Infant among six injured, with at least one dead and more trapped in building in central Ukraine; 10 Ukrainian civilians freed from Russia and Belarus jails in Vatican-mediated deal. What we know on day 857

• See all our Ukraine war coverage

A Russian missile strike hit a nine-storey residential building in the central Ukrainian city of Dnipro on Friday, killing at least one person and injuring six others, officials said. The death toll would likely rise as more people remained trapped in the building, where four upper storeys collapsed as a result of the attack, said the interior minister, Ihor Klymenko. A photo posted on Telegram by the governor, Serhiy Lysak, and other images on social media showed a badly damaged building that had smoke rising from a gaping hole in its upper storeys. A seven-month-old infant was among the injured, Lysak said. Three people were in severe condition.

Volodymyr Zelenskiy said 10 civilians including a politician and two priests taken prisoner in Russia and Belarus had been freed in a deal mediated by the Vatican. Russia and Ukraine have exchanged hundreds of prisoners throughout their two-year conflict but the release of civilian prisoners is rarer. “We managed to return 10 more of our people from Russian captivity,” the Ukrainian president said on Telegram. It was not immediately clear if the release was part of an exchange deal involving Russian prisoners held in Ukraine. Some of those released had been in prison since 2017, he said, arrested in Russian-controlled parts of eastern Ukraine that at the time were run by Moscow-backed separatists.

Russia’s defence ministry claimed its forces had taken control of the settlement of Rozdolivka in eastern Ukraine, but the Ukrainian military said heavy fighting was raging in areas around the settlement. The Russian ministry said on Friday that Russia’s “southern” military grouping had taken up what it called more favourable positions after pushing Ukrainian forces out of the settlement. Rozdolivka is in the Donetsk region, the focal point of Russia’s slow advance across eastern Ukraine. It lies north of Bakhmut and Soledar, two localities brought under Russian control last year.

The Ukrainian military’s general staff said Russian forces had launched 19 attacks in a broad sector that included Rozdolivka. “Our soldiers resolutely held their defences and repelled 15 of the assaults,” the evening report on Friday said. “Four armed confrontations are continuing.” The battlefield accounts from either side could not be verified.

The Biden administration will provide Ukraine with $150m worth of weapons and ammunition, including Hawk air defence interceptors and 155mm artillery munitions, two US officials said. The weapons aid package was expected be unveiled on Monday, they said on Friday, declining to be named. The administration is responding to Ukraine’s desperate requests for air defence support as Russia has pounded Ukrainian energy facilities in recent weeks via aerial attacks.

Vladimir Putin said Russia should start producing short- and intermediate-range missiles that were previously banned under a now-defunct arms treaty with the US. The Russian president was referring to missiles with a range of 500 to 5,500km (300-3,400 miles) that were banned under the cold war-era intermediate-range nuclear forces (INF) treaty. Washington withdrew from the deal in 2019, citing Russia’s failure to comply. The Kremlin said at the time that it would abide by a moratorium on production if the US did not deploy missiles within striking distance of Russia. In a televised address to his top security officials on Friday, Putin said the US had started using such missiles in training exercises in Denmark and “we need to react to this”.

Russia’s defence minister has ordered officials to prepare a “response” to US drone flights over the Black Sea, the ministry said, in an apparent warning that Moscow may take forceful action to ward off the American reconnaissance aircraft. The Russian defence ministry noted a recent “increased intensity” of US drones over the Black Sea, saying they “conduct intelligence and targeting for precision weapons supplied to the Ukrainian military by western countries for strikes on Russian facilities”.

The International Monetary Fund’s executive board has voted to approve a $2.2bn payout for Ukraine under an existing loan programme, and lowered its growth outlook following “devastating” Russian attacks against the country’s energy infrastructure. The much-needed funds would be used for “budget support” and bring the total amount disbursed under the 48-month loan agreement to about $7.6b, the IMF said on Friday.

Continue reading...

💾

© Photograph: Mykola Synelnykov/Reuters

💾

© Photograph: Mykola Synelnykov/Reuters

War in Gaza, a failed coup in Bolivia, protests in Nairobi and Taylor Swift at Wembley: the last seven days as captured by the world’s leading photojournalists

Continue reading...

💾

© Photograph: Luis Tato/AFP/Getty Images

💾

© Photograph: Luis Tato/AFP/Getty Images

Some call for rethink by Democrats and say continent must step up preparations for another Trump term

European politicians, already drowning in multiple crises of their own, were left shell-shocked and aghast at Joe Biden’s meandering performance in Thursday’s presidential debate, aware that a second Trump term had drawn that much nearer – with all that this implies for the rise of populism in the continent, the future of Nato, and for Ukraine and the Middle East.

The voices of despair came from across the mainstream political spectrum, interspersed with the odd call for Europe to prepare even more intensively for a Trump second coming.

Continue reading...

💾

© Photograph: Kyle Mazza/SOPA Images/REX/Shutterstock

💾

© Photograph: Kyle Mazza/SOPA Images/REX/Shutterstock

Critics fear Kallas’s unyielding nature makes her the wrong fit to succeed Josep Borrell but allies admire her strength and clarity

Kaja Kallas will be giving up a lot to return to Europe to succeed Josep Borrell as the EU’s foreign policy chief.

Her 18th-century offices at the top of the picturesque old town in Tallinn marry elegance with efficiency, with the neoclassical cabinet chamber capable of projecting business papers on to the wall. Outside there is a balcony on the edge of Toompea hill where Kallas sometimes sits, with glorious views over the town and the Gulf of Finland.

Continue reading...

💾

© Photograph: Geert Vanden Wijngaert/AP

💾

© Photograph: Geert Vanden Wijngaert/AP

Estonia’s PM, Kaja Kallas, set to become the EU’s top diplomat, while former Portuguese PM António Costa takes over as president of the European Council

Ursula von der Leyen has clinched the nomination to serve a second term as president of the European Commission, despite Italian prime minister Giorgia Meloni’s complaints of a “wrong” process.

Estonia’s prime minister, Kaja Kallas, is set to become the EU’s top diplomat, representing the bloc on the world stage for the next five years. The former Portuguese prime minister António Costa has been elected to take over as president of the European Council, putting him in charge of finding compromises between the 27 heads of state and government.

Continue reading...

💾

© Photograph: Yves Herman/Reuters

💾

© Photograph: Yves Herman/Reuters

The US Justice Department has announced charges against Amin Stigal for conducting wiper cyberattacks on Ukraine in 2022.

The post US Announces Charges, Reward for Russian National Behind Wiper Attacks on Ukraine appeared first on SecurityWeek.

Ukrainian president signs military agreement with EU and says ‘fulfilment of every promise’ of support is important

Ukraine’s president, Volodymyr Zelenskiy, has told EU leaders that Russia’s spring offensive in Kharkiv showed that international pressure on the Kremlin was “not enough”, as he signed a military agreement with the bloc.

Vladimir Putin had tried to “expand the war” in May with a new offensive in eastern Ukraine, Zelenskiy said on Thursday, referring to relentless attacks on the Kharkiv region.

Continue reading...

💾

© Photograph: Olivier Hoslet/Reuters

💾

© Photograph: Olivier Hoslet/Reuters

In Odesa, a city attacked by Russian rockets, with daily power outages and air-raid sirens, the street and social documentary photographer Richard Morgan explores to what extent the football is still important, if the game still has meaning, if the match really matters

This is not a story about how a football tournament is taking hold of a country’s imagination for one glorious, fleeting summer against a dark backdrop of war. It is not a tale of how Ukraine’s participation at Euro 24 is providing people with “some light relief from the harsh realities of war”, as the cliche goes. It is not My Summer with Des, Ukrainian-style.

For it is impossible to escape from the horrors of war in Ukraine, to find relief in the football, because the war is in the very experience of following the football here: it’s in the walk to the game past anti-tank defences, sandbags, covered monuments, and boarded-up churches; it’s in the pre-match motivational messages from frontline fighters to the footballers; it’s in the air-raid warnings of rocket attacks flashing across the TV screen as you watch the game in the pub; it’s in the power cuts before kick-off. Euro 24 is not a convenient distraction from war in Ukraine, but yet another way to live it.

Andriy shows off his new national-team tracksuit, a gift from his mother before the Euros. Behind him stands a row of Czech hedgehogs, the anti-tank defences that block main roads around Odesa’s central station and Kulykove Pole Square (above). A group of friends, excited about the tournament, play keepie-uppie on Holy Trinity Day in front of the bombed Spaso-Preobrazhensky Cathedral, a towering symbol of the war. The cathedral was badly damaged by a Russian rocket attack and now huge boards protect the windows from rocket blasts (below left). A football-styled car aerial sits above a damaged windshield on Derybasivska Street (below right).

Continue reading...

💾

© Photograph: Richard Morgan

💾

© Photograph: Richard Morgan

Anger, confusion and disappointment were among the emotions in the nations eliminated in group stage

Poland were the last team to qualify (their penalty shootout playoff win in Cardiff finished later than Ukraine’s and Georgia’s games) so it is no great surprise they bowed out first, being the only side to lose their opening two matches. The 36-year Robert Lewandowski is insisting on carrying on despite the public having doubts and his penalty (scored at the second attempt) in a 1-1 draw with France was a consolation for the Barcelona striker. The respected Polish journalist Michal Okonski summed up Poland’s tournament by writing: “Poland saved its face. It’s got the face of Kacper Urbanski” – referring to the 19-year-old youngest member of the squad, who at Thiago Motta’s Bologna has learned to play without fear.

