Dossier Center Investigation: Prigozhin's Cyber Troops
Translated: How the IT infrastructure of Wagner, Troll Factory and Concorde works
March 18, 2023
In early autumn 2022, unknown hackers gained access to more than 1 million documents of Yevgeny Prigozhin's structures. For several months, the group maintained access to the network, siphoning off everything of interest. Some of the files from the #Wagnerleaks archives were made available to journalists from Die Welt, the Dossier Center, Insider, Paris Match, and Arte.
For five years now, the Dossier Center has been investigating the murder of three journalists in the Central African Republic who were trying to make a documentary about the Wagner PMC. We managed to study the internal structure of Prigozhin’s business empire, including the so-called “Troll Factory” (Lakhta project), the Concord group of companies, the so-called PMC “Wagner” and other business activities of the Kremlin chef: school meals, construction, hotel business, chocolate trading, media business, mining of gold, diamonds, oil, and other minerals, international political consulting, a meat processing plant in the African jungle, a car wash - and more.
Numerous publications in the media usually focus on one aspect of his multifaceted activities, although in reality they are all organically linked: wounded Wagner soldiers recover at a recreation center in Gelendzhik, Defense Ministry officials receive discount cards at the Eliseevsky store, Lakhta "trolls" meet in a building built by Prigozhin's companies and promote the services of PMCs from there to an international audience. Today, lawyers and financiers are considering concession agreements in St. Petersburg, and tomorrow in Antananarivo or Bangui. The same thing happens with elections: the same political technologists work on orders in St. Petersburg, Moscow, Tula, Kyiv, Tripoli, Maputo, and Cape Town. Employees are regularly transferred from project to project: those who yesterday chose the furniture for Prigozhin’s daughter’s apartment,
It is precisely because of this flexible structure that sanctions against Prigozhin's projects do not work well. But for all the outward independence and inconsistency in the actions of the individual parts, Prigozhin's mycelium is united by centralized information systems - today we will talk about some of them.
IT people
There are few IT specialists directly in the Wagner PMC - a few dozen people, mostly signalmen. Many more of them work for the Troll Factory, the Concord company, and the YaRus social network.
As of autumn 2021, the IT service of the Troll Factory employed about 40 people: project managers, 10 each of system administrators, back-end developers, and front-end developers, and a couple of web designers and testers.
The salaries of developers and system administrators are quite modest - from 60 to 250 thousand rubles take-home, depending on the position. On average - 110 thousand rubles.
Although in fact the employees of the Troll Factory work on the same projects, they are registered in different legal entities, mainly the media - NovInfo, Nevskiye Novosti, Ekonomiku Segodnya, the Federal News Agency (FAN), MAN LLC, and others.
In addition to the Troll Factory, Wagner, and YaRus, employees of the Company's IT department work for restaurants, hotels, and other projects. Here is how these are referred to in internal correspondence:
Car wash, VP, School meals, Eliseevsky, Russian Army, Catering, Old customs, Street food bar, Empire, River Palace 1, River Palace 2, Room 1137, River Lounge 1, River Lounge 2, RGO Catering, Motor ship Sochi, Chocolate Museum, Warehouse accounting MSK, Chalet, AUP Department of real estate, Tech. repair, Hotel, Combines (Yanino, Klenovo), Soc. food Moscow, central district.
By the way, they also take care of Prigozhin's relatives, including his mother Violetta Kirovna - recently the EU sanctions imposed on her in connection with the activities of Prigozhin and the Concorde group of companies were almost lifted.
Let's add: not only do they buy tickets for her at Concorde, but they also pay for other expenses, for example, wired Internet; the issue is coordinated at the level of the director of the IT department.
Qualification
The work biographies of the IT specialists of Prigozhin's structures vary. On the one hand, among the staff, there are talented graduate students from programs in programming and former scholarship holders of the Oxford Russian Foundation, recognized as "undesirable" because of ties to Mikhail Khodorkovsky. They are next to former accountants from Karaganda who have retrained in short-term online courses for web designers (which is reflected in the quality of the websites). There are also people with experience in military service, including in the GRU.
How do you feel about the military operation?
Many employees of the Troll Factory come to St. Petersburg from other cities or countries. This is due to the long-term negative image of Prigozhin in the urban labor market.
All potential employees, even if they work in restaurants, are subject to a mandatory two-hour interrogation on the Diana-07 polygraph. Its goal is to identify characters who are potentially disloyal or dangerous to Prigozhin and to weed out supporters of the opposition, people with contacts in the media and law enforcement agencies, drug users, and debtors.
