
Russian Government Now Actively Managing Cybercrime Groups: Security Firm

The relationship between the Russian government and cybercriminal groups has evolved from passive tolerance. The post Russian Government Now Actively Managing Cybercrime Groups: Security Firm appeared first on SecurityWeek.


Russian cybercriminals are no longer just tolerated by the country’s government, but managed by it, a fresh report from cybersecurity firm Recorded Future reveals.

It has long been known that Russian cybercriminals could operate unhindered by the country’s authorities, as they often maintained relationships with the state’s intelligence services, providing information and performing various cyber activities on their behalf.

The connection between the state – especially intelligence and law enforcement services – and the cybercrime ecosystem in Russia was reinforced during the 2022 invasion of Ukraine, which also led to a relationship shift, with multiple threat actors pledging allegiance to the Kremlin, while others turned away from it.

In this context, international law enforcement efforts such as Operation Endgame, which has targeted botnets, malware loaders, money laundering services, and other infrastructure linked to various ransomware and malware operations, have put increased pressure on the interaction between the state and cybercriminals in Russia, which is no longer a safe haven for them.

In response to the international takedowns, Russian authorities have taken a more aggressive stance, making high-profile arrests and seizures, turning cybercrime into a tool of influence and information acquisition, in addition to a commercial enterprise, but also into a liability when the country’s interests are threatened.

“Russian services recruit or co-opt talent when useful, look the other way when activity aligns with state aims, and selectively enforce laws when threat actors become politically inconvenient or externally embarrassing,” Recorded Future says in its third installment of the Dark Covenant report.

“The trajectory of this ecosystem will depend on how Russian authorities balance external pressure, domestic political sensitivities, and the enduring strategic value derived from cybercriminal proxies,” the report reads.

The shift, Recorded Future says, occurred in 2023, and has involved choreographed arrests and public examples through which the state has been seeking to reinforce its authority. It also resulted in Russia leveraging cybercriminals as geopolitical instruments.

The threat actors, on the other hand, have turned to decentralized operations to evade surveillance, but the Russian cybercriminal underground has been fracturing, and ransomware affiliates have become increasingly paranoid, dark web intelligence has revealed.

Leaked communications, however, show direct task coordination between cybercrime groups and Russian intelligence, indicating that the core construct of the ties between the Russian government and cybercriminals has remained unchanged; they also shed light on Russian authorities’ actions against domestic cybercriminals.

The Operation Endgame takedowns have resulted in Russian law enforcement targeting key services used by ransomware operators, such as Cryptex and UAPS, and conducting raids, mass arrests, and asset seizures. However, these actions mainly targeted low-utility enablers rather than senior operators, who maintain ties with the security services.

For threat actors that maintain a strategic utility to the state, Russia remains a ‘safe haven’. However, the underground behavior has changed, with cybercriminals implementing stricter vetting and adopting closed channels.

Russian authorities’ selective targeting of the cybercrime landscape appears to be the result of cost-benefit calculus: high-value ransomware ecosystems persist while cash-out infrastructure is taken down, Recorded Future notes.

This selective pattern is demonstrated by the Russian authorities’ lack of action against individuals associated with the Conti and TrickBot groups, which have been targeted in Operation Endgame and added to Europol’s most wanted list.

Leaked BlackBasta chats showed that cybercriminals are aware of the connections that Conti and TrickBot senior members have with the Russian intelligence services, and leaked chats from within these groups appear to confirm that. Additionally, some of Conti’s victims align with Russian intelligence’s interests.

On the other hand, shortly after Cryptex and UAPS were disrupted in Operation Endgame and the US announced sanctions against them, Russian authorities announced an investigation into both services, the arrest of roughly 100 individuals, and the seizure of $16 million, in addition to various vehicles and property.

“The choice of target (financial facilitators rather than core operators) and the lead agency (Investigative Committee rather than security services) align with an equilibrium: money services are expendable when foreign pressure is high and their intelligence value is low, whereas threat groups with alleged service ties retain relative insulation,” Recorded Future’s report reads.

According to the report, the relationship between Russian cybercriminals and the security services is influenced by multiple variables. Cybercriminals likely pay for protection and answer when called to support the state, a reciprocal arrangement shaped by political cost, external pressure, and usefulness.

“If the threat actor becomes too significant or does not provide enough support, security services will leverage their legitimate powers to target or harass the victim with their legitimate policing powers. Such episodic enforcement is best read as governance of the market, not its eradication,” the report reads.

Since the beginning of Operation Endgame, there has been a decrease in ransomware-as-a-service (RaaS) affiliate program announcements on the dark web, although roughly a dozen such operations have emerged in the meantime. These mainly prefer Russian-speaking affiliates over English-speaking ones, who are more likely to be researchers or law enforcement agents.

“Fewer open advertisements and a pivot toward semi-closed recruitment are rational adaptations to perceived infiltration and selective domestic enforcement. Operators try to keep the revenue engine running while shrinking their exposure surface. The continued emergence of new programs, despite headline pressure, shows the underlying business remains attractive, but the bar for trust is higher and more culturally gated,” the report reads.

Over the past year, Recorded Future has observed an increased distrust among RaaS members and affiliates, the emergence of impersonators, and various data resale schemes, as well as underground chats recommending operational security changes following law enforcement actions, and adaptation from cybercriminals in response to these actions.