“Gone in 60 Seconds,” declared the front page of the Scottish Sun. “Down and Out,” said the Daily Record. The Record showed Scott McTominay with head in hands, the Sun providing a shot of Steve Clarke consoling the Manchester United midfielder. Coverage of another Scotland group-stage exit has been twofold. The Tartan Army, who have captured hearts and minds across Germany, take up a lot of the column inches as tens of thousands of Scots beat a hasty march home. There has also been stark criticism of Clarke for what is perceived as an overly negative approach, particularly against Hungary in a must-win fixture. The manager faces an uphill task to remove that label of over-caution. Clarke’s emphasising of a non-European referee during the Hungary defeat – in which Scotland were denied a late penalty – has drawn ridicule at home.

Continue reading...

💾

© Photograph: Dan Mullan/Getty Images

💾

© Photograph: Dan Mullan/Getty Images

Amidst the ongoing Russo-Ukrainian war, hackers from Italy have decided to join forces with an infamous cyber attacker group in Russia. Azzasec is an Italian hacktivist group who has been involved in anti-Israel campaigns and has teamed up with the infamous pro-Russian hacktivists Noname057(16). Azzasec has a large network of partner groups, whereas Noname05716 is selective in their allies. The alliance between these two nefarious groups signifies a potential increase in the scale and sophistication of cyberattacks on Ukraine and its allies.

Understanding the AzzaSec Ransomware

On June 26, 2024, NoName formally announced on its social media channels about the alliance. “Today we have formed an alliance with the Italian hacker group AzzaSec, which is one of the TOP 3 coolest hack teams in Italy! We are always open to cooperation with various trance around the world!” the post read. [caption id="attachment_79189" align="alignnone" width="837"] Source: X[/caption] AzzaSec is an infamous actor that infects computers and encrypts files. It later demands a ransom for its decryption. Once a computer is infected, AzzaSec assigns the '.AzzaSec' extension to the filenames. It alters files such as '1.png' to '1.png.AzzaSec' and '2.pdf' to '2.pdf.AzzaSec.' Additionally, it changes the desktop wallpaper and provides a ransom note via a pop-up window like the screenshot below. [caption id="attachment_79190" align="alignnone" width="1828"] Source: X[/caption] The group demands ransom through Bitcoin. AzzaSec’s sophisticated encryption techniques and the secrecy of cryptocurrency transactions make it increasingly difficult for authorities to crackdown and defuse the cybercriminals. AzzaSec recently announced the release of a Windows ransomware builder. The group claimed that their ransomware could bypass major antivirus solutions such as Windows 10 / 11 Defender, Avast, Kaspersky, and AVG. AzzaSec’s emergence into the ransomware scene signals a reminder for organizations and individuals alike to upgrade their cybersecurity measures and remain vigilant against online threats.

Inglorious Past of NoName

NoName057(16) , on the other hand,  first emerged in March 2022 and is known for its cyber-attacks on Ukrainian, American, and European government agencies, media, and private companies. The group is considered one of the biggest unorganised and free pro-Russian activist group. Renowned for its widespread cyber operations, NoName057(16) has garnered notoriety for developing and distributing custom malware, notably the DDoS attack tool, the successor to the Bobik DDoS botnet. [caption id="attachment_79192" align="alignnone" width="1280"] Source: X[/caption] According to a report by Google-owned Mandiant, NoName057(16), along with other Russian state hackers, pose the biggest cyber threat to elections in regions with Russian interest. “Mandiant is tracking multiple self-proclaimed hacktivist groups primarily conducting DDoS attacks and leaking compromised data in support of Russian interests. These groups claim to have targeted organizations spanning the government, financial services, telecommunications, transportation, and energy sectors in Europe, North America, and Asia; however, target selection and messaging suggests that the activity is primarily focused on the conflict in Ukraine. Relevant groups include KillNet, Anonymous Sudan, NoName057(16), JokerDNR/DPR, Beregini, FRwL_Team (aka "From Russia with Love"), and Moldova Leaks,” Google stated in its threat intelligence report in April. The alliance between AzzaSec and NoName057(16) raises serious concerns about the evolving cyber threat landscape. With a combined skillset for ransomware deployment and large-scale attacks, these groups pose a significant risk to organizations and governments aligned with Ukraine. As the Russo-Ukrainian war rages on, the digital front is likely to see further escalation in cyberattacks.  It is crucial for targeted nations and organizations to bolster their cybersecurity defenses, implement robust incident response plans, and collaborate on international efforts to counter these cyber threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

• Tedesco claims he had two minutes for pre-match talk
• Coach is ‘so proud’ despite team being booed by own fans

The Belgium head coach, Domenico Tedesco, condemned the local organisation after a 0-0 draw against Ukraine on Wednesday, a result which secured qualification for a tie against France in the last 16.

“We arrived at the stadium in circumstances I never saw before,” Tedesco said. “It took one hour to come from the hotel with a police escort. The road was completely free, but they slowed down to 20-25km/h. Every traffic light was red. I had two minutes to make a preparation talk and we had to reduce the warmup. It’s unbelievable, unbelievable, unbelievable …”

Continue reading...

💾

© Photograph: Lee Smith/Reuters

💾

© Photograph: Lee Smith/Reuters

Justice department announces $10m reward for information on 22-year-old Amin Timovich Stigal, who remains at large. What we know on day 855

A Russian has been charged with conspiring to hack and destroy computer systems and data in Ukraine and allied countries including the US, the US justice department said on Wednesday, and announced a $10m reward for information. Before the invasion of Ukraine in February 2022, Amin Timovich Stigal, 22, who remains at large, targeted Kyiv’s government systems and data with no military-related role, the department alleged. Computer systems in the US and other countries that provided support to Ukraine were targeted later, it alleged.

Wall Street Journal reporter Evan Gershkovich went on trial behind closed doors in Ekaterinburg on Wednesday, 15 months after his arrest in the Russian city on espionage charges that he, his employer and the US government vehemently deny. The 32-year-old was arrested in March 2023, while on a reporting trip to Ekaterinburg, in the Ural Mountains, with authorities claiming without offering any evidence that he was gathering secret information for the US.

The EU is expected to sign a security agreement with Ukrainian President Volodymyr Zelenskiy on Thursday, pledging to keep delivering weapons, military training and other aid to Kyiv for years to come. The agreement will lay out the EU’s commitment to help Ukraine in nine areas of security and defence policy – including arms deliveries, military training, defence industry cooperation and demining, according to a draft seen by Reuters.

European Union countries agreed a sanctions package against Belarus on Wednesday, EU diplomats and Belgium said, to try to close off a route to avoiding restrictions on Russia. “This package will strengthen our measures in response to Russia’s invasion of Ukraine, including combating circumvention of sanctions,” Belgium, which holds the EU presidency until the end of June, said on X.

President Volodymyr Zelenskiy made an unannounced visit to the Donetsk region in eastern Ukraine to bolster morale among troops, amid continuing advances by Russian forces. The Ukrainian president recorded a video address against the backdrop of Pokrovsk, a city with a prewar population of about 61,000 that has experienced some of the most intense fighting during the 28-month-long full-scale invasion. Zelenskiy made the trip alongside Brig Gen Andriy Hnatov, the newly appointed commander of the joint forces.

During the visit, Zelenskiy signalled that he was getting tough on officials he suspects are shirking their duties. He said that back in Kyiv he would speak to “officials who must be here and in other areas near the frontline – in difficult communities where people need immediate solutions.” He continued: “I was surprised to learn that some relevant officials have not been here for six months or more. There will be a serious conversation, and I will draw appropriate conclusions regarding them.”

Five Lithuanians were wounded when they came under fire in eastern Ukraine as they delivered aid to troops, officials and team members said Wednesday. The volunteer workers were in a car that was shelled on Monday in Pokrovsk in Ukraine’s Donetsk region, a colleague Valdas Bartkevicius told AFP. The region’s governor reported that five people were killed and dozens wounded in Russian strikes on Pokrovsk on Monday.

Representatives of Russia’s and Ukraine’s human rights offices held a meeting for the first time during an exchange of prisoners of war on Tuesday, Kyiv said. The two countries each released 90 captured soldiers in a deal brokered by the United Arab Emirates, the latest in more than 50 prisoner exchanges that have taken place throughout the war. But it was the first time Russia had agreed to hold a direct meeting between human rights representatives during the exchange, Ukraine’s human rights commissioner Dmytro Lubinets told AFP.

Nato’s 32 nations on Wednesday appointed outgoing Dutch prime minister Mark Rutte as the alliance’s next head. Rutte will take over from secretary general Jens Stoltenberg on 1 October after major powers – spearheaded by the US – wrapped up his nomination ahead of a summit of Nato leaders in Washington next month.

Continue reading...

💾

© Photograph: Anadolu Agency/Getty Images

💾

© Photograph: Anadolu Agency/Getty Images

A U.S. grand jury has indicted a Russian citizen, Amin Timovich Stigal, for allegedly conspiring with Russia's military intelligence agency (GRU) to launch cyberattacks crippling Ukrainian government systems and data ahead of Russia's full-scale invasion in February 2022.

The indictment, unsealed yesterday in Maryland, sheds light on a coordinated effort to disrupt critical Ukrainian infrastructure and sow panic among the population.

“As alleged, the defendant conspired with Russian military intelligence on the eve of Russia’s unjust and unprovoked invasion of Ukraine to launch cyberattacks targeting the Ukrainian government and later targeting its allies, including the United States.” - Attorney General Merrick B. Garland

Attacker Aimed for 'Complete Destruction' in Cyberattacks Targeting Ukraine

Stigal, 22, who remains at large, was charged for his alleged role in using a deceptive malware strain called "WhisperGate" to infiltrate dozens of Ukrainian government networks, including ministries, state services, and critical infrastructure entities. Disguised as ransomware, WhisperGate reportedly went beyond data encryption, aiming for complete destruction of targeted systems and data.

