
Cybercriminals as the Russian State’s Deniable Proxies

Putin’s Russia has demonstrated a penchant for relying on proxies to provide a degree of deniability while pursuing its military objectives. As noted in Christoph Zürcher’s book The post-Soviet wars: Rebellion, ethnic conflict and nationhood in the Caucasus, Putin’s popularity emerged in large part due to his successful resolution of the conflict with Chechnya, which he achieved by co-opting the Kadyrov warlords. More recently, Putin has relied on not only deniable Russian forces, but also proxies within Ukraine. Still, blunders by Russian private military companies like the Wagner Group and Slavonic Corps in Syria have demonstrated how this deniability can backfire.

Russia has applied this proxy approach to cyberspace. As noted by OODA in “The Russian Threat”, “the U.S. Intelligence Community annual threat assessment for 2019 underscored that Russia is more frequently collaborating with China”, so the two greatest cyber threats to America may begin to act on behalf of each other's interests, in effect acting as mutual proxies. The same OODA report further noted that the cyber threat posed by Russia is most dangerous as a dovetailing component of a larger, politically oriented information campaign. However, criminal organizations may pose a standalone cyber threat, just as these criminals have been known to work with the state to achieve its political objectives. This integration of state and non-state cyberattacks on foreign businesses featured in a campaign of Russian attacks against Estonia in 2007 and in Russia's 2008 war with Georgia.

An article by investigative journalist Daniil Turovsky in the outspoken online Russian media outlet Meduza made the case that the independent actions of Russian criminal hacking organizations 11 years ago in support of Russia's Georgian War, helping the Russian state to cement its control over South Ossetia, inspired the Russian state to compel cybercriminals to serve as proxies for achieving its geopolitical aims. However, Turovsky suggests that “patriotic” cybercriminal support for Russian military objectives predates the Georgian conflict by 9 years, dating back to the earliest days of the Second Chechen War. Russian cybercriminal support for the Chechen war began to organize on online forums in 2005, but the state only began to actively utilize these groups after the conflict with Georgia over South Ossetia.

Turovsky details the rise and fall of Dmitry Dokuchaev as a case study of FSB recruitment. Also known by his hacker moniker “Forb”, he was arguably the first criminal hacker to become a full-time employee of a Russian intelligence agency, and he was responsible for recruiting hackers from his criminal network to positions within the Russian intelligence community. As a criminal hacker, Dokuchaev took great pride in attacking American government cyberinfrastructure, until a rebellious stunt vandalizing a security camera in Moscow led to his capture by an FSB agent and, ultimately, to Dokuchaev's own career as a high-ranking agent within the FSB's information security center. However, demonstrating the perilous life of a deniable operative, Dokuchaev was arrested as a “double agent” in Russia after being implicated in the 2016 DNC hack. Dokuchaev was implicated not just by the FBI, but also by the confession of his hacker acquaintance, Konstantin Kozlovsky.

Today, when patriotic sympathies are not enough to compel service from the hackers, the Russian state is able to turn these hackers through the threat of prosecution for their crimes. According to Turovsky’s anonymous sources, Russian intelligence agencies are peculiarly lacking in technical specialists, instead relying on freelancers largely recruited from hacking forums and targets of the state’s own criminal investigations. As a consequence of this, criminals pursued by Russia’s Interior Ministry are being sheltered by the Defense Ministry in special safe houses.

Still, Russia's cybercriminal community is not entirely lawless. Firstly, there is some measure of self-policing, because a modicum of trust is critical for these criminals to organize and collaborate in sophisticated ways. As noted by the Insikt Group, negative ratings lead fraudulent malware suppliers to be blacklisted from forums and/or to develop a reputation as a “kidala”, a rip-off artist. In the cybercriminal community, trust is critical to the operation of “partnerkas”, affiliate programs that allow malware developers to maximize their profits by providing the malware—though not the source code—to affiliates in exchange for a share of their profits. The Russian state has also incentivized geographic limitations on unsanctioned cybercrimes. Those Russian cybercriminals committing serious crimes, as opposed to merely testing malware, in the Commonwealth of Independent States—comprising Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan—without the state's approval are likely, though not certain, to face prosecution by Russian authorities.

International law enforcement may also take action against cybercriminals, even if they abide by the Kremlin's rules. As noted in OODA's Russian Threat Report, the United States Department of Justice (DOJ) formally indicted not only deniable Russian cybercriminals, but also two of their FSB handlers, for economic espionage and theft of trade secrets back in early 2017. And the United States has not contented itself with symbolic denouncements, seizing whatever opportunities it can to extradite Russian cybercriminals to the United States to stand trial. Another article by Turovsky in Meduza focused on Russian cybercriminals apprehended by American authorities, noting that from 2010 to 2017 more than a dozen such arrests had been made. Roman Seleznev, who used the pseudonym ‘nCux’ when committing crimes, first attracted the attention of the FBI in 2005, but the FBI made the mistake of informing the FSB when it was able to confirm his identity and location four years later. Seleznev—a self-proclaimed asset of the FSB—was warned of the FBI's investigation by the Russian agents and took precautions accordingly, shutting down his illicit business and adopting two new pseudonyms—Track2 and Bulba—before embarking on an even more ambitious criminal enterprise, an innovative “online store for selling stolen credit cards” which would remain active for the next three years as a better alternative to the disparate forum threads that had served as an online marketplace. Seleznev was wary enough to limit his travels abroad to non-extradition countries, but he was nevertheless apprehended by the FBI—after having switched to yet another pseudonym, 2pac—in the Maldives in 2014, after the State Department successfully negotiated with that non-extradition country's chief of police to make an exception in Seleznev's case. Russian authorities decried this operation as a “kidnapping”, but Seleznev nevertheless remains in prison, serving a 28-year sentence.

Nor is American law enforcement alone in countering state-sponsored cybercriminals. As reported in de Volkskrant, the Netherlands' General Intelligence and Security Service managed to aid the FBI by infiltrating one of Russia's foremost state-sponsored hacking groups, Cozy Bear, back in 2014, and thereby informed American intelligence in advance of a cyberattack on the State Department, as well as confirming Russian involvement in the DNC hack. However, Dutch intelligence may be more reticent about sharing intelligence now that this operation has been made public.

Tyler Robinson

Tyler Robinson is an OODA analyst currently based in Colorado Springs, Colorado. He holds an undergraduate degree in International Relations and a Master of Letters in International Security Studies from the University of St Andrews. His research interests include political psychology, deniable actors, gray area phenomena, and privatized security.