The Symbolic Relationships Between Russia And Cybercriminals

 

ASSESSMENTS

The Symbiotic Relationship Between Russian Officials and Cybercriminals

10 MIN READJun 16, 2021 | 09:00 GMT

Fuel holding tanks are seen at Colonial Pipeline's Linden Junction Tank Farm on May 10, 2021, in Woodbridge, New Jersey.

(Michael M. Santiago/Getty Images)

Editor's Note: This security-focused assessment is one of many such analyses found at Stratfor Threat Lens, a unique protective intelligence product designed with corporate security leaders in mind. Threat Lens enables industry professionals and organizations to anticipate, identify, measure and mitigate emerging threats to people, assets, and intellectual property the world over. Threat Lens is the only unified solution that analyzes and forecasts security risk from a holistic perspective, bringing all the most relevant global insights into a single, interactive threat dashboard.

As illustrated by recent cyberattacks, Russia maintains a mutually beneficial strategic relationship with cybercriminals to exploit their comparative advantages and minimize the fallout from their actions, giving Russia an asymmetric means to punch above its weight and complicate a Western response. Since May, criminal groups allegedly based in Russia carried out two major ransomware attacks against private U.S. critical infrastructure companies Colonial Pipeline and JBS Foods, the latest in a much longer string of cyberattacks against private and government targets worldwide. These operations frequently enjoy Moscow's tacit toleration and unspoken assurance that perpetrators are protected from Western law enforcement, and in some cases they enjoy its direct support.

• Russian authorities' collusion with cybercriminals dates back to the fall of the Soviet Union, when a combination of factors — including the almost nonexistent rule of law, the emergence of a highly skilled but underemployed or unemployed technical workforce, frustration among rank-and-file intelligence officers, and a need to find new means to project power abroad — provided a permissive environment for opportunistic cooperation. Over time, this ad hoc collaboration became more routine, and in some cases even formalized.
• Russian cybercriminals have come to be seen as some of, if not the most, technically proficient, tactically aggressive and monetarily successful malign cyber actors. U.S. cybersecurity firm Recorded Future estimates that of the 25 ransomware groups it tracks, 15 — including the five largest — are believed to be based in Russia or elsewhere in the former Soviet Union. A 2017 survey by the well-known Russian cybersecurity company Kaspersky Lab found that Russian-speaking cybercriminals were behind three-quarters of ransomware strains active at the time.
• The current relationship between state officials and criminals is opaque and muddied by the fact that Russian cyber operations can often serve both criminal and strategic ends. For instance, in 2014 Russian intelligence officers recruited a cybercriminal, Aleksey Belan, to help steal information from more than 500 million Yahoo accounts; the officers then exploited the data for intelligence value while Belan profited from selling it on online criminal marketplaces.

Russian security services directly co-opt, implicitly condone and/or forcibly coerce cybercriminals' activities to facilitate their complicity and redirect the potential threat they pose domestically. In Russia and other former Soviet states, there is a mismatch between the high number of technically proficient individuals and the low number of legal jobs offering adequate pay. Recognizing that having a large group of frustrated workers with cyber skills poses a domestic threat, the Kremlin is widely acknowledged as condoning cybercriminals so long as they do not target Russian citizens or interests — explaining why Russian cybercriminals frequently use malware that will not install on computers with Russian-language keyboards — thereby shifting abroad the risk they might otherwise pose at home. As part of this bargain, there are three main ways in which Russian authorities facilitate cybercriminals' connivance:

• Directly co-opting. In some cases, as in the Yahoo attack, there is direct collusion between the two groups. In 2019, U.S. authorities accused Maksim Yakubets, the co-leader of a cybercriminal group known as Evil Corp, of directly working with Russian intelligence agencies that tasked him with projects for the Russian state, including acquiring confidential documents and conducting criminally lucrative cyberattacks.
• Implicitly condoning. More frequently, there is no direct collaboration between the two, but an implicit understanding that cybercriminals can operate and will be protected from the reach of foreign authorities so long as they do not cross certain "red lines" — chiefly, not targeting Russian citizens or interests — and act in ways that support or dovetail with Kremlin priorities. U.S. cybersecurity firm Advanced Intelligence revealed a chat made on the dark web from a user who apparently is Russian that "Mother Russia will help you. Love your country and nothing will happen to you."
• Coercing. Russian authorities also allegedly at times force criminals to work on their behalf or face some penalty. In most cases, this transpires when Russian authorities offer a criminal a chance to avoid prison in exchange for conducting work on behalf of the state. According to rumors, in some cases Russian officials have even exerted physical or extralegal pressure on criminals and/or their families.

Supplementing security services' internal capabilities with those of criminals gives authorities an asymmetric means to sustain the Kremlin's perceived great power status and undermine the West. Russian officials' widespread corruption, politicized enforcement of laws, connections to criminal organizations and at times direct engagement in criminal activities enable and even encourage security services to work with cybercriminals. This collaboration, which would be impossible in Western countries that are the primary targets of their malign activities, gives Russian intelligence agencies a way to overcome strategic disadvantages and conduct more effective foreign cyber operations that support the Kremlin's sense of great power standing and ultimate foreign policy priority of weakening the West.

