Russian and Ukrainian criminals favor The Planet for their Web hosting

Last Updated on Monday, 8 March 2010 10:46 Written by Jeffreycarr Monday, 8 March 2010 10:46

James McQuaid has published an eye-opening post which graphically demonstrates what I’ve been saying ever since the first Project Grey Goose report came out in October, 2008; i.e., that the U.S. is the favored hosting provider for bad actors around the world. In this case, we’re talking about criminal enterprises operating out of Russia and the Ukraine and just one of the 20 or so U.S. companies who sell services to them – The Planet of Plano, TX.

By the way, there’s nothing in the unclassified 12 initiatives of the CNCI that calls out this critical problem, yet it’s one of the easiest and least expensive problems to solve.


RBN servers support Tehran’s propaganda arm, the IRIB

Last Updated on Monday, 7 December 2009 02:21 Written by Jeffreycarr Monday, 7 December 2009 03:07

As Tehran struggles to retain its hold on traditional power it is struggling to grasp the power of untraditional media; i.e., Twitter, Facebook, YouTube and the like. Farnaz Fassihi’s article “Iranian Crackdown goes Global” in Friday’s Wall Street Journal does a great job in depicting to what length Iran is willing to go to keep change at bay including ordering agents of its Intelligence Service to monitor Iranian dissidents in foreign countries like Germany. Fassihi also writes that Iran’s Revolutionary Guard is using social media to identify and track dissidents online and in some cases confront them in person to squash dissent.

In order to understand new media and the social web, Tehran relies on the work of the Research Center of Islamic Republic of Iran Broadcasting (RCIRIB). The director of the IRIB is personally appointed by the Supreme Leader and representatives from Iran’s Judiciary, Parliament, and the office of the President oversee its operation. If you visit the RCIRIB website, you’ll see that there’s an English version. Don’t bother clicking that button because if you do all you’ll see are carefully selected articles like “I am Canadian: National identity in beer commercials.” Instead, just run the URL through an online translator, head over to this link and you’ll find several papers exploring “social capital” and many other research topics of actual interest to the Iranian government.

The real surprise for me was when I learned of the RCIRIB’s connection to Russian organized crime. Tehran has learned at least one thing about “social capital”: that its websites are vulnerable to DDoS attacks. A connection to an RBN server is going to help them avoid that problem, according to what EmergingThreats.net RBN researcher James McQuaid has told me in a recent e-mail exchange:

The Iranians turned to either the Russian government or organized crime for assistance because their servers are facing DDOS and DNS flood attacks from Iranian activists.  Such attacks are organized quite easily using simple tools that require no technical expertise on the part of the hacktivist (as occurred in the latter half of the Russia-Georgia War).  The Register reported on these events on June 22nd:

“Rather than using simple code, with automated viral botnets and the like, these efforts are largely being driven by hand. There are a number of simple scripts going around that can be downloaded and which continually reload the target Web sites in a browser window,” said Jim Cowie, CTO of security tools firm Renesys.

Consequent to the request, the RBN has configured at least two of their servers to provide name server resolution from www.crspa.ir (the CNAME forward entry on the RBN servers) to crspa.ir (a CNAME entry on the Iranian server which is an alias for www.rcirib.ir). This allows for the resolution of the www.rcirib.ir web site during periods when its name servers (ns1.rcirib.ir and ns2.rcirib.ir) are unable to respond due to attacks by Iranian hacktivists. Both the rcirib.ir and crspa.ir domains are owned by The Research Center of Islamic Republic of Iran Broadcasting, which gathers intelligence on dissenters from the Internet on behalf of the crackdown.

As recently as April, the crspa.ir domain had its own name server (which is no longer in existence), but was probably on the same machine as ns1.rcirib.ir. The RBN are skilled at DNS tactics (revolving DNS, flux, etc.), and it will be interesting to see how they respond should their servers become engaged by the Iranian hacktivists.
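Walking a CNAME chain like the one described in the e-mail above and listing which zones’ name servers the final answer depends on is how an analyst maps this kind of hidden infrastructure dependency. This is an added example, not code from the post or from the researchers it quotes; the record set is constructed from the names in the e-mail, and the third-party name-server names are placeholders.

```python
"""Offline CNAME-chain walker that lists every zone (and its name servers) a
hostname's final answer depends on.  All records below are constructed."""
from typing import Dict, List, Tuple

# Owner name -> (type, rdata), modelling the chain the quoted e-mail describes.
RECORDS: Dict[str, List[Tuple[str, str]]] = {
    "www.crspa.ir":  [("CNAME", "crspa.ir")],
    "crspa.ir":      [("CNAME", "www.rcirib.ir")],  # apex CNAME, as the e-mail describes it
    "www.rcirib.ir": [("A", "192.0.2.10")],         # RFC 5737 documentation address
    "loop.example":  [("CNAME", "loop2.example")],  # constructed loop for the error path
    "loop2.example": [("CNAME", "loop.example")],
}
# Zone -> name servers.  Kept apart from RECORDS because a CNAME may not share an
# owner name with the NS/SOA records a zone apex carries.  Third-party names are placeholders.
DELEGATIONS: Dict[str, List[str]] = {
    "crspa.ir":  ["ns1.third-party.example", "ns2.third-party.example"],
    "rcirib.ir": ["ns1.rcirib.ir", "ns2.rcirib.ir"],  # the servers named on the page
}
MAX_CHAIN = 8  # real resolvers cap CNAME chasing; so do we

def enclosing_zone(name: str) -> str:
    """Closest delegated ancestor of `name` (or `name` itself); '' if none is known."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DELEGATIONS:
            return candidate
    return ""

def walk_chain(name: str) -> Tuple[List[str], List[str], str]:
    """Follow CNAMEs from `name`; return (chain, A addresses, error)."""
    chain, seen = [name], {name}
    while len(chain) <= MAX_CHAIN:
        rrs = RECORDS.get(chain[-1], [])
        addrs = [rd for rt, rd in rrs if rt == "A"]
        if addrs:
            return chain, addrs, ""
        targets = [rd for rt, rd in rrs if rt == "CNAME"]
        if not targets:
            return chain, [], "no data"
        if targets[0] in seen:
            return chain, [], "CNAME loop"
        seen.add(targets[0])
        chain.append(targets[0])
    return chain, [], "chain too long"

def dependencies(name: str) -> Dict[str, List[str]]:
    """Zones the chain crosses, each with its NS set; all of them must answer."""
    chain, _, _ = walk_chain(name)
    return {z: DELEGATIONS[z] for z in (enclosing_zone(n) for n in chain) if z}
```

Two zones in the result means the site’s reachability rests on two separate name-server operators, which is exactly the relationship the e-mail is pointing at.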

For those of you who believe that the RBN vanished in November, 2007, it didn’t. It went dark shortly after a meeting between agents of the FBI and FSB occurred in Moscow. It remains a key part of the Kremlin’s Information Warfare strategy by providing the infrastructure for non-state actors to engage opposition groups in various cyber operations ranging from espionage to network attacks. However, this is the first time that I have seen it used to support an allied regime. Kudos to Jim and his fellow researchers for their ongoing work in tracking them.

UPDATE: The RBN is supporting two domains assigned to the IRIB (courtesy Secure Home Networks):


RBN Connection to Ingushetia DDoS Attacks Provides Insight Into How the RF Conducts Cyber Warfare

Last Updated on Monday, 31 August 2009 01:08 Written by Jeffreycarr Monday, 31 August 2009 01:08

Ingushetia has been a hotbed of regional violence for years (see this BBC report for an overview). The most recent flare-up of violence has been covered by Russia Today, Caucasian Knot, and UPI.

This week’s issue of IntelFusion: FLASH Traffic discloses evidence of RBN involvement in the DDoS attacks occurring presently in the region and expanding to include domains in Finland, Denmark, Australia and a sensitive DoD Website in the U.S.

The key takeaway from this important briefing is that it provides evidence of a cyber attack model that we are seeing used more and more frequently.

  1. The Kremlin, with the help of the FSB, targets opposition Web sites for attack.
  2. Attack orders are passed down through political channels to Russian youth organizations whose members initiate the attack, which gains further momentum through crowd-sourcing.
  3. Russian organized crime provides its international platform of servers from which these attacks are launched, which in some cases are servers hosted by badware providers in the U.S.

For DoD planners and policy makers, an awareness of this model should trigger a re-evaluation of the approach that is taken in our cyber security strategy. U.S. companies who sell hosting services to spammers, pornographers, and carders MUST be held accountable when those same servers become attack platforms in geopolitical conflicts.

—————

For a sample weekly brief and rate sheet for an IntelFusion: FLASH Traffic subscription, contact me from your work email address.

