RIP REvil
TL;DR: Russia's FSB arrested members of REvil, the ransomware gang behind the JBS meat hack and the Kaseya attack. The episode traces REvil's origins to the GandCrab ransomware operation, which earned $150M before "retiring" in 2019.
Jordan Bloemen & Scott Francis Winder say goodbye to the ransomware gang REvil, and hello to a new era in cyber diplomacy.
Transcript
Machine-generated transcript; may contain errors.
Speaker 1: So that is the sound of a money counting machine. It's from a ninety five second video published by the FSB, Russia's Federal Security Service. And, like, this moment, when they're counting up all the money, these, like, fat stacks of paper cash, comes at the very end of the video. It's kind of the, like, climax of the whole thing. The bulk of the video is essentially, like, a very high stakes, very Russian episode of Cops. And it's the same, like, cop style scene playing over and over again. Some people in uniform, some in plain clothes with their faces blurred, approach, like, a door in an apartment block and they knock the door down, they go in and they drag out whoever's inside. Their faces also blurred, and they arrest them. One after another we see person after person get picked up by the security forces team. And the back half of the video is everything they find in these apartments. It's, like, the looted computers, laptops, a screenshot of, like, a crypto wallet with a 7 figure balance, and a ton of cash. So much so that they needed this machine to count it, which is how the video ends. That Russia's FSB is arresting people isn't really that interesting. That they posted, like, a victory lap video on social media isn't that unique. But who they arrested? I think we gotta talk about that, Scott.
Speaker 2: Let's talk about it.
Speaker 1: Because this arrest, like, marks potentially the end of, like, a very notable era in the world of international cybercrime, at a very relevant moment in global geopolitics. For years, there's been, like, this sort of, like, meta narrative in news media about cybercrime, and it's that Russia is home to a lot of the world's cybercrime, and the Kremlin turns a blind eye to it as long as those hackers' targets aren't Russian. And as, like, international most wanted lists just got fuller and fuller of hackers from that part of the world, it got harder and harder to believe that Russia was at all interested in stopping it. And if you were to look at that list of most wanted cyber criminals, if you were to really look for one of the apex predators in terms of, like, hacking gangs in that ecosystem, you'd find this group called REvil. REvil is short for Ransomware Evil. It's, like, a private ransomware as a service operation. The ransomware software was behind the Microsoft Exchange server hack last year, the infamous beef plant hack at JBS, and this one other hack we're gonna talk about from last year that you've almost certainly heard of. And this month, some comms person at the Russian Federal Security Service sat down at their computer and uploaded this video, announcing to the world that after years in operation, REvil had finally been arrested. One person at a time, doors get knocked down in their apartment, all the rubles get counted up by a machine. The end of REvil. So this is, I think, we treat kind of like our post mortem episode where we're gonna reflect on one of these, like, really prolific actors in the world of Russian cybercrime over the last couple years, their greatest hits, and then, like, speculating wildly why they finally got taken down. You're on Hacked. How's your day, Scott?
Speaker 2: My day is great, Jordan. How's your day?
Speaker 1: My day's pretty good. Pretty pretty wild time to be making an episode talking about talking about this part of the world.
Speaker 2: Talking about Russia. Why? What's Russia up to? I haven't seen them in the news at all.
Speaker 1: I haven't been on the Internet in two weeks.
Speaker 2: Being of a moderate amount of Ukrainian descent, there's some Ukrainian in me somewhere. I have no idea what they're up to.
Speaker 1: Well, I have terrible news. This is a weird one because, like, well, for obvious reasons. Researching it even, like, seven days ago, writing it over the last week and now, in that stretch of time, a whole bunch of stuff has changed. And almost guaranteed by the time anyone is listening to this, more will have changed. Hopefully better. Who knows? But it makes talking about some of this tricky. Yep. What isn't tricky is, like, the core story here that isn't gonna change because we're looking backwards. The story of this group, REvil, what they did, and why they finally went down. So I think we can talk about that.
Speaker 2: Let's let's not talk about what they're up to, and let's talk about what they've been up to.
