Black Hat Illuminates Russian Cybercrime Gangs
Most of the news coming out of the Black Hat conference in Las Vegas focused on the new attack on AES and the bootkit attack on the TrueCrypt full disk encryption product. While these are certainly compelling pieces of research, I also found the reviews of the session on Russian organized crime to be quite interesting. The session was co-hosted by the FBI and McAfee and focused on the causes and consequences of the old-line Russian criminal gangs entering the cybercrime business.
Make no mistake, these guys are not hackers who just happen to have turned to the dark side. There's not really a Russian mob so much as there is a mob that happens to be Russian. Russia has a long history of organized criminal gangs that goes back to the gulags in which Stalin imprisoned his enemies and perceived enemies. The gangs originally formed in these prisons as a matter of self-preservation and branched out into traditional lines of criminal work if and when their members were released. Those of you not familiar with the "Thief in Law" phenomenon should spend a couple of minutes reading this overview piece. These are hardened criminals dedicated to stealing money in any way they can, to the point of believing that any other line of work is "dishonorable".
It's little wonder, then, that cybercrime would flourish in this environment. The FBI estimates that Russian criminal syndicates extract more than $250m per year from the U.S. alone using a combination of hacking financial institutions, identity theft, and other scams. Not only is cybercrime a very lucrative product line extension for the Russian gangs, the penalties if caught are ineffective in the extreme. Jail terms of less than a year are common, barely long enough for their skills to get rusty. So, in the Russian criminal syndicates we have the perfect mix of resources, intent, and environment for cybercrime to grow very big, very fast, while getting very, very sophisticated.
As ComputerWorld reported, the Clampi botnet is now one of the world's largest. Given its design and implementation, it is extremely difficult to trace, let alone defeat. Not only are Clampi's perpetrators leveraging virtualization to stamp out hundreds of "unique" copies of the virus on which it depends for propagation, they are using quite sophisticated encryption techniques to secure the communication between infected machines and their command-and-control center.
If you're not concerned about these developments, you should be. The technologies and approaches the bad guys are taking appear to be moving much more quickly than our ability to contain them, as the recent lack of progress in merely identifying a national cybersecurity advisor proves. As I've noted before, winning (or at least not losing) this battle is going to take more resources, more skill, and more focus than is currently being applied to it.
UPDATE 8/17/09: Government Computer News ran a story today on organized crime involvement in the cyberattacks against Georgia last year. I can't say I'm surprised, but it does make me wonder just what role the Russian mob is playing in executing Russian foreign policy.