IAB breaching networks

A 31-year-old Russian national named Evgeniy Doroshenko has been indicted for wire and computer fraud in the United States for allegedly acting as an “initial access broker” from February 2019 to May 2024.

An initial access broker (IAB) is a threat actor who breaches corporate networks and then sells that access to other threat actors, who commonly use the access to conduct data theft or ransomware attacks.

Doroshenko, allegedly known online by the aliases “FlankerWWH” and “Flanker,” is accused of gaining unauthorized access to corporate networks and then offering to sell this access on Russian-language cybercrime forums.

“From February 2019 to May 2024, Doroshenko devised a scheme whereby he gained unlawful access to victim computer systems and sold this access to others for a profit through a Russian language cybercrime forum located on the dark web,” reads the U.S. Department of Justice announcement.

The indictment mentions an incident from January 2024 when the FlankerWWH alias attempted to sell access to the network of a company in Bergen County, New Jersey.

Using KELA’s cyber-intelligence tools, we were able to locate what we believe may be the particular auction for this company, where the threat actor set the starting price at $3,000 with $500 increments, and a “flash sale” (buy now) figure of $6,000.

Doroshenko offering initial access to a NJ firm
Source: KELA

From the historical data of FlankerWWH’s activity, the threat actor’s preferred attack method was breaching networks by brute-forcing exposed Remote Desktop Protocol services.

Moreover, the same user was spotted requesting help cracking NTLM hashes, which were likely obtained after breaching a network.

Using Flare’s threat intelligence system, we found additional posts by the threat actor asking for help removing passwords from Excel spreadsheets and for advice on contacting the developer of a keylogger.

In addition to all the above, the indictment also mentions a case where Doroshenko stole information from one of the systems he breached, valued at over $5,000.

The wire fraud charge carries a maximum sentence of 20 years in prison and a fine of $250,000, while the computer fraud charge is punishable by up to five years of imprisonment and a similar fine.

For now, though, the suspect hasn’t been arrested, and given that he is based in Russia, it seems unlikely that he will ever be unless he leaves the country.