Why is it always the Russians?

Russian hackers have become a household meme at this point. Hackers from Russia are so prominent, that former Washington Post cybersecurity journalist Brian Krebs learned Russian to read their forums and leaked documents. According to his book Spam Nation, at one point, when a Russian bulletproof ISP that doesn’t respond to complaints was taken down, the amount of spam in the world fell by nearly 70% for the month. The title of the book itself refers to Russia, because at least at the time of its writing, most spam and cybercrime were coming from it. But why is it always the Russians? Thankfully I’m here to answer that question for you by pitching in my anecdotal experiences of growing up in Russia.

Russia is struck with poverty and many people are willing to break the law to get out of it. Because of how the federal system works in Russia, most money flows towards Moscow and Saint Petersburg and the rest of the country is often left to fight economic hardships on their own. It is widely accepted by Russians that the most reliable way to get rich is to either move to Moscow (granted you have skills that you can monetize there, which will yield you 2-3 times the salary you would get in the province) or to become a local politician. When this poverty is combined with technological skills, absence of ethics and permissive laws, the chance of cybercrime popping up is very high. That was the case with Roman Seleznev, the hacker who got sentenced to 27 years in prison for his crimes by the United States. He was born in a dysfunctional family in the port city of Vladivostok. From the age of 2 he lived with his single mother, who worked as a cashier. They struggled with poverty and Roman was ultimately motivated by the desire to get out of it and help his mother out. Over time he realized that he was very good with computers and proceeded to study Computer Science in college. Things got worse for his mother, who succumbed to alcoholism and died when Roman was 17 years old. He ended up homeless and had to quit school to find himself a job. He found a job at a computer club, but that only paid him $5 per day, which is not enough to survive. He started looking for a job on the internet and that led him to start the practice of computer intrusions in search of credit cards and other information he could sell. Imagine how different things would have been if not for Roman’s traumatic childhood burdened by economic hardship? Roman is just one of many thousands of young computer-savvy Russian guys who saw hacking as a way to get out of poverty.

There is a detachment between digital assets and real people because digital ethics aren’t common knowledge. When I took an Ethical Hacking class in the United States, the first thing we were taught was ethics and law concerning cybercrime. Computer crime is a very serious offense in the West and the laws are vague enough to send you to prison for a very long time for a relatively minor intrusion. That isn’t the case in Russia. What is also not the case is the awareness of the real consequences of cybercrime. People often do not consider the dangers of their personal information being leaked or sold because they are already used to being surveilled. A large swath of the population is also technologically illiterate, so they may not even know what a hacker is. Those that are not technologically illiterate often do not have the awareness either, which if coupled with the desire to make money by any means necessary and a permissive legal environment, produces cybercrime. A person committing computer crime in Russia is often not even considering the fact that his actions are hurting real people or if he is, he often thinks that internet is alike to the wild west, where everything goes and everything is fair game.

Russia’s laws are so permissive that cybercrime often goes unpunished, especially if its victims are primarily overseas. Russian constitution was a near carbon-copy of the American constitution and theoretically Russians are protected under it to have the same freedoms as Americans. The only issue is that nobody cares what is written in the Russian constitution and its principles are applied selectively. Same thing is also true for nearly every law in the Russian Federation and cybercrime laws are not an exception. Most local law enforcement do not have the education to deal with any kind of digital crime because of technological illiteracy and they lack the resources to pursue it, if the education is present. The only real threat to hackers in Russia is the Federal Security Service, but it also has limited resources and cannot pursue all the crimes that need to be pursued. They also lack the technological sophistication that their American counterparts - the FBI and DHS, possess. There is a thriving market of Ransomware-as-a-Service, where hackers sell a subscription to their malware and take a cut of all the profits raked from victims that pay up. One interesting thing about this service is that its authors often restrict the geographical areas where it could be spread. There’s also malware in the wild that first checks where the infected machine is located and shuts down in certain countries. What is common between the two is that more often than not, it’s the CIS countries that are off-limits. There is one simple reason for it: Russian authorities are less likely to pursue digital crime that targets Western countries and everyone else who isn’t an ally of Russia. That is due to the hate that Russia has for Western countries and the fact that it has limited resources for pursuing cybercrime, which leads them to pursue that, which has the most impact on themselves and their immediate allies.

To conclude, when you actually consider the reasons behind the prominence of Russian hackers, the meme stops being funny. It is a sad reality of a country that has technology on-par with the rest of the developed world, but is economically, politically and ethically backwards. I’m glad to be living in the United States and studying information security because I could have been yet another Roman Seleznev. I recommend you read the heartbreaking story of his life that he wrote himself to address the US court. His story inspired me to write this.