A new report from threat intelligence firm Recorded Future reinforces what many in the cybersecurity, threat intelligence and national security spaces have been saying for years: that while the Russian government almost certainly doesn’t exert direct control over ransomware groups inside its borders or guide them to individual operations or targets, there is strong evidence that these two parties do enjoy a symbiotic relationship that incentivizes Moscow to look the other way as these groups wreak havoc overseas.
These relationships between the Russian government and the ransomware criminal ecosystem are, the report notes, indirect, amorphous and “based on spoken and unspoken agreements” as well as “fluid associations.” While President Vladimir Putin has dismissed claims that such a relationship exists, the Russian government’s robust surveillance system gives it visibility over ransomware operations taking place within its borders, and it is also able to exercise a substantial amount of control over the resources – like local servers, hosting and other infrastructure – that these cybercriminal groups rely on to survive.
That these groups are permitted to operate more or less autonomously (while often studiously avoiding Russian targets) points to deliberate tolerance, if not “tacit approval” on the part of the Russian government.
These relationships tend to come in three different flavors: direct links; a “see no evil” posture towards cybercriminal groups whose work overlaps with or is beneficial to Russian state interests; and demonstrable associations – such as recruitment – between Russian intelligence or law enforcement operatives and the cybercriminal underworld. The latter often involves operations where such associations are not visible but where the two entities are clearly sharing tools or personnel. The benefits this position creates for Moscow include ransomware groups disrupting the IT ecosystem of geopolitical rivals like the U.S. and its critical infrastructure, and serving as a proving ground from which Russian intelligence agencies can recruit talent into their own ranks.
However, despite the widespread idea that Putin simply doesn’t care or is immune to international pressure on this issue, Recorded Future believes there are signs that he is starting to feel more pressure on the international stage. The attacks on Colonial Pipeline, JBS and Kaseya – all conducted by ransomware groups believed to be based in Russia – as well as the Biden administration’s renewed public emphasis and efforts to specifically call out the Russian government and Putin for their role in protecting these cybercriminal groups on the world stage, may be increasing the pressure for a response. Some of the groups behind these attacks have gone underground or claimed to have disbanded.
While “new” (or more likely rebranded) groups have emerged to take their place, it is notable that a number have explicitly pledged to avoid attacking targets viewed as critical infrastructure.
“It is widely known that the groups behind these attacks are located in Russia; the lack of action by the Russian government only highlights the apparent complicity of the Kremlin in these efforts,” according to the report. “This pressure already appears to have yielded statements that indicate a potential change in relation to ransomware operations, such as the recent BlackMatter ransomware gang’s pronouncements that it will not target critical infrastructure.”
This week, when asked directly whether the U.S. government had noticed any changes in behavior from ransomware groups following the summit with Putin, U.S. National Cyber Director Inglis said the jury is still out on whether those discussions have moved the needle.
“With respect to whether there’s still a permissive atmosphere in the places that essentially have been responsible for the ransomware attacks we’ve seen in the last year or two, and whether there’s been a material change in what the future of that may hold, I think it’s too soon to tell,” said Inglis. “We have…observed in the public domain seeing that those attacks have fallen off, we’ve seen that those kind of syndicates have to some degree deconstructed, but I think it’s a fair bet that they’ve essentially self-deconstructed, that is they’ve essentially gone cold and quiet, to see whether the storm will blow over and whether they can come back.”
Ultimately, he said, combining public and private resources to create ironclad attribution that links these attacks to groups inside Russian borders, break the plausible deniability the Russian government uses as a shield and rally international pressure is key to the U.S. long-term strategy.
“There’s got to be some kind of strong intelligence that comes to both public and private sources, and hopefully like-minded nations can assist in that regard, maybe Vladimir Putin can help in that regard. We then need to align actions to consequences,” said Inglis. “There are bad actors we need to bring them to justice in whatever ways are appropriate, using all the legal means before us. What the President has asked [Putin] to do is to assist in that, to essentially clean up the mess on his aisle nine, but it remains to be seen if he will.”