A Russian tech entrepreneur accused in the Trump-Russia scandal two years ago may end up regretting the defamation lawsuit he filed against a U.S. media outlet.
Thousands of pages about his company’s operations and finances were released to the public last week by the federal judge overseeing the case—effectively turning the suit into a WikiLeaks-sized data dump that’s raising new questions about his dealings with computer criminals.
Aleksej Gubarev came to notoriety in 2017 over a single paragraph in the so-called Steele dossier compiled by former U.K. intelligence officer Christopher Steele. The controversial dossier is a 35-page compilation of anonymously sourced tips and anecdotes about Donald Trump’s ties to Russia, a mixed bag of claims ranging from the lurid to the prosaic. Some of the reporting has since been broadly substantiated, much of it has not, and there are parts that have been all but proven false.
ADVERTISEMENT
The dossier’s claims about Gubarev fall in the latter category.
Gubarev runs a multinational internet hosting company called XBT that boasts subsidiaries in Europe, the United States, and Asia. Shortly after the 2016 election, one of Steele’s sources fingered Gubarev and his businesses as “significant players” in the Kremlin’s election-hacking, claiming Russia’s domestic spy agency the FSB had pressured Gubarev and his companies to use “botnets and porn traffic to transmit viruses, plant bugs, steal data and conduct ‘altering operations’ against the Democratic Party leadership.”
When BuzzFeed published a leaked copy of the dossier in January 2017, Gubarev vehemently denied any role on the Kremlin’s hack and filed a defamation lawsuit against the media company. Over the years, that litigation has produced a mountain of documents and hour upon hour of videotaped depositions, nearly all of which was kept under seal. A federal judge threw out Gubarev’s lawsuit last December on the grounds that BuzzFeed, being a news outlet, was within its rights to publish a document that top FBI agents had cited in surveillance court affidavits, and that two U.S. presidents had received personal briefings about.
Gubarev is appealing that ruling. In the meantime, on Thursday, the same judge unsealed the majority of the documents in the case at the urging of separate petitions by BuzzFeed and The New York Times.
In a twist that must be maddening to Gubarev, the media coverage of the document dump is giving fresh oxygen to the dossier’s claims about Gubarev and his business.
Much of the coverage focuses on a report prepared by one of BuzzFeed’s expert witnesses, Anthony Ferrante of FTI Consulting, a former FBI agent retained to investigate Steele’s claims. Ferrante’s report found that Gubarev’s hosting company “was utilized by Russian civilian and military intelligence services to compromise and exploit networks.”
“Additionally, evidence suggests that Cozy Bear and Fancy Bear, the Russian government affiliated APT groups responsible for hacking the Democratic Party leadership, have used XBT infrastructure to support other malicious activity,” Ferrante wrote.
Prior to Thursday, the dossier’s tale of Gubarev using porn to hack Democrats had been banished to the fringes of the Russiagate narratives—buried under far more credible reporting from U.S. intelligence agencies, congressional investigators, and the detailed tick-tock of the election hacks presented in Robert Mueller’s indictment against GRU officers. None of those accounts named Gubarev, or even left space for him in the story. He was essentially vindicated.
Now, the Times notes, “the report’s suggestions of a link between Mr. Gubarev and Russian hacking is likely to spur new demands for renewed investigations.”
Trump-Russia watchers are always interested when new evidence emerges to support the Steele dossier. But in this case there’s much less than meets the eye.
Ferrante’s job in the report was to sniff out links between XBT and the Russian government hackers—known as “Fancy Bear” in the security world—who carried out the election interference intrusions. He and his team did that work with vigor. “The report is well crafted, and although there are some small technical errors it’s obviously been thoroughly researched,” security expert Robert Lee, CEO of Dragos, told The Daily Beast.
The outcome, though, was essentially preordained. That’s because XBT is a hosting company that provides cheap, turnkey internet servers on demand. And Fancy Bear is a ravenous consumer of turnkey hosting services around the world.
