They’ve leaked terabytes of Russian emails, but who’s reading?

The city of Blagoveshchensk sits in the far east of Russia, some 3,500 miles from Moscow and further still from Kyiv. Across a river, the Chinese city of Heihe sprawls to the south, joined by the first Sino-Russian road bridge; beside the bridge, there’s little about the city to make the news.

But the public affairs of the city are now laid bare for anyone willing to look in the form of 150GB of emails from the Blagoveshchensk City Administration published online by the transparency collective Distributed Denial of Secrets — just one of many data sets leaked to the organization since the invasion of Ukraine began.

As the war in Ukraine approaches the 60-day mark, leaks from the country have been coming at an unprecedented rate. On April 20th, DDoSecrets co-founder Emma Best tweeted that the collective has published 5.8 terabytes of leaks since the invasion started, with no signs of slowing down.

On the day of that tweet, DDoSecrets published two new leaked email caches: 575,000 emails from property management company Sawatzky and 250,000 emails from Worldwide Invest, a Moscow-based investment firm.

In the “Russia” category, the leaks now include a huge cross-section of Russian society, including banks, oil and gas companies, and the Russian Orthodox Church. Relative to some of the other leaked content sourced by DDoSecrets, the Blagoveshchensk emails represent only a mid-sized leak. The smallest data set (a list of the personal details for 120,000 Russian soldiers in Ukraine) is a mere 22MB while the largest (20 years of emails from a Russian state-owned broadcaster) is a whopping 786GB.

DDoSecrets is not the only place to host leaks coming out of Russia, but it is now indisputably the most active — even though DDoSecrets member Lorax Horne says the organization isn’t explicitly trying to publish information that is pro-Ukraine or anti-Russia.

“For folks who haven’t heard of DDoSecrets before last month, they can be forgiven for assuming we’ve taken a position,” Horne told The Verge. “But really it has to do with the data we receive. If we were getting datasets from the other side, we would also consider that for publication. It just so happens that the majority of the datasets that are coming out are related to Russian entities.”

Still, it’s hard to deny that many of DDoSecret’s leaks are motivated by antiwar sentiment. (In an interview with NBC News, Emma Best described hacktivists who leak to the collective as “screaming in response to the injustice of Russia’s invasion of Ukraine and the inhumanity of the war crimes committed by the invaders.”) The call for hacktivism that came from the Ministry of Defence of Ukraine also helped, Horne says, directing energy toward a defined set of Russian targets. Besides the moral clarity that comes with direction from the Ukrainian government, other experts point toward a hands-off approach from actors who might otherwise curtail hacking activity.

The organization has been labeled as a successor to WikiLeaks, the pioneering leak-sharing platform that seems to have slowly fallen into disarray in the years since founder Julian Assange’s arrest. As the conflict began, almost all of the site’s channels for submitting documents were found to be inoperative, making it all but impossible to share leaks with the original transparency platform and meaning that WikiLeaks has played little role in hosting data related to the Ukraine conflict.

That has given DDoSecrets a newly strategic role, operating as a de facto front-end distribution system for the fruits of hacktivist activity against Russia.

“Traditional hackers were never looked upon fondly from law enforcement or members of the security community, but it seems they have received a free pass in the current conflict to attack all things Russian,” said Jeremiah Fowler, a security researcher who has published research on hacktivism in Ukraine. “Russia has become Anonymous’s biggest recruiter.”

Yet, while the more chronically online among us might long for a world where sharing data can turn the tide of a war, it’s not clear that this is the world we live in.

The leaked data would be most impactful if ordinary Russians had access to it and could browse through the archives for concrete evidence of the elite corruption that is still endemic to the country. But with the information environment in the country being ever more tightly controlled by government censorship, it is unlikely that the vast majority of the leaked information will ever receive mainstream attention domestically.

Bret Schafer, head of the information manipulation research team at the Alliance for Securing Democracy, points to the steady suppression of independent media in Russia as a likely factor in limiting the impact of any incriminating information contained in the recent leaks.

“Using the Pandora Papers as an example, they pointed to clear corruption at very high levels within the Kremlin and it didn’t even really create a ripple domestically in Russia because it wasn’t covered,” Schafer says. “You know, it was covered by a few independent outlets that now no longer exist. So even the limited impact that had domestically probably won’t happen this time around, because independent media has been stifled even further.”

