Netherlands: Two teenagers arrested in spying case linked to Russia
bbc.com/ Jacqueline Howard The pair were allegedly recruited by pro-Russian hackers and used a "wi-fi sniffer" on the Europol headquarters. Two 17-year-old boys have been arrested on suspicion of "state interference" in the Netherlands, prosecutors say, in a case with reported links to Russian spying. The pair were allegedly contacted by pro-Russian hackers on the messaging app Telegram, Dutch media reported. One of the boys allegedly walked past the offices of Europol, Eurojust and the Canadian embassy in The Hague carrying a "wi-fi sniffer" - a device designed to identify and intercept wi-fi networks. The teenagers appeared before a judge on Thursday, who ordered one boy be remanded in custody and the other placed on strict home bail conditions until a hearing, which is due to take place in the next two weeks. The National Office of the Netherlands Public Prosecution Service confirmed court appearance, but told the BBC it could not provide details on the case due to the suspects' age and in "the interest of the investigation", which is ongoing. One of the boy's father told Dutch newspaper De Telegraaf that police had arrested his son on Monday afternoon while he was doing his homework. He said police told him that the arrest related to espionage and rendering services to a foreign country, the paper reports. The teenager was described as being computer savvy and having a fascination for hacking, while holding a part-time job at a supermarket. The Netherlands' domestic intelligence and security agency declined to comment on the case when approached by the BBC.
CopyCop Deepens Its Playbook with New Websites and Targets
PUBLISHED ON 18 SEP 2025 recordedfuture.com Insikt Group® Executive Summary Since March 2025, Insikt Group has observed CopyCop (also known as Storm-1516), a Russian covert influence network, creating at least 200 new fictional media websites targeting the United States (US), France, and Canada, in addition to websites impersonating media brands and political parties and movements in France, Canada, and Armenia. CopyCop has also established a regionalized network of websites posing as a fictional fact-checking organization publishing content in Turkish, Ukrainian, and Swahili, languages never featured by the network before. Including the 94 websites targeting Germany reported by Insikt Group in February 2025, this amounts to over 300 websites established by CopyCop’s operators in the year to date, marking a significant expansion from our initial reporting on the network in 2024, and with many yet to be publicly documented. These websites are very likely operated by John Mark Dougan with support from the Moscow-based Center for Geopolitical Expertise (CGE) and the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). CopyCop uses these websites as infrastructure to disseminate influence content targeting pro-Western leadership and publish artificial intelligence (AI)-generated content with pro-Russian and anti-Ukrainian themes in support of Russia’s offensive operations in the global information environment. While the network’s scope in terms of target languages and countries has expanded, its primary objectives almost certainly remain unchanged: undermining support for Ukraine and exacerbating political fragmentation in Western countries backing Ukraine. Insikt Group has also observed CopyCop engaging in additional secondary objectives like advancing Russia’s geopolitical objectives in its broader sphere of influence, such as Armenia and Moldova. CopyCop’s narratives and content in support of these objectives are routinely amplified by an ecosystem of social media influencers in addition to other Russian influence networks like Portal Kombat and InfoDefense. Similar to its objectives, CopyCop’s tactics, techniques, and procedures (TTPs) remain broadly unchanged, with marginal improvements designed to strengthen the network’s reach, resilience, and credibility. Tactics and techniques used for content dissemination typically include deepfakes, lengthy dossiers intending to embarrass targets, and fake interviews of alleged whistleblowers making claims about political leaders in NATO member states like the US, France, and Germany. Insikt Group also identified new evidence that CopyCop uses self-hosted, uncensored large language models (LLMs) based on Meta’s Llama 3 open-source models to generate AI content rather than relying on Western AI service providers. Relative to other Russian influence networks, CopyCop’s impact remains significant: targeted influence content promoted by its websites and an ecosystem of pro-Russian social media influencers and so-called “journalists” regularly obtains high rates of organic engagement across multiple social media platforms, and has a precedent for breaking into mainstream political discourse. Persistently identifying and publicly exposing these networks should remain a priority for governments, journalists, and researchers seeking to defend democratic institutions from Russian influence. Key Findings To date, in 2025, CopyCop has widened its target languages to include Turkish, Ukrainian, and Swahili, and its geographic scope to include Moldova, Canada, and Armenia while sustaining influence operations targeting the US and France. The network is also leveraging new infrastructure to publish content, marking a significant expansion of its activities targeting new audiences. CopyCop’s core influence objectives remain eroding public support for Ukraine and undermining democratic processes and political leaders in Western countries supporting Ukraine. CopyCop’s TTPs are broadly unchanged from previous assessments, with only marginal improvements to increase the network’s reach, resilience, and credibility. Newly observed TTPs include evidence of CopyCop using self-hosted LLMs for content generation, employing subdomains as mirrors, and impersonating media outlets. Insikt Group has identified two uncensored versions of Meta’s Llama-3-8b model that are likely being used by CopyCop to generate articles. The network is also increasingly conducting influence operations within Russia’s sphere of influence, including targeting Moldova and Armenia ahead of their parliamentary elections in 2025 and 2026, respectively. This is a broader trend observed across the Russian influence ecosystem. Background Insikt Group previously documented CopyCop in May and June 2024, in addition to the network’s attempts at influencing the 2024 French snap elections, 2024 US presidential elections, and 2025 German federal elections. Reporting from other organizations such as Clemson University, VIGINUM, NewsGuard, Microsoft, European External Action Service, and Gnida Project has broadly corroborated our initial assessments of the network’s objectives, targets, and infrastructure, in addition to our attribution of part of the network’s activities to John Mark Dougan, a US citizen based in Moscow. The Washington Post and the US Department of the Treasury have also since established links between Dougan, the CGE, and the GRU. The GRU reportedly helped fund self-hosted LLM infrastructure, while the CGE was likely responsible, with Dougan’s assistance and direction from the GRU, for the creation of deepfakes and inauthentic content targeting political leaders in the US, Ukraine, France, and other countries.