The attacks coincided with the defacement of Ukrainian websites displaying threatening messages designed to intimidate the public. Sensitive data, including patient health records, was exfiltrated and offered for sale online, further amplifying the chaos.

U.S. Critical Infrastructure Targeted Too

But the malicious campaign wasn't limited to cyberattacks targeting Ukraine. The indictment broadens the scope beyond Ukraine, revealing attempts to probe U.S. government networks in Maryland using similar tactics.

“These GRU actors are known to have targeted U.S. critical infrastructure. During these malicious cyber activities, GRU actors launched efforts to scan for vulnerabilities, map networks, and identify potential website vulnerabilities in U.S.-based critical infrastructure – particularly the energy, government, and aerospace sectors.” - Rewards for Justice

The scope of the malicious campaign highlights the potential wide-ranging objectives of the GRU cyber campaign and the ongoing threat posed by nation-state actors.

Reward Offered for Info Leading to Capture

The Justice Department emphasized its commitment to holding accountable those responsible for Russia's malicious cyber activity. The indictment carries a maximum sentence of five years, but international cooperation remains crucial to apprehend Stigal.

The U.S. Department of State's Rewards for Justice program is offering a significant reward – up to $10 million – for information leading to Stigal's capture or the disruption of his cyber operations. This substantial reward underscores the seriousness of the charges and the international effort to dismantle Russia's cyber warfare apparatus.

This case serves as a stark reminder of the evolving cyber threat landscape. The destructive capabilities of malware like WhisperGate, coupled with the targeting of critical infrastructure necessitates vigilance and collaboration between governments and security professionals to defend against nation-state cyberattacks.

“Malicious cyber actors who attack our allies should know that we will pursue them to the full extent of the law,” said Erek L. Barron, U.S. Attorney for the District of Maryland. “Cyber intrusion schemes such as the one alleged threaten our national security, and we will use all the technologies and investigative measures at our disposal to disrupt and track down these cybercriminals.”

Who is Amin Stigal?

The U.S. linked 22-year-old Amin Stigal to the Russian GRU and labelled him for his involvement in the WhisperGate malware operations. But who is Amin Stigal and what is the extent of his involvement? [caption id="attachment_79079" align="aligncenter" width="947"] Source: Rewards for Justice[/caption] The U.S. authorities, along with the $10 million bounty, released scarce but very important details on Stigal's cyber trail - his aliases or the threat group names with whom he is affiliated. The Cyber Express did an open-source intelligence (OSINT) study on these aliases and found the following details on Amin Stigal's cyber activities:

DEV-0586/Cadet Blizzard

Microsoft first tracked this threat actor as DEV-0586 and observed its destructive malware targeting Ukrainian organizations in January 2022. The tech giant later in April 2023 shifted to a new threat actor-naming taxonomy and thus named the TA "Cadet Blizzard." Cadet Blizzard has been operational since at least 2020 and has initiated a wave of destructive wiper attacks against Ukraine in the lead up to Russia's February 2022 invasion of Ukraine. Specifically, it created and developed WhisperGate, a wiper that deletes the master boot record, Microsoft said.

EMBER BEAR

Crowd Strike tracked this threat actor as EMBER BEAR (aka Lorec Bear, Bleeding Bear, Saint Bear) and linked it to an adversary group that has operated against government and military organizations in eastern Europe since early 2021. The likely motive of this TA is to collect intelligence from target networks, the cybersecurity firm said. EMBER BEAR primarily weaponized the access and data obtained during their intrusions to support information operations (IO), according to CrowdStrike. Their aim in employing this tactic was to create public mistrust in targeted institutions and degrade respective government's ability to counter Russian cyber operations.

UAC-0056

The Computer Emergency Response Team of Ukraine tracked this Russian-linked threat actor/group as UAC-0056 and observed its malicious campaigns targeting Ukraine through phishing campaigns in July 2022. In the discovered attack, threat actors sought to disrupt the integrity and availability of government websites by exploiting several backdoors and deploying Cobalt Strike Beacon malware. The threat actors communicated with the web shell using IP addresses, including those belonging to neighboring devices of other hacked organizations due to their previous account abuse and additional VPN connection to the corresponding organizations. The hackers also applied other malware samples in this campaign including the GOST (Go Simple Tunnel) and Ngrok utilities, to deploy the HoaxPen backdoor.

What is WhisperGate Malware?

WhisperGate is a destructive malware that is seemingly designed like a ransomware, but it is not. Unlike ransomware, which encrypts data and demands a ransom for decryption, WhisperGate aimed to completely destroy data, rendering the infected systems inoperable. It first targeted Ukrainian organizations in January 2022 and ever since continues to remain on the list of top malware variants used to target Kyiv.

Key Points on WhisperGate:

• Multi-stage Attack: It operated in stages, with the first stage overwriting the Master Boot Record (MBR) to prevent the system from booting normally and displaying a fake ransom note.
• Data Wiping: The MBR overwrite made data recovery nearly impossible.
• Motive: Experts believe the goal was data destruction, not financial gain, due to the lack of a real decryption method.
• Deployment: The malware resided in common directories like C:\PerfLogs and used a publicly available tool called Impacket to spread laterally within networks.

At one end of the ground, one team stood, exhausted, in the penalty area in front of their fans and were warmly applauded. At the other, their opponents could barely approach the box before being driven back by the fury of their support. The oddity was, it was Ukraine who had gone out who were celebrated, and Belgium who had gone through who were booed and jeered to such an extent that Kevin De Bruyne told the players to go to the dressing room.

In the end, Ukraine just didn’t have the energy or the guile. They will feel unfortunate to have been eliminated from the Euros having picked up four points, the same as every other side in the group, more than Denmark who qualified in second and various third-placed teams. But in the final minutes, when it became apparent that they would need a goal after all, they had nothing.

Continue reading...

💾

© Photograph: Álex Caparrós/UEFA/Getty Images

💾

© Photograph: Álex Caparrós/UEFA/Getty Images

Cyble Research and Intelligence Labs (CRIL) researchers have observed the Russia-linked threat actor group UAC-0184 targeting Ukraine with the XWorm remote access trojan (RAT) through the use of Python-related files.

Technical Overview of XWorm RAT Campaign

The campaign begins with a malicious LNK shortcut file, disguised as a legitimate Excel document, which executes a PowerShell script upon execution. The script downloads two files, "pkg.zip" and "NewCopy.xlsx", from a specified URL. The LNK shortcut file then executes "pythonw.exe" using the start command, which duplicates files and stores them in a new folder. The "pythonw.exe" loads a malicious DLL, "python310.dll", through DLL sideloading, injecting shellcode into the MSBuild process. [caption id="attachment_78917" align="alignnone" width="1529"] Source: Cyble[/caption] The hackers use a technique called DLL sideloading, where a malicious library file masquerades as a legitimate one. This allows the attackers to run their code under the guise of trusted software. Additionally, they employ a tool called Shadowloader to inject the XWorm RAT into a running process, further obscuring its presence. The XWorm RAT is then executed, offering a range of capabilities, including data theft, DDoS attacks, and cryptocurrency address manipulation. The malware attempts to connect to a Command-and-Control (C&C) server, but at the time of analysis, the server was inactive, resulting in no observed malicious activities. [caption id="attachment_78919" align="alignnone" width="537"] Source: Cyble[/caption] While the initial infection vector remains unclear, researchers suspect phishing emails may play a role. The intended victim could not be ascertained from accessing the the Excel lure used in the campaign. CRIL researchers had previously observed the UAC-0184 threat actor group employing lures tailored to appeal to Ukrainian targets, often mimicking official government or utility communications.

Protecting Against XWorm RAT

The XWorm RAT malware employed in the campaign is designed to be easily accessible even to to threat actors lacking sophistication and technical expertise. The versatile malware offers several functionalities, including data theft, DDoS attacks, cryptocurrency address manipulation, ransomware deployment, and downloading additional malware onto compromised systems. Cyble researchers have recommended several measures to defend against this campaign:

• Implement strong email filtering to block malicious attachments.
• Exercise caution with email attachments, especially from unknown senders.
• Limit execution of scripting languages where possible.
• Use application whitelisting to control which programs can run.
• Deploy robust antivirus and anti-malware solutions.
• Enforce strong, unique passwords and two-factor authentication.
• Monitor networks for unusual activity or data exfiltration attempts.

The campaign demonstrates UAC-0184's relentless efforts at attacking Ukraine with evasive techniques. The use of the XWorm RAT as the final payload indicates the intent to establish remote access over compromised systems for strategic purposes. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A round-up of links inside on the Russia-Ukraine war. Today is day 848 of the invasion.

