Thieves and geeks: Russian and Chinese hacking communities

Original author: Winnona DeSombre and Dan Byrnes
  • Transfer
The Insikt Group team (project Recorded Future) explored the possibilities, culture and principles of organizing Chinese and Russian hacking communities. To do this, the guys analyzed the ads, created fake accounts and talked to the participants of the hacking forums.

Recorded Future - the company tracks everything that happens on the Internet in real time. Predicts and analyzes cyber threats. Works with the support of the CIA and Google.

If you are interested in the culture of hackers: what drives their actions, how communities are organized and where to expect threats - read our squeeze from the Insikt Group study. Squeezed the most interesting + our thoughts on this matter.

As noted by Insikt Group, most often we speak of hackers as an abstract mass. But in fact, in this environment there are several very different communities with their own history, motives and, if you wish, a code. Hackers of each country are unique. Often, researchers do not take this into account - they talk about everyone at once or single out Russians.

Employees of the Insikt Group compared the leaders of the cyber-crime world: Russians and Chinese. And they began with their story.

Patriotism or money - history and motives

Russian hackers - the spirit of theft

According to the Insikt Group: although both Chinese and Russian hacker groups originate from similar authoritarian states, the history of their emergence and motives are different.
Russian-speaking cybercriminals value money in the first place, although the phenomenon of financially motivated hacking originated in the United States.
One of the first hacking forums - Counterfeit Library - appeared in 2000 and was focused on the English-speaking community. In response, 20 Ukrainians created the "Odessa Summit", which then grew to the Russian-speaking "Alliance of Carders" or "Planet of Carders." The forum was distinguished by a strict hierarchy of moderators, who carefully checked all suppliers of CVV ​​codes, eBay accounts, skimmers, etc. Western fraudsters adopted this experience of community organization and created ShadowCrew. A few years later (in 2005), the Carders Market appeared, where western and eastern hackers could trade with each other.
Home page of Counterfeit Library, one of the first forums of carders and other fraudsters

When cybercriminals of Russia and China were just beginning to unite in communities, the FBI hunted for them in America. Evidence of this - high-profile operations such as Shrouded Horizon, Firewall and the elimination of DarkMarket.

High technologies reached Russia and other countries of the former USSR by the beginning of the 2000s. Then there was the boom of Internet fraud. Due to low wages, educated, tech-savvy people became hackers.
Peter Levashov, aka Severa - distributed fake antivirus software. He turned the victim's computer into a part of the notorious botnets Waledac and Kelihos.

Evgeny Bogachev developed a special Trojan ZeuS. With his help, JabberZeuS, Business Club and other criminal communities managed to steal more than $ 200 million from US and UK financial institutions.

Chinese hackers - the spirit of patriotism

If the Russians were motivated by money, then the Chinese were united against the background of patriotism. Lest the “century of humiliation” be repeated - a period when the great foreign powers forced China to sign unequal treaties, concessions and provoked opium wars (XIX - early XX century).

Against the background of the anti-Chinese unrest in Indonesia in the 1990s, users created forums, groups in social networks and electronic bulletin boards. They discussed the defaults against Indonesian government sites ( Defeis is a type of attack that causes the contents of the home page of the site to be replaced, and access to the rest of the pages is blocked. Approx. Transl.). As a result, the first groups of Chinese hackers appeared: the Green Army, China Eagle Union and Hongke (or Honker) Union. They also participated in the first attacks on the United States and other opponents of China.
One of the famous: DDoS-attack on the sites of the White House and large American corporations - one month after the collision between the American reconnaissance aircraft and the Chinese fighter over Hainan Island.