After the start of the war, another question was added to the standard set - about the attitude towards the "military operation".
If the test subject has feelings about the war or Ukrainian relatives, he is rejected by the security service, even despite the approval of potential superiors.
Almost half of the IT people work off the books, without an employment record, and officially registered employees often receive 40–60% of their salary in envelopes, according to accounting documents. Among themselves, Prigozhin's employees discuss that, in addition to the official ("white") salary, other companies offer "something that we do not have and will not have": a flexible start to the working day, medical insurance, bonuses. Former employees also complain about the "climate in the team" - in particular, mutual intrigues. Uncompetitive working conditions may explain the low level of education among IT specialists of Prigozhin's structures. Qualified specialists can hardly withstand Prigozhin's spontaneous micromanagement and rudeness - many had moved to "unfriendly" countries even before the start of the war.
Perhaps in the coming months, Prigozhin will be able to recruit new, better employees in the IT departments. Wagner's aggressive PR campaign after the start of the war helped improve the Company's image in the eyes of the younger generation of IT students in St. Petersburg. For example, at the end of December 2022, Prigozhin held a Wagner PMC hackathon, in which talented programmers took part. Despite the criticism in social networks and the media, many of them saw nothing wrong with this. The hackathon was dedicated to drone programming and was used for recruiting — Concord structures have been actively looking for such specialists since the fall of 2021, according to internal documents. Probably, the recruitment was not only for the war in Ukraine but also for other projects. For example, employees of Wagner PMC have been using drones and quadrocopters in Syria and the Central African Republic for several years, even negligently burning one of their expensive reconnaissance drones of the Orlan model.
Despite the sanctions, the hackathon site was hosted on Amazon's AWS cloud hosting and was only blocked after activists complained.
In addition to IT specialists for the Internet projects of the Troll Factory, in 2022, more than 40 system administrators and specialists in 1C, the accounting system, worked in the central IT department and the main office of Prigozhin. By the way, their salaries are higher than those of the “factory” employees. For example, the head of the department receives not 250, but 400 thousand rubles, and her deputy - 300 thousand rubles.
Prigozhin needs so many 1C specialists due to the fact that he manages about 400 different companies - front legal entities and real enterprises with double bookkeeping (official for tax and real for internal accounting).
For example, in 2015, after Prigozhin received a contract from the Ministry of Defense to service dozens of military camps, remote access to 1C in St. Petersburg was provided to more than 360 users from various regional divisions of JSC Slavyanka and GU Housing. It was almost impossible to tell the fake companies from the real ones.
What does the Troll Factory do?
An analysis of the activity of "trolls" in social networks shows that they work most actively where you can use other people's content without restrictions and buy ads using gray schemes.
Here are some examples of rather undemanding projects of the "factory" in VK.com: news projects - "Shark", "Daring Square", "How do you like it, Elon Musk", "Strip", "Trashach", "Minning", "Dirt Warehouse", "The Art of War", "Truth Serum", "Curb City", "VideoPiter", in St. Petersburg - "Meme Horseman", animated projects "Eagle (CheBe)" and "Spot".
The budget also includes payment for publications and access to community administration in the VK "Arms of Russia", and for creating content for the project "Brezhnev's Eyebrows".
In the documents of the "factory," there are mentions of payment for publications, retweets, and likes from independent bloggers with thousands of followers who write on political topics on Twitter. For example, here:
https://twitter.com/vezhlivo;
TVJihad;
A separate line is a payment for the services of a content manager for the projects "Actual Russia" and "Actual World".
In Telegram, the “trolls” paid for publications from third-party Telegram channels, such as Media Technologist, “Somehow Like This” and “338”, paid for reposts in the “Karaulny” channel, bought places in collections and ratings, and purchased subscriber-inflation services.
According to former employees, about 400 employees now work at the “factory”, of whom more than 30 are engaged only in writing comments on media sites, and about 30 more people write comments on YouTube. Since 2019, about 40 employees have been sent to comment on publications in the Ukrainian media as well. The estimated budget for the "factory" in 2022 was 70-100 million rubles per month, excluding "special tasks".
"Special tasks"
"Special Tasks" are additional Internet projects related to the personal interests of Yevgeny Prigozhin. This category includes, for example, the organization of online harassment of Lyubov Sobol, who actively fought against corruption in the organization of school meals - an area of Prigozhin's business interests. In 2019, they spent from 700,000 to 1.7 million rubles a month on a project called Sable Hunting, although the documents do not say what exactly this money was spent on.
