program." That is, "Russians do not teach beginners (for free)" and "Chinese teach beginners (for money)". Hmm... Well, the context dictates it: Russians make money, the Chinese build a community.
Hacktivism and relations with the authorities
Although the first Chinese hacker groups fell apart, their cyber-patriotism laid the foundation for close relations between the state and hackers. Some forum participants were even hired into government structures. Some of them now work in government, and some lead IT corporations.
Many patriotic hacking sites later turned into cybersecurity forums. But not all. As recent events show, when something in the East Asian region causes a public outcry, Chinese hacktivists take the stage once again.
In 2012, China proclaimed sovereignty over the Diaoyu Islands. After heated diplomatic disputes with Japan, the country needed support, and a post appeared on the Hongke Union forum (8 years after the group's official dissolution) listing potential targets for defacement, all 300 of them Japanese organizations.
In 2014, China placed a drilling rig in the territorial waters of Vietnam, and a wave of anti-Chinese riots followed. In response, a new hacktivist group, 1937CN, compromised a number of Vietnamese sites. In 2016 they also broke into the registration systems of Vietnamese airports and published personal data of more than 400 thousand passengers, presumably because Vietnam had placed rocket launchers on disputed islands in the South China Sea.
It is hard to determine for sure how independent these hackers' actions are. The malicious code used in 1937CN's attack on Vietnamese airports was also involved in a larger campaign of cyber espionage against Vietnam, whose alleged sponsor is the Chinese government.
In general, many Chinese hackers have admitted to providing services to national intelligence agencies and military organizations (such as the Ministry of State Security and the People's Liberation Army).
However, the 1937CN group clearly displayed elements of hacktivism. For example, 1937CN has its own account on the Zone-H portal, accounts on various social networks linked to its website, and even a promo video uploaded to a popular video hosting site in July 2017: a few people in hoods and Guy Fawkes masks.
Russians, too, have more than once played the role of popular avengers. The victims of such attacks have been Estonia, Georgia and other states, as well as officials and individuals seen as hostile to the Russian Federation.
When a monument to Soviet soldiers was dismantled in Estonia, the pro-Kremlin youth group "Nashi" posted a DDoS bash script on LiveJournal that attacked a fixed list of Estonian IP addresses. Thanks to this, any concerned citizen could join the fight.
During the brief Russian-Georgian war, a DDoS attack (BlackEnergy botnets) was launched simultaneously with the advance of Russian tanks. According to one source, the hacker Peter Levashov (Severa) sent spam with unconfirmed claims that the Kremlin, Mikhail Prokhorov and hackers from the "Civil Anti-Terror" community had attacked the sites of Chechen militants and Islamists.
Data from the study "Politically motivated DDoS attacks" by Arbor Networks (a large American company that sells DDoS protection and other security solutions. Translator's note).
The authorities' attitude to hackers in Russia, as in China, is fairly lenient. Arbor Networks even identified Kremlin-backed hackers: Karim Baratov and Alexei Belan. The researchers believe these hackers were recruited by the FSB to lead the 2014 Yahoo hack.
As for the rest of the cybercriminals, both Russian and Chinese, to remain free they must abide by one unwritten law: do not go against your own. For Russians this includes residents of the CIS. Testing one's developments on fellow Russians, however, is possible. (It is not very clear what the authors meant: can you write a trojan and test it on Yandex? Or is this about small companies and private individuals? In any case, there is not enough evidence. Ed.)
Thus Dmitry Fedorov, aka "Paunch", distributed malware around the world through Blackhole, a program of his own design. He was detained only after Blackhole was sold for use with the Carberp trojans, whose victims were Russians.
Pavel Vrublevsky, owner of the Russian payment processor ChronoPay, provided money laundering services for sales of illegal drugs and fake antiviruses. The Russian government did not object at all. But when he ordered a DDoS attack on Assist (a domestic payment system), he was arrested immediately.
From the editor: From the text we see that the Chinese are reluctant to lock up their hackers, and do so mostly when they appear in major international scandals. It seems this is connected with the concept of face (面子), which includes winning and keeping the respect of others. A great deal of Chinese culture revolves around this concept, especially in family and business. "Losing face" is so terrible for the Chinese that they would rather deceive than honestly admit their failures and shortcomings. For example, single Chinese women going home to their parents for the holidays often order a "boyfriend for hire" service to mask setbacks in their personal lives.
The researchers do consider the concept of face, but only in the context of why the Chinese buy fake diplomas and business licenses. It seems the same concept is at work in the state's attitude to hackers.
Community organization
Russian criminal forums are well structured: fraudsters and hackers operate on different sites. Not so with the Chinese: at most, in different sections. This once again confirms that the Russians focus on making a profit and the Chinese on building a community.
