Top Russian official cites REvil arrests as sign of cooperation, says Moscow is awaiting reciprocation

The Russian government’s Jan. 14 takedown of suspects associated with the notorious REvil ransomware group was an example of increasing cooperation between the U.S. and Russian governments on cybersecurity matters, a top Russian official said Friday, but the Russian government is still waiting for U.S. reciprocation on its own cyber requests.

In a wide-ranging interview, Dmitry Medvedev, the former president and prime minister of Russia and currently the deputy secretary of the country’s Security Council, called the REvil arrests a “joint operation” and “perhaps one of the few areas where, despite very problematic relations with the United States, our cooperation has intensified.”

Nevertheless, he added, the Russian government is waiting for definitive answers on what the Russian government considers distributed denial-of-service (DDoS) attacks on components of its remote election infrastructure during the September 2021 State Duma elections. The U.S. government has rebutted any notion of outside interference in those elections.

Russian government officials at the time said the “attacks were planned and organized, which indicates the intention to purposefully prevent the normal operation of services and an attempt to block the operation of electronic voting services.” One government official said the attacks came from the U.S., Netherlands, Ukraine, Canada, Germany and South Korea. Another described four attacks that “ran in parallel” targeting domain name services for various party websites as well as loading “network channels with junk traffic.”

Russian Ambassador Anatoly Antonov reportedly raised the issue with the White House. His contacts there “were very attentive to these reports and asked … [for] more specific information.”

During Friday’s interview, Medvedev said 50% “of these attacks went through the United States of America,” but added that it’s “very difficult to keep track of because there are different ways to confuse it all.”

Medvedev didn’t supply evidence for his claims. It’s not uncommon for DDoS attacks to originate from many countries as the hordes of compromised computers used are often part of a botnet.

A message sent to the National Security Council was not immediately returned Friday. The U.S. and many other nations have accused Russia of election interference around the globe.

The comments come as military tensions heighten between Russia and Ukraine, with the U.S. government claiming the Russian government is planning to move troops into Ukraine. Malign cyber activity aligned with Russian government interests have been directed toward Ukraine has been near constant since 2014, and have ranged from attacks on the power grid to website defacements to election interference.

Recent attacks not yet attributed to Russia wiped some government systems and posted a warning to the Ukrainian public: “Be afraid and expect the worst.”

While cyber operations alone won’t achieve Russia’s goals in Ukraine, they will be a key part of intelligence gathering, disrupting Ukrainian military capabilities and psychological operations aimed at the public, cybersecurity policy expert Dmitri Alperovitch wrote Friday.

The REvil ransomware takedown factors into all of this, according to experts. After the REvil arrests, Alperovitch called it “ransomware diplomacy,” arguing that it was a signal from the Russian government that highly destructive ransomware gangs operating within the Russian government’s reach can be controlled — but only if the U.S. government does deter Russian goals in the region.

“It was interesting that Medvedev now mentions this,” said Oleg Shakirov, an international security expert at the PIR Center, a Russian policy think tank. At the time the issue was discussed by top Russian officials publicly, but there was very little after that.

The timing of the comments could also be coincidence, Shakirov said, noting that ransomware conversations came up during meetings between Russian President Vladimir Putin and U.S. President Joe Biden in June 2021, and it took a while for the Russian government to take action. There are a lot of issues beyond the cyber realm that are more regularly discussed by Russian officials, he added, but cyber cooperation and reciprocation is important and could suffer if the situation with Ukraine devolves.

“My personal opinion is if there is some kind of heightened tension, this cooperation on cyber crime might not survive,” Shakirov said.