THE RISE OF THE REST: Maturing Cyber Threats Beyond the “Big Four”

November 21, 2019  • Aspen Digital


Aspen Institute Cyber Threat Assessment: November 2019

By Zach Dorfman and Breanne Deppisch

EXECUTIVE SUMMARY: One of the most pronounced trends in recent years is the democratization and spread of cyber capabilities—the rise and maturation of high-level threats from the developing world and countries beyond the four main hostile nation-states typically identified with offensive cyber-operations: China, Russia, North Korea, and Iran.

Whereas these “Big Four” states attract the most coverage and have been responsible for the majority of notable recent global incidents, industry research and comments from government officials show that the cyber realm is seeing a rapid democratization of tools, capabilities, and actors on nearly every continent, from Asia to Europe to South America.

This important but little-understood trend—effectively the “rise of the rest” in cyberspace—manifests itself online in a number of specific, identifiable ways as organized criminal groups seek profit and intelligence services attempt to advance their national strategic interests.

Overall, this trend encompasses four key developments, including (1) the rise of new nation-state threats like Vietnam, which is modeling its tactics on the successful playbooks of members of the “Big Four,” like China; (2) the rapidly enhanced capability of state intelligence services and hacking-for-hire groups operating in the Middle East, where countries have effectively purchased advanced cyber tools and teams on the open market to advance national strategic interests; (3) the growth of new distinct online organized crime syndicates in countries like Brazil; as well as (4) the emergence of hacker havens in Eastern Europe, like Romania.

Collectively, these rising threats, which are as often internally-focused as they are external, represent a new—but long-predicted—era for cybersecurity, following a familiar pattern of trickle-down proliferation of new tools that has long occurred with other military technologies (including, notably, the recent proliferation of drones). At the same time, while these evolutions have been long anticipated, a clear assessment and recognition of these rising threats is critical to enhancing our understanding of the rapidly changing cyber landscape.


THREAT SUMMARY: After watching China’s success with its unparalleled economic espionage efforts online, as well as China’s success in online monitoring and discouraging internal dissent, Vietnam—which finds itself at odds with China in southeast Asia and the South China Sea—has moved aggressively in recent years to copy that playbook regionally and domestically. Researchers have seen a surge since 2018 in threat activity from both state-sponsored hackers and independent actors tied to Vietnam. State-sponsored hackers typically target corporate competitors in the region—largely in automobile, manufacturing, and hospitality industries—and have also drastically expanded their attacks on media companies and dissidents in the region.

While Vietnam has witnessed a major digital boom in recent years, most of its citizens still lack basic technical skills or basic cyber hygiene and education, making them easy prey for malign cyber actors. Recently, Vietnam’s one-party communist government also passed a repressive cybersecurity law that drove thousands of citizens to the dark web—inadvertently creating an underground network of “hacktivists” who share tips and tricks via various hard-to-track online forums.


  • APT32: Known also as the OceanLotus Group and Buffalo, APT32 is Vietnam’s main state-sponsored hacking group. APT32 targets both foreign governments and corporations with ties to Vietnam in order to advance their own economic interests. Other researchers have suggested a second state-sponsored group, APT-C-01, could also be operating out of Vietnam, though this hasn’t been verified by larger threat intelligence firms.
  • Independent actors: The rise of online censorship laws has driven thousands of Vietnamese people to the dark web, where large underground “hacking groups” have formed. The groups serve as an unregulated online “underground” of forums for hackers to collaborate, share ideas, and share information about conducting malicious activity. One major group, the 14,000-member Hacker Vietnam Association, was shuttered last year. Researchers say other groups have undoubtedly formed in its place.

