Integrity Insights
Integrity Insights is a podcast from Berlin Risk, a Berlin-based corporate intelligence and compliance advisory firm. In the podcast, we cover the latest developments in the fields of financial crime, political risk, sanctions, open source investigations and much more. The podcast is hosted by Filip Brokes, consultant at Berlin Risk.
Russia-linked ransomware attacks
In this episode, I spoke to Karen Nershi, an Assistant Professor of Political Science at IE University and a former Postdoctoral Fellow at Stanford University's Stanford Internet Observatory and the Center for International Security and Cooperation (CISAC).
Karen's research examines questions of international cooperation and regulation within international political economy, including challenges emerging from the adoption of decentralized digital currency and other new technologies.
Karen recently published a research paper titled "Assessing the Political Motivations Behind Ransomware Attacks". Her research led her to the conclusion that "the Russian government maintains an informal cooperative relationship with (ransomware) groups by providing safe harbor from prosecution and receiving plausible deniability for attacks and access to skilled cyber actors".
We spoke about Russia's weaponising of private ransomware groups against Europe and the United States, the sanctions imposed on those groups, general regulation of the cybercrime space, and the role of cryptocurrency and anti-money laundering regulation.
You can also find our recent publication on the subject here: https://www.globalriskaffairs.com/2024/01/when-ransomeware-strikes-navigating-risks-and-regulatory-responses/
Connect with Us:
- LinkedIn: https://www.linkedin.com/showcase/integrity-insights/?viewAsMember=true
- Berlin Risk Linkedin: https://www.linkedin.com/company/berlinrisk/?viewAsMember=true
- Website: https://berlinrisk.com/
Hi Karen, welcome on the podcast.

Hi, thanks for having me.

Right. So can we start with a brief introduction? Can you tell us a little bit about your career history or background?

Yeah, of course. So I'm Karen Nershi. I'm an assistant professor at IE University, which is in Madrid, and my background, or my research, is in political science. And generally I look at questions that pose international cooperation and security challenges emerging from new technologies. So in the past I've researched countries' enforcement of anti-money laundering laws in the crypto sector, and more recently I did this big project related to ransomware groups, trying to assess to what degree some of the attacks may be politically motivated. So this is generally the area of research that I'm interested in.

Very nice. And your research on ransomware, that's also the reason why I invited you on the podcast, because I've been working recently on an article myself about ransomware attacks, and I came across your study, which I found super interesting. So I'm really grateful that you could join me here today. This study is titled "Assessing the Political Motivations Behind Ransomware Attacks", which you published in July 2023, so it's relatively recent. Do you think you could maybe briefly summarize the main findings of the study and tell us a little bit about the context in which you undertook it?
Yeah, of course. So when I was starting my postdoc at the Stanford Internet Observatory, I was interested in looking at this topic of ransomware. Generally it's been thought of as a form of crime, at least especially in the past, where we're told that it's cybercrime. But there are some developments that suggest that there may be political aspects behind some of the attacks. So that's what I was interested in studying: whether or not we can find any kind of proof of political connections between some of the groups and the types of attacks that they're carrying out.

So we created a dataset of over 4,000 victims of ransomware attacks, which are companies, occasionally government organizations, but no individuals are included in this victim dataset. We primarily collected the dataset by going to sites on the dark web where some of these groups post about their victims as part of the extortion process. These particular types of attacks are called double extortion attacks. So we collected this dataset over a period of about six months, or actually, sorry, I think more like four months, maybe, I'm not positive.

So we have this dataset, and then what we've looked at is differences in the timing of attacks between different types of ransomware groups. And what we find ultimately is that there is an increase in the number of ransomware attacks before elections in several major democratic countries, including the US and Germany and a couple of other countries. So there's an increase by these groups that have core members operating from Russia, but there's no similar increase in the number of attacks by other groups where we don't know that they have any particular connection to Russia. So that's really the main finding. We do also do some other tests as well. And we also analyze a set of leaked chat logs from one of the major ransomware groups, called Conti, and that provides some insight into how the group is structured and how it functions. We find evidence of some conversations between the group's top members and parts of the Russian government, like the FSB, the security services. So that's a bit of a high-level overview, but I'm happy to jump into any part of this that might be interesting.

I mean, maybe my first question is: was your intention always to look at links between these groups and Russia specifically? Or did this option just present itself from looking at the groups and the prevalence of their links to Russia?
Kind of, yeah. So it's more of the second point. I was interested in studying this topic and I ended up doing a lot of research, looking at cybersecurity blogs, learning more about the space, how the attacks are carried out, and the dynamics of all of this. And it just sort of turned out, after studying this, that many of the groups were operating from Eastern Europe, from Russia, so they're kind of in this space geographically. So there are also some ransomware attacks by other groups in Iran, and North Korea has carried out some ransomware attacks, but just based on the data that we collected, the vast majority of them seemed to fall into either groups that were somewhat connected to Russia or groups where we couldn't ascertain what connections they might have, if any. So it was more of a feature of what we saw in the ransomware space. Of course, other states are also engaging in cybercrime, sometimes in different aspects of cybercrime. But yeah, it's just really what we saw out there in the data.