Schafer also points to the crackdown on internet freedom in Russia, exemplified by the blocking of Twitter and Facebook within the country since the invasion began. Though some younger, digitally savvy Russians might be able to circumvent some of these measures, the upshot is that even digital news is increasingly Kremlin-approved.

Long term, changing the Russian public’s understanding of the nature of the invasion will be a prerequisite for bringing the country back into the international order, whether this takes place years or even decades into the future. Leak sites could play some role in this, but so will diplomacy and other measures to support the eventual rebuilding of an independent media.

Whatever the end is here, we can’t kind of come out the other side with 70 percent of Russians thinking that this war was, well, not a war,” Schafer says.

Repost: Original Source and Author Link


Germany shuts down servers for Russian darknet marketplace Hydra

German authorities shut down the server infrastructure for the Russian darknet marketplace Hydra, seizing €23 million (~$25.2 million USD) worth of Bitcoin in the process, Germany’s Federal Crime Police Office (BKA) announced on Tuesday (via Bleeping Computer).

Hydra is a large marketplace on the dark web that serves as a hub for drugs, stolen credit card information, counterfeit bills, fake documents, and other illegal goods or services. The market primarily caters to criminals in Russia and surrounding nations. “Treasuremen,” or dealers connected with the site, push drugs throughout the region by hiding them in geo-tagged pickup locations.

With the shutdown of the German-based server, authorities are now launching an investigation into the “unknown operators and administrators” of Hydra, whom they suspect of selling narcotics and engaging in money laundering. German authorities say they have been investigating the marketplace with the help of the US since August 2021. The BKA told The Verge that no arrests have been made as of yet.

Although Hydra is known for aiding in the sale of narcotics, a report from risk intelligence organization Flashpoint (via Wired) points to cryptocurrency laundering as another growing trend. Cybercriminals could purchase cryptocurrency from other sellers in exchange for rubles, and then receive their cash through payment apps like YooMoney, Tinkoff, or QUIWI. Other crypto launderers would opt for a delivery method similar to the one used for drugs — a courier would bury money in a discrete location, which the customer would later dig up.

As noted by Wired, cryptocurrency investigation firm Chainanalysis found $200 million in stolen cryptocurrency floating around on the platform in 2021 and early 2022, including $5 million linked to fraud, $4 million linked to ransomware, and $4 million from sanctioned sources. About $2 billion in transactions in total came from “risky” sources.

In response to the shutdown, the US Department of the Treasury’s Office of Foreign Assets Control announced that it has sanctioned Hydra and Russian cryptocurrency exchange Garantex. The US is also working to identify over 100 cryptocurrency addresses with ties to the illegal marketplace.

“Our actions send a message today to criminals that you cannot hide on the darknet or their forums, and you cannot hide in Russia or anywhere else in the world,” Secretary of Treasury Janet L. Yellen said. “In coordination with allies and partners, like Germany and Estonia, we will continue to disrupt these networks.”

With about 17 million customer accounts and 19,000 sellers, Germany’s BKA and Central Office for Combatting Cybercrime (ZIT) say Hydra has the highest turnover rate out of any illegal market in the world, estimating a turnover of about €1.23 billion (~$1.35 million USD) in 2020 alone. German authorities note that cryptocurrency transactions on Hydra are especially hard to track due to a crypto-concealing service called the Bitcoin Bank Mixer.

Last year, German authorities shut down the darknet marketplace DarkMarket, which had nearly half a million users at the time. Authorities across the world have long been trying to crack down on illegal marketplaces, taking down Silk Road, Wall Street Market, and AlphaBay over the course of several years.

Update April 5th, 6:25PM ET: Updated to add context surrounding money laundering on Hydra from Flashpoint report.

Repost: Original Source and Author Link


Microsoft seized Russian domains targeting Ukrainian media organizations

Microsoft seized seven domains belonging to Strontium, also known as Fancy Bear or APT28, a Russian hacking group with ties to the country’s military intelligence agency, the company announced in a blog post (via TechCrunch). According to Microsoft, Russian spies used these sites to target Ukrainian media outlets, as well as foreign policy think tanks and government institutions located in the US and the European Union.

