Hacked - RIP REvil
Episode Date: January 31, 2022
Jordan Bloemen & Scott Francis Winder say goodbye to the ransomware gang REvil, and hello to a new era in cyber diplomacy. If you like the show and want to make sure we can keep making it, please subscribe and if you can visit https://www.patreon.com/hackedpodcast and show us some love.
Transcript
So that is the sound of a money-counting machine.
It's from a 95-second video published by the FSB, Russia's Federal Security Service.
And this moment, when they're counting up all the money, these, like, fat stacks of paper cash,
comes at the very end of the video.
It's kind of the climax of the whole thing.
The bulk of the video is essentially like a very high-stakes, very Russian episode of Cops.
And it's the same like Cops-style scene playing over and over again.
Some people in uniform, some in plain clothes, with their faces blurred, approach like a door in an apartment block.
And they knock the door down, they go in and they drag out whoever's inside.
Their faces also blurred, and they arrest them.
One after another we see person after person get picked up by the security forces team.
And the back half of the video is everything they find in these apartments.
It's like the loot. Computers, laptops, a screenshot of like a crypto wallet with a seven-figure balance, and a ton of cash, so much so that they needed this machine to count it, which is how the video ends.
That Russia's FSB is arresting people isn't really that interesting, that they posted like a victory lap video on social media isn't that unique, but who they arrested.
I think we got to talk about that, Scott.
Let's talk about it.
Because this arrest marks potentially the end of like a very notable era in the world of international cybercrime, at a very relevant moment in global geopolitics.
For years, there's been like this sort of like meta-narrative in news media about cybercrime.
And it's that Russia is home to a lot of the world's cybercrime,
and the Kremlin turns a blind eye to it,
as long as those hackers' targets aren't Russian.
And as like international most wanted lists just got fuller and fuller of hackers from that part of the world,
it got harder and harder to believe that Russia was at all interested in stopping it.
And if you were to look at that list of most wanted cybercriminals,
if you were to really look for one of the apex predators in terms of hacking gangs in that ecosystem,
you'd find this group called REvil.
REvil is short for Ransomware Evil.
It's like a private ransomware as a service operation.
The ransomware software was behind the Microsoft Exchange server hack last year, the infamous beef plant hack at JBS, and this one other hack we're going to talk about from last year that you've almost certainly heard of.
And this month, some comms person at the Russian Federal Security Service sat down at their computer and uploaded this video announcing to the world that after years in operation, REvil had finally been arrested. One person at a time, doors get knocked down in their apartment, all the rubles getting counted up by a machine. The end of REvil.
So this is, I think, we treat kind of like our post-mortem episode where we're going to reflect on one of these really prolific actors in the world of Russian cybercrime over the last couple years, their greatest hits, and then like speculating wildly why they finally got taken down.
Here on Hacked. How's your day, Scott?
My day is great, Jordan. How's your day?
My day's pretty good.
Pretty wild time to be making an episode
talking about this part of the world.
Talking about Russia. Why? What's Russia up to?
I haven't seen them in the news at all.
I haven't been on the internet in two weeks.
Being of a moderate amount of Ukrainian descent, there's some Ukrainian in me somewhere.
I have no idea what they're up to.
Well, I have terrible news.
This is a weird one because, like, well, for obvious reasons, researching it even like seven days ago, writing it over the last week, and now in that stretch of time, a whole bunch of stuff has changed, and almost guaranteed by the time anyone's listening to this, more will have changed, hopefully better, who knows.
But it makes talking about some of this tricky.
What isn't tricky is like the core story here.
That isn't going to change because we're looking backwards.
The story of this group REvil, what they did and why they finally went down.
So I think we can talk about that.
Let's not talk about what they're up to and let's talk about what they've been up to.
Yeah, 100%.
Let's look backwards at a time when forwards looks weird.
Scott, you've worked in software.
When you make software, shipping it is only part of the battle, right?
