Unusual activity has been brewing on Russian cybercrime forums, where hackers were observed communicating with Chinese threat actors for collaboration.
Security researchers at Flashpoint, a threat intelligence firm, noticed a significant rise in the activity of Mandarin-speaking threat actors on a Russian hacking forum called RAMP and in multiple Dark Web communities.
Chinese threat actors were seen being encouraged to share multiple tips, engage in discussions, and collaborate in cyberattacks.
Flashpoint further reported that the Russians have opened their doors to numerous English- and Mandarin-speaking cybercriminals on domains that were once restricted to them alone.
Flashpoint’s report further mentioned:
“In October, Ramp administrators made changes to the forum’s interface that make it more accessible to Chinese-speaking and English-speaking threat actors.”
Chinese threat actors present in Russian hacking forums
Russian hacking panels are now also available in Mandarin and English, in addition to Russian. The admins also now often address forum members in English.
Comments and content in English are becoming more common among Russian cybercriminals. High-ranking forum members and administrators try to interact with the Chinese-speaking members using machine-generated Chinese.
Researchers further identified around 30 Chinese threat actors on the forum. They suggest there is a significant probability that the Russians are doing this to establish an alliance with Chinese hackers in order to launch various cyberattacks, possibly against Americans, to trade vulnerabilities, or to onboard cybercriminals for Ransomware-as-a-Service (RaaS) operations.
It was reported that this move was initiated by Kajit, the admin at RAMP, who claimed that he had recently visited China and could speak Mandarin.
However, the collaboration between Russian and Chinese threat actors isn’t confined to RAMP. Flashpoint noted a similar collaboration on the “XSS forum”.
New research by Flashpoint explained:
“In the screenshot below, XSS user “hoffman” greets two forum members who revealed themselves as Chinese.”
“The threat actor asks them if they could provide information about ransomware and purchasing various kinds of system vulnerabilities. The language seems to be machine-translated Chinese.”
In the previous month, ‘Orange’ or ‘boriselcin,’ who is a RAMP admin and also runs a site named Groove, called on cybercriminals to target the United States in a post.
After the post received media coverage, the admin declared that it was meant to be a fake operation and was posted only to manipulate the security community and the media.
Hoax or not the infrastructure linked to Groove hosted data linked to at least a US police department and a NBA baseball team, so the victims are real. As the pressure increases on Ransomware actors we can expect more elaborate excuses, but in the end the evidence remains.
— John Fokker (@John_Fokker) November 3, 2021
Russian threat actors aren’t the only ones looking to target the US with cyberattacks. Previously, Iranian hackers had been targeting American organizations with ransomware as well.
Cybersecurity researchers at Intel 471 and McAfee said that the threat actor was only trying to cover it up because the attempted RaaS attack did not go as planned.
A recent post by the Conti ransomware operation on RAMP mentioned the need to hire associates and purchase initial access to networks. The gang says that it prefers to work only with Russian cybercriminals but is ready to make an exception for Chinese threat actors.
“This ad is in Russian, because we only work with Russian speakers. BUT, out of respect for the admin, we will make an exception for Sino-speaking users and even translate this message in Chinese (you can even duplicate it in Mandarin and Cantonese!)” - Conti ransomware operation.
From this, it seems that the RAMP hacking forum is encouraging Mandarin-speaking users to take part in attacks.