Speaker 1: Yeah. 100%. Let's look backwards at a time when forwards looks weird. Yeah. Scott, you've worked in software. When you make software, shipping it is only part of the battle. Right? Because then you have to update it over time. You have to, like, keep the thing going, and that's a lot of the work. Right?
Speaker 2: Oh, maintaining something? Yeah. It's like you've seen the entire software industry shift from, you know, walking into a Best Buy or a store and buying a piece of software off the shelf for $49.99 to $6 a month because
Speaker 1: Sure.
Speaker 2: Companies realize that software requires perpetual, you know, updating maintenance to keep it kind of alive and going. And you're seeing that shift across pretty much all software and video games now, any kind of living game environments. You know? They might make a ton of money on day one, ton of preorders and stuff. But if there's an expectation of a constantly delivered service, that's why we're seeing things like microtransactions and software as a service and things like that. So I think it's a I think it's a logical step. But, yes, to answer your original question, software requires maintenance often.
Speaker 1: Which brings us pretty nicely to the start of REvil, back before they even were called REvil. Back in 2018, one of the first big stories of, like, ransomware as a service was this strain of ransomware called GandCrab. Like most ransomware, GandCrab would, you know, hold the files on an infected system hostage unless you paid a ransom. But the thing that made GandCrab different, and maybe the thing that kinda led it to eclipse the success of other competing ransomware, like, affiliate style programs, was that, as you said, its authors worked like a software company to update the malware over time so that it could evade antivirus and, like, security software. Mhmm. GandCrab approached ransomware as a service way more like a software company, way more in the business of updating than most of their competitors at that time. They were in the business of patching this stuff. If you're buying ransomware, I would imagine that's pretty compelling. Right? Like, because otherwise, you don't know if what you're buying has been, like, addressed by the other side. Mhmm. In the fifteen month span of GandCrab's, like, affiliate style business, starting in January 2018, its curators shipped five major revisions to the, like, the base code, essentially, each lining up with some, like, someone on the defensive side's attempt to, like, build up a wall around it, the sort of, like, arms race that they're engaged in. And they did a pretty good job of it. Brian Krebs from Krebs on Security, gangster on his worst day, managed to follow the breadcrumbs of GandCrab's posts on the cybercrime forum exploit.in, concluding that he thinks he'd figured out who one of the hackers behind it was, someone named Igor Prokopenko, whose name wasn't in the list of people who were arrested, which raises all sorts of interesting questions. But as quickly as GandCrab burst onto the scene, it seemed as though it had shuttered in 2019.
In a post on exploit.in, the user that Krebs identified wrote a post that read, quote, we ourselves have earned over $150,000,000 in one year. This money has been successfully cashed out and invested in various legal projects, both online and offline. It was a pleasure to work with you, but like we said, all things come to an end. We're getting a well deserved retirement. We are living proof you can do evil and get off scot free. We have proved that one can make a lifetime of money in one year. We've proved that you can become number one by general admission, not in your own conceit. In one year, people who worked with us have earned over $2,000,000,000. Our name became a generic term for ransomware in the underground. The average weekly income of the project was $2,500,000. Russian security firm Kaspersky Lab estimated that by the time the program wrapped up, GandCrab made up half of the global ransomware market. And this was, like, three years ago.
Speaker 2: Yeah.
Speaker 1: So this is a story of, like, a runaway success. Right? Like, you just retire at the height of your power. Sure.
Speaker 2: This is a Forbes article about, you know, Mark Zuckerberg walking away from Facebook.
Speaker 1: This is, this is Myspace Tom checking out at his peak and just traveling the world. Oh, man. God. What a hero. Right?
Speaker 2: Those are some crazy numbers. Like, we should talk about the size of those numbers. Like, insane. Like, $150,000,000 in take home profit is, like, you know, say a company averages eight to 10% net income or profit. You'd have to be doing billions of dollars in revenue. Granted, they're all profit. Right? Like, they don't really have big overheads. They would have overheads, but they wouldn't be huge. So it's madness to think that, like, you know, that little ransomware company was essentially a billion plus dollar enterprise.