Russia: Russia wages a scorched-earth war in Ukraine with retrofitted bombs and new airstrips (AP) Fire at drone-hit Russian oil depot rages for second day (Reuters) Putin accuses NATO of creating a security threat for Russia in Asia (Reuters) China: Outgoing NATO chief says China should face consequences for backing Russia's war on Ukraine (CBC) Ukraine peace summit is a 'success', China key to ending war: ambassador to Singapore (South China Morning Post) China lobbying for its alternative peace plan ahead of Ukraine's summit, Reuters reports (Kyiv Independent) EU: EU passes 14th sanctions package in first major move against Russian gas (Kyiv Independent) Romania to send Patriot defense system to Ukraine (Kyiv Independent) EU envoys agree on more Russia sanctions. LNG imports are among the targets. (AP) Japan: Signing of the Accord on Support for Ukraine and Cooperation between the Government of Japan and Ukraine (Ministry of Foreign Affairs of Japan) Japan to finance US$188 million technology transfer to Ukrainian business (MSN) North & South Korea: Russia and North Korea sign mutual defence pact: Vladimir Putin and Kim Jong-un's agreement raises western alarm about possible Russian help for nuclear programme (Guardian) What's known, and not known, about the partnership agreement signed by Russia and North Korea (AP) Putin says South Korea would be making 'a big mistake' if it supplies arms to Ukraine (Reuters) Ukraine: Russian troops fail to advance as Ukraine garners military, financial aid (Al Jazeera) Ukraine, Russia targeting each other's energy infrastructure (NHK World Japan) Ukraine launches a national sexual assault registry for victims of Russian forces (CTV) USA: US to focus on deepening ties with Vietnam after Putin's Hanoi visit (Reuters) Exclusive: Biden to ban US sales of Kaspersky software over Russia ties, source says (Reuters) White House confirms Ukraine to get priority on air defense missile deliveries (Kyiv Independent; post title is a Biden quote from this article) Aid: Fidelity Charitable list of organizations; UNICEF; Support Sellers in Ukraine

A pair of whales were extricated from the besieged city of Kharkiv and taken to an aquarium in Spain with help from experts around the world.

© via Oceanogràfic de Valencia

The UK, US and Canada have accused Russia of an elaborate plot to interfere in Moldova’s upcoming presidential election and referendum on EU membership. The allegations came in a joint statement released on the opening day of the G7 summit, pointing to a far-reaching campaign of political meddling by Moscow. The three nations claim Russia is actively spreading disinformation to 'undermine Moldovan democratic institutions' and 'degrade public confidence' in the government ahead of the votes on October 20th. Specific targets include President Maia Sandu and her pro-Western administration, which has strongly backed Ukraine in the Russia-Ukraine conflict.

Kremlin Actors Seeking to Discredit Moldova's Leaders

According to a statement from the U.S. Embassy in Russia, Russian threat actors are aggressively distributing propaganda to “foment negative public perceptions” of President Sandu. This involves fabricating electoral irregularities while also aiming to incite protests if the incumbent president is re-elected. The plot dates back years, with the Kremlin providing support to fugitive Moldovan businessman Ilan Shor. Shor had previously been sentenced to 15 years in prison in connection with the disappearance of $1 billion from Moldovan banks in 2014. All three countries had issued sanctions on Shor for his connection to the incident. The statement singled out Russian state-television channel RT for providing several years of support to Shor. The UK, US and Canada claim they have already shared detailed evidence with Moldovan authorities to enable further investigation and disruption. They also state they will continue backing Moldova with a range of support measures as it deals with Russian interference and fallout from the Ukraine war.

All Three Countries Announce Support at G7 Summit

The three nations expressed confidence in Moldova's ability to manage these threats linked to Russian interference. They have taken several measures to support Moldova's efforts, including:

• The sharing of detailed information with Moldovan partners to investigate, thwart, and put a stop to the Kremlin's plans.
• Increasing accountability and punishment for individuals and entities involved in covertly financing political activities in Moldova through sanctions and potential further actions.
• Strongly supporting Moldova's democratic, economic, security, and anti-corruption reforms, as well as its deepening European integration.

The three nations affirmed their support deepening ties between Moldova and the EU. President Sandu is widely perceived as a firmly pro-Ukranian and pro-Western leader since her election in 2020. In reaction, the Kremlin appears intent on preventing her re-election in order to install a more Russia-friendly president. By publicizing the interference plot, the Western allies hope to deter Moscow while urging respect for Moldovan sovereignty and free, fair elections. However, with under five months until the votes, concerns remain high over Russia's determination to influence election results. "We will continue to stand with all of our friends, partners, and Allies in defense of our shared democratic values and freedoms," the statement read. The U.S. embassy's statement also highlighted the surrounding threat to elections in 2024, a year in which "hundreds of millions of people across Europe and North America go to the polls to select their leaders in European, national, regional, and local elections."

Russia Is a Threat to Election Security: Researchers

An earlier report from Mandiant in April suggested that Russia presented the biggest threat to election security in the United States, United Kingdom and European Union. “Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” the report stated. Experts also fear Russian attempts at spreading disinformation or influencing public opinion on non-election events such as the upcoming 2024 Summer Olympics in Paris. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Ukraine’s Security Service (SBU) detained two individuals accused of aiding Russian intelligence in hacking the phones of Ukrainian soldiers and spreading pro-Kremlin propaganda. The suspects operated bot farms using servers and SIM cards to create fake social media accounts. One bot farm in the Zhytomyr Oblast was hosted in an apartment of a Ukrainian woman. She allegedly registered over 600 virtual mobile numbers and several anonymous Telegram accounts.

Russian Intelligence Installed Spyware in Campaign

The woman sold or rented these accounts in exchange for cryptocurrency on online Russian underground marketplaces. Russian intelligence used these accounts and numbers to hack phones of Ukrainian military personnel by sending phishing emails containing spyware that collected sensitive confidential data. Russian hackers were recently observed using legitimate remote monitoring and management (RMM) software to spy on Ukraine and its allies. [caption id="attachment_77338" align="aligncenter" width="1024"] Source: SBU[/caption] According to the SBU, the accounts hosted on this bot farm were also used to spread pro-Kremlin propaganda purporting as ordinary Ukrainian citizens. Another 30-year-old man from Dnipro allegedly registered nearly 15,000 fake accounts on various social networks and messaging platforms using Ukrainian SIM cards. He sold these accounts to Russian intelligence services on darknet forums. [caption id="attachment_77337" align="aligncenter" width="1024"] Source: SBU[/caption] Both suspects face up to three years in prison or a fine if found guilty. The investigation continues.

Russian Bot Farms Used Since Invasion Started

Russia has used bot farms to disseminate Kremlin propaganda, incite panic and manipulate narratives since the beginning of its Ukrainian invasion. The Ukrainian authorities have busted dozens of bot farms and arrested hundreds of people across the country who operate them. In December 2022, they dismantled more than a dozen bot farms. In September of that year, two bot farms were taken down, while in August a group that operated more than 1 million bots was also dismantled. Bot farm operators typically receive payments in Russian rubles, a prohibited currency in Ukraine. These activities continued in the second year of the war, where the Ukrainian Cyber Police raided 21 locations across the country and seized computer equipment, mobile phones and more than 250 GSM gateways. This included 150,000 SIM cards of different mobile operators used in the illicit activities to create fake social media profiles.

Ukraine National Police have arrested a man they say helped disguise ransomware used by Russia-based threat groups. The 28-year-old cryptor developer was unnamed in Ukraine and Netherlands announcements of the arrest, but the Dutch statement said he was arrested on April 18, 2024 in a lead-up to May’s massive “Operation Endgame” botnet takedown.

Cryptor Developer Worked with Conti, LockBit

Ukraine cyber ​​police and National Police investigators say they established that the man was involved in the LockBit and Conti ransomware groups. The Kyiv man infected a company in the Netherlands with Conti ransomware in 2021, demanded a ransom and threatened to release confidential company information if payment wasn’t made, according to the Dutch announcement, which cited work by the Netherlands’ High Tech Crime Team of the National Operations and Interventions Unit and the National Public Prosecution Service. They requested Ukraine’s assistance in the case as part of their investigation. As part of the arrest, Ukrainian police conducted house searches in the city of Kyiv and the Kharkiv region on April 18 and seized computer equipment, mobile phones and documents for further investigation (pictured below). [caption id="attachment_76895" align="alignnone" width="300"] Items seized in Ukraine ransomware arrest[/caption] The Ukraine cyber police said the man “specialized in the development of cryptors,” or “special software for masking computer viruses under the guise of safe files” (quotes translated from the Ukraine statement). “Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses,” the Ukraine statement added.

LockBit Remains Active Despite Repeated Enforcement Activities

The Conti ransomware group reportedly dissolved in 2022 after a Ukrainian researcher leaked the group's source code in retaliation for the group's support of Russia's invasion of Ukraine, but LockBit has remained persistent. Despite the Ukraine arrest and law enforcement successes like Operation Endgame, Operation Cronos, and the unmasking of formerly anonymous LockBit leader Dmitry Khoroshev, LockBit has shown an ability to continually regroup and reestablish threat activities, recently launching high-profile ransomware attacks such as one that the city of Wichita is finally recovering from. Ukraine officials said the investigation is ongoing. The suspect is being charged under part 5 of Article 361, Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks, of the Criminal Code of Ukraine. The article provides for publishment of up to 15 years of imprisonment, and additional charges are possible. Netherlands officials thanked the Ukrainian investigators for their assistance and said they “are very pleased with the arrest in Ukraine and are grateful for the space that the Ukrainian police have found for this in times of war.”

Switzerland has seen a notable increase in cyberattacks and disinformation campaigns as it prepares to host a crucial summit aimed at creating a pathway for peace in Ukraine. On Monday, the government reported these developments in a press conference, highlighting the challenges of convening a high-stakes international dialogue amidst rising digital threats. The summit, Summit on Peace in Ukraine is scheduled at a resort near Lucerne from June 15-16, and will gather representatives from 90 states and organizations. About half of the participants come from South America, Asia, Africa, and the Middle East. Notably, absent from the attendee list is Russia which was not invited due to its lack of interest in participating. However, the Swiss government emphasized that the summit’s goal is to "jointly define a roadmap" to eventually include both Russia and Ukraine in a future peace process. Swiss President Viola Amherd addressed the media, acknowledging the uptick in cyberattacks and disinformation efforts leading up to the event. These cyberattacks have targeted various facets of the summit, including personal attacks on President Amherd herself, particularly in Russian media outlets publicized within Switzerland. "We haven't summoned the ambassador," Amherd stated in response to these attacks. "That's how I wanted it because the disinformation campaign is so extreme that one can see that little of it reflects reality."

