Cyber Incident Victim: Russian Federal Drug Control Service Liquidation Commission
Date: Dec 2016
Location: Russia
Summary
A hacker known as Cryptolulz666 conducted a distributed denial-of-service (DDoS) attack against a Russian government agency's website, specifically the page of its drug control service liquidation commission. The attacker used a NetBIOS amplification technique, drawing on approximately 2 million compromised bots discovered through internet scanning, together with self-developed Python scripts and spoofing servers to generate sustained malicious traffic. The attack left the website inaccessible for several hours; the hacker claimed the motive was to expose inadequate security measures in government systems and to make the authorities take notice.
Description
In December 2016, the hacker known as Cryptolulz666 carried out a series of disruptive cyber operations against government websites, culminating in an attack on the online portal of the Russian Federal Drug Control Service liquidation commission. This followed an earlier compromise of the Russian embassy of Armenia's website through a blind SQL injection vulnerability, which the attacker said was intended to raise security awareness. After testing his capabilities with a DDoS attack against the Italian government's startup visa website (italiastartupvisa.mise.gov.it), Cryptolulz666 turned to the Russian drug control service's site (www.fskn.gov.ru/pages/main/info/43634/index.shtml). The attacker used a NetBIOS amplification technique: the NetBIOS name service runs over UDP, so a query sent with a spoofed source address is answered to that address with a response roughly three times larger than the query itself. To assemble this attack infrastructure, he scanned roughly 10% of internet-accessible systems and identified two million vulnerable devices that could serve as amplifiers.

The sustained DDoS campaign rendered the Russian Federal Drug Control Service website inaccessible for multiple hours, showing that the attacker could keep up disruptive pressure over time. Cryptolulz666 added two spoofing servers, controlled through custom Python scripts, to stabilise the flow of malicious traffic toward the target. In post-incident communications, the hacker described the operation as an effort to raise awareness of governmental cybersecurity deficiencies, explicitly citing inadequate protection of critical web assets. He stated that a single run of the attack achieved prolonged downtime without any follow-up action and announced plans to target additional government websites with similar methods. Technical analysis found that the NetBIOS vectors produced a distributed reflected denial of service (DRDoS) condition by abusing misconfigured network devices that answered spoofed requests; no evidence indicated any data compromise beyond the impact on service availability. The incident highlighted how exposed public-sector infrastructure is to volumetric attacks orchestrated by individual actors with moderate technical resources.
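As an added defensive example (not from the incident record), the following Python flags local hosts that are being used as NetBIOS reflectors, using the amplification pattern described above: repeated UDP/137 queries from one outside address answered with much larger replies. The flow-log format, the address prefixes and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
NETBIOS_PORT = 137
MIN_RATIO = 2.0    # the page reports ~3x amplification; 2x leaves headroom (assumption)
MIN_QUERIES = 3    # a handful of legitimate lookups should not raise an alert

# Constructed sample flow log, not from the incident. Assumed line format:
# "<src_ip>:<sport> -> <dst_ip>:<dport> <proto> <bytes>". 198.51.100.7 plays the
# spoofed source (the real victim); 192.0.2.x are local hosts answering NetBIOS queries.
SAMPLE_FLOWS = """\
198.51.100.7:137 -> 192.0.2.5:137 udp 50
192.0.2.5:137 -> 198.51.100.7:137 udp 150
198.51.100.7:137 -> 192.0.2.5:137 udp 50
192.0.2.5:137 -> 198.51.100.7:137 udp 150
198.51.100.7:137 -> 192.0.2.5:137 udp 50
192.0.2.5:137 -> 198.51.100.7:137 udp 150
203.0.113.9:137 -> 192.0.2.6:137 udp 50
192.0.2.6:137 -> 203.0.113.9:137 udp 150
"""
FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\w+) (\d+)$")

def parse_flow(line):
    """Parse one flow line into (src, sport, dst, dport, proto, bytes), or None."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, proto, nbytes = m.groups()
    return src, int(sport), dst, int(dport), proto.lower(), int(nbytes)

def find_abused_reflectors(log_text, local_prefix="192.0.2."):
    """Return {reflector_ip: (peer_ip, query_count, amplification_ratio)} for local
    hosts answering repeated UDP/137 queries from one outside address with far larger replies."""
    stats = defaultdict(lambda: [0, 0, 0])  # (reflector, peer) -> [queries, bytes_in, bytes_out]
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow[4] != "udp":
            continue
        src, sport, dst, dport, _, nbytes = flow
        if dport == NETBIOS_PORT and dst.startswith(local_prefix):   # inbound query
            entry = stats[(dst, src)]
            entry[0] += 1
            entry[1] += nbytes
        elif sport == NETBIOS_PORT and src.startswith(local_prefix):  # outbound reply
            stats[(src, dst)][2] += nbytes
    alerts = {}
    for (reflector, peer), (queries, bytes_in, bytes_out) in stats.items():
        if queries >= MIN_QUERIES and bytes_in and bytes_out / bytes_in >= MIN_RATIO:
            alerts[reflector] = (peer, queries, round(bytes_out / bytes_in, 2))
    return alerts
```

A host that appears in the result should have UDP/137 blocked at the network edge, since a NetBIOS name service reachable from the internet has no legitimate use there.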