STRATEGIC INTERESTS: Like all nation-states, Vietnam primarily seeks to advance online the same goals that it pursues offline; notably, boosting the country’s economic growth and competitiveness—critical both to its GDP and helping counterbalance China—as well as discouraging dissent against its one-party Communist government rule. In these respects, Vietnam bears some key online similarities to China, albeit operating at a smaller and largely regional scale. Vietnam’s cyber operations can be seen as advancing at least three distinct national strategic interests, notably:

  • Spreading Regional Influence: APT32 has launched a wide range of attacks in the public and private sector in order to extend political and corporate reach across Southeast Asia. Their targets have been largely regional, with hackers focusing on the Philippines, Laos, and Cambodia.
  • Economic Espionage: APT32 attempted to infiltrate the networks of multinational car companies earlier this year—just months before the launch of Vietnam’s first domestic car manufacturer, VinFast, which is expected to help spur the country’s economic growth. It’s unclear what the aim of APT32’s attacks was, or if it was successful in its mission.
  • Stifling Internal Dissent: Since 2013, APT32 has targeted multiple dissidents, journalists and political activists living in Vietnam and abroad. In 2014, APT32 launched a spear-phishing attack on the Vietnamese diaspora across Southeast Asia, and, the following year, launched attacks on two of its own media companies. According to a report from FireEye, APT32 “continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide. … Governments, journalists, and members of the Vietnam diaspora may continue to be targeted.” Relatedly, Vietnam passed an internet censorship law in 2018 that restricts social media activity and posts, and requires major companies such as Facebook and Google to turn over data to the government, and it has announced a new 10,000-strong military cyber unit to counter “wrong” views.

CYBER LANDSCAPE: A digital boom in Vietnam has driven more people online than ever. But it has also prompted a flurry of restrictive new actions from Vietnam’s communist government—whose leaders have ratcheted up attempts to restrict its citizens’ conduct and speech online.

According to Bloomberg, Vietnam boasts one of the fastest-growing digital economies in Asia, thanks largely to a youthful middle class and the rise of cheap smartphones and internet-accessible devices. As of 2018, almost half of Vietnam’s population had internet access, and more than 60 million Vietnamese had Facebook accounts. In the past year, Vietnam has seen a 16 percent increase in social media usage and a 72 percent increase in smartphone usage.

But the rapid digital growth in Vietnam means many of its citizens lack basic cyber hygiene or education, making them easy prey for both foreign and domestic hackers. In fact, a 2018 Kaspersky report found that Vietnam continues to suffer the most offline cyberattacks in Southeast Asia—that is, attacks and malware that spread through media like corrupt USB drives, DVDs, or CDs. In the first six months of 2019, 19 million Vietnamese users (or 27.7% of the population) were victims of online cyberattacks, while 99 million people (59.9% of internet users) were the victims of offline attacks. And in the first three months of 2019, Vietnam was the victim of 4,770 cyberattacks—more than half the total number of attacks they suffered in the whole of 2018. (Vietnam’s government is not a particularly strong picture of cyber health online either: As of April 2019, zero Vietnamese government ministries, provincial, or municipal departments had received an “A” rating for cyber safety, according to cyber analysts. And a whopping 50 percent of Vietnamese government agencies do not employ a cyber specialist, leaving those agencies extremely vulnerable to a major breach.)

Meanwhile, the more digitally-savvy internet users in Vietnam have been driven to the dark web by the government’s new internet regulations, including the 2018 passage of a “Stalinist” cybersecurity law. The law—which took effect on January 1, 2019—restricts social media activity and posts and requires major companies such as Facebook and Google to turn over data to the government and to remove any content deemed by the government to be “toxic.” Social media companies must also hand over user data at the government’s request and will be required to open representative offices or branches in Vietnam within the year—a move that amounts to something like hostage diplomacy, ensuring that the tech companies have local employees who can be pressured to comply with the sweeping system of regulation and monitoring. Opponents of the law say it has “potentially devastating consequences for freedom of expression” in the country and also fear it could damage Vietnam’s economic prospects. “These provisions will result in severe limitations on Vietnam’s digital economy, dampening the foreign investment climate and hurting opportunities for local businesses and [small-to-medium-sized enterprises] to flourish inside and beyond Vietnam,” warned Jeff Paine, who serves as managing director of the Asia Internet Coalition.