Switzerland Disruption Efforts and Cybersecurity

Foreign Minister Ignazio Cassis also spoke at the press conference, noting a clear "interest" in disrupting the talks. However, he refrained from directly accusing any particular entity, including Russia, when questioned about the source of the cyberattacks. This restraint highlights the delicate diplomatic balancing act Switzerland is attempting as host. Switzerland agreed to host the summit at the behest of Ukrainian President Volodymyr Zelenskyy and has been actively seeking support from countries with more neutral or favorable relations with Moscow compared to leading Western powers. This strategic outreach aims to broaden the coalition backing the peace efforts and mitigate the polarized dynamics that have characterized the conflict thus far.

Agenda and Key Issues

The summit will address several critical areas of international concern, including nuclear and food security, freedom of navigation, and humanitarian issues such as prisoner of war exchanges. These topics are integral to the broader context of the Ukraine conflict and resonate with the international community's strategic and humanitarian interests. Turkey and India are confirmed participants, though their representation level remains unspecified. There is still uncertainty regarding the participation of Brazil and South Africa. Switzerland noted that roughly half of the participating countries would be represented by heads of state or government, highlighting the summit's high profile and potential impact. The summit aims to conclude with a final declaration, which ideally would receive unanimous backing. This declaration is expected to outline the next steps in the peace process. When asked about potential successors to Switzerland in leading the next phase, Foreign Minister Cassis indicated ongoing efforts to engage regions beyond the Western sphere, particularly the Global South and Arabian countries. Such inclusion could foster a more comprehensive and globally supported peace initiative.

To Wrap Up

The summit represents a significant diplomatic effort to address the Ukraine conflict. However, the surge in cyberattacks on Switzerland and disinformation campaigns, highlights the complexities of such high-stakes international dialogue. In March 2024, Switzerland’s district court in the German-speaking district of March, home to around 45,000 residents, fell victim to a cyberattack. While details are scarce, the court’s website suggests it could potentially be a ransomware attack. As Switzerland navigates these challenges, the outcomes of this summit could set important precedents for future peace efforts and international cooperation.

Last week's EU parliamentary elections have resulted in big wins for right (and far-right) parties across the continent, with inflation- and migration-driven campaigns seeing late surges in support from Giorgia Meloni's Brothers of Italy to Geert Wilder's Party of Freedom to the extremist (and Nazi-curious) Alternative for Germany. Most notable was the unprecedented success of Marine Le Pen's hard-right National Rally in France, whose demolition of the ruling centrist coalition was so complete that President Emmanuel Macron has unexpectedly dissolved the legislature and called for snap elections later this month in a high-stakes bid to disrupt the national-populist wave. Not all is grim for the left -- socialist parties held their own in multiple nations, proudly illiberal Viktor Orban's Fidesz fell short of projections against a rising Péter Magyar, and France's two-round system has reliably kept the far-right out of power. Still, this week's results have massive and troubling implications for climate change, Ukraine, and a swath of other critical issues.

In an exclusive interview with the Guardian, the Ukrainian president, Volodymyr Zelenskiy, revealed the tactics and traits that help him face the daily frustrations of leading a country at war for more than two years.

Within a ceremonial room inside Kyiv’s presidential compound, Zelenskiy spoke for nearly an hour with a Guardian team, including the editor-in-chief, Katharine Viner. The interview took place during perhaps the toughest time for Ukraine since the early days of the war. Russia is on the offensive in Kharkiv, an advance that follows months of delay in the US Congress over the passing of a major support package, limiting Ukraine’s battlefield capabilities

Continue reading...

💾

© Photograph: The Guardian

💾

© Photograph: The Guardian

Russia has deployed advanced tech to interfere with Elon Musk’s satellite internet service, Ukrainian officials said, leading to more outages on the northern front battle line.

© Sasha Maslov for The New York Times

Russia has deployed advanced tech to interfere with Elon Musk’s satellite internet service, Ukrainian officials said, leading to more outages on the northern front battle line.

© Sasha Maslov for The New York Times

Two weeks before Russia invaded Ukraine in February 2022, a large, mysterious new Internet hosting firm called Stark Industries Solutions materialized and quickly became the epicenter of massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. An investigation into Stark Industries reveals it is being used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.

At least a dozen patriotic Russian hacking groups have been launching DDoS attacks since the start of the war at a variety of targets seen as opposed to Moscow. But by all accounts, few attacks from those gangs have come close to the amount of firepower wielded by a pro-Russia group calling itself “NoName057(16).”

As detailed by researchers at Radware, NoName has effectively gamified DDoS attacks, recruiting hacktivists via its Telegram channel and offering to pay people who agree to install a piece of software called DDoSia. That program allows NoName to commandeer the host computers and their Internet connections in coordinated DDoS campaigns, and DDoSia users with the most attacks can win cash prizes.

A report from the security firm Team Cymru found the DDoS attack infrastructure used in NoName campaigns is assigned to two interlinked hosting providers: MIRhosting and Stark Industries. MIRhosting is a hosting provider founded in The Netherlands in 2004. But Stark Industries Solutions Ltd was incorporated on February 10, 2022, just two weeks before the Russian invasion of Ukraine.

PROXY WARS

Security experts say that not long after the war started, Stark began hosting dozens of proxy services and free virtual private networking (VPN) services, which are designed to help users shield their Internet usage and location from prying eyes.

Proxy providers allow users to route their Internet and Web browsing traffic through someone else’s computer. From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer.

These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are also massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

What’s more, many proxy services do not disclose how they obtain access to the proxies they are renting out, and in many cases the access is obtained through the dissemination of malicious software that turns the infected system into a traffic relay — usually unbeknownst to the legitimate owner of the Internet connection. Other proxy services will allow users to make money by renting out their Internet connection to anyone.

Spur.us is a company that tracks VPNs and proxy services worldwide. Spur finds that Stark Industries (AS44477) currently is home to at least 74 VPN services, and 40 different proxy services. As we’ll see in the final section of this story, just one of those proxy networks has over a million Internet addresses available for rent across the globe.

Raymond Dijkxhoorn operates a hosting firm in The Netherlands called Prolocation. He also co-runs SURBL, an anti-abuse service that flags domains and Internet address ranges that are strongly associated with spam and cybercrime activity, including DDoS.

Dijkxhoorn said last year SURBL heard from multiple people who said they operated VPN services whose web resources were included in SURBL’s block lists.

“We had people doing delistings at SURBL for domain names that were suspended by the registrars,” Dijkhoorn told KrebsOnSecurity. “And at least two of them explained that Stark offered them free VPN services that they were reselling.”

Dijkxhoorn added that Stark Industries also sponsored activist groups from Ukraine.

“How valuable would it be for Russia to know the real IPs from Ukraine’s tech warriors?” he observed.

CLOUDY WITH A CHANCE OF BULLETS

Richard Hummel is threat intelligence lead at NETSCOUT. Hummel said when he considers the worst of all the hosting providers out there today, Stark Industries is consistently near or at the top of that list.

“The reason is we’ve had at least a dozen service providers come to us saying, ‘There’s this network out there inundating us with traffic,'” Hummel said. “And it wasn’t even DDoS attacks. [The systems] on Stark were just scanning these providers so fast it was crashing some of their services.”

Hummel said NoName will typically launch their attacks using a mix of resources rented from major, legitimate cloud services, and those from so-called “bulletproof” hosting providers like Stark. Bulletproof providers are so named when they earn or cultivate a reputation for ignoring any abuse complaints or police reports about activity on their networks.

Combining bulletproof providers with legitimate cloud hosting, Hummel said, likely makes NoName’s DDoS campaigns more resilient because many network operators will hesitate to be too aggressive in blocking Internet addresses associated with the major cloud services.

“What we typically see here is a distribution of cloud hosting providers and bulletproof hosting providers in DDoS attacks,” he said. “They’re using public cloud hosting providers because a lot of times that’s your first layer of network defense, and because [many companies are wary of] over-blocking access to legitimate cloud resources.”

But even if the cloud provider detects abuse coming from the customer, the provider is probably not going to shut the customer down immediately, Hummel said.

“There is usually a grace period, and even if that’s only an hour or two, you can still launch a large number of attacks in that time,” he said. “And then they just keep coming back and opening new cloud accounts.”

MERCENARIES TEAM

Stark Industries is incorporated at a mail drop address in the United Kingdom. UK business records list an Ivan Vladimirovich Neculiti as the company’s secretary. Mr. Neculiti also is named as the CEO and founder of PQ Hosting Plus S.R.L. (aka Perfect Quality Hosting), a Moldovan company formed in 2019 that lists the same UK mail drop address as Stark Industries.

Reached via LinkedIn, Mr. Neculiti said PQ Hosting established Stark Industries as a “white label” of its brand so that “resellers could distribute our services using our IP addresses and their clients would not have any affairs with PQ Hosting.”

“PQ Hosting is a company with over 1,000+ of [our] own physical servers in 38 countries and we have over 100,000 clients,” he said. “Though we are not as large as Hetzner, Amazon and OVH, nevertheless we are a fast growing company that provides services to tens of thousands of private customers and legal entities.”

Asked about the constant stream of DDoS attacks whose origins have traced back to Stark Industries over the past two years, Neculiti maintained Stark hasn’t received any official abuse reports about attacks coming from its networks.

