WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 25, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
In a few previous blogs, we’ve covered how threat actors discuss prison on Russian-language cybercriminal platforms. We’ve touched on high-profile arrests of cybercriminals, their thoughts on the likelihood of ending up behind bars, and how they rate their chances among hardened traditional career criminals. We’ve never really focused on the language used in these forum discussions, but this is crucial for analyzing this chatter. Forum discussions about jail usually showcase a linguistic phenomenon unique to Russia and the former Soviet Union: Феня (Fenya). This slang vocabulary represents a gateway to the murky world of Russian prison culture, where a cell phone is a “pedal”, trouble is “weed”, and to make a promise is to “give someone your tooth”. This blog will explore this fascinating phenomenon and explain why security researchers must have a solid grasp of it to fully understand forum discussions.
Fenya is a secret language used in correctional facilities across Russia and the former Soviet Union. There are competing hypotheses about Fenya’s etymology. Some say it comes from something similar to pig-Latin, in which “fe” and “nya” were inserted between alternate syllables of a word to confuse those unaware of the convention. Another competing theory suggests that Fenya comes from the language of the “Ofenyi”–traveling merchants and icon peddlers in Russia during the Middle Ages and Imperial Russia–who used a secret language when speaking to each other to dupe their victims. Although Fenya’s exact etymology is unknown, its influences are much clearer. It contains a large mix of German, Greek, Georgian, and more recently–owing to mass incarceration of Jews during Stalin’s rule–Yiddish and Hebrew.
Fenya is much more complex than the prison slang seen in the West. It has a rich and varied vocabulary full of double meanings that is incomprehensible to even native Russian speakers. Fenya is a way for prisoners to communicate with others in the criminal community without being understood by those outside it, but it’s also a language of identity. Even the way in which users profess knowledge of the phenomenon is coded: ботать по фене (botat’ po fenye) “to know/speak Fenya” literally translates to “to cram on the hairdryer”. To speak Fenya is to associate yourself with the Russian criminal underworld, its members, and its cultural institutions. To use Fenya is to show others that you are part of a world of extreme and institutionalized violence.
When prisoners were released en masse from Soviet Gulags in the 1980s, wider Russian society encountered Fenya for the first time. Fenya has since permeated government institutions, universities, the military, and even the police. Even Russian President Vladimir Putin has employed Fenya on occasion. For instance, he used the phrase “Ваше место у параши” (vashe mesto u parashi) = “Your place is by the slop bucket” to characterize the West’s treatment of Russia after the collapse of the Soviet Union as degrading. “Parasha” is a Fenya word meaning “slop bucket” or “open toilet”, which prisoners of the lowest ranks must sleep next to.
Although many Russian speakers are aware of Fenya’s existence, strong taboos surrounding its use mean that they are reluctant to admit to understanding it. Fewer still would want to use it — after all, it’s a criminal language. Prison authorities even banned the use of Fenya in jails in 2013. Lexicographers have also noted the difficulties in compiling Fenya dictionaries, due in part to its users’ aversion to outsiders. As a result, few credible resources are available for those who wish to learn it.
Fenya is everywhere on Russian-language cybercriminal platforms. It even made multiple appearances in the chat logs of the ransomware group Conti, which were leaked in February 2022. Despite its ubiquity, it’s hard to spot if you don’t know what you’re looking for. We’ve stressed the importance of understanding technical jargon before, and it’s a similar story here. Many words have a double meaning in standard Russian and Fenya, which causes problems for security researchers who copy Russian-language posts into machine translation software. This often results in a totally incorrect translation or misses a subtle nuance only visible to those familiar with Fenya and its speakers. Russian-speaking threat actors use Fenya in four main ways on forums: normalized terms used unwittingly, to impede researchers’ understanding, for credibility and legitimacy, and for authority.
A few Fenya words have become so widespread and normalized on Russian-language cybercriminal forums that many will not even recognize them as Fenya and may believe they are simply community terms. For example, халява (khalyava), meaning “giveaway”. This word of Hebrew origin appears in titles of forum sections in which users freely share useful items such as mail:pass combolists, email leads, and stolen identity documents.