This also includes the payment of informants who provided information to Prigozhin's structures from the headquarters of the opposition in Moscow and St. Petersburg, the opposition media, the liberal environment, and other public groups. At various times, the staff of informers consisted of 17 to 25 people. On average, they received from 15 to 25 thousand rubles a month.
A source from the Dossier Center says that the curator of the "special tasks" is a former employee of RIA Novosti, Ilya Gorbunov. Since 2019, he has actually been in charge of the Patriot media group, since 2020 he has been in charge of the Troll Factory and all pseudo-opposition Telegram channels and has also been discrediting Governor Alexander Beglov.
The “special tasks” of Prigozhin’s employees are directed not only against oppositionists but also against figures who are entirely part of the system. A source of the Dossier Center claims that it was Ilya Gorbunov who initiated the collection of compromising evidence on Alexander Vinokurov, the son-in-law of Foreign Minister Sergei Lavrov. Novaya Gazeta reported on a criminal case against people associated with Prigozhin, who ordered the hacking of Vinokurov's SIM card and instant messengers. According to the source, compromising evidence was needed to blackmail Lavrov himself.
Gorbunov could be the direct supervisor of the administrators of the Scanner Project Telegram channel, who were detained in 2022 on charges of extorting money from the subjects of their publications. Gorbunov oversaw the Telegram channel and helped employees with connections in Moscow. Scanner itself published criticism of the Russian authorities, but, according to journalist Mikhail Maglov, it changed owners several times and eventually began to be used to discredit the opposition.
Such channels are another area of work for the Troll Factory. They have been creating their Telegram network since 2017, and in the fall of 2020, they received the Kremlin’s approval to create pseudo-opposition resources. Issues of such importance are usually resolved directly with Sergei Kiriyenko, a Dossier source claims.
In addition to the federal Telegram channels, Prigozhin controls a small “opposition” network in St. Petersburg, which is busy criticizing Beglov:
"Protest Petersburg";
"Rebellion Square";
"Petersburg ass";
"Assembly";
1703;
"Peterskaya bun";
"Earlier than all St. Petersburg";
"Warehouse of dirt";
Griboyedov Canal.
Prigozhin's Telegram channels almost never interact with other major pro-government resources, such as Kristina Potupchik's networks. All work with third-party channels is done on a paid basis: some are on a “subscription fee,” and others receive money for each publication separately. For example, in one of the documents, Prigozhin’s employees claim that in order to promote the YaRus project (which will be discussed below), they paid for posts in the following channels:
"How I Met Tetanus";
"Lentach";
"Only to no one";
"Durov's Code";
"Anti-gloss";
"Celestial";
Yaplakal;
FemaleMems;
"Chicken House" (show business news);
ebobo (show business news);
"Secular Chronicles".
In addition, even before the invasion of Russian troops into Ukraine, Prigozhin actively cooperated with the “military commanders”. His employees paid for publications in the publics "Anti-Maidan" and "Syria|Military Chronicles" and by one of the most famous "military bloggers", Yurasumy, aka Yuri Podolyak. "Military writer" Vladlen Tatarsky, aka Maxim Fomin, also received compensation for promoting the necessary theses back in 2021.
Another well-known military observer - Rybar, aka Mikhail Zvinchuk - came to work in the office of the Troll Factory a couple of years ago and actively promoted his channel at its expense. In one of the documents of that time, Zvinchuk was listed as the head of the “international direction”, where, in addition to him, 49 other people were involved and received payments, including journalist Abbas Juma and military observer Boris Rozhin (Colonel Cassad). Employees of the “international direction” of the “factory” wrote analytical materials for the FAN and promoted the theses of the “trolls” through their Telegram channels:
"Wings of War";
"Lu Man: Looking East";
"Brussels snitch";
"India Today";
"American number";
"Center for Human Rights Violations";
"The Fifth Republic";
"South wind";
"Beekeeper";
"Tales from the Favelas" and others.
Among the famous people in the archive, you can find the late Daria Dugina. She joined the Patriot media group in 2018 or 2019 and worked there until her murder. Dugina was responsible for the foreign direction, including organizing Prigozhin's publications and comments in the Turkish media. In particular, according to the source, she organized a big interview with the Aydınlık newspaper and a photo of Prigozhin on the front page.
In the budgets of Prigozhin's employees, paid publications appear not only on social networks but also in the media - from small publications to Literaturnaya Gazeta and Kommersant. A placement in the latter in the winter of 2021, according to the documents, could cost Prigozhin 750 thousand rubles.
And to make it more difficult for the public to learn about the activities of Prigozhin's structures in open sources, the budget of the "factory" includes payment for the services of a content manager for Wikipedia accounts - writing and publishing articles.
