The Washington PostDemocracy Dies in Darkness

Ransomware’s suspected Russian roots point to a long detente between the Kremlin and hackers

A filling station at a Sam’s Club in Morrow, Ga., is closed on May 13 as demand for gasoline surges following the cyberattack on Colonial Pipeline. (Dustin Chambers for The Washington Post)

MOSCOW — The ransomware hackers suspected of targeting Colonial Pipeline and other businesses around the world have a strict set of rules.

First and foremost: Don’t target Russia or friendly states. It’s even hard-wired into the malware, including coding to prevent hacks on Moscow’s ally Syria, according to cybersecurity experts who have analyzed the malware’s digital fingerprints.

They say the reasons appear clear.

“In the West you say, ‘Don’t . . . where you eat,’ ” said Dmitry Smilyanets, a former Russia-based hacker who is now an intelligence analyst at Recorded Future, a cybersecurity company with offices in Washington and other cities around the world. “It’s a red line.”

Targeting Russia could mean a knock on the door from state security agents, he said. But attacking Western enterprises is unlikely to trigger a crackdown.

The relationship between the Russian government and ransomware criminals allegedly operating from within the country is expected to be a point of tension between President Biden and Russia’s Vladimir Putin at their planned summit in Geneva on Wednesday. The United States has accused Russia of acting as a haven for hackers by tolerating their activities — as long as they are directed outside the country.

Biden and allies have said Russia appears to be the base for the masterminds of DarkSide and REvil, the cybercriminal groups linked to recent high-profile ransomware attacks on Colonial Pipeline and the U.S. operations and other markets of JBS, a Brazil-based company and the world’s largest meat supplier. There is no clear evidence the Kremlin was directly involved.

But Moscow has “some responsibility to deal with this,” Biden said last month.

The Biden administration seeks to rally allies and the private sector against the ransomware threat

In a 2016 interview with NBC, when asked why Russia was not arresting hackers believed to have interfered in the U.S. election, Putin hinted at the hands-off approach: “If they did not break Russian law, there is nothing to prosecute them for in Russia.”

As Russia became fertile ground for skilled hackers, it recruited some to work for its state security agencies, including the military intelligence service, the GRU, allegedly responsible for damaging cyber-campaigns against U.S. institutions, according to Western intelligence agencies.

But with other hackers, there appeared to be a sort of handshake deal, cybersecurity experts speculate. As long as hackers left alone Russia and selected friendly countries, they could largely do as they wished without fear of a crackdown or extradition, the analysts said.

“If you look at the ransomware code for most of these actors, it will not install on systems that have a Russian-language keyboard, are coming from Russian IP addresses or have the Russian-language packs installed,” said Allan Liska, Recorded Future’s ransomware expert.

“In these underground forums, they explicitly say there’s no going after Russian targets,” he added. “And that allows them to operate with impunity. . . . They are not operating at the behest of Russia, but they’re operating with the tacit acknowledgment of Russia.”

The Kremlin has been dismissive of U.S. complaints that Russia is harboring cybercriminals. Spokesman Dmitry Peskov said last week that hackers exist everywhere. In an apparent reference to the ransomware attack on JBS, Putin told state television that Russia does not “deal with some chicken or beef. This is just ridiculous.”

'Underground is just growing'

Smilyanets said it was money that pulled him into hacking. When the Soviet Union collapsed in 1991, Russia inherited a top-tier educational system, but the country was broke and there were few job opportunities.

The son of a teacher and a police investigator, the 37-year-old former hacker said he was just a “regular kid.” He studied at the information security department at Moscow State Technical University.

“Even with this diploma, I couldn’t find a job,” said Smilyanets, who was extradited to the United States in 2012 after being arrested in the Netherlands. In 2015, he pleaded guilty to conspiracy to commit wire fraud and was sentenced to four years in prison for his role in one of the largest credit card data breaches to be prosecuted in the United States. (U.S. authorities spelled his name Dmitriy Smilianets.)

“I had to find money,” he said of his years after university. “Somebody showed me the way [into hacking]. I believe that happens to a lot of young, smart kids in Russia.”

Smilyanets said the draw to cybercrime is now stronger than ever “because there is so much money to be made.”

Andrei Soldatov, a Russian Internet analyst and author of “The Red Web: The Struggle Between Russia’s Digital Dictators and the New Online Revolutionaries,” said an entire generation of Russia’s skilled hackers grew up in the ’90s and blamed the West for Russia’s hardships after the Soviet Union unraveled.

