Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying

Russia's hacker ecosystem has long been a hotbed of illicit activity in which the lines between cybercrime, state-sponsored cyberwarfare, and espionage blur. A recent indictment by the US Department of Justice brings the role of botnets in that activity into focus, highlighting the dangers of pervasive malware like DanaBot.

According to the DOJ's announcement today, 16 individuals have been charged in connection with a malware operation known as DanaBot, which allegedly infected at least 300,000 machines around the world. The suspects are described as "Russia-based"; two of them, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, are named and said to live in Novosibirsk, Russia. Five other suspects are also named, while the remaining nine are identified only by their pseudonyms.

The Justice Department also announced that the Defense Criminal Investigative Service (DCIS) had seized DanaBot infrastructure around the world, including in the US. The indictment alleges that DanaBot was used for for-profit criminal hacking, but it also makes a rarer claim: that the malware was used for espionage against military, government, and NGO targets.

The Rise of DanaBot

Since 2018, DanaBot, described as "incredibly invasive malware," has infected millions of computers around the world. It began as a banking trojan designed to steal directly from the owners of infected PCs, with modular features for credit card and cryptocurrency theft. Its creators, however, allegedly sold it under an "affiliate" model that made it available to other hacker groups for $3,000 to $4,000 a month.

This business model allowed DanaBot to be used as a tool for installing other forms of malware in a broad array of operations, including ransomware. Its targets quickly spread from initial victims in Ukraine, Poland, Italy, Germany, Austria, and Australia to US and Canadian financial institutions, according to an analysis by cybersecurity firm CrowdStrike.

State-Sponsored Operations

DanaBot has also been used for hacking campaigns that appear to be state-sponsored or linked to Russian government agency interests. In 2019 and 2020, it was used to target a handful of Western government officials in apparent espionage operations, according to the DOJ's indictment.

Then, in the early weeks of Russia's full-scale invasion of Ukraine, which began in February 2022, DanaBot was used to install a distributed denial-of-service (DDoS) tool on infected machines and launch attacks against the webmail server of the Ukrainian Ministry of Defense and the National Security and Defense Council of Ukraine.

The Overlap Between Cybercrime and Espionage

"There have been a lot of suggestions historically of cybercriminal operators palling around with Russian government entities, but there hasn't been a lot of public reporting on these increasingly blurred lines," says Selena Larson, a staff threat researcher at cybersecurity firm Proofpoint.

The case of DanaBot is notable because it provides public evidence of this overlap, where e-crime tooling is used for espionage purposes. As Larson notes, "The more we can disrupt them, the more we keep them on their back heels. We should rinse and repeat and go find the next target."