The GRU hackers need servers to “drop” malware onto a fresh victim computer, to host the fake login forms for their phishing operations, to serve as command-and-control hubs for their long term surveillance implants. They rent the servers using fake names and disposable email accounts, and pay in bitcoin when they can. According to Mueller’s indictment, the GRU has an entire department, headed by Aleksey Aleksandrovich Potemkin, “responsible for the administration of computer infrastructure used in cyber operations.”
So when Ferrante went looking for Fancy Bear’s paw prints at XBT, it’s no surprise he found them. But a fair reading of his findings suggests the Kremlin’s hackers have no particular affinity for XBT over other server farms. If anything, it’s among their least favorite options.
Consider one of the tendrils supposedly connecting XBT to the election hacks by way of a December 2016 DHS report. Called “Grizzly Steppe,” the report lists 876 internet IP addresses that have been used by Russian hackers over the years, according to DHS. Ferrante reports that some of those addresses belonged to XBT. To be more specific, 12 of them.
Four of the 12 are part of the Tor anonymization network, a free public system open to anyone in need of additional privacy. Assuming all of the remaining eight were indeed XBT servers rented by Russian spies, that’s 1 percent of the list--not exactly a ringing endorsement of Gubarev's business by Putin’s hackers.
It’s worth noting that none of those eight addresses have been linked specifically to the election hacking operation. Others, operated by different companies, have been.
Ferrante also examined a batch of 42 IP addresses connected to the GRU hackers by a website certificate used in a number of their hack attacks, including the 2014 intrusion at German Parliament and the 2016 DNC breach. Ferrante reports that one of the 42 addresses belongs to XBT. That particular address is not known to have been used in the election hacks. The other 41 addresses, including one that did play a role in the DNC breach, trace back to entirely different hosting companies scattered throughout Europe.
“Without more intelligence indicating that Gubarev’s subsidiaries were directly involved with and aware of the malicious activity leveraging their infrastructure… it seems to be an analytic leap to imply significance in those connections,” said Kyle Ehmke, an analyst at ThreatConnect, which has tracked the GRU’s hacking infrastructure closer than most.
Another set of 41 IP addresses comes from logs at the URL-shortener Bit.ly, which the Russians used in their months-long email phishing campaign against Hillary Clinton’s staff and thousands of other political targets. Between October 2015 and and June 2016, a GRU officer set up 11,139 shortened links leading to fake webmail login pages. It was one of those links that tricked Clinton campaign chief John Podesta into giving the Russians full access to his inbox.
Ferrante found that one of the 41 servers the GRU used to connect to Bit.ly and make the links was at XBT. Presumably the other 40 were rented from other firms.
“Is it your opinion that the owners of all 40 of the other IP addresses are also culpable for the hack of the DNC?” Gubarev’s attorney asked during a deposition.
“No,” Ferrante replied. “It's my opinion that XBT and its infrastructure… is linked to a pattern of significant malicious activity.”
Even a small overlap between the election hackers and the man named in the Steele dossier as their tech guy might be interesting if the Russians were the only hackers who use XBT’s services. But the company’s past customer base also includes the spy services of completely different governments at the same or greater adoption rate.
This is even noted in the Ferrante report, but it’s easy to miss because the report sticks with the generic security industry monikers for the non-Russian hacking operations. Ferrante takes pains to observe that Fancy Bear and Cozy Duke have been linked to the Russian government, but neglects to report that “DarkHotel,” “Nitro,” and “Careto”—who’ve also used XBT IP addresses—have been tied to the governments of North Korea, China, and Spain, respectively.
If the Ferrante report fails as vindication of the Steele dossier, it makes a more compelling case for XBT being an equal-opportunity host to all manner of cyber wrongdoing. And on that point the other unsealed documents contain plenty of evidence to back it up.
The documents show that XBT hosted a rogues’ gallery of traditional for-profit cyber criminals over the years, including the professional bank heist crew known as the Carbanak Gang, crooks stealing from consumers and small businesses with the Zeus malware, and the brains behind a sophisticated long-con known as “Methbot” that built an infrastructure twice the size of Facebook to fleece advertisers of millions.
