Fuel tanks are seen at a Colonial Pipeline breakout station in Woodbine, Maryland, in May. Photo: EPA-EFE

Russia arrests hacker in US Colonial Pipeline cyberattack

  • The individual was detained when officers raided the homes of members of ransomware gang REvil, seizing nearly US$7 million in currencies and 20 luxury cars
  • The arrests mark a rare example of cooperation between Moscow and Washington, as tensions run high over a build-up of Russian troops near the Ukraine border

In a sweeping operation, Russia detained members of a notorious ransomware gang at the request of the US, including a hacker behind last year’s attack on the Colonial Pipeline.

Law enforcement raided the homes of 14 members of the gang REvil and seized currencies worth nearly US$7 million, cryptowallets and 20 luxury cars, according to a statement on Friday by Russia’s Federal Security Service, known as FSB. Authorities in the US have been informed that the group was shut down, it said.

REvil, short for Ransomware-Evil, has been among the most prolific cyber gangs and was accused of leading a flurry of attacks last year against companies and organisations, including one last May on plants in North America and Australia for meatpacker JBS SA, which eventually paid a US$11 million ransom.

In a call with reporters on Friday, a senior Biden administration official said it welcomed the actions taken by the Kremlin. The US and Russia had set up an experts group on ransomware in June and have been sharing information, including about attacks on American critical infrastructure, the official said.

The Colonial Pipeline cyberattack in May led to panic buying of fuel in the US. Photo: Reuters

Among those arrested was an individual responsible for the May hack of Colonial Pipeline Co., the official said. That attack led to panic buying of petrol across the US East Coast and a major US government response.

The arrests mark a rare example of cooperation between Russia and the US at a time when tensions are high over a mass build-up of Russian troops near the border with Ukraine.

The US is putting pressure on Europe to agree on potential sanctions amid concerns President Vladimir Putin could soon invade Ukraine, according to people familiar with the discussions. Russia denies it plans any invasion of its neighbour.

It also came as Ukraine sustained its worst cyberattack in four years, which hit dozens of government websites. While Ukraine has previously accused Russia of waging major cyberattacks against its digital infrastructure, it was not yet clear who was behind the recent intrusions.


The senior administration official said they did not believe the arrests were related to the events in Ukraine and that the White House would impose severe costs on Russia if it invades. Responding to a question, the official also said the White House expected the ransomware suspects to be prosecuted.

REvil was one of the most successful cyber gangs to conduct what’s known as “ransomware as a service.” In most cases, “affiliates” of REvil would break into companies, while the REvil gang provided the encryption software and customer support for a cut of the illicit proceeds.

REvil has received more than US$200 million in ransom payments, paid in cryptocurrencies bitcoin and Monero, according to the US Treasury Department.

“REvil were probably the most brash and attention-seeking of the ransomware gangs, which may have contributed to their demise,” said Brett Callow, a threat analyst at the cybersecurity company Emsisoft. “Threat actors who acted as affiliates or were associated with the gang in other ways will, I suspect, be very concerned at this point.”

Roman Muromsky, detained on suspicion of the illegal circulation of means of payment as a member of the REvil hacking group, stands inside a defendants’ cage during a court hearing in Moscow on Friday. Photo: Press Service of Tverskoy District Court of Moscow via Reuters

REvil, also known as Sodinokibi, was also accused of ransomware attacks on more than 20 Texas municipalities, in addition to the computer giant Acer Inc. and the software provider Kaseya.

While the attack on Colonial Pipeline was linked to the ransomware group DarkSide, cybersecurity experts said there was overlap between that group and REvil.

Russia-linked ransomware groups were so disruptive that President Joe Biden pressed Putin to act during a call in July. REvil vanished from the dark web for nearly two months before reappearing in September.

The suspects will not be extradited to the US, Russia’s Interfax news service reported, citing an unidentified person familiar with the case. The US does not have an extradition treaty with Russia.


The Biden administration has called it a priority to curb cyberattacks, particularly against critical infrastructure in the US.

The REvil arrests are part of a series of disruptive actions taken against ransomware members by the US and other nations, including the recovery of stolen funds and actions against cryptocurrency exchanges that allegedly enabled laundering of illicit funds.

“Although 2021 may have been the worst year from a cyberthreat perspective, we’ve had more notable wins by the good guys than in any previous year,” said Charles Carmakal, senior vice-president at the cybersecurity firm Mandiant.
