Russian intelligence services and law enforcement have a longstanding, tacit understanding with criminal threat actors; in some cases, it is almost certain that the intelligence services maintain an established and systematic relationship with criminal threat actors, either through association or recruitment.
This is stated in research conducted by the private cybersecurity company Recorded Future, which specializes in collecting, processing, analyzing and disseminating threat information.
The intersection of individuals in the Russian cybercriminal world and officials in the Russian government, typically from the domestic law enforcement or intelligence services, is well established yet highly diffused. The relationships in this ecosystem are based on spoken and unspoken agreements and comprise fluid associations.
Recorded Future identified 3 types of links between the Russian intelligence services and the Russian criminal underground based on historical activity and associations, as well as recent ransomware attacks: direct links, indirect affiliations, and tacit agreement.
According to analysts, the Kremlin's top leadership is not just aware of, but perhaps also controls, many resources used by hackers.
Even in cases with discernible, direct links between cybercriminal threat actors and the Russian state, indirect affiliations suggest collaboration and a lack of meaningful punitive actions shows either a tolerance for, or tacit approval of, these efforts. This assessment takes into account that the Russian government possesses a robust surveillance apparatus and interfaces with cybercriminal elements and therefore has visibility into, if not control over, many of the resources used by these threat actors and can shut them down if they so desire.
Russian special services began recruiting qualified programmers about 30 years ago. Some hackers sought cooperation with the Russian Federation, and others were approached by people associated with the special services.
It is emphasized that the Kremlin's restrained reaction to hacker attacks coming from Russia has created an environment in which criminal hacker groups have become "well-organized enterprises".
According to the research, precedent suggests that such activities and associations will almost certainly continue for the foreseeable future; however, these associations will likely adapt to provide greater plausible deniability and fewer overt, direct links between both groups.