Does that mean the company is more lax in patrolling its servers for criminals than other hosting firms? Ferrante thinks so, but the report doesn’t provide an industrywide comparison. Independent security experts interviewed for this story say it’s hard to tell.
“Not sure that I could really qualify a level of badness for comparison across infrastructure resellers, but based on what I read in that report, it doesn't seem particularly anomalous,” said ThreatConnect’s Ehmke. “We’ve seen similar concentrations of malicious activity on infrastructure procured from resellers like Njalla and ITitch, which offer services that these sorts of actors probably look for, such as anonymity and payment via BitCoin.”
Kimberly Zenz, a veteran threat analyst specializing in Russian cybercrime, told The Daily Beast that XBT’s reputation is “on the wrong side of the line for things like abuse responses, consequences for terms-of-service violations, and illegal behavior.” She said: “They respond slower and less aggressively and less often than they should. They do respond sometimes, or in some ways, though. They’re not like an old-school, 100 percent-crime service.”
The unsealed documents are at their most revelatory when it comes to Gubarev’s relationship with one of his allegedly criminal clients, Aleksandr Zhukov. The 38-year-old native of St. Petersburg, Russia, is in a federal detention center in Brooklyn awaiting trial on four counts of wire fraud and money laundering, in part for allegedly masterminding the Methbot operation. For a time he was XBT’s biggest customer.
Methbot was an enterprising scam that used a fake internet advertising agency called MediaMethane to sell millions of dollars worth of video ad spots on premium content sites.
Instead of running the ads on sites like The New York Times and Fox, the crew used rented hosting in Dallas to operate its own private network of fake sites mimicking the real ones—and then ran the ads there. The audience for the ads were thousands of “consumers” who were actually sophisticated bots happy to watch 300 million video ads a day.
To make the bots look real to advertisers, the perpetrators leased over 800,000 IP addresses and then filed bogus information with internet registries to make them look like residential broadband providers in demographically desirable American neighborhoods.
A sizable portion of those fake Comcast, AT&T, and Cox Cable addresses were leased from XBT. The company says it thought they were being used for an advertising metrics business.
According to prosecutors, the Methbot scheme conned hundreds of brands and advertisers out of $7 million before it was exposed by a New York security company in December 2016. The unsealed documents show XBT was paid millions. In the scam’s final month alone, XBT was paid $400,000, according to internal financial reports, accounting for 7 percent of the company’s earnings that month.
The unsealed documents show that when Methbot was exposed, XBT was worried it would be swept into a press storm at a time when Russian hackers were getting a lot of attention. Gubarev hired an American PR crisis manager who boasted of once repping accused mega-pirate Kim DotCom. In a series of emails, his chief operating office, Nick Dvas, urged the PR consultant to handle reporters with care.
“Please, be very careful with Mr. Krebs,” Dvas wrote in one email, referring to independent security journalist Brian Krebs. “He has been performing lots of research in connection with cybercrime originating from Russia, and he might jump to some sort of unnecessary conclusions.”
In another message to the PR consultant, Gubarev admitted to direct dealings with Zhukov. “We know him personally many years,” he wrote. “We was [sic] under impression that it is a big data analytics system for ad networks as per his explanation.”
Despite the close and lucrative relationship, XBT evidently kept scant documentation pertaining to its biggest customer, according to a filing by BuzzFeed’s lawyers. “Their internal records consist of a credit card check with a ‘tolerance threshold’ of $1,000 and notations regarding multiple Russian names and e-mail addresses they are unable to identify,” read the filing. “And though he was supposedly a client for more than a year who personally visited them several times, they have not produced a single actual e-mail, message or other communication from Zhukov.”
In the end, the evidence knocked loose by Gubarev’s lawsuit doesn’t tie him in any meaningful way to Russiagate. But it does show that his company, perhaps innocently, was paid a lot of money as part of an epic Russian cybercrime caper that’s now headed toward a federal trial in New York. That’s the kind of publicity that money can’t buy.