Amazon disrupts watering hole campaign by Russia’s APT29
aws.amazon.com by CJ Moses on 29 AUG 2025 Amazon’s threat intelligence team has identified and disrupted a watering hole campaign conducted by APT29 (also known as Midnight Blizzard), a threat actor associated with Russia’s Foreign Intelligence Service (SVR). Our investigation uncovered an opportunistic watering hole campaign using compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow. This opportunistic approach illustrates APT29’s continued evolution in scaling their operations to cast a wider net in their intelligence collection efforts. The evolving tactics of APT29 This campaign follows a pattern of activity we’ve previously observed from APT29. In October 2024, Amazon disrupted APT29’s attempt to use domains impersonating AWS to phish users with Remote Desktop Protocol files pointed to actor-controlled resources. Also, in June 2025, Google’s Threat Intelligence Group reported on APT29’s phishing campaigns targeting academics and critics of Russia using application-specific passwords (ASPs). The current campaign shows their continued focus on credential harvesting and intelligence collection, with refinements to their technical approach, and demonstrates an evolution in APT29’s tradecraft through their ability to: Compromise legitimate websites and initially inject obfuscated JavaScript Rapidly adapt infrastructure when faced with disruption On new infrastructure, adjust from use of JavaScript redirects to server-side redirects Technical details Amazon identified the activity through an analytic it created for APT29 infrastructure, which led to the discovery of the actor-controlled domain names. Through further investigation, Amazon identified the actor compromised various legitimate websites and injected JavaScript that redirected approximately 10% of visitors to these actor-controlled domains. These domains, including findcloudflare[.]com, mimicked Cloudflare verification pages to appear legitimate. The campaign’s ultimate target was Microsoft’s device code authentication flow. There was no compromise of AWS systems, nor was there a direct impact observed on AWS services or infrastructure. Analysis of the code revealed evasion techniques, including: Using randomization to only redirect a small percentage of visitors Employing base64 encoding to hide malicious code Setting cookies to prevent repeated redirects of the same visitor Pivoting to new infrastructure when blocked Image of compromised page, with domain name removed. Image of compromised page, with domain name removed. Amazon’s disruption efforts Amazon remains committed to protecting the security of the internet by actively hunting for and disrupting sophisticated threat actors. We will continue working with industry partners and the security community to share intelligence and mitigate threats. Upon discovering this campaign, Amazon worked quickly to isolate affected EC2 instances, partner with Cloudflare and other providers to disrupt the actor’s domains, and share relevant information with Microsoft. Despite the actor’s attempts to migrate to new infrastructure, including a move off AWS to another cloud provider, our team continued tracking and disrupting their operations. After our intervention, we observed the actor register additional domains such as cloudflare[.]redirectpartners[.]com, which again attempted to lure victims into Microsoft device code authentication workflows. Protecting users and organizations We recommend organizations implement the following protective measures: For end users: Be vigilant for suspicious redirect chains, particularly those masquerading as security verification pages. Always verify the authenticity of device authorization requests before approving them. Enable multi-factor authentication (MFA) on all accounts, similar to how AWS now requires MFA for root accounts. Be wary of web pages asking you to copy and paste commands or perform actions in Windows Run dialog (Win+R). This matches the recently documented “ClickFix” technique where attackers trick users into running malicious commands. For IT administrators: Follow Microsoft’s security guidance on device authentication flows and consider disabling this feature if not required. Enforce conditional access policies that restrict authentication based on device compliance, location, and risk factors. Implement robust logging and monitoring for authentication events, particularly those involving new device authorizations. Indicators of compromise (IOCs) findcloudflare[.]com cloudflare[.]redirectpartners[.]com Sample JavaScript code Decoded JavaScript code, with compromised site removed: "[removed_domain]" Decoded JavaScript code, with compromised site removed: “[removed_domain]” hole campaign using compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices […]
Russian hackers took control of Norwegian dam, police chief says
Cyberattacks are part of Russia’s hybrid warfare strategy, designed not only to cause harm, but to “demonstrate what they are capable of.” The Norwegian Police Security Service suspects pro-Russian hackers sabotaged a dam in southwestern Norway in April. Norwegian daily newspaper VG reported that the hackers breached the dam’s control system, opening valves for four hours, sending large amounts of water gushing forth until the valves could be shut. The chief of the Norwegian Police Security Service (PST) Beate Gangås, disclosed the incident during a presentation on pro-Russian cyber operations at a public event on Wednesday. According to VG, Gangås said that the number of cyberattacks on Western infrastructure was increasing, often not to cause damage but to “demonstrate what they are capable of.” She also said Norway should be prepared for further hacking attacks. At the same event, Nils Andreas Stensønes, head of the Norwegian Intelligence Service said that Russia was the biggest threat to Norway’s security. Cyberattacks on Western targets are part of Russia’s hybrid warfare strategy. In another water-related case in January 2024, a hacking group breached a Texas water facility’s system, causing it to overflow. The suspected hackers are linked to the Kremlin. The dam is located in the municipality of Bremanger, approximately 150 kilometers north of the city of Bergen. Local media say that the dam is not used for energy production and that the hackers might have exploited a security gap created by a weak password.