Speaker 1: 100%. Like, yeah. These companies would be on Forbes.
Speaker 2: Yeah. Exactly. Like, they'd be a big deal. They'd be publicly traded.
Speaker 1: Yeah. You could buy, like, they're almost a blue chip. Like, you could responsibly buy shares of REvil if you wanted to. Yeah.
Speaker 2: Like, I'm just trying to think, like, the shares have been beaten up a little bit right now, but I'm trying to think what Peloton's gross revenues are. Like, they're probably in kind of that realm of, like, a medium sized tech start up.
Speaker 1: 100%. And people don't keep writing television scenes where people die on REvil ransomware. Yeah. Yeah.
Speaker 2: Yeah. So Peloton made $800,000,000 in revenue last year
Speaker 1: Oh.
Speaker 2: And had a net income of minus 400,000,000, whereas these guys made a hefty profit of 150,000,000. So, you know, just saying. Which one would you rather invest in?
Speaker 1: In one year, people who worked with us have earned over 2,000,000,000 US. Like, their business model's really good. It's this affiliate thing where, like, they make the product, and they use it in their own hacks. Yeah. But then they'll license it to other people, and they get a cut of those profits too. It's like, this is very well considered.
Speaker 2: It's like an affiliate marketing scam, except that it's criminal. You know? It's the same kind of principle. It's a pyramid scheme. It's a Melaleuca or an Amway or whatever. That's fascinating. Good for them. Good business model. They've taken peer to peer marketing or whatever that stuff's called, multilevel marketing, and applied it to the criminal world.
Speaker 1: And they got out, like, on top.
Speaker 2: Yeah.
Speaker 1: But in the months that followed, as, like, new strains of ransomware started emerging in that same ecosystem, this theory starts to kinda bubble up based on a growing body of evidence suggesting that, like, maybe the people behind GandCrab who'd, like, famously checked out right at the top, maybe they hadn't actually retired. Maybe they'd done that publicly while they turned to this, like, new project. Bringing our attention to this new piece of ransomware that was making the rounds in 2019. At first, like, a far more, like, behind closed doors, bespoke, private ransomware as a service offering. In late April, researchers at Cisco Talos spotted a new ransomware strain dubbed Sodinokibi, which eventually took on, like, another name in the community, the name that its creators would adopt as their own, REvil. And the REvil strain was a hit. It was like another hit, a hit after a hit. It was the iPhone, like, right after the iPod, Lion King right after Aladdin, REvil right after GandCrab.
Speaker 2: If you're, say, you're a musician, it's gonna be hard to be a creator, you know, and create something that's so impactful and so amazing.
Speaker 1: How do you follow it?
Speaker 2: And, like, granted that it's a bunch of evil. And then to walk away and retire young and be like, you know what? I'm gonna, you know, spend more time with my family, and I'm out of here. And then to sit every day being like, I've achieved greatness, and I can achieve it again.
Speaker 1: Totally.
Speaker 2: You know? It's gotta be You know I
Speaker 1: have the ability.
Speaker 2: Yeah. The trials and tribulations of the the human psyche.
Speaker 1: If you were interested in tracking their process throughout all this, like, what hacks REvil's products were behind, what groups they were working with, you had to go no further than the Happy Blog. Happy Blog was REvil's official, like, almost, like, PR page. And for roughly the next two years, REvil's Happy Blog is just knocking out press release after press release, naming and shaming all of these, like, new victims every single week. And it's a pretty impressive run because out of these hacks, you will recognize a lot of them. So it's worth talking briefly about some of their big hacks before we get to really the big one. Do you remember the JBS meat packing supply hack, Scott?
Speaker 2: I do not.