“It was probably some kind of clever attack that we did not see, I do not rule out this fact, because we have a very large number of clients and our Internet channels are quite large,” he said. “But, in this situation, unfortunately, no one contacted us to report that there was an attack from our addresses; if someone had contacted us, we would have definitely blocked the network data.”

DomainTools.com finds Ivan V. Neculiti was the owner of war[.]md, a website launched in 2008 that chronicled the history of a 1990 armed conflict in Moldova known as the Transnistria War and the Moldo-Russian war.

Transnistria is a breakaway pro-Russian region that declared itself a state in 1990, although it is not internationally recognized. The copyright on that website credits the “MercenarieS TeaM,” which was at one time a Moldovan IT firm. Mr. Neculiti confirmed personally registering this domain.

DON CHICHO & DFYZ

The data breach tracking service Constella Intelligence reports that an Ivan V. Neculiti registered multiple online accounts under the email address dfyz_bk@bk.ru. Cyber intelligence firm Intel 471 shows this email address is tied to the username “dfyz” on more than a half-dozen Russian language cybercrime forums since 2008. The user dfyz on Searchengines[.]ru in 2008 asked other forum members to review war.md, and said they were part of the MercenarieS TeaM.

Back then, dfyz was selling “bulletproof servers for any purpose,” meaning the hosting company would willfully ignore abuse complaints or police inquiries about the activity of its customers.

DomainTools reports there are at least 33 domain names registered to dfyz_bk@bk.ru. Several of these domains have Ivan Neculiti in their registration records, including tracker-free[.]cn, which was registered to an Ivan Neculiti at dfyz_bk@bk.ru and referenced the MercenarieS TeaM in its original registration records.

Dfyz also used the nickname DonChicho, who likewise sold bulletproof hosting services and access to hacked Internet servers. In 2014, a prominent member of the Russian language cybercrime community Antichat filed a complaint against DonChicho, saying this user scammed them and had used the email address dfyz_bk@bk.ru.

The complaint said DonChicho registered on Antichat from the Transnistria Internet address 84.234.55[.]29. Searching this address in Constella reveals it has been used to register just five accounts online that have been created over the years, including one at ask.ru, where the user registered with the email address neculitzy1@yandex.ru. Constella also returns for that email address a user by the name “Ivan” at memoraleak.com and 000webhost.com.

Constella finds that the password most frequently used by the email address dfyz_bk@bk.ru was “filecast,” and that there are more than 90 email addresses associated with this password. Among them are roughly two dozen addresses with the name “Neculiti” in them, as well as the address support@donservers[.]ru.

Intel 471 says DonChicho posted to several Russian cybercrime forums that support@donservers[.]ru was his address, and that he logged into cybercrime forums almost exclusively from Internet addresses in Tiraspol, the capital of Transnistria. A review of DonChicho’s posts shows this person was banned from several forums in 2014 for scamming other users.

Cached copies of DonChicho’s vanity domain (donchicho[.]ru) show that in 2009 he was a spammer who peddled knockoff prescription drugs via Rx-Promotion, once one of the largest pharmacy spam moneymaking programs for Russian-speaking affiliates.

Mr. Neculiti told KrebsOnSecurity he has never used the nickname DonChicho.

“I may assure you that I have no relation to DonChicho nor to his bulletproof servers,” he said.

Below is a mind map that shows the connections between the accounts mentioned above.

Earlier this year, NoName began massively hitting government and industry websites in Moldova. A new report from Arbor Networks says the attacks began around March 6, when NoName alleged the government of Moldova was “craving for Russophobia.”

“Since early March, more than 50 websites have been targeted, according to posted ‘proof’ by the groups involved in attacking the country,” Arbor’s ASERT Team wrote. “While NoName seemingly initiated the ramp of attacks, a host of other DDoS hacktivists have joined the fray in claiming credit for attacks across more than 15 industries.”

CORRECTIV ACTION

The German independent news outlet Correctiv.org last week published a scathing investigative report on Stark Industries and MIRhosting, which notes that Ivan Neculiti operates his hosting companies with the help of his brother, Yuri.

The report points out that Stark Industries continues to host a Russian disinformation news outlet called “Recent Reliable News” (RRN) that was sanctioned by the European Union in 2023 for spreading links to propaganda blogs and fake European media and government websites.

“The website was not running on computers in Moscow or St. Petersburg until recently, but in the middle of the EU, in the Netherlands, on the computers of the Neculiti brothers,” Correctiv reporters wrote.

“After a request from this editorial team, a well-known service was installed that hides the actual web host,” the report continues. “Ivan Neculiti announced that he had blocked the associated access and server following internal investigations. “We very much regret that we are only now finding out that one of our customers is a sanctioned portal,” said the company boss. However, RRN is still accessible via its servers.”

Correctiv also points to a January 2023 report from the Ukrainian government, which found servers from Stark Industries Solutions were used as part of a cyber attack on the Ukrainian news agency “Ukrinform”. Correctiv notes the notorious hacker group Sandworm — an advanced persistent threat (APT) group operated by a cyberwarfare unit of Russia’s military intelligence service — was identified by Ukrainian government authorities as responsible for that attack.

PEACE HOSTING?

Public records indicate MIRhosting is based in The Netherlands and is operated by 37-year old Andrey Nesterenko, whose personal website says he is an accomplished concert pianist who began performing publicly at a young age.

DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Solutions Corp, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.

This is interesting because according to the book Inside Cyber Warfare by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting StopGeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.

Responding to questions from KrebsOnSecurity, Mr. Nesterenko said he couldn’t say whether his network had ever hosted the StopGeorgia website back in 2008 because his company didn’t keep records going back that far. But he said Stark Industries Solutions is indeed one of MIRhsoting’s colocation customers.

“Our relationship is purely provider-customer,” Nesterenko said. “They also utilize multiple providers and data centers globally, so connecting them directly to MIRhosting overlooks their broader network.”

“We take any report of malicious activity seriously and are always open to information that can help us identify and prevent misuse of our infrastructure, whether involving Stark Industries or any other customer,” Nesterenko continued. “In cases where our services are exploited for malicious purposes, we collaborate fully with Dutch cyber police and other relevant authorities to investigate and take appropriate measures. However, we have yet to receive any actionable information beyond the article itself, which has not provided us with sufficient detail to identify or block malicious actors.”

In December 2022, security firm Recorded Future profiled the phishing and credential harvesting infrastructure used for Russia-aligned espionage operations by a group dubbed Blue Charlie (aka TAG-53), which has targeted email accounts of nongovernmental organizations and think tanks, journalists, and government and defense officials.

Recorded Future found that virtually all the Blue Charlie domains existed in just ten different ISPs, with a significant concentration located in two networks, one of which was MIRhosting. Both Microsoft and the UK government assess that Blue Charlie is linked to the Russian threat activity groups variously known as Callisto Group, COLDRIVER, and SEABORGIUM.

Mr. Nesterenko took exception to a story on that report from The Record, which is owned by Recorded Future.

“We’ve discussed its contents with our customer, Stark Industries,” he said. “We understand that they have initiated legal proceedings against the website in question, as they firmly believe that the claims made are inaccurate.”

Recorded Future said they updated their story with comments from Mr. Neculiti, but that they stand by their reporting.

Mr. Nesterenko’s LinkedIn profile says he was previously the foreign region sales manager at Serverius-as, a hosting company in The Netherlands that remains in the same data center as MIRhosting.

In February, the Dutch police took 13 servers offline that were used by the infamous LockBit ransomware group, which had originally bragged on its darknet website that its home base was in The Netherlands. Sources tell KrebsOnSecurity the servers seized by the Dutch police were located in Serverius’ data center in Dronten, which is also shared by MIRhosting.

Serverius-as did not respond to requests for comment. Nesterenko said MIRhosting does use one of Serverius’s data centers for its operations in the Netherlands, alongside two other data centers, but that the recent incident involving the seizure of servers has no connection to MIRhosting.

“We are legally prohibited by Dutch law and police regulations from sharing information with third parties regarding any communications we may have had,” he said.

A February 2024 report from security firm ESET found Serverius-as systems were involved in a series of targeted phishing attacks by Russia-aligned groups against Ukrainian entities throughout 2023. ESET observed that after the spearphishing domains were no longer active, they were converted to promoting rogue Internet pharmacy websites.

PEERING INTO THE VOID

A review of the Internet address ranges recently added to the network operated by Stark Industries Solutions offers some insight into its customer base, usage, and maybe even true origins. Here is a snapshot (PDF) of all Internet address ranges announced by Stark Industries so far in the month of May 2024 (this information was graciously collated by the network observability platform Kentik.com).

Those records indicate that the largest portion of the IP space used by Stark is in The Netherlands, followed by Germany and the United States. Stark says it is connected to roughly 4,600 Internet addresses that currently list their ownership as Comcast Cable Communications.

A review of those address ranges at spur.us shows all of them are connected to an entity called Proxyline, which is a sprawling proxy service based in Russia that currently says it has more than 1.6 million proxies globally that are available for rent.

Reached for comment, Comcast said the Internet address ranges never did belong to Comcast, so it is likely that Stark has been fudging the real location of its routing announcements in some cases.

Stark reports that it has more than 67,000 Internet addresses at Santa Clara, Calif.-based EGIhosting. Spur says the Stark addresses involving EGIhosting all map to Proxyline as well. EGIhosting did not respond to requests for comment.

EGIhosting manages Internet addresses for the Cyprus-based hosting firm ITHOSTLINE LTD (aka HOSTLINE-LTD), which is represented throughout Stark’s announced Internet ranges. Stark says it has more than 21,000 Internet addresses with HOSTLINE. Spur.us finds Proxyline addresses are especially concentrated in the Stark ranges labeled ITHOSTLINE LTD, HOSTLINE-LTD, and Proline IT.

