WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 18, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
Most readers will be aware of the threat posed by Russian-speaking cybercriminals, be that big players in the ransomware game, the metaphorical mountain of initial accesses traded on Russian-language forums, or the sophistication of Russian APTs. But Ukrainians are heavily involved too. Many a cyber police raid has taken place on Ukrainian soil in recent years. From creating extremely dangerous malware to bulletproof hosting, Ukrainian cybercriminals have proven themselves to be highly capable adversaries. In this blog, we’ll take a look at the use of Ukrainian on the dark web and why Ukrainian-language cybercriminal platforms differ from their Russian-language counterparts.
Our search for Ukrainian-language cybercriminal platforms did not uncover any prominent or active sites. Law enforcement took down the last such example, xDedic, in 2019. xDedic was a fairly successful marketplace selling hacked remote desktop protocols (RDPs) and dedicated servers that could be used to carry out further attacks. hackerst0wn and HackUA were other Ukrainian-language “hacking forums” that went down in 2016 and 2012, respectively. There are still some Ukrainian-language forums online, but these either appear to have been abandoned or never got off the ground in the first place. One forum we found last saw activity in 2010 and currently only has five registered users and two posts across the whole site. The lights are on, but nobody’s home. News reports indicate that many now-defunct Ukrainian platforms catered to more traditional offline crime like credit card theft and money laundering and were linked to crime syndicates in Odessa and Kyiv.
As it turns out, we aren’t the only ones wondering where all the Ukrainian-language platforms are. Ukrainians themselves have been searching for years. One user of a Ukrainian-language programming forum lamented: “I had a look for Ukrainian-language [hacking] forums, I didn’t find a single one” (see Figure 2). But we know the demand is there – we observed another threat actor commenting: “If there were a Ukrainian-language hacker forum, I would hang out there.”
While we didn’t discover a whole swathe of Ukrainian-language cybercriminal platforms during our research, Ukraine remains a hotbed for so-called bulletproof hosting, despite numerous law enforcement campaigns against this industry. These hosting firms afford their customers considerable leniency in the kinds of material they may upload and distribute without getting taken down due to complaints and abuse reports. Many sites advertising bulletproof hosting feature the ability to toggle the site language to Ukrainian, and others use “Ukraine-based” as shorthand for quality and security.
In the absence of currently active, high-profile Ukrainian-language cybercriminal platforms, we turned to “gray hat” Ukrainian-language programming sites to obtain some insight into what the now-defunct Ukrainian-language cybercriminal sites might have been like. These forums are characterized by a sense of community and widespread Ukrainian patriotism. Users frequently discuss Russo-Ukrainian issues, such as the use of Ukrainian at work, Stalin’s policies toward Ukraine, the disputed status of Crimea, and the ongoing war in Donbass–not necessarily topics you’d expect to see on a programming forum.
Users on these sites are really not receptive to the use of Russian. This is perhaps not surprising, given the treatment of those daring to use Ukrainian on Russian-language cybercriminal forums. Ukrainians who use their native language, which is similar to but not mutually intelligible with Russian, are almost universally met with hostility and ridicule. The status of Ukraine as a sovereign nation is commonly disputed in Russia, where a sizable portion of the population holds negative views of their neighbor. Racial epithets, which mock the way Ukrainians speak and the food they eat, are frequently thrown around. Instructing “Kholkhols” (Russian slur for Ukrainians) to go and eat “salo” (cured fat, popular in Ukraine) is a typical response to a Ukrainian attempting cybercriminal discourse in their mother tongue. And these are some of the tamer insults. One Russian-speaking user wrote that they would “cry tears of joy” if Ukrainians were banned from the Internet.
Ukrainian-speaking forum users are well aware of how their former Soviet compatriots perceive them. One remarked, “I know what kind of response [my post] will get… so go get the popcorn” – predicting the flow of insults they would receive following their Ukrainian-language post. However, Ukrainian cybercriminals are also acutely aware of their significant presence on Russian-language platforms, with one responding to anti-Ukrainian insults: “without Ukrainians this forum would be quiet”.
We’ve also noticed that some Ukrainian speakers themselves look down upon their own language. In a thread on one Russian-language forum in which users discussed why Ukrainian-language hacking forums do not last, one user argued that the Ukrainian language was “not up to the task,” stating that “all ‘projects’ end where the Ukrainian language begins.” Another self-professed Ukrainian speaker said that “technical literature in Ukrainian is always either funny or incomprehensible”.
Cybercrime shows no signs of slowing down in Ukraine, and Ukrainian cybercriminals have expressed a desire for platforms using their own language. Moreover, we know there’s a sizable number of Ukrainians on existing Russian-language cybercriminal forums. So why have they not created their own? Well, while we can’t say for sure, we do have a few theories.
First, Ukrainian-speaking cybercriminals are highly likely to speak Russian too. As a result of Soviet policies, by the late 20th century, almost all Ukrainians were fluent in Russian. But this fluency is asymmetrical: While most Ukrainians know Russian, most Russians can’t speak Ukrainian. Ukrainians’ fluency in Russian probably meant that when Ukrainian-language sites were taken down, Ukrainian cybercriminals likely migrated to existing Russian-language platforms.
If the linguistic reasons weren’t enough, the changing political situation in Ukraine might also make Russian-speaking cybercriminals wary of using Ukrainian-language platforms, even if they did speak Ukrainian. Cooperation between Ukrainian and Western law enforcement, which has increased as the current Ukrainian administration seeks closer ties with Europe, has led to multiple takedowns of Ukrainian-language sites. This has caused many Russian-speaking cybercriminals to perceive their Ukrainian counterparts as untrustworthy. One thread discussing a joint operation between the FBI and Ukrainian cyber police on a prominent Russian-language forum saw users labeling Ukrainians as “rats.” Others advised not hosting illicit infrastructure in the country due to the threat posed by Ukrainian law enforcement.
So Ukrainian cybercriminals do not need Ukrainian-language platforms to facilitate their malicious activity, and many users of Russian-language forums couldn’t use Ukrainian ones, even if they wanted to (which they don’t). In a world principally motivated by making fat stacks of cash, if it doesn’t make money, it doesn’t make sense. Why should site administrators limit themselves to potential customers from only Ukraine when they could also collect revenue from both Ukraine- AND Russia-based users?
The cybercriminal forum and marketplace scene is fluid and fractured. Given the role played by Ukrainian nationals in international cybercrime and an ever-changing political relationship between Ukraine and its closest neighbor, it’s possible that a successful Ukrainian-language platform may emerge in the coming years. If it does, Digital Shadows (now ReliaQuest) will be there to keep you in the know. With in-depth linguistic and cultural knowledge of Russian and Ukrainian, we give our clients unique insights into the cyber threats emanating from these geographies.
If you’d like to learn more about monitoring the Russian- and Ukrainian-language dark web for potential leaked databases, compromised accounts, exploits, target attacks and more, get a free copy of our Dark Web Monitoring Solutions Guide here. Alternatively, you can access a constantly updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Get a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.