• Reverse tech setbacks. Despite its long-held ambitions, Russia has been unable to develop domestic tech champions that can compete globally, in large part because — aside from a few close allies with small markets — most foreign entities refuse to use Russian tech because they assume it is linked to the country's security services. Using technically adept criminals to conduct operations abroad not only provides an external outlet for their malign skills, but also facilitates industrial espionage operations that Russian authorities see as key to overcoming domestic tech challenges.
• Reduce resource burdens. Effectively outsourcing some of their work to what amounts to third-party subcontractors allows Russian security services to minimize costs, time and other resource outlays. Proxies require little technical support and can mobilize fairly quickly, particularly in comparison to official intelligence officers, who are then freed up to focus on other priorities, including putting cybercriminals' activities to strategic effect.
• Sidestep strategic shortcomings. Engaging with cybercriminals gives Russia a way to make up for its comparatively weaker economic and military position against the West. Economically, Russia's global heft is largely confined to natural resource exploitation and, while its military remains formidable, there are clear limits on its utility, especially outside its regional area of influence. Facilitating cybercriminal activity offers the Kremlin a way to pursue through proxies a range of foreign operations it would otherwise struggle to carry out directly via its traditional levers of national power.
• Provide plausible deniability. Providing a permissive environment for cybercriminals to operate enables Russian officials to portray their purely criminal actions as independent and their more sensitive intelligence-linked activities, such as foreign electoral interference, as "patriotically minded" and of their own initiative. Even in cases where there are more apparent links between the state and cybercriminals, the significant challenge of clearly proving collusion gives the Kremlin just enough space to deny complicity and/or raise doubt about the accusations to avoid accountability.

The symbiotic relationship between the Russian state and cybercriminals will be difficult to counter, requiring the West to consider both more attractive inducements and more aggressive penalties to catalyze Russian action. Given cybercriminals' ability to hide their identities and that they are based in locations beyond the reach of Western authorities, there are relatively few ways to hold them accountable. In fact, the few cases in which Western officials have disrupted a Russian cybercrime group — such as earlier in 2021 when a rare U.S.-Europol sting broke up a ransomware as a service gang known as "Bugatti" — illustrate the challenges. Shortly after the disruption, cybercriminals posting on a Russian-language dark web forum accused Bugatti of poor tradecraft, most notably by working with non-Russian affiliates who could be informants or undercover police and by not sheltering the ransomware servers in Russia, which they said would have protected the group. This clear reliance on, and expectation of, Russian protection suggests that rather than pursuing the criminals themselves, Western authorities could instead concentrate on changing Russian calculations — remaining cognizant that these options are imperfect, present tradeoffs and, even if successful, will take time to play out.

• Agree on clear "red lines." At a minimum, all countries in theory have an interest in preventing ransomware attacks against critical infrastructure. Even if it would not address the still-damaging effects of ransomware attacks against less strategic targets and other criminal-led cyberattacks more generally, coming to an agreement on what constitutes unacceptable behavior in targeting critical infrastructure — which some ransomware groups allegedly have already forsworn — would at least establish a baseline to address the most pressing and debilitating cybercrime threat.
• Link Russian action on cybercrime to reciprocal action on its priorities. Despite significant policy divergences, there are some areas where the White House could agree to act on the Kremlin's priorities in ways that could still serve U.S. interests in exchange for Russia tackling cybercriminals within its borders. Two possible areas include strategic stability and the Arctic, both of which encompass mutual interests but are topics on which Russia has recently sought greater U.S. engagement, which so far has not been forthcoming.
• Collect stronger evidence to force action. Russia is able to shirk responsibility in large part because it can claim, regardless of veracity, that cybercriminals either operate on their own and/or hide their activities so well that authorities cannot crack down on them. Treating cybercrime not only as a law enforcement problem but also as a priority topic for intelligence agencies could uncover more damning evidence of either Russian government complicity and/or the details of cybercriminals' identities and whereabouts. This intelligence, which in some cases probably could use existing technical collection platforms and human assets but inevitably would require resource shifts, could then be used to try to strong-arm — possibly by threatening to "name and shame" — the Kremlin, which ostensibly seeks to portray itself as a responsible global power, to take action.
• Expand recent executive and legislative actions. Recent executive orders open avenues for the Biden administration to impose an array of sanctions against Russian individuals and entities that engage in malign cyber activities. While initially conceived to respond to state-led intelligence operations like the SolarWinds hack and not yet used to target cybercrime, an April 15 executive order gives the White House the ability to take more aggressive measures, including sanctioning wider Russian economic interests, which probably stand more of a chance of forcing the Kremlin to act against cybercriminals than typical individually focused asset seizures and travel bans. Simultaneously, a series of cyber protection bills making their way through Congress — while focused on hardening defenses — may make it easier to attribute attacks and thereby offer more opportunities to collect valuable evidence and increase public pressure on Russia.
• Threaten cyber retaliation. The United States could make it an explicit policy to conduct a proportionate — though not necessarily symmetric — cyber response to cybercrimes in which the hand of the Russian authorities is clear or in which they, through their inaction, enabled the perpetrators. While this option is inherently risky and it would be challenging to find appropriate targets, it could force the Kremlin to abandon the fiction that Russian cybercrime is purely criminal and cannot serve strategic ends. Given such a U.S. policy shift would escalate matters with Russia, it would be more likely to succeed if done in coordination with allies, both to maximize its operational impact and provide legitimacy.