For some time now, intelligence services in countries such as Russia, North Korea, and China have used ad hoc relationships with cybercrime groups inside their borders to insulate their organizations from the repercussions of their actions, but some recent successes by authorities in the United States and elsewhere have shown that even that tactic doesn’t put actors out of reach.
“One thing that we’re seeing is this blended threat between state actors and cyber criminals forming marriages of convenience. The intelligence services use those criminal groups for deniability,” said Deputy Attorney General Lisa Monaco during an online forum sponsored by The Washington Post Tuesday.
Those relationships aren’t necessarily formal or well-defined, but they can be quite important for both parties. Using cybercrime groups as fronts or cooperating partners in, say, a massive cryptocurrency theft, provides foreign intelligence services with a modicum of deniability while also allowing them to direct the operation and benefit from it. On the other side of the coin, the cybercrime groups get to do their thing with the blessing, whether tacit or explicit, of the national authorities in their country.
In general, most of these countries where this happens have less than zero interest in cooperating with Western authorities, so the cybercriminals essentially work with impunity. One of the few exceptions to this rule is the FSB’s arrest in 2022 of several members of the REvil ransomware gang, a group that was based in Russia. The group had become quite a nuisance, even to Russian authorities, and had drawn intense scrutiny from international law enforcement after conducting a number of high-profile intrusions, including attacks on software maker Kaseya and food producer JBS.
The REvil arrests came after months of pressure and lobbying from U.S. law enforcement and government officials, but at the time of the operation the REvil group had been inactive for some time. Still, the takedown showed the general approach that U.S. officials want to take in going after ransomware groups.
Monaco has led the effort by the Department of Justice in recent years to target cybercrime groups, and specifically ransomware gangs, by disrupting the payment and financial ecosystem that underpins the cybercrime operations. That effort has had some notable successes, reclaiming ransom payments in some high-profile cases such as the Colonial Pipeline attack, indicting alleged members of several ransomware groups, and distributing decryption keys to victims, obviating the need for them to pay ransoms. The Department of the Treasury also has sanctioned a number of foreign individuals and entities that have been involved in the processing of ransomware payments, preventing U.S. organizations and people from sending any payments to them.
It’s all part of a strategy to attack the roots of cybercrime and ransomware.
“We had to pivot to a focus on prevention and disruption, putting victims at the center of our approach. Yes, we want to continue to arrest and extradite those behind the keyboard, but also we are constantly looking for ways to disrupt the next attack. So we can go and claw back ransom payments. So we can get into and literally hack the hackers, and as we did with the Hive group, swipe those decryption keys and give them out to victims,” Monaco said.
The Hive ransomware takedown in January is one of the bigger successes of the Biden administration’s efforts, and involved authorities gaining access to the group’s backend control panel for several months. That access allowed them to find the decryption keys and distribute them to affected organizations.
While the successes have become more frequent in recent years, the threat from cybercrime and ransomware groups has in no way diminished. The risks for those groups are relatively low and the rewards can be astronomically high.
“We talk a lot about the APTs, we talk about Russia and China. Unfortunately, it's cybercrime that’s the threat that faces every single organization. If you're connected at all as an organization or individual, you’re on the playing field,” Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency and a partner at the Krebs Stamos Group, said during the online forum Tuesday.
“You’re an opportunistic target. The reason ransomware exists is threefold. We have vulnerable, misconfigured systems. The second is they have figured out how to monetize those vulnerabilities and extract value in the form of Bitcoins, and third generally they work from safe harbors like Russia. And until we address all three of those factors, cybercrime is here to stay.”