Bulletproof hosts stay online by operating out of disputed backwaters

VB2017 Some bulletproof hosting (BPH) operations – wellspring of all manner of online villainy – are moving their operations to the disputed territories of eastern Ukraine and Transnistria on the Moldovan border.

BPH is often sold through darknet bazaars. These services sit at the centre of long-lasting, large-scale and profitable cybercrime campaigns.

One of the most infamous BPH operations, the Russian Business Network (RBN), pioneered the market a decade ago and became notorious for phishing, spam, malware distribution and even child abuse material. The crooks behind the network understood Border Gateway Protocol (BGP), peering, routing, and how these technologies could be used to hide their core infrastructure while providing connectivity to clients. Its founder was long rumoured to be the nephew of a high-ranking St Petersburg politician.

The network has supposedly been offline since 2007.

However, new research by Dhia Mahjoub, of Cisco Umbrella (OpenDNS), and Jason Passwaters, of Intel 471, a former US Marine officer with years of experience investigating cybercrime incidents, has revealed that some of those involved in the RBN are still up to their old tricks. The business model of BPH is very much alive and well, evolving into separate strands to maintain its position as a key enabler of cybercrime.

One service cited by the work is a cloud proxy network that abuses the services of legitimate providers including AWS and TenCent. The product offered by "Alexander" typically costs $250/month/domain and maintains operations by cycling through an enormous number of providers – 230 in just 90 days, according to the researchers. Alex – who may have been affiliated with the RBN – was resident in Beijing and associated with a bar in 2008. These days he operates out of Vladivostok in far-eastern Russia.

Another provider, "Boris", plies a bot-based flux proxy content delivery network for criminals as his flagship product with nameservers hosted mainly across Iranian IP addresses. Boris has operated out of Ukraine since 2010, the researchers said.

"Corruption plays a massive role," according to Passwaters. "Some elements of what was thought to be the RBN are likely still operating."

Takedown operations are rarely successful. For example, a suspect in the high-profile Avalanche takedown, a combined industry and government op that look years to put together, was freed within 24 hours.

Mahjoub added that part of the problem is that the activities of BPH firms may not be illegal in the countries they operate. "Not all the activity is bad," he said. "There is some legit hosting going on."

Operating out of political hotspots gives some BPH operations another shield against takedown attempts. One reseller uses data centres and providers in Lugansk, a separatist region of eastern Ukraine, while several schemes are based in Transnistria, a breakaway region between Ukraine and the River Dniester, Moldova.

There are 15 main BPH operations on the darknet. Most operate from either Russia, Ukraine or Moldova.

The research was based on exclusive access to vetted closed underground forums combined with large-scale analysis of network traffic and telemetry. Network and actor-centric perspectives are needed to unpick the activities of BPH operations, the researchers argue.

Their research was presented at the Virus Bulletin conference in Madrid on Wednesday in a talk titled BPH exposed – RBN never left, they just adapted and evolved. Did you?. ®