Offensively, Vietnam’s main (and only well-known) state-sponsored hacking group has been dubbed APT32 by industry researchers. Researchers say APT32 boasts impressive in-house capabilities, but—like many state-sponsored hacking groups—primarily relies upon deploying readily available tools, such as Cobalt Strike. According to FireEye, APT32 employs a “combination of custom and open-source tools” to breach companies with ties to the manufacturing, hospitality, and auto industries. They also rely heavily on social engineering tricks, such as targeted spear-phishing attacks, and watering-hole attacks, in which hackers compromise legitimate websites and replace the content with phishing information.  “They tend to hold the more complex remote access trojans quite close to their chest and will only deploy them later on, once they’ve established a good foothold [in networks],” BlackBerry Cylance analyst Tom Bonner told CyberScoop News. “They’re really getting very creative in the way that they try to bundle their malware together and deploy their attacks,” he added.

APT32, which has been primarily associated with Vietnam’s economic espionage campaigns, doesn’t just target companies. Since at least 2013, threat intelligence firms have reported attacks on dissidents and political activists in the region. In 2015 and 2016, APT32 is believed to have targeted two Vietnamese media outlets; and in 2017, researchers found they were targeting various members of the Vietnam diaspora in Australia, as well as multiple government employees in the Philippines.

“While actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye, APT32 reflects a growing host of new countries that have adopted this dynamic capability,” researchers said. “APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly-available tools and techniques.”

The Gulf States of the United Arab Emirates, Saudi Arabia, and Qatar

THREAT SUMMARY: Middle Eastern countries like Saudi Arabia, the United Arab Emirates, and Qatar—all of whom find themselves locked in complicated regional geopolitics with each other and with Iran and Israel—have rapidly matured their cyber-capabilities within the last half-decade, thanks largely to their deep national pockets. Whereas traditional cyber powers like the U.S., Russia, and China have painstakingly developed their online toolkit and law enforcement, intelligence, and military cyber capabilities over more than a quarter-century, the Gulf States have showcased a new model: Buying advanced cyber capabilities on the open market. Foregoing the lengthy endogenous model of workforce education, technical training, and tool development, these Middle Eastern monarchies have largely instead embarked on a strategy of importing technical experts and tools from the United States, Europe, and Israel.

Once acquired, these so-called “hackers-for-hire” and their teams and tools are put to work advancing traditional national interests—most notably through the development of comprehensive domestic electronic surveillance programs and the specific targeting of political dissidents and journalists. Among other activities, actors working for these states have compromised the communications devices and accounts of government officials and businessmen—later dumping some of this data online and feeding it to journalistic outlets—as well as tracked dissidents and broken into their phones, and hacked into a media website and altered its content.

Although all three countries are U.S. security partners, Saudi Arabia and the UAE have acutely antagonistic relations with Qatar, and operations from both sides have targeted the other state or states. Saudi Arabia and UAE in particular also remain nervous about Iran, a longtime regional antagonist that has engaged in proxy battles with the Gulf states in places like Yemen and, most recently, appears to have directly attacked Saudi Arabia’s Aramco this summer using drones and cruise missiles.

The willingness of these states to undertake aggressive international hacking and surveillance campaigns could—and arguably has—helped further destabilize the Middle East. The alleged weaponization of purloined data from both countries to alter U.S. foreign policy also undermines American democracy by subjecting it to pernicious covert influence campaigns. Additionally, in the absence of tighter legal and normative controls, the hiring of former U.S. (and other Western) intelligence officials by these authoritarian states creates serious conflict-of-interest, human rights, and national security issues.