Because then you have to update it over time.
You have to keep the thing going.
And that's a lot of the work, right?
Oh, maintaining something?
Yeah.
You've seen the entire software industry shift from walking into a Best Buy or a store
and buying a piece of software off the shelf for $49.99 to $6 a month.
because companies realize that software requires perpetual,
you know, updating maintenance to keep it kind of alive and going.
You're seeing that shift across pretty much all software and video games now,
any kind of living game environments, you know,
they might make a ton of money on day one, a ton of pre-orders and stuff,
but if there's an expectation of a constantly delivered service,
that's why we're seeing things like micro-transactions and software as a service
and things like that.
So I think it's a logical step, but yes, to answer your original question, software requires maintenance often.
Which brings us pretty nicely to the start of REvil, back before they even were called REvil.
Back in 2018, one of the first big stories of ransomware as a service was this strain of ransomware called GandCrab.
Like most ransomware, GandCrab would hold a file on an infected system hostage unless you paid a ransom. But the thing that made GandCrab different, and maybe the thing that kind of led it to eclipse the success of other competing ransomware, like affiliate-style programs, was that, as you said, its authors worked like a software company to update the malware over time so that it could evade antivirus and, like, security software. GandCrab approached ransomware as a service way more like a software company, way more in the business of updating than most of their competitors at that time. They were in the business of patching this stuff. If you're buying ransomware, I would imagine that's pretty compelling, right? Because otherwise you don't know if what you're buying has been addressed by the other side. In the 15-month span of GandCrab's affiliate-style business, starting in January 2018, its curators shipped five major revisions to the base code essentially, each lining up with someone on the defensive side's attempt to build up a wall around it, this sort of like arms race that they're engaged in. And they did a pretty good job of it. Brian Krebs from Krebs on Security, gangster on his worst day, managed to follow the breadcrumbs of GandCrab's posts on the cybercrime forum, Exploit.in, concluding that he thinks he'd figured out who one of the hackers behind it was, someone named Igor Prokopenko, whose name wasn't in the list of people who were arrested, which raises all sorts of interesting questions. But as quickly as GandCrab burst onto the scene, it seemed as though it had shuttered in 2019.
In a post on Exploit.in, the user that Krebs identified wrote a post that read, quote,
We ourselves have earned over $150 million in one year.
This money has been successfully cashed out and invested in various legal projects, both online and offline.
It was a pleasure to work with you, but like we said, all things come to an end.
We're getting a well-deserved retirement.
We are living proof you can do evil and get off scot-free.
We have proved that one can make a lifetime of money in one year.
we've proved that you can become number one by general admission, not in your own conceit.
In one year, people who worked with us have earned over $2 billion.
Our name became a generic term for ransomware in the underground.
The average weekly income of the project was $2.5 million.
Russian security firm Kaspersky Lab estimated by the time the program wrapped up, GandCrab made up half of the global ransomware market.
This was like three years ago.
Yeah.
So this is a story of like a runaway success, right?
Like you just retire at the height of your power.
Sure.
This is a Forbes article about, you know, Mark Zuckerberg walking away from Facebook.
This is, uh, this is MySpace Tom checking out at his peak and just traveling the world.
Oh, man.
God, what a hero.
Right?
Those are, those are some crazy, those are some crazy numbers.
Like, we should talk about the size of those numbers.
Like, uh, insane.
Like, $150 million.
and take home profit is like, you know, say a company averages 8 to 10% net income or profit,
you'd have to be doing billions of dollars in revenue.
Granted, they're all profit, right?
Like, they don't really have big overheads.
They would have overheads, but they wouldn't be huge.
So it's madness to think that, like, you know, that little ransomware company was essentially
a billion plus dollar enterprise.
100%.
Yeah, these companies would be on Forbes.
Yeah, exactly.
Like, they'd be a big deal.
They'd be publicly traded.
Yeah, you could buy, like, they're almost a blue chip.
