Researchers at Digital Shadows’ Photon Research Team have this week published information on an underground Russian language cyber criminal forum that stands out from the crowd for a new, but not altogether surprising, reason – it explicitly targets only victims in Russia and Belarus.
The Dumps Forum seems to have been established within the past three months, and, according to the Photon team, it has a small membership of around 100 individuals – it does not yet appear to vet them. Like most of its peers, it contains sections offering cyber attacks as a service, data leaks, illicit materials, carding support, malware and access to compromised networks.
But unlike its peers, Dumps makes it abundantly clear from the get-go that its actual goal is to support the Ukrainian war effort; its mission statement translates as: “Information services/leaks or other services on our forum are allowed in relation to only two states, these are the Russian Federation and Belarus. Topics that mention other countries are not allowed. This is the main rule of our forum.”
This intent is also expressed through redirect links to information on the ongoing conflict in Ukraine, and Ukrainian and pro-Ukraine charity organisations.
The Photon team said that while Russia’s invasion of Ukraine has been condemned around the world, the conflict has proven very divisive in the cyber criminal community – which is, of course, heavily influenced by Russian actors.
“Opinions on Russian president Vladimir Putin’s so-called ‘special military operation’ depend on several factors, notably the cyber criminal’s background, political beliefs or other nationalistic drivers,” they wrote.
“As we’ve reported in previous blogs, some internet users have taken it on themselves to take an active role in the conflict, targeting Russian organisations with targeted data breaches, distributed denial of service [DDoS] attacks and defacement activity.”
However, they went on, Dumps appears to be the only cyber criminal forum to have adopted a pro-Ukraine stance. “[This] puts Dumps Forum in a unique position, whilst also painting a target on its own back; if the forum develops into a well-known and successful project, it will likely become a target of counter activity from Russia-supporting cyber criminals,” the Photon researchers added.
“The brazen nature of the forum is perhaps best emphasised by the forum administrator actually posting their location, which points to a residential apartment in Kyiv. The roof of the building contains an insult towards Vladimir Putin.
“We’ve no idea if this location is actually the admin’s home, however it emphasises the spirit of defiance and resistance in which the forum is built.”
The researchers said that the forum’s rules state all topics must be aimed towards anti-Russian or Belarussian activity, and much of what is going on within its confines relates to sharing leaked data, advertising DDoS attacks, forged and stolen ID documents, and ‘bulletproof’ hosting services. Some sections of the forum, such as those relating to carding or initial access brokers [IABs], are in fact devoid of activity.
By some margin, the largest active section of Dumps is devoted to leaked data stolen from Russian government bodies and private sector companies, including a number of utilities providers.
Dumps’ DDoS-as-a-service section, meanwhile, enables users to call in a DDoS attack on any network resource, starting at $80 for an hour-long bombardment or $500 for 24 hours at Layer 4, with up to 500Gbps of firepower. A Layer 7 DDoS attack runs about $100 more expensive.
The third most active section, referred to as ‘probiv’ (a Russian slang term that loosely translates as ‘look-up’), is aimed at advertising information services where cyber criminals can find information on their potential targets, for a price. Some of the items currently available include Russian passport information, criminal records including convictions for possessing illegal weapons, and information related to people buying tickets to leave Russia.
The Photon team postulated that this might suggest that Dumps’ admins and users are particularly interested in Russian citizens sympathetic to Ukraine’s cause, some of whom may be inclined to attempt to travel to Ukraine to act as mercenaries or partisans. One may also infer this from the fact that the forum content is almost entirely written in Russian (which many Ukrainians speak) and not Ukrainian (which most Russians do not). Dumps claims, incidentally, to be blocked in Russia.
The Photon team said Dumps was likely still trying to establish itself, hence it remains relatively easy to find and join, although this presents an operational security risk to its admins should it become too well-known, particularly in the pro-Russian underground.
“Dumps Forum likely has an important role to play in the ongoing Russia-Ukraine war; as a hub for hacktivists and patriotic cyber threat actors, as a symbol of resistance, and making a demonstrable difference on the cyber battlefield,” they said.
“Any success achieved by Dumps Forum will however attract unwanted attention. The ban on Russian citizens visiting the forum highlights that the forum is already on the radar of the Russian state. It is also realistically possible that the success of Dumps Forum may inspire other services looking to play a part in the ongoing conflict.”