By Anastasia Sentsova and Yelisey Boguslavskiy
On January 1, 2021, the Russian authorities introduced a new law regulating cryptocurrencies. This law may be a manifestation of the Russian government’s desire to seek control over the DarkWeb markets and their ransomware sector, which became extremely prolific over the past two years. The criminal business that runs on cryptocurrency flows is likely to become more loyal to the government and, in turn, more destructive toward those who oppose the regime.
The new Russian crypto law requires all cryptocurrency holders including individuals, companies, and Russian authorities to report their crypto transactions and wallet balances if the transaction amounts exceed 600,000 Rubles (approximately $8,124 USD) in a calendar year. The law intends to prevent illegal cryptocurrency transactions and money laundering.
In reality, the crypto law might be part of Russia’s bigger Sovereign Internet plan and pursue hidden goals:
1) to monopolize the DarkWeb market, including the ransomware sector, by excluding competitors who interfere with government plans and take away profit.
2) to recruit new hackers to enlarge the cyber army and reinforce existing ransomware syndicates, including REvil, which can be utilized as an efficient APT group.
By establishing the crypto law, the Russian government built a legal base to take over ransomware “businesses”. Restricted in their cryptocurrency flows and obligated to report their balances, hackers will no longer be able to “legally” stay in the shade. The criminal enterprise might be taken away completely or, more likely, be obligated to cooperate with the government for its financial and national good.
Such a rearrangement of underground forces is likely to increase Russian state-sponsored cyber warfare, and thus bring an increase in cyber espionage and targeted ransomware attacks. Powered by a strong cyber army and large amounts of cryptocurrency, Russia will raise its ability to “eliminate” those who are at odds with the government's interests.
Image Source: www.bitbank.one
Starting January 1, 2021, according to the newly established crypto law, all cryptocurrency holders including individuals, companies, and government officials are obligated to report their crypto transactions and wallet balances to tax authorities if the transaction amounts exceed 600,000 Rubles (approximately $8,000 USD) in a calendar year. DFAs (digital financial assets) can be sold, purchased, exchanged, and pledged but cannot be used as a means of payment. The deadline to report is set to be April 30, 2022. Failing to report twice in three years or providing inaccurate information will result in monetary fines, forced labor, and imprisonment.
Regulation of cryptocurrency is not something new and unusual for Russia. Technological development brought many opportunities, but also set the stage for new kinds of war fought with seemingly invisible but powerful weapons. Many of these weapons are not controlled or regulated by states, as they exist in the cybercrime domain, which has its own politics and economy. As a result, nation-states are trying to gain higher authority, control, and surveillance over this nascent domain.
Russia is not an exception. For years, the Russian government has been calling for the creation of a Sovereign Internet - a so-called “RuNet” which will be hosted on domestic infrastructure and consist of networks and systems located on Russian territory.
For Russia, this issue of centralization of government authority over the digital space has been a highly political matter. The Internet and digital spaces were actively used by political groups, including non-state and anti-state actors. For instance, the anti-corruption platform of one of the leaders of the Russian opposition - Alexey Navalny - was prioritizing cyberspace specifically. Navalny was able to win over a part of the electorate through his investigations denouncing the corruption of government officials and their pro-regime allies, published via YouTube, Telegram, social media, and other digital platforms.
The timing of the crypto regulation laws discussed in this research and a new attempt to establish control over the digital space is not coincidental. Currently, the Kremlin faces a new round of exacerbation of its relationship with the Russian opposition: primarily Navalny, whose detainment on January 20, 2021, led to massive protests that are currently ongoing. Advancing the regime’s ground and establishing control over the digital space can help the Kremlin to turn this space against the internal opposition. However, as illustrated by the Kremlin’s strategies in 2012 and 2016, the tools which the Russian government tests and calibrates in this domestic fight for cyberspace can be used against the international competitors of Russia as well.
If successfully developed, the state-controlled and technologically independent RuNet - an infrastructure initially imagined for inhibiting the opposition - can likely change the geopolitical balance of power, create a competitive advantage for Russia in possible future state-to-state conflicts, and even provoke a bigger cyber arms race. While using its own independent network closed off from the rest of the world, Russia will still have access to the global Internet and its critical information infrastructure. The dominance of its own digital grounds gives the regime the capability to successfully develop and implement a range of tools equally efficiently against domestic opponents and geopolitical competitors.
And what could be the most effective tools that the regime may add to its cyber arsenal while unifying the Russian-speaking cyberspace? The emergence of the “ransomware pandemic” during 2019 and 2020 suggests an obvious answer.