Like, you could buy, you could responsibly buy shares in REvil if you wanted to.
Yeah.
Like, I'm just trying to think, like, for like, like, uh, the shares been beaten up a little bit right now.
But I'm trying to think what Peloton's gross revenues are.
Like, they're probably, probably in kind of that realm of like a medium, medium-sized tech startup.
100%.
And people don't keep writing television scenes where people die on REvil ransomware.
Yeah, yeah, yeah.
So Peloton made $800 million in revenue last year and had a net income of minus 400 million,
where these guys made a hefty profit of $150 million.
So, you know, just saying which one would you rather invest in?
In one year, people who worked with us have earned over $2 billion U.S.
their business model is really good.
It's this affiliate thing.
They make the product and they use it and they use it in their own hacks.
But then they'll license it to other people and they get a cut of those profits too.
It's like this is very well considered.
It's like an affiliate marketing scam except for it's criminal.
It's the same kind of principle.
It's a pyramid scheme.
It's a Melaleuca or an Amway or whatever.
that's fascinating.
Good for them.
Good business model.
They've taken it, taking peer to peer marketing or whatever that stuff's called, multi-level marketing, and applied it to the criminal world.
And they got out like on top.
Yeah.
But in the months that followed, as like new strains of ransomware started emerging in that same ecosystem, this theory starts to kind of bubble up based on a growing body of evidence suggesting that like maybe the people behind GandCrab, who'd like famously checked out right at the top, maybe they hadn't actually retired.
Maybe they'd done that publicly while they turned to this like new project.
Bringing our attention to this new piece of ransomware that was making rounds in 2019.
At first like a far more like behind closed doors, bespoke, private ransomware as a service offering.
In late April, researchers at Cisco Talos spotted a new ransomware strain dubbed Sodinokibi, which eventually took on like another name in the community.
The name that its creators would adopt as their own, REvil.
And the REvil strain was a hit.
It was like another hit, a hit after a hit.
It was the iPhone, like right after the iPod, Lion King right after Aladdin, REvil right after GandCrab.
If you're a, you know, if you're, say you're a musician, it's going to be hard to be a creator, you know, and create something that's so impactful and so amazing. How do you follow it?
And like granted that it's a bunch of evil and then to walk away and retire young and
be like, you know what, I'm going to spend more time with my family and I'm out of here.
And then to sit every day being like I've achieved greatness and I can achieve it again.
Totally. You know, it's going to be. I know I have the ability.
Yeah, the trials and tribulations of the human psyche.
If you were interested in tracking their progress throughout all this, like what hacks REvil's products were behind, what groups they were working with, you had to go no further than the Happy Blog.
Happy Blog was REvil's official, like, almost like, PR page.
And for roughly the next two years, REvil's Happy Blog is just knocking out press release after press release, naming and shaming all of these, like, new victims every single week.
And it's a pretty impressive run, because out of these hacks, you will recognize a lot of them.
So it's worth talking briefly about some of their big hacks before we get to really the big one.
Do you remember the JBS meatpacking supply hack, Scott?
I do not.
It was one of the first ones in 2020 that like, it was part of this like pattern of like, oh,
we're actually seeing disruptions in North American supply chains.
They went after a meat packing supplier called JBS and ended up making them, I think,
11 million bucks off this one hack alone.
And it genuinely did disrupt a small corner of the food supply chain.
It wasn't ginormous, but we saw there's certain people who aren't able to buy certain products because of some hackers from another country.
And that was pretty novel at the time in North America.
Two months later, they put another post up on their Happy Blog, explaining how they'd incapacitated thousands of small and medium-sized businesses in North America after exploiting a vulnerability in the update mechanism of a piece of IT management software called Kaseya.
Because they had made this IT management software, REvil used it as like an attack vector for a supply chain attack, which we've talked about before in this show.
So they're posting about all these different, you know,
multi-million dollar hacks, weekly, sometimes daily for this whole run of like time.
