The revelation that an Eastern European group is responsible for the massively disruptive ransomware attack on the Colonial Pipeline should spur U.S. policymakers to confront Russia’s brazen enabling of cybercrime. Russian authorities and top-level cybercriminals have long shared an informal understanding, buttressed by state co-optation and coercion, that criminal hackers occasionally lend security services their expertise in exchange for a near-free rein to hack, extort, and steal from foreign entities, especially those in the West—just not any in Russia or the near abroad. The fuel crisis the Colonial Pipeline shutdown has caused underscores the serious, real-world consequences that bargain has for Americans. As the Biden administration begins to implement its national cybersecurity strategy, it must take steps to address Russia’s strategic negligence toward cybercrime.
Russian authorities have leaned repeatedly on cybercriminals for help conducting complex operations. In 2014, Russia’s security service officers, known as the FSB, enlisted a pair of criminal hackers to compromise Yahoo’s email service—one of whom was the subject of an Interpol Red Notice for illegal hacking—and provided “sensitive” information “that would have helped him avoid detection by law enforcement, including information regarding FSB investigations of computer hacking and FSB techniques for identifying criminal hackers.” In 2017, the New York Times reported that the FSB was “grafting an intelligence operation onto a far-reaching cybercriminal scheme” orchestrated by Evgeniy Bogachev, then the world’s most wanted cybercriminal. As Bogachev pursued financial gain, the FSB was “piggybacking” on his intrusions, scouring the millions of computers he had compromised for valuable intelligence.
More recently, U.S. prosecutors brought charges against Maksim Yakubets for a “decade-long cybercrime spree,” first as a money launderer for Bogachev’s crew and later as the leader of a prominent gang called Evil Corp. The State Department’s $5 million reward for Yakubets’ capture now exceeds the one for Bogachev. In a sanctions announcement, the U.S. Department of the Treasury noted that “in addition to his involvement in financially motivated cybercrime” Yakubets “provides direct assistance to the Russian government’s malicious cyber efforts” and even holds an FSB security clearance. Yakubets’s government ties go beyond business: in 2017, he reportedly married the daughter of a former officer in the FSB’s Vympel special forces.
Russian-language cybercriminals have taken full advantage of the state’s blind eye. The most successful groups, like those led by Bogachev and Yakubets, have stolen hundreds of millions of dollars and caused even more in damage. Criminals who cooperate with the security services may use their state mandate for personal enrichment, as one of the Yahoo hackers did by manipulating search-engine traffic. Moreover, leading Russian-language forums like Exploit have emerged as go-to platforms for sophisticated actors around the world to exchange products, services, and know-how for financial operations. Cybersecurity firms have estimated that the Russian e-crime market alone is worth billions of dollars.
Russian criminal hackers generally take care to configure their tools and platforms so that they only target foreign machines. Russian-origin malware often includes a function that checks the native languages of infected computers and passes over those found to operate in Russian, Ukrainian, or Belarussian. Many services that pay people to install adware and spyware on their computers refuse to purchase Russian or Commonwealth of Independent States traffic. Some prominent Russian cybercriminal forums even ban users just for advertising services targeting the near abroad. When self-regulation doesn’t work, Russian authorities use intimidation to keep non-compliant criminals in check. For instance, in 2012 police arrested a cybercriminal gang that stole from a range of global targets, including Russian banks, and later released a video of one member loudly sobbing in a clear message to would-be domestic hackers. Nearly all cybercrimes prosecuted in Russia involve attacks on internal networks.
Plenty of other factors also account for the robustness of Russia’s cybercriminal ecosystem. One is that Russia has more technically skilled workers than high-quality information technology jobs, which tend not to pay well anyway. As Tim Maurer and Garrett Hinck have pointed out, “government salaries of a few thousand dollars a year pale in comparison to reports of thousands or millions made in the latest cyber heist.” Another is endemic corruption in Russian law enforcement, which undermines the pursuit of criminal justice and presents a channel through which hackers can easily access valuable personal data. A third is Moscow’s strong inclination against extraditing Russian nationals abroad. Yet another is that tracking anonymous cyber criminals is difficult, and authorities lack the capacity to go after every single one. Nonetheless, it is the state’s willful ignorance that has most enabled Russian cybercriminals’ ambitions.
Earlier this month, President Joe Biden acknowledged that Russia bears “some responsibility” for cybercrime staged within its borders and suggested he would raise the issue in his upcoming summit with Russian president Vladimir Putin. But his administration should go further. Until policymakers take more direct action, Russian authorities will continue providing cover to friendly cybercriminals who prey on targets in the United States and around the globe.
Alex O’Neill is coordinator of the Harvard Kennedy School’s Korea Project, where he heads a research initiative on Russian-North Korean cyber relations and co-leads its North Korea Cyber Working Group. He is the author of a forthcoming report on the ties between North Korean state hackers and Russian cybercriminals.