
Article 1 | The Russian Cyber Underworld

From Hackers to State-Sponsored Threats: The Intricate Web of Russian Cyber Activity

Makenna Petersen

15 Minutes

From meddling in presidential campaigns to targeting power grids, Russia has used cyber capabilities to influence and disrupt its adversaries. Russia understands, perhaps more than most nations, that politics is an integral part of war and that weaponized information can have a drastic impact. This outlook is encoded in Russian grand strategy: Russian doctrine treats cyber activity as one component of the broader information environment (what its military writers call "information confrontation") rather than as a separate domain. With that insight we can better understand Russia's approach to cyber activity, its targeted disinformation campaigns, its ransomware and malware attacks and, ultimately, why it is a hub for malicious cyber actors.


According to Tim Maurer, cybercrime in Russia began to flourish, evolving into a popular and highly profitable business, after the 1998 economic crisis. Despite Russia's status as one of the most literate and educated societies globally, unemployment spiked as the economy was unable to absorb its tech-savvy workforce, and an estimated 50 percent of Russian software companies did not survive.


Today there is no labor shortage in hacking and information technology. The potential earnings from a single cyberattack, which can reach thousands or even millions of dollars, far exceed the typical salaries of legitimate employment in Russia. To give perspective, in 2013 Target suffered a data breach in which millions of shoppers' payment-card details were compromised. The point-of-sale malware used in that attack was reported to have been written by a 17-year-old from St. Petersburg, Sergey Taraspov, who sold the program for about $2,000 on a Russian-language forum. The code was then reportedly used by at least 40 cybercriminals, primarily from the former Soviet Union, to target American retailers.


Russia's appeal as a base for cybercrime can be attributed partly to the weaknesses of Chapter 28 of the Criminal Code of the Russian Federation and partly to the deeply rooted tech and hacking culture within Russian society. Chapter 28 consists of Articles 272 (unlawful access to computer information), 273 (creation, use and dissemination of harmful computer programs) and 274 (violation of the rules for operating computers, computer systems and networks), and each can be read as relatively weak. For example, Paragraph 1 of Article 273, Creation, Use, and Dissemination of Harmful Computer Programmes, states in the English translation of the 1996 text:


Creation of computer viruses for the introduction of changes to existing programmes, which knowingly leads to the unsanctioned destruction, blocking, modification, or copying of information, the disruption of the work of computers,  computer systems, or their networks, and also the use or dissemination of such viruses or machine-readable media with such viruses, shall be punishable by deprivation of liberty for a term of up to three years, with a fine in the amount up to 200 thousand roubles, or in the amount of the wage or salary, or any other income of the convicted person for a period up to 18 months.


The criminal code leaves plenty of room for interpretation, as does the term 'computer information', which recurs throughout these articles. (The wording quoted above is the English translation of the 1996 text; Chapter 28 was substantially amended in 2011, but the basic offence under Article 273 still carries a fine of up to 200,000 roubles.) Punishment for cybercriminals in Russia is also seemingly less significant than in the West and likely contributes to bad cyber actors' preference for Russia over other countries in the region. To put things into perspective, the 200,000 RUB fine mentioned above is roughly US$2,250 at 2024 exchange rates, only slightly more than Taraspov (the 17-year-old hacker) reportedly made from a single piece of code.


As the sums at stake grow, corrupt local officials are induced to work alongside those with the technical skills to conduct one cyberattack after another. Hackers act strategically and avoid targeting businesses and individuals inside Russia, focusing instead on targets in Europe and the United States (U.S.). This often plays into the political sphere, as Russia and the U.S. have long been adversaries. The Russian government often protests when its citizens are arrested abroad, and it routinely fails to respond to foreign law-enforcement requests concerning cybercrime suspects. Russia does not extradite its own citizens: Article 61 of the Russian Constitution forbids it. Moscow also has no extradition treaty with the U.S., which further hinders American prosecution. The case of Edward Snowden, a former contractor for the U.S. National Security Agency who was granted asylum in Russia after he "leaked classified information about global surveillance programs," illustrates the treaty gap rather than the citizenship rule, since Snowden was not a Russian citizen when he arrived. Therefore, between the quick-cash opportunities, the refusal to extradite suspected cybercriminals, and the seemingly lax law enforcement within its borders, Russia is a prime location for malicious cyber activity.


