Latest news with #AleksandrStepanov
Business Mayor
23-05-2025
- Business Mayor
Russian-led cybercrime network dismantled in global operation
European and North American cybercrime investigators say they have dismantled the heart of a malware operation directed by Russian criminals after a global operation involving British, Canadian, Danish, Dutch, French, German and US police. International arrest warrants have been issued for 20 suspects, most of them living in Russia, by European investigators while indictments were unsealed in the US against 16 individuals. Those charged include the alleged leaders of the Qakbot and Danabot malware operations, including Rustam Rafailevich Gallyamov, 48, who lives in Moscow and Aleksandr Stepanov, 39, AKA JimmBee and Artem Aleksandrovich Kalinkin, 34, AKA Onix, both of Novosibirsk, Russia, the US Department of Justice said. Cyber-attacks aimed at destabilising governments or simple theft and blackmail are becoming increasingly pernicious. The high-street retailer Marks & Spencer is one of the most high-profile and recent victims in the UK this month. The Europeans led by the German crime agency, Bundeskriminalamt (BKA) released public appeals in its attempts to track down 18 suspects believed to be involved in the Qakbot malware family along with a third malware known as Trickbot. BKA and its international counterparts said the majority of the suspects were Russian citizens. The Russian national Vitalii Nikolayevich Kovalev, 36, already wanted in the US, is one of BKA's most wanted. He is allegedly behind Conti, considered to be the most professional and best-organised ransomware blackmail group in the world with Kovalev described as one of the 'most successful blackmailers in the history of cybercrime' by German investigators. Using the pseudonyms Stern and Ben, BKA allege he is claimed to have attacked hundreds of companies worldwide and extracted large ransom payments from them. Read More Judge given formal advice over rude interruptions Kovolev, 36, from Volgorod, is believed to be living in Moscow, where several firms are registered in his name. He was identified by US investigators in 2023 as having been a member of Trickbot. Investigators now also believe he was at the helm of Conti and other blackmail groups, such as Royal and Blacksuit (founded in 2022). His own cryptowallet is said to be worth about €1bn. BKA said, along with international partners, of the 37 perpetrators they identified they had enough evidence to issue 20 arrest warrants. The US attorney's office in California at the same time unsealed the details of charges against 16 defendants who allegedly 'developed and deployed the DanaBot malware'. The criminal infiltrations into victims' computers were 'controlled and deployed' by a Russia-based cybercrime organisation that has infected more than 300,000 computers around the world particularly in the US, Australia, Poland, India and Italy. It was advertised on Russian-language criminal forums and also had an 'espionage variant used to target military, diplomatic, government and non-governmental organisations' the indictment states. 'For this variant, separate servers were established, such that data stolen from these victims was ultimately stored in the Russian federation.' Also on the Europe most-wanted list as a result of the German operation is a 36-year-old Russian-speaking Ukrainian, Roman Mikhailovich Prokop, a suspected member of Qakbot, according to BKA. Operation Endgame was instigated by the German authorities in 2022. The BKA president, Holger Münch, said Germany was a particular focus of cybercriminals. BKA in particular is investigating the suspected perpetrators' involvement in gang-related activities and commercial extortion as well as membership of an overseas-based criminal organisation. Read More Society seeks conveyancers' views for climate risk practice note Between 2010 and 2022 the Conti group focused specifically on US hospitals, increasing its attacks during the Covid pandemic. US authorities had offered a $10m reward to anyone who would lead them to its figureheads. Most suspects are operating in Russia, some also in Dubai. Their extradition to Europe or the US was unlikely, Münch said, but their identification was significant and damaging to them. 'With Operation Endgame 2.0, we have once again demonstrated that our strategies work – even in the supposedly anonymous darknet.'
Yahoo
23-05-2025
- Yahoo
Russian-led cybercrime network dismantled in global operation
European and North American cybercrime investigators say they have dismantled the heart of a malware operation directed by Russian criminals after a global operation involving British, Canadian, Danish, Dutch, French, German and US police. International arrest warrants have been issued for 20 suspects, most of them living in Russia, by European investigators while indictments were unsealed in the US against 16 individuals. Those charged include the alleged leaders of the Qakbot and Danabot malware operations, including Rustam Rafailevich Gallyamov, 48, who lives in Moscow and Aleksandr Stepanov, 39, AKA JimmBee and Artem Aleksandrovich Kalinkin, 34, AKA Onix, both of Novosibirsk, Russia, the US Department of Justice said. Cyber-attacks aimed at destabilising governments or simple theft and blackmail are becoming increasingly pernicious. The high-street retailer Marks & Spencer is one of the most high-profile and recent victims in the UK this month. The Europeans led by the German crime agency, Bundeskriminalamt (BKA) released public appeals in its attempts to track down 18 suspects believed to be involved in the Qakbot malware family along with a third malware known as Trickbot. BKA and its international counterparts said the majority of the suspects were Russian citizens. The Russian national Vitalii Nikolayevich Kovalev, 36, already wanted in the US, is one of BKA's most wanted. He is allegedly behind Conti, considered to be the most professional and best-organised ransomware blackmail group in the world with Kovalev described as one of the 'most successful blackmailers in the history of cybercrime' by German investigators. Using the pseudonyms Stern and Ben, BKA allege he is claimed to have attacked hundreds of companies worldwide and extracted large ransom payments from them. Kovolev, 36, from Volgorod, is believed to be living in Moscow, where several firms are registered in his name. He was identified by US investigators in 2023 as having been a member of Trickbot. Investigators now also believe he was at the helm of Conti and other blackmail groups, such as Royal and Blacksuit (founded in 2022). His own cryptowallet is said to be worth about €1bn. BKA said, along with international partners, of the 37 perpetrators they identified they had enough evidence to issue 20 arrest warrants. The US attorney's office in California at the same time unsealed the details of charges against 16 defendants who allegedly 'developed and deployed the DanaBot malware'. The criminal infiltrations into victims' computers were 'controlled and deployed' by a Russia-based cybercrime organisation that has infected more than 300,000 computers around the world particularly in the US, Australia, Poland, India and Italy. It was advertised on Russian-language criminal forums and also had an 'espionage variant used to target military, diplomatic, government and non-governmental organisations' the indictment states. 'For this variant, separate servers were established, such that data stolen from these victims was ultimately stored in the Russian federation.' Also on the Europe most-wanted list as a result of the German operation is a 36-year-old Russian-speaking Ukrainian, Roman Mikhailovich Prokop, a suspected member of Qakbot, according to BKA. Operation Endgame was instigated by the German authorities in 2022. The BKA president, Holger Münch, said Germany was a particular focus of cybercriminals. BKA in particular is investigating the suspected perpetrators' involvement in gang-related activities and commercial extortion as well as membership of an overseas-based criminal organisation. Between 2010 and 2022 the Conti group focused specifically on US hospitals, increasing its attacks during the Covid pandemic. US authorities had offered a $10m reward to anyone who would lead them to its figureheads. Most suspects are operating in Russia, some also in Dubai. Their extradition to Europe or the US was unlikely, Münch said, but their identification was significant and damaging to them. 'With Operation Endgame 2.0, we have once again demonstrated that our strategies work – even in the supposedly anonymous darknet.'
