Criminal Proxies Offer ‘Perfect Cover’ for Russian Cyber Offensive
As the West warns of imminent Russian assaults against critical infrastructure, cybersecurity researchers say the Kremlin is likely to rely on criminal rather than state hackers in launching such attacks.
“We’re not going to see the GRU or the FSB using their own assets, which can be traced back to them, as this would be considered an act of war,” Jon DiMaggio, chief security strategist at threat intelligence platform Analyst1, told OCCRP.
Instead, it is probable Moscow will utilize ransomware gangs and networks of other malicious actors to pursue highly disruptive campaigns against crucial sectors like finance, health, communications and energy.
“The criminal aspect provides the perfect cover, because it gives them plausible deniability,” DiMaggio said. “I strongly believe this is going to happen, and that it’ll be through criminal entities.”
Earlier in April, the Five Eyes intelligence alliance advised that the Kremlin is “exploring options for potential cyberattacks,” and urged “critical infrastructure network defenders to prepare for and mitigate potential cyber threats” following the Russian invasion of Ukraine.
Assaults on critical sectors may be launched in retaliation for unprecedented international sanctions against the Putin regime, and the provision of materiel support to Ukraine by Western governments amid the ongoing war, the group said.
Gavin Wilde, a senior fellow at the Carnegie Endowment for International Peace, said that while the most destructive cyberweaponry will remain in exclusive custody of the Russian state, there’s “every incentive” for the Kremlin to mobilize criminal groups, partly because of the added chaos it creates.
“When these proxies are used, it raises a lot of questions — is it a new group, is it an old group in a new wrapper — and that confusion sucks up far more resources in the target country than when there’s a clearer picture of the state nexus,” he said.
Russia’s market for cybercriminal services is widely considered one of the strongest in the world. “They’ve been perfecting the business of disrupting systems for years,” according to John Hultquist, vice president at Mandiant Threat Intelligence. “You have a criminal marketplace that’s not only available, but very, very good at what they do.”
For Hultquist, it’s also no coincidence that the authorities in charge of prosecuting cybercrime in Russia are the same that oversee intelligence activities in this area, meaning they have “a readily available bullpen of talent they can lean on.”
“To some extent, in some cases the options are work on behalf of the security services, or go to jail,” he added.
There are added financial reasons Moscow may turn to criminals. Depending on the nature of their relationship with security agencies, proxies don’t necessarily require funding, and successful ransomware attacks provide an influx of capital at a time when Russia being increasingly isolated from the global economy.
“By allowing Russia’s cybercriminal apparatus to grow, the Kremlin is bringing money into Russia and giving itself a wide network of hackers to draw upon as needed, without necessarily having to constantly supervise and finance those people and groups,” said Justin Sherman, a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative.
OCCRP previously reported that more than half of energy professionals believe cyberattacks against that sector would result in a loss of life, as well as significant damage to property and the environment, according to a survey by Norwegian risk management firm DNV.
Wilde explained it’s not just the IT systems at these organizations that need to be protected, but also the often far more vulnerable technology used to operate the different functions of the infrastructure they oversee.
“You’re talking about the actual software that’s turning gears and moving wires. That’s right on the border with physical space in a way that IT systems maybe aren’t, and so the cascading effects can be catastrophic,” he said.
Nor are industrial systems the only potential targets. Hultquist points out that supply chains are widely reliant on complex systems of transport and logistics, and “if those things start going down, you can have a situation where you’re looking at something that reverberates across the entire economy.”
Hybrid warfare has been crucial to the Russian offensive in Ukraine, where an April report by Microsoft found at least six Russian state-backed groups had launched 240 cyber operations against both public and private entities since the invasion began.
But an uptick in malicious and disruptive activity has also already been detected further afield, in many cases linked to criminal groups with suspected ties to the Kremlin.
On May 8th, Costa Rica declared a state of national emergency after weeks of sustained attacks against state institutions by the Conti ransomware gang, which have since broadened to target hospitals and medical clinics.
Having initially demanded US$10 million for the return of stolen Ministry of Finance data, the group has now published the information online and doubled its ransom, threatening an attempt to overthrow the country’s government if they fail to pay up.
The Killnet hacker group has been similarly active launching multiple DDoS (Distributed Denial of Service) attacks in Romania, Moldova, the Czech Republic and Italy -- including during the Eurovision Song Contest, hosted in Turin, in which Russia was barred from competing.
Though there’s little publicly available information to concretely tie active syndicates to the Russian state, researchers say there’s more than enough to suggest the more powerful groups operate with at the very least implicit license from intelligence agencies.
“The constellation of circumstantial evidence certainly points towards, if not just tacit approval, then even loose coordination with the security structures in Russia,” Wilde said.
Perhaps one of the world’s most notorious cybercriminal syndicates, Evil Corp is known for using malware to steal banking credentials, and has been responsible for the theft of more than US$100 million from businesses and consumers.
The U.S. Treasury Department claims that since 2017, the group’s suspected head, Maksim Yakubets, has also been working for the FSB, where his father-in-law is believed to have formerly been a high-ranking official.
Meanwhile, a February leak from one of the Conti group’s internal chat servers revealed messages between members discussing the organization’s day-to-day operations, including talk of Liteyny Avenue in St. Petersburg, home to local FSB offices.
DiMaggio and Wilde both point to the return of the REvil ransomware gang as another case in point. Since 2019, the group has been responsible for a number of significant attacks in the U.S., including attempts to blackmail public figures such as then-President Donald Trump and celebrities like Bruce Springsteen and Madonna.
Following the U.S.-Russia summit in Geneva last June, where Biden raised the group’s activities as a point of concern with Putin, the FSB arrested more than a dozen members of the syndicate. However, security analysts have confirmed that REvil actively resumed operations in April of this year.
Russian authorities have also since declined to press charges for attacks on U.S. entities, leading to speculation in online criminal forums that the group may now be operating with the blessing of the country’s intelligence agencies.
“That the charges against REvil are not going ahead, I see in that a potential signal that the gloves are off as far as these proxy actors are concerned,” Wilde said.