Former USSR internet domain a haven for cyber-criminals

Former Soviet Union domain name has become a major haven for hackers and cyber-criminals

PUBLISHED : Sunday, 02 June, 2013, 12:51am
UPDATED : Sunday, 02 June, 2013, 2:44am


The Soviet Union disappeared from the map more than two decades ago, but online an 'e-vil empire' is thriving.

Security experts say the .su internet suffix assigned to the USSR in 1990 has become a haven for hackers who have flocked to the defunct superpower's domain space to send spam and steal money.

Capitalist concerns, rather than communist nostalgia, explain the move.

"I don't think that this is really a political thing," Oren David, a manager at security firm RSA's anti-fraud unit, said, adding that other obscure areas of the internet, such as the .tk domain associated with the South Pacific territory of Tokelau, have been used by opportunistic hackers.

"It's all about business," he said.

David and others say scammers began to move to .su after the administrators of Russia's .ru space toughened their rules in late 2011.

Group-IB, which runs one of Russia's two official internet watchdogs, says that the number of malicious websites hosted across the Soviet Union's old domain doubled in 2011 and doubled again in 2012, surpassing even the vast number of renegade sites on .ru and its newer Cyrillic-language counterpart.
The Soviet domain has "lots of problems", Group-IB's Andrei Komarov said. "In my opinion more than half of cyber-criminals in Russia and former USSR use it."

The most notorious site was, which purportedly published credit records belonging to United States President Barack Obama's wife, Michelle, Republican presidential challengers Mitt Romney and Donald Trump, and celebrities including Britney Spears, Jay Z, Beyonce and Tiger Woods. The site is now defunct.

Other Soviet sites are used to control botnets - the name given to the networks of hijacked computers used by criminals to empty bank accounts, deliver spam, or launch attacks against rival websites.

Internet hosting companies generally eliminate such sites as soon as they are identified. But Swiss security researcher Roman Huessy, whose blog tracks botnet control sites, said hackers based in Soviet cyberspace could operate with impunity for months at a time.

Asked for examples, he listed a series of sites involved in ransacking bank accounts or holding hard drives hostage in return for ransom - brazenly working in the online equivalent of broad daylight.

"I can continue posting this list for ages," he said via Skype.
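The botnet control sites and fraud domains described above are what a defender would want to surface in proxy or DNS logs, and the article's own caveat applies: .su also hosts legitimate sites, so a match on the suffix is a triage signal, not a block decision. The following is an added example, not code from the article or from any of the researchers quoted; the log format and the sample lines are constructed for illustration, and the watch-list of suffixes (.su and .tk, the two the article names) is an assumption to be replaced with your own intelligence. It also shows the one mistake people make with this kind of check: matching ".su" as a substring, which would wrongly flag a host such as cdn.example.su.example.net, whereas taking the rightmost DNS label does not.

```python
"""Triage proxy-log lines whose destination host sits under a watch-listed
ccTLD such as .su or .tk.  Added example, not part of the original article.
The log format, sample lines and watch-list are constructed assumptions."""
from collections import Counter
from urllib.parse import urlsplit

# Suffixes the article names as abused; treat as a triage list, not a blocklist.
WATCHED_TLDS = {"su", "tk"}

# Constructed sample log: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2013-06-01T09:14:02Z 10.0.12.7 GET http://update.example.com/check 200
2013-06-01T09:14:05Z 10.0.12.7 POST http://panel.example.su/gate.php 200
2013-06-01T09:14:09Z 10.0.12.9 GET http://cdn.example.su.example.net/x.js 200
2013-06-01T09:15:11Z 10.0.12.7 GET http://c2.example.tk:8080/cfg 404
2013-06-01T09:15:30Z 10.0.12.3 GET https://Shop.Example.SU/catalog 200
"""


def host_of(url):
    """Lowercase hostname of a URL (port, userinfo and scheme stripped), or None."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def tld_of(host):
    """Rightmost DNS label: 'cdn.example.su.example.net' -> 'net', not 'su'."""
    return host.rstrip(".").rsplit(".", 1)[-1]


def parse_line(line):
    """Split one constructed log line into its fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status}


def flag_watched(log_text):
    """Return the parsed records whose destination TLD is on the watch-list."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        if host and tld_of(host) in WATCHED_TLDS:
            rec["host"] = host
            hits.append(rec)
    return hits


def summarize(hits):
    """Count (client, host) pairs so an analyst sees who talks to which host."""
    return Counter((h["client"], h["host"]) for h in hits)


if __name__ == "__main__":
    for h in flag_watched(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} -> {h['host']} "
              f"({h['method']} {h['status']})")
    for (client, host), n in summarize(flag_watched(SAMPLE_LOG)).items():
        print(f"{client} contacted {host} {n} time(s)")
```

Run against the sample, the script flags the POST to panel.example.su, the request to c2.example.tk and the mixed-case Shop.Example.SU entry, and leaves both example.com and the .net host that merely contains "su" as a label untouched. In production the same function would feed a case queue rather than a firewall rule, for exactly the reason Komarov gives: plenty of legitimate domains live under .su too.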

The history of .su goes back to the early days of the internet, when its architects were creating the universe of country code suffixes meant to mark out a website's nationality. Each code - such as .fr for France or .ca for Canada - was meant to correspond to a country.

Some cold-war-era domain names, such as .yu for Yugoslavia or .dd for East Germany, evaporated after the countries behind them disappeared. However, .su survived the dissolution of the Soviet Union in 1991 and the creation of a .ru domain in 1994, resisting repeated attempts to wipe it from the Web, because, unlike the custodians of those other defunct domains, those behind .su refused to pull the plug, on both commercial and patriotic grounds.

With more than 120,000 domains registered, mothballing .su now would be a messy operation.

"It's like blocking .com or .org," Komarov said. "Lots of legitimate domains are registered there."

Among them are, which eulogises the dictator, and the English-language, an absurdist parody site.

But experts say many are fraudulent, and even the organisation behind .su accepts that.

"We realise it is a threat for our image," said Sergei Ovcharenko, whose Moscow-based non-profit Foundation for Internet Development took responsibility for .su in 2007.

Ovcharenko insisted that only a small number of .su sites were malicious, although he acknowledged that criminal sites could stay online for extremely long periods of time. He said his hands were tied by weak Russian legislation and outdated terms of service, but promised that stricter rules were on their way after months of legal work.

"We are almost there," he said. "This summer, we will be rolling out our new policy."

Meanwhile, .su has become increasingly notorious, an online echo of the "evil empire" tag assigned to the Soviet Union by United States president Ronald Reagan 30 years ago.

David said the emergence of a communist relic as a 21st century security threat was bizarre.

"I thought that the Berlin Wall and my grandma's borscht were the only remnants of the Soviet Union," he said. "I was wrong."

Associated Press