Russia partially restricts WhatsApp and Telegram calls to 'combat criminals'
france24.com In what it called an effort to "combat criminals," Russia said Wednesday it would restrict calls on the popular messaging apps WhatsApp and Telegram, platforms a watchdog says are used for fraud, extortion, and that involve Russian citizens in "terrorist activities." Russia announced curbs on calls on the WhatsApp and Telegram messenger apps on Wednesday, saying that this was necessary to fight criminality, state media reported. "In order to combat criminals, measures are being taken to partially restrict calls on these foreign messaging apps (WhatsApp and Telegram)," communications watchdog Roskomnadzor said, as quoted by the RIA and TASS news agencies. The messenger apps have become "the main voice services used for fraud and extortion, and for involving Russian citizens in subversive and terrorist activities," the watchdog added. Russian security services have frequently claimed that Ukraine was using Telegram to recruit people or commit acts of sabotage in Russia. Moscow wants the messengers to provide access to data upon request from law enforcement, not only for fraud probes but also for investigating activities that Russia describes as terrorist ones. "Access to calls in foreign messengers will be restored after they start complying with Russian legislation," Russia's digital ministry said. In a statement sent to AFP, Telegram said it "actively combats misuse of its platform, including calls for sabotage or violence, as well as fraud" and removes "millions of pieces of harmful content every day". Since launching its offensive in Ukraine, Russia has drastically restricted press freedom and freedom of speech online. "WhatsApp is private, end-to-end encrypted, and defies government attempts to violate people's right to secure communication, which is why Russia is trying to block it from over 100 million Russian people," a spokesperson for Meta-owned WhatsApp told AFP. More than 100 million people in Russia use WhatsApp for messages and calls, and the platform is concerned that this is an effort to push them onto platforms more vulnerable to government surveillance, according to the spokesperson. (FRANCE 24 with AFP)
Dutch Prosecutors Recover From Suspected Russian Hack
The Dutch Public Prosecution Service on Monday began phased restoration of its networks after a cyberattack last month forced the agency to take down its services offline. The agency on Monday confirmed that hackers exploited a vulnerability in a Citrix device, but said that no data was stolen or manipulated in the breach. It took systems offline on July 17 following disclosures of vulnerabilities in Citrix NetScaler ADC and Gateway appliances., Dutch media reported in late July that "well-informed sources" believe Russia is behind the incident. Cybersecurity experts told newspaper Algemeen Dagblad that Russian hackers were likely gathering intelligence from the prosecution office or intending to disrupt a close Western ally of Ukraine. The Netherlands has been a strong supporter of Kyiv following Moscow's 2022 invasion of Ukraine, including by transferring F-16 airplanes and training the Ukraine military. Only on Monday it pledged 500 million euros to a NATO fund purchasing U.S. munitions for Ukraine, including Patriot missile intercept systems. A July warning from the Dutch National Cyber Security Center that hackers were targeting vulnerabilities known as Citrix Bleed 2 prompted the prosecution service to isolate its internal network. The vulnerability, tracked as CVE-2025-5777, allows attackers to bypass multifactor authentication, hijack user sessions and gain unauthorized access to the equipment (see: Attackers Actively Exploit 'Citrix Bleed 2' Vulnerability). Netherlands intelligence agencies earlier this year fingerprinted Moscow hackers for September 2024 breach resulting in the theft of work-related contact details of all Dutch police officers. Dutch agencies said the hackers behind the police incident belonged to a new cluster of threat activity they dubbed Laundry Bear. The group shares tactics with Unit 26165 of the Russian Main Intelligence Directorate, commonly tracked as APT28, the government said (see: NATO Countries Targeted By New Russian Espionage Group). Citrix released patches for Citrix Bleed 2 on June 17. The Dutch Public Prosecution Service would not be the only organization to have succumbed to the flaw. Cybersecurity company Imperva in July reported observing more than 10 million attack attempts, although many of those were opportunistic and automated. Nor would Russia be the only nation-state to take advantage of the flaw. GreyNoise last month said it observed early exploitation attempts appearing to originate from China in what appeared to be targeted attacks.
