Dark Covenant: Connections Between the Russian State and Criminal Actors

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

This report examines the unspoken connections between the Russian Federation (in the form of Russian intelligence services or the Kremlin) and cybercriminals in Russia and Eastern Europe. Sources include the Recorded Future® Platform as well as other dark web and open sources. The report will be of interest to threat researchers, as well as law enforcement, government, and defense organizations.

Executive Summary

The intersection of individuals in the Russian cybercriminal world and officials in the Russian government, typically from the domestic law enforcement or intelligence services, is well established yet highly diffuse. The relationships in this ecosystem are based on spoken and unspoken agreements and comprise fluid associations.

Recorded Future identified 3 types of links between the Russian intelligence services and the Russian criminal underground based on historical activity and associations, as well as recent ransomware attacks: direct links, indirect affiliations, and tacit agreement.      

Even in cases with discernible, direct links between cybercriminal threat actors and the Russian state, indirect affiliations suggest collaboration, and a lack of meaningful punitive actions shows either a tolerance for, or tacit approval of, these efforts. This assessment takes into account that the Russian government possesses a robust surveillance apparatus and interfaces with cybercriminal elements and therefore has visibility into, if not control over, many of the resources used by these threat actors and can shut them down if they so desire.

Key Judgments

• Based on historical activity, it is highly likely that Russian intelligence services and law enforcement have a longstanding, tacit understanding with criminal threat actors; in some cases, it is almost certain that the intelligence services maintain an established and systematic relationship with criminal threat actors, either through association or recruitment.
• Precedent suggests that such activities and associations will almost certainly continue for the foreseeable future; however, these associations will likely adapt to provide greater plausible deniability and fewer overt, direct links between both groups.
• The open assertion made by US President Joe Biden that Russian cybercriminals are protected by the Russian government has placed Russian President Vladimir Putin on the defensive, forcing Russian domestic law enforcement to demonstrate that they are cracking down on ransomware operators.
• Following the disappearance of ransomware operators like REvil, we see other groups emerging in their stead and publicly committing to reforming their operations, including the refusal to attack critical infrastructure targets, which may be seen as a preliminary sign that the Biden administration’s ultimatum to Russia has been successful, but it is still too early to gauge how great its long-term effect will be.
• If the Biden administration can persuade the Kremlin that bringing cybercriminal activity under some form of control is in their best interest — by granting sanctions relief, increased collaboration, or economic agreements — these immediate reforms may be substantive and long-lasting.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.