Speaker 1: It was one of the first ones in 2020 that, like, it was part of this, like, pattern of, like, oh, we're actually seeing disruptions in North American supply chains. They went after a meat packing supplier called JBS, and ended up making them, I think, $11,000,000 off this one hack alone. And it genuinely did disrupt a small corner of the food supply chain. It wasn't ginormous, but we saw there's certain people who aren't able to buy certain products because of some hackers from another country, and that was pretty novel at the time in North America. Two months later, they put another post up on their Happy Blog explaining how they'd incapacitated thousands of small and medium sized businesses in North America after exploiting a vulnerability in the update mechanism of a piece of IT management software called Kaseya. Mhmm. Kaseya had made this IT management software, and REvil used it as, like, an attack vector for a supply chain attack, which we've talked about before on this show. Mhmm. So they're posting about all these different, you know, multimillion dollar hacks weekly, sometimes daily, for this whole run of, like, time. And at this point, everyone online knows that GandCrab had become REvil. And at this point, people are going, this is just more of their uninterrupted success. First, they were doing it under that name, now they're doing it here, but, wow, this crew of people cannot be stopped. A February 2020 analysis from researchers at IBM found that REvil had earned more than $120,000,000 in 2020 alone. They were doing food stuff. They were doing IT stuff. There was really nothing they wouldn't go after or empower their affiliates to go after as long as they were getting a cut of the profits. Mhmm. 2020 was just sort of a warm up. The products were out in the world. They're raking in the cash. And this is where I'm gonna speculate a little here.
But I think between the, like, hit that was GandCrab, like, that feeling you talked about, Scott, where they're sitting there in retirement reflecting on, you know, what they can do and wondering, why am I not seeing how far I can go? I think that this is when they kinda started to get a little bit cocky by the standards of an already really cocky crew. Sure. And, like, the retirement post for GandCrab sort of showed that a little bit. Do you know, they really acknowledge the scale of what they'd achieved, but they start to go a little bit further here in this, like, Jay-Z and Kanye, Watch the Throne type moment. They start looking around for who's the other big dog that we could collaborate with? Like, who can we drop a record with? And they start looking around for the other big player on the scene, a collaborator worthy of their clout. And they found that collaborator for their next hack, the one where they maybe fly a little close to the sun, with a hacking group called DarkSide. I'm not sure if you remember hearing about DarkSide, Scott, but they were a hacking group that showed up in 2020, and they kind of, like, I feel like the headline we might have bumped into was that they fashioned themselves as sort of, like, a Robin Hood hacking crew at first. Sure. Do you remember hearing about that? Yeah.
Speaker 2: Yeah. This rings bells.
Speaker 1: Yeah. They're the ones that donated, like, the story that kinda came up was, I think Children International and, like, a water nonprofit had both gotten Bitcoin donations.
Speaker 2: From them that they'd stolen from someone else?
Speaker 1: From them that they'd stolen from somebody else. So these charities had to be like, we are not keeping this money. It was a very confusing situation. There's been some speculation that DarkSide has a relationship with REvil. They're both, like, point being is that in the summer of 2021, REvil and DarkSide decide they're gonna do this collab, and it's gonna be a big one. Like, a very, very flashy one.
Speaker 2: I love the idea of talking about it like it's a collab. Like, it's two artists meeting up to, like, jam out and make, like, you know, it's John Lennon and, you know, Nas, and they're gonna make some insane, you know, genre bending album. I love this. I love the way you talk about it.
Speaker 1: They're gonna drop the record of the year song this summer.
Speaker 2: Yeah. Exactly.
Speaker 1: You know, top 10 bop that went by the name, you may have heard it, of Colonial Pipeline.
Speaker 2: Yeah. It sounds familiar.
Speaker 1: Yeah. Sure does. Colonial Pipeline was kind of a watershed moment in, like, recent cyber diplomacy, and it all turned on one single password. Colonial Pipeline chief executive Joseph Blount told a US Senate committee that the attack vector for the Colonial Pipeline hack was, and we've talked about this before, an out of date VPN that didn't have multifactor authentication in place, which meant that the way you could control and shut down this entire pipeline hinged on one single password.
Speaker 2: That was written on a sticky note and hadn't been changed between the 300 employees that had come and gone.
