MOSCOW — The ransomware hackers suspected of targeting Colonial Pipeline and other businesses around the world have a strict set of rules.
First and foremost: Don’t target Russia or friendly states. It’s even hard-wired into the malware, including coding to prevent hacks on Moscow’s ally Syria, according to cybersecurity experts who have analyzed the malware’s digital fingerprints.
They say the reasons appear clear.
“In the West you say, ‘Don’t . . . where you eat,’ ” said Dmitry Smilyanets, a former Russia-based hacker who is now an intelligence analyst at Recorded Future, a cybersecurity company with offices in Washington and other cities around the world. “It’s a red line.”
Targeting Russia could mean a knock on the door from state security agents, he said. But attacking Western enterprises is unlikely to trigger a crackdown.
The relationship between the Russian government and ransomware criminals allegedly operating from within the country is expected to be a point of tension between President Biden and Russia’s Vladimir Putin at their planned summit in Geneva on Wednesday. The United States has accused Russia of acting as a haven for hackers by tolerating their activities — as long as they are directed outside the country.
Biden and allies have said Russia appears to be the base for the masterminds of DarkSide and REvil, the cybercriminal groups linked to recent high-profile ransomware attacks on Colonial Pipeline and the U.S. operations and other markets of JBS, a Brazil-based company and the world’s largest meat supplier. There is no clear evidence the Kremlin was directly involved.
But Moscow has “some responsibility to deal with this,” Biden said last month.
But with other hackers, there appeared to be a sort of handshake deal, cybersecurity experts speculate. As long as hackers left alone Russia and selected friendly countries, they could largely do as they wished without fear of a crackdown or extradition, the analysts said.
“If you look at the ransomware code for most of these actors, it will not install on systems that have a Russian-language keyboard, are coming from Russian IP addresses or have the Russian-language packs installed,” said Allan Liska, Recorded Future’s ransomware expert.
“In these underground forums, they explicitly say there’s no going after Russian targets,” he added. “And that allows them to operate with impunity. . . . They are not operating at the behest of Russia, but they’re operating with the tacit acknowledgment of Russia.”
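The locale check Liska describes is simple to emulate, and emulating it is useful for a defender who wants to understand which of their hosts such code would skip. The block below is an added example written for this article; it is not code from any ransomware family, from Recorded Future, or from the analysts quoted. It models the two host-side checks in the quote (installed keyboard layouts and installed language pack) using the documented Windows LANGID encoding; the Russian-IP check is omitted because it needs a geolocation database. The exclusion policy itself (any Russian sublanguage plus Syrian Arabic, the one "friendly state" the article names) and the `HostLocale` type are assumptions made for the example.

```python
"""Emulation of the locale exclusion check described in the article.

Constructed example, not code from any ransomware family or vendor.
Windows LANGID values are the documented Microsoft constants; the
set of excluded languages is an assumption chosen to match the text.
"""
import sys
from dataclasses import dataclass, field

# A Windows LANGID is (sublanguage << 10) | primary language.
PRIMARY_RUSSIAN = 0x19          # primary language ID for Russian
LANGID_RU_RU = 0x0419           # Russian (Russia)
LANGID_EN_US = 0x0409           # English (United States)
LANGID_AR_SY = 0x2801           # Arabic (Syria)

# Assumed policy for this example: every Russian sublanguage and Syrian Arabic.
EXCLUDED_PRIMARY = {PRIMARY_RUSSIAN}
EXCLUDED_LANGIDS = {LANGID_AR_SY}


def langid_from_hkl(hkl: int) -> int:
    """The low 16 bits of a keyboard layout handle (HKL) carry the LANGID."""
    return hkl & 0xFFFF


def primary_language(langid: int) -> int:
    """Equivalent of the PRIMARYLANGID() macro: low 10 bits of a LANGID."""
    return langid & 0x3FF


def is_excluded_langid(langid: int) -> bool:
    """True if this language falls under the assumed exclusion policy."""
    return (primary_language(langid) in EXCLUDED_PRIMARY
            or langid in EXCLUDED_LANGIDS)


@dataclass
class HostLocale:
    """Constructed view of a host: HKLs as GetKeyboardLayoutList returns them,
    plus the LANGID of the installed UI language pack (hypothetical type)."""
    keyboard_layouts: list = field(default_factory=list)
    ui_language: int = LANGID_EN_US


def would_abort(host: HostLocale) -> bool:
    """True if the check the article describes would skip this host:
    an excluded keyboard layout is installed or the UI language is excluded."""
    if is_excluded_langid(host.ui_language):
        return True
    return any(is_excluded_langid(langid_from_hkl(h))
               for h in host.keyboard_layouts)


def installed_layouts_windows() -> list:
    """Real enumeration via user32!GetKeyboardLayoutList; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.windll.user32
    count = user32.GetKeyboardLayoutList(0, None)       # query needed size
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)            # fill the handle list
    return [(h or 0) & 0xFFFFFFFF for h in buf]


if __name__ == "__main__":
    # Constructed hosts: US-only layout, US plus Russian layout, Russian UI pack.
    for name, host in [
        ("en-US only", HostLocale([0x04090409], LANGID_EN_US)),
        ("en-US + ru-RU layout", HostLocale([0x04090409, 0x04190419], LANGID_EN_US)),
        ("ru-RU language pack", HostLocale([0x04090409], LANGID_RU_RU)),
    ]:
        print(f"{name}: would_abort={would_abort(host)}")
    print("this machine:", would_abort(HostLocale(installed_layouts_windows())))
```

The check keys on the primary-language bits rather than on one exact LANGID, so any Russian sublanguage trips it; that is also why a single extra keyboard layout on a test host is enough to exercise the abort path when analysing a sample that behaves as Liska describes.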
The Kremlin has been dismissive of U.S. complaints that Russia is harboring cybercriminals. Spokesman Dmitry Peskov said last week that hackers exist everywhere. In an apparent reference to the ransomware attack on JBS, Putin told state television that Russia does not “deal with some chicken or beef. This is just ridiculous.”
'Underground is just growing'
Smilyanets said that it was money that pulled him into hacking. When the Soviet Union collapsed in 1991, Russia inherited a top-tier educational system, but the country was broke and there were few job opportunities.
The son of a teacher and a police investigator, the 37-year-old former hacker said he was just a “regular kid.” He studied at the information security department at Moscow State Technical University.
“Even with this diploma, I couldn’t find a job,” said Smilyanets, who was extradited to the United States in 2012 after being arrested in the Netherlands. In 2015, he pleaded guilty to conspiracy to commit wire fraud and was sentenced to four years in prison for his role in one of the largest credit card data breaches to be prosecuted in the United States. (U.S. authorities spelled his name Dmitriy Smilianets.)
“I had to find money,” he said of his years after university. “Somebody showed me the way [into hacking]. I believe that happens to a lot of young, smart kids in Russia.”
Smilyanets said the draw to cybercrime is now stronger than ever “because there is so much money to be made.”
Andrei Soldatov, a Russian Internet analyst and author of “The Red Web: The Struggle Between Russia’s Digital Dictators and the New Online Revolutionaries,” said an entire generation of Russia’s skilled hackers grew up in the ’90s and blamed the West for Russia’s hardships after the Soviet Union unraveled.
That made them happy to comply with the unwritten rule for hackers operating in Russia: Do not target Russia or any of the former Soviet Union. Of DarkSide’s 99 known ransomware targets, 66 were based in the United States, according to a list provided by Recorded Future. Most of the rest were in Europe.
Hackers in Russia feel that they have “nothing to worry about,” Smilyanets said. For cybercriminals, the country is like a greenhouse, he said.
“If you wanted to pretend to be Russian and jump on these forums, I think they would notice any peculiarities in the language,” Liska said. “A nonnative speaker would have trouble kind of fitting in naturally.”
Dmitry Galov, a security researcher at Kaspersky, a top Russian cybersecurity firm, said the evidence is too weak to definitively trace the ransomware attacks back to Russia.
“It’s pretty tricky because when someone is speaking English on dark net forums, no one says that it is England behind the attacks,” Galov said. “They might be afraid that Russian cybersecurity experts will find them and catch them or whatever. There can be so many different reasons.”
In 2015, the FBI and the State Department announced a $3 million reward for information leading to the arrest of Russian hacker Evgeniy Bogachev, making him the most-wanted cybercriminal in the world. He was charged with conspiracy, money laundering and various fraud charges after allegedly siphoning more than $100 million from American bank accounts.
It would be a similar approach to how the Kremlin uses mercenaries from the shadowy paramilitary group Wagner, according to Western intelligence agencies, to represent its interests in Syria and several African hot spots while allowing Russian officials to deny any involvement.
Last month, the Treasury Department stated that the Russian internal security service, the FSB, “cultivates and co-opts criminal hackers, including” a group called Evil Corp., “enabling them to engage in disruptive ransomware attacks.” Treasury sanctioned Evil Corp. in late 2019.
Connections to the state come at different levels, Arena said. Once your identity is known to Russian law enforcement, you may get a knock at the door from the local police saying they know you are stealing money and want a cut, he said.
“It starts at that kind of level, up until the point where you have nation states leveraging cybercrime,” Arena said.
In an interview with the Russian OSINT blog posted June 4 on the Telegram messaging app, REvil said that another attack on the United States had been avoided “at all costs.” But the rule was lifted after U.S. officials became “outraged” at the ransom attack on JBS last month.
“We do not want to play politics, but since we are being drawn into it, it is good,” the ransomware group was quoted as saying.
“Even if they pass a law prohibiting the ransom payments in the United States or put us on a terrorist list, this will not affect our work in any way.”