The cybercrime underground has fractured into pro-Ukraine and pro-Russia camps, with the latter increasingly focused on critical national infrastructure (CNI) targets in the West, according to a new report from Accenture.
The consulting giant’s Accenture Cyber Threat Intelligence (ACTI) arm warned that the ideological schism could spell mounting risk for Western organizations as pro-Kremlin criminal groups adopt quasi-hacktivist tactics to choose their next victims.
Organizations in the government, media, finance, insurance, utilities and resources sectors should be braced for more attacks, said ACTI.
“This targeted intent has led some actors to exclusively sell their services, such as network accesses, to pro-Russian actors; it has led other actors to extend discounts to pro-Russian actors interested in buying their accesses but has also caused those same actors to refrain from selling accesses associated with Russian entities,” the report continued.
“Moreover, it is likely that pro-Russian actors are foregoing available attacks against non-Western entities to centralize their focus and resources.”
Attacks on CNI had fallen out of favor on the cybercrime underground after high-profile outages at companies like Colonial Pipeline attracted the attention of the US government. However, threat actors are now likely to feel emboldened to go after such targets as they seek to punish ‘enemies of Russia,’ according to ACTI.
It may also lead to a return of ransomware groups to the mainstream underground after some admin forum administrators banned them following the Colonial breach. This could further help them scale, acquire tools, recruit affiliates and buy access, ACTI argued.
However, it’s not all one-way traffic. The report cited a poll on one forum asking if members were now prepared to attack Russia-aligned Commonwealth of Independent States (CIS) countries. While 83% said no, a surprisingly large 17% said they were, indicating pro-Ukraine sentiment.
One popular site, RaidForums, expressed its support for Ukraine and promptly had its main domain seized.
“Pro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors and are increasingly attempting to target Russian entities in support of Ukraine,” ACTI said.