It is also worth noting that Russian hacking culture has grown rapidly in recent years, particularly since 2011, when the Russian cybersecurity company Positive Technologies founded the 'Positive Hack Days' (PHDays) hacking conference. Positive Technologies itself was sanctioned by the U.S. government in April 2021 for "supporting Russian government cyber operations." The conference grew from 500 attendees in its first year to 8,700 hackers, developers and cybersecurity firms by May 2022 and is now known as a recruiting venue for Russia's Federal Security Service (FSB) and military intelligence agency (GRU).


As mentioned in the introductory article, nation-state actors like Russia often sponsor cybercriminals and hackers to carry out operations such as disinformation campaigns, ransomware and malware attacks that benefit Moscow's political agenda. Keep in mind that, "cybercriminals who operate without state backing and inject money into the Russian economy; patriotic hackers and criminal groups recruited by the state on an ad hoc basis; and proxy organizations and front companies created solely for the purpose of conducting government operations," offer the Kremlin plausible deniability, making Russia an ideal base for bad cyber actors.


Two examples of Russian cyber activity illustrate both the importance of protecting digital assets and the reach of Russian cyber actors: LockBit, a ransomware group, and Sandworm, a state-sponsored APT group. Both are discussed below.

LockBit (previously “ABCD” ransomware)

LockBit, first observed in September 2019 as "ABCD" ransomware (named for the .abcd extension it appended to encrypted files), has executed numerous cyberattacks in the U.S. and around the world. For years LockBit was considered one of the most prolific ransomware operations because of its ability to infiltrate systems and wreak havoc on its victims. The group has targeted everything from hospitals and healthcare systems to educational and financial institutions, affecting thousands of victims and making no less than "hundreds of millions of U.S. dollars in ransom demands and receiving over $120 million in ransom payments." Given that "74 [percent] of ransomware revenue goes to Russia-linked hackers," it is no surprise that Russian nationals have been charged in connection with LockBit operations.


For example, LockBit attacked the Canadian pharmacy chain London Drugs in April 2024, stole electronic files from the company's head office and demanded $25 million within 48 hours. London Drugs stated it was "unwilling and unable to pay ransom to these cybercriminals," and there has been no public indication of exactly what data the group obtained. LockBit also claimed responsibility for a ransomware attack that severely disrupted the Township of Union School District in New Jersey in May 2024; the group demanded an unspecified sum, caused network disruption and stole confidential data, affecting students and staff of the district. In the same month LockBit claimed the attack on the City of Wichita, Kansas, which significantly affected payment systems for the water utility, the municipal court, cultural venues and public transportation. As the investigation continues, what information the group stole remains unknown.


Meanwhile, in February 2024, an international law-enforcement operation (Operation Cronos) led by the United Kingdom's National Crime Agency, with the Federal Bureau of Investigation (FBI) and other partners, seized LockBit's infrastructure and took down its servers. A new LockBit leak site was nonetheless up and running in less than a week, which illustrates the resilience and reach of a cybercrime operation such as LockBit. On 7 May 2024, as a further step in the same disruption campaign, the alleged leader of LockBit, Dmitry Yuryevich Khoroshev (Дмитрий Юрьевич Хорошев), known online as "LockBitSupp," was identified and sanctioned by the United Kingdom, the U.S. and Australia.


Although a U.S. "grand jury in the District of New Jersey" indicted Khoroshev, the indictment has limited reach, as he is believed to reside in Russia. Because of Moscow's extradition policies, he remains beyond the reach of American prosecution.


To explain how LockBit works, the U.S. Department of Justice described the steps of LockBit's ransomware operations in order to educate individuals and institutions about the tactics the threat actor uses. The Department reports:


The LockBit ransomware variant, like other major ransomware variants, operates in the ‘ransomware-as-a-service’ (RaaS) model, in which administrators, also called developers, design the ransomware, recruit other members — called affiliates — to deploy it, and maintain an online software dashboard called a  ‘control panel’ to provide the affiliates with the tools necessary to deploy LockBit. Affiliates, in turn, identify and unlawfully access vulnerable computer systems, sometimes through their own hacking or at other times by purchasing stolen access credentials from others. Using the control panel operated by the developers, affiliates then deploy LockBit within the victim computer system, allowing them to encrypt and steal data for which a ransom is demanded to decrypt or avoid publication on a public website maintained by the LockBit developers, often called a data leak site. 


