Ce rapport examine les liens tacites entre la Fédération de Russie (sous la forme des services de renseignement russes ou du Kremlin) et les cybercriminels en Russie et en Europe de l'Est. Les sources comprennent notamment Plateforme d'® s Recorded Future ainsi que d'autres sources ouvertes et du dark web. Ce rapport intéressera les chercheurs en matière de menaces, ainsi que les organismes chargés de l'application de la loi, les gouvernements et les organismes de défense.

Executive Summary

The intersection of individuals in the Russian cybercriminal world and officials in the Russian government, typically from the domestic law enforcement or intelligence services, is well established yet highly diffuse. The relationships in this ecosystem are based on spoken and unspoken agreements and comprise fluid associations.

Recorded Future identified 3 types of links between the Russian intelligence services and the Russian criminal underground based on historical activity and associations, as well as recent ransomware attacks: direct links, indirect affiliations, and tacit agreement.

Even in cases with discernible, direct links between cybercriminal threat actors and the Russian state, indirect affiliations suggest collaboration, and a lack of meaningful punitive actions shows either a tolerance for, or tacit approval of, these efforts. This assessment takes into account that the Russian government possesses a robust surveillance apparatus and interfaces with cybercriminal elements and therefore has visibility into, if not control over, many of the resources used by these threat actors and can shut them down if they so desire.

Key Judgments

• Based on historical activity, it is highly likely that Russian intelligence services and law enforcement have a longstanding, tacit understanding with criminal threat actors; in some cases, it is almost certain that the intelligence services maintain an established and systematic relationship with criminal threat actors, either through association or recruitment.
• Precedent suggests that such activities and associations will almost certainly continue for the foreseeable future; however, these associations will likely adapt to provide greater plausible deniability and fewer overt, direct links between both groups.
• The open assertion made by US President Joe Biden that Russian cybercriminals are protected by the Russian government has placed Russian President Vladimir Putin on the defensive, forcing Russian domestic law enforcement to demonstrate that they are cracking down on ransomware operators.
• Following the disappearance of ransomware operators like REvil, we see other groups emerging in their stead and publicly committing to reforming their operations, including the refusal to attack critical infrastructure targets, which may be seen as a preliminary sign that the Biden administration’s ultimatum to Russia has been successful, but it is still too early to gauge how great its long-term effect will be.
• If the Biden administration can persuade the Kremlin that bringing cybercriminal activity under some form of control is in their best interest — by granting sanctions relief, increased collaboration, or economic agreements — these immediate reforms may be substantive and long-lasting.

Note de la rédaction : Cet article est un extrait d'un rapport complet. Pour lire l'analyse complète, click here to download the report as a PDF.