nytimes.com 04.08 - The introduction of a state-approved messaging app has raised fears that Russia could be preparing to block WhatsApp and Telegram. Russia is escalating its efforts to curtail online freedom, taking new steps toward a draconian state-controlled internet. The authorities are cracking down on workarounds that Russians have been using for access to foreign apps and banned content, including through new laws signed by President Vladimir V. Putin this past week. Moscow has also been impeding the function of services from U.S. tech companies, like YouTube, that Russians have used for years. At the same time, the Kremlin is building out a domestic ecosystem of easily monitored and censored Russian alternatives to Western tech products. That includes a new state-approved messaging service, MAX, which will come preinstalled by law on all new smartphones sold in Russia starting next month. The idea, experts say, is to migrate more Russians from an open internet dominated by the products of Western tech giants to a censored online ecosystem, where Russians primarily use software under the gaze and influence of the state. The effort has advanced significantly amid wartime repression, but it is unclear how far it will go. “The goal here is absolute control,” said Anastasiia Kruope, a researcher at Human Rights Watch who wrote a recent report on declining Russian internet freedoms. The Kremlin wants to control not only the information available online but also where and how internet traffic flows, Ms. Kruope said, so the Russian internet can function in isolation and be switched on and off at will. Russia’s technical capabilities for clamping down are improving, she added. “They are not perfect,” Ms. Kruope said. “They are not nearly at the level they would like them to be. But they are getting better, and this is the reason to start paying attention.”“The goal here is absolute control,” said Anastasiia Kruope, a researcher at Human Rights Watch who wrote a recent report on declining Russian internet freedoms. The Kremlin wants to control not only the information available online but also where and how internet traffic flows, Ms. Kruope said, so the Russian internet can function in isolation and be switched on and off at will. Russia’s technical capabilities for clamping down are improving, she added. “They are not perfect,” Ms. Kruope said. “They are not nearly at the level they would like them to be. But they are getting better, and this is the reason to start paying attention.”
Ukrainian intelligence crashes Russian occupation servers in Crimea
newsukraine.rbc.ua - Cyber specialists from Ukraine's Defense Intelligence (HUR) have carried out a large-scale special operation targeting the occupation authorities in Crimea. According to a Ukrainian intelligence source speaking to RBC-Ukraine, the operation lasted several days. A powerful DDoS attack effectively paralyzed the information systems and network infrastructure in Crimea. While the Russian occupiers were scrambling to identify the cause of the government systems' failure, HUR cyber experts infiltrated the electronic accounts of the leadership of the occupation administration in temporarily occupied Crimea. They gained access to the following digital resources: electronic document management system DIALOG, systems SED and Delo, * accounting platforms 1C:Document Flow, Directum, and ATLAS. Over two days, 100 terabytes of documents belonging to the occupation authorities of the peninsula were downloaded.
Pro-Ukrainian hackers claim massive cyberattack on Russia's Aeroflot
reuters.com - Russian airline Aeroflot was forced to cancel more than 50 round-trip flights on Monday, disrupting travel across the world's biggest country, as two pro-Ukraine hacking groups claimed to have inflicted a crippling cyberattack. Aeroflot cancels dozens of flights Prosecutors say the airline was hacked Two pro-Ukraine groups claim responsibility Passengers vent fury, Kremlin calls situation 'alarming' MOSCOW, July 28 (Reuters) - Russian airline Aeroflot (AFLT.MM), opens new tab was forced to cancel more than 50 round-trip flights on Monday, disrupting travel across the world's biggest country, as two pro-Ukraine hacking groups claimed to have inflicted a crippling cyberattack. The Kremlin said the situation was worrying, and lawmakers described it as a wake-up call for Russia. Prosecutors confirmed the disruption at the national flag carrier was caused by a hack and opened a criminal investigation. Senior lawmaker Anton Gorelkin said Russia was under digital attack. "We must not forget that the war against our country is being waged on all fronts, including the digital one. And I do not rule out that the ‘hacktivists’ who claimed responsibility for the incident are in the service of unfriendly states," Gorelkin said in a statement. Another member of parliament, Anton Nemkin, said investigators must identify not only the attackers but "those who allowed systemic failures in protection". Aeroflot did not say how long the problems would take to resolve, but departure boards at Moscow's Sheremetyevo Airport turned red as flights were cancelled at a time when many Russians take their holidays. The company's shares were down by 3.9% by 1533 GMT, underperforming the wider market, which was 1.3% lower. A statement purporting to be from a hacking group called Silent Crow said it had carried out the operation together with Belarusian Cyberpartisans, a self-styled hacktivist group that opposes president Alexander Lukashenko and says it wants to liberate Belarus from dictatorship.
