Russian cybercriminals may be piggybacking on the efforts of WikiLeaks, and of the "hacktivists" who support it, to keep the site online.
Researchers at two Web watchdog sites noticed in December that a WikiLeaks “mirror site” (which duplicates other WikiLeaks sites) and an English-language message board for the hacktivist group “Anonymous” had both been set up in regions of the Internet thought to be controlled by Russian gangs.
The mirror site, called Wikileaks.info, was flagged by the malware-tracking site Spamhaus on Dec. 14 as being hosted by the companies Webalta and Heihachi, both suspected of being organized-crime fronts.
In a blog post that day, Spamhaus’ Quentin Jenkins said that Heihachi was “highly involved in botnet command and control and the hosting of Russian cybercrime.”
The day after Jenkins’ post, Spamhaus was subjected to a distributed denial-of-service (DDoS) attack.
On Dec. 27, Bank of America — some of whose confidential correspondence has been obtained by WikiLeaks — became the next major target of a DDoS attack.
The server that triggered that attack was in Russia, according to McAfee Labs, which may mean that it was controlled by Russian copycats and not Anonymous.
It’s not clear if the regular members of Anonymous are aware that their efforts have attracted foreign criminals.
Anonymous is controversial within and beyond the cybersecurity world due to its methods, even as its motives, supporting free speech online, have remained transparent.
The possibility that a Russian gang may be using Anonymous’ unorthodox methods and WikiLeaks’ high visibility to camouflage its own cybercrimes is especially troubling to security professionals.
Spamhaus advises hacktivists to go to wikileaks.ch for a list of legitimate WikiLeaks mirror sites (the Russian ones are not on it), and to stay off of Anonymous message boards hosted by Webalta or Heihachi or with an “.ru” domain name.