The year 2020 was swept by a destructive wave of ransomware attacks, with an observed shift of cybercriminals' focus towards commercial and public sector companies. A high number of Russian-speaking ransomware syndicates were identified as being responsible for numerous ransomware attacks resulting in significant financial losses. Moreover, a new trend evolved - the participation in the ransomware "business" of Russian-speaking groups engaging in cyber espionage. In 2019, one of the biggest ransomware syndicates, REvil, added a new technique to their extortionist arsenal: they exfiltrated victims' data before encrypting it, and threatened to publish this data if the ransom was not paid. It took REvil less than a year to begin using these tactics against political entities - including the former US President Donald Trump.
Can the Russian government harness the increasing power of this potential ally? Possibly not voluntarily - REvil (the physical location of the group is still questionable), as well as their cybercrime colleagues, claim that they are apolitical in nature and aim only for profits. But what if these profits were threatened, such as with extended regulation of the cryptocurrencies in which ransoms are paid? By adding a single law, the Russian state can flip the board of threat actor motivations. Now, if a syndicate accepts the ransom in cryptocurrency and this ransom is bigger than a symbolic number of $8,124 USD a year, this syndicate is essentially challenging the Russian state. The ransom business suddenly becomes political, whether the syndicates want it to be or not - and this adds an entirely new layer to the “cryptolocker pandemic” which, until now, was explicitly about money. By enforcing the crypto law, the Russian government builds the legal base for taking over the power and establishing total control over the DarkWeb market, including the ransomware sector.
Restricted in their cryptocurrency flows and obligated to report their balances, ransomware operators will no longer be able to “legally” stay in the shade. The criminal cyber business might be taken away completely or, more likely, be obligated to cooperate with the government for its financial and economic good. For instance, the REvil ransomware syndicate might be the one that was already recruited by the Russian government during one of its hunting operations. However, before diving into an analysis of REvil recruitment, let’s take a look at the core of the underground community.
The Hidden Allies - A Peculiar Relationship Between the Russian State & the DarkWeb
In December 2019, AdvIntel published observations regarding DarkWeb and political cyberattacks. We identified that when it comes to the Russian-speaking DarkWeb, almost any for-profit service can be utilized for the needs of political or geopolitical operations. This results from a complicated relationship between the Russian-speaking cyber underground and the Russian state.
In the ever-continuing great power struggle, Russia broke world records countless times. In the summer of 2019, Russia became the world leader in the number of Tor browser users, overtaking Iran and the United States. On July 11, 2019, about 600,000 Russians entered Tor, which is twice as many as previously recorded. Many of these users fall into various categories like hackers, carders, and drug dealers who operate in more than 2,500 shops. Such a number demonstrates not only high interest from regular users but also the amount of criminal activity within the Russian DarkWeb sector.
This underground community started to form in the late ‘80s. Most of the hackers who operate today were born in the Soviet Union and appeared on the cybercrime stage at the beginning of the ‘90s. These individuals were simultaneously empowered by one of the world's strongest schools of Soviet mathematics but faced dire social, economic, and political instability, so naturally, they joined the cybercrime community. Quite soon, this community attracted the attention of the government’s security apparatus. This resulted in a long and complicated relationship between the state and the DarkWeb in which the primary paradigm was set through the following rule - as long as the Russian-speaking threat actors target Russia’s foreign adversaries, the government ignores their criminal activity.
This bizarre relationship started with the massive spike of carding activities against US and EU targets in the early 2000s. DarkWeb marketplaces operated by selling drugs, guns, fake documents, and other prohibited goods and services. In the late 2000s, botnets developed by Russian speakers and citizens of the CIS (the Commonwealth of Independent States) advanced the development of cybercrime even further. And, in 2019, ransomware syndicates joined the elite club of cyber threats originating from this region. Today, the Russian-speaking segment of the DarkWeb has grown to nearly 40% of the global market share.
The DarkWeb offers unique capabilities and opportunities for the Russian state intelligence as it spreads beyond Russian jurisdictions. This space exists beyond borders and relies only on skills and the shared language - Russian. These individuals can operate from Israel, Turkey, Iran, Azerbaijan, Poland, Hungary, Bulgaria, China, Korea, Thailand, USA, Canada, UK, Netherlands, Greece, Italy, Kazakhstan, Belarus, Finland, and Sweden.
Moreover, secretly using the services of the members of this community can be more secure and easy to conceal. Russian threat actors mostly communicate through private messages. Discussions of deals or other related information are usually conducted through Jabber or Telegram, as well as in exclusive forums. This way the risks of attribution and discovery of a deal between the state and for-profit hackers are minimized.
