Inside Cyber Warfare - Jeffrey Carr [70]
The domain registration for Steadyhost.ru provides the following information:
Domain: Steadyhost.ru
Type: CORPORATE
Nserver: ns1.steadyhoster.com
Nserver: ns2.steadyhoster.com
State: Registered, delegated
Person: Sergey A Deduhin
Phone: +7 905 4754005
E-mail: ****@steadyhost.ru
Registrar: RUCENTER-REG-RIPN
Created: 09/30/06
Paid till: 09/30/09
Source: TC-RIPN
Sergey A. Deduhin, the person who registered the domain name Steadyhost.ru, doesn’t seem to have any more of an Internet footprint than StopGeorgia.ru’s Andrej V Uglovatyj.
According to contact information at SteadyHost’s website, it has its office in an apartment building at 88 Khoroshevskoe Shosse, Moskva (Moscow).
SteadyHost’s neighbor, in the adjacent building, is the Ministry of Defense Research Institute called the Center for Research of Military Strength of Foreign Countries. And just down the block, at 76 Khoroshevskoe Shosse, is GRU headquarters, also known as the Aquarium (see Figure 7-5).
Figure 7-5. Google Earth view of GRU headquarters
The GRU is the Main Intelligence Directorate of the Russian Armed Forces. Its primary business is deploying several thousand spies in foreign countries for political and military information gathering.
According to the Federation of American Scientists (FAS) website, the GRU may be thought of as the Russian equivalent of the US Defense Intelligence Agency (DIA). It is involved in the collection of human intelligence (HUMINT) via foreign agents, signals intelligence (SIGINT) via various electronic mediums, and image intelligence (IMINT) via satellite imagery.
In a 1996 interview with Pravda, General Fedor Ladygin, the leader of the GRU at that time, included technical espionage among the missions of his organization (Komsomolskaya Pravda, 05 November 1996). This included hacking computer networks to gain access to sensitive data.
The current leader, General Valentin Korabelnikov, added open source intelligence (OSINT) to the GRU’s mission, according to an interview with CDI Russia Weekly on July 17, 2003. The physical location of Steadyhost.ru’s “office” near GRU headquarters is circumstantial and is not offered as proof of GRU involvement; it is simply one element among many to be considered when weighing possible state connections to the attackers.
Innovation IT Solutions Corp
Most legitimate registrars will confirm at least some of the registration information provided by a customer as part of the process of registering a domain name. Those that don’t have become favorites of spammers and cyber criminals.
If you look closer at the information provided on the StopGeorgia.ru IP address, you’ll see that it is part of an IP block subdelegation leased to Innovation IT Solutions Corp in England by SoftLayer Technologies in Dallas.
Innovation IT Solutions Corp had a web address, http://init-sol.com, but no actual website. Instead, visitors see a placeholder page providing basic contact information (Figure 7-6).
Figure 7-6. Innovation IT Solutions Corp web page
According to WHOIS data, the Init-sol.com domain name was registered by an employee of Innovation IT Solutions Corp named Andrey Nesterenko. Mr. Nesterenko purchased the domain name through another company—MIRhosting.com.
If you examine the WHOIS records in the following table, you’ll see that Mr. Nesterenko is apparently employed by both companies, and both companies have the same business address: 95 Wilton Road, Suite 3, London. A Google search for that address brings up a variety of businesses, including a porn site (Cheeky-Touch), a teen site, Goldstein Equitas, Inc., and Global Securities Consulting; in other words, 95 Wilton Road, Suite 3, London, is a mail drop.
Domain name