  • NESA/SIA: The UAE’s signals intelligence agency
  • The Center for Studies and Media Affairs: A Saudi intelligence cut-out run by Saud Qahtani, a close advisor to Saudi Crown Prince Mohammed Bin Salman, responsible for hacking and surveillance of dissident communications.
  • DarkMatter: A UAE-based firm that, according to credible reporting, has served as a cut-out for NESA, offering plausible deniability to the UAE for its offensive cyber-operations and surveillance activities. DarkMatter has also supported Saudi efforts.
  • CyberPoint: A Maryland-based firm that supplied personnel and training to NESA and DarkMatter.
  • NSO Group: an Israeli cybersecurity firm closely connected to that country’s military establishment, which sold hacking and surveillance technology to both Qatar and the UAE, according to reporting and court documents.
  • Global Risk Advisors: A U.S. and Qatar-based firm led by former U.S. and British intelligence officials that oversaw Qatar’s hacking operations, according to court documents filed by Elliott Broidy, a former pro-UAE lobbyist who claims Qatar operatives hacked his emails.
  • Hacking Team: An Italian company that worked for the Saudi government on its cyberespionage projects.
  • Unidentified “Hackers for Hire”

STRATEGIC INTERESTS: As they have matured their capabilities online, these Gulf states have centered their goals in cyberspace on advancing three traditional strategic interests:

  • Regional power and supremacy: On one side of the regional divide, Saudi and the UAE accuse Qatar of supporting terror groups and Islamists like the Muslim Brotherhood. These states dislike Qatar’s popular “Al-Jazeera” TV network, which they accuse of fomenting anti-regime sentiment. Saudi and Qatar have supported different factions in post-revolutionary Egypt and warring militias in post-revolutionary Libya. Since June 2017, Saudi, UAE, Egypt, Jordan, and Bahrain have led an ongoing blockade of Qatar, severing diplomatic ties with it.
  • Influence over U.S. policy: The conflict between the UAE, Saudi, and Qatar has involved proxy cyber-actions aimed at influencing U.S. politics or discrediting perceived regime foes in Washington.
  • Tracking and silencing dissidents: Saudi Arabia, the UAE, and Qatar are all tightly-controlled authoritarian states that have sought to stamp out dissent. Some actions have aimed at surveilling and intimidating dissidents abroad. These efforts notably included the murder of Washington Post contributor Jamal Khashoggi by Saudi officials in Turkey in October 2018.

CYBER LANDSCAPE: The story of DarkMatter—the UAE-based firm that has served as a secret offensive signals intelligence bureau for that country—illustrates the many serious dangers, pitfalls, and ethical issues surrounding the rise of Gulf State cyber-actors.

The veil surrounding DarkMatter’s activities was first pulled back by a 2016 story in The Intercept, where an Italian security researcher disclosed that DarkMatter had approached him with an offer to build surveillance “listening posts” all over Dubai for the Emirati government. The close relationship between DarkMatter and the UAE government was clear, with the headquarters for the nominally independent DarkMatter located in the same building as NESA, the UAE’s official signals intelligence agency.

According to prior reporting, DarkMatter had been engaging in a recruiting spree, offering yearly salaries of up to $500,000, and luxurious housing and cost-of-living subsidies, to European and American cybersecurity experts—including former NSA and DOD employees. More than a dozen former U.S. intelligence community officials worked for DarkMatter as part of a secret unit, called “Project Raven,” that targeted dissidents and regime foes abroad, according to Reuters. Many of these former U.S. intelligence officials were first recruited by CyberPoint, a Maryland-based firm that contracted to work with DarkMatter.

These relationships were built atop the close security partnership between the United States and UAE. According to a 2017 article in Foreign Policy:

“In late 2011, U.S. government advisors and contractors helped set up the UAE’s equivalent to the National Security Agency in the United States, whose name changed to the National Electronic Security Authority, and now the Signals Intelligence Agency. The United States was involved in everything from helping select a safe site with access to power and fiber connectivity to determining which buildings would be public and which classified.”

Furthermore, according to Reuters, while not involved in “day-to-day operations,” the U.S. National Security Agency “approved of and was regularly briefed on [Project] Raven’s activities.”