As a result, each major addition to the DarkWeb domain naturally attracts the attention of the state. This was seen in the cases of high-profile Russian carders like Vladislav Khorokhorin or Alexey Burkov. Russia initiated a harsh diplomatic and legal fight in order to prevent these individuals from being imprisoned in the US, despite the non-diplomatic and nonpolitical nature of their crimes. When Russian-developed botnets began to proliferate, certain DarkWeb forums and Telegram channels held discussions where they speculated that Evgeniy Bogachev - the creator of GameOver Zeus - works for the Russian government. According to them, Bogachev was the main IT organizer of a pro-regime financial transfer network. This network was allegedly involved in the massive money transfers sent to pro-government groups established by the Kremlin during 2011-2012 in order to counterbalance the mass protest movement originating after the 2011 election falsifications.
The ransomware market was the most recent addition to the DarkWeb ecosystem, and it may be only a matter of time until the state intelligence starts perceiving it as its new strategic frontier.
The Unconquered Domain - Russian State & the Ransomware Market
The Russian-speaking syndicates are clearly dominating the ransomware market these days. REvil, Ryuk, Egregor, Nephilim, and numerous others are estimated to be the major force behind today’s ransomware operations.
There is only one rule which defines this completely chaotic space, controlled neither by legal nor by ethical means. This main rule is to not attack the CIS countries - Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, and, of course, Russia. Russian authorities conduct arrests of those who break this rule on a daily basis, but at the same time turn a blind eye to those attacking foreign entities (especially the United States and Western Europe).
Operationally and economically, the market operates on cryptocurrencies. Ukraine and Russia currently have the highest cryptocurrency adoption index, indicating high streams of cryptocurrency inside these countries. A large part of this crypto flow is connected to the ransomware market and consists of large amounts of ransoms obtained from victims. By exploiting vulnerabilities in the victim’s network, then exfiltrating its data and locking it up, ransomware operators demand tens of millions of USD for the decryption key on a weekly basis.
Ransomware Deployment Scheme
(Image Source: AdvIntel)
As a result of the new law, the ransomware sector can face a radical shift. The law may become a game-changer by building a legal ground for auditing, disrupting, and inhibiting the main financial artery of the ransomware blood flow. By implementing the crypto law, Russian authorities are providing themselves with the legal base to hunt down ransomware operators and force them into recruitment and allegiance, monopolizing this market.
It also became known that on February 2, 2021, the Russian digital regulatory agency Roskomnadzor blocked xabber[.]com, registered in Estonia and belonging to the Redsolition OÜ company. Xabber (widely called Jabber) is an anonymized messenger that is actively being used by ransomware operators for communication purposes. According to Roskomnadzor, Xabber failed to comply with Russian government regulations and refused to register in the ORI list (register of information dissemination organizers), which requires its members to provide access to users’ data. Ransomware operators still might find different means of communication; however, this step taken by the government once again indicates its seriousness about establishing control over shadow parts of the Internet.
“Ransom Bear” - REvil-as-a-New-APT28/9 Scenario Analysis
This scenario analysis is meant to illustrate what the potential consequences of the crypto law implementation, and of the subsequent pressure on ransomware syndicates to ally with the government, could be.
REvil is chosen as a case study for this research and as a feasible recruit for Russian offensive operations for several reasons.
First - it is one of the most prolific and effective syndicates of our time.
Second - while being a ransomware gang, it is also a well-established collective of elite cyberspies. Emerging in the first half of May 2019, REvil started to quickly recruit a handful of affiliates to run their criminal machine.
Very soon, REvil established itself as one of the most dangerous and prolific ransomware syndicates, as their affiliate model attracted elite actors. This group of elite affiliates consisted of sophisticated network intruders - individuals who knew how to silently hide within the target’s environment. With elite affiliates on board, REvil suddenly started to operate in an APT-style manner. High-profile targets were taken down in well-thought-out, well-planned, secretive operations in which stealing sensitive information was the main objective of the attack.
Such a strategy became REvil’s signature craft when the syndicate started to rely entirely on ransomhack attacks. In this attack, a threat actor steals sensitive information and blackmails the victim by threatening to share it online if the ransom is not paid.
REvil’s network of DarkWeb affiliates includes individuals who are ideal for state-sponsored cyber attacks. These elite actors employed by the syndicate are able to perform secretive espionage operations and hit targets within the energy and other critical infrastructure industries.
(Source: AdvIntel Research Blog)
Third - REvil victimology seems especially appealing for the purposes of offensive geopolitical operations. With their elite team, REvil used various techniques to distribute ransomware through unprotected RDP configurations, phishing emails, spoof downloads, exploits, malicious ads, web injections, fake updates, and infected installers. Many of their victims were political targets. The syndicate gained its initial fame in August 2019 by disrupting the work of 23 Texas local government units, or in other words, hitting an important US national security target.
