Russian Thugs Make Splendid Hackers
WHY YOU SHOULD CARE
Do not ever open that weird attachment, especially if it has an alluring Slavic accent!
No one was surprised when China recently admitted to having armies of hackers. But the People’s Republic is not the only cyberthreat to Western nations: Russia might be just as scary. A number of high-profile convictions lately shows that the ex-USSR is a fertile playground for commercial hackers, who target checking accounts instead of government databases. American law enforcement is cracking down — including by offering up to $3 million rewards for arrests — but the attacks keep coming. The worst may be yet to come.
So warns Arkady Bukh, a New York City attorney with about a dozen years’ experience defending Russian cybercriminals in U.S. courts. Bukh is also considering opening a cybersecurity firm. OZY caught up with him between court sessions to talk about the Russia’s new hacking hordes, and an edited version of our conversation follows.
What’s the current profile of Russian hackers?
They are mostly male and under 28. Unlike in China — where hackers do mainly government-sponsored commercial espionage — Russian hackers’ main goal is making money. They mostly steal credit card numbers, millions of them, they cash them, they buy some electronics, and then they resell them. There’s a big difference between being a thief and being a spy.
What makes them so dangerous?
The number of successful attacks almost doubles every couple of years, and their style is changing. Before, hackers were well-educated. They were gentlemen. Now many drug dealers and gangsters are starting to cash credit cards, because this is just wiser. For a couple of kilos of cocaine you can be dropped for life in jail. If you steal a million from credit cards, you might not even face 10 years.
They are also starting to be used as political tools. Russian hackers are not only about the credit card numbers, they are trying to access critical infrastructure in America — information that can easily be sold to ISIS or al-Qaida. If their relationship with Russia worsens, they could sell information to the Russian government for sabotage purposes. They could switch off electricity in some towns, even raise the dam on a river and get a village flooded. And this information is cheap. With just $5,000, you can get access to electric or the gas grid. This is a huge problem for the U.S. government.
What is Russia doing about these hackers?
In most cases, it turns a blind eye to the situation. Russia does arrest hackers, but sentences are usually minimal and custodial in nature — meaning they’re not going to jail. They’re either not being punished enough or not punished at all, which is another invitation to steal.
How effective is the recent U.S. law enforcement crackdown?
Well, they’re fighting hard, but the number of hackers is humongous, and the number of law enforcement agents is very limited. They have difficulty dealing with every single attack, and anyway, most hackers do not travel outside of Russia, so they can’t be arrested. Arrests may actually provoke them more. There already have been attacks in retaliation for what they’re doing. There have been attacks on NASA. A client of mine attacked the FBI website and its databases.
So what can be done?
Well, unless the Russian government conducts a very strict crackdown on its hackers for some extended period of time, I see no way that we’ll have a reduction in the number of attacks. And I don’t think Russia will do that in the near future, because its relationship with the U.S. is worsening, and Russian media is promoting very anti-Western sentiments.
What can ordinary people do to protect themselves?
Private companies should be strengthening their cybersecurity because the government cannot protect every single company from every single attack. And much of the infrastructure is owned by private firms. As for individuals, I wouldn’t recommend to investing too much time into this. Their credit cards will get stolen from Chase Bank or Target. Avoiding it is close to impossible.