
Russian Intelligence Agencies Enrolled Ransomware Gangs To Attack US Government Agencies, Report Finds

Russian intelligence agencies worked with ransomware gangs to compromise various US government agencies, cybersecurity firm Analyst1 has found.

The firm’s “Nation-State Ransomware” report says that ransomware operators, acting as advanced persistent threat actors, helped the Russian intelligence agencies develop and deploy malware against US government targets.

The ransomware groups used a Ryuk ransomware variant called “Sidoh”, active between June 2019 and January 2020, to collect sensitive information.

The variant, which was also capable of targeting financial institutions, ran in the background on Windows hosts, logging keystrokes and searching documents for sensitive keywords.

The report also reveals the real identities of several individuals associated with the campaign, some of whom were indicted in the United States.

Russian intelligence agencies used ransomware gangs’ infrastructure

Analyst1’s researchers found cooperative efforts between two Russian intelligence agencies, the Federal Security Service (FSB) and the Foreign Intelligence Service (SVR), and ransomware gangs to compromise US government-affiliated organizations between October and December 2020.

According to Analyst1 security analyst Jon DiMaggio, the Russian intelligence agencies used the ransomware gangs’ cybercrime infrastructure to monitor victims and shared the resulting information with other directorates. According to the researchers, the attacks were carried out in stages.

The report highlighted an incident in October 2020 in which EvilCorp executed a ransomware attack on a victim, only for the SilverFish gang to compromise the same victim two months later.

The second intrusion reused the same infrastructure, hacking tools and malicious scripts, and relied on domain fronting to conceal the gang’s activity.

The report found that the ransomware gangs deployed the “Sidoh” malware variant that searches for keywords like “weapons” and “top secret” to identify sensitive documents and exfiltrate them to the command-and-control servers run by the ransomware gangs.

The Sidoh malware also searches for the words “document” and “Microsoft” in various directories, but does not search directory paths for any keywords. It also parses Windows event logs and transmits the collected data over FTP in cleartext, which makes it “noisy”: a network sensor can see both the upload commands and the file names without any decryption.
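The cleartext FTP exfiltration described above is the most practical detection opportunity the article gives. The following is an added example, not code from Analyst1’s report or from Sidoh itself: a small detector that reads FTP control-channel command records and flags internal hosts uploading files to external servers. The log format (one whitespace-separated record per line: timestamp, source IP, destination IP, command, argument), the RFC 1918 definition of “internal”, and the sample log lines are all assumptions constructed for the example.

```python
"""Flag cleartext FTP uploads from internal hosts to external servers.

Added example for this article; it is not code from Analyst1's report or
from Sidoh. The log format is assumed: one FTP control-channel command per
line, whitespace-separated, as a network sensor might record it:

    <epoch_ts> <src_ip> <dst_ip> <COMMAND> [argument]

Because the malware described above exfiltrates over FTP in cleartext, the
STOR/APPE commands and the file names travel unencrypted, so a sensor on
the wire can see them directly.
"""
import ipaddress
from collections import defaultdict

# FTP commands that write data to the server (uploads).
UPLOAD_COMMANDS = {"STOR", "APPE", "STOU"}

# Assumed address plan: RFC 1918 space is "internal", everything else external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_LOG = """\
1602547200.000 10.0.5.23 203.0.113.45 USER anonymous
1602547200.500 10.0.5.23 203.0.113.45 PASS x
1602547201.000 10.0.5.23 203.0.113.45 STOR docs_0001.dat
1602547202.000 10.0.5.23 203.0.113.45 STOR docs_0002.dat
1602547203.000 10.0.5.23 203.0.113.45 STOR keys_0001.dat
1602547210.000 10.0.5.88 10.0.0.10 STOR nightly_backup.tar
1602547211.000 10.0.5.90 198.51.100.7 RETR update.zip
malformed line that the parser must skip
"""


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log record into a dict, or return None for unparsable lines."""
    parts = line.split(None, 4)
    if len(parts) < 4:
        return None
    try:
        return {
            "ts": float(parts[0]),
            "src": ipaddress.ip_address(parts[1]),
            "dst": ipaddress.ip_address(parts[2]),
            "cmd": parts[3].upper(),
            "arg": parts[4] if len(parts) == 5 else "",
        }
    except ValueError:
        return None


def find_cleartext_uploads(log_text, min_uploads=1):
    """Return {(src, dst): [file names]} for internal hosts that upload files
    over cleartext FTP to external servers, keeping only pairs that reach
    min_uploads uploads (raise it to suppress one-off transfers)."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["cmd"] not in UPLOAD_COMMANDS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            uploads[(str(rec["src"]), str(rec["dst"]))].append(rec["arg"])
    return {pair: names for pair, names in uploads.items()
            if len(names) >= min_uploads}


if __name__ == "__main__":
    hits = find_cleartext_uploads(SAMPLE_LOG, min_uploads=2)
    for (src, dst), names in hits.items():
        print(f"{src} -> {dst}: {len(names)} cleartext FTP uploads: "
              f"{', '.join(names)}")
```

On the sample log only the internal host 10.0.5.23 is reported: its three STOR commands go to an external server, while the internal-to-internal backup upload and the external download (RETR) are ignored. In a real deployment the internal ranges, the command list, and the threshold would be tuned to the environment, and the same logic applies to any other cleartext file-transfer protocol a sensor can decode.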

Analyst1 researchers believe that Sidoh was not purpose-built for cyber espionage. They suggested that someone obtained the Ryuk source code and did a “terrible job of repurposing it as espionage malware.”

Russian intelligence agencies hired people to run cybercrime gangs

The report also found that the Russian Federal Security Service hired people to run multiple cybercrime gangs.

The research team used proprietary and open-source information to reveal the identities of ransomware gang members affiliated with the Russian intelligence agencies.

They searched for new malware, analyzed its signatures, and linked them to gang members’ online handles and hacker forum activity. They then mapped relationships between the individuals using FBI law enforcement records and the cybercrime groups’ profiles.

The report found that most members of the ransomware gangs resided in Eastern Europe, mostly Russia, Ukraine, and Moldova.

The individuals named include Evgeniy Bogachev, who allegedly developed the Zeus banking trojan and worked with other cybercrime gangs such as RockPhish and Avalanche before forming his own gang, “The Business Club.” Ukraine says that Bogachev works under the “supervision of a special unit of the FSB.” Believed to live in Anapa, Russia, Bogachev is alleged to have used online monikers including “Slavik”, “Lucky 12345” and “Monstr”. A 2009 criminal complaint filed in United States District Court in Nebraska referred to Bogachev while the FBI was still tracking him as “John Doe #1.”

Other suspected ransomware gang members allegedly working with Russian intelligence agencies include Maksim Yakubets, tracked by the FBI as “John Doe #2” and known by the online handle “aqua.”

Yakubets, Igor Turashev, and other cybercriminals who had worked with Bogachev formed another gang, known as EvilCorp, which uses the Bugat malware built from the Zeus source code. The group was responsible for high-profile attacks such as the Garmin ransomware attack, in which it demanded a $10 million ransom. The group also faced U.S. sanctions before operating under other names such as Wasted Locker and Babuk. The U.S. Treasury also designated Yakubets as an agent of the Russian FSB.

Ukrainian officials have arrested several members of the Russia-affiliated ransomware gangs, but those inside Russia are untouchable.

The report notes that despite indictments in the United States, “Russia had no interest” in cooperating with the US to apprehend the criminals.

The report could not, however, directly link the increased ransomware activity to the Kremlin or to Russian president Vladimir Putin with the currently available evidence.

“We have smoke, the smell of gunpowder, and a bullet casing,” DiMaggio said. “But we do not have the gun to link the activity to the Kremlin.”

“Despite President Biden’s meeting with Vladimir Putin attempting to subside the nations’ tensions with one another and reduce the organized cyberattacks upon the United States, Russia is clearly unabated and relentless,” said Richard Blech, CEO and founder of XSOC Corp. “While Putin may not be the party behind this organized crime, his country is saturated with malicious cyber groups who are relentless with their attacks on the United States cyberinfrastructure.”