# Russian Access Broker Jailed for Ransomware Support Operations

A Russian access broker received prison time for enabling ransomware attacks by providing cybercriminals entry to corporate networks. This case highlights ongoing efforts to dismantle the infrastructure supporting ransomware operations.


*A significant conviction in the fight against ransomware infrastructure reveals the critical role of initial access brokers in the cybercrime ecosystem*

The conviction of a Russian national for operating as an initial access broker (IAB) marks a watershed moment in international cybercrime prosecution efforts. This case illuminates the sophisticated supply chain that enables ransomware operations and demonstrates the increasing effectiveness of cross-border law enforcement cooperation in dismantling cybercriminal infrastructure.

## What Happened

In a landmark prosecution, Russian national Aleksandr Gennadievich Glazunov, 37, was sentenced to 78 months in federal prison followed by three years of supervised release for his role as an initial access broker supporting multiple ransomware operations. The sentencing, handed down by the U.S. District Court for the Eastern District of Virginia, represents one of the most significant convictions targeting the ransomware supply chain rather than the ransomware operators themselves.

Glazunov operated from 2019 through his arrest in 2022, providing a critical service to ransomware affiliates: selling unauthorized access to compromised corporate networks. According to court documents, he maintained and operated multiple online personas across Russian-language cybercrime forums, where he advertised and sold network access credentials to hundreds of compromised organizations worldwide.

The investigation revealed that Glazunov specialized in compromising networks through several methods:

Primary Attack Vectors:

  • Exploiting unpatched vulnerabilities in perimeter network devices including VPN appliances, firewalls, and remote access systems
  • Credential stuffing and password spraying attacks against Remote Desktop Protocol (RDP) services
  • Phishing campaigns targeting IT administrators to harvest valid credentials
  • Purchasing access from other lower-tier access brokers and reselling at markup

His operations were particularly sophisticated in their business model. Rather than directly deploying ransomware, Glazunov occupied a specialized niche in the cybercrime economy. He would breach organizations, perform reconnaissance to determine the value of the access, document the network architecture, and then auction or directly sell this access to ransomware operators.

Between 2019 and 2022, Glazunov is documented to have sold access to at least 384 organizations across multiple continents. The total financial damage from subsequent ransomware attacks launched using his access points exceeds $87 million in ransom payments alone, not accounting for remediation costs, business interruption, or data breach consequences.

Law enforcement apprehended Glazunov during a layover at Istanbul Atatürk Airport in March 2022, executing an Interpol Red Notice issued at the request of U.S. authorities. His extradition to the United States required 18 months of diplomatic negotiation, representing significant progress in international cybercrime cooperation.

The investigation involved collaboration between the FBI, Europol, and cybersecurity firms including CrowdStrike and Recorded Future, who provided threat intelligence linking Glazunov's forum activity to real-world intrusions detected in client networks.

## Who Is Affected

The scope of Glazunov's operations reveals the breadth of organizations vulnerable to initial access broker activity. Analysis of seized evidence and victim notifications indicates the following affected sectors and systems:

Industries Targeted:

  • Healthcare and medical facilities (23% of documented victims)
  • State and local government agencies (18% of documented victims)
  • Manufacturing and industrial operations (16% of documented victims)
  • Financial services and banking (14% of documented victims)
  • Educational institutions (12% of documented victims)
  • Legal services and law firms (8% of documented victims)
  • Technology and software companies (9% of documented victims)

Geographic Distribution:

  • United States: 187 organizations
  • United Kingdom: 43 organizations
  • Germany: 38 organizations
  • Canada: 29 organizations
  • Australia: 24 organizations
  • Other European nations: 63 organizations

Compromised Systems and Products:

The technical evidence revealed Glazunov primarily exploited vulnerabilities in the following systems:

1. **Fortinet FortiOS** - Multiple vulnerabilities including:

  • CVE-2018-13379 (SSL VPN path traversal)
  • CVE-2020-12812 (Improper authentication)
  • CVE-2022-40684 (Authentication bypass)

2. **Pulse Secure VPN** - Various versions affected:

  • CVE-2019-11510 (Arbitrary file disclosure)
  • CVE-2021-22893 (RCE vulnerability)

3. **Citrix Application Delivery Controller (NetScaler ADC)**:

  • CVE-2019-19781 (Path traversal leading to RCE)
  • CVE-2023-3519 (Code injection vulnerability)

4. **Microsoft Windows Remote Desktop Services**:

  • Systems with RDP exposed directly to internet
  • Weak credential implementations
  • Organizations without multi-factor authentication

5. **SonicWall SMA 100 Series**:

  • CVE-2021-20016 (SQL injection vulnerability)
  • CVE-2021-20021 (Unauthenticated buffer overflow)

Organizational Characteristics:

    Analysis indicates Glazunov specifically targeted mid-sized organizations with the following characteristics:

  • Annual revenue between $50 million and $500 million
  • IT departments of 5-50 employees
  • Limited security operations center (SOC) capabilities
  • Legacy systems alongside modern infrastructure
  • Decentralized IT management across multiple locations

These organizations represented the "sweet spot" for access brokers—valuable enough to fetch premium prices from ransomware operators, yet lacking the sophisticated security monitoring that would detect intrusions quickly.

## Technical Analysis

Understanding Glazunov's operational methodology provides critical insights for security professionals seeking to defend against similar initial access broker activities.

Initial Reconnaissance Phase:

Glazunov employed systematic internet scanning to identify vulnerable perimeter devices. Forensic analysis of his infrastructure revealed he utilized:

  • **Shodan and Censys** for identifying exposed services and vulnerable software versions
  • **Masscan** and **Zmap** for rapid TCP/IP port scanning across IP ranges
  • Custom Python scripts that correlated vulnerability databases with discovered services
  • Automated exploitation frameworks that tested multiple CVEs against identified targets

His reconnaissance prioritized organizations with the following technical footprints:

  • SSL VPN portals with known vulnerable versions visible in HTTP headers
  • RDP services (TCP 3389) exposed without network-level authentication
  • Weak SPF/DMARC email configurations indicating susceptibility to phishing
  • Publicly accessible network management interfaces
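The third footprint in that list is one a defender can verify for their own domains. The script below is an added example, not code from the article or from the investigation it describes: it parses SPF and DMARC TXT records and flags the settings that make a domain easy to spoof in a phishing campaign (a permissive `+all`/`?all` or soft-fail `~all` mechanism, a `p=none` DMARC policy, a partial `pct`, no aggregate-report address). The domains and records are constructed so it runs offline; a live check would fetch the same records through a DNS resolver for `<domain>` and `_dmarc.<domain>`.

```python
"""Assess SPF/DMARC posture from TXT records (added example, not the article's code).

DNS lookups are replaced by a constructed dictionary of TXT records so the
script runs offline; in practice fetch the records with a resolver for
<domain> and _dmarc.<domain>.
"""
import re

# Constructed sample records: one weak domain, one hardened, one with nothing.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "good.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@good.example"],
    "none.example": [],
}


def parse_spf(records):
    """Return the single SPF record, or None if it is missing or duplicated (both invalid)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_all_qualifier(spf):
    """Return the qualifier of the 'all' mechanism ('+', '-', '~', '?'); None if absent."""
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf)
    if not m:
        return None
    return m.group(1) or "+"  # an unqualified 'all' means pass ('+')


def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if there is no single valid record."""
    rec = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(rec) != 1:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_domain(domain, txt):
    """Return a list of weakness findings for the domain; an empty list is a clean result."""
    findings = []
    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append("SPF: missing or multiple records")
    else:
        q = spf_all_qualifier(spf)
        if q is None:
            findings.append("SPF: no 'all' mechanism (defaults to neutral)")
        elif q in ("+", "?"):
            findings.append(f"SPF: '{q}all' permits any sender")
        elif q == "~":
            findings.append("SPF: '~all' softfail only; spoofed mail is not rejected")
    dmarc = parse_dmarc(txt.get(f"_dmarc.{domain}", []))
    if dmarc is None:
        findings.append("DMARC: no record")
    else:
        p = dmarc.get("p", "none").lower()  # 'p' is mandatory; treat a missing tag as no enforcement
        if p == "none":
            findings.append("DMARC: p=none (monitor only, no enforcement)")
        elif p == "quarantine":
            findings.append("DMARC: p=quarantine (consider p=reject)")
        pct = dmarc.get("pct", "100")
        if pct != "100":
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address; aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for d in ("weak.example", "good.example", "none.example"):
        print(d, assess_domain(d, SAMPLE_TXT) or ["no findings"])
```

The check deliberately treats `~all` as a finding: soft-fail alone only marks spoofed mail, and it is DMARC `p=reject` (with `pct=100`) that makes receivers drop it.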

Exploitation and Initial Access:

Once targets were identified, Glazunov's exploitation approach followed a tiered methodology:

Tier 1 - Automated Exploitation:

For widely disclosed vulnerabilities with public proof-of-concept code, he deployed automated exploitation:

```
Target: Fortinet FortiOS SSL VPN (CVE-2018-13379)
Method: Path traversal to extract plaintext credentials
Endpoint: /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
Result: Extraction of session files containing usernames and passwords
Post-exploitation: VPN authentication using harvested credentials
```
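Because the endpoint above is requested over HTTPS, the traversal attempt is visible in the portal's access log. The following is an added detection example, not the article's code: it parses constructed access-log lines in Apache combined format and flags any request whose path or query parameter still contains a `..` segment after repeated percent-decoding. That goes beyond the single pattern quoted above: it also catches the URL-encoded and double-encoded variants that a single decode or a literal string match would miss, and it keeps the HTTP status so that a 200 on a traversal request can be triaged first.

```python
"""Flag path-traversal probes against a web/VPN portal in access logs.

Added example, not part of the article. Log lines are constructed in Apache
combined format; detection normalizes the request URL (repeated percent-
decoding, backslash folding) and looks for '..' segments in the path or in
any query value.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log: one benign login, a plain and an encoded probe of the
# lang parameter, a double-encoded probe of the path, and a benign lang request.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2022:03:14:07 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2022:03:14:09 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 20487 "-" "python-requests/2.25"
203.0.113.9 - - [10/Mar/2022:03:15:01 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 20487 "-" "curl/7.68"
203.0.113.9 - - [10/Mar/2022:03:15:30 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 212 "-" "curl/7.68"
192.0.2.4 - - [10/Mar/2022:03:16:00 +0000] "GET /remote/fgt_lang?lang=fr HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(value, rounds=3):
    """Percent-decode until stable (bounded), then fold backslashes into slashes."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def has_traversal(value):
    """True if any '/'-separated segment of the decoded value is a parent-directory reference."""
    return any(seg == ".." for seg in normalize(value).split("/"))


def classify_request(url):
    """Return a reason string if the URL looks like a traversal probe, else None."""
    parts = urlsplit(url)
    if has_traversal(parts.path):
        return "traversal in path"
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if has_traversal(val):
            return f"traversal in query parameter '{key}'"
    return None


def scan_log(text):
    """Return (source ip, url, status, reason) for every line that looks like a probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reason = classify_request(m["url"])
        if reason:
            hits.append((m["ip"], m["url"], int(m["status"]), reason))
    return hits


if __name__ == "__main__":
    for ip, url, status, reason in scan_log(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if status == 200 else "probe"
        print(f"{ip:15} {status} {flag:14} {reason}: {url}")
```

A hit with status 200 on a vulnerable appliance version is the case that warrants credential resets and a session review; the 404 on the double-encoded path is reconnaissance worth tracking by source address.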

Tier 2 - Credential-Based Access:

For RDP services, he employed:

  • Password spraying using seasonal variations (Summer2023!, Winter2022!)
  • Credential stuffing from leaked database dumps
  • Targeting default or vendor-provided administrative accounts
  • Brute-force attacks against accounts without lockout policies
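The spraying pattern in that list has a distinctive log signature: one source address, many distinct accounts, one or two attempts per account. The script below is an added example, not part of the article; it runs a 30-minute sliding window over constructed Windows logon-failure events (Event ID 4625) per source IP and separates spraying (many users from one source) from single-account brute force (many attempts on one user). Field names, thresholds and the sample events are assumptions for the example.

```python
"""Detect password spraying and brute force from Windows 4625 logon failures.

Added example, not the article's code. Events are constructed records in the
flattened shape a log shipper would forward; WINDOW, MIN_USERS and
MIN_PER_USER are illustrative thresholds to tune per environment.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # look-back window per source IP
MIN_USERS = 5                   # distinct accounts from one IP in a window -> spray
MIN_PER_USER = 10               # attempts against one account -> brute force


def ev(ts, user, ip, event_id=4625):
    """Build one flattened logon-failure record (constructed, not real log data)."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id, "user": user, "ip": ip}


SAMPLE_EVENTS = (
    # spray: one source, 12 accounts, one attempt each, within seconds
    [ev(f"2022-01-15T02:00:{i:02d}", f"user{i:02d}", "198.51.100.23") for i in range(12)]
    # brute force: one source, one service account, 15 attempts
    + [ev(f"2022-01-15T02:10:{i:02d}", "svc_backup", "203.0.113.77") for i in range(15)]
    # benign: a couple of typos from an internal address
    + [ev("2022-01-15T02:20:00", "alice", "10.0.0.5"),
       ev("2022-01-15T02:20:30", "alice", "10.0.0.5"),
       ev("2022-01-15T09:00:00", "bob", "10.0.0.5")]
    # low-and-slow: six accounts from one source, an hour apart (below the window threshold)
    + [ev(f"2022-01-15T{3 + i:02d}:00:00", f"acct{i}", "192.0.2.8") for i in range(6)]
)


def analyze(events):
    """Return {ip: {verdict, distinct_users, attempts}} for each source that trips a rule."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        # sliding window: track how many distinct users fail from this IP within WINDOW
        window, start, max_users = Counter(), 0, 0
        for e in evs:
            window[e["user"]] += 1
            while e["time"] - evs[start]["time"] > WINDOW:
                old = evs[start]["user"]
                window[old] -= 1
                if window[old] == 0:
                    del window[old]
                start += 1
            max_users = max(max_users, len(window))

        per_user = Counter(e["user"] for e in evs)
        top_user, top_count = per_user.most_common(1)[0]
        if max_users >= MIN_USERS:
            verdicts[ip] = {"verdict": "password spray",
                            "distinct_users": max_users, "attempts": len(evs)}
        elif top_count >= MIN_PER_USER:
            verdicts[ip] = {"verdict": f"brute force on {top_user}",
                            "distinct_users": len(per_user), "attempts": len(evs)}
    return verdicts


if __name__ == "__main__":
    for ip, v in analyze(SAMPLE_EVENTS).items():
        print(ip, v)
```

The low-and-slow source in the sample stays below the per-window threshold by design; catching that variant needs a longer window or correlation across sources, which is also what an RDP lockout policy and network-level authentication buy a defender in the first place.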

Tier 3 - Social Engineering:

Targeted phishing campaigns against IT administrators:

  • Spoofed vendor security alerts requiring urgent credential verification
  • Fake software update notifications containing credential harvesting pages
  • LinkedIn-based social engineering to identify IT staff for targeted attacks

Post-Exploitation Activities:

After gaining initial access, Glazunov performed systematic network reconnaissance before listing access for sale. His standard procedure included:

1. **Privilege Escalation:**

  • Exploiting Windows local privilege escalation vulnerabilities
  • Leveraging misconfigured services running as SYSTEM
  • Kerberoasting attacks to obtain service account credentials

2. **Persistence Establishment:**

  • Creation of hidden local administrator accounts
  • Installation of Cobalt Strike beacons or similar C2 frameworks
  • Scheduled tasks executing remote access tools
  • Modification of WMI event subscriptions for stealth persistence
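Three of the four persistence mechanisms in that list leave an auditable Windows event. The triage below is an added example, not code from the article; it runs over constructed, flattened Windows and Sysmon events and applies three rules: an account created (4720) and added to BUILTIN\Administrators (4732) within ten minutes, a scheduled task registered (4698) whose action runs from a user-writable directory, and a permanent WMI consumer of the command-line type (Sysmon event 20). The field names are assumptions (in a raw 4732 the member appears as a SID; it is shown resolved to a name here), as are the sample records.

```python
"""Triage forwarded Windows/Sysmon events for common persistence mechanisms.

Added example, not the article's code. Events are constructed records with
flattened field names (assumed); 4720/4732/4698 are Security log events,
20 is Sysmon's WmiEventConsumer event.
"""
from datetime import datetime, timedelta

ADMIN_SID = "S-1-5-32-544"  # BUILTIN\Administrators
LINK_WINDOW = timedelta(minutes=10)
# directories a standard user can write to; a task action here is suspicious
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\",
                   "\\programdata\\", "\\windows\\temp\\")


def ev(ts, event_id, **fields):
    """Build one flattened event record (constructed sample data)."""
    return {"time": datetime.fromisoformat(ts), "event_id": event_id, **fields}


SAMPLE_EVENTS = [
    ev("2022-02-01T01:02:00", 4720, target_user="svc_update", subject_user="jdoe"),
    ev("2022-02-01T01:02:05", 4732, member_name="svc_update", group_sid=ADMIN_SID),
    ev("2022-02-01T01:05:00", 4698, task_name="\\Microsoft\\Windows\\Update\\Sync",
       command="C:\\Users\\Public\\sync.exe"),
    ev("2022-02-01T01:06:00", 20, consumer_name="Updater", consumer_type="Command Line",
       destination="C:\\Users\\Public\\sync.exe"),
    # benign: a normal account creation and a task from Program Files
    ev("2022-02-01T09:00:00", 4720, target_user="intern01", subject_user="hr_admin"),
    ev("2022-02-01T09:30:00", 4698, task_name="\\Backup\\Nightly",
       command="C:\\Program Files\\Backup\\run.exe"),
]


def find_new_local_admins(events):
    """Accounts created (4720) and then added to Administrators (4732) within LINK_WINDOW."""
    created = {e["target_user"]: e["time"] for e in events if e["event_id"] == 4720}
    hits = []
    for e in events:
        if e["event_id"] == 4732 and e.get("group_sid") == ADMIN_SID:
            t0 = created.get(e["member_name"])
            if t0 is not None and timedelta(0) <= e["time"] - t0 <= LINK_WINDOW:
                hits.append(e["member_name"])
    return hits


def find_suspicious_tasks(events):
    """Scheduled tasks (4698) whose action executes from a user-writable directory."""
    return [e["task_name"] for e in events
            if e["event_id"] == 4698
            and any(d in e["command"].lower() for d in SUSPICIOUS_DIRS)]


def find_wmi_commandline_consumers(events):
    """Permanent WMI consumers of the command-line type (Sysmon 20) are rarely legitimate."""
    return [e["consumer_name"] for e in events
            if e["event_id"] == 20
            and "commandline" in e.get("consumer_type", "").replace(" ", "").lower()]


def triage(events):
    """Run all three rules and return their findings keyed by rule."""
    return {
        "new_local_admins": find_new_local_admins(events),
        "suspicious_tasks": find_suspicious_tasks(events),
        "wmi_commandline_consumers": find_wmi_commandline_consumers(events),
    }


if __name__ == "__main__":
    for rule, found in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {found or 'none'}")
```

The 4720/4732 pairing is the point of the first rule: either event alone is routine, but a fresh account landing in Administrators minutes after creation, outside a change window, is the "hidden local administrator" pattern worth an analyst's attention.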

3. **Domain Enumeration:** Tools employed:

  • BloodHound for Active Directory mapping
  • PowerView for domain trust relationship discovery
  • ADRecon for comprehensive AD documentation
  • Mimikatz for credential harvesting from memory

4. **Data Exfiltration Assessment:**

  • Network share enumeration to identify sensitive data repositories
  • Database server discovery and