Russia's Cybercriminals and Spies Are Officially in Cahoots

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Sublime Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

We've long known that Russian cybercriminals have worked to advance Russian state interests, but the details of the relationship between these criminals and the state have been hard to pin down concretely.
Last week, however, the US Department of Justice (DoJ) used an indictment to tie the Russian cybercriminals behind the DanaBot malware to a second variant of the malware. Rather than stealing bank account credentials or cryptocurrency, the second variant was designed to conduct espionage for the Russian state.
The DoJ's criminal complaint and indictment accuse 16 defendants of developing and deploying the DanaBot botnet and infostealer.
The charges were laid on the same day as an international operation disrupted the botnet. The takedown is covered in further detail at Risky Bulletin.
The DoJ describes DanaBot as "multi-featured":
It could be used to steal data from victim computers, and to hijack banking sessions, steal device information, user browsing histories, stored account credentials, and virtual currency wallet information.
DanaBot also had the capability to provide full remote access to victim computers, to record keystrokes, and record videos showing the activity of users on victim computers.
The original criminal variant was offered as a service on Russian cybercrime forums for several thousand dollars per month. The DoJ believes DanaBot has infected over 300,000 computers globally and caused damage exceeding USD$50 million.
But the espionage variant, according to the DoJ, "was allegedly used to target diplomats, law enforcement personnel, and members of the military in North America, and Europe". These are all standard state espionage targets.
This espionage variant was not simply DanaBot with different targeting. It used different infrastructure and architecture and recorded all user interactions with infected computers, something that required manual activation in the criminal variant.
Previous Russian cybercriminal and state interaction has appeared opportunistic and based on personal relationships. This feels a lot more formal, with DanaBot's administrators carrying out ongoing work to meet state requirements.
The indictment doesn't delve into the exact nature of the relationship between DanaBot's developers and intelligence services. It does, however, fill in some blanks in the criminal-state nexus. And it suggests that intelligence agencies were instructing criminals to create tailored systems going at least as far back as 2021. That was when the espionage variant appeared, a full year before Russia’s invasion of Ukraine.
That's consistent with other information we have. CrowdStrike says that in March 2022, just weeks after Russia's invasion began, DanaBot was used in distributed denial-of-service (DDoS) attacks targeting Ukraine's Ministry of Defence and its National Security and Defense Council. That makes more sense if DanaBot's operators were already working with Russian interests.
Last year we examined how Russia's use of cybercriminals appeared increasingly "planned and deliberate", and we suggested it was motivated by the need to support its war effort. The DanaBot indictment suggests that the Russian state's co-opting of its cybercriminal workforce started in earnest far earlier.
The lines connecting the Russian state and its cybercriminals were once dotted and deniable. Now, it seems, they are direct and explicit.
A One-Stop-Shop for Everyone's Private Data
The Office of the Director of National Intelligence (ODNI) is working on a "one stop shop" for US intelligence agencies to buy sensitive, commercially acquired data.
Reporting from The Intercept focuses on the potential for privacy and civil liberties violations. While we agree that there are always concerns when sensitive information is involved, we actually think this move will be a net positive.
The ODNI is looking to create an "Intelligence Community Data Consortium", which will act as a portal for commercially acquired information or CAI. Per The Intercept:
Rather than each agency purchasing CAI individually, as has been the case until now, the "Intelligence Community Data Consortium" will provide a single convenient web-based storefront for searching and accessing this data, along with a "data marketplace" for purchasing "the best data at the best price," faster than ever before, according to the documents. It will be designed for the 18 different federal agencies and offices that make up the US intelligence community, including the National Security Agency, CIA, FBI Intelligence Branch, and Homeland Security's Office of Intelligence and Analysis — though one document suggests the portal will also be used by agencies not directly related to intelligence or defense.
Back in 2023 we covered an ODNI report into the US intelligence community's (IC) then-use of CAI. That report recognised that CAI could be misused and it found that the IC didn't have robust and consistent policies in place to protect citizens' privacy and civil liberties.
While the report provided some examples of how intelligence agencies were using CAI, it didn't find any actual privacy or civil liberty violations. And the uses it provided as examples were entirely justifiable in our view. Still, there was no centralised register or oversight of how CAI was being used in the IC. Each agency was limited only by its own internal policy, so the report couldn't rule out the possibility of violations.
The ODNI subsequently issued an IC-wide policy framework in 2024. That policy says that CAI should only be used when it is necessary and that protection of privacy and civil liberties should be "integral considerations". It also defines higher risk "sensitive CAI" that needs enhanced safeguards and protections, periodic review and reassessment, and regular public reports about how the IC uses sensitive CAI.
Given that a policy framework is now in place, it makes sense that the "solutions solicitation" document The Intercept cites only mentions privacy and civil liberty considerations in passing. Instead it focusses on the procurement problem at hand:
The IC's fragmented and decentralized acquisition model for Commercially Available Information (CAI) has resulted in siloed acquisitions of commercial data and platform licenses, duplicative purchases where vendors are often selling the same or similar data to many IC customers, bulk data ingest and replication, and limited data sharing. Efforts to partially improve this approach have resulted in exorbitantly priced enterprise contracts for commercial platform licenses that are rarely used. In addition, the phenomenon of vendors reselling the same or similar data while implementing unique techniques to aggregate data makes it difficult for the IC to determine the differentiated value offered by each vendor. The Sponsor seeks an approach based on repeatable data management plus civil liberties and privacy best practices to help streamline access to CAI for the entire IC and make it available to mission users in a more cohesive, efficient, and cost-effective manner by avoiding duplicative purchases, preventing sunk costs from unused licenses, and reducing overall data storage and compute costs.
Given that policy exists, that sounds fair enough to us.
One concern, of course, is that the Trump administration's behaviour to-date does not exactly give us the warm and fuzzies when it comes to oversight.
However, the IC is made up of massive bureaucracies that are, on the whole, conditioned to follow policy. There is also a long history of congressional oversight of the intelligence community.
While there are reasons for concern, we remain optimistic that centralising CAI procurement will make it easier to ensure that privacy and civil liberties violations don't occur.
Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Operation Endgame is kicking goals: The international law enforcement operation has announced it has disrupted a variety of initial access malware strains including Bumblebee, Latrodectus, Qakbot, Hijackloader, Trickbot, Warmcookie and DanaBot. Initial access malware, as the name suggests, is used to infiltrate systems. By disrupting entry pathways, Endgame hopes to damage the entire cybercrime ecosystem.
- Official AI data security guidelines released: Cyber security authorities from Australia, the UK and the US have released a document that provides "a brief overview of the AI system lifecycle and general best practices to secure data used during the development, testing, and operation of AI-based systems".
- 270 dark web arrests: Europol announced that an international sweep known as Operation RapTor had resulted in the arrests of 270 dark web vendors and buyers across ten countries. It says the suspects were identified based on intelligence gathered from the takedowns of the dark web marketplaces Nemesis, Tor2Door, Bohemia and Kingdom Markets. In addition to arrests, police seized over €184 million in cash and cryptocurrencies, over 2 tonnes of drugs and more than 180 firearms.
Sponsor Section
In this Risky Business News sponsor interview, Catalin Cimpanu talks with Bobby Filar, Head of Machine Learning at Sublime Security. Bobby takes us through the rising problem of spam bombing, or email bombing, a technique threat actors are increasingly using for initial access into corporate environments.
Shorts
Oversight Firings Illegal, Says Judge
President Trump's removals of two Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) have been ruled unlawful by a US judge, reports The Record. That's good news for the board, but probably won't help restore European governments' faith in the robustness of the transatlantic data sharing and privacy framework.
We discussed why the PCLOB is important for transatlantic data flows last month and Lawfare has a good overview of the board's history until January this year.
The firings raised fears that the Trump administration might not be fully committed to ensuring the privacy guarantees previous administrations had signed up to. The judge's ruling is good news and it should restore a quorum to the board so that it can continue its work.
The White House, though, is signalling it will appeal the decision. Spokesperson Harrison Fields told The Record the Trump administration "looks forward to ultimate victory on the issue".
That will do nothing to reassure European governments that the transatlantic data privacy protections are being rigorously overseen.
Signal Says No to Windows Recall
Signal has announced a new feature called Screen Security that will prevent Windows Recall from automatically taking and storing screenshots of chats.
Recall takes screenshots every few seconds to create a kind of photographic memory to help a user to find information that they've otherwise lost somewhere on their computer. It will eventually be broadly available on Windows 11 and will be opt-in.
What we like here is that Signal is treating privacy and security holistically and considering what is going on with the underlying computing platform. Having a perfect digital memory about what you've done and seen on your computer will be useful for a lot of people, but they (and their friends) probably don't want temporary Signal messages being stored forever.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about cyber's 'hard problems' and why they are intractable.
Or watch it on YouTube!
From Risky Bulletin:
Dutch intelligence agencies discover a new Russian APT: Dutch intelligence agencies have uncovered a new Russian cyber-espionage group while investigating a security breach of the Dutch police last September.
The new group is tracked as Laundry Bear by Dutch intelligence services AIVD and MIVD and Void Blizzard by Microsoft, which aided in the Dutch investigation.
Among the panoply of Russian APTs, the group appears to be a new cluster that was formed and started operations in mid-2024.
[more on Risky Bulletin]
SVG use for phishing explodes in 2025: Over the course of the past six months, the SVG image format has become a favorite method of hiding and delivering malicious code for email phishing campaigns.
More than a dozen cybersecurity firms have now noted the rise in SVG payloads in their email security detections: AhnLab, Cloudflare, Forcepoint, Intezer, Kaspersky, Keep Aware, KnowBe4, Mimecast, Sophos, Sublime Security, Trustwave, and VIPRE.
In its Q1 2025 trends report, Sublime Security says SVG payloads now account for 1% of all phishing attempts the company sees.
[more on Risky Bulletin]
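As an added illustration of what those email security vendors are detecting, here is a small Python scanner for the active content that makes an SVG attachment dangerous. This is example code written for this page, not code from Risky Bulletin or from any of the vendors named above; the three sample files are constructed for the example, and the particular elements, attributes and JavaScript tokens it treats as suspicious are this example's own choices rather than a published detection signature.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample attachments for this example; none is a real phishing lure.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <circle cx="8" cy="8" r="6" fill="#1f77b4"/>
</svg>"""

SCRIPT_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">window.location="https://example.test/login";</script>
</svg>"""

HANDLER_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="location.href=atob('aHR0cHM6Ly9leGFtcGxlLnRlc3Q=')">
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">Open document</text></a>
  <foreignObject width="200" height="50"><div xmlns="http://www.w3.org/1999/xhtml">x</div></foreignObject>
</svg>"""

# Elements that let an SVG run code or embed arbitrary HTML (example's own list).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes that carry a URL and so may smuggle a javascript: or HTML data: scheme.
URL_ATTRIBUTES = {"href", "src", "action", "formaction"}
# Tokens typical of obfuscated redirect code in SVG scripts and event handlers.
JS_INDICATORS = ("atob(", "eval(", "fromCharCode", "location")
DANGEROUS_SCHEME = re.compile(
    r"^\s*(?:javascript\s*:|vbscript\s*:|data\s*:\s*text/html)", re.IGNORECASE
)


def _local(name: str) -> str:
    """Strip a namespace prefix such as {http://www.w3.org/2000/svg} from a tag or attribute."""
    return name.rsplit("}", 1)[-1]


def _js_indicators(code: str) -> list[str]:
    return [f"uses {token!r}" for token in JS_INDICATORS if token in code]


def scan_svg(data: str) -> list[str]:
    """Return human-readable findings; an empty list means no active content was found.

    The stdlib parser is used here so the example runs without dependencies; a
    production scanner should parse with defusedxml so that a hostile attachment
    cannot hit the scanner itself with entity-expansion attacks.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself a signal: mail clients may still render it leniently.
        return [f"unparseable XML ({exc})"]

    findings: list[str] = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
            if tag == "script":
                findings += [f"script body {hit}" for hit in _js_indicators(el.text or "")]
        for raw_attr, value in el.attrib.items():
            attr = _local(raw_attr)
            if attr.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"{attr} event handler on <{tag}>")
                findings += [f"{attr} handler {hit}" for hit in _js_indicators(value)]
            elif attr in URL_ATTRIBUTES and DANGEROUS_SCHEME.match(value):
                findings.append(f"dangerous URI scheme in {attr} on <{tag}>: {value[:40]}")
    return findings


def verdict(data: str) -> str:
    """Policy decision for a mail gateway: block any SVG with active content."""
    return "block" if scan_svg(data) else "allow"


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG)):
        print(f"{label}: {verdict(sample)} {scan_svg(sample)}")
```

The reason this content matters is that an SVG opened directly in a browser is treated as a full document, so inline scripts, event handlers and javascript: links all execute, whereas an SVG rendered through an image tag does not run script. A gateway rule of "any SVG with active content is blocked" is therefore cheap and has a low false-positive rate, because legitimate icons and logos are static drawings.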