The result of the deface of an American website by the Hongke (Honker) Union group

Modern hackers are still money and patriotism

Today, Russian hackers are also important money, and Chinese - patriotism. But since the emergence of these communities, much has become more complicated: the organization of forums, promotion abroad and relations with the authorities. We grouped the main conclusions of the Insikt Group by items - that's what happened:

Money or community

For the Russians , of course, money. In their forums there is little room for friendship. These are more business resources than platforms for communication. Respect and trust win the most successful hackers: more deals - higher rating. No in this corner of the darknet and the institution of mentoring - to teach someone without a clear financial motivation?

But if Russian hackers are businessmen, then businessmen are good, customer-oriented. Wholesale carders return funds for declined cards. Trojan sellers and spam mailings arrange holiday discounts and sales. And abuzoustoychivye hosters transfer rewards to their customers for attracting referrals. They learn marketing from the largest corporations, which then attack.

ChineseHacking forums, on the contrary, are permeated with community spirit. This culture is well conveyed by the term "spirit of the geek" (极 客 精神) - refers to the technically educated people who hope to create an ideal society. Perfect? More just society? The context is small, but the idea how much Chinese are gay in the community is understandable.

People on the forums sincerely praise the wonderful skimmers, coders and sniffers. They write heartfelt thanks to sellers personally and actively share feedback to improve products. To support communication, the Chinese set special requirements. Decided to buy or sell malware - contact the counterpart through a comment or a personal message. Want to keep your membership - be an active user and communicate daily with other members. Such activists are even encouraged by intra-forum currency. And the gamification system works for engagement in the community.

Post on the forum. To get access to software that copies digital signatures, you need to reply

Supporting posts on the forum: the authors thank the user for sharing access to the program he created

With training here, too, everything is in order. The Chinese are promoting special programs: experienced hackers teach beginners for money, and also take care of themselves - for greater community involvement.

From the editor:
About the Chinese, of course, it sounds super cool. Even somehow you forget that they also earn money by hacking. And about the payment of education, the authors of the study mention somehow casually. Compare: about learning from Russians - “ ... few Russian forum members. ", And the Chinese have Chinese" hackers advertisements for the apprenticeship program.". That is, “Russians do not teach beginners (for free)”, and “Chinese teach beginners (for money)” - hmm ... Well, the context is pumping: Russians make money, Chinese build a community.

Hacktivism and power relations

Although the first groups of Chinese hackers fell apart, their cyber-patriotism laid the foundation for a close relationship between the state and hackers. Individual forum participants were even hired to work in government structures. Now some of them are working in the government, and some of them are leading IT corporations.

Many patriotic hacking sites were later transformed into cybersecurity forums. But not all. As recent events show, when what happened in the East Asian region causes a public outcry - Chinese hacktivists once again take the stage.
In 2012, China proclaimed sovereignty over the Diaoyu Islands. After active diplomatic disputes with Japan, the country needed support. And on the Hongke Union forum (8 years after the official dissolution of the group), a publication appeared with potential goals for deface, all 300 are Japanese organizations.

In 2014, China delivered a drilling rig in the territorial waters of Vietnam, followed by a series of Chinese pogroms. In response, a new group of hacktivists 1937CN compromised a number of Vietnamese sites. In 2016, they also broke into the registration systems of Vietnamese airports and published personal data of more than 400 thousand passengers. Presumably because Vietnam has placed rocket launchers on disputed islands in the South China Sea.

It is difficult to determine for sure how independent the actions of these hackers are. The malicious code used in the attack of the 1937CN group on Vietnamese airports was also involved in a larger campaign - cyber espionage against Vietnam. The alleged sponsor is the Chinese government.
In general, many Chinese hackers admitted to providing services to national intelligence agencies and military organizations (such as the Ministry of State Security and the People’s Liberation Army).
However, the 1937CN group definitely demonstrated elements of hacktivism. For example, 1937CN has its account on the Zone-H portal portal, accounts in various social services. networks associated with their site, and even the promo video uploaded to the popular video hosting in July 2017: a few people in hoods and masks of Guy Fawkes.
Russian, too, more than once played the role of people's avengers. The victims of such attacks were Estonia, Georgia and other states / officials and individuals who were seen in the unfriendly attitude towards the Russian Federation.
When a monument to Soviet soldiers was dismantled in Estonia, the pro-Kremlin youth group “Nashi” posted a DDoS bash script on LiveJournal, which attacked a certain list of Estonian aypishnikas. Due to this, any caring citizen could take part in the fight.

