{
	"id": "f2299895-402c-4f77-b350-2dce22dcc4f7",
	"created_at": "2026-04-06T00:17:17.059269Z",
	"updated_at": "2026-04-10T13:11:31.110847Z",
	"deleted_at": null,
	"sha1_hash": "849f58e7a70e807d7ffc3fc8e803830050a0cab4",
	"title": "Russia's Extradition Wars Are Not What You Think They Are",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 336880,
	"plain_text": "Russia's Extradition Wars Are Not What You Think They Are\r\nBy Tom Uren\r\nPublished: 2023-09-14 · Archived: 2026-04-05 16:17:35 UTC\r\nYour weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from\r\nCatalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and this week's edition is\r\nbrought to you by runZero.\r\nAuthorities in Kazakhstan have detained Nikita Kislitsin, a Russian cyber security executive, following an\r\ninternational arrest warrant issued by the United States. \r\nThis newsletter's sister publication, Risky Business News, described how this has triggered a \"diplomatic tug-of-war\" between the US and Russia, because Russian authorities are now also seeking to extradite Kislitsin.\r\nThe US government alleges Kislitsin stole and sold information, including logins from former social media site\r\nFormspring. Kislitsin subsequently worked for Group-IB, a cyber security company once headquartered in\r\nRussia, and is now employed by FACCT, a company that spun out of Group-IB's Russia-based operations\r\ncompany in April this year. \r\nRisky Business News has more detail on Kislitsin's case, but also points out that this isn't the first time that\r\nRussians accused of cyber crime have been the subject of competing extradition processes. Cimpanu's article lists\r\nfive previous examples dating back to as early as 2012: \r\nWe've seen this before many times. Every time a big Russian hacker gets arrested outside Russia's\r\nborders, Russian authorities hocus-pocus some charges out of a hat and try to get him back home like\r\nthe suspects are some sort of national treasure.\r\nGavin Wilde, Senior Fellow at the Carnegie Institute and expert on Russian cyber operations, told Seriously Risky\r\nBusiness he thinks Russia's actions are primarily motivated by its desire to be viewed as an equal to the US. 
\r\nExtradition efforts require a response because, historically, the law in Russia is used as \"a tool to enable the\r\npowers that be, lending a veneer of credibility to crude authoritarianism\". Given that world view, US indictments\r\nof Russian hackers are viewed \"as mere coercive bullying and lawfare by the West — against which, naturally,\r\nMoscow wants to posture itself as a counterweight on the international stage\". \r\nWilde also thinks there might be some government concern that Russian cyber criminals \"have some degree of\r\ninsight\" into links between security services and cyber criminals that the government would want to keep quiet. \r\nWilde pointed out that there were indications, such as in the Conti leaks, for example, \"of some degree of give and\r\ntake\" between the FSB and Russian cyber criminals. However, he cautioned about  \"drawing too firm a link…\r\nbetween the command and control of the Russian State and any and all Russian cybercriminals\". \r\n\"I think by and large it's something that they tolerate rather than have… orchestration or control over,\" he said. \r\n\"If anything, there is probably a degree of shame or embarrassment about how permissive [the Russian\r\ncybercrime] environment is and what a lack of control the Russian security services, the interior ministry and the\r\npolice forces have,\" he continued. \r\nAlthough the extradition hijinks following Kislitsin's arrest are perhaps expected, that his arrest occurred in\r\nKazakhstan may actually be good news — it may signify fewer countries are happy to act as safe havens for\r\ncybercriminals. 
\r\nDmitry Smilyanets, director of product management at Recorded Future and formerly involved in Russia's\r\ncybercrime scene, told The Record \"Kislitsin's arrest is a clear indication of the shift in Kazakhstan geopolitics\".\r\n\"Some hackers called it 'betrayal' and 'backstabbing' in the private chats on Telegram\", Smilyanets continued.\r\nEarlier this year Georgia, another former Soviet republic, arrested and extradited to the US a Russian national\r\naccused of creating and selling NLBrute, a tool to brute force RDP login credentials. \r\nRussia losing these extradition battles at an increased rate is definitely on the cards. That some of these battles will\r\nbe lost in former Soviet republics is just the cherry on top.\r\nThe purported Ukrainian hacking group Cyber Anarchy Squad has been on a tear lately, causing a severe, albeit\r\nshort-term impact on two Russian telecommunications providers. These operations illustrate both the potential —\r\nand the limits — of disruptive hacktivist actions.\r\nIn the first incident, in early June, Cyber Anarchy Squad wiped routers and networking devices belonging to\r\nRussian telco Infotel JSC. On Telegram, the group wrote that \"all their infrastructure is destroyed, nothing alive is\r\nleft there\" (translated with Google services). Infotel JSC operates the Automated Electronic Interaction System for\r\nRussia's central bank, so the attack did actually cause serious disruption to Russia's financial system, which was\r\nunable to process electronic payments for more than a day.\r\nIn late June, the group also hit Russian satellite telecommunications operator DoZoR-Teleport. Cyber Anarchy\r\nSquad claimed to have destroyed network servers, bricked some of the company's satellite modems, and stolen\r\nand leaked documents. 