Speaker 1: The result of that vulnerability was a ransomware attack that shuttered 5,500 miles of pipeline, stranding, we still don't know how much, like, untold barrels of gasoline, diesel, and jet fuel all along the Gulf Coast, like, a major supply chain disruption to the transportation industry. The Colonial Pipeline hack followed the, like, still very common practice of double extortion, which is a phrase I hadn't really heard before, which involves you demanding separate sums for the digital key needed to unlock the files and then another sum for the promise to destroy everything you took. Like, you're gonna have to pay if you want your stuff back. And then if you want us to not have it, you're gonna have to pay again.
Speaker 2: That is the genre bender right there. Yeah. That is the
Speaker 1: that's fusion.
Speaker 2: That's what John Lennon needed from Nas. He needed that push to go one step further, you know?
Speaker 1: God, I wish John Lennon and Nas could've done a couple, like, a, like, I know you're joking, but I just wanna hear it. You know what I mean?
Speaker 2: Yeah. Yeah. I think I wanted something here. Too bad it's sadly impossible.
Speaker 1: Yeah. In a negotiation that started at, it was, like, a $30,000,000 opening bid, it ended up resolving at a little over, like, I think, 11,000,000. Colonial Pipeline eventually did come back online, but it had created this, like, very attention grabbing supply chain disruption in The United States. It got the, like, there's Russian hackers who the Kremlin keeps tolerating, story in the news in a way that it had never really been before in The States. And it started to become clear that this group of people might have finally found a level of attention that they were uncomfortable with. Like, Colonial Pipeline made news in a way that few hacks do, and you had these, like, evocative images of people just lined up around the street at gas pumps trying to fill their cars. And we've seen on this show that you can mess with a lot of things, and people will tolerate it. Like, you can flood a small town with sewage, and no one seems to really mind that much. You can shut down a meat packing plant, and it's one story you'll read that day. But if you throttle, like, oil along the entire Eastern Seaboard, you've crossed some kind of line.
Speaker 2: Yeah. You're shutting down critical infrastructure.
Speaker 1: You're shutting down critical infrastructure.
Speaker 2: Yeah. The economy needs to keep moving, and it needs oil and gas to do that, Jordan.
Speaker 1: And you have pumped the brakes on that process, and people don't like that. And so DarkSide and REvil at first try and, you know, pump the brakes a little bit. They put out a statement on their site clarifying that infrastructure attacks aren't their business. Quote, we are apolitical. We do not participate in geopolitics. You do not need to tie us with a defined government and look for our motives. Our goal is to make money, not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future. This is REvil kinda trying to distance themselves from DarkSide, DarkSide trying to distance themselves from REvil.
Speaker 2: It's like a PR statement to, like, you know, deal with crisis intervention for a hacking group that's now being dragged into geopolitical things.
Speaker 1: We promise to do better.
Speaker 2: Oh, we made the tweet. Yeah. We made the tweet, and, you know, we now see the error of our ways. You know, the classic. Mhmm. I said something offensive on the Internet. Now I wanna take it back.
Speaker 1: Yeah. Mistakes were made.
Speaker 2: Mistakes were made. I've grown and learned a lot since then. We're sorry. We attacked your pipeline. But, also, give me my money.
Speaker 1: But it's too late. Right? And things start to shift. On November 4 of that year, Romanian authorities arrested two individuals suspected of being involved in the REvil ransomware. A couple days later, another five people get arrested in cooperation with, like, France, Germany, Romania, Europol, and Eurojust. So a couple of these people are starting to get picked up. They'd flown a little too close to the sun. They attracted, like, an irresponsible amount of attention, and now they're in trouble. But importantly, and this goes back to those GandCrab blog posts from years earlier, there was still one place where they'd proven that, quote, they could do evil and get off scot free. They had a part of the world, as long as they just stayed there, it kind of functioned as a safe zone. Where even if The US and Interpol and all these groups knew your name, even if your peers in other countries were getting arrested, as long as you stayed here, you could continue to operate. This, like, fortress of solitude, the size of the largest country on Earth. What happened to REvil there after the break?
Speaker 6: The White House says that this call between president Biden and Vladimir Putin yesterday lasted for nearly an hour, and that president Biden basically told Putin that he was running out of time. And he needs to help The US crack down on these ransomware attacks now, or The US is going to take action.
