Russian intelligence officers collaborated with ransomware criminals in a bid to breach US government organizations, a new report from cybersecurity firm Analyst1 claims.
The report states that two specific Russian intelligence bureaus, the Federal Security Service (FSB) and Foreign Intelligence Service (SVR), colluded with individuals from "multiple cybercriminal organizations" to develop and utilize custom malware targeted at compromising the software of US government agencies as well as that of government-affiliated firms.
Harvesting sensitive US government documents
The hackers used an iteration of a ransomware called "Ryuk" to spy on large US government agencies, as well as government-affiliated corporations. The version of "Ryuk", called "Sidoh", was developed specifically to harvest keystrokes and documents for espionage purposes. It is believed that the "Sidoh" malware was deployed at some point between June 2019 and January 2020. "We believe Sidoh was created specifically for data exfiltration," Jon DiMaggio, the Analyst1 report's author, told CBS News in an interview. "It crawls documents for specific keywords, like 'weapon' and 'top secret,' then quietly sends the info back to the attacker."
To reach the report's findings, DiMaggio and a team combed the dark web, hacker forums, and FBI records to analyze the malware, as well as those connected to its development. "We took a lot of data and hunted for new malware, analyzed it to see how it worked and what it did, and researched connections to the names and handles of the individuals and gangs, dark web, and hacker forum activity," DiMaggio said. The results led them to focus on a set of known ransomware groups, including one dubbed EvilCorp and another called SilverFish. The Analyst1 team states that members of these groups have known ties to Russian intelligence services.
A smoking bullet casing
Ransomware is a type of malware designed to harvest files on a computer and encrypt them so they are no longer available to the original owner. Typically, ransomware attackers will seize a person's or organization's important or sensitive files and then demand a ransom in exchange for not releasing those files to the public. A recent high-profile example is the May cyber attack on the US Colonial Pipeline, which led to an entire fuel pipeline being shut down for days — Colonial Pipeline is believed to have paid the hackers responsible for the attack $5 million shortly after it took place.
In its report, Analyst1 states that it "strongly believes" the Russian government is involved in the "Sidoh" attacks on US organizations. DiMaggio stated that he and his research team discovered a figurative bullet casing surrounded by smoke and the smell of gunpowder. While he is almost certain that the Kremlin colluded with the cybercriminals — the attacks carried out using "Sidoh" bear all the hallmarks of a surveillance operation conducted by the SVR — he does concede that he and his team need the final bit of evidence to prove it conclusively.