And at this point, everyone online knows that GandCrab had become REvil.
And at this point, people are going,
this is just more of their uninterrupted success.
First, they were doing it under that name, now they're doing it here,
but wow, this crew of people cannot be stopped.
A February 2020 analysis from researchers at IBM found that REvil had earned more than $120 million in 2020 alone.
They were doing food stuff.
They were doing IT stuff.
There was really nothing they wouldn't go after or empower their affiliates to go after as long as they were getting a cut of the profits.
2020 was just sort of a warm up.
Their products were out in the world.
They're raking in the cash.
And this is where I'm going to speculate a little here, but I think between the like hit that was GandCrab, like that feeling you talked about, Scott, where they're sitting there in retirement reflecting on what they can do and wondering, why am I not seeing how far I can go, I think that this is when they kind of started to get a little bit cocky by the standards of an already really cocky crew.
Sure.
And like their retirement post for GandCrab sort of showed that a little bit, that they really acknowledge the scale of what they'd achieved, but they start to go a little bit further here.
And it's like, Jay-Z and Kanye Watch the Throne type moment.
They start looking around for who's the other big dog that we could collaborate with.
Like, who can we drop a record with?
And they start looking around for the other big player on the scene,
a collaborator worthy of their clout.
And they found that collaborator for their next hack,
the one where they maybe fly a little close to the sun.
With a hacking group called DarkSide.
I'm not sure if you remember hearing about DarkSide, Scott, but they were a hacking group that showed up in 2020.
And they kind of like, I feel like the headline we might have bumped into was that they fashioned themselves as sort of like a Robin Hood hacking crew at first.
Sure.
Do you remember hearing about that?
Yeah.
Yeah.
This rings bells.
Yeah.
They're the ones that donated, like the story that kind of came up was I think Children International and like a water nonprofit had both gotten Bitcoin donations from them that they'd stolen from someone else.
From them that they'd stolen from somebody else.
So these charity just had to be like,
we are not keeping this money.
It was a very confusing situation.
There's been some speculation that DarkSide has a relationship with REvil.
Point being is that in the summer of 2021, REvil and DarkSide decided they're going to do this collab.
And it's going to be a big one, a very, very flashy one.
I love the idea of talking about it as a collab.
It's two artists meeting up to, like, jam out and make like, you know, it's John Lennon and, you know, Nas, and they're going to make some insane, you know, genre bending album. I love this. I love this. I love the way you talk about it.
It's a, they're going to drop the record of the year, song of the summer. Yeah, exactly.
You know, top 10 bop that went by the name, and you may have heard it, of Colonial Pipeline.
Yeah, that sounds familiar.
Yeah, it sure does.
Because Colonial Pipeline was kind of a watershed moment in recent cyber diplomacy, and it all turned on one single password.
Colonial Pipeline Chief Executive Joseph Blount told a U.S. Senate committee that the attack vector for the Colonial Pipeline hack was, and we've talked about this before, an out-of-date VPN that didn't have multi-factor authentication in place, which meant that the way you could control and shut down this entire pipeline hinged on one single password.
That was written on a sticky note and hadn't been changed between the 300 employees that had come and gone.
The result of that vulnerability was a ransomware attack that shuttered 5,500 miles of pipeline, stranding, we still don't know how much, like untold barrels of gasoline, diesel, and jet fuel all along the Gulf Coast.
Like a major supply chain disruption to the transportation industry.
The Colonial Pipeline hack followed the still very common practice of double extortion, which is a phrase I hadn't really heard before, which involves you demand separate sums for the digital key needed to unlock the files and then another sum for the promise to destroy everything you took. You're going to have to pay if you want your stuff back, and then if you want us to not have it, you're going to have to pay again.
That is the genre bender right there. That is the...
