Patrick Gray
Hi, everyone, and welcome to Seriously Risky Business, the podcast we do here at Risky Biz HQ, which is all about cyber policy and intelligence. My name is Patrick Gray. Before we get started, we'd like to say thanks to the William and Flora Hewlett Foundation for supporting this work, and also to Lawfare Media, who we kind of partner with a little bit on all of this. And of course, this week we have a sponsor as well, which is Sublime Security. And Sublime makes a modern, contemporary email security solution. So I guess it's just like the next iteration of all of that stuff. It's much more adaptable to individual environments. You can crack the hood and make changes to it yourself, which you can't really do with a lot of the enterprise email security gateways. So, yeah, Sublime Security, if you're looking to do mail security or looking to replace some older stuff, definitely check them out. So, Tom Uren, our policy and intelligence editor, joins me now. G'day, Tom.
Tom Uren
G'day, Patrick. How are you?
Patrick Gray
Good, good. And, yeah, we're going to talk through the newsletter that you've written this week, which people can obviously find at Risky Biz. Just click through to the newsletter section and you can subscribe to it there and get it in your inbox once a week. So the first thing we're going to take a look at is, and we mentioned this briefly on the weekly show yesterday, but you've done a more detailed write-up here. We saw a takedown of the, what is it, the Danabot malware and botnet, and a bunch of, you know, indictments being unsealed and criminal complaints and so on and so forth. But there was a really interesting detail in all of this, which is America's Department of Justice is alleging that there were basically two versions of the Danabot malware. There was one that they used to steal money, just doing normal crime stuff. And then there was a second version which used different infrastructure and C2 and all of that, which was clearly designed to conduct espionage on behalf of the Russian state. And basically what you've written here is that we've long talked about that dotted line between the Russian state and cyber criminals, but these days those dots are starting to turn into lines, basically. Yeah.
Tom Uren
What I thought was really interesting about this is that a lot of the stories in the past have been, here's some evidence that certain criminals have done something to help out the state, and it might be, you know, they've searched for particular terms or it looks like they've done some tasking on behalf of the state. And it was never clear whether this is, like, flows from the state, "you do this" and then it goes back, or it's, "we'll do this because the FSB might want it, and it could be something that would give us a bit of, you know, something to give the FSB if we ever get, you know, investigated." So the FSB is Russia's internal security service. So it felt potentially ad hoc and more like corruption rather than a planned, purposeful "we're going to leverage cybercriminals." Now, this one, because it's creating a separate infrastructure and modifying the malware, like, at least a little bit, it feels much more like "we're doing this because someone told us to do this and we're keeping it separate." Like, if you've got a botnet, you don't create a separate infrastructure just for fun. Like, you do that because you need to do it. So it felt like they'd been given a work package: go away and do this, and we'll task that particular variant for our purposes. So this feels a lot more formalized. Now, it's not clear to me exactly how much extra work it is, whether it's a little bit or a fair bit. But to me, it felt significant that there was a difference between the previous examples I've heard of and this one. And so the infrastructure was different. It's set up to record everything that victims do on their computer, whereas the criminal variant had that as an option. But it seemed like this is something that a state would want all the time. And also the targeting was very different. So it was targeted at basically, you know, government, military, law enforcement, that kind of thing.
So all these kind of added up to a much more direct state-to-criminal tasking relationship than the criminals kind of operating off their own bat just because they think it might be useful or because their uncle is in the security service or whatever.
Patrick Gray
Now, I guess one of the most interesting things about all of this, though, is it's giving us a timeline on these deepening links that we didn't quite have before, because, as I say, that dotted line has been there for a while, but we haven't known the precise relationships. We have seen other reports suggesting there was another botnet, I can't remember which one, that had been doing some espionage stuff as well. So we've seen this kind of thing before, but never so comprehensively and sort of spelled out in an indictment. But one thing you've written about here is it shows us when this started, which was actually going back to, like, pre-Ukraine war. So we're talking like 2021, right?
Tom Uren
Yeah, yeah. So before this came out, I would have said there's been these loose ad hoc relationships that have gone on for a long time and that the Russian invasion of Ukraine actually provided an impetus for security forces to, I guess, enrich the relationship. And so they've done that by buying criminal services, they've recruited personnel, and I suspect that might be by coercing them, like, "come and work for us or else." And I would have thought the war is the driving motivation, but it turns out that this espionage variant was created a whole year, at least a whole year, before the war started. So it sort of pushes back the timeline on all of my assumptions about how this relationship has evolved. So very early after the invasion, Danabot was used in DDoS attacks against the Ukrainian Ministry of Defence and their National Security Council. And so that makes sense if there's already at least a semi-formal relationship with the Danabot administrators, that they're able to, within weeks of the invasion, say, do this DDoS thing. And the DDoS thing involved installing a plugin and then launching the attacks. So this whole indictment made me change how far the relationship has gone and how early it started.
