Web infrastructure owned by a Russian internet entrepreneur named in the Christopher Steele dossier may have been used to support the hack on the Democratic National Committee during the 2016 election, a private intelligence report newly unsealed in federal court alleges.
That same infrastructure may also have been used in spear-phishing attempts on John Podesta, chair of Hillary Clinton’s presidential campaign, according to the report. Thousands of Podesta’s emails, revealing campaign strategies and other sensitive material, were subsequently published by WikiLeaks in early October 2016.
The research report, by a former top-ranking FBI cybersecurity agent who also directed the National Security Council’s cyber-response team, found “technical evidence” suggesting the groups behind the hack used infrastructure belonging to XBT Holding, which is owned by Aleksej Gubarev.
Gubarev and his companies were named in the dossier on Russian election interference written by Steele, a former British intelligence agent, which linked them with attempts to use cyberattacks to influence the US elections and collude with Donald Trump’s campaign. Steele’s report alleged that XBT and other companies owned by the entrepreneur had been using “botnets and porn traffic to transmit viruses, plant bugs, steal data and conduct ‘altering operations’” against the Democrats.
Gubarev filed suit against BuzzFeed News after it published the dossier in January 2017. The report unsealed today was compiled by Anthony Ferrante, a private investigator and former chief of staff for the FBI’s cyber division who works for FTI Consulting, which was retained by BuzzFeed’s defense team, and filed in federal court for the Southern District of Florida.
Gubarev and his attorneys have adamantly denied that XBT or any of its subsidiaries had any role in election interference and say that they are not responsible for the actions of third parties — including hackers — who use its infrastructure.
The Russian had fought to keep Ferrante's report from public view but a petition by the New York Times to release it and other documents in the case prevailed and it was unsealed on Thursday afternoon.
In preparing his expert report, Ferrante's mandate was to determine "whether it could find any technical connections between XBT and the allegations made in the Dossier about XBT and affiliates." He did not, however, attempt to validate separate claims contained in the Dossier that alleged connections between Gubarev and Russia's top security agency, the FSB.
Concluded in May 2018 — after nine months of research — Ferrante's final report found that "XBT and its affiliated web hosting companies have provided gateways to the internet for cybercriminals and Russian state sponsored actors to launch and control large scale malware campaigns over the past decade."
It also said that XBT's "infrastructure was used to support the malicious spear phishing attack of Democratic Party leadership in 2016 which resulted in the theft and subsequent publication of highly sensitive information related to the Hillary Clinton presidential campaign."
Ferrante reported that XBT’s infrastructure had technical links to Fancy Bear, one of the two main espionage groups that US intelligence agencies have identified as conducting the attacks against the Democratic Party leadership.
In all, the report identified numerous technical connections to malicious cyber activity, including spear-phishing attempts on Democratic leadership, an attack on Ukraine’s power grid, and several fraudulent internet scams. Ferrante's report also criticized XBT's efforts to police its own infrastructure as minimal and inadequate, even after it was contacted by government regulators inquiring about suspect activity.
The report does not allege that Gubarev or XBT were directly involved with the hack or the other malicious activity, as alleged in the dossier. But it concluded: "FTI’s findings illustrate a pattern that XBT infrastructure has been a resource for cybercriminals to launch attacks without fear of repercussion, including specifically cybercriminals engaging in Russian state sponsored malicious activities.
“Based on documentation produced during discovery and deposition transcripts, Gubarev and other XBT executives do not appear to actively prevent cybercriminals from using their infrastructure. Minimal, if any, investigations were performed by XBT when their infrastructure was cited in high profile government or private security firm reports."
The report also found that Fancy Bear had used XBT servers in other cyber campaigns in the past.
Ken Bensinger is an investigative reporter for BuzzFeed News and is based in Los Angeles. He is the author of "Red Card," on the FIFA scandal. His secure PGP fingerprint is 97CC 6E32 10A2 23FE 4E84 98B4 9CFF 4214 9D26 8AA7