Stark’s network list includes approximately 21,000 Internet addresses at Hockessin, De. based DediPath, which abruptly ceased operations without warning in August 2023. According to a phishing report released last year by Interisle Consulting, DediPath was the fourth most common source of phishing attacks in the year ending Oct. 2022. Spur.us likewise finds that virtually all of the Stark address ranges marked “DediPath LLC” are tied to Proxyline.

A large number of the Internet address ranges announced by Stark in May originate in India, and the names that are self-assigned to many of these networks indicate they were previously used to send large volumes of spam for herbal medicinal products, with names like HerbalFarm, AdsChrome, Nutravo, Herbzoot and Herbalve.

The anti-spam organization SpamHaus reports that many of the Indian IP address ranges are associated with known “snowshoe spam,” a form of abuse that involves mass email campaigns spread across several domains and IP addresses to weaken reputation metrics and avoid spam filters.

It’s not clear how much of Stark’s network address space traces its origins to Russia, but big chunks of it recently belonged to some of the oldest entities on the Russian Internet (a.k.a. “Runet”).

For example, many Stark address ranges were most recently assigned to a Russian government entity whose full name is the “Federal State Autonomous Educational Establishment of Additional Professional Education Center of Realization of State Educational Policy and Informational Technologies.”

A review of Internet address ranges adjacent to this entity reveals a long list of Russian government organizations that are part of the Federal Guard Service of the Russian Federation. Wikipedia says the Federal Guard Service is a Russian federal government agency concerned with tasks related to protection of several high-ranking state officials, including the President of Russia, as well as certain federal properties. The agency traces its origins to the USSR’s Ninth Directorate of the KGB, and later the presidential security service.

Stark recently announced the address range 213.159.64.0/20 from April 27 to May 1, and this range was previously assigned to an ancient ISP in St. Petersburg, RU called the Computer Technologies Institute Ltd.

According to a post on the Russian language webmaster forum searchengines[.]ru, the domain for Computer Technologies Institute — ctinet[.]ru — is the seventh-oldest domain in the entire history of the Runet.

Curiously, Stark also lists large tracts of Internet addresses (close to 48,000 in total) assigned to a small ISP in Kharkiv, Ukraine called NetAssist. Reached via email, the CEO of NetAssist Max Tulyev confirmed his company provides a number of services to PQ Hosting.

“We colocate their equipment in Warsaw, Madrid, Sofia and Thessaloniki, provide them IP transit and IPv4 addresses,” Tulyev said. “For their size, we receive relatively low number of complains to their networks. I never seen anything about their pro-Russian activity or support of Russian hackers. It is very interesting for me to see proofs of your accusations.”

Spur.us mapped the entire infrastructure of Proxyline, and found more than one million proxies across multiple providers, but by far the biggest concentration was at Stark Industries Solutions. The full list of Proxyline address ranges (.CSV) shows two other ISPs appear repeatedly throughout the list. One is Kharkiv, Ukraine based ITL LLC, also known as Information Technology Laboratories Group, and Integrated Technologies Laboratory.

The second is a related hosting company in Miami, called Green Floid LLC. Green Floid featured in a 2017 scoop by CNN, which profiled the company’s owner and quizzed him about Russian troll farms using proxy networks on Green Floid and its parent firm ITL to mask disinformation efforts tied to the Kremlin’s Internet Research Agency (IRA). At the time, the IRA was using Facebook and other social media networks to spread videos showing police brutality against African Americans in an effort to encourage protests across the United States.

Doug Madory, director of Internet analysis at Kentik, was able to see at a high level the top sources and destinations for traffic traversing Stark’s network.

“Based on our aggregate NetFlow, we see Iran as the top destination (35.1%) for traffic emanating from Stark (AS44477),” Madory said. “Specifically, the top destination is MTN Irancell, while the top source is Facebook. This data supports the theory that AS44477 houses proxy services as Facebook is blocked in Iran.”

On April 30, the security firm Malwarebytes explored an extensive malware operation that targets corporate Internet users with malicious ads. Among the sites used as lures in that campaign were fake Wall Street Journal and CNN websites that told visitors they were required to install a WSJ or CNN-branded browser extension (malware). Malwarebytes found a domain name central to that operation was hosted at Internet addresses owned by Stark Industries.

The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev and charged him with using Lockbit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.

Khoroshev (Дмитрий Юрьевич Хорошев), a resident of Voronezh, Russia, was charged in a 26-count indictment by a grand jury in New Jersey.

“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” U.S. Attorney Philip R. Sellinger said in a statement released by the Justice Department.

The indictment alleges Khoroshev acted as the LockBit ransomware group’s developer and administrator from its inception in September 2019 through May 2024, and that he typically received a 20 percent share of each ransom payment extorted from LockBit victims.

The government says LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.

“Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery,” the DOJ said. “The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.”

The unmasking of LockBitSupp comes nearly three months after U.S. and U.K. authorities seized the darknet websites run by LockBit, retrofitting it with press releases about the law enforcement action and free tools to help LockBit victims decrypt infected systems.

One of the blog captions that authorities left on the seized site was a teaser page that read, “Who is LockbitSupp?,” which promised to reveal the true identity of the ransomware group leader. That item featured a countdown clock until the big reveal, but when the site’s timer expired no such details were offered.

Following the FBI’s raid, LockBitSupp took to Russian cybercrime forums to assure his partners and affiliates that the ransomware operation was still fully operational. LockBitSupp also raised another set of darknet websites that soon promised to release data stolen from a number of LockBit victims ransomed prior to the FBI raid.

One of the victims LockBitSupp continued extorting was Fulton County, Ga. Following the FBI raid, LockbitSupp vowed to release sensitive documents stolen from the county court system unless paid a ransom demand before LockBit’s countdown timer expired. But when Fulton County officials refused to pay and the timer expired, no stolen records were ever published. Experts said it was likely the FBI had in fact seized all of LockBit’s stolen data.

LockBitSupp also bragged that their real identity would never be revealed, and at one point offered to pay $10 million to anyone who could discover their real name.

KrebsOnSecurity has been in intermittent contact with LockBitSupp for several months over the course of reporting on different LockBit victims. Reached at the same ToX instant messenger identity that the ransomware group leader has promoted on Russian cybercrime forums, LockBitSupp claimed the authorities named the wrong guy.

“It’s not me,” LockBitSupp replied in Russian. “I don’t understand how the FBI was able to connect me with this poor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?”

LockBitSupp, who now has a $10 million bounty for his arrest from the U.S. Department of State, has been known to be flexible with the truth. The Lockbit group routinely practiced “double extortion” against its victims — requiring one ransom payment for a key to unlock hijacked systems, and a separate payment in exchange for a promise to delete data stolen from its victims.

But Justice Department officials say LockBit never deleted its victim data, regardless of whether those organizations paid a ransom to keep the information from being published on LockBit’s victim shaming website.

Khoroshev is the sixth person officially indicted as active members of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.

Ivan Gennadievich Kondratyev, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka “REvil“) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka” Matveev and Mikhail Vasiliev. In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.

Matveev remains at large, presumably still in Russia. Meanwhile, the U.S. Department of State has a standing $10 million reward offer for information leading to Matveev’s arrest.

Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF).

In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.

The Justice Department is urging victims targeted by LockBit to contact the FBI at https://lockbitvictims.ic3.gov/ to file an official complaint, and to determine whether affected systems can be successfully decrypted.

A cybercrook who has been setting up websites that mimic the self-destructing message service privnote.com accidentally exposed the breadth of their operations recently when they threatened to sue a software company. The disclosure revealed a profitable network of phishing sites that behave and look like the real Privnote, except that any messages containing cryptocurrency addresses will be automatically altered to include a different payment address controlled by the scammers.

Launched in 2008, privnote.com employs technology that encrypts each message so that even Privnote itself cannot read its contents. And it doesn’t send or receive messages. Creating a message merely generates a link. When that link is clicked or visited, the service warns that the message will be gone forever after it is read.

Privnote’s ease-of-use and popularity among cryptocurrency enthusiasts has made it a perennial target of phishers, who erect Privnote clones that function more or less as advertised but also quietly inject their own cryptocurrency payment addresses when a note is created that contains crypto wallets.

Last month, a new user on GitHub named fory66399 lodged a complaint on the “issues” page for MetaMask, a software cryptocurrency wallet used to interact with the Ethereum blockchain. Fory66399 insisted that their website — privnote[.]co — was being wrongly flagged by MetaMask’s “eth-phishing-detect” list as malicious.

“We filed a lawsuit with a lawyer for dishonestly adding a site to the block list, damaging reputation, as well as ignoring the moderation department and ignoring answers!” fory66399 threatened. “Provide evidence or I will demand compensation!”

MetaMask’s lead product manager Taylor Monahan replied by posting several screenshots of privnote[.]co showing the site did indeed swap out any cryptocurrency addresses.

After being told where they could send a copy of their lawsuit, Fory66399 appeared to become flustered, and proceeded to mention a number of other interesting domain names:

You sent me screenshots from some other site! It’s red!!!!
The tornote.io website has a different color altogether
The privatenote,io website also has a different color! What’s wrong?????

A search at DomainTools.com for privatenote[.]io shows it has been registered to two names over as many years, including Andrey Sokol from Moscow and Alexandr Ermakov from Kiev. There is no indication these are the real names of the phishers, but the names are useful in pointing to other sites targeting Privnote since 2020.

