Cybercriminals are back in the USSR

International

It seems that a new home for cybercrooks has established itself at ‘.su’, the country-code top-level domain (ccTLD) of the former Soviet Union. The ‘.su’ TLD, which was assigned in 1990 and survived the dissolution of the Soviet Union in 1991, has seen explosive growth in recent years, due largely, it seems, to the patronage of hackers, spammers and assorted other online fraudsters. The administrators of the ‘.su’ registry have publicly acknowledged the problem and have vowed to tackle it by rolling out a new, stricter policy later this year.

The ‘.su’ TLD was retained after the collapse of the Soviet Union for ‘patriotic’ reasons; it is home to websites such as ‘www.stalin.su’, dedicated to the memory of Stalin. It is one of the 19 ccTLDs that Google currently treats as generic TLDs and, in this respect, sits alongside an odd selection of geographical bedfellows such as ‘.tk’ (Tokelau), ‘.tv’ (Tuvalu) and ‘.la’ (Laos). The TLD is administered by the Moscow-based non-profit Foundation for Internet Development under a memorandum of understanding with RIPN, the registry for ‘.ru’, Russia's ccTLD. In 2007 the price of registrations was cut in order to make them more accessible. At around the same time there were discussions on whether to do away with the ‘.su’ TLD altogether, but this only seemed to trigger an explosion in its popularity: registrations rose by 600% in 2008, taking the total to 80,000.

Group-IB, which describes itself as a "global cyber security company" and runs one of Russia's two official internet watchdogs, recently stated that the number of malicious websites hosted under the ‘.su’ TLD doubled in 2011, and then doubled again in 2012. Much of this growth appears to have been fuelled by the migration of scammers from ‘.ru’ after that registry tightened its rules in November 2011, allowing it to terminate a registration found to be associated with malicious conduct following a complaint from a "competent" organisation.

Roman Huessy, who runs the security blog ‘www.abuse.ch’, maintains that ‘.su’ is home to "a series of sites actively working in the online equivalent of broad daylight, ransacking bank accounts and holding hard drives hostage in return for ransom", and that the hackers who control the botnets behind these sites "can operate with impunity for months at a time".

The best-known incident involving a ‘.su’ domain name came earlier in 2013, when the credit records and, in some cases, Social Security numbers of celebrities and public figures such as Michelle Obama, Beyoncé, Donald Trump and Paris Hilton were posted on the website ‘www.exposed.su’. This prompted an FBI investigation and, although the website itself now appears to have been shut down, the domain name registration behind it still appears to be active.

Sergei Ovcharenko of the Foundation for Internet Development acknowledges that the TLD has a cybercrime problem, saying that "we realise it's a threat for our image", but he attributes it to weak Russian legislation and outdated terms of service. To address the latter of these two issues, Ovcharenko has stated that a new policy for the ‘.su’ TLD, with tougher rules, is due to be rolled out this summer. It will be interesting to see whether the new policy has the necessary muscle to induce cybercrooks to pack up their bots and move on to less well-regulated internet territory.

David Taylor and Cindy Mikul, Hogan Lovells LLP, Paris