Charitable Hackers Collaborate in Deep Web Forums
19.7.18 securityweek Hacking
Through Multiple Methods and Collaborations, Many Hackers Donate Money to Good Causes
Sun Tzu is a cliche in cybersecurity, but no less valid for that. He wrote, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." Security researchers infiltrate the deep web forums to understand both the enemy and his weapons -- and sometimes they can be surprised by what they find.
Last month, Trustwave's SpiderLabs blog posted a discussion on the cybercriminal members of underground forums with the title, 'Underground Code of Honor'. In this blog is brief mention of hackers' charitable works. Now Ziv Mador, VP of security research at Trustwave, has given SecurityWeek more details of a well-organized charitable element found in numerous deep web forums.
He explained that Trustwave was investigating the modular structure of the underground. Different groups specialize in specific aspects of cybercrime and sell their products or services to other groups. One group might specialize in running botnets and botnet servers. Another might specialize in developing malware -- and each might sell their services to the other to meet a specific demand.
During this research, the researchers came across charity-themed communications; and decided to investigate further. "And the more we delved," said Mador, "the more fascinating it became. We found that through multiple methods and collaborations these hackers actually donate a lot of money to good causes." The most frequent donations, he said, are for orphanages and hospitals (especially children's hospitals).
Trustwave particularly looked at three different forums: two Russian-speaking and one English-speaking. There were immediate differences. In the English-speaking forum, charitable donations tended be from individuals. In the Russian-speaking forums they were collaborative campaigns. This could be partly cultural (individualism versus team working) or partly economic (eastern European hackers really needing to collaborate in order to collect sufficient funds).
Whatever the reasons, however, the Russian-speaking hackers have developed relatively sophisticated 'giving campaigns'. "Near the Russian new year (7 January), they ran a campaign and used the money raised to buy equipment for hospitals and supplies for orphanages." The hospital equipment included stretchers, inhalers, and bacteria-killing lamps." They even have plans to buy heart-rate monitors; and are working with a contractor to remodel a particular department in one particular hospital.
The orphanage supplies included toiletries such as hair brushes, tooth brushes and toothpaste. With money left over, they bought 25 kilos of fresh fruit, since 'sweets are not healthy for the kids'. These supplies were delivered by hand (about 15 bags full), and photographic evidence of the hand-over, and the kids, were posted as proof to the forum.
If all this seems just a little bit 'Robin Hood', it's a comparison not lost to the hackers themselves. "Anyone can become a modern Robin Hood" one hacker posted to the forum. But perhaps the most intriguing charitable act has been the development of a 'needy support' capability. "They have established a process in one of the forums," explained Mador, "where parents of children who are sick and the families are poor, can submit a request for support. So, if a child needs some medication or surgery and the parents cannot pay for it, they can submit a request for support with supporting documents -- and there is a very specific post in one of the underground forums specifying exactly what documents are needed to get support from the forum."
It's not just the members that get involved. One forum promises to donate half the money it collects to the charitable work. It gets this from two primary sources -- using the forum for advertising; and through arbitration services. "If two forum members get into conflict," said Mador; "let's say one bought a service from another one, and promises were not fulfilled, they go to arbitration. Here the forum administrator will work with them to decide on who is right and who is wrong; and to determine any compensation. Part of that compensation goes to the arbitration fund -- and part of that goes to charity."
One of the forums publishes a list of donators and amounts. The names are obviously false or online handles -- but some individuals can still be recognized. Petr Severa donated more than $100. He is now better known as Peter Yuryevich Levashov, after being arrested while holidaying in Spain and extradited to the U.S. He is now awaiting trial in Connecticut on eight charges, and faces 50 years in jail.
As the cybercriminals' charitable work grows, so too does a need for improved administration. "In one of the forums," said Mador, "it was suggested that since this charitable work takes time and effort, it needed a manager to manage the whole process. It was further suggested that they should hire a woman -- and it specifically had to be a woman -- to manage the funds. They also mentioned that their 'punchers' would check the candidates' information." Punchers are people in the criminal underground who have expertise in getting confidential information about people -- so the candidates should expect a pretty invasive background check on their credentials.
The picture painted really is one of the romantic Robin Hood idea: robbing the rich to pay the poor. Mador doesn't accept this, finding the situation to be more ironic than romantic. It would take an analysis by psychologists and sociologists to understand the causes and motives behind the rise of underground charitable work; but Mador does concede that there may be an element of cultural patriotism among some of the Russian and eastern European hackers.
Ilia Kolochenko, CEO of High-Tech Bridge, sees nothing attractive in the phenomenon -- he finds it alarming and an indication of a growing breakdown in government authority and increasing anarchy. "The substance of the charity is certainly laudable and justified. However," he told SecurityWeek, "it also serves as a harbinger of the global cybersecurity crisis. Governments and law authorities are unable to protect their citizens in the digital space anymore. Cybercriminals are undermining governmental authority by helping indigent people abandoned by the state. What will be the next? Cybercriminals offering private protection in the digital space for a reasonable cost affordable to the citizens? Governments will lose their authority and power, and Robin Hoods will reign.”
Chicago-based data security and compliance solutions firm Trustwave was acquired by Singapore Telecommunications (Singtel) for $810 million in cash in April 2015.