Projects
On the technical side, most of the Troll Factory's web projects are unremarkable - they are mostly simple, hastily assembled sites for publishing propaganda materials (like the "Fund for Combating Repression") or "stub sites" for shell companies. Standing apart among them is the YaRus project. It produces and distributes propaganda content in the standard factory fashion, but on a much larger scale.
«ЯRus»
YaRus has been under development with Prigozhin’s money since January 2019. The project is described as a "patriotic counterpart" to Zen, Instagram, and TikTok. The need for their own social network probably arose because of the mass purging of "troll" accounts on many portals. Judging by the reviews, videos upload sluggishly, moderation works poorly, there are few views, and monetization is almost zero.
In 2021, YaRus had 86 positions, but only 63 people actually worked there. Their total payroll was 10 million rubles a month, and the bulk of the salaries were again paid in cash. The salaries of the developers are small: project testers earn 70 thousand rubles, and the technical director 270 thousand rubles a month. Prigozhin’s total expenses for YaRus for 2021 amounted to about 30–40 million rubles per month, depending on advertising costs.
There are practically no live users on the social network, and the content is mostly copied from other platforms.
There was even a separate line in the marketing budget, “Content duplication”, and the staff list has several positions (about 10 people) for employees engaged in “search for interesting videos on the Internet”.
Much of the rest of the content is produced by Prigozhin's staff. For the work of "bloggers," three apartments were rented in St. Petersburg at the following addresses: Bogatyrsky Prospekt, 37; st. Aircraft designers, 36; Primorsky prospect, 22. Also, YaRus planned to order the service "manual filling of events" from the Daynet agency.
Comments and likes are generated by YaRus employees in two shifts - 14 people in the morning and 17 people in the evening. Each employee maintains eight separate accounts.
Servers for the project were rented from DataLine, which is part of the Rostelecom Data Processing Center, the ru service was used for SMS messages, and software for employees was purchased through softline.ru.
Services
For additional masking and bypassing IP blocking, Prigozhin's "trolls" buy proxies from the Russian services Proxy6.net and best-proxies.ru.
In order to deceive the protection against the automatic publication of comments, the “trolls” purchase the services of a captcha recognition service. The costs for it in 2021 ranged from 35 to 50 thousand rubles per month. The average cost of solving 1,000 ordinary captchas is 35 rubles, that is, the service allowed “trolls” to write about 1 million automatic comments per month (or at least 30,000 to 50,000 comments per day).
To monitor the news, the “trolls” use “Medialogia” - they once wanted to buy the services of Igor Ashmanov’s company “Kribrum”, but did not agree on the price.
Additionally, Prigozhin's people purchase subscriptions to analytics, design, and audio services: SMM Planer, AdSpoiler, Postinggram, LiveDune, SMMbro, Telegram Analytics, Canva, onlipuit.ru, Target Hunter, Adinblog, Splice, Soundly, Envato Elements, Telemetr, Artlist, Storyblock, simpleimage.services. For voice-overs, they order voice actors through Golosa24.ru.
Reviews in the AppStore and Google Play stores for YaRus and other applications were also ordered from external contractors - the Go Mobile company.
Likes for VK and YouTube are purchased from the cheat services z1y1x1, Youliker, ru, and others. In total, Prigozhin's structures spend 900 thousand rubles a month on likes for their own and dislikes for opposition videos.
In addition to services, “trolls” are constantly buying ready-made Vkontakte, YouTube, Facebook, Instagram, Google, and Protonmail accounts, since service administrations regularly block bots.
Technical capabilities
The technical capabilities of Prigozhin's structures to conduct active IT operations are also quite limited - everything is done by contractors. Here is an example of a typical task: for 8,000 rubles, an outsider was assigned to check a database of almost 300,000 telephone numbers from the Congo for links to the WhatsApp messenger.
The same situation is repeated with other countries, for example in Chad. In internal correspondence, Prigozhin’s employees call the performers “our hackers,” but in reality, they only pass orders along the chain.
An analysis of these operations leads to the conclusion that journalists often exaggerate the capabilities of the Troll Factory. Many of their successful activities have been outsourced on a commercial basis. This works for simple tasks that can be outsourced for a small fee: inflating views, likes, and dislikes, buying ads on Facebook and Instagram, buying up ready-made channels, or botting on Telegram. When creativity and skill are required, such as in live English-language online discussions on Twitter, it becomes more difficult to show results and it becomes necessary to brandish sledgehammers. What is there to say, when they are still active on livejournal.com (they maintain at least 76 accounts)?
