This summer, news appeared on the Web about a “Russian trail” in the hacker attack on the servers of the US Democratic Party. The attack was successful, and in its course gigabytes of data were leaked online: personal correspondence, internal party documents, data on party members and much more. After the incident was investigated, it became clear that the hackers had had access to the party’s network for a year. The US Director of National Intelligence, James Clapper, even said that behind the attack were hackers working in the interests of foreign countries (mainly implying Russia and China).
But that is all a digression. As it turned out recently, the “Russian trace” in the attacks on the US Democratic Party in Illinois was not so pronounced, and one of the main arguments in favor of the “trace” was the attackers' use of our servers. We are a Russian company, and apparently the Americans decided that if the attackers used our servers, they must also be from Russia.
As far as we know, the attackers did not work only with our servers, but the media's attention was drawn to the fact that a Russian company was involved in the attack. The most interesting thing is that until September 15 we received no complaints or inquiries about the servers used by the cybercriminals. No one made any attempt to seize the servers, or even to contact us. After we learned about the problem, the servers were immediately disconnected from the network.
We conducted a thorough investigation. An analysis of our internal data allows us to say that the Russian special services are in no way involved in the attack (or else the intelligence officers disguised themselves well). The fact is that we still have all the access logs for the server management admin panel, even after the cleanup of the software used by the hackers. We analyzed the logs and obtained a list of about 10 different IP addresses used by the attackers. None of these IPs is Russian.
“The servers had been running since May 2016, that is, for a few months. Today, after the article, they were disabled. We did not receive any complaints during this time, and there were no requests from the Netherlands police. The authorization logs show that the logins came from IPs belonging to countries of Scandinavia (Norway, Sweden) and the European Union (Italy); we did not find any IPs of Russian companies,” says Vladimir Fomenko, head of King Servers.
In addition, the attackers wrote to our customer support in broken English. For “Russian intelligence officers”, that would be rather strange behavior. Moreover, those who rented our servers still owe $290 for server rental. We think the logical step would be to send the bill to the president of the country that has been declared guilty of the attack :)
Payment for the servers was made using a semi-anonymous payment system that is fairly well known in Russia. In Russia, it is known for its cooperation with US security agencies. Both servers leased by the attackers were most likely controlled by one person: the login IP is the same on both servers at the time of login. This person (or team) does not know English very well, as their support tickets show. In addition, during registration this person used the nickname Robin Good (and not Hood).
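The correlation described above (the same source IP logging in to both servers at about the same time) can be sketched as follows. This is an added example, not King Servers' tooling; the log format, server and account names, the 30-minute window and the sample lines (documentation-range IPs) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (assumed format): timestamp, server, account, source IP.
SAMPLE_LOG = """\
2016-05-10T08:01:12 srv-A acct1 192.0.2.10
2016-05-10T08:03:40 srv-B acct2 192.0.2.10
2016-06-02T19:22:05 srv-A acct1 198.51.100.7
2016-06-02T19:30:51 srv-B acct2 198.51.100.7
2016-06-20T11:00:00 srv-A acct1 203.0.113.5
2016-07-01T23:15:00 srv-B acct2 203.0.113.99
not a log line
"""

def parse(text):
    """Yield (time, server, ip) for well-formed lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[3]

def shared_logins(text, window=timedelta(minutes=30)):
    """Map each IP to login pairs on different servers made within `window`."""
    by_ip = defaultdict(list)
    for ts, server, ip in parse(text):
        by_ip[ip].append((ts, server))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        pairs = [(s1, t1, s2, t2)
                 for i, (t1, s1) in enumerate(events)
                 for t2, s2 in events[i + 1:]
                 if s1 != s2 and t2 - t1 <= window]
        if pairs:
            hits[ip] = pairs
    return hits

def distinct_ips(text):
    """All distinct source IPs: the list an investigator would then geolocate."""
    return sorted({ip for _, _, ip in parse(text)})

if __name__ == "__main__":
    print(sorted(shared_logins(SAMPLE_LOG)), distinct_ips(SAMPLE_LOG))
```

A shared IP links the two accounts only as strongly as the IP identifies one operator; VPN or proxy exit addresses weaken that inference.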
Now we have all the investigation materials, copies of servers and log files, plus correspondence. If necessary, we can provide this data to law enforcement agencies and the media in accordance with the law.
We would like to emphasize that we consider it our duty to convey this information to the public, and we give special thanks to the press service of ChronoPay, who kindly agreed to assist in this matter.