Notes from Black Hat USA 2024: “I hate to report it, but the Russian underground is as strong as ever”


Cut off one head, and two more take its place. It might seem that fighting cybercriminals is an uphill battle. But one expert we met at the Black Hat USA 2024 in Las Vegas appears hopeful.

“I don't think that you'll be happy with the answer,” Intel 471 Chief Intelligence Officer Michael DeBolt, a former law enforcement officer, told Cybernews when asked to share the latest cyber underground trends.

Why? The current trends just aren’t that sexy, he elaborated. Organizations are still mostly dealing with the same issues, such as ransomware. And the “password problem,” as DeBolt put it, is still a major headache.

ADVERTISEMENT

However, some things seem to be changing. For example, the underground sub-economies, such as the initial access brokers (IABs), have solidified. IABs – threat actors specializing in breaching and selling access to various companies – leverage “partnerships with existing ransomware groups because these ransomware groups have realized that they're a resource that they can use.”

Is there hope?

IABs are nothing new, and when Cybernews started reporting more consistently on the market a few years ago, the industry seemed hopeful that underground might be disrupted. And yet, cybercrime gangs indeed resemble a Hydra – if you cut off one head, two more quickly appear.

We’ve seen repeatedly how, after a successful law enforcement operation, a certain targeted cybercrime ring rises like a phoenix from the ashes. Even after their infrastructure is taken down, cybercriminals manage to get back to their dirty business operations, given they are not handcuffed. And most of them are not, since they aren’t operating from US soil.

Many operations are orchestrated by crooks residing in unfriendly nations like Russia, where the government turns a blind eye to cybercriminals as long as they attack a common enemy.

However, DeBolt is hopeful – even if law enforcement operations don’t actually put an end to cybercrime, it imposes costs on the underground operations.

“So what if it doesn't create these long-term effects that everybody wants, right? I mean, it'd be great if we could go and put handcuffs on all these people, and that would be like the ultimate deterrent. But if we can just impose costs, [...] The underground is all based on reputation, brand, and reputation. It's not unlike, you know, Fortune 500 companies that build their business on brand reputation,” DeBolt said.

Let’s take a public bust of LockBit’s operation as an example.

ADVERTISEMENT

“I love what law enforcement did with LockBit, where they kind of turned the tables a little bit. [...] Law enforcement really was loud about it, and as they should have been. And it caused a lot of chaos and uncertainty for potential partners and affiliates that LockBit was trying to work with.”

DeBolt believes there’s a lot of untapped potential in what law enforcement can achieve in disrupting the underground, especially when in partnership with the private sector. Law enforcement capability, he believes, is getting better and better, and it will “make the world a better place.”

The untouchables

Russia doesn't penalize cyberattacks against the West and even incentivizes them in a way. Is it possible to fight against such a cyber power as the Russian underground?

When Russia invaded Ukraine in February of 2022, there was a lot of movement in the underground, and there was a dip in activity. However, “I hate to report it, but it's as strong as ever,” DeBolt said.

The Russian underground seems to be, at least from what we gather, a stronger player than the Chinese one.

First of all, as per DeBolt, China, another (cyber) power in the world, seems to be less of a threat if “as a Chinese national if you're conducting cybercriminal attacks, you're not immune like you are in Russia.”

What is more, the establishment of cybercrime forums is all Russian speaking.

“Russian-speaking actors have a lot more opportunity, a lot more forums that cater to Russian-speaking actors,” DeBolt explained.

ADVERTISEMENT