Russian vodka producer reports disruptions after ransomware attack | The Record from Recorded Future News
therecord.media - Novabev Group, the Russian maker of Beluga Vodka and other brands, had to stop shipments and temporarily close stores in its WineLab subsidiary after a ransomware attack. More than 2,000 WineLab liquor stores across Russia have remained shut for three days following a ransomware attack on their parent company, one of Russia’s largest alcohol producers. Signs on WineLab doors said the stores were closed due to “technical issues.” The attack crippled parts of the Novabev Group’s infrastructure, affecting WineLab’s point-of-sale systems and online services. The company confirmed that the attackers had demanded a ransom but said it refused to negotiate. “The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands,” Novabev Group said in a statement on Wednesday. There is no indication so far that customer data has been compromised, though an investigation is ongoing, the company added. The identity of the attackers remains unknown. No ransomware group has claimed responsibility for the incident, and Novabev has not publicly attributed the attack. Novabev Group is a major Russian producer and distributor of spirits, including the Beluga and Belenkaya vodka brands. The cyberattack has halted product shipments from Novabev for at least two days, according to local retailers quoted by Russian media outlet Vedomosti. Customers also reported being unable to pick up orders from retail locations or parcel lockers, with customer service offering to extend storage periods for online purchases. WineLab’s stores are currently closed in major cities, including Moscow, St. Petersburg and surrounding regions, according to location data from Yandex Maps. Novabev’s website and mobile app also remain offline. Forbes Russia estimated that each day of downtime could cost WineLab 200 million to 300 million rubles ($2.6 million to $3.8 million) in lost revenue. Cybersecurity experts interviewed by Forbes said they could not recall a comparable case in which a major Russian retail chain was forced to shut down entirely due to a cyberattack. Novabev said its internal IT team is working “around the clock” with external specialists to restore operations and strengthen defenses against future threats.
French intel chief warns of evolving Russian hybrid operations, ‘existential threat’ to Europe | The Record from Recorded Future News
therecord.media July 9th, 2025 - DGSE intelligence head Nicolas Lerner said Moscow’s tactics are evolving and increasingly include on-the-ground activities carried out by paid operatives. France’s top intelligence official has warned that Russia is waging "a war of influence" against the country through hybrid online disinformation, espionage and sabotage operations. Nicolas Lerner, head of the DGSE foreign intelligence agency, said in an interview with French broadcaster LCI that Moscow’s tactics are evolving and now include physical operations carried out by paid intermediaries. He cited an incident last year in which suspected Russian saboteurs placed coffins near the Eiffel Tower draped in the French flag bearing the inscription “French soldiers of Ukraine.” “These are not amateur operations,” Lerner said. “They reflect a desire to disrupt our information space and undermine trust in our institutions.” He said that around 80 Russian agents were active in France before Russia’s full-scale invasion of Ukraine in 2022, and that 50 of them have since been expelled. Paris has also imposed sanctions on individuals linked to Moscow’s intelligence services. Lerner warned that Russia poses a medium- and long-term “existential threat” to Europe, its democracies and its values. His comments come amid alarm over a growing wave of alleged Russian hybrid operations across Europe. In recent months, NATO allies and EU member states have reported suspected sabotage, cyberattacks, and disinformation campaigns linked to Moscow. In June, trains between Amsterdam and The Hague were disrupted in what Dutch authorities suspect was a sabotage attempt tied to the NATO summit. Around the same time, pro-Russian hacktivists claimed responsibility for distributed denial-of-service attacks targeting summit-related organizations. In France, the high-speed rail network was hit by coordinated sabotage just hours before last year’s Olympic Games opening ceremony, affecting lines around Paris. Polish officials recently accused Russian intelligence of orchestrating a 2024 fire at a major Warsaw shopping mall. Warsaw responded by shutting down a Russian consulate. On Tuesday, three South London men were found guilty of carrying out an arson attack on a depot housing humanitarian aid intended for Ukraine. The men were hired by the Wagner Group, a private militia that has acted under the orders of the Kremlin. European officials have also warned of cyber operations targeting military, government, and critical infrastructure across the continent. On Wednesday, German media reported that a Kremlin-linked hacking group is attempting to steal sensitive data from the German armed forces.
A volunteer-run network of service centers halts custom firmware updates for DJI drones following a cyber attack. Can a cyber operation have an impact on drone warfare? Recent developments in Russia offer an example of how this can happen in a not-so-obvious way. On Friday, a volunteer group Russian Hackers for the Front (“Русские Хакеры – Фронту”, RH) known for building a customized firmware for DJI drones reported a cyber attack that affected its servers and end-point devices (terminals). While recovering from the attack, RH instructed hundreds of service centers to stop using its terminals until further notice, thus pausing a wide operation of weaponizing commercial drones. Although details are scanty, this is a rare publicly reported cyber attack that affects drones warfare and might have militarily significant consequences. In this post I will summarize what is known about the attack and provide additional information about the impact and who might be behind it.
