Cyber Police Department of the National Police of Ukraine dismantled another massive bot farm linked to more than 100 individuals after searches at almost two dozen locations.
Why are these being set up in Ukraine and not Russia? What do they gain from having them within reach of the Ukrainian police?
My guess is that it’d make it look like it were actual Ukrainians spreading the disinfo, as the IP wouldn’t show Russian addresses. Could also be that Ukraine is blocking internet traffic from Russia, so being there is a way to bypass the block.
I fully expect the assholes behind said farms to be safely within Russian territory, so they’re just sighing and shrugging at having to set up a new base.
Still, being physically there is weird. Aren’t there reliable ways to fake it?
Depends what you mean by “faking”. You can fake a Ukrainian IP by using some VPN service, but then you’re using a VPN IP, which is quite obvious. If you want many genuinely residential IPs, you could use some botnet and infected computers in Ukraine. This is more authentic and harder to filter out. But some services actually require a phone number and at least the capability to receive texts to verify the number; some use the number as the user account (Telegram and such). Then you need actual SIM cards (not to be confused with Sims 3, the game 😉) and you need to connect to a local cell tower (perhaps you could do roaming, but that would be quite obvious long term). Now to fake all that, you’d need at least some devices operated in Ukraine, and at that stage it’s probably easier to find some people willing to do this locally for money or because they are high on Russian propaganda themselves.
Do you need to connect to actual cell towers though? I know legit SIMs are a kind of a barrier, but then…
Using a portal through KZ to a UA endpoint via VPN/proxy, faking geoloc and other identifying stuff on your device.
For me, it sounds like enough, and a collaborator is only holding an exit node, which is easier to defend in court than having all the infrastructure at their place.
Well, you do if you want to receive the confirmation text. And while you’re at it, you might as well use the same cell tower for data so that you get a “residential” IP.
You can definitely fake geolocation, and perhaps you could fake the IP through some proxy, but you can’t use commercial VPN services as their IPs are well-known VPN IP ranges at this stage. (These SIMs might have been used as such proxies for some spamming besides being used for this specific botnet.) Effectively, the more you want to blend in with the actual Ukrainian end-user traffic, the more you need to be present in the country, and the more complicated it is to fake it otherwise. Especially if you’re trying to hide from a state-level investigation that has access to triangulation from cell towers, providers’ logs, etc.
It’s just that I see one collab having a gateway on their PC for Russia-based labs to operate, rather than the whole scheme being based in Ukraine.
Cell-tower data would be helpful to locate the guy, but do web/apps collect it?
You can do the gateway-on-a-PC thing. You don’t even need to have a collaborator to do that; plenty of people run outdated systems riddled with malware.
But once you need an actual working SIM (Telegram, WhatsApp, etc.) you really need that SIM somewhere in Ukraine. And you need plenty of them (see the pictures in the article, there’s a ton), at minimum to activate the accounts and more realistically for occasional re-verification (2FA). Sure, you can then run the actual bots in Russia, but that need for physical presence is still there, at least occasionally. The article mentions 100 individuals; when you consider that 150k SIMs were there, most of the operation indeed was in Russia or somewhere else.
The triangulation is just a way for Ukrainian officials to maybe correlate multiple SIMs in the same spot once they had enough suspected malicious SIMs. (So that they know it’s not just a few random persons with malware on their phone, but indeed a huge concentration of SIMs in one spot.)
Thanks for your detailed answers.
It’s so these accounts can believably pose as Ukrainian.
Couldn’t they set up a VPN/proxy in Ukraine and have the actual bot farm run from within Russia?
If they did that it would be pretty easy to spot for anyone looking: all the bot accounts would be connecting through the same IP address(es). For it to be believable, you would need thousands of Ukrainian IP addresses, owned by Ukrainian internet providers. What Russia did is an effective way to achieve this. With thousands of SIM cards on multiple Ukrainian mobile networks, the traffic is very hard to distinguish from real Ukrainian internet traffic. Of course, the downside is that all the devices with those SIM cards have to be in Ukraine for it to work. It’s also possible that at least some of these devices were essentially just acting as VPNs for more devices in Russia.
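As an added illustration of the detection point made in this reply (example code, not from the thread or the article), here is a small Python triage that groups constructed login events by source IP and by /24 block: accounts funnelled through one proxy cluster on a single IP, while a pool of one-account-per-SIM addresses only stands out at the prefix level, if at all. Every IP and the VPN range list are made-up assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of (account, source IP) login events; documentation-range
# addresses, not real data. acct01-05 share one exit, acct06-08 each have
# their own IP inside one carrier-like block, acct09-10 sit in another block.
LOGINS = [
    ("acct01", "203.0.113.7"), ("acct02", "203.0.113.7"), ("acct03", "203.0.113.7"),
    ("acct04", "203.0.113.7"), ("acct05", "203.0.113.7"),
    ("acct06", "198.51.100.20"), ("acct07", "198.51.100.21"), ("acct08", "198.51.100.23"),
    ("acct09", "192.0.2.40"), ("acct10", "192.0.2.41"),
    ("acct06", "198.51.100.20"),  # repeat login, must not count twice
]

# Hypothetical ranges assumed to belong to commercial VPN exits (assumption).
KNOWN_VPN_RANGES = [ip_network("203.0.113.0/24")]


def accounts_per_ip(logins):
    """Map each source IP to the set of distinct accounts seen from it."""
    seen = defaultdict(set)
    for account, ip in logins:
        seen[ip].add(account)
    return seen


def flag_shared_exits(logins, threshold=3):
    """IPs used by >= threshold distinct accounts: the one-proxy-for-everyone pattern."""
    return sorted(ip for ip, accts in accounts_per_ip(logins).items() if len(accts) >= threshold)


def is_vpn_exit(ip):
    """True when the address falls inside one of the assumed VPN ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_VPN_RANGES)


def triage(logins, threshold=3):
    """Label each flagged IP as a known VPN exit or an unexplained shared exit."""
    return {ip: ("known-vpn" if is_vpn_exit(ip) else "shared-exit")
            for ip in flag_shared_exits(logins, threshold)}


def accounts_per_prefix(logins, prefixlen=24):
    """Distinct accounts per /prefixlen block. One-account-per-IP traffic from a
    single carrier block passes the per-IP check but still concentrates here."""
    blocks = defaultdict(set)
    for account, ip in logins:
        blocks[str(ip_network(f"{ip}/{prefixlen}", strict=False))].add(account)
    return {net: len(accts) for net, accts in blocks.items()}
```

Run against the sample, only the shared proxy IP is flagged per IP; the SIM-style block shows up only as a count of three accounts in `198.51.100.0/24`, which is why the comment calls that traffic hard to separate from genuine users.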
Better infrastructure and access to tech would be my guess
Sim farms can be found in most countries. Granted this is a big one.
Russia would be a less than ideal choice for criminals right now due to the sanctions affecting routes and prices between Russia and Europe.