As Russia’s devastating and protracted war in Ukraine enters its second year with no signs of abating, senior analyst James Tytler takes stock of the links between Russia-based cybercriminal groups and the Kremlin and assesses the impact of the conflict on the cyber threat landscape.
February 2022: Russia’s invasion sparks fears of cyber warfare
As Russian troops amassed on the Ukrainian border last January, the UK’s National Cyber Security Centre (NCSC) warned Western organisations to bolster their cyber defences. The NCSC feared that Russian military action on the ground would be accompanied by malicious activity in cyber space which could have unpredictable spill-over effects. These fears were fuelled by the memory of previous campaigns. The devastating NotPetya attack of 2017, for example, attributed to the ‘Sandworm’ unit of Russian military intelligence (the GRU), caused upwards of USD 10 billion in damages globally, compromising dozens of global companies and crippling the international shipping giant Maersk.
When Russia first invaded Ukraine in February last year, the response from one prominent ransomware group, Conti, was particularly striking. On 25 February Conti publicly declared its support for the invasion and went as far as to threaten retaliatory attacks on Western critical infrastructure. These comments added further weight to the widely held view in the cyber security community that there were covert links between Russia-based cybercriminals and the Russian deep state.
However, this public declaration of support was arguably the catalyst for the subsequent collapse of the group: just two days later, on 27 February, over 60,000 chat logs between Conti members were leaked by a disgruntled Ukrainian member. Conti publicly disbanded shortly afterwards, following an uncharacteristic and somewhat bizarre ransomware attack against the government of Costa Rica. Other prominent Russian ransomware gangs remained silent on the conflict or presented themselves as neutral. LockBit, another large ransomware group thought to be based in Russia, claimed on its blog that it was an apolitical, profit-motivated organisation based in the Netherlands.
All quiet on the Eastern front?
As 2022 rolled on, the initial fears of an uptick in ransomware attacks did not materialise. There are a number of structural and geopolitical factors which likely contributed to this dynamic, including the imposition of sanctions and the consequent increased international scrutiny on financial flows to Russia, volatility in Bitcoin prices, and a decrease in major widely-exploitable technical vulnerabilities.
While some have argued that the Kremlin would benefit from the economic disruption caused by a wave of ransomware attacks on Western targets, there may also have been a strategic decision to rein in some of the more indiscriminate tactics employed by the likes of Sandworm in the past, to avoid provoking retaliation. Indeed, Russian cyber activity against Ukraine has been highly targeted. Another factor is that members of ransomware groups appear to have actively shifted their focus at the Kremlin’s behest. For example, in September 2022, Google’s Threat Analysis Group reported that former members of Conti were now going after strategic Ukrainian targets. In October, the Ukrainian government reported that it had been targeted with a tool associated with Cuba, another Russia-linked ransomware group.
If ransomware attacks on Western targets did not increase following the war in Ukraine, the opposite was true for distributed denial of service (DDoS) attacks, in which a flood of malicious traffic is directed at a website or network to knock it offline. Since March 2022, the pro-Russian hacktivist group known as KillNet has struck targets across Europe, the United States and Japan, usually in response to pro-Ukrainian measures by those countries’ governments. Security researchers have described the group as a “fake hacktivist front” designed to give the Kremlin a veneer of plausible deniability for these operations.
A new era?
2023 has already seen a dramatic increase in Western law enforcement actions against Russia-based cybercriminals. In January 2023, a coordinated international law enforcement operation took down the infrastructure of the Hive ransomware group, a prolific organisation believed to be largely based in Russia which has extorted over USD 100 million from its victims. Just two weeks later, on 9 February 2023, authorities in the UK and US imposed asset freezes and travel bans on seven members of the criminal network responsible for the TrickBot banking trojan and the Conti and Ryuk ransomware strains.
The UK government has long discouraged the payment of ransoms. While this makes strategic sense, businesses hit with ransomware without access to working backups can find themselves in an extremely difficult position. The new sanctions are not targeted at any specific group, but they make it illegal to make funds available to the seven named individuals. This ambiguous position is sure to cause debate as to the broader applicability of sanctions to various ransomware operations. It will likely further drive the trend of victims refusing to pay ransoms, as highlighted by recent research from Chainalysis. However, it is worth noting that UK officials have clarified that there is no intention to penalise victims that are “forced to make a payment in the face of an existential threat.”
As we reported in our Cyber Intelligence Briefing, authorities in the UK and US have also publicly linked these groups to the Russian intelligence services. This is the first such formal attribution from an official Western government body. As the conflict in Ukraine continues, Western governments are becoming more emboldened and aggressive in their targeting of ransomware gangs which have been implicitly protected by the Russian state. It is also highly unlikely that Russia will cooperate with Western law enforcement efforts again. The takedown of REvil last January, which at the time was pointed to as a sign of a possible thaw in relations, is set to remain an outlier.
We expect to see further targeted action against Russia-based financially motivated ransomware groups this year in the form of infrastructure takedowns and sanctions, but threat actors will continue to adapt and evade these efforts.