Russia influences hackers but stops short of directing them, report says

The report concludes that the relationship between criminal hackers and Russian intelligence services is unlikely to weaken.

WASHINGTON (NYTIMES) - Moscow's intelligence services have influence over Russian criminal ransomware groups and broad insight into their activities, but they do not control the organisations' targets, according to a report released Thursday (Sept 9).

Some US officials said there had been a lull, at least for now, in major ransomware attacks against high-profile American critical infrastructure that were attributed to Russian criminal groups - a pause that reflects Moscow's ability to partly check the criminal networks operating in the country.

But a ransomware group that faded away after attacks over the summer, REvil, appears to have returned this week to the dark web and reactivated a portal victims use to make payments.

While attacks have fallen off, "it's a fair bet" that the criminal networks are looking for signals from the Russian government about how they can restart their attacks, said Mr Chris Inglis, national cyber director.

"What I think will make the difference is whether Vladimir Putin and others who have the ability to enforce the law, international law, will ensure that they don't come back," Mr Inglis said Thursday during an event hosted by the Reagan Institute. "But it is too soon to say we are out of the woods on this."

The report, by cyber-security company Recorded Future, backs up the assessments of US officials who have said Russia does not directly tell the groups what to do but is aware of their activities and asserts influence.

Russian intelligence agencies both recruit talent from the groups and can set some limits on their activities, some US officials said.

Russian intelligence officials have long-standing ties to criminal groups, the report found. "In some cases, it is almost certain that the intelligence services maintain an established and systematic relationship with criminal threat actors," it said.

In recent months, Recorded Future has also published interviews with Russian hackers involved in ransomware attacks against the United States.

The Russian government's relationship with criminal hackers is different than that of other adversarial powers, like China or North Korea.

Justice Department officials have accused the Chinese government of exerting control over some of the criminal hacking gangs operating in its territory by directing them to carry out assignments. In return, China's intelligence services give the criminal groups leeway to attack American businesses.

China's control of its hackers is similar to the kind of tight restrictions it places on society, business and its propaganda efforts.

But the Russian government has a different approach. Moscow allows oligarchs and criminal groups to follow their own plans, so long as they do not challenge the Kremlin and are generally working toward President Vladimir Putin's goals, according to US government officials.

As a result, Russian control of hackers is often looser, giving Mr Putin and other Russian officials a degree of deniability. But the risk is that the criminal groups can go too far, provoking a strong response from the United States, US officials said.

Mr Putin's preferred strategy is to allow hackings that cause trouble for the United States, but stop short of setting off an international crisis.

"The government guys do not instruct who to hack, but over a long period of time there is really interesting connective tissue between the government and the criminal networks," said Mr Christopher Ahlberg, chief executive of Recorded Future.

Russia's Federal Security Service, the intelligence agency known as the FSB, has cultivated hackers specialising in ransomware, Mr Richard Downing, a deputy assistant attorney-general, said at a Senate hearing in July.

"As we know, Russia has a long history of ignoring cybercrime within its borders so long as the criminals victimise non-Russians," Mr Downing said.

The Russian government gives the hackers a measure of protection, and in return occasionally taps their expertise - and a cut of the money the ransomware groups earn flows to officials, Mr Ahlberg said.

Experts at Recorded Future and US government officials have argued that pressure the Biden administration applied on Russia to control the criminal groups that in May attacked a major American energy provider, Colonial Pipeline, and other companies has at least put Mr Putin on the defensive.

But Mr Ahlberg said the lure of the big returns from ransomware attacks may be too hard to ignore over the long term.

DarkSide, the Russian hacking group whose breach of Colonial Pipeline led to gasoline shortages on the East Coast, dissolved shortly afterward, under pressure from US and Russian officials. Recorded Future experts believe members of the group are becoming active again.

"Once you have made 500 million and it's fairly easy to make it, you're going to keep doing it," Mr Ahlberg said.

The report concludes that the long-standing relationship between criminal hackers and Russian intelligence services is unlikely to weaken.

"The current Russian government is not likely to crack down on cybercrime in the near future beyond taking some limited steps to appease international demands," the report found.

With the exception of a few prosecutions of people who have targeted Russian entities, Moscow has done little to disrupt criminal hackers, the Recorded Future report argued.

"The Kremlin's muted response to cybercriminal activities originating from within Russia has nurtured an environment where cybercriminal organisations are well-organized enterprises," the report found.