Full Report
Chapter II. Russian language cybercriminal forums – not always underground but always aiming at generating maximum profits. Welcome to...
Analysis Summary
# Threat Actor: Mikhail Matveev (wazawaka, Orange)
## Attribution & Identity
* **Identification:** Mr. Mikhail Matveev, a Russian national and prominent threat actor.
* **Aliases:** "wazawaka", "Orange".
* **Known Associations:** Involved in at least eight Ransomware as a Service (RaaS) groups; prominent member of the "Babuk" Ransomware group.
## Activity Summary
* Active as of the article's date (August 2022 interview context).
* Was a prominent actor in the "Babuk" RaaS group.
* Babuk's most notable operation was the April 2021 breach of the Metropolitan Police Department.
* The Babuk group reportedly disbanded after internal disputes involving Matveev.
* The actor is discussed in the context of building and managing cybercriminal forums, which suggests involvement in the maintenance or administration of RLCFs.
## Tactics, Techniques & Procedures
* Involvement in Ransomware operations (as part of Babuk RaaS).
* Participation in the intrusion into law enforcement agencies and the exfiltration of their data.
* Activity within the Russian Language Cybercriminal Forum (RLCF) ecosystem, potentially including forum management and monetization.
* *(No specific MITRE ATT&CK IDs were mentioned in the source text.)*
## Targeting
* **Sectors:** Law enforcement/government (the Metropolitan Police Department is the only victim the source names).
* **Geography:** Russia (actor's nationality). CIS countries appear in the source only in the context of forum advertising, not as confirmed targets.
* **Victims:** Metropolitan Police Department, breached in April 2021. The source does not say which city; the Babuk breach publicly reported for that month was of the Washington, D.C. police department, not a UK force.
## Tools & Infrastructure
* **Malware Families Used:** Associated with the "Babuk" Ransomware.
* **Infrastructure:** Involved with Russian Language Cybercriminal Forums (RLCFs). The forums described run on forum software such as XenForo and sit behind Cloudflare, which operators rely on for day-to-day administration and for protection against DDoS and intrusion attempts. No C2 servers or IP addresses for Matveev or Babuk are given in this excerpt.
## Implications
Matveev is a high-profile cybercriminal who took part in significant ransomware activity against a law enforcement agency before potentially pivoting to, or additionally engaging in, the management and maintenance side of the underground ecosystem via RLCFs. His career illustrates the threat posed by actors who combine RaaS operations with a role in the forums that sustain them.
## Mitigations
Since the focus is on an established threat actor and the forum ecosystem:
* Deploy standard anti-ransomware controls (offline and tested backups, network segmentation, MFA on remote access, prompt patching of internet-facing services), with particular attention to the strains run by prominent RaaS groups.
* Monitor RLCF discussions (where Matveev was active) for early indicators of new operations or vulnerability sales, especially around the forums' escrow and advertising services.
* Be aware that actors who move between direct attack operations and forum administration or participation remain a threat in either role.