The technical infrastructure that underpins Telegram is controlled by a man whose companies have collaborated with Russian intelligence services. An investigation by IStories Telegram, the wildly popular chat and messaging app, is the pride of the Russian IT industry. According to Pavel Durov, the enigmatic entrepreneur who created the service twelve years ago, it now has over a billion monthly active users around the world. Among the reasons for this success is Telegram’s reputation for security, coupled with Durov’s image as a free speech champion who has defied multiple governments. “Unlike some of our competitors, we don’t trade privacy for market share,” he wrote this April. “In its 12-year history, Telegram has never disclosed a single byte of private messages.” But IStories’ new investigation reveals a critical vulnerability. When we investigated who controls the infrastructure that keeps Telegram’s billions of messages flowing, we found a man with no public profile but unparalleled access: Vladimir Vedeneev, a 45-year-old network engineer. Vedeneev owns the company that maintains Telegram’s networking equipment and assigns thousands of its IP addresses. Court documents show that he was granted exclusive access to some of Telegram’s servers and was even empowered to sign contracts on Telegram’s behalf. There is no evidence that this company has worked with the Russian government or provided any data. But two other closely linked Vedeneev companies — one of which also assigns Telegram IP addresses, and another which did so until 2020 — have had multiple highly sensitive clients tied to the security services. Among their clients is the FSB intelligence agency; a secretive “research computing center” that helped plan the invasion of Ukraine and developed tools to deanonymize internet users; and a flagship state-owned nuclear research laboratory. Without you, there is no us Support IStories — it helps us to continue telling the truth Donate “If true, this reporting highlights the dangerous disconnect between what many believe about Telegram’s security and privacy features, and the reality," said John Scott-Railton, a Senior Researcher at The Citizen Lab. "When people don't know what is actually going on, but assume they have metadata privacy, they can unknowingly make risky choices, bringing danger to themselves and the people they’re communicating with. This is doubly true if the Russian government sees them as a threat." A Ukrainian IT specialist who spoke with IStories on condition of anonymity said that the Russian military has used “man-in-the-middle” type surveillance in his country after capturing network infrastructure. "You get physical access to the data transmission channel and install your equipment there,” he said. “In such an attack, the hackers aren’t even interested so much in the user's correspondence. They get metadata to analyze. And that means IP addresses, user locations, who exchanges data packets with whom, the kind of data it is… really, all possible information.” Durov is currently under investigation in France after being arrested last August on charges related to the circulation of illegal content on Telegram. The company has since implemented a number of measures to crack down and step up its collaboration with the authorities. Durov has been released under judicial supervision and is allowed to travel. He did not reply to requests for comment. Vedeneev spoke with IStories but declined to make any of his comments public.
New Russia-affiliated actor Void Blizzard targets critical sectors for espionage
Microsoft Threat Intelligence has discovered a cluster of worldwide cloud abuse activity conducted by a threat actor we track as Void Blizzard, who we assess with high confidence is Russia-affiliated and has been active since at least April 2024. Void Blizzard’s cyberespionage operations tend to be highly targeted at specific organizations of interest to Russia, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America.
Detailed blueprints of Russia’s modernized nuclear weapon sites, including missile silos, were found leaking in public procurement database. Russia is modernizing its nuclear weapon sites, including underground missile silos and support infrastructure. Data, including building plans, diagrams, equipment, and other schematics, is accessible to anyone in the public procurement database. Journalists from Danwatch and Der Spiegel scraped and analyzed over two million documents from the public procurement database, which exposed Russian nuclear facilities, including their layout, in great detail. The investigation unveils that European companies participate in modernizing them. According to the exclusive Der Spiegel report, Russian procurement documents expose some of the world’s most secret construction sites. “It even contains floor plans and infrastructure details for nuclear weapons silos,” the report reads. German building materials and construction system giant Knauf and numerous other European companies were found to be indirectly supplying the modernization through small local companies and subsidiaries. Knauf condemned the Russian invasion of Ukraine and announced its intention to withdraw from its Russian business in 2024. Knauf told Der Spiegel that it only trades with independent dealers and cannot control who ultimately uses its materials in Russia. Danwatch jointly reports that “hundreds of detailed blueprints” of Russian nuclear facilities, exposed in procurement databases, make them vulnerable to attacks. “An enormous Russian security breach has exposed the innermost parts of Russia’s nuclear modernization,” the article reads. “It’s completely unprecedented.” The journalists used proxy servers in Russia, Kazakhstan, and Belarus to circumvent network restrictions and access the documents. The rich multimedia in the report details the inner structure of bunkers and missile silos.
