While the Russian invasion of Ukraine has largely been met with horror and condemnation across the globe, the conflict has also proven highly divisive within the world's cybercriminal community. Opinions on Russian President Vladimir Putin's so-called 'special military operation' depend on several factors, notably the cybercriminal's background, political beliefs, or other nationalistic drivers. As we've reported in previous blogs, some internet users have taken it upon themselves to play an active role in the conflict, hitting Russian organizations with data breaches, distributed denial of service (DDoS) attacks, and defacement activity. A new forum that is pro-Ukrainian, anti-Russian, and anti-Belarusian has since been identified, giving users a place to get involved in the fight. Check out the details on "DUMPS Forum" in our blog below.
What is the forum’s goal?
DUMPS Forum appears to have been established in late May 2022. Its membership is unknown but likely numbered no more than 100 at the time of writing. At first glance DUMPS Forum looks like every other run-of-the-mill Russian-language cybercriminal forum: there are sections for trading illicit material, carding, malware, and selling access to targeted networks. At present registration is open to anyone, with no vetting; however, there is an ongoing request from members for an invite system, which may become the main method of gaining access if the forum builds its notoriety. What sets DUMPS Forum apart is its stated goal of supporting the Ukrainian war effort against Russia. The forum's opening statement makes this intent clear:
“Information services / leaks or other services on our forum are allowed in relation to only two states, these are the Russian Federation and Belarus. Topics that mention other countries are not allowed. This is the main rule of our forum”
The forum's intent is also expressed through the "support" button in DUMPS Forum's header, which redirects to a page of Russia-Ukraine war information and pro-Ukraine charities.
This is the only forum we're aware of taking such a stance, which puts DUMPS Forum in a unique position while also painting a target on its own back: if the forum develops into a well-known and successful project, it will likely attract counter-activity from Russia-supporting cybercriminals. The brazen nature of the forum is perhaps best illustrated by the forum administrator actually posting their location, which points to a residential apartment in Kyiv. The roof of the building carries an insult directed at Vladimir Putin; if you want to run it through Google Translate, go right ahead: "путин хуйло". We've no idea if this location is actually the admin's home, but it captures the spirit of defiance and resistance in which the forum was built.
Heads above the parapet: Taking an active role in the conflict
All topics within the forum must be aimed at activity directed against Russia and/or Belarus. Much of the activity centers on sharing data leaks, advertising DDoS attack services, forged and stolen identity documents, and anonymous and bulletproof hosting services. The forum also contains sections for the trade of initial access, carding, instant messaging and social networks, and spam, but these remained empty at the time of writing. By far the largest section of the forum is the Leaks section, in which users share data stolen from Russia-based government and private institutions, including several well-known and important Russian government bodies and utilities providers.
The DDoS-as-a-service advertised on the site allows users to order attacks on any network resource "quickly, qualitatively, effectively". The advertised attack capacity ranged up to 500 Gbps. Layer 4 attacks were priced at $80 for one hour or $500 for 24 hours; layer 7 attacks were priced at $600 for 24 hours. DDoS attacks and defacement activity have returned in a major way since the onset of the war, largely committed by an army of hacktivist actors operating on behalf of both sides of the conflict. DUMPS Forum, and similar forums that may follow it, have a big role to play in this hacktivist resurgence, with hacktivism having had significant success in causing disruption and sabotage at Russian entities.
Probiv and encouraging partisans:
Another large focus of the forum is advertising information services, also known as probiv, covering Russian and Belarusian government agencies, financial institutions, and mobile network carriers. We've covered probiv in previous blogs; it is a Russian-language slang term best translated as "look-up". It describes a service offered mainly on Russian-language cybercriminal platforms in which a user provides a piece of personal data belonging to an individual and, in return for a fee, receives other information associated with that target. Think of it as a paid lookup: hand over a phone number or passport number, get back the rest of the profile.
Some of the items identified in the probiv section of the forum include Russian passport details, data from local wanted lists and criminal records, data regarding suspects or persons of interest, migrant information, and information related to buying tickets for transportation out of Russia. Lists of citizens convicted of possessing illegal weapons were also mentioned. Beyond serving Ukrainian patriotic hackers, this list suggests that the administrators and users of DUMPS Forum are also highly interested in Russian partisans, meaning individuals within Russia who are sympathetic to the Ukrainian cause. Russia naturally wants to keep its citizens away from such content; you've likely read about how Russia has intensified its internet censorship and stifled any potential criticism of the conflict. According to DUMPS Forum, the forum has been blocked for anyone inside Russia. In the post below, the forum administrator uses the word "Rashka", a derogatory term for Russia derived from the English pronunciation of the country's name, complete with a diminutive suffix to convey extra venom. Using this word alone would be enough to earn a ban on a typical Russian cybercriminal forum.
One challenge facing the forum is that its content is almost exclusively written in Russian, which is odd for a pro-Ukraine forum aimed at targeting Russian entities. This likely reflects the forum's goal of reaching members within the Russian Federation, who are unlikely to speak Ukrainian, while recognizing that almost every Ukrainian speaks Russian fluently or to a good level. While some posts have been translated into English, most of the site's content will not be accessible to non-Russian speakers.
The recency of the forum's creation may also limit the amount of activity on the site, as time is needed for its membership to grow. Raising the membership will of course raise the forum's profile, which in turn brings risk: we've previously seen rival cybercriminal forums attempt to take each other down through targeted data breaches or DDoS activity. While some content is reportedly hidden from public view, all of it can be viewed with an account, and download links are revealed once you "like" the post. The forum is also currently open for anyone to join, which could represent an operational security risk; some users have expressed concerns over this and requested an invite-only system.
What comes next:
DUMPS Forum likely has an important role to play in the ongoing Russia-Ukraine war: as a hub for hacktivists and patriotic cyber threat actors, as a symbol of resistance, and as a way of making a demonstrable difference on the cyber battlefield. Any success achieved by DUMPS Forum will, however, attract unwanted attention; the block on access from within Russia shows that the forum is already on the radar of the Russian state. It is also realistically possible that the success of DUMPS Forum will inspire other services looking to play a part in the ongoing conflict.
Here at Digital Shadows (now ReliaQuest), we think it's important to monitor the latest developments in the cybercriminal landscape to keep abreast of the threats to our customers emanating from around the globe. To provide the best possible intelligence for our customers, we need to keep our finger on the pulse of developments, and if we can predict the next forum movers and shakers, all the better. We feed these observations into the SearchLight (now ReliaQuest's GreyMatter Digital Risk Protection) service, which features a constantly updated threat intelligence library providing insight on this and other cybercriminal trends that might impact your organization, helping security teams stay ahead of the game. If you'd like to access the library for yourself, you can sign up for a free seven-day test drive of SearchLight (now ReliaQuest's GreyMatter Digital Risk Protection) here.