The Russian Business Network

In 2006 the Russian Business Network pivoted its business: the once legitimate ISP became a ‘bullet-proof’ hosting service, catering to the needs of cybercriminals. It quickly became the largest player in the Russian cybercrime landscape, with ~60% of all cybercrime activity related to Russia connected to it in some way. Following the Russian government’s years-old tradition of collaborating with organized crime, it’s no wonder that the Russian Business Network quickly became Putin’s informal cyber attack arm.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

The Russian Business Network

After the fall of the Soviet Union in 1991, most of Russia’s technology sector was in shambles, suffering from a severe lack of funds and infrastructure. Many of the people who were able to do so fled the country in the hope of a better future. While the West experienced a dot-com boom, Russia was still back in the dark ages, so to speak. In this vacuum, a group of former KGB operatives took the initiative and started an ISP – Internet Service Provider – based in St. Petersburg, called the ‘Russian Business Network’ – RBN, for short. As far as we can tell, RBN was a legitimate service provider, not much different from other ISPs you might be familiar with, such as Verizon or AT&T.

But it didn’t stay like that for long. 


It took some time, but in the late 1990s the Russian state started to sponsor technological initiatives to bootstrap the development of its High Tech industry and try to catch up with the rest of the world. The government began to invest in the private sector, and encouraged more and more technology companies to expand overseas. For that reason, in 2007 it established a new State Corporation called Rostekhnologii (literally, ‘Russian Technologies’) – later renamed Rostec – and transferred some 450 struggling high-tech companies to its ownership. Rostec orchestrated the reforms needed to enable the ailing companies’ growth.

The Russian government had another, more secretive, reason for establishing Rostec. In a directive published in November 2007, President Putin ordered the Russian Federation to engage in “technical intelligence gathering” and revealed his expectations for mutual collaboration between private and state organizations.

What kind of ‘mutual collaborations’? Yevgeniy Primakov, former Prime Minister of Russia and a former director of the Foreign Intelligence Service, provided further clarity when he noted that Rostec is: 

“A serious mechanism, which brings together achievements of the defense industry and feeds the civilian sector… When the entire industry was state-owned, information from technical intelligence was given to all, but now one needs a body that would give it also to private enterprises.”

In other words, Rostec’s unofficial goal was to help local high-tech companies benefit from the Russian military’s cyber industrial espionage. 

And Russia had yet another, even more nefarious, goal. When asked by NBC News about the reasons that led to Russia’s embracing of cybercriminal activities, Mike McFaul, the former U.S. ambassador to Russia, said: 

“For years now, the Kremlin has looked for ways to disrupt democracies, to help the people that they like to come to power and to undermine the credibility of the democratic process”.

Surprisingly, the Kremlin does not deny its intentions. Anatoly Serdyukov, Russia’s Minister of Defense, explained in a 2011 speech the Russian government’s goal in what’s known as the “Information Confrontation”:

“…the confrontation between two or more states in the information space, with the purpose of inflicting damage to information systems, processes and resources, critical and other structures. Undermining the political, economic and social systems, a massive psychological manipulation of the population to destabilize the state and society, as well as coercing the state to take decisions for the benefit of the opposition.”

Since Rostec was trying to be perceived by Western companies as a legitimate business partner, using its resources for such obviously criminal activities would probably have been too risky – as was demonstrated in 2014, when the Obama administration sanctioned Rostec for its involvement in the Russian annexation of Crimea. The Russian government, then, turned to another ‘resource’ it had under its belt: cybercriminals. 

A 400-Year History

The connection between the Russian government and organized crime isn’t something new. The U.S. Department of Justice described this strong affiliation in a report published in 2001. Quote:

“Organized crime is deeply rooted in the 400-year history of Russia’s peculiar administrative bureaucracy, but it was especially shaped into its current form during the seven decades of Soviet hegemony that ended in 1991 […] Contemporary Russian organized crime grew out of the Soviet “nomenklatura” system (the government’s organizational structure and high-level officials), in which some individual “apparatchiks” (government bureaucrats) developed mutually beneficial personal relationships with the thieves’ world. These sorts of relationships provided the original nexus between organized crime and the government. From these beginnings, organized crime in Russia evolved to its present ambiguous position of being both in direct collaboration with the state and, at the same time, in conflict with it.”

