back to article Here's 30 servers Russian intelligence uses to fling malware at the West, beams RiskIQ

Details of 30 servers thought to be used by Russia's SVR spy agency (aka APT29) as part of its ongoing campaigns to steal Western intellectual property were made public today by RiskIQ. Russia's Foreign Intelligence Service "is actively serving malware (WellMess, WellMail) previously used in espionage campaigns targeting COVID …

  1. Anonymous Coward
    Anonymous Coward

    Is it too much to hope that they are still using kremvax?

    1. jake Silver badge

      Sadly, kremvax (and it's comrades, moskvax and kgbvax) have passed into the mists of lore and legend. The sagas claim they are still warm and blinkin', waiting for the day that they are needed again. You can still view their memorial at http://kremvax.demos.su/ ...

  2. sean.fr

    if you know the suspect addresses

    Something is not being explained.

    Can just 30 addresses really be a major problem? It should be real easy to block 30 addresses.

    If not blocked by the local ISP, it can be blocked at the ISP outside Russia.

    There are companies that sell real time reputation checking services - both as an ISP service and as a firewall feature.

    It is easy to speak ill of Russia and China and forget the other players. There is no commitment from the USA, Israel, India and the EU to resist the temptation to hack their enemies.

    Lead by example.

    1. jake Silver badge

      Re: if you know the suspect addresses

      Those 30 addresses aren't directly causing the problem(s). Rather, they are being used to exploit tens of millions of compromised machines, which in turn cause the problem(s) being discussed.

      These tens of millions of machines will remain a problem as long as the sheeple of the world are ineducable. Nobody will do anything to secure these compromised machines, as all sides use them.

      Yes, you are correct. ALL countries engage in this kind of crap.

      The only thing "leading by example" will do is remove a tool that the other side will happily continue to exploit. Not that I approve, far from it, but them's the facts.

      1. Danny 2 Silver badge

        Re: if you know the suspect addresses

        "ALL countries engage in this kind of crap."

        Mostly your country though, if Snowden is to believed. You kind of have a huge lead here. Which leads to the question why can't you, or won't, just stamp it out?

        1. gerdesj Silver badge
          Childcatcher

          Re: if you know the suspect addresses

          Jake's a septic as you well know being an ex-pat, "our" (UK) lot are mentioned here:

          "Just for good measure, the GCHQ offshoot also briefed national newspapers in November that they were countering the SVR's continuing efforts to break into British research institutions, hinting they were deploying a form of encryption malware (think ransomware without the ransom) against the Russians."

          No need point fingers Mr Danny 2. I'm sure all Secret Services do all sorts of naughty things. It's what they do.

          What keeps me up at night is that back in the day, Boris (the Russian ones, not our PM) and co had to brush up on how tall Salisbury Cathedral's spire is before flying over here to poison people. With internets, you can bang on the virtual door of any tom, dick and harry, anywhere in the world for day, weeks, months or more until you guess the password and then wreak havoc.

          1. gandalfcn Silver badge

            Re: if you know the suspect addresses

            A septic Septic?

          2. Danny 2 Silver badge

            Re: if you know the suspect addresses

            I agree with your gist but Jakes a pal. I don't agree with him most times but this is a friendly forum. And the rule is forgive and engage

            You don't have to call me Mister Danny 2. Danny is fine. .

        2. gandalfcn Silver badge

          Re: if you know the suspect addresses

          Correct. But Septics stick their fingers in their ears and go lalala

          Bush signed a presidential order in 2002 allowing the NSA to monitor, without a warrant, domestic telephone calls and e-mail messages.

          FISA created the kangaroo courts that currently dole out secret FISA warrants to legalise spying on Americans.

          The PRISM surveillance programme.

          The network of “Fusion” centres.

          Ever heard of Snowden?

          The Patriot Act. The Freedom Act.

          The USPS spies on Americans by monitoring their social media.

          The NSA shares data with the FBI.

          And that is just domestically.

          1. Cliffwilliams44 Bronze badge

            Re: if you know the suspect addresses

            The "Order" was not to monitor the "content" of said phone calls or emails but to monitor the recipients of these communications so see of communications originating with the US to knows terrorist targets outside the US.

            I agree that this is not a legal order as it violates the 4th amendment and we all know that "restricted surveillance operations" like this are fraught with the potential for abuse.

