FSB Operatives Exposed: A Live OSINT Investigation
An OSINT Industries Palette investigation, delivered as a live webinar, whose findings matter to the UK’s future.
“The risk of cyber attack is severe, and attacks on key public services are likely to happen regularly.” – Gareth Davies, Head of the UK’s National Audit Office [Source: NAO]
Cyber threats to the United Kingdom from Russian Advanced Persistent Threat (APT) groups are showing no sign of diminishing. Several factors are behind this surge, from increased detection capabilities to geopolitical tensions. More alarming, however, is the development of APT tactics towards obfuscating their source.
Disruptive and dangerous, traditional formal APT groups are directly managed by autocratic state intelligence agencies like the Russian FSB. With political and propaganda motives, these groups undertake cyber espionage, sabotage, and disinformation campaigns against perceived ‘enemies’. A state like Russia directs APT operatives to degrade, damage and directly threaten data and systems, including those that exist to prevent physical threats to civilians.
Clear hybrid warfare by this pathway exposes the attacking regime to unwanted scrutiny. A method to preserve plausible deniability for governments – and stop ‘good guys’ tracing their threats – has arrived: outsourcing. Via ‘independent’ hacktivists, an attacking regime can deny their involvement in political impacts and propaganda victories. When exposed, organs like the FSB can claim ignorance, blaming patriotic volunteers or rogue actors, with no tricky diplomatic consequences or damning evidence.
“A radar hit by a missile can be seen to be a smoking ruin, but from the outside, a successful cyberattack on a radar may not look different from one that fails…” – James Andrew Lewis, Senior Advisor (Non-Resident), CSIS Economic Security and Technology Department [Source: CSIS]
These state-aligned hacktivists may operate ‘independently’, but receive tacit approval, indirect funding, and/or technical support in threatening the safety of their victim population. Pseudo-independent hacktivists like ‘the People’s Cyber Army’ and ‘CyberVolk’ have graduated from traditional Distributed Denial-of-Service (DDoS) attacks: their defacement (altering official websites with propaganda messages), ransomware and wiper malware, espionage and data theft manoeuvres show a more disorganised, volatile strategy. However, given the obfuscating shield of an ‘independent’ actor, organs like the FSB have extended their tactics beyond symbolic attacks, attempting to compromise power grids, water facilities, healthcare systems and transportation networks in operations that directly threaten citizens’ livelihoods – and lives.
Meanwhile, one in three UK government cybersecurity roles is vacant or filled by temporary or contingent staff; 50% of government tech roles are empty overall, and 70% of specialist security architects hold only temporary posts. 58 critical government IT systems assessed by the NAO were found to have “significant gaps in cyber-resilience”, and the cyber vulnerability of at least 228 outmoded “legacy” IT systems was an unknown quantity to the government. The NAO declined to name these weak systems for fear of helping already-savvy attackers choose better targets. The UK is increasingly defenceless against a growing Arctic storm from the East – a storm the nation’s infrastructure stands no chance of weathering in its current state.
“There is a widening gap between the increasingly complex threats… and our collective defensive capabilities in the UK… That widening gap will only become more pronounced over time as the scale and capability of cyber actors proliferates, the relationship between state and non-state actors becomes more obfuscated, and states’ abilities to understand cyber activity becomes fraught…” – UK National Cyber Security Centre Annual Review 2024 [Source: NCSC]
It’s in this climate that OSINT Industries CEO Nathaniel Fried delivered his live webinar. Nathaniel demonstrated how investigators and threat responders can discover backgrounds of key Russian bad actors using Palette, our powerful node graph investigative tool designed to map connections and uncover hidden relationships.
By visually tracing links between individuals, organizations, and digital footprints with our tool, it’s possible to piece together complex networks, analyze behavioral patterns, and cut through the FSB’s obfuscation attempts to identify potential threats with greater precision. When Palette can find what traditional methods overlook, it becomes clear how OSINT and our tool could be key to the UK’s fightback strategy.
The Target: Andrey Stanislavovich Korinets
“Welcome, everybody. Today, we're gonna be looking at a very interesting investigation into the FSB…” – Nathaniel Fried

[CAPTION: An organogram demonstrating the cyber structure of the Russian Intelligence Services.] [Source: gov.uk]
The FSB, or Federal Security Service (Федеральная служба безопасности (ФСБ)) is the successor to Russia’s notorious KGB. Since 2010, cyberattack duties like electronic surveillance of equipment and foreign penetration have been delegated to FSB Centres 16 (16-й Центр) and 18 – including APT operation, and malign activity against the UK and other nation states.
The emblem of FSB Centre 16 is designed to represent their threat: a satellite dish and a key, shattered by lightning. They’re known to have attacked the UK energy sector in 2014, the aviation sector in 2020, and perpetrated data theft over two decades with ‘Snake’ malware that saw implants infecting over 50 countries.
FSB Centre 18, a.k.a. Centre for Information Security (TsIB) Military Unit 64829, sits within the FSB 1st Service, a ‘counter-intelligence’ organ. The NCSC, however, has assessed with certainty that they operate a well-known threat actor against the UK: ‘Star Blizzard’.
The US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) agree that this group is an FSB subordinate. Star Blizzard has threatened UK democratic and political processes on multiple occasions, including operations in which they “selectively leaked and amplified the release of information in line with Russian information confrontation priorities, including to undermine trust in politics in the UK and likeminded states.”
Formerly known as SEABORGIUM and also labeled Callisto Group, TA446, COLDRIVER, TAG-53 or BlueCharlie, Star Blizzard specializes in spear-phishing and impersonation operations.

