Ian Litschko
ilitschko.bsky.social
Russian cyber espionage and cybercrime | Carleton University and MGIMO | GTA Khachipuri
Always fun to see the reason one of your instructors got the job at MGIMO.
November 18, 2025 at 5:56 PM
Off bright and early to DC for Cyberwarcon.
November 18, 2025 at 11:11 AM
Reposted by Ian Litschko
Oh ok so it wasn’t a GRU operator (necessarily) — it was a guy working as part of the recently identified threat group that pissed off Dutch intelligence
Russian alleged cyber-hacker faces extradition to US after arrest in Thailand | CNN
lite.cnn.com
November 15, 2025 at 10:41 PM
Reposted by Ian Litschko
The indefatigable Steven Fisher, formerly of Citibank Russia and Citibank Ukraine, has assembled this collection of remembrances from former expats in Russia. There is so much here, so many memories of a Russia vanished. I reminisced about riding the rails ( scottgehlbach.net/posts/4055-r...).
Once Upon a Russia: Voices From a Vanished Era
Amazon.com: Once Upon a Russia: Voices From a Vanished Era: 9781737766346: Fisher, Steven A.: Books
www.amazon.com
November 15, 2025 at 3:23 AM
Reposted by Ian Litschko
FT report: Russia’s Rubikon unit is upending Ukraine’s drone advantage — locating & killing operators deep behind the lines, training other Russian teams, & seizing control of Ukraine's decisive "electromagnetic spectrum." Ukrainian pilots now face relentless pressure, must adapt tactics to survive.
The elite Russian unit hunting Ukraine’s drone warriors
Moscow’s new Rubikon team upends Kyiv’s control of the electronic battlefield
www.ft.com
November 13, 2025 at 10:49 PM
Tonight's bottle of Georgian.
November 4, 2025 at 11:38 PM
Reposted by Ian Litschko
Russia wants its own messenger app, independent and stuff.

Relies on Salesforce 🤣
Well, what do you know … 😏

The state messenger MAX, controlled by the Russian FSB, was probably hacked. 46.2 million records are said to have been stolen. The hacker published sample rows from the database on the dark web.
October 19, 2025 at 1:10 PM
Reposted by Ian Litschko
Don’t let anyone tell you that the Russians never arrest cybercriminals. Criminals who cause harm to Russians are regularly arrested, and as this instance shows, often dealt with harshly. See my timeline for a modest sampling of other arrests of hackers, fraudsters, and other Russian cybercriminals.
October 9, 2025 at 11:48 AM
Reposted by Ian Litschko
I think super important to track what they're saying about what they fear, what they think war looks like, & what they think adversaries will do, as well as what they themselves hope to do & what they actually do. Also crucial to track the disconnects between these & whether & when they narrow. 7/7
October 8, 2025 at 3:30 PM
Most interesting to me is that the cooperation between Gamaredon and Turla is distinct from the Gamaredon cooperation with InvisiMole. They are really solidifying themselves as an initial access team within the FSB.

www.welivesecurity.com/en/eset-rese...
Gamaredon X Turla collab
ESET researchers reveal how the notorious APT group Turla collaborates with fellow FSB-associated group known as Gamaredon to compromise high‑profile targets in Ukraine.
www.welivesecurity.com
September 19, 2025 at 5:28 PM
Reposted by Ian Litschko
APT or Another Phishing Training?

Seqrite reported an attack on the Kazakhstani oil company KazMunayGas attributed to a new group NoisyBear www.seqrite.com/blog/operati...

Yet the company later argued that this was a simulated attack orda.kz/planovoe-mer...

