LookingGlass Issues Special Alert Linking Major Cybercrime Organization to IT Infrastructure at Sochi

– by Chris Coleman

Investigation reveals connection to Russian Business Network, a known reseller of stolen identities.

Special Alert: We at LookingGlass are seeing significant new criminal activity positioned in the Sochi region of Russia.

This is a serious threat. For those traveling to the area, be wary of using 4G or untrusted/unsecured wireless connections. Act with overall heightened awareness of cyber security risks. Be on the lookout for the following: strange emails, links, social engineering, phishing, etc. Be extra protective of business and personal credentials and credit card information. Monitor for fraudulent charges to your credit cards, as they may slip past automated flags set up by your provider if you have notified them you are traveling to the region. Limit the use of network-connected devices such as smartphones and laptops, especially for accessing proprietary, financial, confidential or personal information. Consider cleaning devices of critical information prior to entering the region.

For background: In advance of the 2014 Olympic games, LookingGlass began profiling network infrastructure in the Sochi region of Russia to serve the influx of businesses, VIPs, athletes, media, spectators and visitors. The initial analysis of this infrastructure reflects a high degree of criminal infrastructure and high-risk behavior emanating from the area and the associated networks.

In particular, these networks are fraught with criminal infrastructure linked to SPAM and botnets such as Cutwail, Slenfbot and Conficker, as well as command and control nodes overall. Many of these indicators reside on both wireless and mobile networks. In fact, the Cutwail indicators originating in Sochi are stemming from 4G networks. While much of the criminal infrastructure is active in other parts of the world, the majority of the infrastructure and activity in the Sochi region has surfaced over the past few weeks. This is a clear sign of positioning and intent by cyber criminals in preparing for and targeting the 2014 Olympic games.

Cutwail is a SPAM botnet that has a history of being leveraged to infect hosts with the ZeuS GameOver banking Trojan as well as infecting hosts to conduct DDoS attacks. The bulk of the Sochi criminal infrastructure also shares common services with other Russian-based infrastructure associated with the Russian Business Network (RBN). The Russian Business Network is a multi-faceted cybercrime organization specializing in identity theft for resale.

This preliminary analysis has also shown a high degree of port scanning and a spike in P2P traffic originating from these networks. Even popular hotel websites in Sochi are hosted in areas of Russia with high degrees of RBN association.

LookingGlass will continue to monitor and perform analysis of the Sochi infrastructure during the games. If possible, spectators should avoid the use of network-connected devices such as smartphones and laptops. If not possible, please heed the guidance of our Special Alert at a minimum.

