President Joe Biden says that while “we do not believe the Russian government was involved” in the ransomware attack on Colonial Pipeline, there is “strong reason to believe that the criminals who did the attack are living in Russia.” This coincides with reports that DarkSide advertised its ransomware-as-a-service business on Russian-language criminal forums to find partners and spared entities based in former Soviet countries by avoiding Russian-aligned languages. A spokesman for Russian President Vladimir Putin was quick to state that “Russia has nothing to do with these hacker attacks.”
Maybe so. But as a scholar of Russian cyber operations, I know Russia benefits politically from the chaos of this attack and Russia has the power and duty to do something about such attacks, even if the weapon is in someone else’s hands.
Geopolitical motivation
The Russian Federation’s 2015 National Security Strategy asserts that its “implementation of an independent” foreign policy “is giving rise to opposition from the United States and its allies.” In response, Russia has sought to weaken the West, in part by using cyber operations to diminish democracy and sow civil discord.
After the Colonial attack, DarkSide stated, “We are apolitical, we do not participate in geopolitics, [you] do not need to tie us with a defined government.” And yet the effects of the Colonial Pipeline shutdown did align with Russian objectives. The perceived shortage of gasoline on the East Coast caused chaos as panicked motorists rushed to fill up their vehicles. Skyrocketing prices for gasoline, which reached the highest levels in six and a half years, undermined confidence in the US government to deal with the situation.
State responsibility
Biden says that, regardless of whether or not it was involved in the Colonial Pipeline hack, Russia “has some responsibility” to deal with ransomware emanating from its soil. Based on a general international-law principle, legal experts argue that states “must exercise due diligence” to not allow their territory to be used for “cyber operations that affect the rights of, and produce serious adverse consequences for, other states.” Russia, in fact, has even joined other countries in submitting a resolution to the United Nations stating as much. If the Russian government knew the identity and location of DarkSide, or its affiliates, the Kremlin would have been obliged to take all feasible measures to put an end to the Colonial Pipeline operation.
The problem is that the Russian government actively protects hackers living within its borders, including suspects wanted by Western law enforcement and intelligence agencies. US authorities have arrested more than a dozen Russian hackers in various countries over the course of several years, prompting Moscow to accuse the United States of “hunting” Russian citizens across the world—a charge Washington denies. Russia has refused to support investigations or extraditions in such cases, either to protect its citizens from what it claims is unjust US prosecution or out of fear that such processes will reveal Russian state involvement in their crimes.
The Russian Foreign Ministry, for instance, claimed that the Czech Republic’s extradition of Yevgeny Nikulin to the United States was a “conscious, politically-motivated step” designed to undermine bilateral cooperation between Moscow and Prague. Last year, a US judge sentenced Nikulin to more than seven years in prison for hacking into three Silicon Valley tech companies. Filings in federal court during the Nikulin trial reveal how Russian intelligence uses criminal hackers. An indicted acquaintance of Nikulin named Nikita Kislitsin told FBI agents “how another Russian hacker” obtained “‘compromising information’ on unnamed individuals” for the Russian Federal Security Service (FSB), according to Radio Free Europe/Radio Liberty.
Direct benefit
Instead of turning over cybercriminals to face prosecution, the Russian government might even recruit them. As detailed in a 2017 US indictment, the FSB hired Aleksei Belan, who is on the FBI’s “Cyber Most Wanted” list, to hack Yahoo and steal a database for 500 million email accounts, including those of Russian journalists and government officials from the United States and Russia. The FSB also helped Belan avoid detection by giving him “sensitive FSB law enforcement and intelligence information,” according to the indictment.
US authorities allege in legal indictments and Treasury sanctions that Maksim Yakubets provides direct assistance to the FSB. Yakubets is the leader of the Russia-based cybercrime syndicate named Evil Corp, which has deployed Dridex malware to transfer more than $70 million from compromised bank accounts. Yakubets was tasked by the FSB to acquire “confidential documents through cyber-enabled means,” according to the US Treasury Department.
The Russian government could benefit from collaboration with other criminals who deliberately distribute ransomware in the United States. Just prior to the 2020 US presidential election, US Cyber Command took down the TrickBot infrastructure used for global ransomware attacks. Officials were concerned that the Russian-speaking group could use its surveillance capabilities to identify infected computers belonging to election officials. It would have been easy for the Russian government to contract with TrickBot to freeze US election systems.
Implicit encouragement
DarkSide lost access to its infrastructure a week after striking Colonial Pipeline, when its service provider took down its promotional site and payment server. Robert Lee, CEO of the security firm Dragos, wrote that “I sincerely hope the Infosec community and media don’t lose their mind over thinking DarkSide is actually shutting down when it’s almost certain a rebranding attempt to avoid the heat.” According to internal messages revealed by the New York Times, DarkSide is offering its tools for sale so others can relaunch the business.
Joseph Blount, the CEO of Colonial Pipeline, has stated that his decision to pay DarkSide a ransom of $4.4 million was the “right thing to do for the country.” But the payment, which came within hours of the ransomware attack, will embolden other cybercriminal groups to attack the energy and utility sectors, which are sensitive targets.
The Russian government’s tolerance of criminal hacking within its borders that targets foreigners guarantees a safe haven for more ransomware attacks. In not taking decisive action to stop harmful ransomware operations, such as arresting the actors and obtaining decryption tools, the Russian government appears to be at least encouraging such activity in order to weaken the West. The Colonial disruption won’t be the last.
Scott Jasper teaches at the Naval Postgraduate School and is the author of Russian Cyber Operations: Coding the Boundaries of Conflict. You can follow him @ScotJasper.