Russian Cybercrime Forums Open Door for Chinese Speakers

Security researchers have started to see a thaw in relations between Russian, Chinese and English-speaking threat actors.

The Russian-speaking world of cybercrime has so far been quite closed to actors from other regions. However, Flashpoint claimed to have seen a more inclusive approach taken recently, particularly on the Ramp forum.

“In October, Ramp administrators made changes to the forum’s interface to make it more accessible to English-speaking and Chinese threat actors,” the threat intelligence firm asserted.

“The sections of the forum are now in Russian, English and Mandarin; the lead administrator speaks to members in English more often than before; and there is significantly more content and commentary in English – and even coming from some Russian-speaking actors.”

There are said to be around 30 Chinese users on the forum so far.

However, while Russian cybercriminals may seek international alliances, Flashpoint warned that the moves could be a smokescreen similar to those surrounding the Groove ransomware gang.

“At the end of October 2021, the Groove ransomware gang called on other ransomware operators to jointly attack US entities; once it caught the media’s attention, the operator of the Groove public blog claimed it was a media hack,” it said.

“It’s certainly possible that opening up Ramp to threatening Chinese-speaking actors is part of a similar strategy.”

That said, other Russian-speaking forums also seem to be heating up with international users.

On the famous XSS site, a user apparently replied to a discussion thread with an advertisement in Chinese seeking partners in a ransomware operation. In another case, a Russian member of XSS greeted two Chinese forum members with an automatically translated Mandarin post.

Threat actors are generally more willing to share Tactics, Techniques, and Procedures (TTPs) than their counterparts in the legitimate economy. However, the pooling of capabilities and intelligence in traditionally distinct cybercrime spheres would be a particularly unfortunate development.

Harry L. Blanchard