For many years, the community has watched different Russian state-aligned actors intersect with cybercrime ecosystems to varying degrees and with different purposes. At CYBERWARCON 2022 – Microsoft discussed the development of a never-before-seen "ransomware" strain known as Prestige by IRIDIUM/Seashell Blizzard, a group publicly reported to be comprised of Russian military intelligence officers. The cyber-attack, disguised as a new “ransomware” strain, was meant to cause disruption while providing a thin veneer of plausible deniability for the sponsoring organization.
This presentation will focus on a different threat actor (Storm-0978) that emerged in the Spring of 2022 that legitimately conducts both cybercrime operations as well as espionage/enablement operations, with possible ties to Russian security services. Is it a cybercrime group conducting espionage or a government-sponsored group conducting cybercrime? Why are we seeing the confluence of what historically have been separate objectives - is Russia limited in its ability to scale wartime cyber operations? Is Russia activating cybercriminal elements for operations to provide a level of plausible deniability for future destructive attacks? The Ukraine war has illustrated that Russia has likely had to activate other capabilities on the periphery. Storm-0978 is one probable example where it’s clear that other elements have been co-opted to achieve objectives of both a wartime environment and strategic landscape either to achieve effects-led operations or prepositioning.