Information operations · Information Warfare · Russia

Russia: Online Criminal Behavior May Be Mistaken For State Espionage

Rosneft President and Chairman of the Management Board Igor Sechin. (Photo by Mikhail MetzelTASS via Getty Images)

This well researched and documented article shows a criminal behavior, using virtually identical websites to Russian critical infrastructure, continuously changes targets, and uses many techniques which make it almost indistinguishable from state and state-sponsored cyber efforts. 

I include only the introduction here, it is well worth reading the entire article online. 

But wait, this article is all about cyber, that is, unless you’re familiar with Russian “corporations”.  I turned to the article for one thing, and found something else…

What really seized my attention, beside the cyber aspect, was the “privatization” of Rosneft.  The article doesn’t fully expand on that topic, so I did some digging. In the article it mentions 20% of Russia’s largest publicly-held oil company was being privatized, purchased by two entities. To me this screams of corruption within Rosneft.  I found this, from May 2018.

Just eight months after announcing its “privatization” sale to Glencore and a Qatari sovereign wealth fund, one of them jumped ship. Over the weekend, the Chinese company that Rosneft CEO Igor Sechin was touting as Glencore’s replacement followed suit. They’re out too.  Six Months After ‘Privatization’ Sale, Russia’s Rosneft Loses Two Big Buyers

Allegedly Rosneft needed the cash to pay off debts. 

There is a little issue of trust. Nobody trusts Rosneft, everybody seems to believe it’s corrupt. This is why the Glencore-Qatari consortium folded. Part of that distrust also stems from US sanctions against Russia, the two buyers possibly did not want to run counter to them and be targeted by the US.

By the way, Rosneft President and Chairman of the Management Board Igor Sechin is allegedly the second most powerful man in Russia. That indicates how much Russia depends on oil income. 

Returning to the cyber aspect, the article is really good! 

</end editorial>

Poking the Bear: Three-Year Campaign Targets Russian Critical Infrastructure

Nation-state conflict has come to dominate many of the policy discussions and much of the strategic thinking about cybersecurity. When events of geopolitical significance hit the papers, researchers look for parallel signs of sub rosa cyber activity carried out by state-sponsored threat actors—espionage, sabotage, coercion, information operations—to complete the picture. After all, behind every story may lurk a cyber campaign.

But ordinary criminals read the newspaper too and are keenly aware of the bias some researchers bring to the table. Exploiting that bias can provide additional camouflage, another layer of seeming invisibility, making threat actors harder to detect.

In this Threat Intelligence Bulletin, we’ll show how an investigation into the apparent targeting of a state-owned Russian oil company led to the uncovering not of a state-sponsored campaign but of the bold activity of what we believe to be a criminal effort motivated by the oldest of incentives—money.


Rosneft calls itself the world’s largest publicly traded oil company, and, according to recent analysis in the New York Times, it is also a prominent foreign policy tool of the Russian government. More than half of the company is owned by Moscow and serves as a major pillar of critical infrastructure for Russia as well as other neighboring nation states.

So when a deal reportedly worth an excess of $10 billion was announced to take nearly 20% of the company private, news organizations around the world took note.

The deal quickly became the subject of international political intrigue: Who were the buyers? Why was it sold? Who brokered the deal? Facts that became even more apparent when the transaction received conspicuous mention in the now-infamous Steele Dossier.

Reporters, business leaders, and international observers also focused scrutiny on Rosneft in part because the deal was, according to news reports, fraught with delays and setbacks and came to involve a cast of characters that reportedly included a former Qatari diplomat turned head of a sovereign wealth fund.

Everything we learned about Rosneft in the last few years—its status as critical infrastructure, the huge sums of money involved in its privatization, its domestic and international political significance—made it a highly likely and legitimate target of foreign espionage efforts.

Indeed, when we at Cylance first saw the name “Rosneft” emerge in our research, we thought that was exactly what we were looking at: another state or state-sponsored espionage effort.

But we soon discovered that our initial impressions were flawed.

Evolution of a Threat

In July 2017, Cylance stumbled upon some interesting macros embedded in Word documents we uncovered in a common malware repository that seemed to be aimed at Russian-speaking users. We observed the same type of document resurface in the beginning of 2018 and decided to take a closer look.

Upon closer inspection, we noticed that the malware author meticulously used command and control (C2) domains which very closely mimicked their real counterparts in the Russian oil and gas industries, in particular Rosneft and subsidiaries of Rosneft.

As we investigated further, we discovered that the threat actor had created similar sites to mimic more than two dozen mostly state-owned oil, gas, chemical, agricultural, and other critical infrastructure organizations, in addition to major Russian financial exchanges.

The first Rosneft-related site we came across was “rnp-rosneft[.]ru” which was designed to resemble the legitimate webpage “mp-rosneft[.]ru”. The only reference to this domain we could identify was the email address “sec_hotline@mp-rosneft[.]ru” which was used by Rosneft for confidentially reporting corporate fraud, corruption, and embezzlement.

After a bit of malware excavation, we discovered that the author had been operating for more than three years with very few changes to the actual malware used other than his/her targets. Interestingly, we uncovered evidence that suggests the actor started out targeting the gaming community, specifically users of Steam, then quickly evolved to more lucrative endeavors.

Continued at

One thought on “Russia: Online Criminal Behavior May Be Mistaken For State Espionage

Comments are closed.