Mm. I mean, what I found really fascinating was that, I don't know if you would say that you conclusively proved the connection between those groups and the Russian government, or at least showed a very strong, plausible connection, which I had never seen like that anywhere else. I mean, there's a lot of media speculation about these connections, but from what I've seen in my research, I haven't really seen anyone else providing this kind of detailed evidence on this.

Yeah. So I'd be a bit careful in saying that. Our data is consistent with a model where there may be these types of connections. So besides the evidence that we find in these chat logs, where there are direct communications between this one particular group's leaders and the Russian government, we can't really say, you know, that it's evidence of a direct connection, but it's evidence that suggests that there is some type of cooperation or collaboration that happens, which we suspect is not super institutionalized by any means. So our analysis of the chat logs shows that they seem to be independent criminal groups. So they're not just a division of the Russian government or the Russian cyber forces. But yeah, the evidence that we find suggests to us, and we think it supports the conclusion, that there's this sort of loose collaborative relationship between the Russian government and some of these cybercriminal ransomware groups.

And another interesting point is that, I mean, you even mentioned now Eastern Europe and then Russia, but reading your paper, you talk about how there's a very important distinction between countries like, for instance, Ukraine and Russia, especially when it comes to the countries' relevant authorities cooperating with Western authorities.
Can you talk a little bit about that?

Yeah, of course. So in general, Western law enforcement, including the US, including Interpol, Europol, all of these law enforcement services have gotten a lot better over the last five years, and even within the last few years, at really identifying some of the criminal actors behind these cybercriminal operations and, in many cases, arresting them. So we see this happen in Western countries; some of these major cybercriminals have been arrested. But one of the big problems for the West is that the Russian government has generally provided safe harbor to cybercriminal actors operating within the country, especially these ransomware groups. So even across Eastern European countries that may not have such active police forces themselves looking for these cybercriminals, we've seen cases of cooperation between the governments in Poland and Ukraine and these law enforcement organizations to arrest some ransomware operators and other criminal actors. Whereas Russia has, for the most part, refused to cooperate with Western law enforcement. And this is something that I think a lot of people have talked about anecdotally in the field for a long time. So you have cases where the US government talks to their Russian counterparts and notifies them about cybercriminals that they think are operating within the country. Then, notably, the Russian enforcement authorities are not arresting them. But also there are definitely stories that they are recruiting these people to help the Russian government do certain activities, or they're holding things over their heads to try to influence these actors, because, anecdotally and from these stories in the field, it seems like the Russian government is using this information to identify some of the really skilled hackers and cyber actors in the space. So what makes Russia unique from most other countries is the fact that they've really provided this safe harbor: first of all, they've refused to cooperate with Western law enforcement agencies, and for the most part they haven't arrested these actors on their own either.

And another key finding in your study is that the number of ransomware attacks on Western companies and institutions decreased significantly following the Russian invasion of Ukraine. And you argue that this is due to the fact that many of those actors have been conscripted by the Russian government to advance its cyber operations, so that they don't have the time for their own commercial activities. Can you elaborate a little bit on this point?

Yeah, so this is really from a few reports that I've seen, one of them put out by Google. I think that is getting more direct information about what's been happening, especially since the invasion.
They've been following that. So there have definitely been a few reports, anyway, that members of the Conti gang were recruited to help the Russian cyber forces carry out attacks against Ukraine. There are also a few tools from two ransomware groups, Conti and another one, Cuba, that were part of their malware arsenal for criminal activities and have been repurposed to carry out Russian government cyberattacks against Ukraine. So this is another part of the paper that we're hypothesizing about, which is a benefit for the Russian government of having these cybercriminal groups within their country, allowing them to operate. And the fact that these groups overwhelmingly, almost exclusively, target companies and actors outside of Russia. By allowing these cybercriminal groups to function, the government can then draw on these actors that are skilled, that are hackers and have experience here, and recruit them for government activities if they need the additional support. So that's really what we're hypothesizing has happened. And there's some evidence to suggest that it did happen, at least to some degree, after the invasion.

It's fascinating. And I don't know if you've actually conducted any additional work on this, but how likely do you think it is that other governments besides Russia's employ similar techniques?

Yeah, so I do have a couple of ongoing projects stemming from this. I think we've seen the Iranian government appears to have sometimes collaborated with cybercriminal groups. North Korea has engaged in lots of cyber thefts and, to some degree, ransomware as well, although as far as I've seen they don't really seem to be in this double extortion space. So I would say that a lot of these rogue countries are engaging in cybercrime and have for some time, although the particular activities that they're doing can vary.

And another very interesting aspect, at least from our perspective, of this whole topic is the way different authorities, Western governments or organizations, are dealing with this.
We see that in the United States they have a very sanctions-heavy approach, whereby they have been sanctioning a lot of groups and individuals related to or linked to those attacks. How effective do you think this approach is?