To summarize, LockBit shows how quickly a cybercrime group can relaunch itself after being shut down. It has benefited from Russia's status as a safe haven for bad cyber actors, and its attacks highlight how extensive such a group's capabilities can be and how important it is to secure digital assets. Next, Sandworm will be discussed, calling attention to Russia's most active state-sponsored APT group.

Sandworm (Aliases: ELECTRUM, IRON VIKING, BlackEnergy, Voodoo Bear, IRIDIUM, Seashell Blizzard, APT44, GRU Unit 74455)

Sandworm, attributed to Unit 74455 of the GRU and one of that agency's cyber units, is the leading actor in Russian state-sponsored APT operations. It is believed to have been active since at least 2009, has significantly affected Russia's adversaries over the past decade, and has carried out a large number of attacks in Ukraine since Russia's full-scale invasion in February 2022. From February 2022 to September 2023 the CyberPeace Institute recorded Sandworm as responsible for 21 attacks on Ukrainian infrastructure.


Sandworm's objectives are overtly political: disrupting adversary states by sabotaging networks, conducting information operations and collecting intelligence. According to Google's Mandiant, Sandworm has "played a more central role in shaping and supporting Russia's military campaign" than any other state-sponsored cyber group. This APT actor is therefore starkly different from LockBit on several levels, above all because LockBit is not believed to be state-sponsored and is financially motivated.


Sandworm has carried out a number of sophisticated operations over the years. One notable case is interference in the 2016 U.S. election: members were part of a "computer hacking conspiracy" which involved "gaining unauthorized access into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, stealing documents from those computers and staging releases of the stolen documents." The 2017 NotPetya outbreak is another. NotPetya was delivered through a trojanized update to the Ukrainian accounting package M.E.Doc, a supply-chain attack aimed at Ukrainian networks; although it posed as ransomware, it was in effect a wiper, and it spread across the world, crippling "multinational companies including Maersk, pharmaceutical giant Merck, FedEx's European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz and manufacturer Reckitt Benckiser. In each case, it inflicted nine-figure costs." NotPetya has since been described as the most devastating cyberattack in history.


In February 2018 Sandworm struck the Pyeongchang Winter Olympics in South Korea with the Olympic Destroyer worm, which infected the Games' IT systems and was built to spread to other connected networks. The group is also responsible for the attacks on Ukraine's power grid. In December 2015 the BlackEnergy malware and the KillDisk wiper were used against three regional distribution companies, cutting power to roughly 230,000 customers for several hours while a telephone denial-of-service (TDoS) attack flooded the utilities' call centres so that civilians could not report the outage. In December 2016 the Industroyer malware framework, which speaks industrial control protocols directly and included a denial-of-service component against Siemens SIPROTEC protection relays, caused a blackout of roughly an hour in part of Ukraine's capital, Kyiv. Industroyer2, a reworked version of the same framework, was deployed against Ukrainian high-voltage substations in April 2022 but was detected and removed before it caused an outage. Sandworm is also held responsible for the attack on Viasat's KA-SAT satellite network on the first day of Russia's full-scale invasion in February 2022, which knocked tens of thousands of modems offline across Ukraine and other European countries. The named incidents only scratch the surface of Sandworm's operations.


These two groups illustrate the breadth of capabilities malicious cyber actors can have. LockBit shows why safeguarding against ransomware matters for protecting digital assets, while Sandworm shows how far-reaching such actors become when backed by a nation state.


Article 2 will shed light on Eastern European hotspots for malicious cyber actors, the role that European Union (EU) membership plays in cybersecurity regulation and law enforcement, and more.

Notes

1 Maurer, Tim, “Why the Russian Government Turns a Blind Eye to Cybercriminals,” Carnegie Endowment for International Peace, February 2, 2018. https://carnegieendowment.org/posts/2018/02/why-the-russian-government-turns-a-blind-eye-to-cybercriminals?lang=en

2 Ibid.

3 “Skilled, Cheap Russian Hackers Power American Cybercrime,” NBC News, February 5, 2014. https://www.nbcnews.com/news/world/skilled-cheap-russian-hackers-power-american-cybercrime-n22371

4 Ibid.

5 “The Criminal Code of the Russian Federation,” United Nations: Office on Drugs and Crime, n.d. https://sherloc.unodc.org/cld/uploads/res/document/rus/1996/the_criminal_code_of_the_russian_federation_english_html/the_Criminal_Code_of_Russian_Federation_English.pdf

