From Cybercrime Saul Goodman to the Russian GRU – Krebs on Safety

In 2021, the unique Russian cybercrime discussion board Mazafaka was hacked. The leaked consumer database exhibits one of many discussion board’s founders was an legal professional who suggested Russia’s high hackers on the authorized dangers of their work, and what to do in the event that they obtained caught. A evaluation of this consumer’s hacker identities exhibits that in his time on the boards he served as an officer within the particular forces of the GRU, the overseas navy intelligence company of the Russian Federation.

Launched in 2001 beneath the tagline “Community terrorism,” Mazafaka would evolve into one of the vital guarded Russian-language cybercrime communities. The discussion board’s member roster included a Who’s Who of high Russian cybercriminals, and it featured sub-forums for a variety of cybercrime specialities, together with malware, spam, coding and id theft.

In nearly any database leak, the primary accounts listed are normally the directors and early core members. However the Mazafaka consumer data posted on-line was not a database file per se, and it was clearly edited, redacted and restructured by whoever launched it. In consequence, it may be tough to inform which members are the earliest customers.

The unique Mazafaka is thought to have been launched by a hacker utilizing the nickname “Stalker.” Nonetheless, the bottom numbered (non-admin) consumer ID within the Mazafaka database belongs to a different particular person who used the deal with “Djamix,” and the e-mail deal with djamix@mazafaka[.]ru.

From the discussion board’s inception till round 2008, Djamix was one in all its most energetic and eloquent contributors. Djamix instructed discussion board members he was a lawyer, and practically all of his posts included authorized analyses of varied public circumstances involving hackers arrested and charged with cybercrimes in Russia and overseas.

“Hiding with purely technical parameters is not going to assist in a severe matter,” Djamix suggested Maza members in September 2007. “So as to ESCAPE the legislation, it’s worthwhile to KNOW the legislation. That is an important factor. Technical capabilities can’t overcome intelligence and crafty.”

Stalker himself credited Djamix with maintaining Mazafaka on-line for therefore a few years. In a retrospective put up printed to Livejournal in 2014 titled, “Mazafaka, from conception to the current day,” Stalker stated Djamix had turn into a core member of the group.

“This man is in all places,” Stalker stated of Djamix. “There’s not a factor on [Mazafaka] that he doesn’t participate in. For me, he’s a stimulus-irritant and due to him, Maza continues to be alive. Our rallying pressure!”

Djamix instructed different discussion board denizens he was a licensed legal professional who may very well be employed for distant or in-person consultations, and his posts on Mazafaka and different Russian boards present a number of hackers dealing with authorized jeopardy seemingly took him up on this provide.

“I’ve the best to signify your pursuits in court docket,” Djamix stated on the Russian-language cybercrime discussion board Verified in Jan. 2011. “Remotely (within the type of fixed help and consultations), or in individual – that is mentioned individually. In addition to the price of my companies.”

WHO IS DJAMIX?

A search on djamix@mazafaka[.]ru at DomainTools.com reveals this deal with has been used to register at the very least 10 domains since 2008. These embody a number of web sites about life in and round Sochi, Russia, the positioning of the 2014 Winter Olympics, in addition to a close-by coastal city known as Adler. All of these websites say they had been registered to an Aleksei Safronov from Sochi who additionally lists Adler as a hometown.

The breach monitoring service Constella Intelligence finds that the telephone quantity related to these domains — +7.9676442212 — is tied to a Fb account for an Aleksei Valerievich Safronov from Sochi. Mr. Safronov’s Fb profile, which was final up to date in October 2022, says his ICQ immediate messenger quantity is 53765. This is identical ICQ quantity assigned to Djamix within the Mazafaka consumer database.

A “Djamix” account on the discussion board privetsochi[.]ru (“Good day Sochi”) says this consumer was born Oct. 2, 1970, and that his web site is uposter[.]ru. This Russian language information website’s tagline is, “We Create Communication,” and it focuses closely on information about Sochi, Adler, Russia and the struggle in Ukraine, with a robust pro-Kremlin bent.

Safronov’s Fb profile additionally offers his Skype username as “Djamixadler,” and it contains dozens of pictures of him wearing navy fatigues together with a regiment of troopers deploying in pretty distant areas of Russia. A few of these pictures date again to 2008.

In a number of of the photographs, we will see a patch on the arm of Safronov’s jacket that bears the emblem of the Spetsnaz GRU, a particular forces unit of the Russian navy. In keeping with a 2020 report from the Congressional Analysis Service, the GRU operates each as an intelligence company — amassing human, cyber, and alerts intelligence — and as a navy group answerable for battlefield reconnaissance and the operation of Russia’s Spetsnaz navy commando models.

“In recent times, studies have linked the GRU to a few of Russia’s most aggressive and public intelligence operations,” the CRS report explains. “Reportedly, the GRU performed a key position in Russia’s occupation of Ukraine’s Crimea area and invasion of jap Ukraine, the tried assassination of former Russian intelligence officer Sergei Skripal in the UK, interference within the 2016 U.S. presidential elections, disinformation and propaganda operations, and a few of the world’s most damaging cyberattacks.”

In keeping with the Russia-focused investigative information outlet Meduza, in 2014 the Russian Protection Ministry created its “information-operation troops” for motion in “cyber-confrontations with potential adversaries.”

“Later, sources within the Protection Ministry defined that these new troops had been meant to ‘disrupt the potential adversary’s data networks,’” Meduza reported in 2018. “Recruiters reportedly went in search of ‘hackers who’ve had issues with the legislation.’”

Mr. Safronov didn’t reply to a number of requests for remark. A 2018 treatise written by Aleksei Valerievich Safronov titled “One Hundred Years of GRU Navy Intelligence” explains the importance of the bat within the seal of the GRU.

“A method or one other, the bat is an emblem that unites all energetic and retired intelligence officers; it’s a image of unity and exclusivity,” Safronov wrote. “And, normally, it doesn’t matter who we’re speaking about – a secret GRU agent someplace within the military or a sniper in any of the particular forces brigades. All of them did and are doing one essential and accountable factor.”

It’s unclear what position Mr. Safronov performs or performed within the GRU, but it surely appears seemingly the navy intelligence company would have exploited his appreciable technical abilities, information and connections on the Russian cybercrime boards.

Looking out on Safronov’s area uposter[.]ru in Constella Intelligence reveals that this area was utilized in 2022 to register an account at a well-liked Spanish-language dialogue discussion board devoted to serving to candidates put together for a profession within the Guardia Civil, one in all Spain’s two nationwide police forces. Pivoting on that Russian IP in Constella exhibits three different accounts had been created on the similar Spanish consumer discussion board across the similar date.

Mark Rasch is a former cybercrime prosecutor for the U.S. Division of Justice who now serves as chief authorized officer for the New York cybersecurity agency Unit 221B. Rasch stated there has at all times been an in depth relationship between the GRU and the Russian hacker group, noting that within the early 2000s the GRU was soliciting hackers with the abilities essential to hack US banks with a view to procure funds to assist finance Russia’s struggle in Chechnya.

“The man is closely hooked into the Russian cyber group, and that’s helpful for intelligence companies,” Rasch stated. “He may have been infiltrating the group to watch it for the GRU. Or he may simply be a man carrying a navy uniform.”