Russian Government Accused of Involvement in Kaseya Cyber-Assault by Unidentified Hacker

At DEFCON 33, Analyst1's Jon DiMaggio disclosed potential Russian government link to the Kaseya cyber assault

In an exclusive interview at DEFCON, Yaroslav Vasinskyi, a former affiliate of the notorious REvil ransomware syndicate, shared insights about his role in the infamous Kaseya attack in July 2021 and his claims of ties between REvil and the Russian government.

Vasinskyi, who is currently serving over 13 years in US federal prison at FCI Danbury, Connecticut, alleged that the Kaseya attack was chosen specifically for its software distribution capabilities, with the goal of inflicting maximum damage on thousands of downstream clients. He claimed that he prepared the attack himself, from initial access to testing the final payload, but handed the payload delivery phase over to REvil.

The operation to cripple downstream systems, gather information, and access critical infrastructure during the Kaseya attack was conducted by REvil, according to Vasinskyi. However, he disputed the theory that UNKN, the persona behind the attack, was Aleksandr Ermakov, a former Russian police officer. Instead, Vasinskyi believes that two people controlled the UNKN account: Ermakov, who took orders, and one who gave them. The true leader, Vasinskyi insisted, remained "Unknown."

Vasinskyi's account suggests that the true role of REvil was as a technical contractor, not an operational commander, in the Kaseya attack. He claimed that he tried to leave REvil multiple times for moral reasons but was blackmailed into preparing the Kaseya attack before leaving.

Jon DiMaggio, chief security strategist at Analyst1, interviewed Vasinskyi about his experiences with REvil and published his findings in the Ransomware Diaries Volume 7 report on August 9. DiMaggio noted that, on every point he was able to test, Vasinskyi appeared not to have lied.

Vasinskyi's troubles with REvil and high-ranking figures extended beyond the Kaseya attack. He attempted to leave REvil in March 2020 due to personal tragedies and moral concerns about alleged attacks on a Baptist church and a hospital. However, his handlers were more powerful than REvil's government-linked associates, suggesting his troubles stemmed from entanglement with high-ranking figures.

Vasinskyi operated out of Poland with a few trips to Ukraine while working with REvil. He felt disgusted by the dismissive attitude towards human death within REvil and stepped away from the group. To provide evidence that he did not execute the Kaseya attack, Vasinskyi sent a letter to the FBI, used speakerphone during conversations with REvil leadership, and showed his face to CCTV cameras.

A hacker involved in the Kaseya supply chain attack in July 2021 claims he was coerced by the Russian government. This allegation, coupled with Vasinskyi's claims of ties between REvil and the Russian government, raises concerns about the extent of state involvement in cybercrime activities.

As Vasinskyi serves his prison sentence, his account sheds light on the inner workings of one of the most dangerous ransomware groups in history and the potential involvement of state actors in cybercrime.
