SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
DanaBot takedown highlights blurred lines in Russian cybercrime

The United States Department of Justice has unsealed an indictment against several Russian nationals accused of developing, administering and operating the DanaBot malware-as-a-service platform, tracked by CrowdStrike as SCULLY SPIDER.

SCULLY SPIDER has been active since 2018 and was initially known for deploying DanaBot as a banking trojan. Over time, DanaBot evolved into a rentable botnet platform utilised for a variety of cybercrime activities, including eCrime, espionage, and distributed denial-of-service (DDoS) attacks. The platform has also reportedly been used to target entities in Ukraine, raising concerns over its potential ties to Russian state interests.

In its technical analysis, CrowdStrike reported that certain sub-botnets associated with DanaBot, specifically sub-botnets 24 and 25, have demonstrated connections to Russian intelligence. This finding underscores the risk that eCrime infrastructure may be repurposed for state-backed cyber operations.

Although SCULLY SPIDER operates from within Russian territory, there has been little evidence of domestic law enforcement action against the group. CrowdStrike's research suggests this lack of enforcement may indicate a degree of tolerance, or even proxy use, by Russian authorities.

CrowdStrike has played a role in supporting the takedown of DanaBot, providing intelligence, infrastructure analysis, and technical insight into the group's operations. The company has published a detailed blog outlining the tactics of SCULLY SPIDER and the implications of this law enforcement action for Russian-aligned cyber operations.

Commenting on the indictment, Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, said: "DanaBot is a prolific malware-as-a-service platform in the eCrime ecosystem, and its use by Russian-nexus actors for espionage blurs the lines between Russian eCrime and state-sponsored cyber operations. SCULLY SPIDER operated with apparent impunity from within Russia, enabling disruptive campaigns while avoiding domestic enforcement. Takedowns like this are critical to raising the cost of operations for adversaries. CrowdStrike is proud to support law enforcement with the intelligence and expertise needed to help disrupt these threats."

The Department of Justice's actions included the seizure of DanaBot's US-based server infrastructure by the US Defense Criminal Investigative Service (DCIS). This measure is intended to prevent the group from issuing commands to compromised systems, effectively severing the operators' control and halting malicious activities against victims.

The blog from CrowdStrike provides additional context, observing, "This takedown represents more than just disrupting a criminal enterprise — it strikes at a cyber capability that has appeared to align with Russian government interests." CrowdStrike's analysis emphasises the difficulty in separating the criminal and state-sponsored aspects of cyber operations in Russia, noting that while DanaBot initially focused on financial crimes, its infrastructure has also been utilised for DDoS attacks supporting Russian military objectives, such as those targeting the Ukrainian Ministry of Defence and the National Security and Defense Council of Ukraine following the 2022 invasion.

CrowdStrike identifies the pattern of non-enforcement within Russia as indicative of a potentially strategic relationship, stating, "What distinguishes DanaBot from typical eCrime operations, however, is the Russian government's tolerance of its activities… a pattern that suggests these cybercriminals serve as proxy forces applying pressure on Western nations while maintaining plausible deniability for the Russian state."

Notably, the group's operations have included supply chain attacks, such as the compromise of the NPM package ua-parser-js in October 2021, which saw DanaBot deployed across a range of industry sectors, including transportation, media, technology, and finance. Further evidence of state alignment came to light when sub-botnet 5 conducted DDoS attacks on Ukrainian governmental entities shortly after Russia's military escalation in Ukraine.

The indictment unsealed by US authorities also includes details of DanaBot's use for espionage via dedicated sub-botnets. CrowdStrike's assessment is that this use of malware infrastructure for intelligence gathering supports the idea that SCULLY SPIDER may have operated at the behest of Russian government interests. As stated in the company's blog, "Such dual use of criminal infrastructure for state espionage represents a cornerstone of Russia's hybrid cyber strategy, allowing the government to maintain distance from operations while benefiting from their outcomes."

Since 2022, SCULLY SPIDER has reportedly adapted its product and service offerings in response to shifts in the eCrime ecosystem, including adjustments to service pricing and updates to DanaBot's codebase to strengthen defences against detection.

CrowdStrike stresses the importance of cooperation between public and private sectors when addressing complex cyber threats involving both criminal and state actors. Adam Meyers highlighted the need for continued vigilance and disruption against such dual-purpose operations, stating, "Takedowns like this are critical to raising the cost of operations for adversaries."