Marks & Spencer hackers appear to protect ‘former Soviet states’ from attacks | The Observer
Marks & Spencer hackers appear to protect ‘former Soviet states’ from attacks Marks & Spencer hackers appear to protect ‘former Soviet states’ from attacks DragonForce group also says it has targeted Co-op and Harrods in cybercrime spree Hackers who bragged about crippling Marks & Spencer’s systems and breaching Co-op Group databases appeared to have vowed to protect “the former Soviet Union” from the technology used in the attacks. The DragonForce cybercrime group appeared to use a dark web forum to issue a threat to “punish any violations” by fellow hackers planning to use its ransomware in Russia or the former Soviet states – the first indication of any allegiance. The group, which licenses its ransomware to other hacking gangs for a fee, claimed responsibility for an attack that has left shelves at some branches of M&S bare and has forced the company to suspend online orders. A separate attack on the Co-op led to a data breach and customer details being stolen, and the group has also been linked to an attempt to hack systems at Harrods. “Any attack by our software on critical infrastructure, hospitals where critical patients, children, and the elderly are kept, or on the countries of the former Soviet Union, is a PROVOCATION by unscrupulous partners,” read a statement which claimed to be from the group, released at the end of last month. “We, as regulators, are doing our best to counteract this, and we will punish any violations, as well as assist in solving the problems of the affected parties.”
Security Researchers Warn a Widely Used Open Source Tool Poses a 'Persistent' Risk to the US
The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm. Security researchers warn that a popular open source tool maintained by Russian developers could pose significant risks to US national security. Key Points: The open source tool easyjson is linked to VK Group, a company run by a sanctioned Russian executive. easyjson is widely used in the US across various critical sectors including defense, finance, and healthcare. * Concerns are heightened due to the potential for data theft and cyberattacks stemming from this software. *Recent findings from cybersecurity researchers at Hunted Labs indicate that easyjson, a code serialization tool for the Go programming language, is at the center of a national security alert. This tool, which has been integrated into multiple sectors such as the US Department of Defense, is maintained by a group of Russian developers linked to VK Group, led by Vladimir Kiriyenko. While the complete codebase appears secure, the geopolitical context surrounding its management raises substantial concerns about the potential risks involved. The significance of easyjson cannot be overstated, as it serves as a foundational element within the cloud-native ecosystem, critical for operations across various platforms. With connections to a sanctioned CEO and the broader backdrop of Russian state-backed cyberattacks, the fear is that easyjson could be manipulated to conduct espionage or potentially compromise critical infrastructures. Such capabilities underscore the pressing need for independent evaluations and potential reevaluations of software supply chains, particularly when foreign entities are involved.
Ransom-War and Russian Political Culture: Trust, Corruption, and Putin's Zero-Sum Sovereignty
Recent Western government revelations about EvilCorp flesh out how Russian ransomware actors and the Russian government use each other to navigate a world they perceive as dangerous. Note added April 30 2025: Originally posted October 16, 2024 in a very different global geopolitical context, this analysis remains relevant today. Subsequent revelations, especially a set of leaked messages from the Black Basta group – a successor to the Conti group – reaffirm the complexity of relations between Russian ransomware actors and security officials. (The Natto Team discussed the value of leaks here). The Black Basta leaks show that group's members as: Receiving Protection: Black Basta chief “Tramp” – who chose as his moniker the Russian version of the current US president’s name – boasted of receiving high-level help from Russian authorities after Armenian officials arrested him in June 2024. But Still Vulnerable: Tramp speculated in July 2024 that someone from their circle had snitched on him, “tempted” by the rewards the US State Department has offered for information on Tramp. He also received tipoffs from criminal acquaintances and from “my law enforcement people,” telling him that Russian officials faced international pressure to crack down on Russian cybercriminals: “those who get paid by Interpol here will start making our lives hell.” In September 2024, Black Basta coder “YY” told Tramp that Russian officials had raided YY's home, impounded his car, and “marinated” him in custody for a time. Under Pressure to Work for the Russian State: In a November 14 2022 chat, “Tramp” said, “I have guys in Lubyanka [FSB headquarters] and the GRU [military intelligence agency] – I have been “feeding” them for a long time. They only want to take people on to work for them. They won’t even talk about [prison] sentences or anything. You can go in to work every day at 8 am and leave at 6 pm, just like in a ‘white’ [legitimate] job.” Tracking Geopolitics: In May 2024, after Black Basta paralyzed IT systems at US-based Ascension Healthcare, Black Basta ransom negotiator “Tinker” pondered the group's extortion strategy in light of US election-year politics. He mused that, if anyone died as a result of the group’s attack on a healthcare entity – particularly a Christian hospital system like Ascension – US citizens would demand that their government do whatever it took to induce Russia to crack down on the criminals. Tinker speculated that the Joe Biden administration might make serious concessions to Russia, such as reducing military aid to Ukraine, in return for Russia’s cracking down on the criminals. For the Natto Team’s own assessment of Russian-US “ransomware diplomacy,” see here and here. It will be interesting to observe how Russian cybercriminals interpret recent developments in US-Russian relations.