Microsoft obtained a court order to take control of each domain on April 6th. It then redirected them to a sinkhole, or a server used by cybersecurity experts to capture and analyze malicious connections. The company says it has seized over 100 domains controlled by Fancy Bear before this most recent takedown.

“We believe Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information,” Tom Burt, Microsoft’s corporate vice president of customer security and trust said in the post. “We have notified Ukraine’s government about the activity we detected and the action we’ve taken.”

This particular hacking group has a long history of attempting to interfere with both Ukraine and the US. Fancy Bear was linked to cyberattacks on the Democratic National Committee in 2016 and targeted the US election in 2020.

Russia’s invasion of Ukraine has only exacerbated cyberattacks by Fancy Bear and other bad actors. Last month, Google said Fancy Bear and Belarusian hacking group Ghostwriter carried out a phishing attack targeting Ukrainian officials and members of the Polish military. Russian state-sponsored hackers have also been accused of hacking into a European satellite service at the start of Russia’s invasion of Ukraine, as well as targeting US defense contractors in February. It’s unclear whether Fancy Bear was behind either attack.

Repost: Original Source and Author Link


Ukraine says it stopped a Russian cyberattack on its power grid

An attack on Ukraine’s power grid was foiled by cybersecurity analysts and officials, as reported by Reuters. After investigating the methods and software used by the attackers, cybersecurity firm ESET says that it was likely carried out by a hacking group called Sandworm, which The Record reports allegedly has ties to the Russian government.

The group planned to shut down computers that controlled substations and infrastructure belonging to a particular power company, according to the Computer Emergency Response Team of Ukraine (or CERT-UA). The hackers meant to cut off power on April 8th while also wiping the computers that would be used to try and get the grid back online.

This attempted attack involved a wide variety of malware, according to ESET, including the recently discovered CaddyWiper. ESET also found a new piece of malware, which it calls Industroyer2. The original Industroyer was used in a successful 2016 cyberattack that cut off power in parts of Kyiv, according to the security firm, probably by the same group behind this month’s foiled attack. Industroyer isn’t widely used by hackers — ESET notes that it’s only seen it used twice (earlier this month and in 2016), which implies that it’s written for very specific uses.

CERT-UA says that the hackers were biding their time, initially breaching the company’s systems before March. ESET’s analysis shows that one of the main pieces of malware was compiled over two weeks before the attack was supposed to take place.

It’s unclear how the hackers initially got into the company’s network or how they gained access to the network that controls industrial equipment like the targeted substations. The analysis does show, however, that the hackers were planning on covering their tracks after the attack.

Ukraine and its infrastructure have been targeted by hackers since before the Russian invasion began. It’s likely that this won’t be the last attack on its power grid, but the country’s response to this incident shows that its cybersecurity defense strategy is capable of warding off complex attacks.

Repost: Original Source and Author Link


After ‘protestware’ attacks, a Russian bank has advised clients to stop updating software

As the Russian invasion of Ukraine draws on, consequences are being felt by many parts of the technology sector, including open-source software development.

In a recent announcement, the Russian bank Sber advised its customers to temporarily stop installing software updates to any applications out of concern that they could contain malicious code specifically targeted at Russian users, labeled by some as “protestware.”

As quoted in Russian-language news sites, Sber’s announcement reads:

Currently, cases of provocative media content being introduced into freely distributed software have become more frequent. In addition, various content and malicious code can be embedded in freely distributed libraries used for software development. The use of such software can lead to malware infection of personal and corporate computers, as well as IT infrastructure.

Where there was an urgent need to use the software, Sber advised clients to scan files with an antivirus or carry out manual review of source code — a suggestion that is likely to be impractical, if not impossible, for most users.

Though framed in general terms, the announcement was likely made in reference to an incident that took place earlier in March, where the developer of a widely used JavaScript library added an update that overwrote files on machines located in Russia or Belarus. Supposedly implemented as a protest against the war, the update raised alarm from many in the open-source community, with fears that it would undermine confidence in the security of open-source software overall.