DomainTools says other domains registered to Alexandr Ermakov include pirvnota[.]com, privatemessage[.]net, privatenote[.]io, and tornote[.]io.

The registration records for pirvnota[.]com at one point were updated from Andrey Sokol to “BPW” as the registrant organization, and “Tambov district” in the registrant state/province field. Searching DomainTools for domains that include both of these terms reveals pirwnote[.]com.

Other Privnote phishing domains that also phoned home to the same Internet address as pirwnote[.]com include privnode[.]com, privnate[.]com, and prevnóte[.]com. Pirwnote[.]com is currently selling security cameras made by the Chinese manufacturer Hikvision, via an Internet address based in Hong Kong.

It appears someone has gone to great lengths to make tornote[.]io seem like a legitimate website. For example, this account at Medium has authored more than a dozen blog posts in the past year singing the praises of Tornote as a secure, self-destructing messaging service. However, testing shows tornote[.]io will also replace any cryptocurrency addresses in messages with their own payment address.

These malicious note sites attract visitors by gaming search engine results to make the phishing domains appear prominently in search results for “privnote.” A search in Google for “privnote” currently returns tornote[.]io as the fifth result. Like other phishing sites tied to this network, Tornote will use the same cryptocurrency addresses for roughly 5 days, and then rotate in new payment addresses.

Throughout 2023, Tornote was hosted with the Russian provider DDoS-Guard, at the Internet address 186.2.163[.]216. A review of the passive DNS records tied to this address shows that apart from subdomains dedicated to tornote[.]io, the main other domain at this address was hkleaks[.]ml.

In August 2019, a slew of websites and social media channels dubbed “HKLEAKS” began doxing the identities and personal information of pro-democracy activists in Hong Kong. According to a report (PDF) from Citizen Lab, hkleaks[.]ml was the second domain that appeared as the perpetrators began to expand the list of those doxed.

DomainTools shows there are more than 1,000 other domains whose registration records include the organization name “BPW” and “Tambov District” as the location. Virtually all of those domains were registered through one of two registrars — Hong Kong-based Nicenic and Singapore-based WebCC — and almost all appear to be phishing or pill-spam related.

Among those is rustraitor[.]info, a website erected after Russia invaded Ukraine in early 2022 that doxed Russians perceived to have helped the Ukrainian cause.

In keeping with the overall theme, these phishing domains appear focused on stealing usernames and passwords to some of the cybercrime underground’s busiest shops, including Brian’s Club. What do all the phished sites have in common? They all accept payment via virtual currencies.

It appears MetaMask’s Monahan made the correct decision in forcing these phishers to tip their hand: Among the websites at that DDoS-Guard address are multiple MetaMask phishing domains, including metarrnask[.]com, meternask[.]com, and rnetamask[.]com.

How profitable are these private note phishing sites? Reviewing the four malicious cryptocurrency payment addresses that the attackers swapped into notes passed through privnote[.]co (as pictured in Monahan’s screenshot above) shows that between March 15 and March 19, 2024, those address raked in and transferred out nearly $18,000 in cryptocurrencies. And that’s just one of their phishing websites.

In 2021, the exclusive Russian cybercrime forum Mazafaka was hacked. The leaked user database shows one of the forum’s founders was an attorney who advised Russia’s top hackers on the legal risks of their work, and what to do if they got caught. A review of this user’s hacker identities shows that during his time on the forums he served as an officer in the special forces of the GRU, the foreign military intelligence agency of the Russian Federation.

Launched in 2001 under the tagline “Network terrorism,” Mazafaka would evolve into one of the most guarded Russian-language cybercrime communities. The forum’s member roster included a Who’s Who of top Russian cybercriminals, and it featured sub-forums for a wide range of cybercrime specialities, including malware, spam, coding and identity theft.

In almost any database leak, the first accounts listed are usually the administrators and early core members. But the Mazafaka user information posted online was not a database file per se, and it was clearly edited, redacted and restructured by whoever released it. As a result, it can be difficult to tell which members are the earliest users.

The original Mazafaka is known to have been launched by a hacker using the nickname “Stalker.” However, the lowest numbered (non-admin) user ID in the Mazafaka database belongs to another individual who used the handle “Djamix,” and the email address djamix@mazafaka[.]ru.

From the forum’s inception until around 2008, Djamix was one of its most active and eloquent contributors. Djamix told forum members he was a lawyer, and nearly all of his posts included legal analyses of various public cases involving hackers arrested and charged with cybercrimes in Russia and abroad.

“Hiding with purely technical parameters will not help in a serious matter,” Djamix advised Maza members in September 2007. “In order to ESCAPE the law, you need to KNOW the law. This is the most important thing. Technical capabilities cannot overcome intelligence and cunning.”

Stalker himself credited Djamix with keeping Mazafaka online for so many years. In a retrospective post published to Livejournal in 2014 titled, “Mazafaka, from conception to the present day,” Stalker said Djamix had become a core member of the community.

“This guy is everywhere,” Stalker said of Djamix. “There’s not a thing on [Mazafaka] that he doesn’t take part in. For me, he is a stimulus-irritant and thanks to him, Maza is still alive. Our rallying force!”

Djamix told other forum denizens he was a licensed attorney who could be hired for remote or in-person consultations, and his posts on Mazafaka and other Russian boards show several hackers facing legal jeopardy likely took him up on this offer.

“I have the right to represent your interests in court,” Djamix said on the Russian-language cybercrime forum Verified in Jan. 2011. “Remotely (in the form of constant support and consultations), or in person – this is discussed separately. As well as the cost of my services.”

WHO IS DJAMIX?

A search on djamix@mazafaka[.]ru at DomainTools.com reveals this address has been used to register at least 10 domain names since 2008. Those include several websites about life in and around Sochi, Russia, the site of the 2014 Winter Olympics, as well as a nearby coastal town called Adler. All of those sites say they were registered to an Aleksei Safronov from Sochi who also lists Adler as a hometown.

The breach tracking service Constella Intelligence finds that the phone number associated with those domains — +7.9676442212 — is tied to a Facebook account for an Aleksei Valerievich Safronov from Sochi. Mr. Safronov’s Facebook profile, which was last updated in October 2022, says his ICQ instant messenger number is 53765. This is the same ICQ number assigned to Djamix in the Mazafaka user database.

A “Djamix” account on the forum privetsochi[.]ru (“Hello Sochi”) says this user was born Oct. 2, 1970, and that his website is uposter[.]ru. This Russian language news site’s tagline is, “We Create Communication,” and it focuses heavily on news about Sochi, Adler, Russia and the war in Ukraine, with a strong pro-Kremlin bent.

Safronov’s Facebook profile also gives his Skype username as “Djamixadler,” and it includes dozens of photos of him dressed in military fatigues along with a regiment of soldiers deploying in fairly remote areas of Russia. Some of those photos date back to 2008.

In several of the images, we can see a patch on the arm of Safronov’s jacket that bears the logo of the Spetsnaz GRU, a special forces unit of the Russian military. According to a 2020 report from the Congressional Research Service, the GRU operates both as an intelligence agency — collecting human, cyber, and signals intelligence — and as a military organization responsible for battlefield reconnaissance and the operation of Russia’s Spetsnaz military commando units.

“In recent years, reports have linked the GRU to some of Russia’s most aggressive and public intelligence operations,” the CRS report explains. “Reportedly, the GRU played a key role in Russia’s occupation of Ukraine’s Crimea region and invasion of eastern Ukraine, the attempted assassination of former Russian intelligence officer Sergei Skripal in the United Kingdom, interference in the 2016 U.S. presidential elections, disinformation and propaganda operations, and some of the world’s most damaging cyberattacks.”

According to the Russia-focused investigative news outlet Meduza, in 2014 the Russian Defense Ministry created its “information-operation troops” for action in “cyber-confrontations with potential adversaries.”

“Later, sources in the Defense Ministry explained that these new troops were meant to ‘disrupt the potential adversary’s information networks,'” Meduza reported in 2018. “Recruiters reportedly went looking for ‘hackers who have had problems with the law.'”

Mr. Safronov did not respond to multiple requests for comment. A 2018 treatise written by Aleksei Valerievich Safronov titled “One Hundred Years of GRU Military Intelligence” explains the significance of the bat in the seal of the GRU.

“One way or another, the bat is an emblem that unites all active and retired intelligence officers; it is a symbol of unity and exclusivity,” Safronov wrote. “And, in general, it doesn’t matter who we’re talking about – a secret GRU agent somewhere in the army or a sniper in any of the special forces brigades. They all did and are doing one very important and responsible thing.”

It’s unclear what role Mr. Safronov plays or played in the GRU, but it seems likely the military intelligence agency would have exploited his considerable technical skills, knowledge and connections on the Russian cybercrime forums.

Searching on Safronov’s domain uposter[.]ru in Constella Intelligence reveals that this domain was used in 2022 to register an account at a popular Spanish-language discussion forum dedicated to helping applicants prepare for a career in the Guardia Civil, one of Spain’s two national police forces. Pivoting on that Russian IP in Constella shows three other accounts were created at the same Spanish user forum around the same date.

Mark Rasch is a former cybercrime prosecutor for the U.S. Department of Justice who now serves as chief legal officer for the New York cybersecurity firm Unit 221B. Rasch said there has always been a close relationship between the GRU and the Russian hacker community, noting that in the early 2000s the GRU was soliciting hackers with the skills necessary to hack US banks in order to procure funds to help finance Russia’s war in Chechnya.

“The guy is heavily hooked into the Russian cyber community, and that’s useful for intelligence services,” Rasch said. “He could have been infiltrating the community to monitor it for the GRU. Or he could just be a guy wearing a military uniform.”