During the brief Russian-Georgian war, simultaneously with the advancement of Russian tanks, a DDoS attack (BlackEnergy botnets) was launched. According to a certain source, hacker Peter Levashov (Severa), sent spam with unconfirmed information that the Kremlin, Mikhail Prokhorov and hackers from the community of “Civilian anti-terror” attacked the sites of Chechen militants and Islamists.

Data from the study "Politically motivated DDoS-attacks" from Arbor Networks (a large American company, sells protection against DDoS and other security solutions. Approx. Trans.).
The relationship of power to hackers in Russia, as in China, is quite loyal. Arbor Networks even identified Kremlin-backed hackers: Karim Baratov and Alexei Belan. The researchers believe that these hackers were recruited by the FSB to lead the hacking of Yahoo in 2014.

As for the rest of the cybercriminals, both Russian and Chinese , in order to remain free, they must abide by one unwritten law: do not go against their own. For Russians, this includes residents of the CIS. And test development on fellow Russians is possible. ( It’s not very clear what the authors meant: can you write a trojan and test it on Yandex? Or are we talking about small companies and private owners? In any case, there are not enough proofs. Ed. )
So Dmitry Fedorov aka "Paunch" distributed malware around the world through Blackhole - a program of its own design. However, he was detained only after the sale of Blackhole for use in Trojans Carberp, the victims of which became the Russians.

Pavel Wroblewski, owner of the ChronoPay Russian processing service, provided services for money laundering from the sale of illegal drugs and fake antiviruses. The Russian government did not object at all. But when he ordered a DDoS attack on Assist (the domestic payment system), he was immediately arrested.
From the Editor:

From the text, we see that the Chinese are reluctant to shut down their hackers - more often when they appeared in major international scandals. It seems that this is due to the concept of a person (面子).
- includes the conquest and retention of respect for others. A lot of China’s culture revolves around this concept, especially when it comes to family and business. “Face loss” is so terrible for the Chinese that they would rather be deceived than honestly tell about their failures and shortcomings. For example, single Chinese women, going to their parents for the holidays, often order the service “hire for hire” to disguise the failures in their personal lives.
Researchers consider the concept of a person, but in the context of why the Chinese buy fake diplomas and business licenses. It seems that in the attitude of the state towards hackers this concept also works.

Community organization

Russian criminal forums are well structured: fraudsters and hackers operate at different sites. The Chinese are not so - the maximum is different sections. This once again confirms that the Russians are focused on making profit, and the Chinese are focusing on creating a community.

The menu of the site for the sale of drugs with the section "Hacking", next to the sections "Mushrooms" and "LSD".

The division into open, semi-private and closed forums is in both countries. The inaccessible resource - the harder and better the goods on it. In open areas, just register. In semi-private - to make an entrance fee of about $ 50 or confirm membership on other resources. To access private forums, find a guarantor among existing members and / or confirm the authenticity of their products.
There are specific requirements. In some Russian forums, for example on Exploit, only users with a certain number of posts get access to more valuable content. And some Chinese hacker groups in QQ and WeChat move only in semi-private forums. So, to get into the group, you must first get to the forum.
Both Russian and Chinese forums support blacklist functionality. Users provide evidence that they have received poor-quality or frankly fake material, and administrators, after checking this information, add the supplier to the ban list. is a website dedicated to kidal hackers. Their website is 15.839, and this number is growing.