That fusion. That's what John Lennon needed from Nas. He needed that push to go one step further, you know. God, I wish John Lennon and Nas cut a quick one, like, I know you're joking, but I just want to hear it. You know what I mean? Yeah, yeah, yeah. I think I'm on to something here. Too bad. It's sadly impossible. Yeah.
In a negotiation that started, it was like a $30 million opening bid. It ended up resolving at a little over like, I think, 11 million. Colonial Pipeline eventually did come back online. But it had created this like very attention grabbing supply chain disruption in the United States.
They'd gotten the, like, "there's Russian hackers who the Kremlin keeps tolerating" story in the news in a way that it had never really been before in the States.
And it started to become clear that this group of people might have finally found a level of attention that they were uncomfortable with.
Like Colonial Pipeline made news in a way that few hacks do.
And you had these evocative images of people just lined up around the street at gas pumps trying to fill their cars.
And we've seen on this show that you can, you can mess with a lot of things and people will tolerate it.
You can flood a small town with sewage and no one seems to really mind that much.
You can shut down a meatpacking plant and it's one story you'll read that day.
But if you throttle like oil along the entire eastern seaboard, you crossed some kind of line.
Yeah, you're shutting down critical infrastructure.
You're shutting down critical infrastructure.
Yeah.
The economy needs to keep moving.
It needs oil and gas to do that, Jordan.
And you have pumped the brakes on that process, and people don't like that.
And so, DarkSide and REvil at first try and, you know, pump the brakes a little bit.
They put out a statement on their site, clarifying that infrastructure attacks aren't their business.
Quote, we are apolitical.
We do not participate in geopolitics.
You do not need to tie us with a defined government and look for our motives.
Our goal is to make money, not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.
This is REvil kind of trying to distance themselves from DarkSide, DarkSide trying to distance themselves from REvil.
It's like a PR statement to like, you know, deal with crisis intervention for a hacking group that's now being dragged into geopolitical things. We promise to do better.
We made the tweet. Yeah, we made the tweet and, you know, we now see the error of our ways.
You know, the classic.
I said something offensive on the internet.
Now I want to take it back.
Yeah, mistakes were made.
Mistakes were made.
I've grown and learned a lot since then.
We're sorry we attacked your pipeline.
But also give me my money.
But it's too late, right?
And things start to shift.
On November 4th of that year, Romanian authorities arrested two individuals suspected of being involved in REvil ransomware.
A couple days later, another five people get arrested in cooperation with like France, Germany, Romania, Europol and Eurojust. So a couple of these people are starting to get picked up. They'd flown a little too close to the sun. They'd attracted like an irresponsible amount of attention and now they're in trouble. But importantly, and this goes back to those GandCrab blog posts from years earlier, there was still one place where they'd proven that, quote, they could do evil and get off scot-free. They had a part of the world, as long as they just stayed there, it kind of functioned as a safe zone, where even if the U.S. and Interpol and all these groups knew your name, even if your peers in other countries were getting arrested, as long as you stayed here, you could continue to operate. This like fortress of solitude, the size of the largest country on Earth. What happened to REvil there?
After the break. Think about the last time you heard a breach story on this show. It always starts
the same way. Someone, somewhere, saw something too late, an alert buried, a signal missed,
a SOC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding
security operations from the ground up for a world where attackers are already using AI. They
created the Aurora Super Intelligence Platform, a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic
agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy.
And all of this is just off running on their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week
and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora agent SOC.
It's the first SOC that is agent led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven
decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and
proactive risk reductions while the agents handle the grind. If you want to see what trustworthy, production-ready AI in security operations actually looks like, go to arcticwolf.com slash hacked.
Never feel like cyber threats are evolving faster than anyone can keep up? Last year,
2025 was nothing short of a record-breaking year for major breaches, from sophisticated ransomware
operators to AI-enabled attacks that turned defenses on their head. Organizations around the world saw
headlines they never expected and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th, diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened, but why
these attacks succeeded.
And most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights into how threat actors are evolving,
how defenders are responding, and what strategies can help you stay ahead of the next big breach.