This 400-year-old relationship grew even stronger in the age of the Internet. In a report by the Carnegie Endowment for International Peace, an international think tank, cybercrime expert Misha Glenny wrote, quote:

“Russian law enforcement and the FSB in particular, have a very good idea of what is going on [in organized crime] and they are monitoring it, but as long as the fraud is restricted to other parts of the world – they don’t care”.

In 2006 the Russian Business Network pivoted its business: the once legitimate ISP became what’s known as a ‘bullet-proof hosting service’: a web hosting provider catering to the needs of cybercriminals. David Bizeul, Chief Scientific Officer at Sekoia.io, a cybersecurity SaaS company, described RBN’s new business model: 

“RBN offers a complete infrastructure to achieve malicious activities. It’s a cybercrime service provider. Whatever the activity is: phishing, malware hosting, gambling, child pornography… RBN will offer a convenient solution to fulfill it.”

RBN’s services included, for example, email servers for sending malicious spam, web servers for hosting the fake phishing websites that the links in these emails point to, and drop sites for the documents and other data stolen as a result of these phishing attacks.

One of the outfit’s strongest selling points was its reliability: for a fee of some $200 an hour, a botnet operator could count on RBN checking his network of bots every five minutes, making sure that it was fully operational. If someone filed a complaint to RBN about a malicious service or a website hosted on its servers, RBN would take it down – only to re-enable it the next day.

Within a few short months, the Russian Business Network became the largest player in the Russian cybercrime landscape: according to some estimates, roughly 60% of all cybercrime activity related to Russia was connected to it in some way. Security journalist Brian Krebs wrote in 2007 that, quote:

“Nearly every major advancement in computer viruses or worms over the past two years has emanated from or sent stolen consumer data back to servers at RBN, including such notable pieces of malware as Gozi, Grab, Haxdoor, Metaphisher, Mpack, Ordergun, Pinch, Rustock, Snatch, Torpig, and URsnif.”

The Estonia Attack

Knowing what we know about RBN’s dominance in the Russian cyber-underground, and the Russian government’s years-old tradition of collaborating with organized crime, it’s no wonder that the Russian Business Network quickly became Putin’s informal cyber attack arm.

RBN’s earliest known cyber activity relating to the Kremlin dates to 2007. Estonia, a former member of the Soviet Union, decided to relocate a memorial statue dedicated to the Russian soldiers who liberated Estonia from the Nazi occupation in World War II, from its place in the center of Tallinn, the capital, to a remote cemetery on the outskirts of the city. When the decision about the statue’s relocation was made public, a series of violent demonstrations broke out in the streets of Tallinn, carried out by Estonian citizens of Russian descent. The Russian public, too, was furious about what was perceived to be an unforgivable insult to the memory of fallen Soviet soldiers who gave their lives for the liberation of Estonia.

Soon after, dozens of major Estonian websites – from newspapers and banks to government services – fell victim to massive DDoS attacks that went on for no less than three weeks, reaching their peak on May 9th, the official Russian holiday known as ‘Victory Day’, commemorating Russia’s victory over Nazi Germany. We discussed the attack on Estonia in more detail in episode 4 of Malicious Life, called “Big Cannons.”

Moscow denied any connection to those attacks, claiming that they were carried out by private citizens in response to Estonia’s insult. It was pretty evident, though, that someone in the Russian government took care to orchestrate all of the operations. As security vendor Sophos noted on its blog:

“Fully prepared tools and instructions on how to participate in DDoS attacks appeared on Russian forums almost immediately after the moving of the statue. These attacks targeted websites belonging to the President, Parliament, police, political parties, and major media outlets… Everyone immediately implicated Russia, but attributing distributed denial of service attacks is near impossible, by design. It is now widely believed these DDoS attacks were the work of the Russian Business Network (RBN), a notorious organized crime group in Russia with ties to spamming, botnets and pharmaceutical affiliate schemes. Their services appear to have been “procured” for precisely a week to conduct these attacks”.

Flyman

What do we know about the Russian Business Network and the people behind it? Not much, sadly. Despite its name, it is not registered as a company in Russia and has no legal identity. It also doesn’t have an official website of its own: the only way for a criminal to purchase its services is to contact RBN’s operators via instant-messaging applications or Russian-language online forums. We don’t even know if it’s a hierarchical organization or a loosely affiliated band of similar, smaller groups. Dancho Danchev, an independent analyst, said of RBN –

“What is the RBN at the bottom line? A diversified set of IP blocks located at different parts of the world, who periodically appear within the deobfuscated javascripts of the sites who got IFRAME-ed and were found to serve malware by exploiting outdated browser vulnerabilities.”

