Nation states buying hacking tools from underground Russian cyber forums

Nation states have been identified shopping on Russian cyber crime forums for malware they can use to wipe computers of data in hostile hacking attacks.

Russian-speaking hacking forums, including Exploit and XSS, run black markets in tools and services used by cyber criminals intent on making money by hacking computer systems and stealing data.

According to Sergey Shykevich, a threat intelligence expert at cyber security company Check Point Software, nation states are increasingly using underground cyber crime forums to pose as cyber criminals and hackers.

“Nation states understand that to pretend to be involved in hacktivism allows them deniability,” he told Computer Weekly. “They don’t want to be accused, even if everyone knows it’s Russia, or Iran.”

Russian forums

Some of Russia’s cyber crime forums have been in operation for more than 20 years.One of the oldest Russian-speaking forums is Exploit, which was established in 2000 and contains one million messages on over 200,000 topics, said Shykevich.  

“They offer everything you could imagine,” he told Computer Weekly. “It starts with software vulnerabilities. You can rent malware, ransomware as a service and spam as a service to distribute fake phishing emails and currently even AI [artificial intelligence]-related services, and deep fake platforms.”

The forums generally exist on the deep web and don’t require a specialist Tor browser to access. But they are strictly members only.

Iran suspected of buying wiper software

Check Point discovered last year that Russian underground forums were offering wiper software, which is designed to destroy computer data irreversibly.

Wiper software is of no interest to cyber criminals who normally inhabit Russia’s hacking forums – strongly suggesting nation-state involvement.

“We saw someone, probably the Iranian government, looking for wiper software,” said Shykevich.

State-sponsored hacking groups are better funded than typical cyber criminal groups, and are not shy of advertising their spending power, said Shykevich.

They typically pay larger deposits to the administrators of cyber crime forums than other members of the hacking community.

“From all these, we can assess with relatively high confidence, those are not regular cyber criminals,” said Shykevich.

They spend money building up (banking) stocks of valuable zero-day exploits that can be used to break into target computer systems.

“We see threat actors who say they are banking exploits. Their budgets are unlimited,” said Shykevich.

Nation-state hackers frequently add another layer of cover by using legitimate cyber security testing tools – which are readily available on Russian cyber crime forums – to probe the networks of vulnerable computer systems.

They are less likely to arouse suspicion than custom-made hacking tools.

Shykevich estimates that only one in 10 people using pen-testing tools are genuine security experts. “Most of the tests are bad actors,” he said.

Forums run like a business

Members of Russian underground forums operate like typical businesses and are concerned with profits and monthly revenues from selling their exploits and hacking services.

In Russia, they display their wealth openly. One of Russia’s most famous cyber criminals, for example, reputedly spent over half a million dollars on an ostentatious wedding in Moscow.

Anyone applying to join a forum can expect to undergo vetting to ensure they are a genuine cyber criminal rather than law enforcement or a security researcher. Membership fees range from £50 to several thousand.

The forums have systems of rules and arbitrators who can issue verdicts when parties are in dispute over payments.

Visitors can expect to find a complete “kill chain” of hacking services.

Initial access brokers

The chain starts with initial access brokers. They sell credentials to access companies’ IT systems, through VPNs or commercial remote access tools, such as AnyDesk, for relatively small sums.

Check Point, for example, identified one broker selling access credentials for an anonymous Japanese company that used AnyDesk remote access tools for $3,000.

Such advertisements do not name the target companies to protect their identities from security researchers and undercover police. But they do indicate the target’s revenues – an important metric for ransomware attackers that know they can secure higher ransoms from richer companies.

“They evaluate the value of specific access based on the revenue of the company and how much they can extort the company. The bigger the company or the wealthier the industry, the more they can extort,” said Shykevich.

Spam and zero days

Services on offer include spam servers that distribute spam emails for a fee. Many are turning to AI to craft emails that will not be detected by Spam filters and are seeing success rates of 70%.

Some criminals specialise in developing exploits from newly discovered zero-day vulnerabilities within a few days of their publication – much more quickly than companies can patch.

Other services allow people to take existing malware and change the code so it can avoid detection by antivirus software.

“One of the things that are important for cyber criminals is that their malware is not detected,” said Shykevich. Modified malware is able to survive undetected for years.


In most Russian underground forums, ransomware is prohibited, but at least one Russian forum offers ransomware as a service, according to Shykevich’s research.

Services are provided by groups that develop the ransomware code and criminal penetration testers that do the hard work of accessing company networks.

Ransomware developers typically take a cut of 20% to 30% of the revenue from a successful ransomware attack. With some ransom payments running to tens of millions, the fees are significant.

The underground Russian marketplaces have a rule that users are not expected to attack other Russian-speaking countries. To do so would likely result in arrest or imprisonment, said Shykevich.

“As long as they don’t target those countries, they can do what they want,” he said. “It is a double win. They earn money for Russia and they show that the West is vulnerable to cyber attacks.”


Shopping Cart
Shopping cart0
There are no products in the cart!
Continue shopping
Scroll to Top