Image: The menu of a drug-selling site with a "Hacking" section next to the "Mushrooms" and "LSD" sections.
In both countries there is a division into open, semi-private and closed forums. The less accessible the resource, the harder to get into and the better the goods on it. For open sites, you just register. For semi-private ones, you pay an entrance fee of about $50 or confirm membership on other resources. To access private forums, you need a guarantor among current members and/or must prove the authenticity of your products.
There are also specific requirements. On some Russian forums, Exploit for example, only users with a certain number of posts get access to the more valuable content. And some Chinese hacker groups on QQ and WeChat operate only through semi-private forums, so to get into the group you must first get onto the forum.
Both Russian and Chinese forums support blacklists. Users provide evidence that they received poor-quality or outright fake material, and administrators, after checking the information, add the supplier to the ban list.
Image: kidala.info is a website dedicated to "kidaly", scammers who rip off other criminals. There are 15,839 listed on the site, and the number is growing.
Access to most Russian forums is open. When tools are needed to bypass blocks, Tor mirrors are used most often. In China the censorship regime is strict: since 2000 the Golden Shield project, the "Great Firewall of China", has been in operation. At first the project's goal was to introduce the latest technology to fight crime; later it was to restrict Chinese citizens' access to content the state considers inappropriate or offensive.
The Great Firewall is even able to identify and interrupt outgoing connections to the Tor network, which complicates access to international forums and cybercriminal marketplaces. The last way over the wall is a VPN. But since 2017 the state has required VPN services to be licensed, and many of them have closed. Visiting international hacking portals has become even harder.
From the editor: In general, the organization of the community among Russians and Chinese is very similar. But the Great Firewall, with sad irony, hits Chinese hackers despite their hacktivism and loyalty to the state.
Promotion of services abroad
As we remember, Russian hackers are primarily interested in money. They have no Great Firewall, and they actively sell their services abroad. They post in Russian and English and sell databases and credit cards of residents of all countries.
It is not easy for Chinese hackers to get their products abroad because of the Great Firewall. So they develop their own communities: they create more open hacking forums that are easily reachable on the local Internet and build groups around the first patriotic forums. They also actively use closed chat rooms and forums in popular messengers and social networks: QQ, Baidu and WeChat.
If Russians sell data on people and companies from every country, Chinese forums hold far more data on Chinese people, and you will not find it on foreign sites.
Why do the Chinese not leak data abroad? Several reasons are suggested:
- the information is hard to use: you need to know and understand local realities;
- the products are inconvenient to use: they are built for the Chinese, and their functionality and principles of operation differ from Western counterparts;
- the language barrier gets in the way.
So the Chinese love to develop their community, and when the Great Firewall came and entering the foreign market became difficult, they began to develop their community even more actively. Fine, but now the researchers note the reverse trend. The Great Firewall does not let them sell services in their own country, so the Chinese are trying to break through abroad. The evidence: Chinese posts on Russian and English forums.
It turns out that the government is literally pushing Chinese hackers abroad. And, as we remember, they go there with unique data on Chinese citizens and companies, as well as tools for hacking Chinese resources. So now the international cybercriminal community has more opportunities to attack targets in China and steal accounts and other data.
Image: Breakdown of posts on individual forums by language, data from Recorded Future.
From the editor: Do you see the yellow bars on the right? Neither do I, but they are there.
Findings
Insikt Group researchers believe the Russians will continue to focus on money, and the Chinese will react sharply to political events.
The Russians, with their sophisticated methods and distinctive tactics, are the ones to fear most. These guys want to earn all the money in the world, and they have organizations in every country in their sights.
As for the Chinese, the Insikt Group believes the government will not be able to shut down all the hacking resources. And thanks to growing Chinese activity on international forums, they will learn from their colleagues' experience.
The authors advise keeping track of events on underground forums, watching which products are currently popular, and monitoring the political situation (especially if your business is in East Asia).
From the editor: If you are interested in reading about Russian hackers, Kaspersky Lab published a study about them in 2016: "Russian hackers: what they break, how much, and why they are the best in the world".
As for the Insikt Group's work, what I remember most is "the Chinese are community, the Russians are money". The thought runs through the entire text, and this is not a bias of our digest: you can check by reading the full translation (careful, it preserves the pseudo-scientific style of the original). I do not know about you, but I am left with the feeling that the Chinese do not earn anything by hacking at all. You may have this feeling even more strongly, because we dropped the part about forum content (what they sell) and payment methods (not very interesting, but at least it has China and money in one sentence).
In general, the authors do not say why it is Chinese and Russian (Russian-speaking) hackers that are considered. Presenting it as a question of leadership in the cybercrime market is editorial liberty. But with this tilt of the Chinese away from money toward community, the question "how did they get into the top hacking powers" becomes even more relevant. Or not? What do you think?