Russia Influences Hackers but Stops Short of Directing Them, Report Says

WASHINGTON — Moscow’s intelligence services have influence over Russian criminal ransomware groups and broad insight into their activities, but they do not control the organizations’ targets, according to a report released on Thursday.

Some American officials said there had been a lull, at least for now, in major ransomware attacks against high-profile American critical infrastructure that were attributed to Russian criminal groups — a pause that reflects Moscow’s ability to partly check the criminal networks operating in the country.

But a ransomware group that faded away after attacks over the summer, REvil, appears to have returned this week to the dark web and reactivated a portal victims use to make payments.

While attacks have fallen off, “it’s a fair bet” that the criminal networks are looking for signals from the Russian government about how they can restart their attacks, said Chris Inglis, the national cyberdirector.

“What I think will make the difference is whether Vladimir Putin and others who have the ability to enforce the law, international law, will ensure that they don’t come back,” Mr. Inglis said on Thursday during an event hosted by the Reagan Institute. “But it is too soon to say we are out of the woods on this.”

The report, by the cybersecurity company Recorded Future, backs up the assessments of American officials who have said Russia does not directly tell the groups what to do but is aware of their activities and asserts influence. The Russian intelligence agencies both recruit talent from the groups and can set some limits on their activities, some American officials said.

Russian intelligence officials have longstanding ties to criminal groups, the report found. “In some cases, it is almost certain that the intelligence services maintain an established and systematic relationship with criminal threat actors,” it said.

In recent months, Recorded Future has also published interviews with Russian hackers involved in ransomware attacks against the United States.

The Russian government’s relationship with criminal hackers is different than that of other adversarial powers, like China or North Korea.

Justice Department officials have accused the Chinese government of exerting control of some of the criminal hacking gangs operating in its territory by directing them to carry out assignments. In return, China’s intelligence services give the criminal groups leeway to attack American businesses.

China’s control of its hackers is similar to the kind of tight restrictions it places on society, business and its propaganda efforts.

But the Russian government has a different approach. Moscow allows oligarchs and criminal groups to follow their own plans, so long as they do not challenge the Kremlin and are generally working toward President Vladimir V. Putin’s goals, according to American government officials.

As a result, Russian control of hackers is often looser, giving Mr. Putin and other Russian officials a degree of deniability. But the risk is that the criminal groups can go too far, provoking a strong response from the United States, American officials said. Mr. Putin’s preferred strategy is to allow hackings that cause trouble for the United States, but stop short of setting off an international crisis.

“The government guys do not instruct who to hack, but over a long period of time there is really interesting connective tissue between the government and the criminal networks,” said Christopher Ahlberg, the chief executive of Recorded Future.

Russia’s Federal Security Service, the intelligence agency known as the F.S.B., has cultivated hackers specializing in ransomware, Richard W. Downing, a deputy assistant attorney general, said at a Senate hearing in July.

“As we know, Russia has a long history of ignoring cybercrime within its borders so long as the criminals victimize non-Russians,” Mr. Downing said.

The Russian government gives the hackers a measure of protection, and in return, it occasionally taps their expertise — and a cut of the money the ransomware groups earn flows to officials, Mr. Ahlberg said.

Experts at Recorded Future and American government officials have argued that pressure the Biden administration applied on Russia to control the criminal groups that in May attacked a major American energy provider, Colonial Pipeline, and other companies has at least put Mr. Putin on the defensive.

But Mr. Ahlberg said the lure of the big returns from ransomware attacks may be too hard to ignore over the long term.

DarkSide, the Russian hacking group whose breach of Colonial Pipeline led to gasoline shortages on the East Coast, dissolved shortly afterward, under pressure from American and Russian officials. Recorded Future experts believe members of the group are becoming active again.

“Once you have made 500 million and it’s fairly easy to make it, you’re going to keep doing it,” Mr. Ahlberg said.

The report concludes that the longstanding relationship between criminal hackers and Russian intelligence services is unlikely to weaken.

“The current Russian government is not likely to crack down on cybercrime in the near future beyond taking some limited steps to appease international demands,” the report found.

Russian intelligence began recruiting skilled computer programmers beginning nearly 30 years ago. After being arrested on suspicion of hacking-related crimes, some claimed that they had been approached by people with links to intelligence services, a practice that has continued in more recent years, according to the report.

But in addition to such coercive recruitment, some hackers voluntarily seek to support Russian strategic goals.

Among the most prominent is Dmitry Dokuchaev, according to the report. He is a former major in the F.S.B., a successor to the K.G.B. and the main security and intelligence agency in Russia.

A criminal hacker specializing in stolen credit cards, he was hired by the F.S.B. by at least 2010 and worked with them through 2016, according to American law enforcement.

In 2017, American prosecutors accused Mr. Dokuchaev of directing and paying criminal hackers. He and other were accused of gaining access to some 500 million Yahoo accounts both for espionage and personal gain.

Mr. Dokuchaev came under suspicion in Moscow as well, and he was eventually arrested, accused of being a double agent of the United States. Mr. Dokuchaev was released from prison in May after serving just over four years of a six-year sentence.

With the exception of a few prosecutions of people who have targeted Russian entities, Moscow has done little to disrupt criminal hackers, the Recorded Future report argued.

“The Kremlin’s muted response to cybercriminal activities originating from within Russia has nurtured an environment where cybercriminal organizations are well-organized enterprises,” the report found.

Andrew E. Kramer contributed reporting from Moscow.