Risky Bulletin Summary: "Srsly Risky Biz: Russia's Cybercriminals and Spies Are Officially in Cahoots"
Released on May 29, 2025 | Host: Patrick Gray | Guest: Tom Uren
Introduction
In this episode of Seriously Risky Business, hosted by Patrick Gray of risky.biz, the discussion delves into the intricate relationship between Russian cybercriminals and state-sponsored espionage activities. With insights from Tom Uren, the policy and intelligence editor at Risky Biz, the episode unpacks recent developments in cybersecurity threats emanating from Russia and the strategic responses from intelligence communities.
Takedown of Danabot: Cybercriminals and the Russian State
The episode begins with an in-depth analysis of the recent takedown of the Danabot malware and associated botnet. Tom Uren highlights a pivotal revelation from the Department of Justice (DOJ) indictment, which uncovers two distinct versions of Danabot:
- Criminal Version: Designed primarily for financial theft and standard cybercriminal activities.
- Espionage Version: Utilizes separate infrastructure and command-and-control (C2) mechanisms explicitly crafted for state-sponsored espionage.
Uren emphasizes the significance of this distinction, stating:
"It felt like they'd been given a work package, go away and do this, and we'll task that particular variant for our purposes." ([02:12])
This formal separation indicates a more structured collaboration between Russian state actors and cybercriminals, moving beyond the previously observed ad hoc interactions.
Timeline and Evolution of State-Criminal Relationships
A key discussion point revolves around the historical timeline of the collaboration between Russian cybercriminals and state intelligence:
- Pre-Ukraine War (2020-2021): The espionage variant of Danabot was developed, suggesting that the relationship between criminals and the state was being formalized well before the escalation of the Ukraine conflict.
- Post-Invasion Usage: Shortly after the invasion, Danabot was employed in Distributed Denial of Service (DDoS) attacks targeting Ukrainian government and military entities. Uren notes:
"This whole indictment made me change how far the relationship has gone and how early it started." ([05:19])
This timeline challenges previous assumptions that the war was the primary catalyst for deepening state-criminal collaborations.
Indictment and Delayed Public Disclosure
Patrick Gray expresses surprise over the delayed public unveiling of the indictment, considering the profound implications of the findings:
"I kind of wonder why that indictment was hanging around for so long. It suggests that maybe intelligence services in the west have been infiltrating these sort of botnets..." ([06:48])
However, Uren clarifies that the indictment was prepared in 2022 but remained sealed until recent actions against Danabot prompted its release:
"So I think it's one of those things where as a person on the outside of the threat intelligence industry... maybe this is something that a whole lot of people knew and they just would, you know, refer to dotted lines." ([07:04])
Intelligence Community Involvement
The conversation touches upon the potential role of Western intelligence services in monitoring or infiltrating botnets like Danabot. However, Uren downplays this possibility, attributing the exposure of Danabot's administrators to their own operational security failures:
"The conspirators had already done it themselves." ([08:07])
Additionally, Brian Krebs' reporting is referenced, indicating that Danabot’s administrators inadvertently compromised their own systems, leading to their identification and indictment.
Centralizing Intelligence Agencies' Purchase of Commercial Data
Shifting focus, the episode explores the Office of the Director of National Intelligence’s (ODNI) initiative to create a centralized platform for intelligence agencies to procure commercially available data. The Intercept's report frames this move as a potential threat to American privacy, suggesting that sensitive data could be exploited by intelligence agencies.
Tom Uren counters this perspective by arguing that centralization enhances oversight and efficiency:
"Once you get all of this stuff being procured in one place, it's kind of easier to control and monitor and apply oversight to what people are actually buying." ([11:00])
He further explains that a unified procurement system can mitigate duplication of efforts and ensure consistent application of privacy and civil liberties protections.
Balancing Efficiency with Privacy and Oversight
Uren details the evolution of policies surrounding Commercially Acquired Information (CAI) within the intelligence community:
- Initial State (2023): ODNI recognized the use of CAI but identified a lack of consistent policy across agencies, leading to a fragmented and potentially insecure approach.
- Policy Development: By 2024, ODNI introduced a comprehensive community-wide policy emphasizing the value of CAI while safeguarding privacy and civil liberties. Key elements include:
- Need-Based Usage: Data must align with specific intelligence missions.
- Sensitivity Considerations: Enhanced protections for more sensitive information.
- Public Reporting: Transparency in data usage purposes.
Uren asserts that these measures strike a necessary balance:
"It would seem ridiculous to say that there's all this commercially available data available to everyone except for people in the US Intelligence community. So that seems to strike a balance." ([12:00])
He also addresses concerns regarding administrative attitudes towards oversight, emphasizing the intelligence community’s longstanding adherence to policies and the benefits of centralized data procurement in facilitating congressional and internal oversight.
Conclusion
The episode concludes with Patrick Gray commending the detailed analysis presented by Tom Uren, encouraging listeners to subscribe to Risky Biz’s newsletter for more comprehensive insights. The discussion underscores a critical shift in the nexus between state-sponsored espionage and cybercriminal activities within Russia, as well as the strategic efforts by intelligence communities to manage and oversee the acquisition of commercial data more effectively.
"There’s congressional oversight, so it’s not just the administration seeing what's going on as well." ([14:26])
The episode reinforces the importance of understanding the evolving landscape of cybersecurity threats and the mechanisms in place to counteract them, offering valuable perspectives for both cybersecurity professionals and informed citizens.
Subscribe to Risky Biz to stay updated with in-depth analyses and expert insights on the latest developments in cybersecurity and intelligence.