[CAPTION: Star Blizzard threat actors attempt to ensnare an intergovernmental contact.] [Source: SocRadar]
Attacks have been linked to Russia’s invasion of Ukraine, but Ukraine is not Star Blizzard’s only concern. Targets – often intergovernmental workers or even UK Members of Parliament – receive emails tailored according to operatives’ in-depth research on publicly available information. This sinister use of OSINT and SOCMINT culminates in a chosen entry point, by which time the threat actors may be indistinguishable from a legitimate professional or even personal contact. Common interests spark conversations, and once rapport is established, targets are offered a malicious link to click: something that looks like a familiar platform such as OneDrive or Google Drive, a file to download, or an event invitation. Star Blizzard then uses the open-source framework EvilGinx to harvest targets’ usernames, passwords, credentials and cookies, circumventing two-factor authentication.
However, it’s with an ex-Star Blizzard actor that OSINT Industries’ live investigation with Palette began.
“Our story starts in 2015…”
A Milan-based offensive cyber company, Hacking Team was in the business of spyware research and manufacturing; in simple terms, the business of hacking other people. Ironically, in 2015, they were hacked themselves.
Over 400 gigabytes of data were released that July, bringing an end to a prosperous run with the publication of internal emails, communications and credentials. Now that the company was on the receiving end, media coverage of the Hacking Team saga focused primarily on its unsavory client list – alongside the irony-laden tweets from the Hacking Team corporate account.

[CAPTION: The Hacking Team company Twitter feed post-hack.] [Source: Sky News]
Indeed, Hacking Team had engaged in targeting journalists, undermining human rights and collaborating with repressive regimes like Libya, Azerbaijan, Kazakhstan, Uzbekistan, Russia, Bahrain, Saudi Arabia, Sudan and the UAE. However, the Hacking Team hack had other repercussions.
“What's really interesting… What had quite a tangible impact on the world of information warfare was that they also released all of the tools and methodologies. And some of these tools were not incredibly sophisticated, but helped to automate attacking infrastructure…”
File sharing website Mega now hosted emails, files and source code that amounted to a how-to: the basics of infrastructure destabilization on an automated scale. Not long after, an investigation by F-Secure discovered a threat actor group targeting European officials, think tanks, journalists and government institutions with techniques ‘borrowed’ from Hacking Team.
The group’s interests were clearly Russian. Their operations were clearly in service of the FSB. However, this entity’s command and control structure (and competency level) differed from the existing APT known as Callisto Group or Star Blizzard. In 2017, these hackers were unsuccessfully attempting to spear-phish targets. When Russia illegally invaded Ukraine, these hackers targeted pro-Ukraine think tanks, pro-Ukraine organizations and charities, and Ukraine itself.

