Stark Industries Solutions has emerged as a large Internet hosting firm that acts as a global proxy network to mask Russia-linked cyberattacks and disinformation campaigns. The piece also highlights NoName057(16), a pro-Russia group delivering massive DDoS campaigns against Ukraine and Europe, leveraging DDoSia and bulletproof hosting to boost impact.
Key points
- Stark Industries Solutions functions as a global proxy/VPN hosting network used to hide the source of cyberattacks and disinformation campaigns.
- NoName057(16) has conducted massive DDoS campaigns against government and commercial targets in Ukraine and Europe, with greater firepower than many other Russian groups.
- NoName057(16) gamifies DDoS operations by recruiting hacktivists via Telegram and paying participants who install DDoSia on their systems.
- The DDoS infrastructure is tied to MIRhosting and Stark Industries, with Stark hosting dozens of proxy services and mapping to Proxyline’s vast proxy network.
- Correctiv.org reports that Stark/MIRhosting host a sanctioned Russian disinformation portal (RRN), and Ukrainian authorities identified Sandworm as responsible for a related Ukrinform attack.
- A complex network around the Neculiti brothers (Ivan Neculiti, DonChicho) involves bulletproof hosting, domain ownership, and links to historic Runet and Moldova-related activity.
MITRE Techniques
- [T1090] Proxy – A global proxy network conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia. ‘conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia.’
- [T1499] Denial of Service – NoName057(16) launches massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe. ‘massive distributed denial-of-service (DDoS) attacks on government and commercial targets in Ukraine and Europe.’
- [T1583] Acquire Infrastructure – Recruiting hacktivists via Telegram and offering to pay for installing DDoSia. ‘gamified DDoS attacks, recruiting hacktivists via its Telegram channel and offering to pay people who agree to install a piece of software called DDoSia.’
- [T1566] Phishing – Phishing and credential harvesting infrastructure used for Russia-aligned espionage operations by Blue Charlie (TAG-53). ‘phishing and credential harvesting infrastructure used for Russia-aligned espionage operations by a group dubbed Blue Charlie (aka TAG-53).’
- [T1071] Web Protocols – Coordination and recruitment through a Telegram channel and related communications. ‘recruiting hacktivists via its Telegram channel…’
Indicators of Compromise
- [IP] 213.159.64.0/20 – Stark’s announced address range, previously tied to Computer Technologies Institute Ltd; Netherlands-based MIRhosting presence.
- [IP] 84.234.55.29 – Registration context linked to DonChicho’s history and Transnistria.
- [IP] 139.28.233.0 – Stark-related address ranges observed in Proxyline mapping.
- [Domain] war.md – Domain registered to Ivan V. Neculiti; historical Moldova/Transnistria content.
- [Domain] ctinet.ru – Domain associated with Computer Technologies Institute/Runet history; linked to Neculiti/MIRhosting network.
- [Domain] donservers.ru – Bulletproof hosting domain tied to the BoRK/DonChicho ecosystem; used in credential/hosting operations.
- [Domain] tracker-free.cn – Domain registered to [email protected] era; connected to DonChicho/Dfyz activity.
- [Email] [email protected] – Email used by DonChicho-related activity and domain registrations.
- [Email] [email protected] – Email tied to bulletproof hosting/DonChicho network.
Read more: https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud