Feds accuse 16 Russians of alleged ransomware, cyberattacks and spying

In Russia's hacker ecosystem, more than anywhere else in the world, the line between cybercrime, state-funded cyberwarfare and espionage has long been blurred. Now the prosecution of a group of Russian nationals and the takedown of its vast botnets provide the clearest example in years of how a single malware operation allegedly enabled hacking operations as diverse as ransomware, wartime cyberattacks in Ukraine, and surveillance of foreign governments.

The U.S. Department of Justice today announced criminal charges against 16 individuals whom law enforcement agencies have linked to a malware operation called Danabot, which, according to a complaint, infected at least 300,000 machines worldwide. The Justice Department's announcement of the allegations called the group “Russia” and listed two of the suspects as Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, who live in Novosibirsk, Russia. The indictment mentioned five other suspects, and the other five were identified by their pseudonyms only. In addition to these allegations, the Department of Justice said the Defense Department’s criminal investigation unit, the Defense Criminal Investigative Service (DCIS), has contributed to seizures of Danabot infrastructure around the world, including in the United States.

In addition to alleging how Danabot was used for profitable criminal hacking, the indictment also makes rare claims: it describes how a second variant of the malware was, it says, used for espionage against military, government and non-governmental organization targets. “Popular malware like Danabot can harm hundreds of thousands of victims around the world, including sensitive military, diplomatic and government entities, and cause millions of dollars in damage,” U.S. Attorney Bill Essayli wrote in a statement.

Since 2018, Danabot, described in a criminal complaint as “incredibly invasive malware,” has infected millions of computers around the world. It started as a banking Trojan designed to steal directly from those PCs' owners, with modular features for credit card and cryptocurrency theft. Because its creator allegedly sold it under a “member” model that made it available to other hacker groups for $3,000 to $4,000 a month, it was quickly used as a tool to install different forms of malware in a wide range of operations, including ransomware. According to an analysis of the operation by cybersecurity company CrowdStrike, its targets also quickly spread from initial victims in Ukraine, Poland, Italy, Germany, Austria and Australia to U.S. and Canadian financial institutions.

At some point in 2021, Danabot was used in a software supply chain attack that hid the malware in a JavaScript coding tool called NPM, which is downloaded millions of times per week, according to CrowdStrike. CrowdStrike found victims of this compromised tool across the financial services, transportation, technology and media industries.

Selena Larson, a staff threat researcher at cybersecurity firm Proofpoint, said Danabot's scale and its criminal uses make it “the royal family of the e-crime landscape.”

More unusually, though, Danabot has also at times been used in hacking campaigns that appear to be state-sponsored or tied to the interests of Russian government agencies. In 2019 and 2020, it was used to target a few Western government officials in apparent espionage operations, according to the Justice Department’s indictment. According to Proofpoint, in these cases the malware was delivered in phishing messages that impersonated the Organization for Security and Co-operation in Europe and government entities of Kazakhstan.