Run through DarkMatter, Project Raven was explicitly focused on “hack[ing] into the phones and computers of [the UAE’s] enemies,” according to the same Reuters report—compromising the devices of “hundreds” of activists and regime foes—including, eventually, Americans. (When a former NSA intelligence officer-turned-DarkMatter employee complained about the targeting of U.S. journalists, she was fired and detained in the country for two months, according to Reuters.)

On behalf of the UAE, DarkMatter hacked into the phones of the Emir of Qatar and other members of the Qatari government and royal family as well as senior government figures in Turkey and Oman; a British journalist; and Emirati dissidents, some of whom were later imprisoned. Former U.S. intelligence officials were intimately involved in these targeting operations, according to Reuters, and “identified vulnerabilities in selected targets, developed or procured software to carry out the intrusions and assisted in monitoring them, former Raven employees said.” According to reporting in Foreign Policy and Reuters, the FBI opened an investigation into whether former U.S. officials working for DarkMatter disclosed classified intelligence techniques or violated U.S. computer hacking laws.

But the UAE didn’t only use DarkMatter to undertake its covert hacking and surveillance offensive—according to court documents filed in 2018 cited by the New York Times, the NSO Group, an Israeli security company with close government ties, also worked with the Emirati government to hack the communications devices of rival foreign government figures. According to the report, NSO successfully hacked into the devices of a journalist and also targeted nearly 160 Qatari officials and members of the royal family. (In late October, WhatsApp filed a lawsuit against NSO in U.S. federal court, claiming the Israeli company had covertly delivered its malware to 1,400 devices to surveil WhatsApp users. NSO’s targets included “attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials” with “numbers with country codes from several countries, including the Kingdom of Bahrain, the United Arab Emirates, and Mexico,” according to the lawsuit.)

According to U.S. officials cited in the Washington Post, in 2017 the Emiratis also spearheaded the hacking of Al-Jazeera, a Qatari news network, and Qatari government social media, altering their contents to attribute pro-Hamas and pro-Iran statements to Qatar’s emir. This hack, which U.S. officials believed was the work of Russian freelance hackers working for the UAE, precipitated a highly coordinated, punitive blockade spearheaded by Saudi Arabia and UAE that has left Qatar isolated from the pro-Saudi bloc of Sunni Arab states.

Saudi Arabia, for its part, has also undertaken an independent effort to shore up its surveillance and hacking capabilities. According to the Washington Post, beginning around 2013, Saudi officials—led by Saud Qahtani, a close confidant of Saudi ruler Mohammed Bin Salman—worked with an Italian security organization called Hacking Team to purchase exploits that would allow the Saudis to compromise the devices of dissidents and regional political rivals. The Saudis—envious of the advances of the UAE with DarkMatter—also worked with the Israeli NSO Group on purchasing advanced surveillance technology.

Qatar has allegedly employed many of the same tools and tactics in this regional shadow war. According to an investigation conducted by lawyers representing Elliott Broidy—a prominent Republican Party figure close to the UAE—Qatar hacked Broidy’s emails as part of a campaign targeting the communications of over one thousand antagonists of the Qatari regime. This included the devices of Saudi, Emirati, Egyptian, and Bahraini officials, and public affairs officials connected to Washington firms associated with pro-UAE campaigns. Purloined communications from Broidy, Egypt’s intelligence chief, and the UAE’s influential U.S. ambassador have been selectively leaked to prominent media outlets. In one case in 2015, for example, individuals linked to Qatar provided the New York Times emails between UAE officials discussing how their policy of providing weapons to a Libyan militia was explicitly violating UN sanctions.

Brazil and its Indigenous Cyber Criminals

THREAT SUMMARY: Far off the international radar, Brazil struggles with one of the world’s largest and most effective communities of cybercriminals. Brazilian cybercriminals overwhelmingly target their own fellow citizens and are focused on that country’s financial sector, which is highly digitized—particularly so for a middle-income country—and while most of the country’s cybercriminals are not considered sophisticated compared to their Russian, North Korean, Eastern European, or Chinese counterparts, small groups have demonstrated advanced hacking capabilities. Notably, Brazil’s recent “Operation Car Wash” scandal, catalyzed by the hacking of senior Brazilian government officials, shows the power of Brazilian cybercriminals to expand beyond their core remit and affect politics at a national level.


