An Interview With RedBear: A Hacker Training the Next Generation of Cybercriminals
Editor’s Note: In the interest of exploring the untold stories of cybersecurity, The Record is publishing a recent interview between a grey-hat hacker and a Recorded Future threat intelligence analyst.
The subject of the interview, RedBear, is a Russian-speaking self-described researcher and penetration tester. He has become popular on the dark web in recent years for operating a website where he analyzes malware and provides tutorials and training courses for cybercriminals. Topics RedBear has covered include SQL and XSS injections, remote and local file inclusion attacks, and cross-site request forgery attacks. Little is known about RedBear’s identity, but he has been active on several hacking forums since at least 2013.
The interview was conducted over Telegram by Recorded Future expert threat intelligence analyst Dmitry Smilyanets, and was translated to English with the help of a professional translator. The conversation below, which has been lightly edited for clarity, took place on Thursday, August 20.
Dmitry Smilyanets: How did you get into information security?
RedBear: Years ago, my acquaintance endorsed me as a "computer specialist" to some businessmen. I came to the meeting and I lied a lot about what I knew and could do. They didn’t have much work for me — they asked me to make a website and update it with info. I studied the topic, made a site using a free engine, filled in the info, and slightly changed the design. I knew HTML and CSS back from school.
The client liked it so much that they agreed on a salary. They sold meat, but in reality they were just smart-ass middlemen.
I periodically rolled out patches, and then I noticed that there was an exploit for the same CMS that we had. I checked, and it worked. How it worked — I had no clue. So l slowly began to study PHP, SQL, etc.
By the time they hired me, I had already managed to work as a system administrator for a while, brute some RDPs and even sell some of them.
DS: What is your favorite web vulnerability?
RB: RCE.
DS: Describe the hacking scene in 2020 — what are the big trends?
RB: What do I know? The trends are still the same — locking networks, sniffing credit cards, sending spear phishing emails, carding iPhones.
DS: Is the hacking scene getting less talented? Or are there still strong people in the industry?
RB: There is no drop off in skill, just more new faces. The whole world is being digitized, new people are coming in. Many methods are so well described and automated that any beginner can achieve some results simply by knowing in which sequence to click buttons and type commands. This may give the impression that the "scene" (if it can be called that) is degrading. But that would be wrong. There are many strong people. Many, I'm sure, can bench 10 times their own weight (lol).
DS: Have you ever worked for a Western company? If not, would you be interested?
RB: Officially... I definitely did not. Unofficially... I don’t know, anyone can request and use my services, I don’t ask for a passport. KYC [know your customer], that's not about me.
Would I be interested? The only question is the level of pay grade and ethics, if this term can be used at all.
DS: Do you think Western intelligence services may be interested in you?
RB: In my opinion, there should be at least some selection process for employees in the intelligence services. And these selected personnel should carry out at least some kind of analysis. Based on these two judgments (possibly unfounded), I assume that after conducting a minimal analysis of my "creativity", even for an analyst not schooled in IT (if there are any) it will be clear that I am of no interest at all.
DS: What is one line that you will never cross?
RB: There is a concept in psychology — a fundamental attribution error. It’s the tendency to explain other people's actions to their personal qualities, and your own to external circumstances. I don’t know what life circumstances I can find myself in, and therefore I don’t know what red lines I will or will not cross. Answering such a question, it is easy to say something that then turns out to be empty nonsense. Someone may think that I did something wrong because I am bad or that I am unprincipled. But in reality, the point is simply that I found myself in certain circumstances. You know, now I see that my answer would have been the same. I.e. of course, if I have the know how to work with networks,- then who the fuck knows, what I’d be doing. Maybe I would be working. And maybe I’d be looking for some other way to make money.
But all in all, my actions have rarely been motivated by profit, mostly by curiosity and fun.
DS: What worries the intelligence and law enforcement services in the CIS [Commonwealth of Independent States] most of all?
RB: If we are talking about the FSB, then probably the opposition, Islamic and right-wing radical terrorists. If we’re talking about the GRU / SVR — I don't know.
DS: Do you follow the Asian / Latin American infosec scenes?
RB: In general, no. I only poked around some Chinese sites. Well, sometimes I read what Orange Tsai writes.
DS: Are you a member of the long-standing Chinese hacking forum t00ls?
RB: I remember surfing from this site to the blog, but I did not go to the forum itself.
DS: What do you think of Group-IB and their public research “fxmsp” and “redcurl”? [Editor’s note: Group-IB is a security threat intelligence firm and Recorded Future competitor founded by Russian native Ilya Sachkov]
RB: I do not think that it is worth focusing on any specific studies of Group-IB, then the response will become less applicable, but if we talk about Group-IB in general, we will have to talk about Ilya Sachkov, and he is an ambiguous character. I don’t want to draw his attention to myself, he might shoot me.