Access to most Russian forums is open. When you need tools to bypass locks, most often use Tor-mirrors. In China, the strict censorship regime - since 2000, the Golden Shield project or the “Great Chinese Firewall” has been operating. First, the goal of the project was to introduce the latest technologies to combat crime, then to limit access of Chinese citizens to content that the state considers inappropriate or offensive.

The Great Firewall even knows how to identify and interrupt outgoing connections to the Tor network - and this complicates access to international forums and cybercriminal marketplaces. The last way to jump over this wall is to use a VPN. But since 2017, the government has introduced compulsory licensing of VPN services, and many of them have closed. Visiting international hacking portals has become even more difficult.

Editor's note:

In general, the community organization of the Russians and the Chinese is very similar. But the Great Firewall - sad irony - hits the Chinese hackers, despite their hacktivism and state loyalty.

Promotion of services abroad

As we remember, Russian hackers are primarily interested in money. There is no Great Firewall, and they are actively selling their services abroad. They post posts in Russian and English, sell databases and credit cards of residents from all countries.

It is not easy for Chinese hackers to break through with their products abroad because of the Great Firewall. Therefore, they develop their own communities: create more open hacking forums that are easily accessible on the local Internet, and develop groups based on the first patriotic forums. Also they actively use closed chat rooms and forums in popular messengers and social networks: QQ, Baidu and WeChat.

If Russians sell data of people and companies from all countries, then there is much more Chinese data on Chinese forums. And you will not find them on foreign sites.

Why Chinese do not merge data overseas? There are several suggested reasons:

  • difficult to use information - you need to know and understand local realities;
  • inconvenient use of products - focused on the Chinese, the functionality and principles of operation differ from their Western counterparts;
  • interferes with the language barrier.

So, the Chinese love to develop their community, and when the Great Firewall came and they had difficulties with entering the foreign market, they began to develop their community more actively. All right, but now researchers note a reverse trend. The Great Firewall does not allow to sell services in its own country - the Chinese are trying to break through abroad. Evidence of this - the Chinese posts in the Russian and English forums.

It turns out that the government literally pushes Chinese hackers abroad. And, as we remember, they go there with unique data of Chinese citizens and companies, as well as means of hacking Chinese resources. Well, now the international cybercriminals community has more opportunities to attack targets in China, steal accounts and other data.

The breakdown of posts of individual forums by language, data Recorded Future

From the editor:

Do you see the yellow bars on the right? And I do not see, but they are there.


Insikt Group researchers believe that the Russians will continue to focus on money, and the Chinese will react sharply to political events.

Most of all it is worth being afraid of Russians with their sophisticated methods and peculiar tactics. These guys want to earn all the money in the world, and at the eye of the organization of all countries.

As for the Chinese, Insikt Group believes that the government will not succeed in closing down all the hacking resources. And thanks to the growing activity of the Chinese in international forums, they will learn from the experience of their colleagues.

Authors are advised to keep track of events in underground forums, look at what products are currently popular, and monitor the political situation (especially if your business is in East Asia).

From the editor:

If it is interesting to read about Russian hackers, in 2016 a study about them was published by Kaspersky Lab - “Russian hackers: what they break, how much and why they are the best in the world” .

As for the work of the Insikt Group , most of all I remember “the Chinese are a community, the Russians are money”. The thought passes through the entire text, and this is not a bias in the pressing - you can be sure of reading the full translation (carefully, you have preserved the pseudo-scientific style of the original). I do not know about you, but I still have the feeling that the Chinese do not earn money by hacking. Perhaps you have this feeling even more, because we threw out a piece about the content on the forums (what they sell) and the payment methods (not very interesting, but there is at least China and money in one sentence).

In general, the authors do not say why it is Chinese and Russian (Russian-speaking) hackers who are considered. About the fact that the issue of leadership in the cybercrime market is editorial liberty. But with this imbalance of the Chinese from money to the community, the question “how did they get into the top hacker powers” ​​becomes even more relevant. Or not - what do you think?

Also popular now: