Cyberattack on Russian independent media had links to US-sanctioned institute, researchers find
A Russian hosting provider allegedly involved in a recent cyberattack against independent media organizations in the country is reportedly connected to a state-affiliated research center sanctioned by the U.S., according to new research.
The hosting provider, Biterika, generated one-third of the junk traffic that flooded the websites of IStories and Verstka after they published an exposé on a child sex trafficking network in Russia that allegedly involved oligarchs and other powerful figures.
Within hours of publication earlier in June, both organizations suffered coordinated denial-of-service (DoS) attacks designed to disrupt access to their websites, according to researchers at the Sweden-based digital forensics organization Qurium.
Biterika was previously flagged as a high-risk hosting provider. It is associated with anonymization services, proxy abuse and infrastructure that enables potentially malicious internet activity. The company did not respond to a request for comment about Qurium’s research.
The company’s main owner, Valentina Aleshina, is a software engineer at a Russian state-linked tech center that is part of the Moscow Institute of Electronic Technology, which has been sanctioned by the U.S. since 2023 for its role in military technology development. Aleshina was reportedly involved in designing military software used with locally-produced chips, according to Qurium.
While Aleshina herself has not been named on any international sanctions lists, Qurium’s findings suggest she played a key role in transferring technical infrastructure from the state-linked institution to Biterika. Her now-defunct network — AS208475 — once held nearly 10,000 IP addresses, large portions of which were absorbed into Biterika’s systems, Qurium said.
Researchers say Aleshina’s use of infrastructure tied to a sanctioned Russian institution and her links to a high-risk hosting provider “raise significant attribution and compliance concerns.”
“Her case serves as a cautionary example of how sanctioned entities may still exert operational influence through affiliated individuals and independently registered technical assets,” the researchers said.
Proxy services are often exploited to conceal the true origins of malicious internet activity. So-called "bulletproof hosts" deliberately ignore the content and activity on their servers, even if it is illegal, unethical or violates terms of service. These providers turn a blind eye to phishing, malware, botnets, spam, child exploitation material or hacking tools.
On Tuesday, the U.S. sanctioned the St. Petersburg-based bulletproof hosting service Aeza Group. In February it sanctioned Russian bulletproof hosting service Zservers, which was used to facilitate ransomware attacks by the LockBit gang. Last year, Qurium uncovered infrastructure located or registered in Europe used by a prolific Russian-language disinformation network known as Doppelgänger, as well as by cybercriminals.
At the core of Doppelgänger’s operations in Europe and Russia is a company called Aeza — a Saint Petersburg-based hosting provider that allows suspected criminals to operate on its servers and reportedly finds many of its clients on the darknet.
In a report last week, U.S. cybersecurity firm Trustwave revealed that the threat actor known as Blind Eagle used the Russian bulletproof hosting service Proton66 to host various types of malicious content, including phishing pages.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.