Though much of the attention on Russian cyber threats has been focused on state-level activity in recent months, a top Department of Justice official said that the threat is much broader than that and is made even more serious by the Kremlin’s cooperation with and tacit support of the cybercrime groups inside Russia.
“We know they’re very focused on being able to establish persistent access to United States critical infrastructure and they have a very sophisticated set of actors in their foreign intelligence service,” said Matt Olsen, assistant attorney general for national security, during a talk at the RSA Conference here Tuesday.
“They also have a force multiplier in the way they’re able to co opt the criminal groups.”
A significant portion of the world’s cybercrime activity emanates from or is in some way connected to Russia, and that has ben true for many years. Many of the busiest underground forums, carder markets, exploit forums and other gathering places are operated by Russian groups, and much of the ransomware ecosystem has Russian origins and uses Russian infrastructure. The Kremlin has historically ignored these groups, if not been outright supportive of them, as long as they’re not targeting Russian companies or citizens. Olsen, who has worked in a number of high-level government positions, including as general counsel of the National Security Agency, said Russian leadership has shown a willingness to use the cybercrime groups inside its borders to its advantage.
“We’re still seeing that trend of Russia cooperating with the criminal groups,” he said.
The state-level actors in Russia are some of the more capable offensive teams operating anywhere, and include units from the SVR, the main foreign intelligence service, and GRU, the military intelligence service. Those teams have carried out many of the more disruptive and sophisticated attacks in recent years, including the SolarWinds attack and the attack on the Viasat satellite network in the run-up to the invasion of Ukraine.
“They’re definitely using cyber-enabled means to assist in the invasion and have shown historically the capability and intent to carry out attacks against the US,” Olsen said.
“It’s a time of intense focus. I’m most concerned about state-level activity but the threat of a ransomware attack could be existential for some companies. What we’re seeing from GRU and SVR is the biggest concern.”
Olsen cited the ongoing economic and legal sanctions against the Russian government and some of the larger state-controlled or supported companies as examples of how the U.S. and other western nations can respond to cyberattacks and other aggressions.
“It’s great to get a $400 million super yacht, but the real goal is to pressure the Kremlin and the scores of oligarchs who support the regime,” he said.