[CAPTION: FSB operative Andrey Stanislavovich Korinets in the FBI’s Most Wanted database.] [Source: FBI]
Our primary target, one of the two perpetrators, Andrey Stanislavovich Korinets, appears on sanctions lists in both the US and UK for his involvement in Star Blizzard/Callisto Group and global computer intrusion campaigns. Korinets is still working with Russia’s Federal Security Service (FSB), hacking into networks worldwide on behalf of the Kremlin – and demonstrating the blurred line between APT and hacktivist operations.
“As we'll soon see, these two individuals didn't have great OPSEC…”
Starting With a Name: The Hunt for Andrey Begins
(Nathaniel delivered disclaimers preceding this investigation:
- This investigation uses breached data, which may not be appropriate for every reader.
- OSINT requires OPSEC; be safe.
- The subject of this investigation is on the FBI’s Most Wanted list.
- Nation states can be dangerous; exercise caution.)
“Nice. So with all of this context, we're gonna run headfirst into an open source intelligence investigation…”
OSINT Industries Palette is a node graph investigative tool with built-in OSINT Industries capabilities: a ‘mind map’ of connections between data points. The first step – as in any investigation – is adding a node with a single source of data, like a name, email address, domain or similar. Nathaniel started simple with the full name as listed for sanctions: ‘Andrey Stanislavovich Korinets’.
“I could fire up Telegram on my phone… and maybe it would tell me the Telegram account that's connected. Then I could go do this with WhatsApp, okay.ru and all these additional sources. This would make this webinar very, very boring – and you wouldn't be able to share the screen of my phone. The way OSINT Industries works, you can automate all of these searches in thirty seconds…”
From here, it’s easy to employ OSINT Industries’ name searching capability. Right-clicking on a node initiates a search, at the cost of one credit (without free access for law enforcement, non-profits or journalists). This search would bring up a phone number. While the search was running, Nathaniel began manually sifting breached data. As the Hacking Team debacle demonstrates, many hackers are just as vulnerable to being hacked themselves.
Around 2016, a data leak featuring 20 million debtors from Russian credit institutions had exposed telephone numbers, full names, residential addresses, passport details and dates of birth – including comments in the database that clarified the nature of the debt. In early January 2023, another hack by the NLB hacker team on Russian sports store Sportmaster released 17 million emails, telephone numbers, names, genders, dates of birth and residential addresses of its users. Particularly useful was a retaliatory breach by the IT Army of Ukraine, whose stated goal to “de-anonymize Russian users” had spurred them to post more than 30 GB of data from the Russian courier service SDEK, including telephone numbers and full legal names – which tend to be required for courier services. Cross-referencing the number listed for Andrey with breaches from NumBuster, VKontakte, Avito and Russian online pharmacy Zdravcity.ru suggested that one mobile number, ending in 4442, was likely correct. This was added as a graph node and linked to Andrey’s name – now, this node could be searched too. OSINT Industries verified the number as Andrey’s with CallApp, TrueCaller and Eyecon, and revealed Yandex and WhatsApp accounts complete with a familiar profile picture.

[CAPTION: Andrey’s WhatsApp account reveals a profile picture.] [Source: OSINT Industries]
“People often search for the first thing, like a name, then get a telephone number, and that's the end of the investigation. But what you can do is recursively search again. You can take this telephone number, search it again, and pull back where else this telephone number has appeared…”
Click, Cross-Ref, Repeat: One Node Becomes a Network
By now, Nathaniel’s Palette investigation had grown exponentially. His searches so far had revealed – among physical addresses, accounts and other nodes – a rambler.ru email, alongside a listing that suggested it was part of data breaches. He cross-referenced with breached data from ZdravCity, Telderi.ru, and several hacker forum data collections and found another email address: zeg888@gmail[.]com. Nathaniel entered this node and right-clicked for an OSINT Industries search. While he waited, he double-checked a leak from Russian laboratory Gemotest, in which 30.4 million people’s names, dates of birth, genders, telephone numbers, physical addresses, insurance and passport numbers were breached from COVID testing labs. The data, including the date of birth listed on Andrey’s sanction and Most Wanted profile, matched up with the zeg888 address. Nathaniel connected the DoB and email nodes, and re-structured his visualisation for clarity with just a click.
“You've got the date of birth… but it looks kinda bad. You can just click refresh layouts, and everything will get nicely structured for you based on the settings that you have…”
It was now easy to see that Andrey’s date of birth, original telephone number and email address correlated; the image provided from WhatsApp via OSINT Industries clearly matched his Most Wanted mugshot. A deeper dive into the number ending 0442 revealed a VKontakte (VK) account, and a new email: NEPKOMI@gmail[.]com.
Continuing the investigation on Palette with right-clicks and cross-referencing of breaches, Nathaniel was able to build out an extensive visualized investigation. He found six verified email addresses, a confirmed mobile phone number, seven aliases including the English ‘Colin Ian’, and profile pictures and accounts from VK, WhatsApp, Vivino, MyFitnessPal, YouPorn and Quora, culminating in an OSINT Industries search that brought up a Google Maps account. Here, Andrey had left beer reviews – and (despite his very short hair) a review of a display sample hairdryer he had bought. This had taken place in the city of Syktyvkar, Russia, confirming where Andrey was still residing: his FBI-listed place of birth.
Working with OSINT Industries Palette
“It's all real time intelligence, automating what you as open source intelligence analysts can do yourselves…”
The success of this live investigation to uncover an FSB operative indicates how OSINT Industries Palette can transform from a simple tool into an evolving investigative ecosystem. The task of growing a network from one node allows analysts to map, link, and visualize across breaches, platforms, and identifiers in a way that organically represents an investigation, but avoids the confusion such an organic approach would traditionally cause. With Palette, both data and process are clear for all to see.
Palette is an ongoing project for our developers; Nathaniel had to manually sift and import data breaches, but this step will soon be automated. With investigations on Russian targets often necessitating the use of breached data, this capability speaks to Palette’s usefulness as an international investigation tool: graph visualization displays in a universal language the connections between disparate datasets. What’s more, the ability to export and re-import investigations maintains continuity in long-term cases that often involve a disrupted workflow, keeping things clear once your findings are exported to the relevant brokers.
Palette is poised to become even more powerful. What once required countless manual steps can now be built into a fluid, automated investigation — case by case, click by click and node by node.