MOSCOW -- The ransomware hackers suspected of targeting Colonial Pipeline and other businesses around the world have a strict set of rules.
First and foremost: Don't target Russia or friendly states. It's even hard-wired into the malware, including coding to prevent hacks on Moscow's ally Syria, according to cybersecurity experts who have analyzed the malware's digital fingerprints.
They say the reasons appear clear.
"In the West you say, 'Don't ... where you eat,'" said Dmitry Smilyanets, a former Russia-based hacker who is now an intelligence analyst at Recorded Future, a cybersecurity company with offices in Washington and elsewhere around the world. "It's a red line."
Targeting Russia could mean a knock on the door from state security agents, he said. But attacking Western enterprises is unlikely to trigger a crackdown.
The relationship between the Russian government and ransomware criminals allegedly operating from within the country is expected to be a point of tension between President Joe Biden and Russia's Vladimir Putin at their summit in Geneva on Wednesday. The United States has accused Russia of acting as a haven for hackers by tolerating their activities -- as long as they are directed outside the country.
Biden and allies have said Russia appears to be the base for the masterminds of DarkSide and REvil, the cybercriminal groups linked to recent high-profile ransomware attacks on Colonial and the U.S. operations and other markets of JBS, a Brazil-based company and the world's largest meat supplier.
There is no clear evidence the Kremlin was directly involved. But Moscow has "some responsibility to deal with this," Biden said last month.
In a 2016 interview with NBC, when asked why Russia was not arresting hackers believed to have interfered in the U.S. election, Putin hinted at the hands-off approach: "If they did not break Russian law, there is nothing to prosecute them for in Russia."
As Russia became fertile ground for skilled hackers, it recruited some to work for its state security agencies, including the military intelligence service, the GRU, allegedly responsible for damaging cyber-campaigns against U.S. institutions, according to Western intelligence agencies.
But with other hackers, there appeared to be a sort of handshake deal, cybersecurity experts speculate. As long as hackers left alone Russia and selected friendly countries, they could largely do as they wished without fear of a crackdown or extradition, the analysts said.
"If you look at the ransomware code for most of these actors, it will not install on systems that have a Russian-language keyboard, are coming from Russian IP [Internet Protocol] addresses or have the Russian-language packs installed," said Allan Liska, Recorded Future's ransomware expert.
"In these underground forums, they explicitly say there's no going after Russian targets," he added. "And that allows them to operate with impunity ... . They are not operating at the behest of Russia, but they're operating with the tacit acknowledgment of Russia."
The Kremlin has been dismissive of U.S. complaints that Russia is harboring cybercriminals. Spokesman Dmitry Peskov said last week that hackers exist everywhere.
RANSOMWARE SERVICES
Ransomware is the region's specialty, analysts said.
DarkSide and REvil are both ransomware-as-a-service outfits, meaning they don't carry out the attacks themselves but work as intermediaries by providing the tools and affiliated services to hackers. Liska, of Recorded Future, said DarkSide's hackers were originally part of REvil before spinning out on their own.
They won't work with just anyone. The groups interview their potential partners and ask for proof of bona fides out of paranoia that Western intelligence agencies might be trying to infiltrate them, analysts said. All communication is done in Russian.
"If you wanted to pretend to be Russian and jump on these forums, I think they would notice any peculiarities in the language," Liska said.
Dmitry Galov, a security researcher at Kaspersky, a top Russian cybersecurity firm, said the evidence is weak to definitively trace the ransomware attacks back to Russia.
"It's pretty tricky because when someone is speaking English on dark net forums, no one says that it is England behind the attacks," Galov said.
Information for this article was contributed by Mary Ilyushina of The Washington Post.