The update was made in a JavaScript module called node-ipc, which, according to the NPM package manager, is downloaded around 1 million times per week and used as a dependency by the popular front-end development framework Vue.js.

According to The Register, updates to node-ipc made on March 7th and March 8th added code that checked whether the IP address of a host machine was geolocated in Russia or Belarus, and if so, overwrote as many files as possible with a heart symbol. A later version of the module dispensed with the overwriting function and instead dropped a text file on users’ desktops containing a message that “war is not the answer, no matter how bad it is,” with a link to a song by Matisyahu.

Although the most destructive features of the “protestware” module no longer appear in the code, the consequences are harder to undo. Since open-source libraries are fundamental to software development, a general loss of trust in their integrity could have knock-on effects for users in Russia and elsewhere.

In a tweet, cybersecurity analyst Selena Larson referred to it as “forced insecurity”; in general, the open-source community has fiercely condemned the node-ipc update and pushed back on the idea of protest through module sabotage, even for worthy causes.

More broadly, the Ukraine conflict has posed difficult ethical questions to technology companies working in Russia. While many global tech leaders like Apple, Amazon, and Sony have paused or halted sales in the Russian market, others remain: in a blog post from March 7th, Cloudflare CEO Matthew Prince said that the company would continue to provide service in Russia despite calls to pull out, writing that “Russia needs more Internet access, not less.”

Repost: Original Source and Author Link


Russian military reportedly hacked into European satellites at start of Ukraine war

American government officials told The Washington Post that the Russian military was responsible for a cyberattack on a European satellite internet service that affected Ukrainian military communications in late February.

The hack affected the KA-SAT satellite broadband network, owned by Viasat, an American satellite communications company. On February 24th, the day the Russian invasion of Ukraine began, the KA-SAT network was hit by outages that affected Ukraine and surrounding regions in Europe. A few days afterward, Viasat blamed outages on a “cyber event,” but did not release further details.

Though Ukrainian officials have not fully disclosed the impact, the outage is believed to have caused significant communications disruptions at the beginning of the war.

The NSA was reported to be collaborating on an investigation with Ukrainian intelligence services, but no results have been officially announced. However, anonymous officials reportedly told the Post that US intelligence analysts have now concluded that Russian military hackers were behind the attack.

A request for confirmation sent by The Verge to the Cybersecurity and Infrastructure Security Agency (CISA) had not received a response by the time of publication.

Officials from Viasat told Air Force Magazine that the attack was conducted through a compromise of the system that manages customer satellite terminals, and only affected customers of the KA-SAT network, a smaller broadband provider that Viasat bought last year from French satellite operator Eutelsat.

At the outset of the conflict, commentators feared that Russia could launch widespread and destructive cyberattacks. While one perspective holds that such attacks have failed to materialize, the slow release of additional information gives credence to the suggestion that many attacks may have occurred in the shadows.

In the aftermath of the hack, CISA and the FBI issued a joint cybersecurity advisory to satellite communications providers, warning that the agencies were aware of possible threats to US and international networks, and advising companies to report any indications of malicious activity immediately.

As the war in Ukraine continues — and US opposition to Russia grows in the form of sanctions — the Biden administration has issued increasingly serious warnings about the possibility of Russian cyberattacks on US infrastructure.

On Monday, President Biden advised US businesses to take added precautions against hacking, citing “evolving intelligence” that Russia was preparing to target the US with cyberattacks. Then on Thursday, the Department of Justice unsealed indictments against four Russians accused of mounting state-sponsored cyberattacks against the US, publicly releasing details of a highly sophisticated hacking campaign involving supply-chain software compromises and spear-phishing campaigns against thousands of employees of companies and US government agencies.

Repost: Original Source and Author Link


Data leak from Russian delivery app shows dining habits of the secret police

A massive data leak from Russian food delivery service Yandex Food revealed the delivery addresses, phone numbers, names, and delivery instructions belonging to those associated with Russia’s secret police, according to findings from Bellingcat.

