Russia brings down prolific threat group as tensions with Ukraine reach boiling point

Ukrainian gov't websites hacked a day before Russia announces arrests of REvil ransomware gang, and following a week of failed diplomacy

FSB officer checks a laptop of a detained hacker. Video screen grab/FSB/TASS via REUTERS

The websites of the Ukrainian Foreign Ministry, Cabinet of Ministers, Security and Defense Council and dozens of other government sites were breached in the early hours of Friday, as tensions with Russia near their boiling point, and the US warns of a possible imminent Russian military invasion.

“All your personal data was uploaded to the public network. All data on the computer is destroyed…All information about you has become public, be afraid and expect the worst. This is your past, present and future,” said the message visible on the hacked websites. Yet, the government later said it had managed to restore most of the affected sites, and that no personal data had been stolen.

“99.9% that Russia is behind this”

Ukraine’s State Security Service was cautious, stating on Friday that “there are some signs of involvement of hacker groups associated with the special services of the Russian Federation.” Ukrainian Secretary of the National Security and Defense Council, Oleksiy Danilov, was more adamant in a Sky News interview, in which he claimed to be 99.9% sure that Russia is behind the attack, which he referred to as a “textbook move ahead of real-world military action.”

Ukrainian Foreign Ministry website after it was hacked. REUTERS/Valentyn Ogirenko

“This is not the first or second time that Ukrainian internet has been attacked since the start of the Russian military aggression,” noted the Ukrainian Information Ministry in a written statement. Since the Russian annexation of Crimea in 2014, Ukraine has suffered various cyberattacks attributed to Russia, with Moscow repeatedly denying involvement.

The Russia-Ukraine escalation dominated the diplomatic scene all of last week, with separate talks held in Brussels (NATO-Russia Council meeting), Vienna (Russia and the Organization for Security and Cooperation in Europe, OSCE), and Geneva (US and Russia) – all of them hitting a dead end.

While the West has accused Russia of being the aggressor, Foreign Minister Sergei Lavrov has argued the opposite, saying that Moscow refuses to accept “the appearance of the North Atlantic Alliance on our borders”. And though tens of thousands of Russian troops have amassed on the border, President Vladimir Putin has denied invasion plans.

Last week the FBI, CISA, and the NSA issued a joint advisory warning against Russian state-sponsored cyber operations against US critical infrastructure and provided examples of previous attacks against Ukraine.

In a press briefing on Friday, White House Press Secretary Jen Psaki (who discussed at length potential Russian groundwork ahead of an invasion) was careful not to point fingers, despite repeated questions. “We don’t have attribution at this time, and I can’t point to any more specifics,” Psaki said.

(NOTE: That's not all the weekend cyber news from Ukraine: on Saturday, Microsoft's Threat Intelligence Center (MSTIC) announced it has "identified evidence of a destructive malware operation targeting multiple organizations in Ukraine." And Bleeping Computer reported that Ukrainian police arrested 51 suspects believed to have been selling stolen personal data, also seizing databases which contained information on more than 300 million people.)

The end of REvil

And while the crisis with Ukraine (and US-led NATO) is close to full eruption, Moscow lowered the flames on another front, demonstrating close collaboration with the US on another explosive matter.

On Friday, following information from “competent US agencies”, the Russian Federal Security Service (FSB) reported that it had conducted a joint operation with the Interior Ministry in several Russian regions to detain members of the REvil ransomware group, after raiding 25 addresses belonging to 14 suspects.

One day later, a Moscow court said that at least eight of them have been presented with charges in a criminal probe. The security forces also seized 426 million rubles (some in cryptocurrency), $600,000 and €500,000 in cash, cryptocurrency wallets, computer equipment, and 20 luxury cars.

REvil, also known as Sodinokibi, is viewed as one of the most prolific and successful cybercrime groups, generally considered to be financially motivated and not state-backed. Just last year, it was linked to major attacks such as the one on JBS Foods and IT provider Kaseya – from which it demanded $70 million in ransom.

A senior US administration official told reporters during a briefing that one of the arrested individuals was responsible for the attack against Colonial Pipeline last spring, which is attributed to the Russian-speaking group DarkSide. The groups have been linked in the past.

The announcement said that all members of the group had been identified and that the group, along with its IT infrastructure, has ceased to exist.

During 2021, law enforcement authorities in the US and around the world have already managed to place several REvil-linked hackers behind bars and seize millions of dollars. Following the Biden-Putin summit in June, a joint White House-Kremlin expert group on ransomware was set up. In July, REvil shuttered operations (there was wide speculation regarding possible governmental involvement), only to return in September.

Money seized from detained hackers. Video screen grab/FSB/TASS via REUTERS

In October, the US exploited a server vulnerability (ironically) and took the REvil network offline. In November, the US announced an up to $10 million reward for relevant information.

“January 14th, 2022, will be remembered as a milestone in the cyber world, the day one of the most active and violent groups in the past three years has ceased from action,” said cyber resilience expert Einat Meyron, who is also a contributing author for Cybertech Insider.

“REvil is known as the leader of the integrated ransomware-data theft and encryption attack, and has greatly expanded global Ransomware-as-a-Service, raking huge sums from each attack,” said Meyron. She estimates that there will be a significant decrease in ransomware attacks, but warns of an increase in other forms of cyberattacks such as spear phishing, crypto mining, DDoS attacks, supply chain attacks and more.

Ukraine and REvil – where is the connection?

Officially, there is none – at least not yet. As mentioned above, the Kremlin firmly denies involvement in the cyberattack against the Ukrainian websites – and the US has been treading lightly, refraining from any attribution. And regarding REvil, both countries are boasting about their cooperation.

“In our mind, this (REvil, MK) is not related to what’s happening with Russia and Ukraine. I don’t speak for the Kremlin’s motives, but we’re pleased with these initial actions,” said the US official, reiterating Psaki’s line of not having attribution for the cyberattack at this time.

Biden and Putin during their meeting in Geneva in June 2021. Photo: Mikhail Metzel/TASS via REUTERS

“These are our first — these are very important steps, as they represent the Kremlin taking action against criminals operating from within its borders,” said the official, “and they represent what we’re looking for with regard to continued activities like these in the future.”

“As the President has said, cyber criminals are resilient and we will continue to take action to disrupt and deter them while engaging in diplomacy, as we have with Russia, allies, and partners around the world.”

Update: On Sunday, Serhiy Demedyuk, Deputy Secretary of the National Security and Defense Council, told Reuters that the attack might have been perpetrated by a group known as UNC1151, which is linked to Belarusian intelligence, and was just a "cover for more destructive actions taking place behind the scenes."
