Entries filed under 'Russia'

Threat Research Blog

FireEye posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. These blog posts cover everything from exploits and vulnerabilities, to advanced malware and targeted attacks.


    TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers

    By FireEye Intelligence

    FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by a Russian government-owned technical research institution located in Moscow.

    Read more...


    Bad Actors Part 5 - UralNet

    By Alex Lanstein
    I'm not actively picking on the Eastern Bloc, but finding purely malicious IP blocks there is duck soup.  In this posting I'll be looking at UralNet, which is registered to an organization in Russia, but appears to be administered out of the Ukraine.     inetnum:        91.211.64.0 - 91.211.67.255 netname:        Ural-NET descr:          Ural Industrial Limited Company country:        RU address:        Russia, 620240 Ekaterinburg, Sofia Kovalevsaja st. origin:         AS48511 role:           UralNet IP Master address:        Read more...


    Quick nugget on the McColo/Russia/Rustock connection

    By Alex Lanstein
    Just a quickie before the weekend -I was browsing through the captures from my Rustock bot lab and I noticed something not-exactly-earth-shatteringPOST /data.php HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: enUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)Host: davis-service.orgContent-Type: multipart/form-dataContent-Encoding: gzipContent-Length: 134Connection: ClosePragma: no-cachedavis-service.org, let's see what we can find:root@alex_lanstein --- {~} whois davis-service.org[Querying whois.publicinterestregistry.net][whois.publicinterestregistry.net].........Domain ID:D153207965-LRORDomain Name:DAVIS-SERVICE.ORGCreated On:03-Jul-2008 08:55:16 UTCLast Updated On:02-Sep-2008 03:50:20 UTCExpiration Date:03-Jul-2009 Read more...