What do you do if you’re a modern state and need extra capacity in a hurry? You outsource. And if you’re also a kleptocracy, to whom can you turn for this? Criminals. It’s not clear whether Qilin, the Russian hacker group behind the recent attack on NHS suppliers, is run, encouraged, or simply given a pass by the Kremlin, but the growing interpenetration of espionage, subversion and crime is a threat we must recognise.
Qilin, which engages in ‘ransomware’ attacks whereby it locks up a target’s systems until it pays to have them unlocked – £40 million is the demand in this latest attack – has been active since October 2022. The group refuses to discuss its origins ‘for security reasons’, but has been widely linked to hackers in Russia. However, while one US intelligence source told me their view was that ‘this group has direct links with the Russian security services, probably the FSB’ – the notorious Federal Security Service – ‘and may even be run by them,’ the consensus seems to be that it is really just a criminal gang, even if it has tried to give its recent attack a vague political message that it is punishing Britain for not putting ‘a penny on the lives of those who fight on the front edge of free world.’
Qilin has also diversified into ‘ransomware-for-hire’ activities, offering other groups access to its malware in return for a cut of their profits. These groups, scattered around the world, may well be vulnerable to law enforcement operations, but so long as Qilin itself continues in its current practice of not launching attacks within Russia or allied post-Soviet states, it is likely safe.
One pernicious by-product of the collapse in relations between Russia and the West since Putin’s invasion of Ukraine in 2022 has, after all, been the virtual end of any law enforcement cooperation. There still is some very limited information-sharing, largely over cases of terrorism (as witnessed by the US warnings ahead of the attack on Moscow’s Crocus City Hall music venue in March) or paedophilia and child abductions. Otherwise, Russia, which in any case doesn’t extradite its own nationals, is now essentially unwilling to prosecute any crimes committed on its territory that affect western targets.
Yet it is not simply that Russia is becoming a safe haven for transnational criminals. Although cheap media cliches about a ‘Mafia State’ over-simplify – the Kremlin no more controls organised crime than vice versa – there have long been pragmatic ‘understandings’ which are becoming increasingly strong. Back in 2017, I warned that:
Russian-based organised crime groups in Europe have been used for a variety of purposes, including as sources of ‘black cash’, to launch cyber attacks, to wield political influence, to traffic people and goods, and even to carry out targeted assassinations on behalf of the Kremlin.
Since then, this relationship has only strengthened. There is still a clear distinction between the (corrupt) state and traditional organised crime, but the degree to which the former is having to use the latter as an instrument of its statecraft abroad is only increasing. The mass expulsions of some 600 Russian intelligence officers working under diplomatic cover across Europe in the past two years, for example, have simply forced them to find new ways of gathering intelligence and conducting covert operations at the very time when the Kremlin has become less concerned about diplomatic blowback. As one former Russian diplomat told me: ‘the more Putin feels isolated and demonised, the less reason he has to rein in the special services.’
We have seen a Russian defector gunned down in Spain in what looks like an assassination outsourced to organised crime, sanctioned electronic components stolen to order and even greater use of blackmail and extortion to force people into working for Moscow’s intelligence agencies. However, it is in the cyber realm that some of the closest working relationships are to be found, such that a GCHQ officer admitted that it is ‘often hard to know where government operations end, and criminal enterprise begins.’
GCHQ director Anne Keast-Butler has warned that her agency is ‘increasingly concerned about growing links between the Russian intelligence services and proxy groups to conduct cyber-attacks’ and although, until recently, the Kremlin seemed relatively cautious in its physical and online operations in the West, there seems to be a greater willingness to take risks. The aim seems to be general disruption, but also a warning that if the West insists on involving itself in Ukraine’s war, then it will face consequences.
This is where online criminals such as Qilin fit in. They may be getting direct support from the Russian state, but this is unlikely. It is more likely that, with the Kremlin no longer willing to cooperate with the West and eager to spread chaos and dysfunction (or, a cynic might say, more chaos and dysfunction), it has no reason to prosecute such groups and every reason to encourage them. Today, they operate with the state’s benign neglect. However, if they uncover data that may be of value to the state, or if it decides it wants to troll or give grief to a particular target, then the line between criminal organisation and government asset will prove very easy to cross.