  • Various Domestic Criminal Groups, whose capabilities vary widely in sophistication and reach.

STRATEGIC INTERESTS AND GOALS: The domestic criminal groups targeting Brazilians have focused primarily on two goals—profit and politics:

  • Cold, Hard Cash: As described in an April 2019 report by the threat intelligence firm Recorded Future, Brazilian hackers are best characterized as “pirates,” since they follow few identifiable, long-term patterns of behavior. As Recorded Future wrote, the organized criminal groups in Brazil “are ready to change their TTPs [tactics, techniques, and procedures] and forum platforms at any time, depending on where the easy money is and what law enforcement and security researchers are doing to collect information on them.”
  • “Watching the Watchers”: Brazilian cybercriminals and hacktivists have launched campaigns dedicated to penetrating government networks and officials’ devices to gather intelligence on their own potential prosecutions and, in some instances—by their own stated objectives—to expose official corruption.

CYBER LANDSCAPE: Brazil’s uniquely challenging cybercrime environment is the result of a confluence of factors, including pervasive and powerful organized criminal groups, ineffective governmental institutions, and rapidly-growing access to technology in the world’s sixth-largest country by population.

According to a report by the Igarapé Institute, a Brazilian think tank, “Few other countries have been as dramatically affected by digital empowerment as Brazil.” As the think tank wrote in 2014, “Brazil is undergoing a digital revolution with few parallels in the developing world. The rate of digital penetration and social media adoption has risen exponentially over the past decade. During this period, Brazil witnessed a tenfold increase in internet access and mobile phone subscriptions, with more than half of its population of 200 million people currently online.”

The wholesale shift in Brazil toward online banking, assisted by a rise in the use and availability of cell phones and tablet computers, has had a profound effect on cybercrime there. The cost of internet crime in Brazil is estimated at over $8 billion every year—the third highest amount in the world.

Over three-quarters of Brazilian internet users claim to have been victims of some sort of cybercrime; and, alongside China, Brazil suffers from the highest rates of hacking of social media profiles worldwide, with nearly one quarter of social media accounts breached. (As of 2014, Brazil had the second-largest number of Facebook user profiles and the fifth-largest number of Twitter users in the world.)

Phishing schemes sent through social media accounts have infected over 12 percent of Brazilian users’ computers with malware, according to the 2014 Igarapé Institute report. Spam-based attacks using email and SMS are also common in Brazil, as are pharming attacks, according to the 2019 report by Recorded Future.

Brazilian cybercriminals also often engage in “carding”—developing algorithms to harvest credit card numbers, says the 2019 Recorded Future report. In 2016, the Brazilian Bank Tesco said that 20,000 of its accounts had been compromised and nearly $3 million stolen, likely via a carding scheme. The same year, the Brazilian bank Banrisul had all 36 of its online domains redirected to phishing sites; Banrisul’s ATMs were also redirected to criminal groups’ own servers to access customers’ banking information.

Many Brazilian cybercriminals display an amateurism not evinced by their Chinese or Russian counterparts, with hacker forums on social media. Brazilian hackers often communicate via WhatsApp or Telegram, according to Recorded Future. That relative unsophistication, though, belies the scale of their profits: In one infamous case, known in Brazil as “Operation Ostentation,” Brazilian authorities arrested a small cyber gang led by a 24-year-old who had compromised 23,000 bank accounts through malware and phishing attacks and stolen roughly $108 million in just a year and a half.

According to Recorded Future, Brazilian cybercriminal groups have instituted innovative internal procedures to ensure continuity in case their operations are rolled up by Brazilian legal officials, with a structure more akin to “terror cells” than other criminal groups. In Brazil, “Gangs are organized into cells: software development, operations, money laundering — in a way that the disruption of one or more cells does not affect the business.”

