Posted February 7, 2014
LookingGlass Issues Special Alert Linking Major Cybercrime Organization to IT Infrastructure at Sochi
– by Chris Coleman
Investigation reveals connection to Russian Business Network, a known reseller of stolen identities.
Special Alert: We at LookingGlass are seeing significant new criminal activity positioned in the Sochi region of Russia.
This is a serious threat. For those traveling to the area, be wary of using 4G or untrusted/unsecured wireless connections, and act with heightened awareness of cyber security risks overall. Be on the lookout for strange emails, links, social engineering, phishing and the like. Be extra protective of business and personal credentials and credit card information. Monitor your credit cards for fraudulent charges: if you have notified your provider that you are traveling to the region, charges made there may slip past the automated fraud flags your provider would normally apply. Limit the use of network-connected devices such as smartphones and laptops, especially for accessing proprietary, financial, confidential or personal information. Consider removing critical information from devices before entering the region.
For background: In advance of the 2014 Olympic games, LookingGlass began profiling the network infrastructure stood up in the Sochi region of Russia to serve the influx of businesses, VIPs, athletes, media, spectators and visitors. Initial analysis of this infrastructure shows a high degree of criminal infrastructure and high-risk behavior emanating from the area and its associated networks.
In particular, these networks are rife with criminal infrastructure linked to spam and to botnets such as Cutwail, Slenfbot and Conficker, along with command-and-control nodes more generally. Many of these indicators reside on both wireless and mobile networks; in fact, the Cutwail indicators originating in Sochi stem from 4G networks. While much of this criminal infrastructure is also active in other parts of the world, the majority of the infrastructure and activity in the Sochi region has surfaced over the past few weeks. This points to deliberate positioning by cyber criminals in preparation for targeting the 2014 Olympic games.
Cutwail is a spam botnet with a history of being used to infect hosts with the ZeuS GameOver banking Trojan and to conscript infected hosts into DDoS attacks. The bulk of the Sochi criminal infrastructure also shares common services with other Russian-based infrastructure associated with the Russian Business Network (RBN), a multi-faceted cybercrime organization specializing in identity theft for resale.
This preliminary analysis has also shown a high degree of port scanning and a spike in P2P traffic originating from these networks. Even popular hotel websites in Sochi are hosted in parts of Russia with a high degree of RBN association.
LookingGlass will continue to monitor and analyze the Sochi infrastructure during the games. If possible, spectators should avoid using network-connected devices such as smartphones and laptops; if that is not possible, at a minimum heed the guidance in our Special Alert above.