At the same time, the "trolls" manage to use the existing commercial infrastructure, hiding among law-abiding clients, while foreign offices with local employees, sometimes hired without being told whom they work for, and an international network of companies allow their operations to continue.
Connection
Devices and Prigozhin's secret mail
As a result of the 2015 hack of Prigozhin, it became known that he used to love using an iPad - sending letters, writing memoirs, and taking selfies.
For the sake of increased secrecy, he had to part with the American device. But Prigozhin remains true to his old habits - as he did 15 years ago, he uses a Psion battery-powered organizer.
Such an ancient toy, without even an Internet connection, could protect Prigozhin from leaks if all the information were stored only there. However, backup copies of Prigozhin's personal organizer from 2012 to 2022, including the contact book and the schedule of meetings, are found in the same place as all other documents - in a shared network folder on the server.
Important servers and "closed" mail
A server with the telling name SecMail was also available on the internal network - Prigozhin's secret mail passes through it. There is also a secret file-sharing service called Msec (as well as secfs and secfs-old) and several backup servers, including bkpsec for highly secret backups. Part of the secret mail encrypted with GPG is available on a public server in Thunderbird portable edition backups.
Most of these servers, as of autumn 2022, were located at the address: St. Petersburg, Primorsky Prospekt, 78 (perhaps some backups still remained on the 9th floor of the Senator business center). As part of the investigation into the murder of Russian journalists in the Central African Republic and other crimes associated with Wagner PMC and Prigozhin, law enforcement agencies could analyze these servers. The investigation should also take a look at a NAS server named Polit_BKP, which is likely to store reports of election interference in various countries, including Russia. If the security service cleans them up, you can always deploy backups. It's also worth taking a look at a couple of Rocket.Chat servers used for internal communications.
Internet
In Syria, Libya, Sudan, and the Central African Republic, Wagner units were provided with satellite Internet using Comtech UHP routers; the serial numbers and geographic coordinates of some of them are at the disposal of the Dossier Center. This equipment was located both at large bases and at tiny stations of a few people. MikroTik routers were connected to the UHP devices - their serial numbers are known to the Dossier Center.
Satellite phones
The main workhorse for the Wagnerites is the inexpensive Thuraya satellite phone from a UAE company. In the Central African Republic alone, mercenaries use about 50 such devices. In addition, they have several handsets from the Iridium company, which Prigozhin himself sometimes uses.
"Closed" phone, CODE
Initially, Prigozhin’s employees used ordinary disposable cell phones with SIM cards registered to other people, issued “for a task,” but then switched to SMP-Atlas/2 cryptophones - they are harder to eavesdrop on. At the same time, the introduction and use of satellite phones began.
A source from the Dossier Center says that disposable phones were not reliable - even the Concorde security service has several cars with special equipment to intercept cellular network traffic. Although such equipment is intended only for security officers, it is easy to find on the open market; its use is limited mainly by legal risks.
As the numbers grew, the Wagner PMC fighters had to switch to a cheaper and more versatile home-made version of the crypto smartphone, which supports voice calls, text messages, email, and file forwarding. Prigozhin's employees call them "closed" phones; in internal documents they are called VPN, KOD, or CODE. These are phones with a customized version of the Android operating system that uses the OpenVPN protocol with self-signed certificates to create an encrypted network between devices and a central server.
Prigozhin’s employees, including the Wagner PMC, mostly use Samsung devices as “closed” phones - the Galaxy A20 and A20S models, and for some the Samsung Galaxy On8 or Samsung Galaxy A31. There are also Samsung S8 and Asus Zenfone 3 devices. All of these phones are dual-SIM.
The Dossier Center knows of more than 500 devices that were active at the time of the murder of journalists in the Central African Republic. Another 150 special telephones were used by employees of the Troll Factory. After the invasion of Russian troops into Ukraine, their number was to increase in proportion to the recruitment of Wagnerites - now there may be about 1 thousand units in operation.
This is what the interface of this messenger looks like; like the secret mail, it works inside Prigozhin's VPN. This scheme would be secure, but the central servers can be accessed from Concord's internal network, which, in turn, is open to almost the entire Internet. And since it is inconvenient to use designation codes, telephone directories are created in almost every department of Prigozhin's structures with a detailed description of who is hiding behind which number, where they are, and what they do.
Since security officers are constantly afraid of information leaks, they record the serial numbers of all registered devices, write down the number and call sign of each owner, and force the owners to sign special sheets confirming that they have been briefed. Later, these sheets are photographed, scanned, and sent, including over open communication channels, which nullifies all cybersecurity efforts.
