Feds Charge 16 Russians Allegedly Tied to Botnets Used in Cyberattacks and Spying

The hacker ecosystem in Russia, more than perhaps anywhere else, has long blurred the lines between cybercrime, state-sponsored cyberwarfare, and espionage. Now, an indictment of a group of Russian nationals and the takedown of their sprawling botnet offers the clearest example in years of how a single malware operation allegedly enabled hacking operations as varied as ransomware, wartime cyberattacks in Ukraine, and spying against foreign governments.

The US Department of Justice today announced criminal charges against 16 individuals law enforcement authorities have linked to a malware operation known as DanaBot, which, according to a complaint, infected at least 300,000 machines around the world. The DOJ’s announcement describes the group as “Russia-based,” naming two suspects, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, as residing in Novosibirsk, Russia. Five other suspects are named in the indictment, while another nine are identified only by their pseudonyms. Aside from the charges, the Justice Department states that the Defense Criminal Investigative Service (DCIS) carried out seizures of DanaBot infrastructure globally, including in the US.

The indictment highlights how DanaBot was used in for-profit criminal hacking and makes a rarer claim: it describes a second variant of the malware used in espionage against military, government, and NGO targets. "Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” US attorney Bill Essayli stated.

Since 2018, DanaBot—described in the criminal complaint as “incredibly invasive malware”—has infected millions of computers globally. Initially a banking trojan designed for stealing from PC owners, with modular features for credit card and cryptocurrency theft, it was later used to install other forms of malware in broad operations, including ransomware, after its creators allegedly sold it in an “affiliate” model to other hacker groups for $3,000 to $4,000 a month. Its targets were initially in Ukraine, Poland, Italy, Germany, Austria, and Australia, before spreading to US and Canadian financial institutions, according to an analysis by cybersecurity firm CrowdStrike.

At one point in 2021, DanaBot was involved in a software supply-chain attack that hid the malware in a JavaScript coding tool called NPM with millions of weekly downloads. Victims of the compromised tool were found across financial services, transportation, technology, and media industries.

That scale and variety of uses made DanaBot “a juggernaut of the e-crime landscape,” according to Selena Larson, a staff threat researcher at Proofpoint. More notably, DanaBot has also been used in hacking campaigns appearing to be state-sponsored or linked to Russian government interests. In 2019 and 2020, it targeted a handful of Western government officials in espionage operations, delivered in phishing messages impersonating the Organization for Security and Cooperation in Europe and a Kazakhstan government entity.

During the early weeks of Russia's full-scale invasion of Ukraine, which began in February 2022, DanaBot was used to install a distributed denial-of-service (DDoS) tool on infected machines to attack the webmail server of the Ukrainian Ministry of Defense and National Security and Defense Council of Ukraine.

These actions make DanaBot a particularly clear example of cybercriminal malware allegedly being adopted by Russian state hackers. “Historically, there have been many suggestions of cybercriminal operators associating with Russian government entities, but there hasn't been a lot of public evidence of these blurred lines,” says Larson. The DanaBot case, she adds, “is notable as it shows e-crime tools being used for espionage purposes.”

DCIS investigator Elliott Peterson—a former FBI agent known for his work on the Mirai botnet investigation—alleges in the criminal complaint that some DanaBot members were identified after they infected their own computers with the malware, either to test the trojan or by accident. As a result, sensitive data was stolen from those hackers' own computers and stored on DanaBot servers, which helped investigators identify members of the organization.

While the DanaBot operators remain at large, the dismantling of a large-scale Russian-origin hacking tool represents a significant milestone, says Adam Meyers, who leads threat intelligence research at CrowdStrike. “Disrupting a multiyear operation impacts their ability to monetize it and creates a vacuum for others to fill. The more we disrupt them, the more we keep them on the back foot. We should continue to find the next targets.”

This story originally appeared at wired.com