By Joseph Menn
(Reuters) - As U.S. President Joe Biden prepares to confront Russian President Vladimir Putin over ransomware gangs in his country that twice recently targeted critical American infrastructure, his administration is publicly blaming the Russian government for allowing those criminals to profit without prosecution.
The FBI and private cybersecurity companies have not disclosed any evidence showing Russian government involvement in the ransomware attacks on U.S. fuel transporter Colonial Pipeline Co and meatpacker JBS SA of Brazil. Putin has called the idea that Russia was responsible absurd.
But as the cyber operations of Russian intelligence agencies have evolved, it has become harder for the U.S. government to distinguish alleged Russian intelligence operatives from ordinary cyber criminals stealing secrets in ransomware forays and threatening to publish them, according to more than a dozen U.S. intelligence, national security and law enforcement officials and experts outside of government interviewed by Reuters.
"It's a combination of tasking and turning a blind eye, but there's always a plausible deniability," said cybercrime expert John Bennett of corporate risk consultancy Kroll.
As the top FBI agent in San Francisco, Bennett oversaw an investigation of a massive breach https://www.reuters.com/article/yahoo-hack-indictments-fsb-idINKBN16N0K4 of 500 million Yahoo email accounts that led to 2017 U.S. charges against two officers of Russia's FSB security agency accused of instructing outside criminal hackers. A Canadian defendant pleaded guilty to nine felony counts in the case, while charges against three Russians remain pending because they are outside of America's grasp.The White House said Biden will bring up ransomware attacks emanating from Russia when he meets Putin in Geneva on Wednesday in the wake of forced shutdowns at Colonial Pipeline and meatpacker JBS, which has extensive U.S. operations.
Putin told Russian state television that Moscow would be willing to hand over cybercriminals to the United States if Washington reciprocates. Biden on Sunday called that statement a sign of progress. White House and State Department officials declined to elaborate or say what Biden would seek from Putin.
Russian officials have denied control of criminal groups while calling hackers whose activities fulfill Kremlin objectives "patriotic." In public statements and private forums, major criminal groups warn affiliates not to attack targets in Russia. Many ransomware programs will not execute on devices that have keyboards set for the Russian language.
In another U.S. criminal probe, Evgeniy Bogachev, a Russian national, was charged https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware in 2014 with running GameOver Zeus, a variant of sophisticated bank-fraud software, and distributing early ransomware called Cryptolocker.
Though it was not part of the indictment, GameOver Zeus' pattern of data collection - searching infected computers for banking passwords and phrases including "top secret" - indicated a relationship with Russian intelligence, according to senior U.S. Justice Department official John Carlin, who oversaw the case during the Obama administration.
Increasingly, ransomware has moved toward bigger targets and toward stealing secrets instead of just encrypting them inside the targets. Both trends could fit with Russian government goals, said analyst Craig Williams of Cisco Systems' Talos threat intelligence unit.
Evil Corp, a group that the U.S. Treasury has said is led by a Bogachev associate named Maksim Yakubets, became the first ransomware gang to focus on "big game" targets likely to pay more, said Adam Meyers, senior vice president of cybersecurity technology company CrowdStrike.
A 2019 U.S. Treasury Department sanctions order https://home.treasury.gov/news/press-releases/sm845 accused Yakubets both of carrying out large-scale crimes and taking FSB directions, "acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf."
Yakubets was indicted https://www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens in the United States in 2019 for alleged hacking, wire fraud and bank fraud. The United States has offered millions of dollars in reward money for information leading to the arrests of Bogachev and Yakubets and published photographs of them, but they have not been apprehended by Russian authorities.
Analysts told Reuters Yakubets is married to the daughter of a former senior FSB operative. Reuters was unable to reach either man for comment.
Because the Treasury sanctions forbid U.S. ransomware targets from paying Evil Corp, the group keeps renaming its encryption software.
One of the new variants is called Hades, according to CrowdStrike https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker. As of March, the Hades variant had been found in multiple companies with more than $1 billion in annual revenue, according to incident responders at Accenture https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware, including in the transportation and manufacturing sectors.
(Reporting by Joseph Menn in San Francisco; Editing by Will Dunham and Edward Tobin)