It's not fearmongering. It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
The White House says that this call between President Biden and Vladimir Putin yesterday lasted for nearly an hour,
and that President Biden basically told Putin that he was running out of time,
and he needs to help the U.S. crack down on these ransomware attacks now, or the U.S. is going to take action.
So there's this press event, right?
Where it's Joe Biden, and he's telling the press about this phone call he had,
where he pressed Russian president Vladimir Putin to take action
to try and, like, pump the brakes on ransomware coming out of their country
from these private groups.
When he says, quote, when a ransomware operation is coming from his soil, even though it's not sponsored by the state, expect them to act.
The U.S. and a bunch of countries have been like formally asking Russia for quite a while to arrest cybercriminals, specifically ransomware operators whose names they know.
For a long time, we've kind of like seen the architecture of this unspoken agreement in how
ransomware groups like REvil and DarkSide and GandCrab before that, like how they work.
Providing ransomware as a service means giving up a little bit of control over who gets targeted
by your software.
That's, you know, the nature of any affiliate or franchise style business.
Like you try your best to vet them, but you got to have some quality controls because who knows who's going to come knocking looking to open a Subway, like, sandwich shop. But all of these tools and all these groups, they had certain things in common, certain checks and balances. Importantly, that if the software detected that your device's default language was Russian, it would not lock down your files. Which means that either these hackers are all very, very patriotic, or there's like an unspoken thing here, that as long as Russian-speaking hackers weren't targeting Russian-speaking victims, it was cool. They could proceed.
Yeah, I remember reading all about this, about how they were filtering out data and they were not attacking like local targets. I thought that was very fascinating.
It just felt very Russian to me, you know? It did feel patriotic to me. Like it felt, it just felt like something that, you know, I feel like American greed is American greed, but Russian greed is Russian greed without wanting to harm one's like countrymen.
You know? Russian greed stands in solidarity.
Exactly.
Exactly.
I found it very interesting.
And I'm sure, I don't really know the answer to this, but I know the base mechanism has to do with language detection.
I'm sure it got more nuanced by the end of this, right?
I'm sure it went just beyond what language a computer was on and got into, like, I don't
really know how you would keep track of that.
Yeah, and like all files that have text in them will have a character set coding for what
they're using.
Cyrillic versus.
Yeah, you'd be able to check in.
There'd be a lot of ways to detect it.
But to make a Boolean decision, is this computer Russian or not, to within a degree of tolerance that we're willing to, you know, it's probably pretty easy.
Well, then it's still ransomware, right?
So on the far side of that, if it turns out, like, one slipped through
and they start talking to you and you realize you're like,
oh, okay, never mind, have your stuff back.
Like, we know how this works.
Yeah, yeah.
If the chat window pops up and the guy's yelling at you in Russian,
you just like hit the undo button.
100% unencrypt, goodbye.
Have a good day.
Yeah, yeah.
We're sorry about this.
Sorry, sir.
We thought you were.
It won't happen again.
Your IP address was pinging Washington, D.C.
You know, we didn't think you were potentially.
Like, yeah, I was using a VPN.
Like the sponsors of this episode.
No.
Which is what makes, all of this is what makes this arrest that happened this last month so notable, is that it wasn't Interpol, it wasn't the U.S., it was Russia arresting Russian hackers who had not hacked Russian victims.
This is something new.
When you talk about Russian hackers, you have to make the distinction between state-sponsored and private groups.
This has all been the story of a private hacking group, like they're for-profit individuals.
And I think we're going to talk about this, it's worth acknowledging that as this arrest was taking place of this private Russian hacking group, some other hacking in Russia was going on.
On January 14th, within, I think, two days of these arrests starting,
attacks affecting nearly 80 different Ukrainian government agency sites were taking place.
Replacing pages with this message written in multiple languages that read, quote,
Be afraid and expect the worst.
Oh, my God.
