Analysis: murky Russian ransomware role complicates Biden summit mission
(Reuters) – As US President Joe Biden prepares to confront Russian President Vladimir Putin over ransomware gangs in his country that have recently twice targeted critical US infrastructure, his administration is publicly accusing the Russian government of allowing these criminals to profit without prosecution.
The FBI and private cybersecurity companies have not released any evidence showing Russian government involvement in ransomware attacks against US fuel carrier Colonial Pipeline Co and Brazilian meat packer JBS SA. Putin called the idea that Russia was responsible absurd.
But as the cyber operations of Russian intelligence agencies have evolved, it has become more difficult for the U.S. government to distinguish suspected Russian intelligence agents from ordinary cybercriminals who steal secrets from ransomware incursions and threaten to release them, according to more than a dozen US intelligence, national security and law enforcement officials and experts outside the government interviewed by Reuters.
“It’s a combination of tasks and closing the eyes, but there is always a plausible deniability,” said cybercrime expert John Bennett of enterprise risk consultancy Kroll.
As the main FBI agent in San Francisco, Bennett oversaw an investigation into a massive breach of 500 million Yahoo email accounts that led to US charges in 2017 against two Russian security agency FSB agents accused of instructing outside criminal hackers. A Canadian defendant has pleaded guilty to nine felony counts in the case, while charges against three Russians remain pending as they are out of America’s reach. The White House said Biden would discuss ransomware attacks emanating from Russia when he meets Putin in Geneva on Wednesday in the wake of the forced shutdowns of Colonial Pipeline and meat packer JBS, which has large operations in the United States.
Putin told Russian state television that Moscow would be willing to hand the cybercriminals back to the United States if Washington reciprocates. Biden on Sunday called the statement a sign of progress. White House and State Department officials declined to elaborate or say what Biden would ask Putin.
Russian officials have denied control of criminal groups while calling hackers whose activities meet the Kremlin’s objectives “patriotic”. In public statements and private forums, major criminal groups warn their affiliates not to attack targets in Russia. Many ransomware programs will not run on devices with keyboards configured for the Russian language.
In another US criminal investigation, Evgeniy Bogachev, a Russian national, was charged in 2014 with running GameOver Zeus, a variant of sophisticated bank fraud software, and distributing early ransomware called Cryptolocker.
While not part of the indictment, GameOver Zeus’ data collection model – searching infected computers for bank passwords and phrases including “top secret” – indicated a relationship with Russian intelligence services, according to senior US Justice Department official John Carlin, who oversaw the case under the Obama administration.
Increasingly, ransomware is aimed at larger targets and steals their data rather than merely encrypting it on the victims’ systems. Both trends could match the Russian government’s goals, said analyst Craig Williams of Cisco Systems’ Talos Threat Intelligence Unit.
Evil Corp, a group that the U.S. Treasury says is led by an associate of Bogachev named Maksim Yakubets, has become the first ransomware gang to focus on “big game” targets that may pay more, said Adam Meyers, senior vice president of the cybersecurity technology company CrowdStrike.
A 2019 U.S. Treasury Department sanctions order charged Yakubets with both committing large-scale crimes and following FSB instructions, “to acquire confidential documents through cybernetic means and to conduct cybernetic operations on its behalf”.
Yakubets was indicted in the United States in 2019 for alleged hacking, wire fraud and bank fraud. The United States offered millions of dollars as rewards for information leading to the arrest of Bogachev and Yakubets and published photographs of them, but they were not apprehended by Russian authorities.
Analysts told Reuters that Yakubets was married to the daughter of a former senior FSB official. Reuters could not reach either man for comment.
Because Treasury sanctions prohibit US ransomware targets from paying Evil Corp, the group continues to rename its encryption software.
One of the newer variations is called Hades, according to CrowdStrike. As of March, the Hades variant had been found in several companies generating more than $1 billion in annual revenue, according to Accenture stakeholders, including in the transportation and manufacturing sectors.
Report by Joseph Menn in San Francisco; Editing by Will Dunham and Edward Tobin