Moreover, REvil themselves identify geopolitical or national-security related institutions as their priority targets. In an interview given on October 23, 2020, “Unknown” - the group’s representative - claimed that the syndicate’s top three achievements were Travelex (January 2020), Grubman Shire Meiselas & Sacks (May 2020), and 23 Texas Municipalities (August 2019). It is noteworthy that Grubman Shire Meiselas & Sacks was a political case, as REvil demanded a ransom for not exposing documents related to President Donald Trump. In this sense, three out of three of REvil’s cases are political. In the same interview, “Unknown” named the agricultural industry as their next target sector. This sector is a top national security priority, especially during the pandemic. AdvIntel has identified that the syndicate indeed aims at this sector and is increasing the number of attacks against it.
The account of REvil’s representative “Unknown” shows a large BTC deposit which they paid to prove the syndicate's credibility
It is noteworthy that in summer 2020, we had already observed Belarus - Russia’s ally - cracking down on its ransomware groups in times of domestic political conflict. In July 2020, it became known that one of the GandCrab affiliates, a 31-year-old man, was arrested in Belarus (the exact date of arrest is unknown) by Department "K" of the Ministry of Internal Affairs. The arrested member of GandCrab was an affiliate of the syndicate and was responsible for distributing ransomware. Due to the close relationship of Russia and Belarus, the two countries might have combined their resources to arrest him.
Timeline of GandCrab retirement and regrouping to REvil
This story is particularly interesting as REvil originated as a continuation of GandCrab after the latter’s retirement - and the gangs may have the same affiliates in their ranks. Moreover, the arrest occurred at a point when REvil started to engage in political activities by blackmailing Donald Trump (for more information on this matter, please read).
It may be possible that the Trump blackmail case and the branding of REvil as a terrorist organization in May 2020, brought them to the attention of the regional intelligence and security leaders. It may be even possible that the GandCrab-affiliate arrest was an act of intimidation, however, we currently do not have enough evidence to develop this hypothesis.
As of today, REvil publicly denies all allegations of cooperation with the Russian government, claiming the syndicate to be absolutely apolitical and entirely financially motivated. However, with the new crypto law, it can naturally fit into the current infrastructure of Russian state-backed cyber operations - as a group that is capable of secretive espionage attacks against highly political targets and as a group that can efficiently target the critical infrastructure of Russia's geopolitical adversaries.
There are at least five major avenues of offensive political operations through which REvil can utilize its capabilities in order to advance Russian geopolitical interests:
Cyber espionage. As a group that perfected the art of ransomhack, REvil is used to silently enter a network, investigate it, identify the most important information, and exfiltrate it. The syndicate’s proven experience in hitting healthcare and research centers may become especially relevant in operations related to obtaining research and development data regarding COVID-19 research.
Political Delegitimization. REvil has experience in identifying politically and reputationally damaging information and publishing it. This tactic is common for the Russian cyber offense, as demonstrated by the 2016 Podesta emails leak.
Disrupting Critical Infrastructure. REvil has proven experience in shutting down essential nodes, including hospitals, governments, and production lines. This is in line with some of the previous cases of Russian state-backed actors successfully targeting infrastructural centers in Ukraine and abroad.
Financial Damages. The use of cyberattacks to inflict financial and economic damages against a geopolitical adversary has been an established practice of state-backed hacker groups. North Korea, for instance, uses state hackers to obtain additional funds and sabotage the international sanctions.
Blackmail. Finally, blackmail is an efficient political tool that the syndicate has been actively using.
REvil’s experience and strategic approaches naturally fit in the current infrastructure of the Russian state-backed cyber operations
U.S. National Security Comment: (By Brandon Rudisell - U.S. Navy Intelligence veteran, M.S. in Criminal Justice Advanced Counterterrorism)
According to U.S. government national intelligence strategy reports and other federal agency reports, one of the leading threats to the U.S. government is cyber-related threats from state and non-state actors. The Russian government in particular has been singled out as one of the leading threats from a non-state actor standpoint. Recent social engineering campaigns that were conducted to influence U.S. elections, suspected to be operated by the Russian government or by their affiliated groups, highlight recent malicious cyber threat activity being conducted against the U.S. government and their citizens by a foreign government.
APT groups, both affiliated and unaffiliated, have long been an essential tool utilized by foreign governments to conduct cyber operations against unprepared governments and businesses in the private sector. The Russian government implemented a new crypto law that allows them to monitor the way top tier ransomware groups have been receiving their monetary compensation from their ransomware victims, enabling them to consolidate and control these APT groups not originally under their control.
