While the cybercrime tsunami is punishing, it’s far from inexorable. However, the foundations of the digital breakwater are futile without a commitment from countries where criminals concentrate.
Even though cybercrime is a global issue, Russia stands out from the crowd. From nation-state threat actors concocting complex supply chain attacks to prolific ransomware gangs, a wide variety of criminals can be found in Russia. Research shows that a staggering 74% of all ransomware revenue went to threat actors affiliated with the Kremlin last year.
While arrests of ransomware operators make the front pages from time to time, retired FBI Special Agent Darren Mott, who worked on cybercrime prevention with Russia’s Federal Security Service (FSB), thinks combating crime in a country that actively supports it is a gigantic task.
“Law enforcement in Russia doesn’t care about cybercrime. Some of the illegal activity supports national goals. Russia uses proxies within their criminal community to do some of their cyber nation-state-related activity,” Mott told Cybernews.
Mott’s two-decade experience shows that Russian law enforcement might even be in cahoots with cybercriminals. The bond is strengthened by a mutual interest in breaching organizations in the West. We sat down to discuss Russia’s cybercrime addiction and how political differences hinder operations even in less tumultuous times.
Canadian authorities recently arrested a supposedly high-ranking affiliate of the LockBit ransomware cartel. However, pundits say that individual arrests have little effect on the gang structure. Given your experience in the field, could you shed some light on what impact, if any, these arrests have?
The main impact it’ll have is a change in the groups, tools, techniques, and protocols. In other words, they’ll change the way they do their business. The group will not necessarily be impacted because they’re not just going to stop and be concerned about law enforcement. However, whatever this guy did incorrectly to allow identifying him, they will change it so that that attribution becomes even more challenging.
Following what you’re saying, don’t arrests like these hinder the further investigation of the group?
Oh, it absolutely does. It’ll make it very hard for law enforcement to continue doing that. You still have to try to arrest these guys when you can. But in my experience, every single time we indicted a Chinese cyber actor and an Iranian cyber actor, it had little impact on the groups themselves simply because they knew that the risk was still worth the reward.
Because if one person gets arrested, it will not change their methodology, because the group is still there. They’re going to continue what they’re doing, and they’re just going to make it harder for law enforcement to find the guys that are left afterward.
Don’t get me wrong, but that paints a bleak picture of combating cybercriminals. What’s the point of making the arrests at all?
Well, ideally, there are several reasons for doing it. Making the arrest public indicates the LockBit affiliate that Canadian authorities arrested was not willing to help them. Success in law enforcement comes if you arrest the guys in the group and convince them to work with you as confidential informants inside the group. Then you can lead yourself to other group members and take the group down.
Ultimately, the goal is to find one of these guys and flip them. Keep them engaged in the group so they can get more information on the group members, which will lead to the arrest of most of them.
There’s an anecdotal maxim that most ransomware operators come from outside the West. This would suggest it’s impossible to prevent cybercrime in countries like Russia. What’s your take on that? Do you think it’s possible to shut down ransomware without, let’s call it, ‘boots on the ground’?
Most ransomware groups are in Eastern Europe, primarily Russia and Russia-affiliated countries. And I’ve directly worked with Russian law enforcement myself. They are really not interested in assisting the West in prosecuting their criminals. The Russians will become interested if Russian criminals do ransomware against Russian assets.
I had that success when we had an actor engaged in a botnet ring. We gave the Russian FSB a disk with 400,000 compromised Russian IP addresses, and that guy got arrested. So, if you can find victims in their countries, then they’ll be interested. But from the West’s standpoint, chances are that they will not have a problem with the crimes committed.
But that doesn’t mean there aren’t other ways to disrupt their activity. They still require specific monetary financial technology resources that may be located in Western countries that you could then dismantle, take apart and gather for intelligence.
As you’ve said yourself, a lot of cybercrime comes from Russia. Why do you think that is?
Law enforcement in Russia doesn’t care about cybercrime. Some of the illegal activity supports national goals. Russia uses proxies within its criminal community to do some cyber nation-state-related activity. Be it political misinformation, hacking of companies, and things like that.
The reason that you see so many ransomware actors in Russia is that they were able to proliferate there. There indeed were ransomware actors in the US, but they are not allowed to proliferate because US laws are stricter. The victims come forward, and threat actors get arrested. However, if you hack the US with ransomware from Russia, Russia doesn’t care because the victims are in the US.
You touched a little bit on this earlier, but in the FBI, you’ve been responsible for building a working relationship with the FSB to combat the cyber threat collaboratively. Could you share how Russians approached the cybercrime problem and what has changed since then?
When I was working with the FSB, we tried to have some ‘give and take,’ where we knew threat actors operated from Russia. The main one we were looking at was the Russian Business Network (RBN). They were a big bulletproof hosting site in the mid-2000s that many cyber criminals were using. We had evidence about it, and we were working with the FSB, and they claimed to have identified the location where the RBN was hosting all of their infrastructure in St. Petersburg.
When we went there for a meeting, they were getting ready to do a takedown of the RBN. The Russians got there, and everything was gone. We thought they probably told the Russian Ministry of Internal Affairs (MVD) that this was happening and that we were interested in them. They probably worked together to get the RBN elsewhere.
However, we did have some success in cooperating. There were a couple of US cases in which the Russians actually arrested someone and gave us some restitution to Apple and American Express. Got a couple of thousand bucks back from this particular cyber actor. It was a minimal success, but it was a success, nonetheless.
But I think the relationship between the countries in 2007-2010 was different than it is now. It’s much more frigid now. There’s certainly not going to be any cooperation. The relationship that I had built up with the FBI and the FSB no longer exists in that same manner.
We met with them several times a year to come up with common ground from a cyber perspective. And it was always hard because they would contact us asking for information about Russian citizens in the US that were posting anti-Russian rhetoric on websites.
We had the same situation where the crime that the Russians were concerned about was not a crime in the US. When we go the other way, the crimes we’re worried about from a cyber perspective are not a crime in Russia because, as I assume, it’s not illegal to hack the US from Russia.
There were several large ransomware attacks against critical infrastructure in the US. Could attacks, such as against Colonial Pipeline, be a test of Western infrastructure?
There is this combination now of criminal and nation-state actors who use each other to further their own goals. With Colonial Pipeline, was it a test to see how the US would deal with some kind of critical infrastructure attack? Absolutely. Why would it not be? And by using a third-party, financially-oriented ransomware group, you isolate yourself from the US retaliating.