MOSCOW -- When it comes to finding original ways of virtually stealing real money, Russian criminals are in a class of their own. With an estimated annual turnover of more than $2 billion a year, the Russian cybercrime industry is the source of at least a third of all viruses, Trojans and other malicious software, or malware, sent around the world.
"In terms of sophisticated types of malware, Russia leads the way,” according to Kyle Wilhoit, an American cyber-security expert.
Take, for example, the recent data breach at Target. Investigators have traced the software that was used to steal millions of shoppers’ credit-card details back to a 17-year-old hacker from St. Petersburg named Sergey Taraspov. He allegedly wrote the program and then sold it for $2,000 on a Russian-language website. At least 40 different criminals, most from the former Soviet Union, used the code to attack American retailers. So far, at least 110 million American shoppers had their credit card numbers stolen with his software.
Wilhoit says this type of hit, known as a point-of-sale attack, shows serious skill.
“Russia is where they develop most of these types of attacks,” he said. “It’s a technology that not many other virus writers would understand. They go to the trouble of figuring it out because they know that’s where the money is.”
There are a number of reasons why Russia is the leading producer of malicious software. While universities here still produce highly trained engineers and mathematicians, the legitimate economy is offering them jobs that pay very little by western standards. An average Russian computer engineer earns about $24,000 a year, which doesn’t buy much in Moscow, the world’s most expensive city. The other resource Russia seems to have in unlimited supply is organized crime with strong ties to the government, which tends to look the other way when it comes to cybercrime.
“Hackers only really get prosecuted when they attack targets inside Russia,” said Wilhoit.
Wilhoit, a senior researcher at Trend Micro, an internet security company, tries to figure out where hackers might strike next and close the loopholes in customers’ systems before they do. The attackers are always developing things and we’re trying to develop things that will cut them off at the pass,” he said. The stakes are enormous. The global computer-security market is worth $60 billion and is expected to grow tenfold by the end of the decade. It’s surprising, perhaps more than it should be, to discover that both sides in this global game of cat-and-mouse are prominently represented in Moscow.
In 1989 a young Russian intelligence officer, Eugene Kaspersky, discovered a virus on his computer. Fascinated, he started tinkering with the code to see how the virus worked. That is the origin myth of Kaspersky Lab, the company he founded in 1997, which is now the world’s third-largest antivirus company.
Most Americans have probably never heard of Eugene Kaspersky, but there is a fair chance that your computer is regularly sending and receiving updates to an office building in Moscow, where Kaspersky’s virus-hunters are trying to figure out how to protect it. Sergei Novikov, one of the top experts there, says the company also draws on the talent pool of well-trained engineers. “That’s one of the reasons why we have our headquarters in Moscow,” he said. “Russia’s still a great place for mathematicians and technical education and great, really good technical universities.”
Increasingly, the work of catching everyday viruses and sending patches to subscribers’ antivirus software is done automatically by computers, which frees up the virus-hunters to focus on more sophisticated attacks. Engineers at Kaspersky even use models that allow them to predict and block some viruses before the hackers even invent them.
Still, like terrorists, cybercriminals have an advantage over those who are trying to stop them: they only need to find one loophole to wreak havoc. That’s how one 17-year-old programmer caused millions of dollars’ worth of damage to Target, Neiman Marcus and other American retailers and shook the confidence of millions of American shoppers.
Which brings us back to the $2000 dollars price tag for the piece of software that caused all that damage. In the war on terror they call this sort of ratio – thousands for a weapon that causes millions or billions of dollars’ worth of damage – “asymmetrical”. What makes matters worse is that hackers from Russia, unlike terrorists, can buy their weapons on the Internet. A recent investigation by Trend Micro found that the going price for an attack that could bring down a website is $10 an hour. Software designed to steal customer information is selling for $200-$500. Wilhoit says that, of the ten malware marketplace websites he regularly follows, five are Russian. “It’s like a normal online marketplace,” he says, “it’s all about supply and demand.”
So what can the US do to curb the rise of cybercrime from Russia? The short answer is: not much. Companies are going to have to spend more and more resources to protect themselves and learn to be more open about attacks when they happen. The longer answer is that international cooperation and better law enforcement could drive the cost of malware up and deter some of the criminals. Sadly, the relationship between the US and Russia, which was never very close, has deteriorated even further since Russia took in Edward Snowden. The scale of the damage done at Target might help explain why the FBI’s new director, James Comey, told a congressional committee that cyber threats are eclipsing terrorism as the main threat we face as a nation.