Wazawaka & Co., Part 2: Patriotic Hacker
The patriotic rhetoric, targeting and timing of attacks, and occasionally unprofitable operations of Mikhail Matveev's Babuk ransomware group align with Russian state strategic interests
In a previous posting, we discussed a report by cybersecurity company Prodaft that explores the place of Mikhail Matveev, a.k.a. Wazawaka, in the stormy Russian-speaking cybercrime ecosystem. As summarized in the Prodaft report, at various times Matveev operated and managed the Babuk and Monti ransomware operations, collaborated with actors from the RagnarLocker group, and worked as an affiliate of the Lockbit, Conti, Hive, NoEscape and Trigona groups.
Politics was not the focus of Prodaft’s analysis, but their report acknowledged that Wazawaka associated with “government-affiliated individuals” such as Conti actors, Yevgeniy Bogachev, and possibly the EvilCorp group. In addition, the material they presented gave glimpses into the political side of Matveev, such as rumors that he could be a police stooge. As the Natto Team commented there, the fact that Matveev continues to flaunt his exploits publicly, apparently confident that nobody will turn him in and claim the $10 million price the US State Department has offered for his arrest, suggests that he feels he has impunity in Russia.
In the present report, the Natto Team looks at Matveev’s words and actions and what they show about the likely character of his relationship to the Russian state. Matveev was not just a heartless criminal, but also portrayed himself as an ardent Russian patriot. Given that Russian officials and state media depict Russia as being in a de facto war with the West, particularly the “Anglo-Saxons” and especially the United States, Matveev rhetorically aligns himself with Russia’s side in that conflict. And he has claimed responsibility, in effect, for attacks that aligned with Russian strategic goals, sometimes apparently at the expense of his own financial well-being.
Cybercriminals and the Russian State
Natto Thoughts reports such as “Putin: The Spy as Hero,” “Stymied in Ukraine, Putin’s Government Resorts to Covert Sabotage and Panic-Mongering in the West,” “It's Raining on Putin’s Victory Day Parade,” and “The Code of the Underworld: Mafia-Like Conflict Hinders Russian War Effort” have explored cybercriminals’ relationships with the Russian state.
The extent to which the Russian government values IT experts and hackers is evident in battles over the extradition of Russian hackers arrested outside Russia (see Natto Thoughts report “Two US Setbacks in Extradition Battles With Russia”). In one such battle in 2017, a Kremlin-friendly IT entrepreneur described hackers and IT specialists as a “combat resource” that the Russian state needs to watch over, lest Russia’s enemies coopt them for cyberattacks on Russia (https://www.gazeta[.]ru/army/2017/08/26/10859996.shtml). Accenture Cyber Threat Intelligence (ACTI) has described the Russian government’s wielding the threat of Russian hackers as “a sword of Damocles” to threaten and deter Russia’s adversaries and has used the term “hybrid ransomware” to describe those operations that align with both cybercriminals’ financial gain and state strategic goals. ACTI has also discussed how Russian state officials can use “carrots” — the ability to make money with impunity — and “sticks” — the threat of imprisonment — to induce criminals’ cooperation with state-directed projects, as well as hackers’ perceptions of the tension between doing their patriotic duty and making money.
Numerous excellent works have analyzed the range of state/hacker relationships—from uniformed hackers, through IT contractors, through coopted criminals, to “patriotic hackers.” These include works published by the Center for European Policy Analysis, the Atlantic Council, and Recorded Future.
Cyber law researcher Jason Healey introduced a 10-point “spectrum of state responsibility” for cyber threat operations, which provides a guide to clarifying relationships between cyber threat actors and the state. He explained why such a spectrum is necessary with an analogy: a crowd is throwing bricks at one’s house. One could try to catch and stop each brick-thrower individually; but if someone is egging them on, it would be quicker to convince that person to call off the attack.
The latest version of Healey’s spectrum reads as follows:
State-prohibited: The national government will help stop the third-party attack
State-prohibited-but-inadequate: The national government is cooperative but unable to stop the third-party attack
State-ignored: The national government knows about the third-party attacks but is unwilling to take any official action
State-encouraged: Third parties control and conduct the attack, but the national government encourages them as a matter of policy
State-shaped: Third parties control and conduct the attack, but the state provides some support
State-coordinated: The national government coordinates third-party attackers such as by “suggesting” operational details
State-ordered: The national government directs third-party proxies to conduct the attack on its behalf
State-rogue-conducted: Out-of-control elements of cyber forces of the national government conduct the attack
State-executed: The national government conducts the attack using cyber forces under its direct control
State-integrated: The national government attacks using integrated third-party proxies and government cyber forces
In a 2021 conference presentation, cybersecurity expert Josh Miller provides an example or two — mostly Iranian — for each category.
A simpler set of categories comes from Recorded Future’s report, which distinguishes Russian cybercriminals who had “direct affiliations” with Russian government agencies from those with “indirect affiliations” and those with “tacit agreements”; Recorded Future defines the latter as the “overlaps in cybercriminal activity, including targeting and timing, that benefit Russian state interests or strategic goals; such activity is conducted without direct or indirect links to the state but is allowed by the Kremlin, which looks the other way when such activity is conducted.”
The Natto Team assesses that Wazawaka likely fits in the category of a cyber criminal who has a tacit agreement with Russian state officials and possibly serves as a police informant in return for remaining at liberty to make money. In Healey’s terms, he probably fits in the “state-encouraged” or possibly “state-coordinated” category.
Signs that a ransomware criminal might include political considerations in their activities include timing and targeting that align with state priorities; political comments in ransom notes, forum postings, or even words inserted into malware code; and occasionally making an unrealistically high or strangely low ransom demand, showing a non-financial motivation for that operation. Wazawaka shows all of these.
Targeting and Timing
A recent analysis of the timing of Russia-origin ransomware attacks makes the case for politically timed ransomware attacks. “Assessing the Political Motivations Behind Ransomware Attacks,” by authors from Stanford University, looks at Russia-based double extortion incidents (referring to incidents where the threat actor steals information from a victim system, then paralyzes the system using encryption, and demands money both for decrypting the system and for refraining from selling or publicizing the data) in the period Nov 2021-Apr 2022. The authors find “trends in the targeting of these attacks that are unlikely to be explained by financial motivations alone,” such as clusters of attacks on foreign election systems around the time of elections.
As for Wazawaka, the Prodaft report assessed that his group “adopted an opportunistic approach in selecting their targets.... Despite our knowledge of Wazawaka’s associations with government-affiliated individuals, we did not observe any instances of victims being specifically designated by external parties.”
Nevertheless, Wazawaka may have responded to cues from Russian officials and state media in choosing targets that would have political impact at particular times.
Ransomware actors often dwell in a breached system for weeks or more, exfiltrating data they can use for extortion. Sometimes, when they finally unleash the encryption malware, the purpose is to cover their tracks or to send an additional message, and in some cases they have not even set up the capability to receive a ransom. Operations of that kind are more likely to be politically motivated. The Russian military hacker group Sandworm often used pseudo-ransomware, most famously in the NotPetya attack of June 2017 and the WhisperGate attack of January 2022, to hide what were essentially destructive attacks against nearly the entire country of Ukraine. Some other ostensibly ransomware attacks raise the possibility of being politically motivated as well. Threat actors using the LockerGoga malware crippled the Norwegian energy and metal producer Norsk Hydro on March 19, 2019, within hours after the Norwegian government publicly blamed Russia for GPS jamming during a recent NATO exercise. One possible explanation for this timing is to make a political point. (Additional evidence pointing to the possibility of Russian state involvement in that incident appears here).
Two attacks involving Matveev, described below, took place shortly before May 9, the date on which Russia celebrates victory over Nazi Germany in World War II. This date has for decades served as a powerful legitimating factor for successive Soviet and Russian governments. It is usually an occasion to tout Russian military might and any geopolitical victories. This is the kind of date a criminal might pick in order to show his patriotism. In the pieces “It’s Raining on Putin’s Victory Day Parade” and “The Code of the Underworld,” the Natto Team has described cyber operations that may have been timed to be able to boast “wins” for Russia around that date.
DC Metropolitan Police Department:
On 27 April, 2021, Babuk posted a sample of files stolen from the Metropolitan Police Department (MPD) in Washington DC, including information on the MPD’s efforts to defend the US Capitol building during the insurrection of 6 January 2021. Babuk’s message said, “We will continue to attack the state sector of the USA, FBI CSA [sic, likely referring to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency]....even larger attacks await you soon.” They issued this claim on the very same day that MPD officer Michael Fanone testified about the physical and mental trauma he had suffered while trying to defend the US Congress on January 6 2021. In addition, at least one of the files the gang featured in their sample appeared to relate to the January 6 events. When ransom talks broke down, Babuk actors subsequently released more stolen data, including police officers’ Social Security numbers and psychological evaluations.
Matveev took full responsibility for posting the sensitive material of this traumatized police department, even though he had not himself directly carried out the breach: in an August 2022 interview with Recorded Future he recalled that, after he had set up the Babuk affiliate program, “Then one comrade came to us [an affiliate], who actually said that he had access to the police department....The affiliates wanted a certain ransom, and in the end, as we say in Russian, ‘shat their pants and ran’ when it came to uploading the data. They refused to accept the $100,000 ransom counteroffer by the MPD. But my take was: ‘If you do not accept the money, I will post this data on the blog’. To which the affiliates asked me, terrified, not to do this. I told them that the stolen data is the property of the Babuk affiliate program...”
In a May 2023 Recorded Future interview, he expanded on his motive for posting data that others had stolen from the MPD and from another US police department: “I just uploaded the data... to prove that it really had been stolen, and it wasn’t a hoax...” These statements suggest that he was not always motivated only by immediate financial gain.
Costa Rica:
The Prodaft report notes, “Wazawaka admitted in a conversation (as can be seen from Figure 54) to being responsible for orchestrating a Conti attack on Costa Rica.” They also cite a message where “WhyNot,” a group member, tells Wazawaka, “I got myself a book from Group IB [a Russian cybersecurity firm]. Well, there’s something about Costa right on the first pages. Will you sign it for me as a keepsake?”
A user nicknamed UNC1756, posting on the Conti ransomware group website, had claimed responsibility for April 2022 ransomware attacks that paralyzed virtually the entire government of Costa Rica for months. A month later a threat actor associated with the Hive ransomware enterprise claimed responsibility for an attack on Costa Rica’s Social Security Fund. (We recall that Matveev has also been an affiliate of Hive). Former Costa Rican President Carlos Alvarado Quesada claimed the attacks were politically motivated and were aimed “to threaten the stability of the country in a situation of transition” as the country prepared for the swearing-in of a new president on May 8. The message on the Conti website contained a veiled threat: "in the chat we are open for private dialogue…. keep stability in your beautiful country, you have beautiful nature, educated young people, developed business, we are waiting for you in the chat." The threat actors added that Costa Rica “cannot recover the information, they turned to the US for help and were told not to pay.” A further message, entitled “For Costa Rica and U.S. Terrorists (Biden and his Administration),” urged Costa Ricans to “organize rallies” to pressure the government to pay, and said, “we are determined to overthrow the government by means of a cyber attack.”
Why Costa Rica? One possible reason jumps out: it was the only Latin American country that joined global sanctions against Russia. The attack also aligns with the long-term Russian foreign policy goal of reducing US influence in Latin American countries and, more broadly, US global dominance. In addition, the attacks helped set a negative tone on the eve of the US-hosted Summit of the Americas that began on 6 June. These operations align with broader Russian diplomatic efforts in the “Global South” countries of Latin America, Africa, and Asia.
The Babuk gang has also stolen militarily sensitive data and threatened to leak it to enemy countries. On March 23 2021, the Babuk gang threatened to leak data of PDI Group, a US military supplier, and posted purported sample data. They wrote, “The publication of this information may lead to problems with the law and cause concern to customers. In addition, given the state of international politics, the information may be of interest to countries such as Russia and China. We are ready to delete these files and help with solving security problems.”
Wazawaka also associated with other threat actors whose activities aligned with Russian strategic interests
Conti:
As mentioned above, Matveev claimed to have carried out the attack on Costa Rica as an affiliate of the Conti group. The Conti group was ardently patriotic, having declared support for the Russian state immediately after the invasion of Ukraine and threatened “retaliatory measures” against any “American cyber aggression." Researchers analyzing leaked material from the Conti group and from the related Trickbot group have found Russian government officials contacting Conti actors with requests for help and tip-offs on American investigations. In May 2022 the US government warned US critical infrastructure organizations against threats from “Russia-aligned” cybercrime groups, including Wizard Spider, a group that includes Conti actors.
It is reasonable to consider the possibility that Conti actors could have served as go-betweens from their Russian government contacts to their affiliates such as Matveev; they could have transmitted suggestions on targeting and timing. Such a hypothesis would require further investigation.
Darkside/BlackMatter/AlphV/BlackCat?:
In a previously mentioned September 21 2023 forum posting by user “Vinki” (Figure 3 of the Prodaft report), Vinki lists groups with which Wazawaka has affiliated and suggests that Wazawaka has exploited them. Vinki says, “He beautifully makes a fool of Lockbit (at the moment) and, in the past, Hive and Alpha.” His reference to “Alpha” might imply that Matveev did business with Alpha, a new ransomware group that emerged in early 2023 and whose malware appears to be a spinoff of the old Netwalker malware.
Alternatively, Vinki’s reference to Alpha may imply that Matveev did business with AlphV, a.k.a. AlphaV or BlackCat, a ransomware operation so devastating that the US State Department has offered up to $10 million in rewards for conviction of its members.
Vinki may well have had AlphV in mind, because Matveev appears to have had a relationship with its predecessor groups DarkSide and BlackMatter. Brian Krebs noted that Wazawaka once claimed in a forum to have “teamed up” with operators of AlphV predecessor DarkSide, the group that carried out the devastating attack on Colonial Pipeline in May 2021, causing long lines and panic-buying at US gas stations. Later, the leaders of Babuk spinoff group Groove allowed the BlackMatter gang, the successor to the DarkSide group, to store one of their victims’ data on a Babuk server, possibly signifying that “the Groove gang worked as an affiliate for the BlackMatter gang,” according to Intel 471. Later still, members of BlackMatter rebranded as AlphV, also known as BlackCat or AlphaV.
Following in the footsteps of DarkSide, AlphV operators have carried out numerous attacks against pipelines and other critical infrastructure. They crippled militarily sensitive fuel-loading facilities and ports in Central Europe on the eve of Russia’s invasion of Ukraine. They also targeted an Argentinian company that was developing liquefied natural gas production, at a time when many countries were scrambling to find new supplies of fuel, including from Latin America, to lessen dependence on Russian fuel. These attacks align with Russia’s strategic goals. (The US government said in December 2023 that it had shut down AlphV’s online infrastructure and developed a decryption tool for hundreds of victims; on February 15 2024 the US State Department offered up to $10 million in rewards for the apprehension of AlphV/BlackCat operators. AlphV operators claimed to have restored their darknet presence, called for and claimed new attacks on critical infrastructure, and also threatened to leak masses of military documents they claimed to have stolen from a US military contractor).
In addition, as the previous report discussed, Matveev has interacted with Yevgeniy Bogachev and possibly with the EvilCorp group, both of whom have ties with Russian intelligence services. Hypothetically, they too could serve as intermediaries transmitting “suggestions” on targeting and timing from government officials to someone like Matveev.
“I Declare War on the United States!” Patriotic Rhetoric
In addition to the anti-US statements during the MPD and Costa Rica campaigns, Matveev and the Babuk persona have often made statements of loyalty to Russia and hostility to its adversaries and competitors. As mentioned in the previous report, in January 2022 Matveev “declared war” on the US and released a zero-day exploit that could be used against global targets. He likely views himself as part of a community of Russian hackers who show their patriotism by attacking Russia’s enemies. In his current Twitter account (https://twitter[.]com/ransomboris), he describes himself as a “Russian security artist.” This evokes a statement Russian President Vladimir Putin made in 2017. When challenged about the Russian hackers who had breached Democratic party computer systems and weaponized the data during the 2016 US presidential election, Putin said, "Hackers are free people. They are like artists. If they are in a good mood, they get up in the morning and begin painting their pictures. Hackers are the same. They wake up in the morning, they read about some developments in international affairs, and if they have a patriotic mindset, then they try to make their own contribution the way they consider right into the fight against those who have bad things to say about Russia." Analysts have interpreted that statement as Putin’s encouragement of “patriotic hacking to provide cover for state-run operations.”
The Babuk website, when it launched in January 2021, claimed that the group would refrain from attacking certain organizations, including “any non-profitable [sic] charitable foundation (except the foundations who help LGBT and BLM).” Thus it was declaring disdain for LGBT, referring to lesbian, gay, bisexual and transsexual people, and BLM, referring to the Black Lives Matter racial justice organization in the United States. (Russian state media portray Black Lives Matter protests unsympathetically). The Babuk website also featured a crude comment about US President Joe Biden. Matveev was thus showing interest and taking a side in United States politics.
His rhetoric targets other competitor countries as well. “Come, rob, and get dough!…show them who is boss,” Wazawaka stated in a March 2020 forum thread where he sold stolen access credentials for a major Chinese company, Brian Krebs reports.
According to the Prodaft report, after his US indictment, Matveev bragged that he was a “hero of the country now....everyone is on my side. They want to give me a reward. Sometimes people come up to me on the street to shake my hand. They showed the news on the federal media.” (Figure 12 of the Prodaft report). At the same time, he acknowledged that he would not be able to travel outside Russia, lest he be arrested. The Prodaft authors note, “This conversation paints a complex picture of Wazawaka’s mixed emotions, balancing national pride, public acknowledgement, and the sobering reality of legal constraints.”
Occasionally Non-Remunerative Activity
Matveev has said he prefers not to sell the data stolen during ransomware operations, instead leaking it openly online. “The only and the main principle of ransomware is: the information that you steal should never be sold,” Matveev’s “Uhodiransomwar” account wrote in August 2020. “The community needs to receive it absolutely free of charge if the ransom isn’t paid by the side that this information is stolen from.” He might have various financial motives for doing this, such as increasing the potential embarrassment of the victim to force them to pay ransom. However, another possible reason is that the practice is designed to undermine the reputations of the victim organizations rather than to make money. In the Washington DC Metropolitan Police Department attack mentioned above, Matveev asserted that he leaked the MPD data rather than trying to get money for it, likely for the political motive of embarrassing that department and the entire US government. In essence, this is ransomware as an information operation.
Coping with the Threat
An organization wanting to defend against ransomware threats or suffering an ongoing incident might consider these factors — political rhetoric by the threat actor, politically sensitive targeting or timing, and ransom demands that do not align with a purely financial motive — in deciding whether the threat or incident may involve a hybrid of financial and political motives. Organizations should apply the usual protection measures such as cyber hygiene, employee education, insider threat awareness, multi-factor authentication, offline data backups, and least-privilege policies to minimize damage.
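The three indicators named above (political rhetoric, politically sensitive timing, and a ransom demand that makes no financial sense) can be applied as a triage check over incident records. The following is an added example written for this post, not code from Natto Thoughts, Prodaft, or any of the groups discussed; the keyword list, the 14-day window, the demand-to-revenue thresholds, the two-of-three rule, and the sample incidents are all assumptions constructed for illustration (the first sample mirrors the shape of the April 2021 MPD leak-site post quoted earlier).

```python
"""Hybrid-motive triage for ransomware incidents (illustrative, not vendor code)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumption: phrases modelled on the rhetoric quoted in the post; extend per case.
POLITICAL_TERMS = (
    "state sector of the usa", "terrorists", "overthrow the government",
    "biden", "declare war", "russia and china",
)
# Assumption: annual dates treated as politically loaded, keyed by (month, day).
ANNUAL_DATES = {(5, 9): "9 May Victory Day"}
WINDOW_DAYS = 14       # assumption: within two weeks of a key date counts as "timed"
RATIO_HIGH = 0.10      # assumption: demand above 10% of annual revenue is unrealistic
RATIO_LOW = 0.0001     # assumption: demand below 0.01% of revenue is strangely low


@dataclass
class Incident:
    victim: str
    observed: date                      # date of encryption or leak-site post
    note_text: str                      # ransom note or leak-site text
    demand_usd: Optional[float] = None
    revenue_usd: Optional[float] = None
    event_dates: Tuple[Tuple[date, str], ...] = ()  # victim-specific events


def political_rhetoric(text: str) -> List[str]:
    """Return the political phrases found in the note (case-insensitive)."""
    low = text.lower()
    return [term for term in POLITICAL_TERMS if term in low]


def days_to_annual(d: date, month: int, day: int) -> int:
    """Days from d to the nearest occurrence of an annual date, across year ends."""
    return min(abs((date(y, month, day) - d).days)
               for y in (d.year - 1, d.year, d.year + 1))


def timing_hits(inc: Incident) -> List[str]:
    """Key dates (annual or victim-specific) within WINDOW_DAYS of the incident."""
    hits = []
    for (m, dd), label in ANNUAL_DATES.items():
        gap = days_to_annual(inc.observed, m, dd)
        if gap <= WINDOW_DAYS:
            hits.append(f"{label} ({gap} days)")
    for when, label in inc.event_dates:
        gap = abs((when - inc.observed).days)
        if gap <= WINDOW_DAYS:
            hits.append(f"{label} ({gap} days)")
    return hits


def demand_anomaly(inc: Incident) -> Optional[str]:
    """Flag a demand that is implausibly high or low relative to victim revenue."""
    if inc.demand_usd is None or not inc.revenue_usd:
        return None
    ratio = inc.demand_usd / inc.revenue_usd
    if ratio > RATIO_HIGH:
        return f"unrealistically high demand ({ratio:.1%} of revenue)"
    if ratio < RATIO_LOW:
        return f"strangely low demand ({ratio:.4%} of revenue)"
    return None


def assess(inc: Incident) -> dict:
    """Collect the three indicators; suspect a hybrid motive when two or more fire."""
    result = {
        "rhetoric": political_rhetoric(inc.note_text),
        "timing": timing_hits(inc),
        "demand": demand_anomaly(inc),
    }
    result["hybrid_motive_suspected"] = sum(1 for v in result.values() if v) >= 2
    return result


# Constructed sample incidents; none is real case data.
SAMPLES = [
    Incident("city police dept", date(2021, 4, 27),
             "We will continue to attack the state sector of the USA ... "
             "even larger attacks await you soon.",
             event_dates=((date(2021, 4, 27), "officer testimony on 6 Jan events"),)),
    Incident("regional retailer", date(2021, 9, 14),
             "Your files are encrypted. Contact us for the price.",
             demand_usd=500_000, revenue_usd=80_000_000),
    Incident("government ministry", date(2022, 4, 18),
             "For the U.S. terrorists ... we are determined to overthrow the government.",
             demand_usd=20_000_000, revenue_usd=150_000_000,
             event_dates=((date(2022, 5, 8), "presidential inauguration"),)),
]

if __name__ == "__main__":
    for inc in SAMPLES:
        print(inc.victim, assess(inc))
```

A hit on this check is a prompt to involve the relevant government agency early, not an attribution on its own.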
In an incident that could have national security implications, it is especially important to work with government agencies, such as by contacting the FBI’s Internet Crime Complaint Center (IC3) if you are in the United States. Government initiatives such as the US Cybersecurity and Infrastructure Security Agency’s StopRansomware program and ongoing advisories can help. In addition, the Atlantic Council provides extensive recommendations for policymakers on how to grapple with the threat of politically entangled cybercrime.
As for the story of Wazawaka in particular, Prodaft’s report, discussed in the previous Natto Thoughts posting, provided several suggestions including the following:
Ransomware actors cannot be trusted to decrypt your systems or refrain from leaking your stolen data, even if you pay the ransom.
Compromised IT staff could have an incentive to exaggerate the sophistication of an attack in order to excuse their own failure to prevent it.
It may be possible to exploit the divisions and distrust among cybercriminal groups against them.
p.s. Escape from Bakhmut: Political Commentary, or Life as Video Game? Updated April 20 2024
The Prodaft report cited a May 5 2023 posting by one of his criminal group members in a chat dedicated to mocking another member, shokoladniy_zayac. The post (Figure 9 of the Prodaft report) reads (in Latin letters): DumkiUlistsheniyaakaPobegIzBahmuta; in Cyrillic this would likely break out to Думки Улищения a.k.a. Побег Из Бахмута. The final part of this string corresponds to the Russian phrase “Escape from Bakhmut,” referring to the Ukrainian city that would finally fall to Russian forces in late May 2023. (The first part of the phrase could have various possible meanings in several Slavic languages but most likely should be Думки уліщення, meaning “thoughts of flattery,” though the intended sense is unclear). Prodaft hypothesized that the phrase “Escape from Bakhmut” may mean that shokoladniy_zayac lived in Bakhmut and finally was able to flee. Alternative explanations might also be considered. It could be a mildly critical political commentary. On May 5, citing poor support from Russia’s Defense Ministry, mercenary chief Yevgeniy Prigozhin threatened to withdraw his Wagner forces from around Bakhmut on May 10. The Natto Team analyzed that dramatic moment in “The Code of the Underworld: Mafia-Like Conflict Hinders Russian War Effort.” Alternatively, if the phrase is supposed to be in the Ukrainian language, it could be intended to point to the Ukrainian soldiers’ withdrawals from parts of Bakhmut. A fuller understanding of the political nuance of that comment would require further context.
Update April 19-20 2024: A sharp-eyed reader pointed out that the phrase “Escape from Bakhmut” could be a reference to the video game “Escape from Tarkov,” a “zone game” or “extraction shooter” in which a Russian-speaking private militia battles an English-speaking mercenary group and local bandits in a fictional Russian city to obtain and extract valuable items. The game is unusual in that it has real consequences: if a character dies, he loses his weaponry for good. The Wazawaka members were likely familiar with this game. It might be especially appealing to cybercriminals, who resemble the game players in that their goal is to enter the territory of victims’ computers, steal information, and emerge undetected.
The Wazawaka members might possibly have also been familiar with a more obscure video game entitled “Escape from Bakhmut,” featured on a Bakhmut-themed closed discussion forum (hxxps://baxmyt.forum2[.]net/viewtopic.php_id=4). The Wazawaka members were more likely to be familiar with a video that pro-Kremlin media circulated on April 29, purportedly taken by a Ukrainian soldier as he fled from Bakhmut along the “road of death” under fire from the Wagner militia. So it is possible they were mocking Ukrainian soldiers like the one whose escape video was shown on April 29, or mocking Russian mercenary leader Yevgeniy Prigozhin for threatening to leave Bakhmut on May 5, or they were simply interpreting bloody current events through the lens of a video game.