Dark Covenant: Connections Between the Russian State and Criminal Actors

This report examines the unspoken connections between the Russian Federation (in the form of Russian intelligence services or the Kremlin) and cybercriminals in Russia and Eastern Europe. Sources include the Recorded Future® Platform as well as other dark web and open sources. The report will be of interest to threat researchers, as well as law enforcement, government, and defense organizations. 

Executive Summary

​The intersection of individuals in the Russian cybercriminal world and officials in the Russian government, typically from the domestic law enforcement or intelligence services, is well established yet highly diffuse. The relationships in this ecosystem are based on spoken and unspoken agreements and comprise fluid associations.

Recorded Future identified 3 types of links between the Russian intelligence services and the Russian criminal underground based on historical activity and associations, as well as recent ransomware attacks: direct links, indirect affiliations, and tacit agreement.      

Even in cases with discernible, direct links between cybercriminal threat actors and the Russian state, indirect affiliations suggest collaboration, and a lack of meaningful punitive actions shows either a tolerance for, or tacit approval of, these efforts. This assessment takes into account that the Russian government possesses a robust surveillance apparatus and interfaces with cybercriminal elements and therefore has visibility into, if not control over, many of the resources used by these threat actors and can shut them down if they so desire.

Visit Resource

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge