What Russia's crackdown on infamous REvil hackers means to US

Russia’s sweeping arrests of renowned REvil members sent a positive signal to the US amid deepening tensions in Ukraine.


Russia's action against the notorious ransomware group REvil, announced by the FSB on January 14, has been described as the largest operation Moscow has ever carried out against ransomware. 

The arrest of REvil representatives spanned 14 cities, with the Russian federal security service (FSB), and the Ministry of Internal Affairs reporting investigative actions in Moscow and St Petersburg, as well as in Leningrad, and Lipetsk regions. 

Searches were conducted at 25 addresses belonging to 14 group members. Law enforcers seized more than 426 million rubles, including cryptocurrency, along with $600,000, 500,000 euros, 20 luxury cars and computer equipment.

Everyone targeted by law enforcement officers faces an unusual charge: the illegal circulation of means of payment as part of an organised group. In practice this means the detainees will be prosecuted for the creation, acquisition and sale of counterfeit payment cards, the accompanying documentation, and the tools for receiving, issuing and transferring funds, rather than for the intrusions and extortion the group is known for. 

Unauthorised access to computer systems and the distribution of malicious software are separate offences under Russian law, punishable by up to four years' imprisonment, or by a jail term combined with a fine of 100,000-200,000 rubles. 

The FSB claims to have established the full membership of REvil. 

According to Russian special services, after the arrests, the hacker group, which can be considered one of the most "profitable" in the criminal world, has now simply "ceased to exist" and its information infrastructure was "neutralised". 

But the official account of the investigation suggested that those arrested were only nominees, the lowest tier of the criminal network, the people who move the money rather than those who run the intrusions. The developers and core operators behind the ransomware were not named among the detainees.

The investigation came on the heels of recent US-Russia talks. A bilateral channel between the two countries became active after Vladimir Putin and Joe Biden met in Geneva last summer, where cybercrime dominated their respective agendas. 

According to some US officials, Washington passed REvil's information to Moscow as part of this communication.

Now US officials are expressing hope that Russia will take "legal action" that will put an end to the steady stream of attacks. The arrests were read as a positive political message.

This poster provided by the U.S. Department of Justice shows Maksim Yakubets. Yakubets, 33, is best known as co-leader of the cybergang that calls itself Evil Corp, a separate Russia-based group also wanted by the FBI.

Hacking the hackers’ wallets

In November, the FBI made its intentions clear. The agency added the Russian cybercrime figure Yevgeny Polyanin, 28, to its wanted list as an alleged REvil participant, and the US State Department offered up to $10 million for information that could help identify or locate REvil's leaders and up to $5 million for information leading to the arrest of affiliates. 

In late September, the Biden administration made a generous gift to the Kremlin by deporting the well-known Russian hacker Aleksei Burkov, and it may have been expecting some reciprocation.

The REvil group, also known as Sodinokibi, is considered one of the largest and most active ransomware operations in the world. US intelligence estimates that the cybercriminals carried out at least 15 attacks per month. The US, whose infrastructure has been one of the most frequent targets, was convinced that the criminal network could be directly linked to Russian officialdom. Moscow, however, has traditionally denied any knowledge of the group's activities.

There was nothing special about REvil's toolkit: the group used ransomware that encrypted victims' data and then demanded payment for the decryption key. Like most ransomware crews of the period, it ran as a service, with a core team maintaining the malware and infrastructure while affiliates carried out the intrusions and shared the proceeds, which is part of why the arrest of a group's money handlers does not by itself disable its operation. 

REvil's victims included Quanta Computer, one of Apple's main manufacturing partners; the global meat producer JBS Foods; the IT giant Acer; and Kaseya, whose VSA remote-management software is used by service providers to run the networks of thousands of small companies that have no IT departments of their own. 

The criminal network's revenues for 2020, meanwhile, reached $100 million, according to its own claims.

According to Alexei Malnev, head of the Jet CSIRT incident monitoring and response centre at Infosystems Jet, REvil members were very "careful in their choice of victims". The main blow therefore tended to fall on large companies that were "able to pay a ransom of several dozens or hundreds of millions of dollars". According to estimates by the Russian company Group-IB, the activity of this hacker group "was one of the main reasons for the impressive growth of the ransomware market" around the world.

Signal to the Biden administration

The arrests signalled a rare positive moment in US-Russian relations amid an alarming concentration of Russian forces near Ukrainian borders and discussions at the White House about the need to expand the sanctions against the Kremlin.

As the Russian cybersecurity expert David Warshawski explained, some serious changes came to light after Biden, during his face-to-face talks with Putin, handed over a list of 16 critical-infrastructure sectors that must under no circumstances be attacked by hackers. After that, Warshawski said, the groups began shifting their activity to other regions, such as Latin America or Asia-Pacific. He does not consider the current arrests a coincidence: they could be an attempt by the Kremlin to assert a positive agenda.

"The timing is not coincidental," agrees Dmitri Alperovitch, a leading Washington expert on Russian cyber activity. 

According to him, through these investigative actions the leadership in Moscow has for the first time openly admitted that "major criminal extortionists reside in Russia". That sets a precedent, one which will also place obligations and responsibility on the Kremlin if the cyberattack campaigns continue.

Nevertheless, despite the positive nature of the signals, experts fear that the arrests were also intended to show US officials, among others, that attacks by Russian hackers on US strategic infrastructure may resume if Washington and its European allies choose to extend sanctions against the Kremlin. 

Indications that some of REvil's top operators are still at large only heighten these fears.