“Closed” phones are also used by designers, video editors, and other PR people. Sometimes they are issued to foreign partners, such as officials and the president of the Central African Republic, or Russian officials of the Ministry of Defense.
The Wagnerites also use office phones to watch porn videos, visit dating sites, get acquainted with the value of "coins of various countries" and visit the Avito website. The security service is unsuccessfully trying to deal with all this - we talked about it in a separate investigation.
The secret communication itself does not work well - for example, a Wagnerian with the call sign Motorola complained about this. In addition, mercenaries have to maintain contact with the local population and other "related" organizations. So they buy local SIM cards and unregistered phones and immediately set up Telegram and WhatsApp accounts—sometimes with the approval of their superiors, and sometimes arbitrarily—to communicate with relatives and colleagues.
IT specialists also participate in telephone checks. Prigozhin’s security service gives them lists of phone numbers, names, and dates of birth of employees, after which the IT department looks for them on social networks and compiles lists of who went online or posted photos on WhatsApp, VK, or Odnoklassniki, and when. The search goes through friends and relatives, by date of birth and city - as in a real journalistic investigation. Violators are forced to delete and clean up their social network pages under the threat of heavy fines and dismissal. A typical note in a report looks like this: “Repeatedly. The surname, day, month of birth, linking the page to the phone number, the spouse's friends (the name is removed. - CD), SSHG "Cap" match.”
By 2020, about 50 of the 2,400 phones checked had active messengers.
Now, most of the pages recorded in the checks have been deleted, although some messenger users are still active and answer calls from the Dossier Center employees.
Local sims
For the operation of local “troll factories”, Lakhta employees buy a large number of local SIM cards to register accounts on social networks - this happens in many countries. For example, this is what they did in Estonia, the Central African Republic, Syria, Sudan, France, and other countries. Interestingly, the Wagnerites are massively taking Russian SIM cards abroad with them, and, of course, this should be noticeable to local operators.
Laptops
In addition to more or less standard phones, Wagner employees also have laptops of various models - mostly inexpensive HP, Lenovo, and Asus machines for 10-30 thousand rubles.
Judging by the metadata of the files, the laptops run various versions of Windows, and sometimes even pirated copies are found. The free version of Avast was seen in use as the antivirus.
A typical report on the equipment in the hands of Wagner employees looks like this:
Such reports are regularly compiled for each division, but this does not prevent unaccounted-for devices from appearing.
Internal systems
Prigozhin's internal network has several hundred servers - physical and virtual, including a significant number of physical 1C servers, as well as a whole cluster of 1C virtual machines. At some point, Concord employees even had to register their own 1C franchisee (for the shell company Vertikal LLC) in order to get a discount on countless licenses. In the accompanying documents, Prigozhin’s IT people worried that the lack of licenses could “lead to ‘unhealthy interest’ on the part of the regulatory authorities (department K and department R (MVD. — TsD))”.
The servers mostly run Windows Server 2012 R2, Windows Server 2008 R2, or Windows Server 2016; there are even "virtual machines" with Windows XP, and occasionally Ubuntu Linux is found.
Mail and SIP
To hide participation in tenders of front legal entities, several dozens of virtual mail servers (VMware) and "virtual machines" with the VLIS document management system and "bank-client" systems are used. The affiliation of all these legal entities with each other also has to be hidden - for this, many separate agreements are concluded with providers (however, sometimes they get by with the help of separate USB modems for mobile Internet). For e-mail alone, about 100 external IP addresses were used, obtained from several providers.