Patrick Gray
I mean, to a degree, I'm kind of surprised that we didn't know more sooner, given that we're seeing this evidence come out now of just quite how strong these links are. Why is it that we're hearing about it four years later? Because it does surprise me. We usually have a better idea about what's going on.
Tom Uren
So one reason is that the indictment was actually written in 2022, I think, and it just sat there. And so they only unsealed it because of the takedown of Danabot, which occurred last week, and a whole lot of other things. So I think it's one of those things where, as a person on the outside of the threat intelligence industry looking in, maybe this is something that a whole lot of people knew and they just would, you know, refer to dotted lines.
Patrick Gray
Yeah, well, you do sort of wonder why that indictment was hanging around for so long. And it suggests that maybe, you know, I mean, look, this is pure speculation, but, you know, intelligence services in the West have been known to infiltrate these sorts of botnets and to watch what they're watching and things like that. I mean, do you think that's possible in this case?
Tom Uren
I mean, anything's possible. I got no hint of that from what I read, and that is my point.
Patrick Gray
Right.
Tom Uren
Like, sometimes you get a feeling just based on how much they know. And to me everything in there seemed consistent with, you know, looking at forums, maybe infiltrating, like, what's the word, chat groups and stuff like that, but not actually getting onto the Danabot. Well, the biggest thing that they did do was that the Danabot administrator infected their own computer.
Patrick Gray
Yeah, Brian Krebs had great reporting on this. It turns out, like, a bunch of them infected their own computers and that's how they were sort of unmasked for the purposes of the indictment, which is, yeah, whoops.
Tom Uren
Yeah, yeah. And the indictment talks about how the, I think it was the FBI, seized a server and the server had information from the administrators that had been siphoned up by Danabot. So they were able to get a whole lot of information from that. So I guess my answer, now that I've remembered that, is, oh yeah, they were on the boxes, but only because Danabot was on the boxes themselves. And so it was a self-own, and there was probably, I guess in that case there wasn't any need for intelligence services to get on the box. The conspirators had already done it themselves.
Patrick Gray
Yeah, yeah. All right, well, let's move on to our next topic now. And this is an interesting one because it hasn't actually been reported that widely, and where it has been reported, it's kind of a bit breathless. Right. So the public report that we've linked through to from this one is from the Intercept, and they're reporting that, oh my God, the Office of the Director of National Intelligence is setting up a one-stop shop for intelligence agencies to buy sensitive commercially available data. And they've gone very hard on this angle of, like, they're going to be buying Americans' data and whatnot. But, you know, honestly, you know, pretty much all of the time that's not what these agencies are using this data for. I mean, there are exceptions and we've reported on them and whatnot. You know, generally speaking, commercially available data from data brokers is very useful for foreign intelligence purposes. But every agency seems to have a different policy, different way of procuring this stuff. And it looks like ODNI is setting up, like, a centralised platform to prevent agencies from buying the same stuff twice and whatnot. So it kind of looks like an efficiency measure here. The Intercept has sort of suggested that this is a terrible thing and it's going to result in a bunch of Americans' data going off to these agencies. You're arguing the opposite of that, which is that once you get all of this stuff being procured in one place, it's kind of easier to control and monitor and apply oversight to what people are actually buying. And I, you know, I tend to agree with you on that. I mean, it doesn't mean that, you know, the idea of protecting people's data, oh, that's a solved problem now. But this is certainly something that you would like to have in place if you wanted to apply better oversight to the procurement of data by intelligence agencies from data brokers.