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | Trend Micro (US)
Trend Research has identified multiple IP address ranges in Russia that are being used for cybercrime activities aligned with North Korea. These activities are associated with a cluster of campaigns related to the Void Dokkaebi intrusion set, also known as Famous Chollima. The Russian IP address ranges, which are concealed by a large anonymization network that uses commercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two companies in Khasan and Khabarovsk. Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea. Trend Research assesses that North Korea deployed IT workers who connect back to their home country through two IP addresses in the Russian IP ranges and two IP addresses in North Korea. Trend Micro’s telemetry strongly suggests these DPRK aligned IT workers work from China, Russia and Pakistan, among others. Based on Trend Research’s assessment, North Korea-aligned actors use the Russian IP ranges to connect to dozens of VPS servers over RDP, then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services. Some servers involved in their brute-force activity to crack cryptocurrency wallet passwords fall within one of the Russian IP ranges. Instructional videos have also been found with what it looks like non-native English text, detailing how to set up a Beavertail malware command-and-control server and how to crack cryptocurrency wallet passwords. This makes it plausible that North Korea is also working with foreign conspirators. IT professionals in Ukraine, US, and Germany have been targeted in these campaigns by fictitious companies that lure them into fraudulent job interviews. Trend Research assesses that the primary focus of Void Dokkaebi is to steal cryptocurrency from software professionals interested in cryptocurrency, Web3, and blockchain technologies. Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Void Dokkaebi.
Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows
Since early March 2025, Volexity has observed multiple suspected Russian threat actors conducting highly targeted social engineering operations aimed at gaining access to the Microsoft 365 (M365) accounts of targeted individuals. This activity comes on the heels of attacks Volexity reported on back in February 2025, where Russian threat actors were discovered targeting users and organizations through Device Code Authentication phishing...
The Ever-Evolving Threat of the Russian-Speaking Cybercriminal Underground | Trend Micro (US)
We dive into one of the most sophisticated and impactful ecosystems within the global cybercrime landscape. Our research looks at tools and techniques, specialized forums, popular services, plus a deeply ingrained culture of secrecy and collaboration.
The Russian hacking group known as Gamaredon, or “Shuckworm,” has been making headlines with its sophisticated cyberattacks targeting Western military missions. This group has evolved its tactics, techniques, and procedures (TTPs) to enhance stealth and effectiveness, transitioning from Visual Basic Script (VBS) to PowerShell-based tools. PowerShell is a task automation framework from Microsoft, often used by attackers to execute commands and scripts on Windows systems. This shift, as reported by Symantec, highlights their strategic move to obfuscate, or hide, payloads and leverage legitimate services for evasion. Gamaredon’s recent campaigns have notably involved the use of malicious removable drives, targeting Western military missions in Ukraine with .LNK files that initiate infections upon execution. These developments underscore the group’s persistent threat to geopolitical entities, particularly those related to the Ukrainian military.
Russia arrests CEO of tech company linked to Doppelgänger disinformation campaign
Two other employees at the St. Petersburg-based hosting provider Azea Group were arrested. The company has alleged links to state-sponsored disinformation campaigns and cybercriminal infrastructure.
Doppelgänger: New disinformation campaigns spreading on social media through Russian networks
This report presents: The intrusion set commonly known as Doppelgänger continues to spread disinformation narratives on social medias such as X, through bot accounts specifically made for such campaigns. As for its previous campaigns, Doppelgänger pushes its anti-western narrative on pages spoofing the medias of the targeted countries, such as France, Germany, Italy, Ukraine, and Israel. The disinformation campaign aims to manipulate public opinion by exploiting sensitive issues and exacerbating social and geopolitical divisions. The linguistic characteristics of the articles suggest that some of them were translated from Russian or edited by Russian natives, reinforcing the hypothesis that they are of Russian origin. In order to bypass both manual and automatic moderation on social media platforms, Doppelgänger continues to leverage Kehr[.]io, a redirection provider advertised on Russian speaking underground forums. This service hosts its infrastructure on IPs announced by English companies managed by Ukrainian and Belarusian individuals that we could connect with a high level of confidence to bulletproof network hosting solutions. * The disinformation campaigns remain ongoing.
Exclusive: Hegseth orders Cyber Command to stand down on Russia planning
The secretary of Defense has ordered U.S. Cyber Command to stand down from all planning against Russia, including offensive digital actions, sources tell Recorded Future News.
Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Storm-2372’s targets during this time have included government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.
Starting in mid-January 2025, Volexity identified several social-engineering and spear-phishing campaigns by Russian threat actors aimed at compromising Microsoft 365 (M365) accounts. These attack campaigns were highly targeted and carried out in a variety of ways. The majority of these attacks originated via spear-phishing emails with different themes. In one case, the eventual breach began with highly tailored outreach via Signal.Through its investigations, Volexity discovered that Russian threat actors were impersonating a variety of individuals