Address of the object | Subdivision | Service Provider
Shpalernaya, 36 (former Zhukovsky 4) | Personnel department (Zhukovsky, 3 - Mokhovaya), Vyborgskaya embankment 45 | GlobalWeb
 | Human Resources Department | Severen-Telecom
Kolpinskaya 9 | Cleaning Department (Kolpinskaya) | Obit
Krestovsky Island | Krestovsky Island (5151-5154 Khabarovsk) | Severen-Telecom
Bolshaya Pushkarskaya 25 | Warehouse Department | GlobalWeb
17 Line 22 | Building Department (Senator) | Severen-Telecom
17 | VP | Upholstered
Zelenina, 8 | Lenvo Division | Upholstered
Academician Pavlova 14/2 | Alps | 363-49-83
17 | 200 numbers for bank clients on Sredny 77 | WestCall
Univ. Emb. 21 | StreetFoodBar №1 | Megafon (issued on kmik)
Univ. Emb. 21 | StreetFoodBar №1 - Merchandiser | GlobalWeb
7th Line V.O. 76 (of. 509) | ITC (accounting) |
Yanino | food plant "Concord", CJSC "KDP" | west call
Piskarevsky 25 | CJSC "KDP" | GlobalWeb
Revolution Highway 69 | Shkolnik-SW | unitel
Alexander Nevsky Square, 2 | BusinessProf (BC Moscow) | Obit
17 Line 22 | KRO | west call
17 Line 22 | KRO office | west call
Emb. 12 Griboyedov Canal, letter A, apt. 6 | RSP LLC | GlobalWeb
Primorsky 78 | Lakhta Plaza Hotel | WestCall, Unitel reserve
Pl. Al. Nevsky, d. 2E, of. 2014 | Provision LLC | unitel
Shipbuilders st. 30, room. 234-N | Bit Plus LLC | GlobalWeb
Moss 37 lit. B, office 1 BC Oscar | KMiK LLC | GlobalWeb
16 line V.O 7, room 1404 | IP Kovaleva O.V. | GlobalWeb
8th line V.O., 19 | IP Lobanova E.A. | unitel
16 line V.O 7, pom. 1408 | OOO Real | GlobalWeb
18 line V.O. 45 Lit. A., pom 15-N | OOO Provision | Obit
16 line V.O 7, pom. 9601-9608 | OOO BusinessInvest | GlobalWeb
Sea embankment d. 21k2 room. 10N | Aktual LLC | GlobalWeb
Nevsky 17 | Empire | Obit
Bolshoi Ave. V.O., 80R, room 608, 6th floor | OOO "Information Bureau" | west call
9 Line 34 | OOO "Diva" Recruitment | GlobalWeb
5-line V.O. house 42, lit. B, room 60 | Technosila LLC | west call
Bolshoy Ave. V.O., 80, bldg. R, of. 317 | Profit Group LLC | west call
44, lit. A, of. 311A | OOO Polo | GlobalWeb
Zausadebnaya st. 31, lit. A1-A9, A1-A5, office K11 | Fiesta LLC | GlobalWeb
st. Rozenshteina 21, lit. A, room 121 - H, room. 11 | LLC Computer Law | GlobalWeb
Peat road d 7 lit A, office 310 | OOO Radius | GlobalWeb
Kolomyazhsky pr.33 | OOO Remstroyproekt | GlobalWeb
Sinopskaya 22 | OOO Businessprof | Obit
Prof. Popova 38 | Amega | unitel
 | telephony is in the Alps (ip - Veliky Novgorod) | GlobalWeb
Popova 47 | LLC Solution | GlobalWeb
Pirogovskaya emb., 21, letter A | JSC United Investment Group | unitel
Moskovsky pr., 103 | Ferrum Mining LLC | unitel
Vyborgskaya embankment, house 29, letter A, room 12-N, 13-N, 14-N, 15-N, office No. 527 | OOO "UK" | severe
Bolshoi prospect VO, 83 room 328 | | GlobalWeb
st. Zvenigorodskaya 9-11, lit L, 3rd floor, office 311 | MNK-Prof LLC | GlobalWeb
 | LLC Europolis | GlobalWeb
Ligovsky Ave., 43-45, letter B, of. 405 | MTO-Expert LLC | GlobalWeb
Lakhta, sales department | LLC Lakhta park, Lakhta Plaza | Petersburg telephone
st. Novaya d. 51 building. 26 | | Petersburg telephone
Revolution Highway 69 lit. B, cab. 425 | OOO "Verona" | Unitel
Sredny Ave. V.O. 85U | JSC "MIK" | Unitel
26th line of VO, 15, bldg. 2 | OOO Diva | Unitel
18th line V.O, d.29 | LLC "Adel" | Severen
19th line V.O., house 34, building 1, letter B, room 121-1 | LLC "Metropol" | Unitel
12 line V.O., 13, room 18-N | Main Line LLC KRO | WestCall
7-line d.76 office №304 | ITC | WestCall
Helsingforsskaya, 4, bldg. 1, lit. V, pom. 17N | Megaline | Unitel
Lakhtinskoe 85 | "LLC Legal field" | GlobalWeb
Embankment of Lieutenant Schmidt, 7 | LLC Bar Service | Unitel
 | ASP LLC | WestCall(R-Telecom)
The presence of a large number of contracts also helped in responding to tax inquiries. For example, to the request of MIFNS 18, the Global Web Group provider replied that Colosseum LLC and Center Social Nutrition LLC are two different companies that used two different IP addresses, these companies have different agreements with the provider, and protocols of communication sessions "cannot be provided for technical reasons."
