Russian intelligence services are colluding with ransomware gangs, report

Russian intelligence services are collaborating with notorious ransomware groups in a bid to compromise US government affiliated organisations, a new research from cybersecurity firm Analyst1 has claimed.

The report states that two Russian intelligence bureaus – the Foreign Intelligence Service (SVR) and the Federal Security Service (FSB) – worked with individuals from multiple cybercrime gangs to create and use custom malware targeting the networks of US government agencies.

“Multiple individuals who conduct ransomware attacks and are affiliated with Russian-based criminal organisations do in fact have alliances with the Russian government,” the report says.

“The Russian Federal Security Service employed individuals responsible for running multiple criminal organisations. One group conducted ransomware attacks, while the other specialized in banking malware operations.”

The researchers say they found a variation of the Ryuk ransomware strain – called Sidoh – which was used by hackers to attack government-affiliated entities in the US.

The malware enabled cyber actors to harvest keystrokes and confidential documents for espionage purposes.

Sidoh malware was likely deployed at some point between June 2019 and January 2020, according to the report.

Jon DiMaggio, author of the Analyst1 report, told CBS News that Sidoh can hide itself in the background of Windows machines. It crawls documents for specific keywords such as ‘weapon’ and ‘top secret,’ before quietly sending the information to the hackers.

“Sidoh’s creators also purposed it to target financial institutions searching for SWIFT and IBAN-related data. This could indicate a desire to target financial institutions,” the report states.

In one specific attack, the members of the EvilCorp gang targeted a US-based organisation in October 2020, and just two months later, the same victim was targeted by another group known as SilverFish, using the same hacking tools, infrastructure and malicious scripts.

DiMaggio said his team used open-source and proprietary information to identify individual members of ransomware gangs with known ties to Russian intelligence services.

“We took a lot of data and hunted for new malware, analysed it to see how it worked and what it did, and researched connections to the names and handles of the individuals and gangs, dark web, and hacker forum activity,” DiMaggio said.

The report claims that the attacks conducted using Sidoh bear all the hallmarks of a cyber operation carried out by the SVR. The researchers strongly believe that the Russian government is involved in the Sidoh attacks, although requires more evidence to prove it conclusively.

The Russian government has long been accused of protecting cyber criminals based in the country, so long as they do not target Russian organisations.

In April, the US Treasury Department sanctioned six Russian technology firms for allegedly aiding government hackers engaged in “dangerous and disruptive cyber attacks”.

The Department said that those firms were developing infrastructure and tools, providing expertise, and carrying out malicious cyber activities on behalf of Kremlin Intelligence Services.

Last month, a joint advisory by the US security agencies warned that hackers with links to Unit 26165 of Russia’s GRU (military intelligence agency) were engaged in an ongoing global campaign that was targeting government entities, energy firms, media houses, think tanks and political parties in the US and Europe.

As part of the campaign, threat actors were observed trying to compromise passwords by repeatedly attempting different password combinations until they achieved access.