Yandex Food, a subsidiary of the larger Russian internet company, Yandex, first reported the data leak on March 1st, blaming it on the “dishonest actions” of one of its employees and noting that the leak doesn’t include users’ login information. Russian communications regulator Roskomnadzor has since threatened to fine the company up to 100,000 rubles (~$1,166 USD) for the leak, which Reuters says exposed the information of about 58,000 users. The Roskomnadzor also blocked access to an online map containing the data — an attempt to conceal the information of ordinary citizens, as well as those with ties to the Russian military and security services.

Researchers at Bellingcat gained access to the trove of information, sifting through it for leads on any people of interest, such as an individual linked to the poisoning of Russian opposition leader Alexey Navalny. By searching the database for phone numbers collected as part of a previous investigation, Bellingcat uncovered the name of the person who was in contact with Russia’s Federal Security Service (FSB) to plan Navalny’s poisoning. Bellingcat says this person also used his work email address to register with Yandex Food, allowing researchers to further ascertain his identity.

Researchers also examined the leaked information for the phone numbers belonging to individuals tied to Russia’s Main Intelligence Directorate (GRU), or the country’s foreign military intelligence agency. They found the name of one of these agents, Yevgeny, and were able to link him to Russia’s Ministry of Foreign Affairs and find his vehicle registration information.

Bellingcat uncovered some valuable information by searching the database for specific addresses as well. When researchers looked for the GRU headquarters in Moscow, they found just four results — a potential sign that workers just don’t use the delivery app, or opt to order from restaurants within walking distance instead. When Bellingcat searched for FSB’s Special Operation Center in a Moscow suburb, however, it yielded 20 results. Several results contained interesting delivery instructions, warning drivers that the delivery location is actually a military base. One user told their driver “Go up to the three boom barriers near the blue booth and call. After the stop for bus 110 up to the end,” while another said “Closed territory. Go up to the checkpoint. Call [number] ten minutes before you arrive!”

In a translated tweet, Russian politician and Navalny supporter, Lyubov Sobol, said the leaked information even led to additional information about Russian President Vladimir Putin’s former mistress and their alleged “secret” daughter. “Thanks to the leaked Yandex database, another apartment of Putin’s ex-mistress Svetlana Krivonogikh was found,” Sobol said. “That’s where their daughter Luiza Rozova ordered her meals. The apartment is 400 m², worth about 170 million rubles [~$1.98 million USD]!”

If researchers were able to uncover this much information based on data from a food delivery app, it’s a bit unnerving to think about the amount of information Uber Eats, DoorDash, Grubhub, and others have on users. In 2019, a DoorDash data breach exposed the names, email addresses, phone numbers, delivery order details, delivery addresses, and the hashed, salted passwords of 4.9 million people — a much larger number than those affected in the Yandex Food leak.

Repost: Original Source and Author Link


Russian ‘King of Fraud’ sentenced to 10 years in prison for Methbot digital ad scheme

A Russian man convicted on wire fraud and money laundering charges for his role in the Methbot digital advertising scheme was sentenced to 10 years in prison on Wednesday.

The Department of Justice said between September 2014 and December 2016, Aleksandr Zhukov, 41, and several co-conspirators made deals with ad networks to place online ads but used a bot farm and rented servers to simulate users visiting spoofed versions of websites like the New York Times and the New York Daily News. The ads were never shown to human users, but Zhukov raked in $7 million running the fake traffic scam (which became known as “Methbot,” after the name of his phony ad network Media Methane), according to the DOJ.

“Sitting at his computer keyboard in Bulgaria and Russia, Zhukov boldly devised and carried out an elaborate multi-million-dollar fraud against the digital advertising industry, and victimized thousands of companies across the United States,” US Attorney Breon Peace said in a statement.

As part of the elaborate plan, Zhukov recruited programmers and others to help build the infrastructure that made the scheme possible. Authorities said he referred to the recruits as his developers and to himself as “the king of fraud.”

In May, a jury convicted Zhukov of wire fraud conspiracy, wire fraud, money laundering conspiracy, and money laundering. In addition to the 10-year prison term, Zhukov was ordered to pay $3.8 million in forfeiture.

Repost: Original Source and Author Link


Russian hackers reportedly attacked GOP computer systems

Russian state hackers affiliated with the group Cozy Bear were reportedly behind an attack last week on Synnex, a contractor that provides IT services for the Republican National Committee (RNC), Bloomberg writes. The attack may have exposed the organization’s information.

