Russian Intelligence and Ransomware Gang Lines Continue to Blur

Date: July 12, 2023


Microsoft researchers identified a phishing campaign by the threat actor Storm-0978 (aka RomCom) targeting defense and government agencies in North America and Europe as part of intelligence operations. The group has also been observed conducting ransomware and straight data extortion attacks, offering further evidence of the cross-over between Russian cybercriminal and state-sponsored attacks.

“Storm-0978 has conducted phishing operations with lures related to Ukrainian political affairs and targeting military and government bodies primarily in Europe. Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations,” the report states.

“The actor’s ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.”

Takeaway: Back in May of this year, the U.S. government indicted and issued sanctions against a Russian national for his role in ransomware attacks against U.S. critical infrastructure targets, including law enforcement agencies.

Mikhail Matveev, aka “Wazawaka” and “Boriselcin,” had been identified as a key player in the development of the Hive, LockBit, and Babuk ransomware variants, as well as being connected to the Conti ransomware gang. While we have seen some arrests here and there of affiliates and other low-level threat actors in the space, Matveev was on another level, having been connected to some of the most prolific ransomware operations.

One thing these groups have in common is their propensity to hit targets in key critical infrastructure sectors. A wide variety of industries fall under the critical infrastructure umbrella, some with the potential to cause widespread disruption if successfully targeted by these threat actors, as we saw with the DarkSide attack on Colonial Pipeline back in the spring of 2021 that shut down fuel supplies on the East Coast of the US for several days.

The Colonial attack apparently crossed a line with the ransomware operator's Russian-aligned overlords, and the DarkSide operation was quickly shuttered. But this outcome was likely only because it turned up the heat on the Putin regime, and Putin probably did not like to hear his name invoked in the same news conference that was discussing the attack. It's likely that the Russians did not want to reveal just how disruptive a ransomware attack can be - yet.

As cyber has evolved into a military theater of operations, conventional thinking holds that a major attack on critical infrastructure would likely only come as part of a larger operation that included traditional kinetic warfare. But that thinking assumes nation-to-nation conflict conducted at the direction of governments.

The overlap of cybercriminal activity with nation-state-supported operations that we see in the Russian ransomware model - which conveniently gives the nation-state actor plausible deniability - means that elements likely under the direct control of a hostile government are already acting outside that framework.

In the case of Colonial Pipeline, it may well have been an affiliate actor who conducted the attack, subsequently getting slapped down by the Russian government for overreach in their targeting. Nonetheless, the attack demonstrated that our nation's critical infrastructure is extremely vulnerable to such disruptions, to the benefit of Russian government interests.

The US government is in a tough position regarding what actions to take to stem this wave of ransomware attacks, largely because there is so much ambiguity in determining root attribution for the attacks. Ultimately, it is the Russian government that is both providing safe harbor for criminal elements conducting ransomware attacks with impunity and very likely influencing some of their targeting.

Until the US government directly sanctions the Putin regime for its direct or tacit support of this onslaught of ransomware attacks, we will not see the attacks abate any time soon. It is only a matter of time before we see another massively disruptive attack against a critical infrastructure target.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.