Tom Uren
Yeah, yeah. This was interesting to me in terms of someone who's been following it for a while. So I first wrote about, they call it CAI, commercially acquired information, in the intelligence community back in 2023. And at that point there was an ODNI report that said, yep, intelligence agencies are using this data. There's no consistent policy. Mostly people seem to be doing the right thing, but we're not entirely sure because we can't see what everyone has done. I guess the feeling I got was, look, we've asked around and this is what people tell us and this seems fine, but we can't guarantee that every single use of CAI is totally fine. And so it felt like a bit of a haphazard mishmash where people are trying to do the best they can, but they've come up with different, I guess, policy answers on a per-agency basis. Now it turns out that, a year later, after that report, the ODNI came out with a community-wide policy. And the policy is, like, pretty sensible. It's, yeah, this stuff can be valuable. We've got to consider privacy and civil liberties. That's very important. And some data is more sensitive. So, first of all, you have to have a need to use it. It has to satisfy an IC mission. And if it's sensitive, you know, we need all these extra protections. Plus there's got to be a report to the public that says this is what we're using this data for. And so that to me actually seems fair enough. It would seem ridiculous to say that there's all this commercially available data available to everyone except for people in the US intelligence community. So that seems to strike a balance. Now the next part would be, well, okay, we've got this policy, that seems fair enough. How do we get that data so that every agency isn't buying it for itself and trying to manage it separately in different silos? So this is really what it's all about.
And it's also, there's this quite interesting problem that you can buy data, I guess, at different levels, where you can buy it from one vendor and then another vendor takes that, munges it with something else and creates a slightly different product, which is in some sense duplication. And so the idea is that if you centralize all the purchasing and you say to that organization or that body or that function, make sure that we're getting the best value for money for what we need to do, you remove the duplication, you stop buying the same thing twice, you get a more consistent product. And it's also easier to make sure that privacy and civil liberties are protected. And, like, that seemed fair enough to me.
Patrick Gray
Yeah.
Tom Uren
I think the big concern is that the Trump admin does not give us the warm and fuzzies that they care all that much about oversight. I think to the administration, they feel that oversight is an encumbrance rather than an enabler. My view would be that oversight is a long-term enabler of getting stuff done. And so that's, I suppose, the worry. I think the intelligence community has a very long history of enacting policy and following policy, like it's been beaten into them over 10 or 20 years or longer. And so.
Patrick Gray
Well, that's what you've written here, which is the intelligence community is a group of bureaucracies, and on the whole they're conditioned to follow policy. It's just kind of the nature of the beast.
Tom Uren
Yeah. And because they're so large, that's not something that changes overnight. So I think that actually having this kind of data going to those organizations in a centralized fashion actually makes sense. It would be easier to see where that data is being used, what purposes it's used for. It actually makes oversight easier. There's congressional oversight, so it's not just the administration seeing what's going on as well. So I think making the oversight easier is a win.
Patrick Gray
Yeah, no, I completely agree with you. I mean, this is still an area that needs a lot more policy development. I mean, it's been something that you've been writing about for years now and it's still not there yet. But I do find it funny that something like this gets spun up and the reaction from a masthead like the Intercept is, oh, no, you know, like, it's just, that's just how they be. Right.
Tom Uren
I think there's, you know, everyone brings their own lens into how they look at the world, and, I guess, that's just the default position. And I think the value of oversight and public reports is that you get to see what actually is happening and then make up your own mind.
Patrick Gray
Yeah, yeah, that's it. All right, mate. Well, we're going to wrap it up there. That was, look, a great newsletter as usual. So again, people should head over to Risky Biz and subscribe to it so they can read through the whole thing. And there's obviously more stuff in the newsletter than just what we talk about in the podcast. But yeah, we will wrap it up there. Tom Uren, thank you so much for joining me to talk through your newsletter this week.
Tom Uren
Thanks a lot, Patrick.
Risky Bulletin Summary: "Srsly Risky Biz: Russia's Cybercriminals and Spies Are Officially in Cahoots"
Released on May 29, 2025 | Host: Patrick Gray | Guest: Tom Uren
In this episode of Seriously Risky Business, hosted by Patrick Gray of risky.biz, the discussion delves into the intricate relationship between Russian cybercriminals and state-sponsored espionage activities. With insights from Tom Uren, the policy and intelligence editor at Risky Biz, the episode unpacks recent developments in cybersecurity threats emanating from Russia and the strategic responses from intelligence communities.
The episode begins with an in-depth analysis of the recent takedown of the Danabot malware and associated botnet. Tom Uren highlights a pivotal revelation from the Department of Justice (DOJ) indictment, which uncovers two distinct versions of Danabot:
Criminal Variant: The version used for ordinary financially motivated crime, in which recording everything a victim does on their computer was only an optional capability.
Espionage Variant: A version with its own separate infrastructure and command-and-control (C2), configured to record all victim activity, and targeted at government, military and law enforcement organizations on behalf of the Russian state.