It's a great question. I think in the past we have seen the US Treasury actually sanction a couple of ransomware groups themselves. That seemed to be a really ineffective method of trying to address this problem, because in response you see just some rebranding of the groups. They pop up as new groups with a different name. And in some cases you even had groups telling their victims, we're not the sanctioned group, like, don't worry, we're not sanctioned. So that has been an approach. We also see sanctioning of individuals; of course, there's been a lot of that since the invasion. Based on my research and some prior research into anti-money laundering regulation within the cryptocurrency sector, I think that the main point at which governments can really manage to address this problem through regulation will be through the anti-money laundering regulation within cryptocurrency exchanges, because this is really the point at which they're converting cryptocurrency to fiat currency so they can use it more widely. So there are some regulations that a lot of countries, FATF countries, OECD countries, have adopted in the cryptocurrency space. So I think, by strengthening those regulations, that's really the avenue that's going to prove most effective, in my opinion, for addressing this challenge.
Mm-hmm. And speaking of cryptocurrency, that's another interesting subject, because basically now the companies that are affected by ransomware attacks not only have to worry about this whole issue of having their data exposed, or potentially exposed, but also they have to worry about sanctions, or potential sanctions violations, if they make those ransom payments. And I wonder how you deal with this as a company, because obviously I assume that these groups don't formally introduce themselves when they attack you, so you don't know who you are actually sending the cryptocurrency to. So how to deal with that?

Yes. Yeah, so you definitely won't know the individuals, although the groups themselves generally are promoting their name and their reputation as these criminal actors. I think, as far as I know, based on the last time I looked at it, we don't have laws nationally, within countries, forbidding companies from paying these groups, these ransomware actors. So I think we do see an increase in reporting requirements, especially at least within the United States, that if you do pay a ransom to these actors, you need to report it to government agencies. And then for some public companies, they also need to disclose that there's been some sort of cyber breach. But on the whole, I don't think that these, well, I guess I can't say, because I don't know exactly what's going on in the calculus in these companies, but at least some of them don't seem so worried about potential sanctions violations when they ultimately end up paying the ransom.

Mm-hmm. I mean, it is also what you just mentioned, the potential forbidding of making these ransom payments. When I was doing my research, I saw that most governments, the UK or the German government, strongly discourage companies from making those payments, but they don't actually forbid them from doing so. And I read that in November 2023 the White House in Washington hosted the annual International Counter Ransomware Initiative summit, and one of the main outcomes was that the delegates expressed their collective stance against ransom payments. So there was clearly a will expressed that this is something that should be banned on a global level. But how likely do you think it is that payments will actually be banned?

You know, honestly, I don't see a ban on payments actually working.
So of course, if there was a way to get all these companies in all these countries to stop paying ransoms, then this type of crime would no longer be valuable, and probably these groups would switch to doing something else, some other type of cybercrime. And you know, a big concern here is that there are really large sums of money going to these criminal actors, which is of course dangerous and a really bad outcome. But I think, just based on some of these cases you see occasionally, sometimes there are attacks against hospitals, sometimes you actually have people's lives hanging in the balance as they're waiting for machines and systems to come back online. So I think at this point, given how widespread the problem is across many sectors across these developed countries, trying to get this ban in place would probably prove too difficult. So, in my opinion, I feel like the best way for countries to work on this, or to regulate this, is through the cryptocurrency exchanges.

Mm. And maybe the last question, regarding crypto, because as you mentioned, you also do a lot of work on anti-money laundering and crypto. How do you see that all these issues, ransomware, crypto, money laundering, come together?

Yeah, so I came at this, as we were chatting about a little bit earlier, through my interest in anti-money laundering enforcement, and then I looked at the introduction of these laws within the cryptocurrency sector, which is very interesting. And actually, when I started looking at the ransomware project, I thought I might be looking at, say, cryptocurrency payments to the groups. But then it just turned out that looking at the victims provided this clearer path. But yeah, cryptocurrency on the whole has really provided an avenue for the payments related to these crimes. So actually, what people think is the first ransomware attack happened in 1989, and there was this researcher that shared floppy disks with a malware virus on them, and the instructions told people to send a traveler's check to a post office box in Panama. So you can have ransomware attacks without cryptocurrency, but it's just enabled it on a much, much larger scale, and the fact that it's digital and pseudonymous has given these threat actors a way in. So yes, I think that cryptocurrency has played a really important role, of course, in this ecosystem of cybercrime by really functioning as the main form of payment. And so I think as countries, and especially Western countries, get better at really regulating the sector, regulating where it touches the traditional economy, where it's connected to the currencies, that will hopefully really help over time to make some of these crimes less profitable and hopefully lead to a decrease in these crimes over time.

Hopefully. Karen, thank you very much for your time, I appreciate it.

Thanks so much. It was great being here. Bye.