
According to a new report from cybersecurity firm Analyst1, Russian intelligence services are partnering with prominent ransomware groups in an attempt to hack US government-affiliated organisations.
According to the study, two Russian intelligence agencies, the Foreign Intelligence Service (SVR) and the Federal Security Service (FSB), collaborated with members of several cybercrime gangs to develop and deploy proprietary malware targeted at US government networks.
“Multiple individuals who conduct ransomware attacks and are affiliated with Russian-based criminal organisations do in fact have alliances with the Russian government,” the report says.
“The Russian Federal Security Service employed individuals responsible for running multiple criminal organisations. One group conducted ransomware attacks, while the other specialized in banking malware operations.”
According to the experts, a variant of the Ryuk ransomware strain known as Sidoh was used by hackers to attack government-affiliated entities in the United States. Rather than encrypting files for ransom, the software allowed the attackers to gather keystrokes and confidential data for espionage purposes. According to the research, the Sidoh malware was most likely distributed between June 2019 and January 2020.
Sidoh can hide itself in the background of Windows workstations, according to Jon DiMaggio, author of the Analyst1 study. It searches documents for keywords like ‘weapon’ and ‘top secret,’ then sends the data to the hackers in a stealthy manner.
“Sidoh’s creators also purposed it to target financial institutions searching for SWIFT and IBAN-related data. This could indicate a desire to target financial institutions,” the report states.
In one incident, EvilCorp members attacked an American organisation in October 2020 and, only two months later, the same victim was targeted with the same hacking tools, infrastructure and malicious scripts, as was also the case with another group called SilverFish.
DiMaggio directed his team to use open-source and proprietary material to identify individual members of the ransomware groups linked to the Russian intelligence services.
“We took a lot of data and hunted for new malware, analysed it to see how it worked and what it did, and researched connections to the names and handles of the individuals and gangs, dark web, and hacker forum activity,” DiMaggio said.
According to the research, the attacks carried out with Sidoh have all the characteristics of an SVR cyber operation. The researchers are convinced that the Russian government is behind the Sidoh attacks, but they need additional proof to establish it definitively. The Russian government has long been accused of shielding domestic cyber criminals as long as they do not attack Russian businesses.
Six Russian technology companies were sanctioned by the US Treasury Department in April for allegedly assisting government hackers engaging in “dangerous and disruptive cyber assaults.” According to the Department, such companies were constructing infrastructure and tools for Kremlin Intelligence Services, offering expertise, and carrying out hostile cyber actions on their behalf.
Last month, US security agencies issued a joint report warning that hackers linked to Russia’s GRU (military intelligence agency) Unit 26165 were waging a global campaign against government bodies, energy companies, media outlets, think tanks, and political parties in the US and Europe. As part of the campaign, the threat actors were observed trying to compromise accounts by repeatedly submitting different password combinations until they gained access, a brute-force technique that leaves a trail of failed logins in authentication logs.
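The repeated-password-guessing behaviour described in the joint report is detectable from ordinary authentication logs. The following is an added example, not code from the article or from Analyst1: a small threshold-based detector that groups failed logins by source IP within a sliding time window and additionally flags a successful login that follows such a burst. The log lines are constructed sample data in an sshd-like format; the threshold and window values are assumptions a defender would tune to their environment.

```python
"""Detect bursts of failed logins (brute-force / password-guessing) in auth logs.

Added example for illustration; the log lines below are constructed, not real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like sshd messages). One source makes five
# failures against 'alice' in ten seconds and then succeeds; a second source
# fails twice against 'bob' 85 minutes apart, which should not be flagged.
SAMPLE_LOG = """\
2021-07-01T10:00:01 sshd[1]: Failed password for alice from 203.0.113.10 port 50001 ssh2
2021-07-01T10:00:03 sshd[1]: Failed password for alice from 203.0.113.10 port 50002 ssh2
2021-07-01T10:00:05 sshd[1]: Failed password for alice from 203.0.113.10 port 50003 ssh2
2021-07-01T10:00:07 sshd[1]: Failed password for alice from 203.0.113.10 port 50004 ssh2
2021-07-01T10:00:09 sshd[1]: Failed password for alice from 203.0.113.10 port 50005 ssh2
2021-07-01T10:00:11 sshd[1]: Accepted password for alice from 203.0.113.10 port 50006 ssh2
2021-07-01T10:05:00 sshd[1]: Failed password for bob from 198.51.100.7 port 40001 ssh2
2021-07-01T11:30:00 sshd[1]: Failed password for bob from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alerts.

    A 'burst' alert is raised once per source IP when `threshold` failures fall
    within `window`. Grouping by IP rather than by user also catches password
    spraying, where each account sees only one or two attempts. A
    'success_after_burst' alert is raised when the same IP later authenticates
    successfully, which is the outcome a defender most wants to see.
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    flagged = set()               # ips that already produced a burst alert
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            # Slide the window: keep only failures within `window` of this event.
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "burst", "ip": ip, "user": ev["user"],
                               "failures": len(failures[ip]), "ts": ev["ts"]})
        elif ip in flagged:
            alerts.append({"kind": "success_after_burst", "ip": ip,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields two alerts for 203.0.113.10 (a burst of five failures, then a success) and nothing for 198.51.100.7, whose two failures are too far apart. In practice the same logic is usually expressed as a SIEM rule; the point of keying on source IP is that a slow, one-guess-per-account campaign never trips a per-account lockout but still accumulates failures per source.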