Russia’s domestic security service, the FSB, has arrested numerous members of the REvil hacking group at the request of the US government, the FSB said on Friday. The move, which marks an unusual degree of cooperation between Russian and US agencies, comes amid increasingly aggressive Russian military activity on the Ukrainian border and tense diplomacy as the United States attempts to prevent armed conflict.
Reporting by the Russian Interfax news agency claimed that the FSB seized 426 million rubles ($5.6 million) in a raid against 14 members of the group, along with more than $600,000 worth of cryptocurrency and 20 luxury cars. The FSB told Interfax that it was acting at the request of US authorities and had informed them of the results of the operation. The operation effectively dismantled REvil as an entity, the FSB said.
The Biden administration has long called on Russia to do more to crack down on ransomware gangs operating within the country, though with limited success until now. Analysts have tied Russian groups to extensive ransomware operations in Europe and the US, often without interference from local law enforcement. With no extradition treaty in place, the Russian government has been accused of sheltering cybercriminals provided they do not attack domestic targets.
US agencies have intensified their pursuit of REvil after the FBI linked it to the hack that shut down the Colonial Pipeline in May 2021. REvil was also behind a May 2021 cyberattack against meat supplier JBS, which shut down the company’s meat processing plants across the US.
One alleged member of REvil was arrested by Polish authorities in November 2021 after being indicted by the US. According to reporting in Reuters, a source close to the case said that the FSB would not hand over REvil group members with Russian citizenship to the United States after the latest arrests.
The US Department of Justice had not responded to a request for comment by the time of publication.
The news of the operation against REvil comes on the same day that the government of Ukraine suffered a major cyberattack. Many government websites were disabled Friday morning, with spokespeople for both the Ukrainian government and the EU pointing the finger toward Russia.
As the US continues to negotiate with Russia over its military activities on the Ukraine border, the FSB’s actions could be an offering linked to the talks, said Nina Jankowicz, a global fellow at the Wilson Center and specialist in Russian affairs.
“The FSB’s takedown of REvil might be Russia trying to throw the US a bone after negotiations on the mounting tensions on Ukraine’s border this week,” Jankowicz said. “But it doesn’t mean much when the rubber hits the road — Russia still has over 100,000 troops on the border and this morning, Ukraine’s government experienced a massive cyberattack.”
Though the Ukraine cyberattack has not yet been attributed to Russia, Jankowicz said, the mode of operation was similar to attacks carried out in advance of conflict in Georgia in 2008 and the annexation of the Crimean peninsula in 2014.