            Also the last 2 Democrat administrations have taken Domestic Spying to new levels never seen in this country before.

        3. Michael Wojcik Silver badge

          Re: if you know the suspect addresses

          Which leads to the question why can't you, or won't, just stamp it out?

          "Can't" is very difficult. The US most certainly does not have the capability to do that without massive collateral damage (sorry, NSA trufans).

          To really understand why you'd need to learn quite a lot about the current state of IT security, but you might start by reading some of the major IT-security blogs and mailing lists such as (just as examples, in no particular order) Full Disclosure, Threatpost, Brian Krebs' blog, Bruce Schneier's blog (or his CRYPTO-GRAM email newsletter), and Graham Cluley's blog. And also some of the more-rigorous research outlets such as Citizen Labs' publications and the research announced in Cambridge's Light Blue Touchpaper blog.

          Or you could just read decent popular treatments such as Greenberg's Sandworm, which is a pretty good piece of investigative reporting. (I'm not usually a fan of Wired's output, but Greenberg does his research.)

          As for "won't" – well, as it happens, a number of people have asked US Federal officials about why the US response to IT attacks has been so inconsistent and generally muted. The answers (when they aren't just the usual waffling bullshit) are pretty consistent: the US government doesn't want to advocate rules in this area that it doesn't want to abide by. Various agencies in the US believe we have good IT offensive capabilities and can develop better ones, so they aren't willing to take, say, attacks on civilian infrastructure (like the Ukraine blackouts perpetrated by Sandworm / Voodoo Bear1) off the table. Those are likely to be very useful in future conflicts.

          As for why the US government doesn't just happily rattle its sabre over these sorts of attacks and then go on to do the same thing ... well, that's a matter of geopolitics and diplomacy. Sometimes not appearing hypocritical is useful. Sometimes not making promises you don't want to keep is useful.

          1Some reports have grouped Sandworm, aka Voodoo Bear, in APT28 (aka Fancy Bear), but there's evidence to suggest this is incorrect; specifically that Fancy Bear and Sandworm / Voodoo Bear are separate GRU units which sometimes both contribute to specific campaigns.

          1. Danny 2 Silver badge

            Re: if you know the suspect addresses

            Ta Michael, that was a very detailed and informative response, If you ever need a safe house then contact me. Horrid flat, barely liveable but survivable.. You won't even meet me because I'm an utter coward.

      2. gandalfcn Silver badge

        Re: if you know the suspect addresses

        You say " ALL countries", which i doubt is anywhere near true as most not only do not have the need or the wherewithal but CBA,

        In the world league the USA is and always has been the leader by far both domestically and globally.

      3. Potemkine! Silver badge

        Re: if you know the suspect addresses

        "ALL countries engage in this kind of crap"

        Then may all countries publish the CoC IP of their fellow counterparts!

        If SVR has the equivalent IPs from the US, UK, or EU, let it publish them, I would welcome the data, and I'll check them the same way I checked the ones provided by RiskIQ.

    2. sanmigueelbeer Silver badge

      Re: if you know the suspect addresses

      It should be real easy to block 30 addresses.

      It is but APT openly use hosted commercial VM.

      1. Doctor Syntax Silver badge

        Re: if you know the suspect addresses

        If the addresses hosting the VMs are blocked then either the operators stop hosting them (probably not an easy decision to make) or the other commercial customers go elsewhere. Maybe they'll turn out to not be very commercial hosting businesses after all.

    3. gandalfcn Silver badge

      Re: if you know the suspect addresses

      "Lead by example." The US does. It's the biggest hacker of all, including domestically.

      1. Mark Exclamation

        Re: if you know the suspect addresses

        You just can't help yourself, can you?

    4. Potemkine! Silver badge

      Re: if you know the suspect addresses

      Lead by example.

      Ha! I've got an Eiffel tower to sell. Interested?

      History shows that morality of individuals and morality of states are unrelated. "Reason of State" is untemporal and occurs everywhere.

  3. a pressbutton

    Why couldnt they just ask politely

    If Russia wanted a bit of help on researching a covid vaccine, pretty sure if they asked politely, someone would help.

  4. gandalfcn Silver badge

    Do we know which servers the USA uses? Or the UK?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021