Uren emphasizes the significance of this distinction, stating:
"It felt like they'd been given a work package, go away and do this, and we'll task that particular variant for our purposes." ([02:12])
This formal separation indicates a more structured collaboration between Russian state actors and cybercriminals, moving beyond the previously observed ad hoc interactions.
A key discussion point revolves around the historical timeline of the collaboration between Russian cybercriminals and state intelligence:
Pre-Ukraine War (2020-2021): The espionage variant of Danabot was developed at least a year before the invasion, suggesting that the relationship between criminals and the state was being formalized well before the escalation of the Ukraine conflict.
Post-Invasion Usage: Within weeks of the invasion, Danabot was employed in Distributed Denial of Service (DDoS) attacks against the Ukrainian Ministry of Defence and National Security Council, carried out by installing a plugin on infected machines. Uren notes:
"This whole indictment made me change how far the relationship has gone and how early it started." ([05:19])
This timeline challenges previous assumptions that the war was the primary catalyst for deepening state-criminal collaborations.
Patrick Gray expresses surprise over the delayed public unveiling of the indictment, considering the profound implications of the findings:
"I kind of wonder why that indictment was hanging around for so long. It suggests that maybe intelligence services in the west have been infiltrating these sort of botnets..." ([06:48])
However, Uren clarifies that the indictment was prepared in 2022 but remained sealed until recent actions against Danabot prompted its release:
"So I think it's one of those things where as a person on the outside of the threat intelligence industry... maybe this is something that a whole lot of people knew and they just would, you know, refer to dotted lines." ([07:04])
The conversation touches upon the potential role of Western intelligence services in monitoring or infiltrating botnets like Danabot. Uren downplays this possibility, attributing the exposure of Danabot's administrators to their own operational security failures: the administrators infected their own machines with Danabot, and the FBI later seized a server holding the data Danabot had siphoned from them.
"The conspirators had already done it themselves." ([08:07])
Additionally, Brian Krebs' reporting is referenced, indicating that Danabot’s administrators inadvertently compromised their own systems, leading to their identification and indictment.
Shifting focus, the episode explores the Office of the Director of National Intelligence’s (ODNI) initiative to create a centralized platform for intelligence agencies to procure commercially available data. The Intercept's report frames this move as a potential threat to American privacy, suggesting that sensitive data could be exploited by intelligence agencies.
Tom Uren counters this perspective by arguing that centralization enhances oversight and efficiency:
"Once you get all of this stuff being procured in one place, it's kind of easier to control and monitor and apply oversight to what people are actually buying." ([11:00])
He further explains that a unified procurement system can mitigate duplication of efforts and ensure consistent application of privacy and civil liberties protections.
Uren details the evolution of policies surrounding Commercially Acquired Information (CAI) within the intelligence community:
Initial State (2023): An ODNI report acknowledged that intelligence agencies were using CAI but found no consistent policy across agencies, leaving ODNI unable to verify that every use of the data was appropriate.
Policy Development: By 2024, ODNI introduced a comprehensive community-wide policy emphasizing the value of CAI while safeguarding privacy and civil liberties. Key elements include:
Mission Need: Agencies must have a genuine need for the data that satisfies an intelligence community (IC) mission.
Sensitivity Tiers: Data classed as sensitive requires additional protections before it can be used.
Public Reporting: Agencies must report publicly on what the data is being used for.
Uren asserts that these measures strike a necessary balance:
"It would seem ridiculous to say that there's all this commercially available data available to everyone except for people in the US Intelligence community. So that seems to strike a balance." ([12:00])
He also addresses concerns regarding administrative attitudes towards oversight, emphasizing the intelligence community’s longstanding adherence to policies and the benefits of centralized data procurement in facilitating congressional and internal oversight.
Uren adds that centralized procurement also makes it easier for Congress, not just the administration, to see how the data is being used:
"There’s congressional oversight, so it’s not just the administration seeing what's going on as well." ([14:26])
The episode concludes with Patrick Gray commending the detailed analysis presented by Tom Uren, encouraging listeners to subscribe to Risky Biz’s newsletter for more comprehensive insights. The discussion underscores a critical shift in the nexus between state-sponsored espionage and cybercriminal activities within Russia, as well as the strategic efforts by intelligence communities to manage and oversee the acquisition of commercial data more effectively.
The episode reinforces the importance of understanding the evolving landscape of cybersecurity threats and the mechanisms in place to counteract them, offering valuable perspectives for both cybersecurity professionals and informed citizens.
Subscribe to Risky Biz to stay updated with in-depth analyses and expert insights on the latest developments in cybersecurity and intelligence.