All of RBN’s executives are known only by their nicknames, including the man who is supposedly the organization’s leader: Flyman. 

The FBI and similar organizations have been trying to get their hands on Flyman for years: it is believed that he is the one responsible for RBN’s 2006 pivot from a legitimate ISP to a crime outfit. Yet even after more than 15 years, the mysterious ring leader is still at large. Why? We can glean the answer from the following story, taken from “Fatal System Error”, a 2010 book by Joseph Menn, a cybersecurity journalist. Menn tells the story of a British investigator named Andy Crocker, who traveled to Russia to investigate the RBN and met there with Igor Yakovlev, a colonel in the Russian Ministry of Internal Affairs. 

Crocker told Menn that the two of them went to a small town called Balakovo, where they met with a member of the RBN who shared with them some information about the botnet he was using for DDoS attacks, and the thousands of dollars he was making in extortion. When Crocker tried to find out more information about Flyman, he didn’t manage to get very far, because local authorities, quote –

“Instructed the MVD (Ministry of Internal Affairs) not to cooperate [with me] during my trip to that country, informing the agency that I was ‘probably’ a spy. Inside the hotels where I stayed, muscled security guards kept track of whom I met and spoke into wireless mouthpieces when I moved.”

He learned that a senior MVD investigator who tried to arrest Flyman in 2006 – 

“Met forceful, official resistance. Flyman’s father is an influential St. Petersburg politician who used his leverage and money to persuade law enforcement authorities to prevent do-gooders from pursuing the case. […] Flyman is a very rare type, in that he has both mafia protection and political protection at a very strong level.”


But ironically, as is often the case in criminal matters, RBN’s success soon became a liability, as it started to draw more and more public attention: first from independent security researchers such as Dancho Danchev, and then from major publications such as the British Guardian. Wired magazine spoke via email with an individual who went by the name Tim Jaret and identified as working in RBN’s abuse department. Jaret was apparently shocked – shocked, I tell you! – to learn about the criticism against his organization.

“We can’t understand on which basis these organizations have such an opinion about our company. We can say that this is a subjective opinion based on these organizations’ guesswork.”

Jaret also revealed that RBN was owned by an offshore company called First Connect Telecom Limited – although that company’s principals preferred, somewhat unsurprisingly, to remain anonymous as well. 

The media’s reports spurred the FBI to pressure its Russian counterpart, the FSB, to shut down RBN’s operations – but what did the job, apparently, was a decision by Tiscali, RBN’s biggest upstream network provider, to refuse to route internet traffic for RBN, followed by a similar decision by another major provider.

RBN’s executives realized that the tide was turning against them, and on November 4th, 2007, almost all of RBN’s network went dark. Almost all of its malicious websites, providing identity theft, denial of service and similar services – vanished. There were signs that RBN was moving its infrastructure to China, yet a few weeks later it disappeared from there as well. RBN was defeated. 

Or so it seemed.

Red October

In 2008, tensions between Russia and Georgia – another former Soviet state – began to escalate. This time, the conflict’s focal point was the province of South Ossetia, which both sides claimed ownership of. Mikheil Saakashvili, the Georgian president, launched a large-scale military offensive and managed to recapture most of the capital of the region, but the Russians responded with a ground and naval assault of their own, which also included a series of large-scale cyberattacks. From a Sophos news article –

“On July 19, 2008, a new wave of DDoS attacks began targeting news and government websites in Georgia. These attacks mysteriously intensified dramatically on August 8, 2008, as Russian troops invaded the separatist province of South Ossetia. Initially they targeted Georgian news and government sites before moving on to include financial institutions, businesses, education, Western media, and a Georgian hacker website. Like the earlier attacks on Estonia, a website appeared featuring a list of targets as well as a set of tools with instructions for using them. This ruse also attempted to attribute the attacks to “patriots” defending against Georgian aggression, yet most of the actual attack traffic originated from a known large botnet believed to be controlled by RBN.”

If RBN was behind the cyber attacks against Georgia, then this incident proved what many analysts had suspected from the start: that RBN’s vanishing act was just that – an act. Behind the scenes, RBN was still very much active and working closely with the Russian government.