DS: But they somehow manage to get very unique information — do you think they cooperate with blackhats?
RB: Well, here there are several possibilities:
- Their employees are insiders in different hacking groups, low level, like get me this, get me that, encrypt this, design that.
- They secretly break into botnet admin panels, etc.
- They use the administrative resource like - hey is this hosting[.]ru? You’ve got some crap being hosted here, block the account, and please send us the archive.
- One of the blackhats likes to talk too much, and some of their employees are really good listeners.
- 24/7 monitoring of all activities on public and non-public forums.
- Their own honeypot services for blackhats (VPN, Jabber, etc.).
- Also those options that I have not mentioned, but which are self-evident.
DS: How do you feel about ransomware attacks?
RB: I have nothing to do with them, attempts to connect me with them are demagoguery and lies.
DS: Why do you feel that way?
RB: I have a negative opinion of specific instances of ransomware use. That would be a more accurate statement. For example, when it is used against medical institutions. I remember an incident when a hospital had to cancel operations and to move patients to different rooms specifically because of a Locker attack. Hypothetically, the attack could have occured during an actual operation, which would have had serious consequences. Moreover, for certain patients even being moved to a different building is in and of itself a stressful situation.
Another example would be mindlessly loading it to everyone. For example, an average user loses all of their information (photos, videos, which could be priceless, in some sense). While the price of the ransom can be inaccessible for them. Here you wind up in a lose-lose situation. You ruined things for an individual and you didn’t get any money out of it. Something like that ... from a moral point of view there’s nothing to approve of there. I can somewhat understand when banks get locked, but I cannot understand when hospitals are attacked.
DS: What is your dream car?
A T-34 Soviet tank. Source: Wikimedia Commons
RB: Funny, but I never dreamt of cars. T-34 is a true patriot's choice. :)
DS: Do you think the United States and Russia can cooperate in the field of information security, including cybercrime?
RB: This question cannot be answered briefly. If we discard my speculation, there are facts that indicate that there is cooperation in some sectors, there is no cooperation in other sectors, and in a few sectors there is no cooperation and never will be.
DS: What do you think about cooperation between hackers and the state?
RB: Probably, no matter what definition of the word "hacker" we use, there is definitely cooperation.
DS: How do you think it happens? On whose side is the initiative?
RB: Well, if the state recruits talents to Skolkovo, that is one thing. But if the state recruits "talents" under a criminal charge, then it is completely different.
Skolkovo Innovation Center. Source: Wikimedia Commons
DS: Western researchers distinguish Fancy Bear and Cozy Bear. Do you think that makes sense?
RB: I have not studied this subject and cannot give a competent answer.
DS: But the guys who really perform the tasks, it’s not like they are working through HR, therefore, are not limited to one group?
RB: Well, if we consider all this analysis as a whole, then some are SVR, while others are GRU and these are two completely separate organizations. I think the secrecy there is so great that they don’t even know about each other.
DS: Do you believe that information security exists or is achievable or can anything be hacked?
RB: Information security is a process so achieving it is not really possible. It is an impossible goal, similar to reaching “the end of rainbow” or the horizon.
DS: You published research that potentially identified the person behind the moniker Billar, a Russian-speaking threat actor. Many people from the hacking scene say that you sentenced the guy. What do you think about it?
RB: There was a pretty long backstory with this comrade. I knew that he was up to some bullshit back in 2019. In the article I just described the hacking of his C2 server without disclosing any information about him. Moreover, I deliberately distorted some of the research data so that he had the opportunity to hide his tracks. I was sure that he was going to react the way he reacted. He had already had problems with clients, did a very poor job resolving them, acted really inappropriately. Right now, he writes that "he’s cooperating with the SBU and that everything is peaches and cream.” But I will remind you that he was selling a credit card sniffer (Mr. Sniffa) so if you really think that I doomed one guy, how many did I save?
DS: What books have had the biggest impact on you?
RB: What immediately comes to my mind: Robert Greene (I have almost all in hard copy), Cialdini (4 in hard copy), Machiavelli and Sun Tzu, and a few more. Well, psychology too, I didn’t stop with Cialdini. There are books on mathematics, electronics, programming, logic, philosophy, encyclopedia. There is almost no fiction in my library. Some Solzhenitsyn, but as I read it, I will most likely get rid of it.
DS: What can you say about the Russian-speaking hacker FlatL1ne? Under the tzar in Russia there always was a jester — I have a theory that he is the appointed joker. How far am I from the truth?
RB: Continuing your analogy — for the king's jester, his costume is not good enough.
DS: Tell me a secret.
RB: I'm not really a bear.
DS: Who are you?
RB: Secret.
Dmitry Smilyanets
Mission-driven and Russian-speaking intelligence analyst with type A personality. Dmitry has twenty years of experience and expertise in cybercrime activity that includes being a former member of an elite Russian-based hacking organization.