The official said the administration did not believe the arrests were related to Russia’s apparent preparations to invade Ukraine. But, the official added, “we have also been very clear: If Russia further invades Ukraine, we will impose severe costs on Russia in coordination with our allies and partners.”
Analysts nonetheless said that the arrests, while significant, seem aimed at sending a signal that such cooperation would cease if the United States and Western allies impose sanctions in the event of a Russian invasion of Ukraine.
“The timing here is not an accident,” said Dmitri Alperovitch, chairman of the Silverado Policy Accelerator think tank.
The arrests also set an important precedent with Moscow admitting for the first time that "major ransomware criminals reside in Russia,” he said.
The administration official did not identify the hacker who was arrested but said that the individual was “responsible for the attack” on the Colonial Pipeline, which led to panic buying of gasoline and long lines at gas stations on the East Coast.
“Our expectation," the official said, "is that … Russia will be pursuing legal action within its own system” to bring the defendants to justice “not only for their past crimes but for preventing future ones as well.”
A second U.S. official said that the person arrested was “an affiliate” of the gang that created the ransomware. That gang, DarkSide, disappeared shortly after the attack amid a huge outcry and after facing pressure from the U.S. government. The affiliate then switched to work with REvil, the official said.
The Russian Federal Security Service (FSB) said it raided 25 addresses in Moscow, St. Petersburg and several regions, seizing more than $1 million in U.S. currency, euros, bitcoin and rubles, as well as computer equipment and 20 luxury cars.
The Russia-based REvil gang has carried out numerous attacks on major global companies, including the July attack on software provider Kaseya and the May attack on the world’s biggest meat-processing business, JBS.
The arrests marked a rare positive moment in U.S.-Russia relations after a flurry of diplomatic efforts in Europe this past week failed to deter Russia’s military buildup near Ukraine and persuade Moscow to de-escalate.
President Biden asked for President Vladimir Putin’s cooperation to fight cyberattacks and ransomware when the two met in Geneva in June, but Friday’s arrests are Russia’s first major operation to halt Russia-based ransomware attacks around the globe.
Since the June summit, senior U.S. and Russian officials in an “experts group” have held at least a half-dozen calls in which the Americans have sought Moscow’s cooperation on cybercrime. The individuals arrested were discussed on those calls, with the United States passing information about them to the Russians so they could act, said people familiar with the matter. “This is really a credit to Biden’s approach,” said one person.
“This is a significant action by Russian law enforcement against one of the most prominent ransomware gangs in the world,” Alperovitch said. “It also serves as a signal — amidst potential significant deterioration of relations over Ukrainian conflict — to showcase the type of meaningful help Russia can provide to the U.S. if it chooses to — or not.
“Putin has already warned Biden that in the event of severe sanctions over invasion of Ukraine, there could be a full break in diplomatic relations, meaning that cooperation like today’s action on ransomware, among other things, would cease,” Alperovitch added.
The FSB said U.S. law enforcement provided detailed information about the gang leader’s identity and criminal activities.
“The FSB of Russia established the full composition of the REvil criminal community and the involvement of its members in the illegal circulation of means of payment, and documented illegal activities,” an FSB statement said.
Russian television showed FSB agents clad in black bursting into apartments, wrestling suspects to the ground and handcuffing them behind their backs, and searching apartments and computers. One suspect had dozens of thick bundles of ruble bills in a compartment under his bed, according to the video.
The hacker involved in the Colonial Pipeline incident was one of those shown in the video, according to a U.S. official.
It is not uncommon for hackers to work for more than one group, said Allan Liska, intelligence analyst at the cyber firm Recorded Future. For instance, it is likely that the leader of DarkSide started off by working as an affiliate for REvil, he said. There is also a good deal of overlap between the malware DarkSide and REvil use to lock up victims’ computers, he said.
A Moscow court jailed two suspects, Roman Gennadyevich Muromsky, 33, and Andrei Bessonov, in connection with the allegations, Russian news agencies reported.
A Justice Department complaint filed last month in the Northern District of Texas named Aleksander Sikerin of St. Petersburg as a member of REvil. According to the complaint, U.S. law enforcement seized $2.3 million of cryptocurrency in August tied to ransomware attacks that U.S. officials say Sikerin carried out.
The FSB arrests of alleged REvil gang members sent a message of the benefits of cooperation with Russia, while at the same time underscoring the potential costs to the United States if relations worsen.
Diplomatic efforts to ease the crisis over Ukraine appeared to founder Thursday. Russian officials said there was no point in continuing security talks after U.S. and NATO officials ruled out Russia’s key demand that Ukraine, Georgia and other nations, including Sweden and Finland, be barred from ever joining NATO.
Russian officials have threatened to cut all ties with Washington if the Biden administration carries out its threat to impose sweeping sanctions on Russia should it launch a new attack on Ukraine.
The REvil arrests also came as unknown hackers targeted Ukrainian government websites early Friday, blocking access and warning Internet users to “expect the worst.”
Viktor Zhora, deputy head of Ukraine’s state agency of special communication and information protection, said that “close to 70” federal and local government websites were attacked, many of which were swiftly restored.
Dixon reported from Belgrade, Serbia, and Nakashima reported from Washington.