That made them happy to comply with the unwritten hacking rule of operating in Russia: Do not target Russia or any of the former Soviet Union. Of DarkSide’s 99 known ransomware targets, 66 were based in the United States, according to a list provided by Recorded Future. Most of the rest were in Europe.

Feds recover more than $2 million in ransomware payments from Colonial Pipeline hackers

Hackers in Russia feel that they have “nothing to worry about,” Smilyanets said. For cybercriminals, the country is like a greenhouse, he said.

“A place where you grow your vegetables, where you have perfect sunlight, perfect humidity and absolutely no wind,” he said. “That’s what happens in Russia: You have great education, you have great Internet, and absolutely nothing disturbs them. They flourish, they grow. They learn a new way to hack. They teach their friends and that whole underground is just growing.”

Ransomware in Russia

Ransomware is the region’s specialty, analysts said.

DarkSide and REvil are both ransomware-as-a-service outfits, meaning they don’t carry out the attacks themselves but work as intermediaries by providing the tools and affiliated services to hackers. Liska, of Recorded Future, said DarkSide’s hackers were originally part of REvil before spinning out on their own.

They won’t work with just anyone. The groups interview their potential partners and ask for proof of bona fides out of paranoia that Western intelligence agencies might be trying to infiltrate them, analysts said. All communication is done in Russian.

“If you wanted to pretend to be Russian and jump on these forums, I think they would notice any peculiarities in the language,” Liska said. “A nonnative speaker would have trouble kind of fitting in naturally.”

Dmitry Galov, a security researcher at Kaspersky, a top Russian cybersecurity firm, said the evidence is weak to definitively trace the ransomware attacks back to Russia.

“It’s pretty tricky because when someone is speaking English on dark net forums, no one says that it is England behind the attacks,” Galov said. “They might be afraid that Russian cybersecurity experts will find them and catch them or whatever. There can be so many different reasons.”

In 2015, the FBI and the State Department announced a $3 million reward for information leading to the arrest of Russian hacker Evgeniy Bogachev, making him the most-wanted cybercriminal in the world. He was charged with conspiracy, money laundering and various fraud charges after allegedly siphoning more than $100 million from American bank accounts.

He is believed to be living in Russia, apparently safe from capture as long as he doesn’t leave the country.

Kremlin buffer

In addition to Bogachev’s alleged schemes, cybersecurity firms Fox-IT and CrowdStrike, in collaboration with the FBI, noticed bots in his network were engaged in cyberespionage against countries including Russia foes Georgia and Ukraine and NATO member Turkey.

The bot probes were detailed, including searches for documents with certain levels of government secret classifications and for specific government intelligence agency employees.

“What kind of cybercriminal cares about that?” said Mark Arena, founder of the Intel 471 cybersecurity firm.

Bogachev has become the go-to example for those in cybersecurity circles who suspect Russia isn’t just allowing cybercriminals to launch attacks from the country, but could be, in some cases, working with them.

It would be a similar approach to how the Kremlin uses mercenaries from the shadowy paramilitary group Wagner, according to Western intelligence agencies, to represent its interests in Syria and several African hot spots while allowing Russian officials to deny any involvement.

Last month, the Treasury Department stated that the Russian internal security service, the FSB, “cultivates and co-opts criminal hackers, including” a group called Evil Corp., “enabling them to engage in disruptive ransomware attacks.” Treasury sanctioned Evil Corp. in late 2019.

JBS, world’s biggest meat supplier, says its systems are coming back online after cyberattack shut down plants in U.S.

Connections to the state come at different levels, Arena said. Once your identity is known to Russian law enforcement, you may get a knock at the door from the local police saying they know you are stealing money and want a cut, he said.

“It starts at that kind of level, up until the point where you have nation states leveraging cybercrime,” Arena said.

In an interview with the Russian OSINT blog posted June 4 on the Telegram messaging app, REvil said that another attack on the United States had been avoided “at all costs.” But the rule was lifted after U.S. officials became “outraged” at the ransom attack on JBS last month.

“We do not want to play politics, but since we are being drawn into it, it is good,” the ransomware group was quoted as saying. “Even if they pass a law prohibiting the ransom payments in the United States or put us on a terrorist list, this will not affect our work in any way.”

Morris reported from Berlin. Mary Ilyushina in Moscow contributed to this report.

Russian government hackers target civil society groups after compromising USAID email marketing account

U.S. government denies disrupting Russian ransomware ring that hacked Colonial Pipeline

Ransomware is a national security threat and a big business — and it’s wreaking havoc