Stark Industries: Fuelling Russia’s Cyber Offensive

Arachne Digital
9 min read · Jul 14, 2024


The name of one hosting provider is coming up again and again with connections to Russian hacktivists, cyber attacks attributed to elements of the Russian government, and Russian disinformation campaigns: Stark Industries.

As strange as it is to see the name of an organisation from the Marvel universe in the real world, this mysterious hosting firm, run by Moldovan brothers Ivan and Yuri Neculiti, has become a central figure in Russia’s cyber and disinformation campaigns, targeting Ukraine and its Western allies.

Arachne Digital decided to pull together some of the known information on Stark Industries.

The Rise of Stark Industries

Brian Krebs has published a writeup on Stark Industries, outlining various elements of the organisation. Stark Industries Solutions, as it is officially known, emerged just two weeks before Russia’s invasion of Ukraine in February 2022. Incorporated in the UK but with roots and infrastructure embedded across Europe, this hosting provider quickly became a hub for distributed denial-of-service (DDoS) attacks and disinformation campaigns aimed at destabilising government and commercial targets in Ukraine and Europe.

The infrastructure of Stark Industries appears to be designed to obfuscate and protect the identities of those who use its services.

Stark Industries Solutions provides a range of web-hosting services, including virtual private servers (VPS), which are parts of larger physical servers rented for specific purposes. Their offerings are characterised by low prices, a variety of server locations, and multiple payment methods. Despite international sanctions, the company continues to focus on the Russian market, allowing customers to rent servers in countries like Norway to circumvent sanctions-related blocks.

Stark Industries also hosts dozens of proxy services and free virtual private networking (VPN) services, designed to shield users’ internet usage and locations. Their infrastructure supports various clients, including those involved in disinformation campaigns and cyberattacks, with significant IP space in the Netherlands, Germany, and the United States. The company’s servers are connected through a modern data centre in the Netherlands, utilising shared data traffic from upstream companies like MIRhosting, another hosting provider.

Relationship Between Stark Industries and MIRhosting

Stark Industries Solutions and MIRhosting have an interconnected relationship. MIRhosting, a hosting provider founded in the Netherlands in 2004, is known for its involvement in pro-Russian cyber activities. Stark Industries leverages MIRhosting’s established infrastructure to host various services.

The partnership extends to providing proxy and VPN services, which are crucial for concealing the origins of malicious traffic. Additionally, MIRhosting’s past involvement in cyber operations, such as the 2008 attacks on Georgia, underscores a long-standing pattern of facilitating pro-Russian cyber activities, a practice that continues with its association with Stark Industries.

Relationship Between Stark Industries and PQ Hosting

Stark Industries Solutions and PQ Hosting are also interconnected, with both companies playing integral roles in a network that supports various cyber activities.

Ivan Neculiti, the founder of PQ Hosting, established Stark Industries Solutions in the UK as a shell company to obscure the connection between the two entities. While PQ Hosting is based in Chișinău, Moldova, Stark Industries is registered at a mail drop address in London. On paper, Stark Industries is controlled by Yuri Neculiti, while Ivan handles the broader management of both companies. This setup allows the brothers to present PQ Hosting as a separate business while using Stark Industries to facilitate activities under a neutral name.

The infrastructure of Stark Industries and PQ Hosting is closely linked, with both companies utilising the same data centres and server resources. Stark Industries’ servers, which are connected through a modern data centre in the Netherlands, share data traffic with PQ Hosting, enabling seamless coordination and resource sharing. This interconnected infrastructure supports a range of activities, including web hosting, virtual private servers (VPS), and proxy services.

Both Stark Industries and PQ Hosting employ strategic business practices to circumvent international sanctions and regulatory oversight. Despite claims of reducing their operations in Russia, PQ Hosting continues to offer Russian payment services, allowing clients to bypass sanctions. By routing traffic through servers in various countries, the companies enable their clients to conduct activities that would otherwise be restricted. This strategy is facilitated by Stark Industries’ incorporation in the UK, which provides an additional layer of obfuscation.

The Neculiti Brothers

Ivan and Yuri Neculiti are the driving forces behind Stark Industries Solutions and PQ Hosting, according to Correctiv. Originating from the pro-Russian breakaway region of Transnistria in Moldova, the brothers have built a significant presence in the web-hosting industry, providing infrastructure that supports various cyber operations.

Ivan Neculiti, the older of the two, started his career in the digital realm at a young age, eventually founding PQ Hosting in Chișinău, Moldova. PQ Hosting offers server locations in 38 countries, catering to a diverse clientele by providing low-cost, versatile hosting solutions.

Yuri Neculiti owns a small share of PQ Hosting. Together, they established Stark Industries Solutions in the UK. This strategic move enables them to provide hosting services without immediately revealing their ties to Moldova.

The brothers have cultivated an image of success and affluence, frequently showcasing their luxurious lifestyles on social media. However, beneath this exterior lies a complex network of businesses that play a crucial role in supporting pro-Russian cyber activities. Stark Industries and PQ Hosting are implicated in hosting infrastructure for disinformation campaigns, cyberattacks, and other malicious activities.

How FIN7 Leverages Stark Industries

FIN7, a notorious cybercrime group known for its phishing and malware attacks, has revived its operations with substantial support from Stark Industries Solutions. After being declared defunct in 2023 following a series of arrests and convictions, FIN7 reemerged in 2024, leveraging the infrastructure provided by Stark Industries to rebuild and expand its cybercrime activities.

The cybercrime group uses thousands of domains hosted by Stark Industries to execute various attack vectors, including typosquatting, malicious browser extensions, and spearphishing. These domains often mimic legitimate websites of well-known brands and services, such as American Express, Google, Microsoft, and many others, to deceive and exploit unsuspecting victims.

One of FIN7’s key tactics involves “aging” domains hosted by Stark Industries. The group creates innocuous-looking websites with benign content so that the domains build a positive or neutral reputation over time. Once these domains have established credibility, FIN7 repurposes them for phishing attacks, significantly increasing the likelihood of success by evading tools that treat the age of a domain as a signal of positive reputation.

Stark Industries’ infrastructure also supports the group’s technical needs for managing and coordinating their widespread cybercrime activities. By hosting command-and-control (C2) servers and other essential components on Stark Industries’ platforms, FIN7 ensures that their malicious operations are well-coordinated and resilient to disruptions. This setup allows FIN7 to maintain a continuous presence and adapt quickly to any countermeasures deployed by cybersecurity professionals.

Additionally, Stark Industries provides FIN7 with the capability to launch targeted attacks through sponsored Google ads that lead to fake websites hosting malware. These malicious advertisements are prominently displayed in search results, often above legitimate sources, thereby increasing the likelihood of user engagement and subsequent malware infections.

How NoName057(16) Leverages Stark Industries

NoName057(16), a pro-Russian hacktivist group, extensively leverages the infrastructure provided by Stark Industries Solutions to conduct its cyber operations. Known for orchestrating repeated Distributed Denial of Service (DDoS) attacks against entities in Western countries, NoName057(16) relies on Stark Industries for a stable and secure environment to coordinate and launch attacks. The group utilises servers and IP addresses from Stark Industries to host Command and Control (C2) servers and other critical components of their attack infrastructure. This setup allows them to manage their operations effectively and ensures the availability and reliability of their services.

The hacktivist group operates using a volunteer-based system, where individuals are recruited via Telegram channels to participate in DDoS attacks. These volunteers use pre-configured tools and scripts, which are often hosted on Stark Industries’ servers, to target specific entities. The infrastructure provided by Stark Industries ensures that the volunteers have continuous access to these tools, facilitating coordination and execution of attacks.

It is noteworthy that Team Cymru raises questions about the true breadth of this volunteer base, since a great deal of the attack traffic appears to originate not from the scattered locations one would expect of volunteers, but from Stark Industries itself.

The relationship between NoName057(16) and Stark Industries also extends to data storage and management. NoName057(16) appears to store critical operational data, such as attack instructions and targeting information, on databases and message queues hosted on Stark Industries’ infrastructure. This setup enables efficient distribution of commands and real-time updates on the status of attacks, enhancing the group’s operational effectiveness.

How Doppelganger Leverages Stark Industries

The Doppelganger operation, a Russian disinformation campaign, leverages the infrastructure provided by Stark Industries Solutions to disseminate pro-Russian propaganda across Europe and beyond. This operation, which involves spreading false information and manipulating public perception, uses Stark Industries’ hosting services to sustain its activities and evade detection.

Doppelganger operates through a network of fake news websites, including “Recent Reliable News” (RRN), which publishes articles and videos designed to stoke fears and spread misinformation. These sites mimic legitimate news outlets, creating confusion and lending credibility to their deceptive content. Stark Industries provides the essential hosting infrastructure that allows these sites to remain online, resilient to takedowns and scrutiny.

Stark Industries’ servers support the technical needs of Doppelganger by ensuring that the propaganda websites can handle large volumes of traffic and remain accessible even during concerted efforts to block or remove them.

Additionally, the infrastructure provided by Stark Industries enables Doppelganger to implement obfuscation techniques. For example, the use of privacy services and shared data traffic with other entities makes it difficult for authorities to trace the true origins of the propaganda sites. This obfuscation is critical in ensuring that Doppelganger’s activities can continue without immediate disruption, even in the face of sanctions and regulatory actions.

Doppelganger also takes advantage of the different server locations that Stark Industries provides. By hosting servers in various countries, Stark Industries helps Doppelganger circumvent geographical restrictions and regulatory oversight. This dispersion of infrastructure not only enhances the resilience of the propaganda campaign but also complicates efforts by cybersecurity professionals to pinpoint and dismantle the operation.

How Russian Government Agencies Leverage Stark Industries

Blue Charlie, also known as TAG-53, is a Russian-aligned cyber espionage group that has been targeting nongovernmental organisations, think tanks, journalists, and government and defence officials. This group has been linked to various Russian threat activity groups such as Callisto Group, COLDRIVER, and SEABORGIUM. The alias SEABORGIUM has been superseded by Star Blizzard. SEABORGIUM/Star Blizzard is attributed to Centre 18 of the Federal Security Service of the Russian Federation, the FSB.

Recorded Future’s Insikt Group has released a detailed report on the credential harvesting infrastructure used by Blue Charlie/TAG-53. The infrastructure exhibits recurring patterns, including the use of specific domain registrars, Let’s Encrypt TLS certificates, and a small cluster of autonomous systems. Notably, the group uses spoofed login pages, such as fake Microsoft login pages mimicking legitimate U.S. military suppliers, to conduct their operations. Their credential harvesting activities are primarily driven by phishing campaigns, which are facilitated by the infrastructure hosted by these registrars and autonomous systems.

In their technical analysis, Insikt Group found that TAG-53 frequently uses registrars like NameCheap and Porkbun and operates within a limited number of autonomous systems, including those linked to MIRhosting, Stark Industries and others. The domains typically follow a specific stylistic structure, often comprising hyphenated terms like “cloud-safety[.]online.” Additionally, the widespread use of Let’s Encrypt TLS certificates across TAG-53 domains strengthens the correlation between these domains and the group’s infrastructure.
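The infrastructure pattern above (registrar, hosting cluster, Let’s Encrypt certificates, hyphenated naming) and FIN7’s domain-aging tactic described earlier both argue for scoring several weak signals together rather than trusting domain age alone. The following is an added example, not code from Arachne Digital, Insikt Group or any of the cited reports: the weights, the threshold and all sample records except the quoted cloud-safety.online name are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed record shape: what a WHOIS/passive-DNS/TLS enrichment step
# might hand to a triage script. Field names are an assumption.
@dataclass
class DomainRecord:
    domain: str
    registrar: str
    asn_org: str
    cert_issuer: str
    created: date

# Signals taken from the pattern Insikt Group describes; the weights are an
# illustrative assumption, not published thresholds.
SUSPECT_REGISTRARS = {"namecheap", "porkbun"}
SUSPECT_ASN_ORGS = {"stark industries", "mirhosting"}
HYPHENATED = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)+\.[a-z.]+$")
TODAY = date(2024, 7, 14)  # evaluation date, fixed so results are reproducible

def score_domain(rec: DomainRecord, today: date = TODAY) -> int:
    """Heuristic risk score: the more infrastructure signals match, the higher."""
    score = 0
    if rec.registrar.lower() in SUSPECT_REGISTRARS:
        score += 1
    if any(org in rec.asn_org.lower() for org in SUSPECT_ASN_ORGS):
        score += 2  # the hosting cluster is the strongest single signal here
    if "let's encrypt" in rec.cert_issuer.lower():
        score += 1
    if HYPHENATED.match(rec.domain.lower()):
        score += 1
    # Age is deliberately a weak signal: an "aged" domain (FIN7's tactic)
    # sails through age-only checks, so youth only nudges the score up.
    if (today - rec.created).days < 30:
        score += 1
    return score

def triage(records, today: date = TODAY, threshold: int = 3):
    """Return domains at or above the threshold, highest score first."""
    scored = [(score_domain(r, today), r.domain) for r in records]
    return [d for s, d in sorted(scored, reverse=True) if s >= threshold]

SAMPLE = [  # constructed records; only the first domain name appears in the text
    DomainRecord("cloud-safety.online", "Porkbun", "Stark Industries Solutions", "Let's Encrypt", date(2024, 6, 20)),
    DomainRecord("example-shop.com", "NameCheap", "ExampleHost", "Let's Encrypt", date(2021, 1, 5)),
    DomainRecord("acmecorp.net", "GoDaddy", "ExampleHost", "DigiCert", date(2015, 3, 9)),
]

def run_sample():
    return triage(SAMPLE)
```

Note that the three-year-old example-shop.com is still flagged: the registrar, certificate and naming signals carry it over the threshold even though its age alone would look benign.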

TAG-53 targets a wide range of organisations, particularly those in government, intelligence, and military sectors. Their domains often masquerade as legitimate entities to enhance their credibility to potential victims.

Also, according to the Computer Emergency Response Team of Ukraine, Stark Industries Solutions’ infrastructure was used in a cyberattack on the Ukrainian news agency Ukrinform in January 2023. The attack was attributed to Sandworm. Sandworm is in turn attributed to Unit 74455 of the Main Centre of Special Technologies (GTsST), a part of the Main Directorate of the General Staff of the Armed Forces, or the GRU.

A Pivotal Asset for Russian Interests

Stark Industries Solutions has emerged as a pivotal asset in advancing Russian interests through cyberspace. The activities of Stark Industries Solutions underscore the critical need for vigilance and robust cybersecurity measures. As digital threats continue to evolve, so must our defences. The Neculiti brothers’ empire, shrouded in layers of corporate and digital obfuscation, represents a significant challenge to global cybersecurity efforts.

References

https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/

https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/

https://www.team-cymru.com/post/a-blog-with-noname

https://correctiv.org/en/fact-checking-en/2024/05/31/hacks-and-propaganda-meet-the-two-brothers-bringing-russias-cyber-war-to-europe/

https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide

https://www.justice.gov/media/1327601/dl?inline

https://www.recordedfuture.com/research/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations

https://cert.gov.ua/article/3718487

https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

Arachne Digital

Providing timely and actionable cyber threat intelligence. Email us on contact at arachne dot digital.