WIRED
22-05-2025
- WIRED
Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying
May 22, 2025 3:56 PM A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking. Photo-Illustration:The hacker ecosystem in Russia, more than perhaps anywhere else in the world, has long blurred the lines between cybercrime, state-sponsored cyberwarfare, and espionage. Now an indictment of a group of Russian nationals and the takedown of their sprawling botnet offers the clearest example in years of how a single malware operation allegedly enabled hacking operations as varied as ransomware, wartime cyberattacks in Ukraine, and spying against foreign governments. The US Department of Justice today announced criminal charges today against 16 individuals law enforcement authorities have linked to a malware operation known as DanaBot, which according to a complaint infected at least 300,000 machines around the world. The DOJ's announcement of the charges describes the group as 'Russia-based,' and names two of the suspects, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, as living in Novosibirsk, Russia. Five other suspects are named in the indictment, while another nine are identified only by their pseudonyms. In addition to those charges, the Justice Department says the Defense Criminal Investigative Service—a criminal investigation arm of the Department of Defense—carried out seizures of DanaBot infrastructure around the world, including in the US. Aside from alleging how DanaBot was used in for-profit criminal hacking, the indictment also describes a second variant of the malware that it says was used in espionage against military, government, and NGO targets. 'Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,' US Attorney Bill Essayli wrote in a statement. Since 2018, DanaBot has infected millions of computers around the world, initially as a banking trojan designed to steal directly from those PCs' owners with modular features designed for credit card and cryptocurrency theft. Because its creators allegedly sold it in an 'affiliate' model that made it available to other hacker groups for $3,000 to $4,000 a month, however, it was soon used as a tool to install different forms of malware in a broad array of operations, including ransomware. Its targets, too, quickly spread from initial victims in Ukraine, Poland, Italy, Germany, Austria, and Australia to US and Canadian financial institutions, according to an analysis of the operation by cybersecurity firm Crowdstrike. At one point in 2021, according to Crowdstrike, Danabot was used in a software supply chain attack that hid the malware in a javascript coding tool called NPM with millions of weekly downloads. Crowdstrike found victims of that compromised tool across the financial services, transportation, technology, and media industries. That scale and the wide variety of its criminal uses made DanaBot 'a juggernaut of the e-crime landscape,' according to Selena Larson, a staff threat researcher at cybersecurity firm Proofpoint. More uniquely, though, DanaBot has also been used at times for hacking campaigns that appear to be state-sponsored or linked to Russian government agency interests. In 2019 and 2020, it was used to target a handful of Western government officials in apparent espionage operations, according to the DOJ's indictment. According to Proofpoint, the malware in those instances was delivered in phishing messages that impersonated the Organization for Security and Cooperation in Europe and a Kazakhstan government entity. Then, in the early weeks of Russia's full-scale invasion of Ukraine, which began in February 2022, DanaBot was used to install a distributed denial-of-service (DDoS) tool onto infected machines and launch attacks against the webmail server of the Ukrainian Ministry of Defense and National Security and Defense Council of Ukraine. All of that makes DanaBot a particularly clear example of how cybercriminal malware has been adopted by Russian state hackers, Proofpoint's Larson alleges. 'There have been a lot of suggestions historically of cybercriminal operators palling around with Russian government entities, but there hasn't been a lot of public reporting on these increasingly blurred lines,' says Larson. The case of DanaBot, she says, "is pretty notable, because it's public evidence of this overlap where we see e-crime tooling used for espionage purposes.' Despite the operators of DanaBot remaining at large, the takedown of a large-scale tool in so many forms of Russian-origin hacking—both state-sponsored and criminal—represents a significant milestone, says Adam Meyers, who leads threat intelligence research at Crowdstrike. 'Every time you disrupt a multi-year operation, you're impacting their ability to monetize it. It also creates a bit of a vacuum, and somebody else is going to step up and take that place,' Meyers says. 'But the more we can disrupt them, the more we keep them on their back heels. We should rinse and repeat and go find the next target.' This is a developing story. Check back for updates.