This was later confirmed by the company, per Risky Business News: \r\nThe company says the incident impacted infrastructure hosted with one of its cloud service providers,\r\nbut did not name the operator. Dozor-Teleport general director Alexander Anosov says it may take up to\r\ntwo weeks to restore affected services. The company provides satellite connectivity to some of Russia's\r\nlargest organizations, such as Gazprom, Rosatom, the FSB, and Moscow's regional government.\r\nIn both cases, the disruption was severe and was confirmed by data from the IODA internet monitoring system. \r\nThese attacks have been far more effective than the vast majority of actions that have involved DDoS or data\r\nbreaches. However, in both cases, the incidents were relatively short-term, and the networks were restored within\r\ndays to a week. \r\nIn general, this newsletter is sceptical that disruptive hacktivist action will make a significant difference when it\r\ncomes to conventional military conflicts such as the ongoing war in Ukraine. There are several reasons that it is\r\ndifficult for state cyber services to coordinate with hacktivist groups, one particularly significant one being that it\r\nis risky to trust unvetted activists with information that reveals significant plans and targets. This makes it difficult\r\nfor hacktivist actions to be well coordinated and so enable or enhance other state action which could take\r\nadvantage of the cyber-enabled interruption.  \r\nFrom what we know so far, these attacks haven't enabled any kind of significant Ukrainian success. They certainly\r\ncaused significant disruption, so if launched at the right time and place and combined with other actions, it is\r\npossible they could have enabled some significant and enduring outcome. 
But at this stage, it looks like that\r\ncoordination with other types of state power is missing, and these attacks are merely an embuggerance.\r\nThe Grugq and this author discussed how Ukraine could use its volunteer Ukraine IT Army in this edition of the\r\nBetween Two Nerds podcast.  \r\nListen to Patrick Gray and Tom Uren discuss this edition of the newsletter in the Seriously Risky Business\r\npodcast:\r\n1. Akira ransomware decryptor: Cybersecurity firm Avast has released a free decryptor for the Akira\r\nransomware strain. The Akira strain emerged in March of this year, has both Windows and Linux versions\r\nand has attacked companies across a wide range of sectors. \r\n2. FTC to ban fake reviews: The US Federal Trade Commission has proposed a rule banning fake reviews\r\nand testimonials. \r\n3. CISA's CyberSentry launched: The US Cybersecurity and Infrastructure Security Agency has launched\r\nCyberSentry, a new threat detection and monitoring platform. CyberSentry is free to all critical\r\ninfrastructure operators and will allow CISA to monitor networks for potential threats \r\nThis week’s sponsor is runZero, the fastest and easiest way to get to a full asset inventory with actionable insights.\r\nIn this Risky Business News sponsor interview Tom Uren talks to runZero’s CEO Chris Kirsch about how the\r\ncompany has evolved from offering an active scanning product to one that can now discover assets on OT and\r\ncloud environments using both active and passive scanning approaches:\r\nLast week Australia's financial regulator, APRA, announced that it will require Medibank Private to set aside an\r\nadditional AUD$250m to cover potential future losses. \r\nMedibank Private was victim of a major cyber incident in October 2022 that resulted in data from all Medibank's\r\ncustomers being stolen. This was a big deal in Australia and triggered a whole-of-government response.  
\r\nAPRA is aiming its action squarely at Medibank's infosec practices, saying the capital adjustment reflected\r\n\"weaknesses identified in Medibank’s information security environment\" and \"will remain in place until an agreed\r\nremediation program of work is completed by Medibank to APRA’s satisfaction\". \r\nBlockchain security firm SlowMist reports that in the first half of 2023 there were 185 crypto asset-related\r\nsecurity incidents that led to losses of up to USD$920m. In the first half of 2022 there were a similar number of\r\nincidents, 187, but approximately USD$2bn in losses.\r\nDebate over the UK's proposed Online Safety Bill has heated up recently as tech experts and civil society groups\r\nissued an open letter to Technology Minister Chloe Smith expressing concerns about the bill's implication for end-to-end encryption. Apple also issued a statement asking the government to \"amend the bill to protect strong end-to-end encryption for the benefit of all\", joining encrypted messaging service providers Signal and WhatsApp  in\r\nexpressing concern about the bill.\r\nCiaran Martin, former head of the UK's NCSC has weighed in to the debate, essentially saying that rather than\r\nbeing about breaking encryption, the bill is all about client-side scanning (Apple proposed its implementation\r\nback in August of 2021, but it was shelved after pushback from privacy and security advocates). The problem for\r\nthe Online Safety Bill, Martin says, is that the UK government hasn't set out how client-side scanning would work\r\nsecurely and he calls for further amendments to the bill:\r\nSurely then, parliamentarians should be shown the details of a workable draft regulation before voting?\r\nIf not, this controversial power will be driven through, but likely never used. 
