Russian intelligence services worked with prominent ransomware gangs to compromise U.S. government and government-affiliated organizations, according to new research from cybersecurity firm Analyst1.
Two Russian intelligence agencies — the Federal Security Service, or FSB, and the Foreign Intelligence Service, or SVR — collaborated with individuals in “multiple cybercriminal organizations,” security analysts with the firm say in the report. The research indicates these cybercriminals helped Russian intelligence develop and deploy custom malware targeting American companies that serve U.S. military clients.
The hacking groups used a variation of the so-called Ryuk ransomware — used for attacks on large enterprises — called “Sidoh,” created specifically for espionage, according to Analyst1. The code was launched sometime between June 2019 and January 2020 and hid in the background of Windows machines, silently harvesting keystrokes and sensitive documents.
One attack described in the report was executed by a group dubbed EvilCorp in October 2020. Another group, known as SilverFish, targeted the same victim only two months later using the same technical infrastructure, hacking tools and malicious scripts. To hide their activity, the groups used a technique called “domain fronting,” in which command-and-control traffic is routed through a content delivery network so that it appears to be a connection to a legitimate, high-reputation website. They likely relied on Mimikatz, a long-established credential-theft tool, to harvest passwords and move between targeted systems, and distributed their malware using PowerShell, the scripting shell built into Windows.
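Domain fronting, mentioned above, works because the TLS handshake's Server Name Indication (SNI) names a reputable site hosted on a CDN while the HTTP Host header inside the encrypted session names the attacker's own CDN-hosted backend, which is what the CDN actually routes to. A proxy that terminates TLS sees both values, and a mismatch between them is the usual detection signal. The following is an added illustration of that check, not code from the Analyst1 report or from either group's tooling; the log format, hostnames and addresses are constructed for the example.

```python
"""Flag possible domain fronting in TLS-inspecting proxy logs.

Domain fronting hides command-and-control traffic behind a CDN: the TLS
ClientHello's SNI names a high-reputation site on the CDN, while the HTTP
Host header inside the tunnel names the attacker's CDN-hosted backend.
A proxy that decrypts the session logs both fields; this script compares
them. The log format and every hostname below are constructed.
"""
from dataclasses import dataclass

# Constructed sample lines: "timestamp client sni host_header bytes_out"
SAMPLE_LOG = """\
2020-10-03T14:02:11Z 10.1.4.22 cdn.example-news.com cdn.example-news.com 1820
2020-10-03T14:02:15Z 10.1.4.22 static.example-news.com static.example-news.com 40210
2020-10-03T14:03:40Z 10.1.4.22 cdn.example-news.com a7f3-update.example-cdn.net 512
2020-10-03T14:03:41Z 10.1.4.22 cdn.example-news.com a7f3-update.example-cdn.net 988340
2020-10-03T14:05:02Z 10.1.4.51 www.example-mail.com mail-api.example-mail.com 2211
"""


@dataclass(frozen=True)
class Finding:
    client: str
    sni: str
    host: str
    sessions: int
    bytes_out: int


def _registrable_parent(name: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for the constructed data;
    a real deployment should use a public-suffix list instead."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_fronted(sni: str, host: str) -> bool:
    """True when the Host header names a different registrable domain than
    the SNI. Sibling subdomains (www vs mail-api) are common and legitimate,
    so only a different parent domain is treated as a mismatch."""
    return _registrable_parent(sni) != _registrable_parent(host)


def find_fronting(log_text: str) -> list:
    """Aggregate mismatched sessions per (client, sni, host) so that repeated
    beacons and large uploads to one fronted backend stand out."""
    buckets = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, sni, host, nbytes = line.split()
        if not is_fronted(sni, host):
            continue
        key = (client, sni, host)
        sessions, total = buckets.get(key, (0, 0))
        buckets[key] = (sessions + 1, total + int(nbytes))
    return [Finding(c, s, h, n, b) for (c, s, h), (n, b) in buckets.items()]


if __name__ == "__main__":
    for f in find_fronting(SAMPLE_LOG):
        print(f"{f.client} SNI={f.sni} Host={f.host} "
              f"sessions={f.sessions} bytes_out={f.bytes_out}")
```

On the constructed log, only the 10.1.4.22 sessions whose SNI says cdn.example-news.com but whose Host header says a7f3-update.example-cdn.net are reported; the www/mail-api pair on 10.1.4.51 is ignored because both names share a registrable domain. Treat a hit as a triage signal rather than proof: shared CDN configurations can produce legitimate mismatches, and the check only works where the proxy decrypts TLS and logs the Host header.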
“We believe Sidoh was created specifically for data exfiltration,” said Jon DiMaggio, the report’s author and a lead researcher at Analyst1. “It crawls documents for specific keywords, like ‘weapon’ and ‘top secret,’ then quietly sends the info back to the attacker.”
A Russian government spokesperson did not immediately return a call for comment.
“Smoke, the smell of gunpowder and a bullet casing”
DiMaggio said his team used proprietary and open-source information to identify individual ransomware gang members with known ties to Russian intelligence services.
“We took a lot of data and hunted for new malware, analyzed it to see how it worked and what it did, and researched connections to the names and handles of the individuals and gangs, dark web and hacker forum activity,” he said.
The researchers then manually diagrammed connections between individuals, FBI and law enforcement records and high-profile cybercriminal groups.
According to Analyst1, most attacks were executed in several stages. The FSB “employed multiple individuals who conducted ransomware attacks and are affiliated with Russian-based criminal organizations,” the report states.
The attack itself bears the hallmarks of the SVR, a Russian intelligence service that specializes in surveillance and intelligence gathering. The organization avoids sabotaging its targets, and instead remains “hidden and present on the victim infrastructure,” DiMaggio said. “They monitor victims and share intel with other [intelligence] directorates, which is what we saw here.”
Analyst1 does not attribute the rise in organized criminal ransomware directly to Russian President Vladimir Putin or the Kremlin. But DiMaggio does “strongly believe” the Russian government colluded with cybercriminal gangs to spy on American defense targets.
“We have smoke, the smell of gunpowder and a bullet casing,” he said. “But we do not have the gun to link the activity to the Kremlin. We wanted to have that, but we believe after conducting extensive research we came as close as possible to proving it based on the information/evidence available today.”