Holding Moscow Accountable for its Criminal Networks

The administration last week announced its preliminary response to the Colonial Pipeline attack: new requirements for pipeline companies to report cyberattacks to the Department of Homeland Security. This is an important step for better defense, but it will not deter future attacks. To deter—and prevent—ransomware attacks, the United States must hold accountable the countries that allow criminal groups to operate from their territory.

The Biden administration recently took one tentative step toward greater deterrence. Shortly after the attack on Colonial, President Biden made a simple, but pivotal, statement. He said that Russia has “some responsibility to deal with this.” The statement is unusual because the FBI attributed the attack not to the Russian government, but to DarkSide—a criminal group based in Russia that in essence helps paying clients conduct ransomware attacks. Demanding that Russia “deal with this” is calling the Kremlin out on its false, but repeated, assertion that it holds no sway over criminal actors. No other president has been so direct with Moscow about a purportedly criminal cyber enterprise.

Russia is perhaps the most skilled in the world at hiding its hand behind purportedly private entities. From the Wagner Group, which serves as a private army, to the Internet Research Agency, which spread disinformation in the 2016 and 2018 U.S. elections, the Kremlin has made extensive use of groups that give it an arm’s length separation from malicious activity. So, too, in the cyber domain, it has often used criminal networks to advance its interests. Kremlin endorsement of such gray zone activity falls on a continuum from tacit approval to direction, and it is often difficult to determine if purportedly criminal gangs are picking their own targets or the Kremlin’s.

For U.S. policymakers seeking to retaliate for the pipeline attack and deter any future attacks, understanding the Kremlin’s level of involvement is critical. While the public may never know for sure, enough information exists to assess that DarkSide likely was operating with the tacit approval of the Kremlin but that Moscow most likely did not pick this target. Further, that tacit approval likely evaporated when the consequences of the Colonial Pipeline ransomware attack became clear.

DarkSide was a Russia-based entity, and no cyber group operates there without Moscow’s knowledge. This permissive environment comes with limits: Moscow at a minimum disapproves of thievery in its sphere of influence. DarkSide fits that pattern. It only attacked for-profit businesses located outside the Commonwealth of Independent States. Indeed, according to FireEye, most of DarkSide’s victims were based in the United States and spanned multiple sectors, including financial services, legal, manufacturing, retail, and technology.

It is safe to assume, then, that Moscow was aware of DarkSide and had not taken steps to shut it down. But was DarkSide operating at the request of the Kremlin? DarkSide launched in August of 2020, so maybe it was too new to have attracted the Kremlin’s attention. This is highly unlikely, given the group’s quick rise to both riches and prominence. (It should be noted that Kremlin spokesman Dmitry Peskov vehemently denied any ties between the Russian government and DarkSide. Such denials mean little.)

On the other end of the spectrum, DarkSide could be a front for Russian intelligence—a fully owned and operated element of the Main Intelligence Directorate (GRU), Federal Security Service (FSB), or Foreign Intelligence Service (SVR). These types of arrangements are rare, more easily tied back to Moscow, and riskier.

The most likely option is between the two. DarkSide is probably a largely entrepreneurial criminal group that the Kremlin does not direct but can co-opt at will. Perhaps the cadre was threatened with criminal charges, then informed that those charges would be held in abeyance if the group agreed to do some occasional work for its new masters. That means DarkSide could operate, with the Kremlin’s tacit approval, as long as it observed the above restraints and complied when Moscow asked for the inevitable favor. As one purportedly Russian member of a ransomware forum put it, “Mother Russia will help . . . Love your country and nothing will happen to you.”

This type of arrangement could explain one of the odder elements of the Colonial Pipeline story. Four days after the attack, DarkSide issued a semi-apology, saying, “We are apolitical. We do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives (sic) . . . Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Perhaps DarkSide really had a crisis of conscience, or suddenly realized shutting down gas stations on the East Coast is bad PR. A better explanation is that Moscow was unhappy with the high-profile attack, the diplomatic heat turned in its direction, and the extent of the disruption. Perhaps Moscow informed DarkSide that the group needed to distance itself from the government of Russia or from any perceived political angle to the attack, or suffer the wrath of the Kremlin. It was time to rein in the troublesome upstarts.

Further, within a week of the Colonial Pipeline attack, DarkSide disappeared. Press reports speculate that someone hacked back—took the estimated $4.4 million ransom and blocked access to some servers, prompting the group to shutter operations. Most likely, the press reports are based on speculation and DarkSide shut itself down, following a known pattern for hacking groups. Groups that gain undesired notoriety sometimes disappear after a big score, only to reconstitute shortly thereafter under a different name. However, perhaps the odd apology was not enough, and the GRU ended the crisis by ending DarkSide—a poetic punishment for a criminal gang that outstripped the Kremlin’s risk tolerance.

Deniable relationships like the Kremlin’s varied ties to cyber gangs severely complicate an adversary’s response, by design. If one cannot definitively prove that an entity is operating on behalf of any government, it becomes harder to justify punishing that government and harder to craft what will be interpreted as a proportional response. Biden’s statement suggests that his administration may be comfortable operating within that uncertainty and holding Moscow responsible when it tacitly permits disastrous criminal activity. This would be a welcome development—with cyberattacks, certain attribution is exceedingly rare. The choice will almost always be to either wait for a smoking gun that will never come or get comfortable retaliating in the gray space.

The United States should abandon the fiction that Moscow has no control over these criminal hacking syndicates and hold them to account. If Moscow does not take steps to shut down groups like DarkSide, it is in essence approving activity that could lead to dramatic effects on the world economy, physical damage to infrastructure, and possibly injury or death. The United States and like-minded nations should continue to press Putin to prosecute criminal syndicates of all stripes, perhaps pointing to Russia’s reaffirmation in March of the report of the United Nations’ open-ended working group, which laid out norms for operating in the cyber domain. When Moscow fails to prosecute those behind DarkSide, the United States should be ready to pursue criminal charges on its own and to state unequivocally that future such events will meet a specific response.

Emily Harding is deputy director and senior fellow with the International Security Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2021 by the Center for Strategic and International Studies. All rights reserved.