And that's like a pretty entry-level tactic.
We've talked about this defacement.
It's not a high-level type.
but only a day after that defacement, things started escalating.
On January 15th, a data-wiping malware targeted the internal systems of a dozen or so
Ukrainian government agencies, non-profits, and IT companies.
Microsoft spots it first.
And according to researchers, it's a malware that's designed to look like ransomware,
but was actually this special type of software designed to be just destructive and render
target devices inoperable.
This hack, unlike REvil, was not about money.
It was just about chaos.
And it allegedly and intuitively caused a lot of damage to different government agency websites and infrastructure.
And Ukrainian officials have said that the two acts appear to have been coordinated to occur at roughly the same time.
And this is just the new stuff.
In 2015, hackers disabled Ukraine's power grid, which led to a blackout in Ukraine's capital city of Kiev.
Like some hackers took control of some SCADA systems, they busted up IT infrastructure,
and they used malware to remotely switch off
like all these electrical substations
which plunged like a quarter million people into darkness.
There's NotPetya in 2017 that did like $10 billion in damage to Ukraine's financial system.
As Russia was arresting Russian hackers,
Russia be hacking.
Russia'd be employing those hackers, maybe, question mark.
Russia might be hacking.
We talk a lot about cyber war here on this show,
but I bumped into a phrase while I was
reading about this that I hadn't really heard and it was
I thought was interesting, it's
hybrid war. Which is when
you amass troops in
real life and online at the same time
against the same enemy. Just completely cripple
a country and then actually go in
and attack said country.
And when I think about that... I get really scared.
And it makes you think
about REvil in like, especially
the arrest of REvil in kind of a different
way. This is sad, but my brain
goes to every pop culture hacking
TV show ever made.
where it begins with
black hat hacker being
caught by the FBI, the FBI
then offering them an olive branch
of becoming a member of the FBI
or whatever the three-letter agency name is.
And I feel like that's probably
not untrue of what goes on in Russia.
Like, when you talk about posturing
and war and, you know,
you know, aggression,
wouldn't you want the best weapons
in your, in your army,
and like, in your best tools in your toolbox?
And it's like, if you're arresting
literally the world's greatest,
you know, malware
and hacking guys or groups,
why would you not
offer them an olive branch and be like,
actually, hey, we're thinking about invading these
countries, do you want to come facilitate
that with us?
So that's where my head goes to, is it goes to
pop culture TV.
Sure. Oh, that's interesting. I didn't even get there. It's like you're, you're, um, you're
amassing resources a little bit. Yeah, first we got to pull you off the street, but then we're
gonna have a conversation. It's like, hey, you've got two options here: gulag or, like, essentially
bureaucratic royalty. Which one would you prefer? Yeah, you're already independently wealthy.
Yeah, do you want to do this same thing you've been doing for... Huh, that was an interesting,
interesting take. We're going to let you keep all your money. We're going to let you live in the
nicest St. Petersburg apartments and all you have to do is go to work every day and attack who
we tell you rather than who you want to. So.
Huh. I like that. I don't like that. I hate that. But I think that's a very interesting
take. And it's kind of compatible with, I think, where my brain went to, which is that like,
So you're Russia and you've got this war that you're interested in waging.
And you're amassing digital and physical troops at your enemy's borders, so to speak.
But at the same time, you've got this digital insurgent group inside your own borders.
Picking a fight with an unrelated target, the other like big dog in the yard.
And while you're trying to wage your war on your border, this insurgent group,
is picking their own fight against this unrelated huge threat.
And you start to notice, right, that, okay, these folks inside my borders keep picking this fight.
And if they keep doing that, the people they're fighting might take my enemy's side.
So you probably want to shut that insurgency group down.
So they don't keep attracting any more attention than you're already getting for the war that you want to be waging.