The rise in online targeting of consumers has dovetailed with a spike in cyber attacks on Brazilian public institutions—and operations designed to gather intelligence on Brazilian officials. Brazil traditionally has an active hacktivist community, with “Anonymous” affiliates operating locally, and hacktivists have focused on political institutions and individuals, engaging in DDoSing and other attacks surrounding the 2014 World Cup, 2016 Olympics, and attacks aimed at political candidates and other government figures.

Sometimes—in the case of the seismic Brazilian domestic politics scandal known as the “Operation Car Wash” leaks—the lines between hacktivism and organized crime are blurry in the extreme.

The 2019 “Car Wash” leaks—mostly consisting of extensive Telegram chats between major Brazilian political figures, including current President Jair Bolsonaro—revealed deep improprieties in the relationship between the Brazilian prosecutors and judge overseeing the trial of former Brazilian president Lula da Silva, who is currently serving a prison sentence on corruption-related charges. The hacked cell phone text conversations were later leaked to The Intercept.

As was revealed after his July 2019 arrest, the source behind the hack was a Brazilian man accused of drug trafficking who initially targeted the phone of the prosecutor overseeing his case. He then accessed the phone numbers in the prosecutor’s device, and, employing a vulnerability in Telegram, hacked into the chats of all those numbers—which included some of the most powerful political figures in Brazil—and allegedly passed this data to The Intercept.


THREAT SUMMARY: While Russia’s ties to transnational organized crime groups are well-known—as is the relative impunity with which criminals there pursue their schemes—there are numerous “safe havens” for ambitious hackers and criminal groups around the world where they operate beyond the arm of western law enforcement. Few beyond Russia, though, have developed the reputation of Romania, which has emerged as the home base of numerous cyber schemes in recent years. In northern Romania, there’s even a town so jam-packed with cyber thieves that it’s earned itself an ominous nickname: “Hackerville.”

Romanian cyber criminals want what most cyber criminals want: money. And their endeavors have proved prolific—in recent years, the United States has convicted Romanian nationals for harvesting financial information from hundreds of thousands of people; peddling stolen credit card information on the dark web; and taking part in a sprawling malware scheme that resulted in the theft of millions of dollars from American consumers. These disparate schemes demonstrate the ongoing challenge law enforcement faces in capturing criminals and hackers who target victims far from their own homes.


  • Independent Actors: Motivated largely by financial gain. Over the past decade, Romanian hackers have organized themselves into well-organized hacking rings, which trade tips and tricks. They are largely self-educated, but successful: reports show these hackers are collectively responsible for the theft of millions of dollars from American consumers. The largest hotbed for Romanian hackers is the town of Ramnicu Valcea, also known as “Hackerville,” where some 100 residents are arrested each year on charges related to computer crime.
  • Guccifer: Marcel Lazar Lehel, widely known by the nickname “Guccifer,” is a Romanian hacker responsible for targeting multiple high-level U.S. and Romanian officials and their families. Lehel was arrested and charged in Romania in 2014 before being extradited to the U.S. and pleading guilty to aggravated identity theft and unauthorized access of a computer. In 2016, he was sentenced to 52 months in prison.

STRATEGIC INTERESTS AND GOALS: Driven by a potent mix of a well-educated, high-skilled workforce and a lack of opportunity, Romania’s computer crime industry has thrived in economically-depressed areas, allowing hackers to earn a living and driving a massive “hacking-for-hire” industry in which criminals often pilfer personal and financial information to sell elsewhere on the web. “In Romania, you have brilliant minds and excellent universities while, on the other hand, it’s not easy to find a good job,” said Raoul Chiesa, a former Italian hacker-turned IT consultant. One 22-year-old resident there told USA Today that she once earned $4,100 for a single hacking job—a paycheck amounting to nearly one-third of Romania’s annual per capita income of $13,000. In her telling, “almost everyone” at her high school was hacking for profit by the time they reached the 11th or 12th grade. “You rarely feel you’re doing any harm when your victim is across the ocean,” she added.