6 Maurer, Tim, “Why the Russian Government Turns a Blind Eye to Cybercriminals,” Carnegie Endowment for International Peace, February 2, 2018. https://carnegieendowment.org/posts/2018/02/why-the-russian-government-turns-a-blind-eye-to-cybercriminals?lang=en

7 “Russian indictment and extradition,” American Constitution Society, February 28, 2018. https://www.acslaw.org/expertforum/russian-indictment-and-extradition/

8 “Non Extradition Countries in 2024,” Human Rights Lawyers, 2024. https://humanrights-lawyer.com/blog/non-extradition-countries/ 

9 Sherman, Justin, “Russia’s Largest Hacking Conference Reflects Isolated Cyber Ecosystem,” Brookings, January 12, 2023. https://www.brookings.edu/articles/russias-largest-hacking-conference-reflects-isolated-cyber-ecosystem/

10 Ibid. 

11 Sherman, Justin, Issue brief, Untangling the Russian Web: Spies, Proxies, and Spectrums of Russian Cyber Behavior, Atlantic Council, September 19, 2022. https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/untangling-the-russian-web/

12 “U.S. and U.K. disrupt LockBit ransomware variant,” U.S. Department of Justice: Office of Public Affairs, February 20, 2024. https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant 

13 Tidy, Joe, “74% of ransomware revenue goes to Russia-linked hackers,” BBC News, February 14, 2022. https://www.bbc.com/news/technology-60378009

14 Lo, Michael John, “London drug ransom demand dropped from dark-web site; meaning unclear,” Times Colonist, May 22, 2024. https://www.timescolonist.com/local-news/ransomware-group-says-it-will-release-stolen-london-drugs-data-if-it-doesnt-get-25m-in-48-hours-8776889

15 Ibid.

16 Bischoff, Paul, “Ransomware gang lockbit claims cyber attack on union, NJ schools,” Comparitech, May 16, 2024. https://www.comparitech.com/news/ransomware-gang-lockbit-claims-cyber-attack-on-union-nj-schools/ 

17 Kovacs, Eduard, “Lockbit takes credit for City of Wichita Ransomware attack,” SecurityWeek, May 9, 2024. https://www.securityweek.com/lockbit-takes-credit-for-city-of-wichita-ransomware-attack/ 

18 Ibid.

19 Vicens, Aj, “Lockbit claims a comeback less than a week after major disruption,” CyberScoop, February 26, 2024. https://cyberscoop.com/lockbit-comeback-less-than-a-week-after-major-disruption/ 

20 “LockBit leader unmasked and sanctioned,” National Crime Agency, May 7, 2024. https://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned 

21 “U.S. charges Russian national with developing and operating lockbit ransomware,” U.S. Department of Justice: Office of Public Affairs, May 7, 2024. https://www.justice.gov/opa/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware 

22 Ibid.

23 “U.S. and U.K. disrupt LockBit ransomware variant,” U.S. Department of Justice: Office of Public Affairs, February 20, 2024. https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant

24 Rep. Cyber Dimensions of the Armed Conflict in Ukraine Quarterly Analysis Report Q3 July to September 2023. CyberPeace Institute, December 21, 2023, 3. https://cyberpeaceinstitute.org/wp-content/uploads/2023/12/Cyber-Dimensions_Ukraine-Q3-2023.pdf

25 Roncone, Gabby, Dan Black, John Wolfram, Tyler McLellan, Nick Simonian, Ryan Hall, Anton Prokopenkov, Dan Perez, Lexie Aytes, and Alden Wahlstrom, Rep. APT44: Unearthing Sandworm. Mandiant, April 17, 2024. https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf

26 “Russian interference in 2016 U.S. elections,” Federal Bureau of Investigation: Most Wanted, n.d. https://www.fbi.gov/wanted/cyber/russian-interference-in-2016-u-s-elections 

27 Greenberg, Andy, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, August 22, 2018. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

28 Ibid.

29 “Olympic Destroyer,” MITRE Corporation, April 23, 2021. https://attack.mitre.org/software/S0365/ 

30 “Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure,” BlackBerry, May 12, 2022. https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure 

31 Ibid.

32 “Case study: Viasat,” CyberPeace Institute, June, 2022.  https://cyberconflicts.cyberpeaceinstitute.org/law-and-policy/cases/viasat