So that you can keep attacking your enemy without all this negative spotlight shining down.
on you. See, see, I agree with you in like a thing, but I think the, where my mind goes is, in the
world that we live in, where if you're going to be an aggressive nation state, like we are so
technologically driven as a, as a globe now, like every single country, it doesn't matter,
you know, first world, second world, third world, whatever. We all have communication networks. We all
have computer-controlled infrastructure, we all have, et cetera, et cetera. Russia being more cool
with hacking and things like that for the last 20 years has led to them now probably,
truthfully, becoming the global specialist at it. They've allowed people to learn and train,
sharpen and tune and profit from these tools and skills and tactics, which has allowed a lot of
them to evolve them, where, you know, look at the, like, two or three episodes ago we were
talking about somebody who viewed the source of their website getting charged in the United States.
Like, I don't think that would happen in Russia. So it's like, you know, many nations are now
underdeveloped where certain nations, notably Russia and probably North Korea, are probably
overdeveloped, very developed. So, you know, if you look at it as
training and skilled development, which is a weird way to look at it.
Yeah, sure. Capacity building.
Capacity building for future wars.
Russia has been capacity building for a lot longer than a lot of other places.
So, you know, we have specialists here that work for the NSAs and the CIAs and stuff like that.
But I don't think it's the same incentive as the profit incentive of the way that Russia's been learning it.
I think it's, I think you're totally right.
And I think that even if we think of it like capacity building, where by allowing these people to do this for so long unchecked, you've allowed them to develop tools and technology.
It's like IP.
They've developed all of this great new stuff.
You've built this capacity.
But I think it's compatible with this idea that you've also, from a diplomatic perspective, you've built a bargaining chip.
Like you've built this thing that you can take on or off the table.
And that has some diplomatic utility.
Yeah.
During the REvil arrests on Friday, officials from FSB and the Department of Ministry of Internal Affairs seized computer equipment, I think 20 luxury cars, like five and a half million rubles just sort of laying around, a few million more in crypto.
But it's thought that this is just like this tiny constituent of what this group had earned over the years.
This was what was in their house essentially.
Yeah, sure.
Who knows where the rest of it is.
I only had $10 million in cash sitting under my bed, but the rest is.
100%.
buried in bank accounts and investments around the world.
Totally.
You look at the blog posts and then you look at what's buried in their mattress.
And I'm like, I'm sure some of this is, you know, bullshit.
But I'm also sure that this is just a fraction of what you have.
Like buried in the woods somewhere as a crypto wallet.
Like I believe that.
In all of this, there's this one figure we didn't really talk about.
And it's REvil's most prominent voice, a hacker who went by the name Unknown.
And at some point over the last couple years, Unknown gives this interview with a very relevant quote that I think we'll end on.
Unknown says, quote, I don't want to be a bargaining chip.
We brushed up against politics and nothing good came of it, only losses.
And with the current geopolitical relationships, everything is very beneficial for us without any interference.
And Unknown was talking about the then current geopolitical relationships.
Relationships that have changed and are changing and will have changed by the time most people listen to this.
And as those, you know, bigger geopolitical relationships change, it's almost like the earth moving under the feet of these hackers who built their whole enterprise on top of it.
And suddenly, they've, temporarily at least, become exactly what Unknown and REvil were afraid of becoming.
A bargaining chip.
Thanks for listening, everybody.
Big old shout out to our new patrons this month.
Patreon.com slash hacked podcast.
I just want to thank Jim.
Thanks, Jim.
Thank you, Kathleen, boys.
Time for crab.
Thank you.
Oslieo.
Oslie Zero.
Thank you.
Luke, thanks.
Kevin Bragg?
Thumbs up.
Kevin.
Stephen Decker.
Do really appreciate it.
And last but not least,
Danny, thank you.
If you like this episode, if you like the show,
support us on Patreon.
on patreon.com slash hacked podcast. Thank you so much for listening. This was a really interesting one
to put together. Hope it was a timely, interesting one for you to listen to. And we are excited to
catch you back here in the next one. See you soon.
