The main platform for the coordination of the actions of the miners can be closed chats of Telegram channels

This is the number: false minings in Russia have a Ukrainian trace

Behind the wave of telephone terrorism, which overwhelmed Russia since the beginning of 2022, in most cases, citizens of Ukraine are hiding, information security experts found out. They discovered several closed communities in social networks and instant messengers, where the actions of the attackers are coordinated, and In digital traces About twenty administrators of such groups identified. Almost everyone turned out to be users from Ukraine, in isolated cases – from Poland and Russia. Data on all has already been transferred to law enforcement agencies. Lawyers say that in Russia they can face up to five years in prison.

Non -Russian trace

At the beginning of 2022, a wave of telephone terrorism swept Russia. Over the past two days, evacuation has been held in 300 Russian schools. We are talking about Saratov, Krasnoyarsk, Arkhangelsk, Samara and not only. Message reports come not only to educational institutions. For example, January 11, messages about the inherent explosive devices received 13 ships of Moscow and several-St. Petersburg.

Most calls about mining are carried out from the territory of Ukraine, during their own investigations, information security experts from T.Hunter. Several telephone terrorists managed to track in Poland and Russia. Attackers coordinate their actions in closed Telegram chats and VKontakte groups. Researchers managed to find over ten such associations. Most of them were registered in January 2022.

-Studying one of the Telegram channels, we identified the built-in chat and copied the list of its participants. Of these, nine profiles of users – community administrators and one profile of the community owner were allocated. The subsequent study of the profiles of the administrators of the Telegram channel made it possible to establish their likely personalities and the location-says Igor Bederov, head of the department of information and analytical research of T.Hunter.

In total, T.Hunter experts analyzed several hundred accounts in such chats and groups, which made it possible to identify about twenty administrators and creators of Telegram chats. It is they who, as a rule, are most actively engaged in the calling of victims and attract other group participants to this activity.

Almost all identified users are citizens of Ukraine, from Kyiv, Ternopol, Polong and other cities. At least one administrator was discovered in Russia, in the Tver region. The researchers also managed to determine the digital traces of telephone terrorists leading to Poland.

Alexander Dvoryansky, Director of Strategic Communications, Infosecurity a Softline company, confirms T.Hunter's data. According to him, both earlier and now, such calls come most often from the territory of other countries with which there are no full-fledged diplomatic relations.

“Most likely, the coordination of actions actually goes through closed Telegram channels, which are the most difficult to track and identify, and to a lesser extent through other communication channels, including social networks, since it is much easier to identify and track intruders through them,” says is he.

In its turn Alexander Kalinin, Head of the Group-IB Information Security Incident Response Center, does not rule out that the current calls with messages about mining can be carried out under the order, from people offering relevant services on shady forums. Who exactly can stand behind such orders, he does not know.

Valery Andreev, Deputy General Director for Science and Development of the Information Implementation Company, adds that This is not the first time that the Ukrainian trace has been discussed in the context of telephone terrorism. According to him, Dnepropetrovsk is always called a hub for unauthorized activity on the Web. However, in this case, due to the lack of data, the expert is not ready to say that the citizens of Ukraine are to blame.

The press service of VKontakte stated that they did not record the growth in the number of such communities in recent years.. The social network adheres to a strict moderation policy regarding telephone terrorism. The company proactively monitors communities and carefully reviews all incoming complaints related to this topic.

Telegram at the time of publication of the material did not respond to the corresponding request from Izvestia.

Izvestia sent a request to the Ministry of Internal Affairs. Earlier, on January 12, the department announced that the leadership of the investigative department took control of the investigation of the criminal case on the fact of false reports about the mining of educational institutions in Yekaterinburg.

Rite of Identification

User identification is carried out by T.Hunter analysts using specialized software, which parses a set of markers. The most common ones are email address, phone number, nickname or social profile.

– When a message about mining is received, the sender is automatically sent several emails with logged content: a picture, a video, a document. When a user opens an email, their device automatically downloads the script contained in the attachment. Further, the researchers' systems receive feedback, including the IP address of the attacker's device. And it is often easy to determine the country of the user from it. With this data and using other open data intelligence tools, we can get a phone number and even a person’s first and last name,” says Bederov.

Another tool that experts regularly use is tracking of cryptocurrency transactions. According to them, the specialist notes, you can also find the data of the devices of the sender and recipient. Also, according to Bederov, it is important to use a search for closed communities to see who took responsibility for specific mining. These data miners publish in chats and channels on social networks, Telegram or Darknet.

Information about the detected attackers is transferred to law enforcement agencies.

Associal networks

Izvestia got acquainted with the content of some channels and communities and made sure that they are actively discussing the goals of “mining”. For example, at the time of publication of the material in one of the chat, attackers were chosen between Minsk and Kaliningrad through a survey. In some chats, participants openly announced their readiness to call a particular organization and declare mining.

A separate achievement among participants in such groups is the discussion of their actions in the media. So, for example, the administrator of one of the chats on the afternoon of January 11 announced the mining of shopping centers in Barnaul, and already in the evening of the same day, regional media reported evacuation in at least one of the buildings of the city at that time – Boom shopping center.

The head of the criminal practice of BMS Law Firm, Alexander Inoyadov, recalled that ZAssistously false messages about terrorism acts Depending on the motives of the commission of the crime, the object of the object whose activity is blocked, to social infrastructure, as well as the consequences of They are qualified according to the relevant part of Article 207 of the Criminal Code of the Russian Federation.

– So, With a hooligan motive and the absence of other consequences, the punishment is sentenced in the form of a fine of 200 thousand to 500 thousand rubles or in the amount of earnings for a period of 1 year to 1.5 years, restriction of freedom or forced labor for up to three years– he says.

The most common, according to the lawyer, are crimes against social infrastructure facilities and infuriates damage over 1 million rubles. In these cases, the punishment is more severe: in addition to a fine of up to 700 thousand rubles, imprisonment for up to five years may be imposed.