
Analysis: Murkiness of Russia's ransomware role complicates Biden summit mission

Published 06/14/2021, 02:19 PM
Updated 06/14/2021, 05:41 PM
© Reuters. U.S. President Joe Biden listens during a plenary session at a NATO summit in Brussels, Belgium, June 14, 2021. Brendan Smialowski/Pool via REUTERS

By Joseph Menn

(Reuters) - As U.S. President Joe Biden prepares to confront Russian President Vladimir Putin over ransomware gangs in his country that twice recently targeted critical American infrastructure, his administration is publicly blaming the Russian government for allowing those criminals to profit without prosecution.

The FBI and private cybersecurity companies have not disclosed any evidence showing Russian government involvement in the ransomware attacks on U.S. fuel transporter Colonial Pipeline Co and meatpacker JBS SA (OTC:JBSAY) of Brazil. Putin has called the idea that Russia was responsible absurd.

But as the cyber operations of Russian intelligence agencies have evolved, it has become harder for the U.S. government to distinguish alleged Russian intelligence operatives from ordinary cyber criminals stealing secrets in ransomware forays and threatening to publish them, according to more than a dozen U.S. intelligence, national security and law enforcement officials and experts outside of government interviewed by Reuters.

"It's a combination of tasking and turning a blind eye, but there's always a plausible deniability," said cybercrime expert John Bennett of corporate risk consultancy Kroll.

As the top FBI agent in San Francisco, Bennett oversaw an investigation of a massive breach https://www.reuters.com/article/yahoo-hack-indictments-fsb-idINKBN16N0K4 of 500 million Yahoo email accounts that led to 2017 U.S. charges against two officers of Russia's FSB security agency accused of instructing outside criminal hackers. A Canadian defendant pleaded guilty to nine felony counts in the case, while charges against three Russians remain pending because they are outside of America's grasp.

The White House said Biden will bring up ransomware attacks emanating from Russia when he meets Putin in Geneva on Wednesday in the wake of forced shutdowns at Colonial Pipeline and meatpacker JBS, which has extensive U.S. operations.

Putin told Russian state television that Moscow would be willing to hand over cybercriminals to the United States if Washington reciprocates. Biden on Sunday called that statement a sign of progress. White House and State Department officials declined to elaborate or say what Biden would seek from Putin.

Russian officials have denied control of criminal groups while calling hackers whose activities fulfill Kremlin objectives "patriotic." In public statements and private forums, major criminal groups warn affiliates not to attack targets in Russia. Many ransomware programs will not execute on devices that have keyboards set for the Russian language.

In another U.S. criminal probe, Evgeniy Bogachev, a Russian national, was charged https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware in 2014 with running GameOver Zeus, a variant of sophisticated bank-fraud software, and distributing early ransomware called Cryptolocker.

Though it was not part of the indictment, GameOver Zeus' pattern of data collection - searching infected computers for banking passwords and phrases including "top secret" - indicated a relationship with Russian intelligence, according to senior U.S. Justice Department official John Carlin, who oversaw the case during the Obama administration.

Increasingly, ransomware has moved toward bigger targets and toward stealing secrets instead of just encrypting them inside the targets. Both trends could fit with Russian government goals, said analyst Craig Williams of Cisco Systems' Talos threat intelligence unit.

Evil Corp, a group that the U.S. Treasury has said is led by a Bogachev associate named Maksim Yakubets, became the first ransomware gang to focus on "big game" targets likely to pay more, said Adam Meyers, senior vice president of cybersecurity technology company CrowdStrike.

A 2019 U.S. Treasury Department sanctions order https://home.treasury.gov/news/press-releases/sm845 accused Yakubets both of carrying out large-scale crimes and taking FSB directions, "acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf."

Yakubets was indicted https://www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens in the United States in 2019 for alleged hacking, wire fraud and bank fraud. The United States has offered millions of dollars in reward money for information leading to the arrests of Bogachev and Yakubets and published photographs of them, but they have not been apprehended by Russian authorities.

Analysts told Reuters Yakubets is married to the daughter of a former senior FSB operative. Reuters was unable to reach either man for comment.

© Reuters. U.S. President Joe Biden attends a meeting with NATO Secretary General Jens Stoltenberg during a NATO summit, at the Alliance's headquarters in Brussels, Belgium, June 14, 2021. Stephanie Lecocq/Pool via REUTERS

Because the Treasury sanctions forbid U.S. ransomware targets from paying Evil Corp, the group keeps renaming its encryption software.

One of the new variants is called Hades, according to CrowdStrike https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker. As of March, the Hades variant had been found in multiple companies with more than $1 billion in annual revenue, according to incident responders at Accenture (NYSE:ACN) https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware, including in the transportation and manufacturing sectors.

Latest comments

1) the world giggled at Biden and the USA for this embarrassment. 2) “ransomware attacks were not Russian
Can I get an amen that frail Joe Biden is going to ******** this up with Russia. Putin like the rest of the world is going to laugh at him.
Amen