This looks plausible:

1/2
September 6, 2025 at 3:27 PM
Reposted by Ian Litschko
Russia is considering forbidding dissemination of information on how cyber attacks are conducted. Could be a big problem for CTI practitioners or incident responders sharing TTPs, because those include that kind of information.
www.kommersant.ru/doc/7991253
"White hat hackers" put on the blacklist
The fight against fraudsters could affect cybersecurity specialists
www.kommersant.ru
August 29, 2025 at 1:32 PM
Most notable thing in this (apart from new publicly available info on Energetic Bear), is the assertion that Static Tundra is a subgroup of Energetic Bear. Been happening a lot with GRU groups, now FSB 16th Centre.

blog.talosintelligence.com/static-tundra/
Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering.
blog.talosintelligence.com
August 20, 2025 at 2:44 PM
And there goes the rest of my day.
New: The Dossier Center has a multipart investigation into the GRU out today (in Russian). Includes a section on the agency's cyber activities.

gru.dossier.center
GRU: evolution, methods, crisis
Report by the Dossier Center
gru.dossier.center
August 11, 2025 at 6:19 PM
Not a fan, just tastes like a hop bomb.
August 10, 2025 at 2:20 AM
First Japanese wheat beer.
August 7, 2025 at 10:24 PM
SORM in action. Next, someone will tell me the guys cop boxes outside of embassy gates in Moscow who just want to take a look at your passport aren't taking note. Even when you're just going to the basement bar for cheap Moosehead on a Friday evening.

www.microsoft.com/en-us/securi...
Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats | Microsoft Security Blog
Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been ongoing since at least 2024, targeting embassies in Moscow us...
www.microsoft.com
July 31, 2025 at 4:48 PM
Reposted by Ian Litschko
A major cyber incident in Russia: two groups, Cyber Partisans & Silent Crow, took credit for a cyber attack on Aeroflot, claiming they destroyed its internal IT systems. Aeroflot didn't acknowledge the attack but canceled nearly 100 flights & delayed some more due to an 'outage'
July 28, 2025 at 12:51 PM
What is interesting is that it looks like more disruption to flights was caused in this attack than by the multiple airlines breached by Scattered Spider.
July 28, 2025 at 10:50 AM
Reposted by Ian Litschko
while you’re at it, just go ahead and burn this collection on SVR cyber operations. who cares. not like it helps SVR’s CI analyses. fuck do I know. (Pg 16)
July 24, 2025 at 11:41 PM
Regionality has become a recurring theme in reporting on Russian cyber.
July 20, 2025 at 6:45 PM
Reposted by Ian Litschko
Decoding Secrets Through Symbols: How Military Insignia Revealed Russia’s Hidden SIGINT Network by @checkfirst.network
↘️
checkfirst.network/decoding-sec...
Decoding Secrets Through Symbols: How Military Insignia Revealed Russia's Hidden SIGINT Network - CheckFirst
Sometimes the best intelligence comes from the most unexpected sources. Our latest investigation proves this by using Russian online military insignia stores to map one of the FSB's most secretive uni...
checkfirst.network
July 20, 2025 at 6:06 PM
Reposted by Ian Litschko
some other highlights:
- this cluster tried to re-establish relationships after we disabled their accounts by creating new, similarly named accounts. very persistent!
- if you thought their device linking phase was over, think again! susp apt29 groups looove this & want to make it seem more legit
We (@gabagool.ing - AKA gabbot) and I updated this with some more recent tomfoolery from this group.

They continued the ASP campaign with evidence they responded to our initial publication.

They were doing some sneaky calendar stuff that led to adding a device to the target's O365 tenant.
So @gabagool.ing (who will henceforth be referred to as "gabbot") and I wrote some stuff on some ASP phishing campaigns: cloud.google.com/blog/topics/...

Citizen Lab worked closely with one of the targets and shared their work on it also: citizenlab.ca/2025/06/russ...
July 10, 2025 at 8:52 PM
Reposted by Ian Litschko
If there were any American or French lords of war currently imprisoned in Russia, it would make for sweet poetry to get them in a prisoner swap for Russian basketball player Daniil Kasatkin, who was just jailed in Paris on charges of aiding a ransomware conspiracy. meduza.io/en/news/2025...
July 9, 2025 at 9:50 PM