CYBER LANDSCAPE: The rise of Romania’s underground “hacking networks” first began in the early ’90s, after the country’s 1989 revolution formally ended Communist rule. But like many other nascent democracies in the post-Soviet bloc, Romania suffered from years of economic turmoil following the revolution, as leaders struggled to privatize major industries and shift to a market-based economy. A notable contingent of Romania’s cash-strapped citizens, many of whom already had technical training from previous jobs, turned to hacking in order to make a quick buck. “[Romania] had a lot of technically-trained individuals … and with the job market being what it was at the time they realized that there was more of an effort could be made in making more money by utilizing their skills and turning to hacking,” Peter Traven, an FBI assistant legal attaché at the U.S. Embassy in the Romanian capital of Bucharest, told ABC News earlier this year. Romanian hackers have largely focused on stealing financial information from consumers—primarily based in the U.S.—which can be peddled for a high price on the dark web. “When individuals can make more money in the cyber underground compared to using those skill sets to work for private sector, the government, it makes it very hard to compete with the money that these individuals can make,” Traven said. The amount of cyber crime originating from Romania rivals North Korea and other, more well-known threat actors. In fact, police in Romania estimate about 80 percent of cyber attacks from their country target American citizens and companies. And in 2014, the U.S. Embassy in Romania estimated that that country’s cybercriminals steal around $1 billion annually by hacking U.S. companies.

What separates Romania from the rest of the pack—and perhaps keeps them largely out of the headlines—is the degree to which its government readily cooperates with the United States. The FBI has a close partnership with the Romanian police force and CERT, Romania’s national cybersecurity and incident response team, and the two countries regularly work hand-in-hand to respond to alerts and bring rings of cyber criminals to justice. According to the U.S. Embassy, the FBI has also trained some 600 investigators to combat cyber crime.

Still, tracking down sophisticated cyber criminals in the complicated geopolitical climate of Eastern Europe is like playing a years-long game of Whack-a-Mole—for every hacking ring successfully taken down, it seems, countless others instantly pop up to take their place. The sheer number of indictments, extraditions and convictions handed down by the U.S. Department of Justice certainly underscores that phenomenon. In 2014, law enforcement authorities arrested perhaps the most infamous Romanian cyber criminal to date: Marcel Lehel Lazar, also known as “Guccifer.” Beginning in 2012, Lazar hacked into the emails of a bevy of high-profile U.S. and Romanian officials, including former secretary of state Colin Powell and former Clinton aide Sidney Blumenthal. Lazar also targeted U.S. Sen. Lisa Murkowski, members of the Rockefeller family, former FBI agents, and members of the Bush family, among others. He was indicted in the Eastern District of Virginia in 2016 on nine charges including wire fraud, gaining unauthorized access to protected computers, identity theft and cyberstalking. In 2018, Romania’s court of appeals approved an extradition request to allow him to finish the rest of his prison sentence in the United States. Guccifer’s arrest has hardly appeared to be a deterrent—as the years passed, the number of attacks from Romania, especially targeting the U.S., continued to rise. Among the most recent, a U.S. federal court in Northern Ohio convicted two Bucharest residents in April 2019 for infecting and controlling more than 400,000 individual computers as part of a scheme “to steal credit card and other information to sell on dark market websites, mine cryptocurrency and engage in online auction fraud,” according to the U.S. Justice Department.

Romanian national Nicolae Popescu continues to top the FBI’s list of most-wanted hackers. Prior to being indicted by the Eastern District of New York in 2012, Popescu led a sophisticated hacking ring of dozens of cyber criminals, who used well-known online auction sites such as eBay to sell off non-existent cars. The FBI, which now offers a $1 million reward for his capture, once had Popescu in their custody: In 2010, he was one of 70 Romanian hackers arrested in a joint raid by the FBI and Romania’s DIICOT authorities, but he was released due to a technicality.

Romania, for its part, is working to turn its international notoriety to a positive end: It is the home of a growing team of white-hat hackers who scan for vulnerabilities in the networks of private companies such as Google.