Russian Cyber Underground: Genesis and Anatomy of the Dark Web Forum Infinity
Executive Summary
The Yarix Cyber Threat Intelligence (YCTI) team analysed the genesis and anatomy of a brand-new forum operating in the Russian cyber underground: the Infinity Forum.
Infinity is a recently appeared cyber creature founded by KillMilk (former head of the pro-Russia hacktivist group Killnet) and engineered by Russian hacktivists. It has been officially operational since January 2023, but its embryonic traces can be traced back at least to November 2022. Infinity is not like other known forums in the Dark Web: it has unique features never seen before in the Russian cyber underground. Moreover, it is one of the most recent Dark Web forums founded by hacktivists.
As of January 2023, the hacker groups that are official members of the forum are the following: Killnet, Anonymous Russia, Infinity Hacker By (Belarus), Bear IT Army, Deanon Club, Special Attack and Reconnaissance Division (SARD), National Hackers of Russia. However, Infinity’s ambition is to gather all the main pro-Russia hacktivist groups. Therefore, we expect more hacker groups to become official members of the forum in the near future.
Russian cyber-hacktivist groups like Killnet, Anonymous Russia or NoName057(16) [For further information read Ylabs article Analysis of the Russian-Speaking Threat Actor NoName 057(16)] are part of a wider strategy named Cyberwarfare in the Western doctrine and Information Warfare in the Russian one. Cyberwarfare is limited to computer network operations, while Information Warfare also entails psychological operations, as well as information and disinformation actions. From the analysis conducted by the YCTI team, it can be asserted that the cyber-collectives behind the Infinity Forum operate as agents of Information Warfare, as will be further discussed in this article. However, there is no evidence of a potential connection with state entities of the Russian Federation.
The Infinity Forum is structured in a way similar to other well-known Russian-speaking forums and marketplaces active in the Dark Web such as XSS, Exploit and Club Hydra. However, this forum also has unique and distinctive features which set it apart from the others. Specifically, there are sections dedicated to discussions about geopolitics, ideologies, social movements and operations carried out or triggered by its members in the physical world.
By analysing the contents of the forum, it can be assumed that the ideological background on which the Infinity Forum is grafted, and through which it flourished in the Dark Web, is that of the Russian ultra-nationalist perspective on the West, namely anti-Western/NATO sentiment and rhetoric.
One of the most striking and threatening features of the Infinity Forum is that it has broken the boundaries of cyberspace and made a breakthrough into the real world. Infinity Forum members not only conduct cyber-attacks; they have raised the bar and conducted operations to harm the physical world. As an example, we can mention the terrorist attacks conducted by the cyber-collective National Hackers of Russia against Lithuanian airports, schools and state institutions. A further example is provided by the disinformation campaigns and the support for protests and anti-government movements held in Poland and triggered by SARD, another cyber-collective that is an official member of the Infinity Forum. These and other examples will be further discussed in the present article, including an overview of the infrastructure built around the Infinity Forum’s domain and correlated websites.
The Infinity Forum represents a disruptive and threatening new element in the cyber domain that is going to acquire wider recognition as one of the major threats coming from the Russian cyber underground.
The Landscape of Russian Cyber Underground
Russian cyber-underground: the fifth domain of warfare
“Everyone knows that Russians are good at maths. Our software writers are the best in the world, that’s why our hackers are the best in the world”.
Lt. Gen. Boris Miroshnikov, MVD Department K (Cybercrimes) [1]
London, 2005: during the e-Crime Congress, in front of a packed audience of experts from top-tier cybersecurity companies and governmental agencies, Lt. Gen. Boris Miroshnikov warned about the threat posed by Russian hackers. He also called for stronger international police cooperation and for unified international laws in the field of Internet crime. Eighteen years have passed since that international conference, and the world has changed a lot since then.
The current state of cooperation between Western powers and the Russian Federation is at its lowest level since the Cold War. The relationship of trust built with Russia has inevitably been affected by the on-going conflict in Ukraine. It will take years to restore good relations, if that ever happens. Nowadays, the West confronts Russia on the battlefield indirectly, mostly by providing defensive military support to Ukraine. However, in the 21st century, after land, sea, air and space, warfare has entered a fifth domain: cyberspace. Therefore, the West must also face the threats stemming from the Russian cyber-arsenal. Since the beginning of the conflict in Ukraine in February 2022, several pro-Russia hacktivist groups have emerged in the cyber-underground: cyber-collectives whose aim is to attack, weaken and undermine Western countries and, in general, those who support Ukraine in the conflict with Russia. Some of these groups, like Killnet, became well-known and received wide media coverage for their cyber-attacks against Western critical infrastructures and strategic economic sectors (e.g., governmental agencies, airports, hospitals). Other pro-Russia cyber-collectives kept a lower profile, working silently but unceasingly in the wings.
As stated before, Russian cyber-hacktivists hit the news with their blatant attacks and declarations against critical targets in Western countries. Everyone in the cybersecurity field has heard about Killnet, and almost everyone must have heard at least once about its founder: KillMilk.
KillMilk is not only the former leader of the well-known pro-Russia cyber-collective Killnet; he is also the founder of a brand-new forum in the cyber-underground named Infinity, a recently appeared cyber creature engineered by Russian hacktivists. The Infinity Forum has been officially operational since January 2023, but its embryonic traces can be traced back to the end of November 2022. Infinity is not like other known forums in the Dark Web: it has unique features never seen before in the Russian cyber-underground. Moreover, it is one of the most recent Dark Web forums founded by hacktivists.
Russian Information Warfare: from Soviet military theory to Internet 4.0
Russian cyber-hacktivist groups like Killnet, Anonymous Russia or NoName057(16) [For further information read Ylabs article Analysis of the Russian-Speaking Threat Actor NoName 057(16)] are part of a wider strategy named Cyberwarfare in the Western doctrine and Information Warfare in the Russian one.
According to the Western doctrine, Cyberwarfare is defined as a conflict between states, which can also include non-state actors, with the aim of penetrating another nation’s networks or computers using communication technologies and techniques in order to cause harm and disruption, or to steal valuable information from military, industrial or civilian targets. [2]
The Russian military doctrine prefers the term Information Warfare (Russian: Информационная Война; Romanized: Informatsionnaya Voyna) to cyberwarfare. The reason behind this linguistic choice lies in the fact that Informatsionnaya Voyna is a much broader concept than cyberwarfare, including not only electronic warfare and computer network operations, but also psychological operations, as well as information and disinformation actions. Informatsionnaya Voyna is relatively new in terms of the means employed but, as far as the reasons, targets and strategies are concerned, it is as old as the Soviet times. More generally, it is one of the means at the Russian government’s disposal to dominate the information sphere for its own purposes.
What emerges from this picture is that the Russians, both the population and the political élite, perceive an on-going threat coming from abroad, whose main aim is the manipulation of information. In this context, cybersecurity is valued as a high-level defensive and offensive system, a fundamental tool of Information Warfare that provides protection and also allows the Russian Federation to impose itself on the global arena.
Infinity Forum
Genesis of Infinity: a new frontier in cyber-hacktivism?
Infinity is a Russian-speaking Dark Web forum created in December 2022 and counting about 4200 active members. Before launching the forum in the Dark Web, Infinity was a Telegram channel (November 2022) that was later closed and whose chat history was deleted.
Below is evidence of an announcement regarding the Infinity Forum shared on Telegram channels.
Telegram, Post of November 2022
Translation:
New project – INFINITY
KILLNET | DEANON CLUB
Official project chat – https://*************
In the chat we are waiting for everyone who somehow wants to take part in the life of the project. Whether it’s simple communication, whether it is providing help with skills, and so on…
In the project chat there will be no answers to questions that do not concern the project itself.
Let’s chat! All the news will be there – stay tuned and please don’t spam!
Sponsors, you have written about 10 pieces – all the conditions have not yet been spelled out. Reach out separately to – @*************
Telegram, Post of December 2022
The Dark Web Forum Infinity was founded by KillMilk, former leader of the Russian cyber-collective Killnet, which gained notoriety during the first months of the Russian-Ukrainian conflict in February 2022, when the hacktivist group inaugurated widespread attacks against Ukrainian and Western targets (e.g., Distributed Denial of Service attacks, misinformation and disinformation campaigns).
KillMilk’s profile on Infinity Forum
The Infinity Forum aims to gather all major pro-Russia hacktivist groups, as explicitly stated by Killnet in a communication issued to promote the forum in the Russian cyber-underground.
Translation:
Hello! Russian Dark Forum №1 – INFINITY invites top teams of hackers to be placed on the site! Each team gets its own branch and verification name status under each member!
We are waiting for our friends from Beregini, Zarya, RaHDIt, XakNet, DPR Joker, NoName 057(16) and others among the strongest hack teams in the world!
Verification for the forum is easy! Repost this post and write to our admin – @*************
Infinity is a brand-new type of Dark Web forum. Unlike standard Dark Web forums, used by threat actors to buy and sell illegal goods and services, ranging from drugs and weapons to VPN and RDP accesses, the Infinity Forum is configured as a reference point in the Dark Web for cyber-hacktivist campaigns and initiatives.
Anatomy of the Infinity Forum
The Infinity Forum is structured in a way similar to other well-known Russian-speaking forums and marketplaces active in the Dark Web such as XSS, Exploit and Club Hydra. However, this forum also has unique and distinctive features which set it apart from the others. Specifically, there are sections dedicated to political science and discussions about geopolitics, ideologies and social movements.
Below is a screenshot of the landing page of the Infinity Forum with a translation of the main sections available in the menu toolbar, namely:
- Forum;
- Chat;
- HACKSHOP;
- Guarantor;
- Support;
- Advertising;
- Status.
For the purpose of this article, we are not going to delve into each and every section of the Forum.
Instead, we will provide an overview of four sections which represent a novelty, namely the following ones:
- Network / Сеть and Hack Shop;
- Hacknews / Новости Хак Группировок;
- Social activity / Общественная деятельность;
- Internet media | News agencies / Интернет СМИ | Информационные агентства.
1. Network / Сеть and Hack Shop
In the “Network” section of the forum, aside from standard parts dedicated, for example, to hacking tools, network security and software development, there is also a specific place reserved for Distributed Denial of Service (DDoS) and Denial of Service (DoS).
Within the “DDoS | DoS” subsection, members of Infinity provide information and resources on different tools to perform such attacks, such as Raven Storm, Smurf and Hasoki.
In the following evidence, a user of the Infinity Forum offers for free a Python tool named “Tornado” that he developed to conduct DoS attacks, available for Linux and Windows.
Furthermore, the “Hack Shop” section has a specific subsection dedicated to DDoS, where tools for conducting such attacks are sold.
2. Hacknews / Новости Хак Группировок
This section hosts the main news regarding the hacktivist groups that are official members of the Infinity Forum. Here the Telegram contacts of the cyber-collectives are provided, as well as relevant news regarding their operations and activities.
3. Social activity / Общественная деятельность
This section is designated as a space for discussion and debate about ideologies, geopolitics, and political and social movements. An in-depth analysis of this section is provided in par. Ideological grounds.
Below is an image of the section with translations in English:
4. Internet media | News agencies / Интернет СМИ | Информационные агентства
Another interesting aspect about the Infinity Forum is that it is equipped with two news agencies: Rogandar News and Military Z.
Official hacktivist groups members of the Infinity Forum
Infinity’s ambition is to gather all main pro-Russia hacktivist groups, as clearly stated in one of their official communications (see par. Genesis of Infinity: a new frontier in cyber-hacktivism?).
As of January 2023, the hacktivist groups that are official members of Infinity are the following:
Snapshot of Infinity Forum’s users
Based on the groups of hacktivists mentioned in the previous section, the following diagram illustrates the correlations between them and some key users of the forum.
Ideological grounds
As mentioned before, the Infinity Forum has a section specifically tailored for discussions about politics, ideologies, geopolitics and social movements: the “Social Activity” section (in Russian: Общественная деятельность; Romanized: Obshchestvennaya deyatel’nost’).
By analysing the contents of the forum, and in particular of this section, it can be assumed that the ideological background on which the Infinity Forum is grafted, and through which it flourished in the Dark Web, is that of the Russian perspective on the West, namely anti-Western/NATO sentiment and rhetoric. However, Infinity represents not only an ideological stronghold against the West; it also seems to be a cyber-arm of a well-known and deeply rooted ideology in the Post-Soviet space: Neo-Eurasianism (Russian: Eвразийство; Romanized: Yevraziystvo). Neo-Eurasianism is a political doctrine affirming that Russia occupies a median position between Europe and Asia and that Russia’s specific features and culture are the result of the fusion of Slavic and Turko-Muslim peoples. The main ideological grounds of Neo-Eurasianism are the following:
- anti-Western rhetoric which includes sharp criticism against Europe, NATO domination and capitalism;
- a strong assertion of the cultural unity of Russians and countries of the former Soviet Union as well as ethnic Russians disseminated around the world;
- the idea that the central geographical position of Eurasia entails an imperial form of political organization, leaving newly independent states no choice but to revert to a unified political entity. [3]
The Russian cyber-underground and the Infinity Forum are dominated by a plethora of ideologies ranging from Neo-Eurasianism, Pan-Slavism, Putinism, Russian Orthodoxy, Nationalism and Czarist Imperialism to nostalgia for the era of the Soviet Union (Russian: Ностальгия по СССР; Romanized: Nostal’giya po SSSR). As a result, the Russian-speaking cyber-underground is a cocktail of ideologies which look much more like propaganda and indoctrination than well-grounded political thought. However, all these ideologies have one common factor: the sublimation of the Russian Federation and of Slavic (in particular Russian) values and culture, in opposition to Western moral and cultural decay.
We considered the following contributions to the “Social Activity” section of particular interest.
1. Ideological manifesto of the organisation “Double-headed Eagle”/ “Dvuglavyi Orel”
On January 12, 2023, a user named “SvinoreZzWagnera” shared in the forum the main ideologies of an organization named “Double-headed Eagle”/“Dvuglavyi Orel”.
The username of the author, as well as his profile picture, explicitly refers to the Wagner Group (Russian: Группа Вагнера; Romanized: Gruppa Vagnera), a Russian paramilitary organization, or de facto private army, of Russian President Vladimir Putin.
Infinity Forum: “SvinoreZzWagnera” profile
Telegram; “Na Zloby dnya” profile picture
The author is also active on Telegram, where he owns a channel named “Na Zloby dnya” (Russian: На Zлобу дня), which literally translates as “on the malice of the day”. However, this is a literary Russian expression meaning “topical, something that arouses strong public interest”. It is also interesting to observe the pun in the expression, where the first letter “Z” of the word “Zлобу” is written in a Latin character rather than the Cyrillic one, as standard orthography requires. The reason behind this choice is to emphasise the letter Z, one of several symbols (including “V” and “O”) painted on military vehicles of the Russian Armed Forces involved in the 2022 Russian invasion of Ukraine. It is speculated that the Z helps task forces distinguish themselves from other forces. It has also become a militarist symbol used in Russian propaganda and by Russian civilians as a sign of support for the invasion.
Extract of the post published on the Infinity Forum
The author published on the forum the main points of the ideology proclaimed by the Russian supra-party public organization “Double-headed Eagle”/“Dvuglavyi Orel”, also known as “Tsargrad”, established in November 2015. The organisation’s main objectives are to revive the Russian Empire within its historical borders, represent the interests of the Russian people, protect the Russian Orthodox Church and fight against Russophobia.
The author is probably a member of the aforementioned organization, and in his post on the Infinity Forum he summed up its ideology.
Below is a translation of a significant passage of the post:
The main issues for us are the preservation of the people, the protection of the traditional family, the birth and upbringing of children, the reunification of the Russian people, the protection of compatriots, historical, cultural and educational policies, the protection of traditional values, Russian culture, and migration policy. Revival of the Russian Empire within its historical borders. We must unite the supporters of the Empire throughout the post-Soviet space – in Ukraine and Novorossia, in Belarus and the Baltic states, in Moldova and Transnistria, in the Caucasus and Central Asia. The imperial idea should be embodied not only in the development of the modern Russian Federation, but also in the development of the Eurasian Union and the Union State of Russia and Belarus.
Throughout the post, and more generally in the Russian cyber-underground, we can observe a high degree of politicization. Cyber operations conducted by these hacktivist groups are driven by political and moral objectives rather than economic ones.
The author then closes his contribution to the forum with a quote by the Russian commander Alexander Vasilyevich Suvorov, uttered during the so-called Swiss campaign: “We are Russians! God is with us!” (Russian: Мы — Русские! С нами Бог!; Romanized: My Russkie! S nami Bog!).
The same words constitute the official motto of the Tsargrad Society/Dvuglavyi Orel.
Official website of the Tsargrad Society/Dvuglavyi Orel
2. Terrorist threats against schools, police stations, media and airports in Lithuania claimed by National Hackers of Russia
From 23 to 26 January Lithuania received false reports of planted explosive devices at Vilnius and Kaunas district courts, airports, prosecutors and schools. Vilnius District Police was informed that explosive devices were planted in all schools, airports and all prosecutor’s offices. The district courts of Vilnius and Kaunas also received reports of the presence of explosives and reported this to the police. Passengers from all of the country’s airports were evacuated after receiving information via email about a possible explosive device at an unidentified Lithuanian airport. [4]
The cyber-collective National Hackers of Russia (Russian: Национальные Хакеры России; Romanized: Natsional’nye Khakery Rossii), one of the hacktivist groups that are official members of the Infinity collective, claimed responsibility for the threats received by schools, police stations, media and airports in Lithuania. The threats against Lithuanian targets were part of the cyber-collective’s “Operation Visas” (Russian: Операция Визы; Romanized: Operatsiya Vizy). This operation, as declared by the group, was originally directed against Lithuania but was then extended to all Baltic countries, thus including Latvia and Estonia.
It is interesting to underline that they reject being defined as terrorists. Instead, they consider themselves patriots who defend their country, Russia, from its enemies.
Translation:
And anyone who thinks we are terrorists – f**k off. We protect the rights, interests and freedom of our people. We punish the enemies of Russia and restore justice.
The cyber-collective claimed responsibility for the threats both on their Telegram channel and through a post published on the Infinity Forum on January 29, 2023.
Translation:
VISA OPERATION
Already yesterday we completed our first operation in Lithuania. We were responsible for evacuating the buildings of state institutions. We destabilised all the security services in Lithuania throughout the week.
Many people know about us, many media outlets write about us. The Visa Operation did not achieve the expected result, but notably we destabilized the Lithuanian security services. However [this operation] is coming to an end and now the operation DIE POLAND against the Polish government will be ahead.
Below we provide some evidence of the responsibility claimed by the National Hackers of Russia on their Telegram channel.
23 January 2023
Translation:
Our main enemy is LITHUANIA.
Lithuania is a NATO state, a state that has recognized Russia as a terrorist nation. And in general Lithuania was born a w**re.
Today the airport and private school in Vilnius will be in shock.
26 January 2023
Translation:
Today, the National Hackers of Russia team made decisions to expand the goals of our Visa operation.
Now our targets are the Baltic states. These are Lithuania, Latvia, Estonia. Our requirements are the same.
So now the whole Baltic region is fu***d.
We appeal to our audience once again. We ask you to leave in the comments the emails of the Baltic targets that should be wiped off the face of the earth and tomorrow the infrastructure and services of the entire Baltic will be destabilized. Please leave it like this: Mail – Name of the target, what kind of target is that in short, the state where it is located.
Be afraid of us, Baltic clowns.
28 January 2023
Translation:
Good morning country! Yesterday’s summary of our activities appeared. Many state institutions were evacuated.
hxxps://obzor[.]lt/news/n88109[.]html
hxxps://vk[.]com/wall-213640588_2843
Operation Visa continues.
On 28 January, they also announced a new operation, this time against Poland:
Translation:
We declare total war against Poland. We announce the beginning of our Operation “DIE POLAND”.
Its goal is to destabilize the police and state authorities every day. There are many reasons for such an operation, the transfer of weapons to Ukraine, support to Ukrainian Nazism, unfair sanctions against Russia and many other grounds.
Poland still has not thanked Russia for the fact that in the past our nation saved her as*. And now this ungrateful NATO wh**e also supports the enemy of Russia, it’s a shame to help after such a thing.
3. Destabilization campaigns in Europe
On 21 January, the hacktivist group SARD (Special Attack and Reconnaissance Division), an official member of the Infinity Forum, claimed responsibility for protests held in Poland by pro-Russia movements against the government’s stance in support of Ukraine in the on-going conflict with the Russian Federation.
The news about the protests held in Poland was also shared by Killnet on its official communication channels.
Below is the post published by the SARD cyber-collective on the Infinity Forum:
Translation:
We are SARD and we take responsibility for today’s rallies and protests in Poland. The Russian grin appeared. Glory to Russia!
4. Anti-Western rhetoric
In a post titled “Globalists. How the West brainwashes people”, a user expresses his views about what he calls “Western brainwashing”. In his contribution, the author voices explicit anti-Western sentiments, criticising Western liberalism and the choices of the “globalists” by drawing on widespread conspiracy theories about the establishment of a totalitarian new world order.
5. Beyond the borders of the Russian Federation: Russian-speaking Muslims part of the Russian Forum Infinity
A further interesting contribution we analysed in the Politologiya section concerns a news story shared in the forum. Specifically, the post is dedicated to a disrespectful act committed by Rasmus Paludan, head of the Danish far-right political party Hard Line, who on January 21, 2023 burned a copy of the Koran outside the Turkish Embassy in Stockholm, Sweden.
Translation:
Activists burned a Koran in front of the Turkish embassy in Stockholm, the far-right Stram Kurs party said on Facebook (activity banned in Russia). Local authorities had earlier allowed the action to take place. Swedish [5] radical Rasmus Paludan said it was his way of showing full freedom of speech and democracy. Turkey’s Foreign Ministry summoned the Swedish ambassador after the rally. Turkish Foreign Minister Mevlut Cavusoglu said “burning the Koran is an act of hatred.” He said such actions cannot be called freedom of expression.
Comment:
It has never been and will never be freedom of expression. An insult to the feelings of believers. And I hope this nutcase gets punished very soon and very badly.
This post is of particular interest since it suggests that Infinity Forum members are not only citizens of the Russian Federation (where there is a Muslim minority), but also Russian-speaking people of other nations of the former Soviet Union (the so-called Post-Soviet space), such as the Caucasus region and Central Asia, where Islam is one of the main and officially professed faiths.
Moreover, another post published on January 22 reports the news about Swedish government, educational and banking sites being hacked and targeted by a defacement campaign that placed a photo of the Ka’bah [6] and the Azan melody [7] on the attacked websites.
The author of the post implicitly suggests that these cyber-attacks were conducted by members of the Infinity Forum in retaliation for the disrespectful act committed by Rasmus Paludan.
Translation:
On Telegram, in particular on the MIG channel, there was the news about several Swedish government, educational and banking sites being hacked.
At the same time, a photo of the Ka’bah was posted in these sites, as well as the Azan melody.
I wonder if these are “our guys” or not?
6. Actions undertaken by members of the Infinity Forum against suspected paedophiles
Moreover, in the Politologiya section there are several posts about suspected paedophiles, in which evidence is provided along with identikits of the individuals.
Leaving aside the fact that one may not agree with the ideologies proposed by the Infinity Forum, it is worth underlining the presence of an ethical structure behind their operations. This movement against paedophiles could be an example of such an ethical framework. It is also relevant to highlight that we have no certainty about the actual crimes committed by the individuals publicly exposed in the forum as paedophiles. However, the authors published evidence of their crimes along with the main contact information and profile photos of the perpetrators.
7. Slavic Brotherhood
The call to “Slavic Brotherhood” (Russian: Братья Славяне; Romanized: Brat’ya Slavyane) made by the author of the post is a genuine invitation to stop the war between Slavic people.
However, this concept has its roots in Pan-Slavism, a political ideology which crystallized in the mid-19th century and is concerned with the advancement of the integrity and unity of the Slavic peoples. Currently Pan-Slavism is widely used by ultranationalist parties like the Russian National Unity party to advocate for a Russian-dominated Slavic Union, although this type of irredentism became mainstream under Putin, with political discourse repeatedly calling for expansionism and embracing irredentist movements in Georgia, Moldova, Ukraine and other countries where there are Russian ethnic minorities.
Translation:
We are hitting each other for real. How was that ever possible? We have common blood, common culture. We get sucked in by money, but we have lived by different principles all our history. Every nation has its own culture. Ukrainians understand the language of love. The Poles are brothers, but the capitalists could not bring us into a war with each other. As many people have lived under the wing of the Russians, so many are still alive today. Brothers. The fact that France is giving Ukraine BMPs and Poland is training its army does not bode well. I wholeheartedly root for the good continuation of peace on our planet. Be kind.
Infrastructure
Overview
The domain infinity.ink was registered on 25th of December via the registrar NameCheap and uses the Cloudflare CDN to protect itself from external attacks and to hide the real IP of the web server.
Furthermore, the website uses the AntiBot Cloud service [8] at the application layer to add a further layer of protection against spam, bots, illegitimate activities and attack attempts.
The forum, like many other underground forums, is based on XenForo v2.2.9.
An analysis of the source code of the initial captcha challenge web page, which is part of the AntiBot Cloud filter, revealed a potential misconfiguration which apparently leaks the real IP hosting the infinity.ink domain:
The values of the ip and ptr variables should represent the visitor’s IP address; in this case, however, the values are static. By sending an HTTP request directly to 195.189.96.174 with the header “Host: infinity.ink”, the web server answers with the forum’s anti-spam challenge:
The IP 195.189.96.174 is geolocated in Lithuania and belongs to the UAB Cherry Servers hosting provider.
Through the analysis of passive DNS and the exposed-services history of the aforementioned IP, we detected multiple domains pointing to it, some of them associated with past suspicious activities (e.g., compromised websites, sponsorship of drug markets, casinos). However, we believe that around mid-December the server’s ownership changed, and therefore there is no correlation between Infinity and the previous activities/domains.
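The misconfiguration described above, a challenge page that bakes a fixed address into its ip and ptr variables instead of echoing the visitor’s, is something the operator of any CDN-fronted site can check for. The following Python script is an added example, not code from the article or from AntiBot Cloud: it assumes the variables are named ip and ptr as the article states, and the challenge HTML it scans is a constructed sample using RFC 5737 documentation addresses, not a capture of the real page.

```python
"""Scan a CDN-fronted page for a leaked origin address (added example).

Assumptions: the anti-bot challenge embeds the visitor's address in script
variables named `ip` and `ptr`; the HTML below is constructed for the demo.
"""
import ipaddress
import re
from http.client import HTTPConnection

# Matches  var ip = "1.2.3.4";   ptr: '...'   "ip":"1.2.3.4"
VAR_RE = re.compile(r"""\b(ip|ptr)["']?\s*[:=]\s*["']([^"']*)["']""", re.IGNORECASE)

# IPv4 ranges that cannot be an Internet-facing origin. Kept explicit so the
# RFC 5737 documentation addresses used in the sample still count as routable.
NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Constructed sample: a challenge page returning fixed values instead of
# echoing the visitor's own address and reverse DNS name.
SAMPLE_CHALLENGE_HTML = """<html><head><title>Checking your browser</title>
<script>
var ip = "203.0.113.10";
var ptr = "origin-host.hosting.example";
var ua = navigator.userAgent;
</script></head><body>Please wait...</body></html>"""


def extract_client_vars(html):
    """Return {"ip": [...], "ptr": [...]} for every assignment found in the page."""
    found = {}
    for name, value in VAR_RE.findall(html):
        found.setdefault(name.lower(), []).append(value)
    return found


def is_routable_ip(value):
    """True for a syntactically valid address outside private/special ranges."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    if addr.version == 6:
        return not (addr.is_loopback or addr.is_link_local or addr.is_multicast
                    or addr.is_unspecified or addr.is_private)
    return not any(addr in net for net in NON_ROUTABLE_V4)


def find_origin_leaks(html, visitor_ip, visitor_ptr=None):
    """List (variable, value) pairs that do not describe the current visitor.

    A correctly configured challenge echoes the visitor's own address back;
    any other routable address (or, when the visitor's PTR name is known, any
    other PTR name) hard-coded in the page is a candidate origin/backend leak.
    """
    leaks = []
    for name, values in extract_client_vars(html).items():
        for value in values:
            if name == "ip" and is_routable_ip(value) and value != visitor_ip:
                leaks.append((name, value))
            elif name == "ptr" and visitor_ptr is not None and value != visitor_ptr:
                leaks.append((name, value))
    return leaks


def fetch_direct(ip, host, path="/", timeout=10):
    """Request `path` from `ip` over plain HTTP while presenting `Host: host`.

    This is the confirmation step from the article turned into a self-check:
    if the origin serves the site's content for that Host header, the CDN can
    be bypassed, so the origin should accept traffic only from the CDN's
    address ranges and the challenge page should stop embedding the address.
    """
    conn = HTTPConnection(ip, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline demo against the constructed page; the "visitor" address and
    # PTR name are constructed as well.
    for var, val in find_origin_leaks(SAMPLE_CHALLENGE_HTML, "198.51.100.25",
                                      visitor_ptr="client.isp.example"):
        print(f"possible leak: {var} = {val}")
```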
Related websites
During our research we tried to find other sources that mentioned the forum. In doing so, we identified an interesting domain indexed on Google that sponsors the official Infinity Telegram channel and forum:
The lnflnlty.ru domain (LNFLNLTY.RU) looks like a phishing domain and has never been mentioned on the official Infinity channels. It was registered on 17 January 2023 via the registrar Regtime-ru and leverages the Cloudflare DNS service, so in this case too the real web server IP is not directly known.
Further investigation led to the identification of the potential real IP behind Cloudflare:
The IP 80[.]87[.]203[.]254, with hostname sosihuynato1.fvds.ru (the name chosen for the subdomain contains an offensive reference to NATO in Russian), responds to an HTTP GET request with the same HTML content as lnflnlty.ru.
The IP is geolocated in Russia and belongs to the JSC IOT network; the domain sosihuynato1.fvds.ru is associated with the FirstDVS hosting provider.
There are not enough indicators to state that the identified domain was created by the forum authors or that it is “officially” related to the forum, since, as previously stated, it is never mentioned in the official channels. Moreover, the presence of numerous typos makes it more suitable for future phishing/social engineering activities against the forum users themselves, or it may have been registered pre-emptively to prevent such attacks.
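Both findings above (the static ip/ptr values behind infinity.ink and the lnflnlty.ru host answering with identical HTML) come down to the same check: does a candidate address serve the site when asked for the real Host header? The script below is an added example, not the article's tooling, written for a site operator verifying their own CDN-fronted origin; it also shows the mitigation check (only the CDN's published ranges may connect directly). All hostnames and addresses in it are constructed placeholders.

```python
"""Added example, not the article's own tooling: the checks the article did by
hand, as a script a site operator runs against their OWN CDN-fronted site.
(1) request the site from a candidate origin IP with the real Host header,
(2) compare the body with what the CDN serves, (3) allowlist check for the origin."""
import hashlib
import http.client
import ipaddress
import ssl


def fetch_via_ip(ip: str, host: str, use_tls: bool = True,
                 timeout: float = 5.0) -> tuple[int, bytes]:
    """GET / from `ip` while presenting `host` in the Host header. Verification is
    off on purpose: a bare origin often shows a CDN-issued or self-signed cert."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(ip, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(ip, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def origin_exposed(cdn_body: bytes, direct_status: int,
                   direct_body: bytes) -> bool:
    """True when the candidate IP serves exactly the page the CDN serves,
    i.e. the origin answers requests that bypass the CDN altogether."""
    if direct_status != 200:
        return False
    return hashlib.sha256(cdn_body).digest() == hashlib.sha256(direct_body).digest()


def allowed_by_origin(client_ip: str, cdn_ranges: list[str]) -> bool:
    """Mitigation: accept a direct connection only if the peer address lies in
    one of the CDN's published ranges (enforce this in the firewall/web server)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cdn_ranges)


if __name__ == "__main__":
    host, candidate = "forum.example", "203.0.113.10"   # placeholders (TEST-NET)
    _, cdn_body = fetch_via_ip(host, host)              # through the CDN, by name
    status, body = fetch_via_ip(candidate, host)        # straight to the IP
    print("origin exposed:", origin_exposed(cdn_body, status, body))
```

The exact-hash comparison is what matched in the article's case (a static challenge page); pages that embed per-request tokens need those stripped before comparing.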
Conclusions
The Infinity Forum is a brand-new cyber creature, but its tentacles infiltrate several domains of the Russian cyber underground, where a tangled cobweb of cyber-collectives is forming alliances and joint operations against Western targets.
There are plenty of forums in the Dark Web, but Infinity has unique features. It is not just a standard forum: it has a strong ideology and a solid framework of values. One may not agree with their ideas or ideologies, but it cannot be said that they do not have their own principles and moral values. However, the Infinity Forum also represents a dangerous new experiment engineered by Russian hackers. Extremism has taken root among its members. They do not limit themselves to attacks in the cyber domain, as several other pro-Russia cyber-collectives do. Members of the Infinity Forum have raised the bar to a new threatening level: operations in the real world. As discussed earlier in this article, National Hackers of Russia claimed responsibility for terrorist acts conducted against Lithuania; SARD (Special Attack and Reconnaissance Division) claimed responsibility for protests and demonstrations against the government in Poland; users of the forum spread controversial ideologies that depict the West as the enemy and delineate a sharp opposition between Russia and the West.
They are agents of the Russian Information Warfare, conducting cyber operations but also psychological operations with the aim of destabilising the enemy, namely the Western countries supporting Ukraine in the ongoing conflict with Russia. There is no evidence of a potential connection with state structures of the Russian Federation. However, they explicitly operate in defence of the Russian Federation. Are they spontaneous movements or state-driven actors? We cannot provide an answer and we will avoid speculation.
Moreover, from the analysis conducted by the YCTI team, it can be affirmed that users of the Infinity Forum have, on average, a good cultural level. We are not talking about inexperienced people. The ideas they express and the arguments they make clearly show that they know what they are talking about. As previously said, one may disagree with their opinions and ideologies, but it cannot be denied that they propose well-structured ideologies and ideas. This aspect also represents a further difference from standard forums in the Dark Web, which are usually populated by users with high technical skills mainly interested in economic gain. Infinity is different: it has both highly skilled technical users and others more concerned with ideologies and political visions.
It is also worth mentioning that the Infinity Forum is composed of Russian-speaking people supporting the Russian Federation, but not all of them are Russians in the strict sense. As for the evidence shown in this research, there are members probably belonging to other areas outside Russia, where Russian is one of the official languages or is spoken by minorities as a legacy of the common Soviet past. For example, there are probably members of the forum who belong to the Caucasus region or Central Asia, where there are Russian-speaking Muslims. To mention just one example, as discussed in this research, members of the forum implicitly claimed responsibility for the cyber-attacks conducted against Sweden after the outrageous act committed by a far-right activist who burned the Koran in front of the Turkish embassy in Stockholm.
Another point that deserves attention is their organisation. What is interesting is that they are quite decentralised, without a tight and established hierarchy. Rather, they cooperate with each other on an equal level. It seems that there are no subordinates who take orders. They are a cyber-collective that shares common values and a common mission. It is interesting to notice that this decentralised structure also resembles that of the Russian criminal underworld. As observed by Galeotti [9], the Russian criminal underworld is not defined by a tight hierarchical structure and a single group striving for hegemonic control over a given territory, as the Italian mafia is. There are rather several groups of different sizes, cooperating among themselves for specific criminal activities. Therefore, their structure resembles more a network with a loose and flexible organisation.
In conclusion, we expect the Infinity Forum and the hacker groups belonging to the cyber-collective to acquire a wider relevance in the cyber hacktivism domain and greater recognition in the cybersecurity field. They represent a disruptive new type of threat, conducting operations both in the cyber and physical domains.
The cyberspace has broken through the boundaries of the real world.
Authors
Ludovico Ninotti is a member of the Yarix Cyber Threat Intelligence Team. He specialized in Russian Information Warfare and Russian-speaking cybercrime in Europe through his experience in international organizations and the private sector, as well as his research work focused on Russia. Outside of work he enjoys photography and techno/electronic music.
Giovanni Barbieri is a member of the Yarix Cyber Threat Intelligence Team. He has a master's degree in computer engineering and, in addition to research and threat intelligence activities, he enjoys making some noise with his electric guitar and travelling.
Notes
[1] ZDNet, 6 April 2005. Speech available at https://www.cnet.com/news/russian-police-our-hackers-are-the-best/
[2] Arquilla John and Ronfeldt David, Cyberwar is coming, Comparative Strategy, Vol. 12, No. 2, (Taylor & Francis: 1993). Available at https://www.rand.org/content/dam/rand/pubs/reprints/2007/RAND_RP223.pdf.
Cornish Paul, Livingstone David, Clemente Dave, Yorke Claire, On Cyber Warfare, (London: The Royal Institute of International Affairs, 2010). Available at http://www.chathamhouse.org/sites/default/files/public/Research/International%20Security/r1110_cyberwarfare.pdf
[3] Laruelle Marlène, Russian Eurasianism: An Ideology of Empire, (Washington, DC: Woodrow Wilson Center Press, 2008).
[4] https://www.lrt.lt/en/news-in-english/19/1873824/false-reports-claim-bombs-in-vilnius-schools
[5] The user of the Infinity Forum affirmed that Rasmus Paludan is of Swedish nationality; however, he is a Swedish-Danish national.
[6] The Kaaba is a building at the centre of Islam’s most important mosque, the Masjid al-Haram in Mecca, Saudi Arabia. It is the most sacred site in Islam. It is considered by Muslims to be the Bayt Allah (Arabic: بَيْت ٱللَّٰه, lit. ’House of God’) and is the qibla (Arabic: قِبْلَة, direction of prayer) for Muslims around the world when performing salah.
[7] The Azan in Arabic is the Islamic call to worship, recited by the muezzins at prescribed five times of the day. The meaning of the word is “to listen, to hear, and be informed about”.
[8] Available at: https://antibot.cloud/
[9] Galeotti Mark, The Vory: Russia's Super Mafia, (New Haven and London: Yale University Press, 2018).