REvil is a sophisticated group that has proven its ability by already targeting local governments in the U.S., along with a variety of businesses. REvil's willingness to already perform attacks that have political connotations could make the transition to being affiliated with the Russian government seamless, and it is probable they could increasingly conduct politically motivated attacks over the long term due to the possible affiliation.
Crypto Regulations: Outcomes & Ripple Effects
REvil, despite all of its significance, is only one syndicate that may be affected by the new law. Such a rearrangement of underground forces might potentially create a major shift which may manifest itself in two significant changes:
1) A large concentration of cryptocurrency in the hands of the Russian government
In accordance with the law, legal entities and individuals are not entitled to accept digital currency as a counter-provision for transferred goods or services, or as payment to others in a way that contradicts the non-recognition of cryptocurrency as a means of payment, which significantly restricts its use in Russia. It means the ransomware sector, which depends on cryptocurrency flows, no longer has a legal base to run its “business”. Pressured by the harsher framework, ransomware syndicates will be obligated either to share a segment of the profit or to work under the government’s watch.
Taking over the market may result in the Russian government concentrating large amounts of cryptocurrency in its hands. These funds can be used for raising a cyber force in support of national interests and to target geopolitical rivals. Cryptocurrency might be spent on various illicit activities such as social media campaigns and high-stakes bribes.
Image Source: AdvIntel
2) An increase in Russian state-sponsored cyber-warfare
As a result of enforcing the crypto law, a high influx of additional crypto funds, and an enlargement of the cyber army through the recruitment of new hackers, we might see an increase in cybercrime activity towards foreign entities. The main objective of attacks will still be to conduct cyber espionage, sabotage, and targeted ransomware attacks, and to seek additional funding through ransom payments. The more the sector grows, the more power it will obtain to “eliminate” entities that are at odds with the government's geopolitical and business interests.
The main areas of interest for cyber espionage continue to be the energy sector, commercial sector, government sector, defense infrastructure, air force infrastructure, nuclear industries, and, since 2020, healthcare research. Targeted ransomware attacks on critical infrastructure, on the other hand, might have more devastating outcomes than espionage alone. Gaining a foothold in the network of desired targets through supply chain attacks against third-party vendors might result in massive business disruption, or in a worst-case scenario, human casualties.
Cyber warfare has existed for a long time and has appeared in various forms. Today's cyber offense operations rely on cutting-edge technologies and provide nations with enormous capabilities due to the interconnectivity of the world. Russia has quickly adapted to meet technological challenges and uses them to fuel its cyber espionage regime. Actors that emerged with a political agenda and ideology in support of malicious intentions became a dangerous weapon in the hands of those who hold it. Ransomware may become a game-changer in the ongoing spyware race. Today, it proves itself as one of the best spying tools to gain intelligence on a corporate enemy. Tomorrow, however, this may be a tool to hit geopolitical adversaries with a high return on resource investment.
The ransomware sector is without a doubt a new battlefield that should be closely monitored to avoid the destructive damage it might cause. Russia is aiming to become one of the main players in the ransomware market and its presence is expected to grow even more in the next few years. Russian hackers are vital assets for the government, filling the ranks of invisible spies who serve its needs. By enforcing new crypto laws and other regulations, Russian authorities leave almost no choice for tech talents but to cooperate with the government.
Anastasia Sentsova investigates cybercrime at Advanced Intelligence, LLC, with a specific focus on the Eurasian Region's state and non-state threat actor groups. She recently graduated from Zicklin School of Business, Baruch College with a Bachelor's Degree in Computer Information Systems and a minor in communication studies. Anastasia became interested in cybersecurity in school and is currently pursuing her career in the field. With a background in journalism and strong intercultural communication skills, she is eager to contribute to the field and to the establishment of a more secure future.
Yelisey Boguslavskiy currently oversees AdvIntel's research and investigative and security operations. He leads AdvIntel's Security & Development Team, conducting advanced HUMINT and SIGINT investigations into cyber fraud, ransomware, APT threats, political manipulation, and violent extremist propaganda conducted through digital infrastructure. Yelisey is an author of "Security Pragmatism: The Peripheral Alliance" – a non-fiction monograph that follows 30 years of security and intelligence cooperation between Turkey, Iran, and Israel from 1947 to 1977 and beyond. Prior to Advanced Intelligence LLC, Yelisey worked as an investigator in the business intelligence community, including Kroll, a division of Duff & Phelps. He holds an M.A. degree in Security Policy Studies from the Elliott School of International Affairs of the George Washington University.