Speaker 1: So there's this press event, right, where it's Joe Biden, and he's telling the press about this phone call he had where he pressed Russian president Vladimir Putin to take action to try and, like, pump the brakes on ransomware coming out of their country from these private groups. When he says, quote, when a ransomware operation is coming from, historically, we know it's not sponsored by the state, we expect them to act. The US and a bunch of countries have been, like, formally asking Russia for quite a while to arrest cyber criminals, specifically ransomware operators whose names they know. For a long time, we've kind of, like, seen the architecture of this unspoken agreement in how ransomware groups like REvil and DarkSide and GandCrab before that, like, how they work. Providing ransomware as a service means giving up a little bit of control over who gets targeted by your software. That's, you know, the nature of any affiliate or franchise style business. Like, you try your best to vet them, but you gotta have some quality controls because who knows who's gonna come knocking looking to open a Subway-like sandwich shop. But all of these tools and all these groups, they had certain things in common, certain checks and balances. Importantly, that if the software detected that your device's default language was Russian, it would not lock down your files. Which means that either these hackers are all very, very patriotic, or there's, like, an unspoken thing here that as long as Russian speaking hackers weren't targeting Russian speaking victims, it was cool. They could proceed.
Speaker 2: Yeah. I remember reading all about this, about how they were filtering out data, and they were not attacking, like, local targets. I thought that was very fascinating. Mhmm. It just felt very Russian to me. You know? It did feel patriotic to me. Like, it just felt like something that, you know? I feel like American greed is American greed, but Russian greed is Russian greed without wanting to harm one's, like, countrymen.
Speaker 1: Russian greed stands in solidarity. You know? Exactly.
Speaker 2: Exactly. Like, I found it very interesting.
Speaker 1: Well, I'm sure, I don't really know the answer to this, but, like, I know the base mechanism has to do with, like, language detection. I'm sure it got more, like, nuanced by the end of this. Right? Like, I'm sure it went just beyond what language a computer was on and, like, got into, like, I don't really know how you would keep track of that.
Speaker 2: Yeah. And, like, all files that have text in them will have a character set encoding for what they're Right.
Speaker 1: What they're using. Cyrillic versus Yeah.
Speaker 2: You'd be able to check it. Like, there'd be a lot of ways to detect it. But to make a Boolean decision as to is this computer Russian or not, to within a degree of tolerance that we're willing to, you know? It's probably pretty easy.
Speaker 1: Well, then it's still ransomware. Right? So on the far side of that, if it turns out, like, one slipped through and they start talking to you and you realize, you're like, okay. Never mind. Have your stuff back. Like, we know how this works. Yeah.
Speaker 2: Yeah. If the chat window pops up and the guy's yelling at you in Russian, you just, like, hit the undo button.
Speaker 1: A 100%. Unencrypt. Goodbye. Have a good day.
Speaker 2: Yeah. Yeah. We're sorry about this story, sir. We thought you were
Speaker 1: It won't happen again.
Speaker 2: Your IP address was pinging Washington, DC. You know, we didn't think you were, potentially. So
Speaker 1: Like, yeah. I was using a VPN. Like the sponsors of this episode. No. Which is what makes this arrest that happened this last month so notable, is that it wasn't INTERPOL. It wasn't The US. It was Russia arresting Russian hackers who had not hacked Russian victims. This is something new. When you talk about, like, Russian hackers, like, you have to make the distinction between state sponsored and private groups. This has all been the story of a private hacking group, like, they're for profit individuals. And I think we're gonna talk about this week. It's worth acknowledging that as this arrest was taking place of this private Russian hacking group, some other hacking in Russia was going on. On January 14, within, I think, two days of these arrests starting, attacks affecting nearly 80 different Ukrainian government agency sites were taking place, replacing pages with this message written in multiple languages that read, quote, be afraid and expect the
Speaker 2: Oh, my god.
