US Authorities Indict Danabot Threat Actors


A recently unsealed US federal grand jury indictment and criminal complaint charge 16 defendants who allegedly developed and deployed the DanaBot malware, which was controlled by a Russia-based cybercrime organisation. According to the charging documents, DanaBot infected more than 300,000 computers around the world, facilitated fraud and ransomware, and caused at least USD50 million in damage.

The defendants include Aleksandr Stepanov, 39, a.k.a. JimmBee, and Artem Aleksandrovich Kalinkin, 34, a.k.a. Onix, both of Novosibirsk, Russia. Stepanov was charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorised access to a protected computer to obtain information, unauthorised impairment of a protected computer, wiretapping, and use of an intercepted communication.

Kalinkin was charged with conspiracy to gain unauthorised access to a computer to obtain information, to gain unauthorised access to a computer to defraud, and to commit unauthorised impairment of a protected computer. Both defendants are believed to be in Russia and neither is in custody.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt.

According to the indictment and complaint, DanaBot used a variety of methods to infect victim computers, including spam email messages carrying malicious attachments or hyperlinks. Computers infected with DanaBot became part of a botnet (a network of compromised computers), enabling the operators and users of the botnet to remotely control the infected machines in a coordinated manner. The owners and operators of the victim computers were typically unaware of the infection.

DanaBot allegedly operated on a malware-as-a-service model, with the administrators leasing access to the botnet and its support tools to client co-conspirators for a fee that was typically several thousand dollars a month. The malware was multi-featured, with extensive capabilities for abusing victim computers: it could be used to steal data from them, hijack banking sessions, and exfiltrate device information, browsing histories, stored account credentials, and virtual currency wallet information.

DanaBot also had the capability to provide full remote access to victim computers, to record keystrokes, and record videos showing the activity of users on victim computers. DanaBot has further been used as an initial means of infection for other forms of malware, including ransomware. The DanaBot malware has infected over 300,000 computers around the world, and caused damage estimated to exceed USD50 million.

DanaBot administrators operated a second version of the botnet that was used to target victim computers in military, diplomatic, government, and related entities. This version of the botnet recorded all interactions with the computer and sent stolen data to a different server than the fraud-oriented version of DanaBot. This variant was allegedly used to target diplomats, law enforcement personnel, and members of the military in North America and Europe.

Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, SpyCloud, Team Cymru, and Zscaler provided assistance to the investigation.

“DanaBot is a prolific malware-as-a-service platform in the eCrime ecosystem, and its use by Russian-nexus actors for espionage blurs the lines between Russian eCrime and state-sponsored cyber operations,” said CrowdStrike’s Head of Counter Adversary Operations Adam Meyers. “SCULLY SPIDER operated with apparent impunity from within Russia, enabling disruptive campaigns while avoiding domestic enforcement. Takedowns like this are critical to raising the cost of operations for adversaries. CrowdStrike is proud to support law enforcement with the intelligence and expertise needed to help disrupt these threats.”

CrowdStrike says it supported the takedown by providing threat intelligence, infrastructure analysis and insight into the group’s technical operations.

“Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” said United States Attorney Bill Essayli. “The charges and activities demonstrate our commitment to eradicating the largest threats to global cybersecurity and pursuing the most malicious cyber actors, wherever they are located.”

“The enforcement actions announced today, made possible by enduring law enforcement and industry partnerships across the globe, disrupted a significant cyber threat group, who were profiting from the theft of victim data and the targeting of sensitive networks,” said Special Agent in Charge Kenneth DeChellis of the Department of Defense Office of Inspector General, Defense Criminal Investigative Service, Cyber Field Office. “The DanaBot malware was a clear threat to the Department of Defense and our partners. DCIS will vigorously defend our infrastructure, personnel, and intellectual property.”

“Today’s announcement represents a significant step forward in the FBI’s ongoing efforts to disrupt and dismantle the cyber-criminal ecosystem that wreaks havoc on global digital security,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.

If convicted, Kalinkin would face a statutory maximum sentence of 72 years in federal prison, and Stepanov would face a statutory maximum sentence of five years in federal prison.

As part of the operation, Defense Criminal Investigative Service (DCIS) agents effected seizures and takedowns of DanaBot command and control servers, including dozens of virtual servers hosted in the United States. The US government is now working with partners including the Shadowserver Foundation to notify DanaBot victims and help remediate infections.

These law enforcement actions were taken in conjunction with Operation Endgame, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling and prosecuting cybercriminal organisations around the world.

The investigation into DanaBot was led by the FBI’s Anchorage Field Office and the Defense Criminal Investigative Service, working closely with Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, and the Australian Federal Police. The Justice Department’s Office of International Affairs provided significant assistance.
