STOLYPIN: Putin’s cybercrime challenge

The US has been hit by a wave of ransomware attacks that came from Russia and US president Joe Biden is holding Vladimir Putin responsible.
By Mark Galeotti, director of the consultancy Mayak Intelligence and also an honorary professor at UCL School of Slavonic & East European Studies, July 12, 2021

Following recent cases of Russian-linked cyberespionage and ransomware attacks, President Joe Biden has cranked up the pressure on Vladimir Putin to act. Despite easy stereotypes that the Kremlin is behind, or at least passively sanctions, every act of Russian cybercrime, though, this is actually a thorny problem for the Russian government. It is not just how far it really can police its own online space, but also whether it is willing to give up on its use of ‘patriotic hackers’ as a deniable tool of political war.

When the two presidents met in Geneva, matters cyber were high on the agenda. The Russians have long been pushing for a comprehensive cybersecurity treaty, and while this would not be a bad thing, it would take years to conclude. It is hard not to see this as a gambit by Russia at once to present itself as a ‘good guy’ and world leader, to make sure it can control or influence the terms of any international accord, and to lobby to sanctify its claims to ‘sovereign internet’ – that every country ought to be able to control what is available online within its borders. The Kremlin, after all, is more concerned with information and agitation from abroad than hacks.

The Americans had a much more immediate and pragmatic set of concerns. Biden and the Democrat Party are still angry at the interference in the 2016 elections that many believe (in defiance of most evidence, it has to be said) handed the presidency to Trump. More immediately, US corporations and the country’s online infrastructure are being battered by a series of ransomware attacks, of which Russians are deemed the most serious practitioners, and the extremely sophisticated SolarWinds hack in 2020 had also just opened up numerous government departments to Russian cyberespionage.

So Biden was there to communicate a simple message: back off. He expected Putin to act more decisively against Russian hackers targeting the United States and even handed over a list of 16 critical infrastructure targets to be considered off limits (presumably not so much particular companies or agencies as the 16 sectors identified as ‘so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof’ by CISA, the Cybersecurity and Infrastructure Security Agency). He warned that attacks on them would lead to direct and indirect retaliation, but also implied that progress on this would unlock opportunities for greater cooperation.

Overall, Biden’s approach is pragmatic, and Moscow appreciated that behind-the-scenes threats were matched with warm public words about Russian-US relations. The main value of the summit was in unlocking the door to, at the very least, talks about talks between experts on both sides, but this ought not to be underestimated.

Cyberattacks vs cyberespionage

However, since then two high-profile incidents have again raised the stakes on cybersecurity and its role in US-Russian relations. The first is the $70mn ransomware attack on IT service provider Kaseya, claimed by REvil, a group believed to be based in Russia. The second is the hacking of a contractor for the Republican National Committee, which has been blamed on the group known as APT 29, or Cozy Bear, the cyberespionage arm of Russia’s Foreign Intelligence Service (SVR), and the unit behind the SolarWinds hack.

The first problem for the Kremlin is essentially political. In the current fervid atmosphere, genuine ‘cyberattacks’ are being conflated with intelligence-collection operations. The first cause or threaten actual damage: the ransomware criminals, for example, block access to critical data and systems to extort money. The second are just a question of intrusion. The RNC hack, like the much more serious SolarWinds one before it, may be embarrassing, especially for third-party commercial providers, but they are within what one could call the ‘etiquette’ of international espionage. If one looks at the 2016 US elections case, for example, the initial penetration of Democrat servers by GRU (military intelligence) Unit 26165 was simply a cyberespionage operation. At the point when someone decided to bring about a direct effect, by leaking selected emails, it became a cyberattack.

The blunt truth of the matter is that, unless they have a treaty explicitly barring it (and not always even then), everyone spies on everyone else. If the US National Security Agency believed that there was potentially valuable political intelligence to be acquired by breaking into United Russia’s mailboxes, it no doubt would. Just as human intelligence case officers, typically working under diplomatic cover, are occasionally expelled when their activities become especially irksome or visible, so too there will be some inevitable breast-beating when cyber intrusions come to light. They are, however, part of the game of international relations.

Cyberattacks are rather different. The Russian government has been implicated in them, especially as part of coordinated political and even political-military campaigns, from the mass DDoS assault on Estonian government systems in 2007 to the 2017 NotPetya attacks on Ukraine that hit everything from the power grid to telecoms. However, these recent ransomware attacks are criminal operations to make a quick and dirty profit, with no evidence of any direct or indirect government role. The trouble is that, not least as a result of known connections between the Russian intelligence agencies and organised crime, as well as the environment created by previous incidents, in political terms it may not matter: the Kremlin will be regarded as responsible either way.

Can the Kremlin control the hackers?

This is both fair and not. On the one hand, as mentioned, the state has certainly shown itself willing to cut deals with organised crime groups, including hacker collectives. Sometimes, this is a question of corrupt collusion: individuals getting a cut or a fee in return for turning a blind eye. However, it has also been, especially since 2014, the result of deliberate policy, of co-opting ‘patriotic criminals’ – who may well not be that patriotic, but are either paid for their services or given little alternative – as deniable assets when state resources are over-stretched or a particular skill or service is required.

Thus, for example, a contract killer appears to have been engaged by the FSB to murder Georgian Chechen Zelimkhan Khangoshvili in Berlin in 2019, just as other gangsters have been used to kill Chechens in Turkey. Indeed, the FSB appears to be the most frequent such consumer of criminal services, not least in recruiting known hackers into its Information Security Centre (TsIB), the service’s main cyberintelligence unit.

At the same time, there is a burgeoning domestic cybersecurity problem. In the past, there was a tacit understanding that hackers who confined themselves to attacking foreigners would not be pursued, but the rise in online banking, trading and services in Russia has created lucrative new opportunities for both local and foreign criminals. In 2020, Prosecutor General Igor Krasnov reported a 25-fold increase in crimes committed against Russian businesses and government sites over the preceding five years, and this year it was admitted that no more than one in four were ever solved.

The trouble is that while both law enforcement and business lobbies regard this as a serious problem, policy is largely being driven by the security community. They either regard it as part of the price for having a source of ‘patriotic hackers’ or else as actually being driven by foreign states. Security Council Secretary Nikolai Patrushev, for example, has pointedly claimed that most attacks on Russian systems come from abroad, although this is quietly disputed by many Russian information security professionals.

Of course, if Putin decided that an example had to be made, there is little doubt that the FSB would be able to collar members of REvil, for example, but this would likely be just a one-off demonstrative act. Just as Western law enforcement finds it difficult to respond to the growing challenge of organised crime that can be conducted remotely, by people who may never even meet each other in the real world, so too we should not minimise the real challenges faced by the Russians.

In any case, the Kremlin continues to demand that the West make specific appeals to the FSB if it wants assistance, rather than launching any comprehensive campaign against the hackers. It puts the desire for a symbolic supplication from the FBI over improving relations – or simply tackling a growing threat also to its own business sector.

Whether it is because of state collusion, corruption, a lack of law enforcement capacity, or simply lack of interest, Russia still seems both unable and unwilling to take its hackers seriously. In his recent call to Putin, though, ‘President Biden underscored the need for Russia to take action to disrupt ransomware groups operating in Russia’ and warned that ‘the United States will take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge.’ If the USA does decide to go directly after the hackers with its own cyber capacities, it is hard not to believe that the security hawks would consider this unacceptable interference in Russian affairs. That, in turn, may poison the new relationship that emerged in Geneva.

Whether he realises it or not, Putin is increasingly a hostage to his own underworld – and his own reluctance to crack down on serious crime.