Another important term is мусор (musor). In standard Russian, this means “trash, garbage”, but in Fenya, the word means “cop, police”. So when one forum user asked “форум мусорской?” (forum musorskoy?) they were not inquiring about the quality of the platform’s content. Instead, they were asking whether law enforcement had infiltrated the forum. Other crucial Fenya words are бабки (babky) “money” and красный (krasnyy) “informant” (lit. red).
Forum users are keenly aware of the presence of security researchers on their platforms. Just as initial access brokers often refrain from naming their victims outright to make it harder for researchers to track, forum users may employ Fenya to make it difficult to follow their conversations. For instance, the Greek-origin term пиндос/пендос (pindos/pendos) was the name of a city and mountain range in ancient Greece. In Fenya it is a derogatory term for Americans often used to denigrate “Yanks” during discussions about Western law enforcement policies.
Due to the anonymous nature of cybercrime, a threat actor’s reputation is everything on a forum. No one wants to deal with someone they can’t trust. Concerned for their operational security, many traders on Russian-language forums explicitly state that they do not work with non-Russian speakers, for fear of interacting with researchers or law enforcement. Using Fenya can help users add a bit of credibility to their online accounts. Given the difficulty of learning Fenya as a non-native due to the lack of widespread and up-to-date resources, using it may be one way of proving your Russian-ness. In addition to individual words, Fenya has a rich repository of idiomatic phrases, some of which have spread to colloquial Russian. A few cybercriminal favorites are:
Yet it’s not enough to just learn a bit of Fenya and pepper your forum posts with this vocabulary. Despite its centuries-old history, Fenya is a constantly evolving institution, with new words added every year to keep up with changes in technology and culture, and old words changing in meaning or becoming obsolete. Forum users who want to appear credible must keep up to date. Recent additions include:
In many ways, cybercriminals see themselves as a different breed from their offline counterparts: They inhabit a world where technical knowledge trumps your ability to fight, fire a weapon, or outrun the police. However, when convicted, black hats often end up in the same place as pickpockets, armed robbers, and murderers. Forum users pepper their posts with Fenya when discussing past or potential future stints in the зона (zona), “the zone”, Fenya for high-security prisons in Russia. Using Fenya in this context shows that you know what you’re talking about – that you are part of and comfortable around the extremely violent Russian prison culture. There’s an element of bragging in this, with forum members who have served time–or wish to give this impression–using elements of Fenya as “proof” of their authority to speak about prison experiences.
In instances like this, knowledge of Fenya and prison culture help researchers extract additional context. When discussing the Russian penitentiary system’s recent proposal to “hire out” convicted IT specialists from within Russian prisons, one user asked whether many IT specialists “на нарах парятся” (na narakh paryatsya). Machine translation software will tell you this phrase means “to steam on the bunk beds”, but the user was actually asking whether there are many IT specialists in Russian prisons. And there’s an additional nuance that is lost on the layman. Нары (nary) are the lowest beds in a Russian prison cell, closest to the slop bucket, reserved for the lowest ranks of the six castes in the Russian prison system. This user may be hinting that those convicted of cybercrime in Russian prisons will face a more difficult time.
We’ve barely scratched Fenya’s surface here, but hopefully you now have at least some understanding of its use and importance when researching the Russian-language cybercriminal scene. At Digital Shadows (now ReliaQuest), we understand that knowledge of the linguistic and cultural aspects of cybercrime is just as important as the technical when painting an accurate picture of the threat landscape for our clients. Just as cybercriminals are so keen to exploit it on their end, understanding the “human factor” is vital when trying to understand and defend against threat actors. After all, there is a human behind every attack. Understanding the real meaning behind their language helps to paint a clear picture of a threat actor’s intentions and motivations, which in turn helps defenders counter them.
If you’d like to know more about how threat actors communicate, get a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. You can additionally get a 7-day free trial of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here and receive actionable alerts regarding cyber threat activity.