So it goes. How and for what Russian hackers were tried in 2021.

Tomcat



News about the arrest of cybercriminals in Russia appears in the media with enviable regularity. The headlines are loud, but it is impossible to tell from them what exactly the detainees are accused of and what crimes they actually committed. This article describes how cybercriminals are tried in our country and how strict our judicial system is towards them.

As you know, the main fighters against cybercrime in Russia are the specialized units of the FSB and the Ministry of Internal Affairs. Criminal cases are opened on the basis of their materials and then handed over to the courts, which issue the verdicts. To assess how effectively crimes in the field of computer technology are prosecuted, I analyzed the 2019 court decisions under the "hacker" articles of the Criminal Code, using open data. This information is published online in accordance with Federal Law No. 262-FZ of December 22, 2008, "On providing access to information on the activities of courts in the Russian Federation." In some cases the texts of the judicial acts were missing (with no reason given); I did not include those in the study.

Attacks on state facilities of the information infrastructure of the Russian Federation

You may have seen news about these crimes in the media under headlines like "Hacker convicted of trying to hack the website of the Government, Administration, Ministry ...". The loud headline and the words "hacker" and "hacked" give the average reader the impression that a hardened criminal has been detained. But this is not always the case.

The scheme of the crime is as follows: the attacker installs hacking software on his computer and uses it to attack remote servers, among which a resource belonging to a state body happens to turn up. In such cases there are three types of computer attack: SQL injection, brute force and DDoS. According to the court decisions, the programs used in these attacks and recognized as malicious were ScanSSH, Intercepter-NG, NLBrute 1.2, RDP Brute, Ultra RDP2, sqlmap, Netsparker and SQLi Dumper.

At the same time, many of the court decisions state that the computer attacks were carried out from the attackers' real IP addresses. That is, law enforcement agencies can easily identify the offenders and prove their involvement in the illegal activity.

The sentencing outcomes referred to below are:
  • A real term: imprisonment for a fixed period.
  • Other types of punishment: anything that does not entail actual imprisonment.
  • Criminal case terminated: due to reconciliation of the parties, the imposition of a court fine, or active repentance. The fundamental difference from the other outcomes is that the person is not considered to have a criminal conviction.

Such computer attacks rarely lead to an actual compromise of the system, and most often they are carried out by "novice hackers". This explains the relatively "soft" sentences handed down by the courts: out of 27 cases, only three ended in real terms, all for repeat offenders previously convicted under various articles of the Criminal Code. In thirteen cases the defendants received other types of punishment not involving imprisonment. In ten cases the criminal case was dropped.

A very curious case was that of a citizen who was already serving a sentence in a correctional colony when he appeared before the court. Colony staff had given him access to a computer in the security department to prepare reference and documentary materials and to create a 3D model of the colony. The defendant found the prisoners' files on the network and copied them for further study. Then, using IPScan from an automation engineer, he found a proxy server on the local network. Having connected to it, the attacker downloaded the Intercepter-NG and NLBrute 1.2 malware from the Internet and tried to use them to hack another computer. All of this sounds funny, but the level of information security in the security department of a penal colony is still surprising.

Embezzlement of money

In the 21st century, money is kept not only in a savings bank, but also in the accounts of electronic payment systems. Cybercrimes associated with theft of money are considered to pose a high degree of public danger, which is why the punishment for them is more severe.

Hacking ATMs

In 2019, three court decisions were issued for this type of crime. You probably heard about the first of them thanks to loud headlines in the media: "Hackers from the international criminal group Cobalt have been sentenced in Russia." Under this headline, a well-known news site published an article about the conviction of two "mules" involved in the theft of 21.7 million rubles from the Yakut bank Almazergienbank in 2017.

Here is how it happened. Members of the Cobalt hacker group compromised the work computer of a bank employee by sending fake letters purporting to come from Microsoft support. Having gained a foothold in the network, the hackers escalated their privileges to domain administrator, connected to the ATMs via RDP and, using malware, sent commands to dispense banknotes. The two brothers who appeared before the court were the ones collecting the cash. For their work they received 10% of the stolen amount.

The court sentenced them to six and a half and five and a half years in prison. It is noteworthy that they had already managed to transfer the stolen money to the organizers, keeping two million rubles for themselves. They used this money to compensate the material damage caused to the bank. The remainder of the claim was also settled, partly at the expense of one brother's apartment.

In the second case, a group of four was brought before the court. The criminals opened ATMs, connected to their USB ports and then used the Cutlet Maker malware to dispense banknotes. An unidentified group member activated the program remotely and received 30% of the stolen amount for his "services".

The criminals made several attempts to break into ATMs, but only one was successful. The amount stolen was from 250 thousand to 1 million rubles. The villains were detained during another attempt to open the ATM. The court sentenced them to sentences ranging from one and seven months to four years in prison.

The third case is similar to the second. The same Cutlet Maker, the same 30% for remote activation. The perpetrator acted alone. From the ATM of PJSC "MinBank" he unloaded about four million rubles and was caught during the second attempt to break into the ATM. The court did not accept the arguments of the defense about the difficult financial situation of the defendant and sentenced him to four years in prison.

All these cases have one thing in common: the people who appeared before the court were low-skilled members of criminal groups, for whom the word "thieves" fits better than "hackers". The brains and real organizers remained out of reach of law enforcement.

Trojans for Android

Two episodes deserve special attention in this section. In one of them, an attacker who committed a crime while already in a penal colony was sentenced to a real term. Using a smartphone, he compiled and distributed an Android Trojan that was installed on the mobile devices of Russian citizens. The villain then transferred money from their bank cards through a remote banking system. One can only guess how he got a smartphone while serving his sentence, as well as how he acquired the necessary skills and knowledge - after all, at the time of the crime he had been in prison for more than ten years.

The detention in the Chuvash Republic of a member of the TipTop hacker group also received wide coverage in the Russian media. For several years, the cybercriminals distributed the banking Trojans Hqwar, Honli, Asacub.g, Cron and CatsElite under the guise of various applications and installed them on users' Android smartphones. They used the malware to intercept information, steal bank card details and steal money from citizens. And once again, an ordinary member of the group appeared before the court, one who performed the money-transfer role. For the cumulative crimes he was sentenced to two years of suspended imprisonment.

In the remaining cases, the punitive hand of justice likewise fell on extremely low-skilled members of criminal groups: the cashers and drop handlers who found an offer of illegal earnings on shadow forums and responded to it.

Phishing

With the help of phishing messages, a cybercriminal took over the mailbox accounts of auto shops. He then issued invoices to the stores' customers with fake bank details. At the trial, 80 episodes were considered; in total the defendant stole about 3.5 million rubles. It is noteworthy that the expert classified the phishing pages imitating the login window of mail services as malicious software. The attacker was sentenced to four and a half years in prison.

In another case of theft of money using phishing, the case was limited to a suspended sentence. The criminal forged the login pages of the banking application, thanks to which he took possession of the client's authorization data and transferred 14,800 rubles to a personal account under his control.

A resident of Voronezh also received a punishment not related to actual imprisonment. He offered services to hack e-mail and social media accounts for a modest reward of 2-5 thousand rubles. He stole account data by sending phishing messages on behalf of the administration of the services. He did this for two years until he was caught by law enforcement officers.

Goods carding

The defendant hacked into user accounts at the stores amazon.com, pharmacy.kmart.com, pccomponentes.com and several others and bought goods with them. He resold the goods on the hacker forum exploit.in for 60-70% of their face value. He worked through a virtual server purchased from a hosting provider registered in Russia. The attacker was sentenced to restriction of freedom.

Ransomware

In practice, IT specialists often have to deal with the consequences of this type of crime. Nevertheless, there are only three court decisions for 2019.

In the first case, the attacker brute-forced the servers of Russian companies and encrypted the 1C databases on the compromised systems. For the decryptor he demanded a transfer of 3,000 rubles to a mobile phone number. A suspended sentence was imposed.

In the second case, the court considered the encryption of 1,835 computers (all of them abroad). The RDP Brute and mimikatz programs were used to break in and obtain accounts. For anonymity, the attacker rented foreign servers and kept the malware in crypto-containers. He went online through a Megafon USB modem with various SIM cards, which he changed several times a month. He did not attack computers in Russia because of his "moral convictions". Having received the demanded amount in bitcoins, the perpetrator sent the keys to the victims. In total, according to the court, he earned 3,936,091 rubles.
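Two of the patterns described on this page are easy to spot in Windows security logs: RDP password brute-forcing (many failed logons from one source, as with RDP Brute in this case and the brute-force attacks on state resources above) and RDP logons to hosts that should only ever be reached from a designated jump host (the Cobalt ATM case). The following is an added example, not code from the original article or from any case file; the log lines, host names and IP addresses are constructed, and the simplified "field=value" line format is an assumption rather than a real Windows export format.

```python
"""Detection logic over constructed Windows-style security events.

Event IDs 4625 (failed logon) and 4624 (successful logon) and logon
type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the
line format and all hosts/IPs below are constructed for this example.
"""
from collections import defaultdict
import re

# Constructed sample events, one per line (simplified format, not a real export).
SAMPLE_LOG = """\
EventID=4625 TargetUser=admin SourceIp=203.0.113.7 LogonType=10 Host=SRV-1C
EventID=4625 TargetUser=Administrator SourceIp=203.0.113.7 LogonType=10 Host=SRV-1C
EventID=4625 TargetUser=user1 SourceIp=203.0.113.7 LogonType=10 Host=SRV-1C
EventID=4625 TargetUser=backup SourceIp=203.0.113.7 LogonType=10 Host=SRV-1C
EventID=4625 TargetUser=sysadmin SourceIp=203.0.113.7 LogonType=10 Host=SRV-1C
EventID=4625 TargetUser=ivanov SourceIp=198.51.100.5 LogonType=10 Host=SRV-1C
EventID=4624 TargetUser=ivanov SourceIp=198.51.100.5 LogonType=10 Host=SRV-1C
EventID=4624 TargetUser=svc_atm SourceIp=10.10.0.2 LogonType=10 Host=ATM-0017
EventID=4624 TargetUser=domadmin SourceIp=10.20.5.44 LogonType=10 Host=ATM-0018
EventID=4624 TargetUser=domadmin SourceIp=10.20.5.44 LogonType=2 Host=WS-044
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn each non-empty 'key=value key=value' line into a dict."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def detect_bruteforce(events, threshold=5):
    """Return {source_ip: failed_logon_count} for sources at or above the threshold.

    A single user mistyping a password produces a handful of 4625 events
    for one account; a password-guessing tool produces many, typically
    across several account names, from the same source.
    """
    failures = defaultdict(int)
    for event in events:
        if event.get("EventID") == "4625":
            failures[event["SourceIp"]] += 1
    return {ip: count for ip, count in failures.items() if count >= threshold}


def detect_rdp_to_restricted(events, restricted_prefix="ATM-", allowed_sources=frozenset()):
    """Return (source_ip, user, host) for successful RDP logons (4624, type 10)
    to hosts whose name starts with restricted_prefix, coming from any source
    that is not an allow-listed jump host.
    """
    hits = []
    for event in events:
        if (event.get("EventID") == "4624"
                and event.get("LogonType") == "10"
                and event.get("Host", "").startswith(restricted_prefix)
                and event.get("SourceIp") not in allowed_sources):
            hits.append((event["SourceIp"], event["TargetUser"], event["Host"]))
    return hits


def run(text=SAMPLE_LOG):
    """Run both detections and return their findings keyed by name."""
    events = parse_events(text)
    return {
        "bruteforce": detect_bruteforce(events),
        "rdp_to_atm": detect_rdp_to_restricted(events, allowed_sources={"10.10.0.2"}),
    }


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

On the constructed input, the brute-force check flags 203.0.113.7 (five failures against five different account names) and ignores the single failed attempt by ivanov, while the ATM check flags the domain-administrator RDP session to ATM-0018 from an ordinary workstation address and ignores the session from the allow-listed jump host. In a real deployment the threshold, the host naming rule and the jump-host allow-list would come from the environment's own conventions.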

Despite all the operational-security measures he took, the offender was detained by law enforcement. He was given a suspended sentence of seven months with a probationary period of one year and a fine of 100 thousand rubles. No civil claims were filed in the case.

As a result, the cybercriminal remained free, almost four million rubles of the stolen funds stayed with him, and the state received a fine of 100 thousand. Had he been in the United States, he would probably have faced a more severe punishment, backed by a far larger fine. Moreover, if he goes abroad, he can count on one of the principles of international law, non bis in idem ("a person is not held liable for the same offense more than once"). A real happy ending for a hacker!

Another case of file encryption and ransom demand is notable for the fact that the criminals were convicted under a relatively new article of the Criminal Code 274.1 - "Unlawful influence on the critical information infrastructure of the Russian Federation." The servers of Vostochnaya Verf JSC, which are considered to be an object of critical information infrastructure, turned out to be encrypted. Not the best target for an attack in terms of potential punishment. The criminals received a two-year suspended sentence.

Bug hunting

An unsuccessful case of "bug hunting" occurred in the city of Balakovo, Saratov region. A local hacker broke into online store and online service accounts using Private Keeper. He threatened to publish the obtained data and demanded monetary rewards from the service owners for information about the alleged vulnerability. The amount demanded reached 250 thousand rubles. He asked for the money to be transferred to a QIWI wallet and to a bank card registered to his mother. Some of the victims agreed to pay. I am sure you have already guessed that after paying, the victims received no report on the bugs supposedly found.

The attacker also transferred to himself bonus points worth 2,100 rubles from hacked personal accounts of users of a utility payment site. Apparently he did not hold himself to high moral principles and was ready to steal from anywhere. Given his young age and state of health, he was sentenced to three years and three months probation.

Here, once again, we see an example when a user who does not have deep hacker knowledge, but who has a computer and Internet access, becomes a cybercriminal.

Services

Distribution of malware

You've probably seen advertisements for the sale of malicious software on hacker forums and Telegram channels. Experienced malware sellers and developers use various methods of anonymization or work through intermediaries, which allows them to avoid criminal liability. As a rule, novice hackers appear before the court. The damage from their actions is insignificant, therefore the punishment is not severe.

Among the court cases considered last year, hidden miners, a software activator and brute-force programs were distributed via the Telegram messenger in five cases. In another case, an attacker created a RAT and sold it over Skype for 1,600 rubles. In all of these cases the punishment imposed did not involve actual deprivation of liberty.

But the administrator of the Telegram-channel "Dark Side / Manuals / Schemes" was not so lucky. At the time of the crime, he had a suspended sentence under Article 159.1 of the Criminal Code of the Russian Federation ("Fraud in the field of lending") with an unexpired probationary period. On his channel, the admin distributed programs AntiCaptcha Brute and Checker, BigStockPhotos, eBay Checker and PayPal Brute & Checker, for which he was detained by police officers. Taking into account the unserved part of the sentence, he was sentenced to three years in prison.

Stealers

The attacker illegally copied at least 42,371 archives with passwords, credit card data, and Steam accounts using a stealer. He planned to sell the information for at least 4,563,000 rubles, but did not have time. The court assigned him a suspended sentence of two years in prison.

In the second case, a resident of Chelyabinsk posted a video game walkthrough on YouTube along with a link to download the stealer disguised as a patch. The criminal stole credentials for Internet services from several users. He received a punishment in the form of restriction of freedom.

Web shells

One of the convicts was selling web shells and brute-force software. He was caught selling malware to an FSB officer conducting a test purchase. The unlucky merchant was sentenced to restriction of freedom.

Selling credentials

The criminals brute-forced accounts on popular Internet services, checked their validity and then sold them. In two cases the punishment was restriction of freedom; in one case the criminal case was terminated and a fine of 10 thousand rubles was imposed.

Copyright infringement

This is the most popular article by which law enforcement agencies prosecute IT specialists. The guilt of the accused is easily proven; in most episodes, the collection of evidence was limited to a test purchase.

Circumventing the protection of licensed software

The scheme for gathering evidence is as follows: a test purchase is carried out, in which the installation of expensive software is ordered from the attacker. The software "purchased" most often was "Compass-3D", ArchiCAD, Autodesk AutoCAD, Microsoft Office, Microsoft Windows and "ProfStroy". For installing unlicensed software, the attackers received from 700 to 5,000 rubles.

The good news is that in half of the cases the defendants were exempted from criminal punishment, which was replaced by a court fine. But it is not always possible to apply this procedural norm - in some cases, operatives "bought" software, the total cost of which exceeded one million rubles (especially large damage), so the defendants were sentenced to a more severe punishment, up to a suspended sentence.

Game consoles and online games

In a number of cases, the defendants neutralized the protection system of Sony PlayStation game consoles in order to sell them later. One offender was sentenced to restraint of freedom, the second received a suspended sentence of one year. In the case of a computer game, the defendant blocked R2 Online's technical means of protection. The criminal case was terminated, and a fine of 100 thousand rubles was imposed.

Mining

Two employees of the state enterprise "Russian Federal Nuclear Center - All-Russian Research Institute of Experimental Physics" decided to use the organization's computers for cryptocurrency mining. They tried to hide their activities, but were caught nonetheless. The damage to the company was estimated at 1,087,448 rubles. One of the miners received three years and three months in prison with a fine of 200 thousand rubles, the second - four years probation with a fine of 250 thousand rubles.

Conclusions

The Russian judicial system is soft and lenient towards cybercriminals. Real terms are given to those who are involved in committing socially dangerous crimes related to embezzlement of money, or repeat offenders. Quite often, a criminal case is dropped and a court fine is imposed. This saves budding hackers from life-long criminal convictions and subsequent employment problems.

When it comes to catching serious cybercriminals, mules, droppers and cashiers are most often brought to trial, while real organizers avoid punishment. A successful example of the liquidation of the activities of a hacker group can be considered only the detention of members of the Lurk group, the trial over which is still ongoing.

IT-specialists are often prosecuted for installing unlicensed software. Considering the low level of danger of the crime, it would be fairer to terminate the criminal case and impose a fine.

Toolkits for hacking and malware development are becoming more and more accessible, so we are likely to see even more high-profile headlines in the media about the capture and exposure of tough, formidable hackers who, in most cases, are ordinary performers and script kiddies far removed from IT.