
Article 2 | Cyberbazaars of Eastern Europe

Cyber Mercenaries and Underground Markets: Eastern Europe's Role in Global Cybercrime

Makenna Petersen



For a number of years, malicious cyber actors have routinely found harbor in cyberbazaars throughout Eastern Europe, particularly in the post-Soviet states. Within Europe, living standards and economic prosperity tend to decline the further east a country is located. The contrast is clearest when Eastern European countries are compared with Western European ones on cybercrime activity rates and on the factors that produce these hubs.


This article delves into Romania and the post-Soviet states of Belarus, Ukraine and Moldova for a more focused analysis. They were chosen because of their scores on the Cybersecurity Exposure Index (CEI) 2020, and because six states in this region (Romania, Poland, and the post-Soviet states of Belarus, Latvia, Ukraine and Moldova) are among the top 20 cyber hotspots worldwide.1


Experts evaluated these countries on five categories of cybercrime: “technical products and services (malware coding, access to compromised systems, and botnet access), attacks and extortion (denial-of-service attacks and ransomware), data and identity theft (phishing, hacking, account compromises, and credit card compromises), scams (advance fee fraud, business email compromise, and online auction fraud), and cashing out/money laundering (credit card fraud, money mules, and illicit virtual currency platforms).”2


The CEI, which calculates each country’s level of exposure to cybercrime, concluded that exposure in Eastern European countries differs significantly from that in the West.3 This distinction is crucial: high exposure indicates that these states are more susceptible to cybercrime activities such as system penetration via unauthorized access, data theft, extortion through the obstruction of computer systems or files, and the compromise and weaponization of virtual machines through cloud attacks.4 Belarus, for example, is ranked in the high exposure classification with a score of 0.614 and is home to the threat actor group Ghostwriter/UNC1151, among others. Moldova, Romania and Ukraine are all ranked with a moderate score.5 Ukraine’s score would arguably be higher today, given the cyber dimension of the Russia-Ukraine war since 2022.


See Europe’s CEI 2020 below: 


[Interactive chart: Europe Cybersecurity Exposure Index 2020]


Source: PasswordManagers.co


Notably, every Western European nation is ranked in the low exposure classification, with scores below 0.399.6 This reflects the West’s considerably stronger economies, laws and regulations. Many member states of the European Union (EU) also have well-structured cybersecurity regulations, law enforcement and extradition treaties. In contrast, many states outside the EU, particularly the post-Soviet states of Belarus, Moldova and Ukraine, lack these critical factors.7 The emphasis on post-Soviet states matters because the dissolution of the Soviet Union in 1991 may have contributed both to the absence of these factors and to the emergence of a cybercrime culture.


Belarus, Moldova and Ukraine, the three post-Soviet states named above, all lack extradition agreements with the United States (U.S.).8 The absence of an extradition treaty hinders a government’s ability to prosecute fugitives who are abroad, which provides a safe haven for criminals. All three countries also rank among the poorest in Europe.9 Romania, by contrast, is an EU member and has an extradition treaty with the U.S.; however, it lacks agreements with the post-Soviet Eastern European countries and with many other European nations. According to various studies, Romania is one of the EU countries most vulnerable to cybercrime, and it has the “fifth fastest internet speed in the world.”10


These cyberbazaars host cybercrime actors who not only exploit network vulnerabilities and commit data theft across the globe, but also target Eastern European governments and influence the political environment. They have mastered their techniques, which has led to more pervasive and sophisticated cyberfraud. Advanced schemes such as cyber extortion, distributed denial-of-service (DDoS) attacks and the hijacking of users’ searches and clicks require a significant level of strategic planning, advanced technology, processes and skilled individuals.11 Cybercrime groups in this region “are well known for their efficient global teams and supply chain management best adaptive global strategies” and for collaborations that include adequate incentive structures.12


Rubycarp and Ghostwriter/UNC1151 are two prominent examples of the types of threat actors operating within this cyberbazaar. Rubycarp is a Romanian cybercrime group motivated by financial gain. Ghostwriter/UNC1151 is a Belarusian threat actor group whose main objective is state-aligned intelligence gathering and influence operations. Together, these two examples give a wider perspective on the capabilities and activity of malicious Eastern European cyber actors.

Rubycarp

Rubycarp is a cyber actor group originating in Romania and believed to have been in operation for more than a decade. The group operates a “botnet using public exploits and brute force attacks”, targeting “vulnerabilities in frameworks like Laravel and WordPress, as well as conducting phishing campaigns to steal financial assets.”13 Rubycarp also uses tools such as Perl ShellBot (a type of malware) for “post-exploitation activities” and receives income from a variety of illicit streams.14


What is a botnet? According to Malwarebytes, a “botnet, a blend of ‘robot’ and ‘network,’ is a network of computers infected by malware and under the control of a single attacking party known as the ‘bot herder.’ Each infected machine, referred to as a bot, works in unison with others within the botnet. The bot herder orchestrates the interconnectedness of these compromised computers, utilizing them to carry out various cyber activities, such as executing automated scripts across the network.”15 In other words, botnets are used to control and manipulate multiple systems and machines remotely.


Because Rubycarp is financially motivated, it combines DDoS and phishing attacks with cryptomining, and its phishing campaigns target credit card data.16 The group leverages “ShellBots and brute force attacks to gain internal access to their targets”17 and is known above all for its use of botnets.
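The initial-access pattern described above (brute force against SSH and WordPress logins) is something defenders can look for in their own logs. What follows is an added example written for this article, not Rubycarp’s tooling and not code from the cited reports: a small Python detector that parses sshd and Apache-style access-log lines, counts failed logins per source address and service inside a sliding window, and escalates the alert when a success follows a burst of failures, which is the signal that a guessed credential actually worked. Every log line is constructed for the example, the syslog year (2024) is assumed because syslog omits it, and the thresholds, the `Event`/`Alert` types and the helper names (`parse_sshd`, `parse_wordpress`, `detect_bruteforce`, `run`) are the example’s own choices.

```python
"""Brute-force login detector for sshd and WordPress access logs. Added example
for this article (not Rubycarp's tooling); every log line below is constructed."""
import re
from collections import Counter, defaultdict, deque, namedtuple
from dataclasses import dataclass
from datetime import datetime

# Constructed sshd lines in syslog format: five failures, then a success, from one host.
SSHD_LOG = """\
Apr  9 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr  9 10:00:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Apr  9 10:00:04 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
Apr  9 10:00:06 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr  9 10:00:09 web1 sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 51242 ssh2
Apr  9 10:00:15 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Apr  9 10:05:30 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

# Constructed Apache combined-format lines for a WordPress host: a burst that never succeeds.
WEB_LOG = """\
203.0.113.9 - - [09/Apr/2024:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2024:10:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2024:10:10:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2024:10:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2024:10:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2024:10:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.21 - - [09/Apr/2024:10:12:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

SYSLOG_YEAR = 2024  # syslog omits the year; assumed for the constructed lines above
SSH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
                    r"(?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>[\d.]+)")
WEB_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\w+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3})')

Event = namedtuple("Event", "ts ip service failed")  # one login attempt, normalised across services

@dataclass
class Alert:
    ip: str
    service: str
    failures: int
    succeeded: bool  # a success followed the burst: treat as a likely compromise, not just noise

def parse_sshd(text):
    """sshd 'Failed/Accepted password|publickey for ... from IP' lines -> Events."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse syslog's padded day ("Apr  9")
        ts = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["ip"], "ssh", m["result"] == "Failed"))
    return events

def parse_wordpress(text):
    """POSTs to the WordPress login endpoints -> Events (other requests are ignored)."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?")[0]
        if path not in ("/wp-login.php", "/xmlrpc.php"):
            continue
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        # wp-login.php re-renders the form (200) on failure and redirects (3xx) on success;
        # xmlrpc.php answers 200 either way, so each POST to it counts as a failed attempt.
        failed = not (path == "/wp-login.php" and m["status"].startswith("3"))
        events.append(Event(ts, m["ip"], "wordpress", failed))
    return events

def detect_bruteforce(events, threshold=5, window=60):
    """Alert on (ip, service) pairs with >= threshold failures inside `window` seconds."""
    recent = defaultdict(deque)  # (ip, service) -> timestamps of failures still inside the window
    total = Counter()            # (ip, service) -> all failures seen
    alerts = {}                  # (ip, service) -> Alert, in detection order
    for ev in sorted(events, key=lambda e: e.ts):
        key, q = (ev.ip, ev.service), recent[(ev.ip, ev.service)]
        if ev.failed:
            total[key] += 1
            q.append(ev.ts)
            while (ev.ts - q[0]).total_seconds() > window:  # drop failures that aged out
                q.popleft()
            if len(q) >= threshold or key in alerts:
                alerts.setdefault(key, Alert(ev.ip, ev.service, 0, False)).failures = total[key]
        elif key in alerts and q and (ev.ts - q[-1]).total_seconds() <= window:
            alerts[key].succeeded = True  # success shortly after the burst
    return list(alerts.values())

def run(ssh_text=SSHD_LOG, web_text=WEB_LOG):
    return detect_bruteforce(parse_sshd(ssh_text) + parse_wordpress(web_text))

if __name__ == "__main__":
    for a in run():
        print("CRITICAL" if a.succeeded else "WARNING", a.ip, a.service, a.failures, "failures")
```

On the constructed input the SSH source 203.0.113.7 is reported as CRITICAL (five failures followed by a successful root login within the window), while the WordPress source 203.0.113.9 is a WARNING (six attempts, none of which produced the 302 redirect that marks a successful wp-login.php POST). The threshold and window are deliberately conservative; on a real host they should be tuned against the normal failure rate, and xmlrpc.php should be disabled outright if the site does not need it.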


A key takeaway from Rubycarp’s story is that companies and individuals need heightened awareness of botnets and of the need to safeguard data, particularly financial information, since “93 [percent] of data breaches are motivated by financial gain.”18 As we explore hotspots around the world and look at specific malicious cyber actors, it is worth remembering how complicated the cyber landscape truly is.

Ghostwriter/UNC1151

Ghostwriter/UNC1151 is a Belarusian threat actor that has been active since 2016 and is believed to be government-sponsored; some assess that its members come not only from Belarus but also from Russia.19 This highlights the influence that post-Soviet states and ideologies have on the operators of cyber activity in these countries. Its targets are often German, Lithuanian, Latvian, Polish and Ukrainian governments, politicians and military officials.20 The group has also targeted “Belarusian dissidents, journalists and media entities.”21


Ghostwriter has engaged in activities such as “hacking news sites to post fabricated stories, planting manufactured documents on government websites and leaking doctored evidence across social media.”22 The group operates with a sophisticated operational capacity. According to Béres, its operations are tactically timed and orchestrated “to coincide before or during important political events or military exercises, often requiring public rebuttals and clarifications from the targeted governments or politicians.”23


It is also important to note this threat actor’s recent activities, as it has played a large role in the Russia-Ukraine war since February 2022. The group has been using “a mix of traditional hacking and information manipulation” and, according to Ukrainian authorities on 22 April 2022, it is “now one of the most aggressive online groups.”24 From these two cases it can be inferred that state-sponsored or government-linked malicious cyber activity leans toward intelligence gathering and political, influence and military operations, whereas groups independent of government typically claim financial motivations and conduct DDoS attacks, phishing campaigns, cryptomining and more.


Raising awareness of Eastern Europe’s cyber hub for tech criminals is increasingly important, as cybercrime operations in this region have become notoriously complex. Understanding them may prompt businesses and individuals to protect their economic interests, promote international collaboration in combating cybercrime, and deepen knowledge of the geopolitical factors that drive malicious cyber activity.


Subsequent articles will include the rise of Chinese cyber espionage, Iran’s cyber environment, and Nigeria’s hub for cyberfraud, among others. 

Notes

1 “World-First ‘Cybercrime Index’ Ranks Countries by Cybercrime Threat,” University of Oxford, April 10, 2024. https://www.ox.ac.uk/news/2024-04-10-world-first-cybercrime-index-ranks-countries-cybercrime-threat-level

2 Ibid.

3 “Cybersecurity Exposure Index (CEI) 2020,” PasswordManagers.co, July 17, 2024. https://passwordmanagers.co/cybersecurity-exposure-index/#europe.  

4 Ibid.

5 Ibid.

6 Ibid.

7 “Eastern Europe,” European Union External Action, December 21, 2021. https://www.eeas.europa.eu/eeas/eastern-europe_en.  

8 “What Are Non-Extradition Countries?: Legal Advice,” Human Rights Lawyers, October 23, 2024. https://humanrights-lawyer.com/blog/non-extradition-countries/

9 “Eastern Europe Countries 2024,” World Population Review, 2024. https://worldpopulationreview.com/country-rankings/eastern-europe-countries

10 Luca, Ana Maria, “Romania Remains Hub for Cyber-Crime Gangs,” Balkan Insight, April 2, 2018. https://balkaninsight.com/2018/04/02/hackers-keep-romania-on-the-cyber-crime-map-03-30-2018/.  

11 Kshetri, Nir, “Cybercrime and Cybersecurity in the Former Soviet Union and Central and Eastern Europe,” Cybercrime and Cybersecurity in the Global South, 2013, 51. https://doi.org/10.1057/9781137021946_3

12 Ibid., 52.

13 “RUBYCARP,” Malpedia: Fraunhofer FKIE, n.d. https://malpedia.caad.fkie.fraunhofer.de/actor/rubycarp

14 Ibid. 

15 “What is a botnet?” Malwarebytes, n.d. https://www.malwarebytes.com/botnet

16 Lakshmanan, Ravie, “10-Year-Old ‘RUBYCARP’ Romanian Hacker Group Surfaces with Botnet,” The Hacker News, April 9, 2024. https://thehackernews.com/2024/04/10-year-old-rubycarp-romanian-hacker.html

17 Ibid. 

18 “130 Cyber Security Statistics: 2024 Trends and Data,” Terranova Security, August 12, 2024. https://www.terranovasecurity.com/blog/cyber-security-statistics

19 Béres, Katalin, “Summary of Belarusian Threatactor, Ghostwriter Group,” CyberThreat.Report, March 2, 2023. https://www.cyberthreat.report/summary-of-belorusian-threatactor-ghostwriter-group/

20 Arghire, Ionut, “Mandiant Attributes Ghostwriter APT Attacks to Belarus,” SecurityWeek, November 26, 2021. https://www.securityweek.com/mandiant-attributes-ghostwriter-apt-attacks-belarus/

21 Ibid.

22 Béres, Katalin, “Summary of Belarusian Threatactor, Ghostwriter Group,” CyberThreat.Report, March 2, 2023. https://www.cyberthreat.report/summary-of-belorusian-threatactor-ghostwriter-group/

23 Ibid. 

24 Untersinger, Martin, “‘Ghostwriter’: The pro-Russian Hackers Crashing the War in Ukraine,” Le Monde, May 1, 2022. https://www.lemonde.fr/en/pixels/article/2022/05/01/ghostwriter-the-pro-russian-hackers-crashing-the-war-in-ukraine_5982121_13.html.