Speaker 1: And that's like a pretty entry level tactic. We've talked about this defacement. It's, you know, it's it's not a high level tactic, but only a day after that defacement, things started escalating. On January 15, a data wiping malware, targeted the internal systems of a dozen or so Ukrainian government agencies, nonprofits, and IT companies. Microsoft spots it first. And according to researchers, it's a malware that's designed to look like ransomware, but was actually the special type of software designed to be, like, just destructive Sure. And render target devices inoperable. This hack, unlike REvil, was not about money. It was just about chaos, and it allegedly and intuitively caused a lot of damage to different government agency websites and infrastructure. And Ukrainian officials have said that the two acts appear to have been coordinated to occur at roughly the same time. And this is just the new stuff. In 2015, hackers disabled Ukraine's power grid, which led to a blackout in Ukraine's capital city of Kyiv. Like, some hackers took control of some SCADA systems. They busted up IT infrastructure, and they used malware to remotely switch off, like, all these electrical substations, which plunged, like, a quarter million people into darkness. There's NotPetya in 2017 that did, like, $10,000,000,000 in damage to Ukraine's financial system. As Russia was arresting Russian hackers, Russia be hacking.
Speaker 2: Russia be employing those hackers, maybe, question mark.
Speaker 1: Russia might be hacking. Like, we talk a lot about cyber war here on the show, but I bumped into a phrase while I was reading about this that I hadn't really heard, and it was, I thought was interesting. It's hybrid war
Speaker 2: Oh, yeah.
Speaker 1: Which is when you amass troops in real life and online at the same time against
Speaker 2: the same enemy. Completely cripple a country and then actually go in and attack said country.
Speaker 1: And when I think about that
Speaker 2: I get really scared.
Speaker 1: And it makes you think about REvil in, like, especially the arrest of REvil in kind of different ways.
Speaker 2: This is sad, but my brain goes to every pop culture hacking TV show ever made where it begins with black hat hacker being caught by the FBI, the FBI then offering them an olive branch of becoming a member of the FBI or whatever the, you know, three letter agency name is. And I feel like that's that's probably not untrue what goes on in Russia. Like, when you talk about posturing and war and, you know, you know, aggression, wouldn't you want the best weapons in your Mhmm. In your armor army and, like, in your best tools in your toolbox? And it's like
Speaker 1: Mhmm. If
Speaker 2: you're arresting literally the world's greatest, you know, malware and hacking guys or groups, why would you not offer them an olive branch and be like, actually, hey. We're thinking about invading these countries. Do you wanna come facilitate that with us? So that's where my head goes to is it goes to pop culture TV.
Speaker 1: Sure. Oh, that's interesting. I didn't even get there. It's like you're you're, you're amassing resources a little bit. Yeah. At first, we gotta pull you off the street, but then we're gonna have a conversation.
Speaker 2: It's like, hey. You got two options here. Gulag or, like, essentially bureaucratic royalty. Which one would you prefer?
Speaker 1: Yeah. You're already independently wealthy.
Speaker 2: Yeah.
Speaker 1: Do you wanna do the same thing you've been doing for that's an interesting take.
Speaker 2: We're gonna let you keep all your money. We're gonna let you live in the nicest Saint Petersburg apartments, and all you have to do is come to work every day and attack who we tell you rather than who you want to. So
Speaker 1: I like I don't like that. I hate that. Yeah. But I I think that's a that's a very interesting take, and it's kinda compatible with, I think, where my brain went to, which is that, like, you're you're you're Russia, and you've got this war that you're interested in right in waging. And you're amassing, like, digital and physical troops at your enemy's borders, so to speak. But at the same time, you've got this, like, digital insurgent group inside your own borders. Picking a fight with an unrelated target, the other, like, big dog in the yard. And while you're trying to wage your war on your barter border, this insurgent group is picking their own fight against this unrelated huge threat. And you start to notice, right, that, okay, these folks inside my borders keep picking this fight. And if they keep doing that, the people they're fighting might take my enemy's side. So you probably wanna shut that insurgency group down so they don't keep attracting any more attention than you're already getting for the war that you wanna be waging. So that you can keep attacking your enemy without all this negative spotlight shining down on you.
