Montri -

Nation states buying hacking tools from underground Russian cyber forums

State-sponsored hacking groups, posing as hacktivists, are using Russian cyber crime forums to stock up on cyber weapons, says Check Point Software’s threat analyst, Sergey Shykevich

Nation states have been identified shopping on Russian cyber crime forums for malware they can use to wipe computers of data in hostile hacking attacks.

Russian-speaking hacking forums, including Exploit and XSS, run black markets in tools and services used by cyber criminals intent on making money by hacking computer systems and stealing data.

According to Sergey Shykevich, a threat intelligence expert at cyber security company Check Point Software, nation states are increasingly using underground cyber crime forums to pose as cyber criminals and hackers.

“Nation states understand that to pretend to be involved in hacktivism allows them deniability,” he told Computer Weekly. “They don’t want to be accused, even if everyone knows it’s Russia, or Iran.”

Russian forums

Some of Russia’s cyber crime forums have been in operation for more than 20 years. One of the oldest Russian-speaking forums is Exploit, which was established in 2000 and contains one million messages on over 200,000 topics, said Shykevich.  

“They offer everything you could imagine,” he told Computer Weekly. “It starts with software vulnerabilities. You can rent malware, ransomware as a service and spam as a service to distribute fake phishing emails and currently even AI [artificial intelligence]-related services, and deep fake platforms.”

The forums generally exist on the deep web and don’t require a specialist Tor browser to access. But they are strictly members only.

Iran suspected of buying wiper software

Check Point discovered last year that Russian underground forums were offering wiper software, which is designed to destroy computer data irreversibly.

Wiper software is of no interest to cyber criminals who normally inhabit Russia’s hacking forums – strongly suggesting nation-state involvement.

“We saw someone, probably the Iranian government, looking for wiper software,” said Shykevich.

State-sponsored hacking groups are better funded than typical cyber criminal groups, and are not shy of advertising their spending power, said Shykevich.

They typically pay larger deposits to the administrators of cyber crime forums than other members of the hacking community.

“From all these, we can assess with relatively high confidence, those are not regular cyber criminals,” said Shykevich.

They spend money building up (banking) stocks of valuable zero-day exploits that can be used to break into target computer systems.

“We see threat actors who say they are banking exploits. Their budgets are unlimited,” said Shykevich.

Nation-state hackers frequently add another layer of cover by using legitimate cyber security testing tools – which are readily available on Russian cyber crime forums – to probe the networks of vulnerable computer systems.

They are less likely to arouse suspicion than custom-made hacking tools.

Shykevich estimates that only one in 10 people using pen-testing tools are genuine security experts. “Most of the tests are bad actors,” he said.

Forums run like a business

Members of Russian underground forums operate like typical businesses and are concerned with profits and monthly revenues from selling their exploits and hacking services.

In Russia, they display their wealth openly. One of Russia’s most famous cyber criminals, for example, reputedly spent over half a million dollars on an ostentatious wedding in Moscow.

Anyone applying to join a forum can expect to undergo vetting to ensure they are a genuine cyber criminal rather than law enforcement or a security researcher. Membership fees range from £50 to several thousand.

The forums have systems of rules and arbitrators who can issue verdicts when parties are in dispute over payments.

Visitors can expect to find a complete “kill chain” of hacking services.

Initial access brokers

The chain starts with initial access brokers. They sell credentials to access companies’ IT systems, through VPNs or commercial remote access tools, such as AnyDesk, for relatively small sums.

Check Point, for example, identified one broker selling access credentials for an anonymous Japanese company that used AnyDesk remote access tools for $3,000.

Such advertisements do not name the target companies to protect their identities from security researchers and undercover police. But they do indicate the target’s revenues – an important metric for ransomware attackers that know they can secure higher ransoms from richer companies.

“They evaluate the value of specific access based on the revenue of the company and how much they can extort the company. The bigger the company or the wealthier the industry, the more they can extort,” said Shykevich.

Spam and zero days

Services on offer include spam servers that distribute spam emails for a fee. Many are turning to AI to craft emails that will not be detected by Spam filters and are seeing success rates of 70%.

Some criminals specialise in developing exploits from newly discovered zero-day vulnerabilities within a few days of their publication – much more quickly than companies can patch.

Other services allow people to take existing malware and change the code so it can avoid detection by antivirus software.

“One of the things that are important for cyber criminals is that their malware is not detected,” said Shykevich. Modified malware is able to survive undetected for years.


In most Russian underground forums, ransomware is prohibited, but at least one Russian forum offers ransomware as a service, according to Shykevich’s research.

Services are provided by groups that develop the ransomware code and criminal penetration testers that do the hard work of accessing company networks.

Ransomware developers typically take a cut of 20% to 30% of the revenue from a successful ransomware attack. With some ransom payments running to tens of millions, the fees are significant.

The underground Russian marketplaces have a rule that users are not expected to attack other Russian-speaking countries. To do so would likely result in arrest or imprisonment, said Shykevich.

“As long as they don’t target those countries, they can do what they want,” he said. “It is a double win. They earn money for Russia and they show that the West is vulnerable to cyber attacks.”

LockBit’s public spat exposed on Russian cyber forum

A remarkable spat on the Russian cyber crime forum XSS between the developer of LockBit ransomware and a new forum member may have contributed to the downfall of the ransomware group.

A newcomer to the forum, described as an initial access broker, provided a means of access to a LockBit affiliate that broke into the network of a company, securing millions of dollars in ransom payments to decrypt its files.

The developer, known as Michon, wanted his share, and made it loudly known in a public spat on the forum at the end of January 2024, according to Sergey Shykevich, threat intelligence expert at security company Check Point Software.

The LockBit cyber crime group, which was taken down in an international police operation in the same month, was responsible for an estimated 30% of ransomware victims worldwide. It published data stolen from 1,600 companies, but the real number of victims will be much higher as LockBit only identifies companies that don’t pay.

Michon asked for a cut of at least 25% but LockBit offered $5,000. With the two at loggerheads, Michon started a chat group attempting to blacklist LockBit from the XSS cyber crime forum.

When LockBit suggested appointing a private arbitrator, Michon instead went public, sparking a debate as hundreds of supporters chipped in to urge the ransomware developer to pay the “boy” for his work.

The administrator of the forum nevertheless came back with a seven-page verdict: LockBit should pay 10% of its profits from the attack to Michon for providing access, Shykevich told a conference in Vienna in February 2024.

When LockBit disagreed, the ransomware provider was banned from the site and accused of stealing money.

LockBit appealed, hoping that another judge would make a different decision. The appeal did indeed exonerate LockBit. “Was any deal made? No. Should LockBit pay out anything? No,” the judge decided.

Two days later, LockBit was taken down in an international police operation. But only two or three of the people who laundered money were arrested. LockBit’s brand is damaged in the criminal world for refusing to pay up, but it is still attempting to re-establish itself.

“LockBit became too rich and became not really connected to the real world,” said Shykevitch.

Read more on Hackers and cybercrime prevention

Data Center
Data Management