Russia arrests hacker in US Colonial Pipeline cyberattack
- The individual was detained when officers raided the homes of members of ransomware gang REvil, seizing nearly US$7 million in currencies and 20 luxury cars
- The arrests mark a rare example of cooperation between Moscow and Washington, as tensions run high over a build-up of Russian troops near the Ukraine border
In a sweeping operation, Russia detained members of a notorious ransomware gang at the request of the US, including a hacker behind last year’s attack on the Colonial Pipeline.
Law enforcement raided the homes of 14 members of the gang REvil and seized currencies worth nearly US$7 million, cryptowallets and 20 luxury cars, according to a statement on Friday by Russia’s Federal Security Service, known as FSB. Authorities in the US have been informed that the group was shut down, it said.
REvil, short for Ransomware-Evil, has been among the most prolific cyber gangs and was accused of leading a flurry of attacks last year against companies and organisations, including one last May on plants in North America and Australia for meatpacker JBS SA, which eventually paid an US$11 million ransom.
In a call Friday with reporters, a senior Biden administration official said it welcomed the actions taken by the Kremlin. The US and Russia had set up an experts group on ransomware in June and have been sharing information, including about attacks on American critical infrastructure, the official said.
Among those arrested was an individual responsible for the May hack of Colonial Pipeline Co., the official said. That attack led to panic buying of petrol across the US East Coast and a major US government response.
The arrests mark a rare example of cooperation between Russia and the US at a time when tensions are high over a mass build-up of Russian troops near the border with Ukraine.
It also came as Ukraine sustained its worst cyberattack in four years, which hit dozens of government websites. While Ukraine has previously accused Russia of waging major cyberattacks against its digital infrastructure, it was not yet clear who was behind the recent intrusions.
The senior administration official said they did not believe the arrests were related to the events in Ukraine and that the White House would impose severe costs on Russia if it invades. Responding to a question, the official also said the White House expected the ransomware suspects to be prosecuted.
REvil was one of the most successful cyber gangs to conduct what’s known as “ransomware as a service.” In most cases, “affiliates” of REvil would break into companies, while the REvil gang provided the encryption software and customer support for a cut of the illicit proceeds.
REvil has received more than US$200 million in ransom payments, paid in cryptocurrencies bitcoin and Monero, according to the US Treasury Department.
“REvil were probably the most brash and attention-seeking of the ransomware gangs, which may have contributed to their demise,” said Brett Callow, a threat analyst at the cybersecurity company Emsisoft. “Threat actors who acted as affiliates or were associated with the gang in other ways will, I suspect, be very concerned at this point.”
REvil, also known as Sodinokibi, was also accused of ransomware attacks on more than 20 Texas municipalities, in addition to the computer giant Acer Inc. and the software provider Kaseya.
While the attack on Colonial Pipeline was linked to the ransomware group DarkSide, cybersecurity experts said there was overlap between that group and REvil.
The suspects will not be extradited to the US, Russia’s Interfax news service reported, citing an unidentified person familiar with the case. The US does not have an extradition treaty with Russia.
The Biden administration has called it a priority to curb cyberattacks, particularly against critical infrastructure in the US.
The REvil arrests are part of a series of disruptive actions taken against ransomware members by the US and other nations, including the recovery of stolen funds and actions against cryptocurrency exchanges that allegedly enabled laundering of illicit funds.
“Although 2021 may have been the worst year from a cyberthreat perspective, we’ve had more notable wins by the good guys than in any previous year,” said Charles Carmakal, senior vice-president at the cybersecurity firm Mandiant.