Speaker 2: See see, I I I agree with you in, like, a a thing, but I think the where my mind goes is in the world that we live in, where if you're gonna be an aggressive nation state, like, we are so technologically driven as a as a as a globe now, like, every single country. It doesn't matter, you know, first world, second world, third world, whatever. We all have communication networks. We all have computer controlled, infrastructure. We all have etcetera etcetera. Russia being more cool with, hacking and things like that for the last twenty years has led to them now probably truthfully becoming the global specialist at it. You know, they've allowed people to learn and train, sharpen, and tune, and profit from these tools and skills and tactics, which has allowed them to evolve them where you know? Look at the like, two or three episodes ago, we were talking about somebody who viewed the source of their website getting charged
Speaker 1: in
Speaker 2: The United States. Like, I don't think that would happen in Russia. Mm-mm. So it's like, you know, we many nations are now underdeveloped, where certain nations, notably Russia and probably North Korea, are probably overdeveloped. Very developed. So, you know, if you look at it as training and skill development, which is a weird way to look at it, but you're Capacity building. Capacity building for future wars. Russia has been capacity building for a lot longer than a lot of other places. So, you know, we have specialists here, you know, that work for the NSAs and the CIAs and stuff like that. But I don't think it's the same incentive as the profit incentive of No. The way that Russia's been learning it.
Speaker 1: I think it's I think you're totally right. And I think that even if we think of it like capacity building, where by allowing these people to do this for so long unchecked, you've allowed them to develop tools and technology. It's like it's like IP. They've developed all of this great new stuff. You've built this capacity. But I think it's compatible with this idea that you've also, from a diplomatic perspective, you've built a bargaining chip. Like, you've built this thing that you can take on or off the the table, and that has some diplomatic utility. Yeah. During the REvil arrests on Friday, officials from FSB and the Department of Ministry of Internal Affairs seized computer equipment, I think, 20 luxury cars, like, 5 and a half million rubles just sort of laying around, a few million more in crypto. But it's thought that this is just, like, this tiny constitute of what this group had earned over the years. This was what was in their house, essentially. Yeah. Who knows where the rest
Speaker 2: of it is? I only had $10,000,000 in cash sitting under my bed, but the rest is
Speaker 1: 100%.
Speaker 2: Buried in bank accounts and investments around the world.
Speaker 1: Totally. You look at the blog posts, and then you look at what's buried in their mattress. And I'm like, I'm sure some of this is, you know, bullshit. And but I'm also sure that this is just a fraction of what you have. Like, buried in the woods somewhere is a crypto wallet. Like, I believe that. In all of this, there's this one figure we didn't really talk about, and it's REvil's most prominent voice, a hacker who went by the name, Unknown. And at some point over the last couple years, Unknown gives this interview with a very relevant quote that I think we'll end on. Unknown says, quote, I don't wanna be a bargaining chip. We brushed up against politics, and nothing good came of it, only losses. And with the current geopolitical relationships, everything is very beneficial for us without any interference. And Unknown was talking about the then current geopolitical relationships, relationships that have changed and are changing and will have changed by the time most people listen to this. And as those, you know, bigger geopolitical relationships change, it's almost like the Earth moving under the feet of these hackers who built their whole enterprise on top of it. And suddenly, they've temporarily at least become exactly what Unknown and REvil were afraid of becoming. A bargaining chip. Thanks for listening everybody. Big old shout out to our new patreons this month. Patreon.com/hackedpodcast. I just wanna thank Jim. Thanks, Jim. Thank you, Kathleen boys. Time for Crab. Thank you. Ozzlio. Ozzlio zero. Thank you. Luke de Luke. Thanks. Kevin Bragg. Thumbs up, Kevin. Steven Decker, do really appreciate it. And last but not least, Danny, thank you. If you like this episode, if you like the show, support us on Patreon. Patreon.com/hackedpodcast.
Speaker 2: Thank you
Speaker 1: so much for listening. This was, a really interesting one to put together. Hope it was a timely and interesting one for you to listen to, and we are excited to catch you back here in the next one. See you soon.