How closely? Very closely, according to Dr. Andrew F. Krepinevich Jr., president of the Center for Strategic and Budgetary Assessments. Krepinevich wrote in a report titled “Cyber Warfare: A ‘Nuclear Option’?” – 

“The Russian attack on Georgia appears to have been the first-time cyber weapons were integrated at the operational level of war. Just as radio and radar were integrated into operations during World War II to enhance the effectiveness of military forces, cyber weapons appear to have been employed by the Russians to enhance their forces’ effectiveness… The cyber-attacks on Georgia showed the world that cyber weapons can be integrated to the traditional military operations.”

Four years later, in January 2012, we got yet more evidence that RBN was by no means gone: Russian cybersecurity firm Kaspersky reported on a newly discovered cyber espionage campaign named ‘Red October’, which had been operating undetected since 2007.

Its targets were embassies, nuclear research centers, oil and gas institutions and aerospace factories belonging to countries that were former members of the Soviet Union, as well as countries in Central Asia, Western Europe, and North America. The attackers used a rather conventional method – spear-phishing emails with an attached Trojan dropper – to infect classified computer systems, personal mobile devices and network equipment. Tom Goren Bar, a security researcher at Imperva, noted that –

“The potential bounty that can be extracted from such victims is varied both in content and in type: documents and presentations of meeting summaries and strategic plans, database financial records, CRM records, technical blueprints of weapons and infrastructure, sensitive email conversations and more.”

What made “Red October” unique was its sophistication. The malware used in the attack, named “Rocra”, was designed to be highly flexible and multifunctional, targeting a wide range of platforms – and even included what we’d call a “Resurrection Module”. From Kaspersky’s report:

“The module expects a specially crafted document […]. The document may be sent to the victim via email. It will not have an exploit code and will safely pass all security checks. However […] the document will be instantly processed by the module and the module will start a malicious application attached to the document. This trick can be used to regain access to the infected machines in case of unexpected C&C servers shutdown/takeover.”

The researchers that examined “Rocra” noted an interesting find: it seemed that the malware was the “love child” of both Russian and Chinese authors. Specifically, it seemed that the exploits were created by Chinese hackers, while the Russians designed the malware’s modules. As always, there was no definitive proof of this suspicion – but there were several potential clues. For example, there were a few Russian words that appeared in the malware’s code, such as ‘Proga’ – “Program”, in Russian – and ‘Zakladka’, which is a Cold War era Russian espionage slang that refers to a microphone bug embedded in the wall of an embassy. Also, most of Rocra’s C&C servers were located around Germany and Russia. 

Rocra’s potential connection to China hinted at the identity of the malware’s operators. Jeffrey Carr, a cybersecurity researcher and entrepreneur, wrote in his blog that – 

“The developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a ‘t’. I ran 13 IPs listed in Kaspersky’s report against the RBN list […] and found matching IP blocks for five of them… It has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007; and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested.”

The second reason that Jeffrey Carr thinks that the RBN is behind “Rocra” might be even more compelling. 

“According to Kaspersky’s report, the oldest domain name used in the Red October network was registered in November, 2007, and the newest in May, 2012. The November, 2007 date immediately rang a bell in my memory as the date that the Russian Business Network went dark (November 4, 2007) and temporarily moved operations to China.”

Epilogue

A report published in October of 2022 by WhoisXML API, a cybersecurity intelligence company, suggests that the Russian Business Network is still alive and kicking, more than 15 years after it first emerged as a dominant force in the cyber underworld. 

“DNS lookups for the IoCs led to the discovery of 45 IP addresses to which they resolved. These were spread across eight countries topped by the U.S., Germany, China, and the British Virgin Islands… The bulk WHOIS lookup also showed that a majority of the additional domains were created between 2015 and 2022.”

It’s possible that the partnership between the RBN and the Kremlin might be ruinous to Russia in the long run: the 400-year-long history of partnership between the Russian government and organized crime is a testament to how hard it is to shake the disease of corruption and crime once it has managed to burrow its roots into a country’s innermost governmental machinery. When Putin is gone, the Russians will undoubtedly have to face the consequences of this unholy alliance.

But surviving, and maybe even thriving, for so long in the dynamic and highly competitive world of cyber crime is no mean feat: RBN’s long history is a testament to the effectiveness of this partnership between a powerful nation state and a sophisticated crime organization. There’s little doubt that there are other countries out there taking notes and contemplating similar alliances – perhaps countries who have little to lose by such a move. How will the international community deal with such a formidable challenge? We’ll have to wait and see.