Cue another bitter and\r\ndamaging row about Britain’s perceived hostility to encryption, but with no actual benefit to those\r\nfighting online harms. If peers do not ask the government to think again, parliament will be legislating\r\nfor a unicorn — and not the billion-dollar tech company kind.\r\nYou can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed\r\n(RSS, iTunes or Spotify).  \r\nIn our last \"Between Two Nerds\" discussion Tom Uren and The Grugq look at European Union efforts to make\r\nlaws to protect journalists from spyware. \r\nPrigozhin troll farms in limbo following Wagner mutiny: Several Russia-based news outlets are reporting that\r\nYevgeny Prigozhin is shutting down his Patriot media company in the aftermath of his failed mutiny at the head of\r\nthe Wagner PMC last month.\r\nThe Patriot media group is a holding company for a dozen Russian-language propaganda and fake news sites,\r\nsuch as RIA FAN, Politika Segodnya (Politics Today), Ekonomika Segodnya (Economics Today), Nevskiye\r\nNovosti (Nevsky News), and Narodnye Novosti (People's News). It is also the holding company for the Internet\r\nResearch Agency—Russia's infamous \"troll farm\" linked to multiple instances of election interference across the\r\nworld.\r\nPrigozhin has allegedly fired all employees and plans to shut down all news sites. All this information comes from\r\nPatriot media group insiders, and Prigozhin has not made a formal statement, nor has he been seen or heard from since\r\nleaving Russia for Belarus. [more on Risky Business News]\r\nUK NCSC first-ever APT response: The UK National Cyber Security Centre (NCSC) says the first-ever state-sponsored cyber-attack that targeted the UK government took place 20 years ago, in June 2003. 
The agency didn't\r\nreveal who was behind the attack but says the operation was a phishing campaign carried out by a foreign state.\r\nThe incident was investigated by the Communications-Electronics Security Group of the GCHQ and is what\r\neventually led the UK government to form a dedicated cybersecurity arm within the agency years later.\r\nSmugX: Chinese cyber-espionage group RedDelta (Mustang Panda) has continued its persistent targeting of\r\nForeign Affairs ministries and embassies across Europe. Security firm Check Point says the new attack represents\r\na larger trend within the Chinese espionage ecosystem that has been slowly shifting its attention to European\r\nentities. The new operations are a continuation of RedDelta campaigns initially reported back in December 2022\r\nby BlackBerry and Recorded Future. The attacks were spotted in countries such as Sweden, France, Ukraine,\r\nCzechia, Slovakia, Hungary, and the UK. Just like last year, the final malware payload deployed on infected\r\nsystems was the good ol' faithful PlugX backdoor—a malware strain used by tens of Chinese APT groups for\r\nmore than a decade.\r\nSource: https://srslyriskybiz.substack.com/p/russias-extradition-wars-are-not",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://srslyriskybiz.substack.com/p/russias-extradition-wars-are-not"
	],
	"report_names": [
		"russias-extradition-wars-are-not"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ff375ef-7859-4d44-9399-06c9d1d9359c",
			"created_at": "2023-07-11T02:00:10.063244Z",
			"updated_at": "2026-04-10T02:00:03.367017Z",
			"deleted_at": null,
			"main_name": "SmugX",
			"aliases": [],
			"source_name": "MISPGALAXY:SmugX",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c26ba56b-628e-4610-b167-1610efb08459",
			"created_at": "2024-02-22T02:00:03.77679Z",
			"updated_at": "2026-04-10T02:00:03.594516Z",
			"deleted_at": null,
			"main_name": "Cyber.Anarchy.Squad",
			"aliases": [
				"Cyber Anarchy Squad"
			],
			"source_name": "MISPGALAXY:Cyber.Anarchy.Squad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/849f58e7a70e807d7ffc3fc8e803830050a0cab4.pdf",
		"text": "https://archive.orkl.eu/849f58e7a70e807d7ffc3fc8e803830050a0cab4.txt",
		"img": "https://archive.orkl.eu/849f58e7a70e807d7ffc3fc8e803830050a0cab4.jpg"
	}
}