When asked by Bloomberg, a spokesperson for the RNC denied the organization’s systems had been hacked, but confirmed that one of its IT providers Synnex, had been exposed. The RNC provided the following statement in reference to the attack:

Over the weekend, we were informed that Synnex, a third party provider, had been breached. We immediately blocked all access from Synnex accounts to our cloud environment. Our team worked with Microsoft to conduct a review of our systems and after a thorough investigation, no RNC data was accessed. We will continue to work with Microsoft, as well as federal law enforcement officials on this matter.

In a statement released on July 6th, Synnex further confirmed “it is aware of a few instances where outside actors have attempted to gain access, through Synnex, to customer applications within the Microsoft cloud environment.” The company claims it is reviewing the attack alongside Microsoft and a third-party security firm. Manipulating enterprise software that interacts with Microsoft’s cloud rather than going after Azure or Office products directly shares some similarities with the SolarWinds hack in 2020.

And that connection would make sense: members of Cozy Bear working with SVR, Russia’s foreign intelligence service, are largely suspected to be behind the manipulation of the SolarWinds software for illegal ends. The SolarWinds breach potentially exposed information from over a hundred companies and government organizations, and even compromised the tools of cybersecurity companies designed to prevent these kinds of attacks, like FireEye.

There’s also parallels to draw between a breach of the RNC and the hack of the Democratic National Committee and Hilary Clinton’s presidential campaign in 2016. That breach, and the leak of thousands of emails on WikiLeaks, ultimately led to the indictment of 12 members of GRU, a Russian military intelligence agency with connections to another group of ursine-inspired Russian hackers called Fancy Bear.

The RNC attack arrives among a flurry of ransomware attacks on critical infrastructure and companies in the US. The list is long, but in the last year, Colonial Pipeline, insurance provider CNA, and more recently, IT software provider Kaseya, have all been the victims of ransomware attacks. Bloomberg suggests Cozy Bear’s attack could have used these ransomware hacks as a kind of cover, and even if they didn’t, attacking political targets is an ongoing problem that doesn’t always end in a dramatic leak.

Repost: Original Source and Author Link


Microsoft warns of ‘sophisticated’ Russian email attack targeting government agencies

Microsoft has raised the alarm over a “sophisticated” ongoing cyberattack believed to be from the same Russia-linked hackers behind the SolarWinds hack. In a blog post, Tom Burt, Microsoft’s corporate vice president for customer security and trust, said the attack appears to be targeting government agencies, think tanks, consultants, and NGOs. In total, around 3,000 email accounts are believed to have been targeted across 150 organizations. Victims are spread across upward of 24 countries, but the majority are believed to be in the US.

According to Microsoft, hackers from a threat actor called Nobelium were able to compromise the US Agency for International Development’s account on a marketing service called Constant Contact, allowing them to send authentic-looking phishing emails. Microsoft’s post contains a screenshot of one of these emails, which claimed to contain a link to “documents on election fraud” from Donald Trump. However, when clicked, this link would install a backdoor that let the attackers steal data or infect other computers on the same network.

“We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts,” a spokesperson for Constant Contact said in a statement. “This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement.”

Microsoft says it believes that many of the attacks were blocked automatically, and that its Windows Defender antivirus software is also limiting the spread of the malware. The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security has acknowledged Microsoft’s blog post and encouraged administrators to apply the “necessary mitigations.”

This salvo of malicious emails is a warning that supply chain cyberattacks against US organizations are showing no signs of slowing, and that hackers are updating their methods in response to previous attacks becoming public. In its post, Microsoft calls for new international norms to be established governing “nation-state conduct in cyberspace” along with expectations of the consequences for breaking them.

The US government has blamed SVR, the Russian foreign intelligence service, for the SolarWinds hack, Bloomberg notes, although Russia’s president Vladimir Putin has denied Russian involvement. The attack is believed to have compromised around 100 private sector companies and nine federal agencies. Up to 18,000 SolarWinds customers are believed to have been exposed to the malicious code. In response, President Biden announced new sanctions on Russia and moved to expel 10 Russian diplomats from Washington, Bloomberg reports.

Repost: Original Source and Author Link