“We have the smoke, the smell of gunpowder and a bullet casing. But we do not have the gun to link the activity to the Kremlin.” This is what Jon DiMaggio, Chief Security Strategist for Analyst1, said in an interview with CBS News following the release of its latest whitepaper, entitled “Nation State Ransomware”. The whitepaper is Analyst1’s attempt to identify the depth of the human relationships between the Russian government and the ransomware threat groups based in Russia.
“We wanted to have that, but we believe after conducting extensive research we came as close as possible to proving it based on the information/evidence available today,” DiMaggio concluded.
Here are some of the key players and connections identified by Analyst1:
Evgeniy “Slavik” Bogachev
Hailed as “the most prolific bank robber in the world”, Bogachev is best known for creating ZeuS, one of the most prolific banking information stealers ever seen. According to the report, Bogachev created a “secret ZeuS variant and supporting network” on his own, without the knowledge of his closest underground associates—The Business Club. This ZeuS variant, a modified GameOver ZeuS (GOZ), was designed specifically for espionage and was aimed at governments and intelligence agencies connected with Ukraine, Turkey, and Georgia.
Analyst1 also believes that, at some point, Bogachev was approached by the Russian government to work for them in exchange for their blessing to continue his fraud operations.
The United States officially indicted Bogachev in May 2014. Seven years on, Russia still refuses to extradite him. The Ukraine Interior Ministry had provided a reason why: Bogachev was “working under the supervision of a special unit of the FSB.” That is, the Federal Security Service, Russia’s security agency and successor to the Soviet Union’s KGB.
The Business Club, the underground criminal gang that Bogachev himself put together, continued its operations. In fact, under the new leadership of Maksim “Aqua” Yakubets, Bogachev’s successor, the criminal enterprise rebranded and started calling itself EvilCorp. Some cybersecurity companies track the group under the name Indrik Spider. Since then, it has been behind campaigns harvesting banking credentials in over 40 countries using sophisticated Trojan malware known as Dridex.
Yakubets was hired by the FSB in 2017 to directly support the Russian government’s “malicious cyber efforts”. He was also a likely candidate for the job because of his relationship with Eduard Bendesky, a former FSB colonel who is also his father-in-law. It was also in 2017 that EvilCorp started creating and using ransomware—BitPaymer, WastedLocker, and Hades—for its financially motivated campaigns. In addition, Dridex had been used to drop ransomware onto victim machines.
SilverFish was one of the threat actors quick enough to take advantage of the SolarWinds breach that was made public in mid-December of 2020. As you may recall, multiple companies using SolarWinds’ Orion software were reportedly compromised via a supply-chain attack.
SilverFish is a known Russian espionage actor and is said to be related to EvilCorp, in that the two groups used similar tools and techniques against one victim: the same command and control (C&C) infrastructure and a unique Cobalt Strike Beacon. SilverFish even attacked the same organization a few months after EvilCorp had hit it with ransomware.
Wizard Spider is the gang behind the Conti and Ryuk ransomware strains. Analyst1 has previously profiled Wizard Spider as one of the groups operating as part of a ransomware cartel. DiMaggio and his team believe that Wizard Spider is responsible for managing and controlling TrickBot.
EvilCorp has a history of using TrickBot to deliver its BitPaymer ransomware to victim systems. This suggests that some level of relationship exists between the two groups.
Does it matter?
While the Analyst1 report contains some interesting findings, we agree that it doesn’t deliver a smoking gun. That doesn’t mean there isn’t a smoking gun somewhere, of course. But even if there is, unless you’re an intelligence agency like the NSA, establishing the intent of a potential attacker can be a waste of time and effort.
Does that mean you shouldn’t care about attribution at all? No. It’s sensible to update your threat model in response to tactics used by real-world threat actors. But it often doesn’t matter who is doing the attacking. Ransomware is a well-established and well-resourced threat to your business, whether it’s state-funded or run by criminal gangs living off several years of multi-million dollar payouts and a Bitcoin boom.
You can read more about attribution in our two-part series on the subject, starting with when you should care.