Additionally, a dozen virtual mail servers are running on the network for legal entities involved in Prigozhin's international operations, such as Europolis, M-Invest, M-Finance, Wellada, Ferrum Mining, and others.
For SIP telephony, there are many Asterisk servers on the network.
Hosting
In total, 260 to 450 leased servers are used for Prigozhin's IT projects at different times. The smallest and cheapest are used for proxy and VPN services and auxiliary tasks; full-fledged ones are used for temporary and permanent web projects. Presumably, in order to mask activity and minimize the risks of sanctions, Prigozhin's employees use the services of over 20 different hosting providers.
As of September 2021, the main supplier for the Troll Factory was inferno.name hosting - where Prigozhin's employees rented about a hundred servers purchased from several accounts, probably because Inferno provides many servers with IP addresses in 20 countries of the world. Hosting "Inferno" has been registered in the UK for 10 years. The shares in Inferno were transferred several times from one offshore company to another; the Estonian company Netrox Europe OU is now listed in the register. More than 60 servers of the Prigozhin structure are rented from the Russian hosting timeweb.ru (addresses in the Russian Federation, Kazakhstan, EU), a few dozen more - from netbreeze.net (Europe, Asia, USA), and a few dozen - from ruvds.com (RF). Also, several servers are rented from the Ukrainian hosting thehost.com.ua and the American digitalocean.com, as well as from the well-known Russian companies Selectel and Infobox. Most likely, they do not even know who their client really is, in contrast to, for example, the DataLine company, which hosts the YaRus project.
Among other things, Prigozhin’s employees also rented dedicated servers from the German hosting provider Hetzner for several years, including for use as a VPN and watching movies while “being on the territory,” that is, in Syria, Sudan, and the Central African Republic.
These are some of the IP addresses:
78.47.65.117
195.201.92.6
148.251.46.106
Here are a few more permanent external IP addresses that have been directly used by Prigozhin's structures in St. Petersburg over the past few years:
Additionally, the address 193.106.74.11 was highlighted, where previously it was possible to connect to the old, Moscow office, with VPN and RDP; Cisco Anyconnect was used to connect to the VPN.
From the list of VPN networks based on Juniper 210 in different regions of Russia, it follows that Prigozhin's employees consider St. Petersburg to be the country's capital - in any case, the Moscow office is clearly in last place on the list, and even in the "Regions" tab.
Foreign sites
In addition to renting the usual commercial hosting, Prigozhin's employees sometimes installed computer equipment in rented apartments abroad - in those countries where the "trolls" were active. For example, in France, political technologists under the leadership of Jeyhun Aslanov have repeatedly tried to take part in promoting a radical agenda in social networks. The earliest such case was recorded in April 2014.
Interestingly, Dmitry Syty, one of Prigozhin’s employees in Bangui, also lived in France for some time and until recently visited there regularly.
Information (in)security
Despite the "boss's" direct prohibition on working from home, some employees worked remotely for several years. Moreover, system administrators turned off the antivirus (Avast Free Antivirus), turned on the TeamViewer 10 and AMMY Admin remote access systems, provided access to the system for third-party consultants, installed personal Skype on work computers and played Sims 4 during working hours. All this indicates the real state of affairs with cybersecurity in Prigozhin's structures.
Passwords
Prigozhin's employees often used the same passwords by default, stored them in plain text files, and sent each other files with server addresses, login passwords, and user certificates. Based on the data in these files, multiple mail accounts use the same passwords. The Dossier Center has refrained from checking their relevance, but there are good reasons to suspect that they are never changed. On the other hand, the study of passwords makes it possible once again to make sure that Prigozhin's employees have certain tendencies: the numbers 1488 often turn out to be part of the password. However, sometimes Prigozhin's employees added these significant numbers to the outgoing numbers of official documents.
Paper security
There were two open vacancies for security specialists among the system administrators in the YaRus staffing table. In other projects, such positions were simply not provided for in the staffing table.
How, then, are the requirements of the law met when organizing electronic document management with the authorities? Very simply - with a pen and paper. Nominee directors sign orders appointing one of the 1C programmers as administrator for information security, and this is where it all ends - the formal requirements are met. Because of this formalism, for employees to access network folders, paper applications signed by department heads have to be submitted for each employee, but in the end all information lies on shared network drives.
Of course, several times, especially after 2019, there were attempts to tighten the regime - the use of code designations for locations expanded: “Sands” instead of Syria, “Tsaritsyno” instead of the Central African Republic, “Lipetsk” instead of Libya, and so on. Increasingly, employees are recorded in documents by COD numbers; at some point they even changed the token numbers and the scheme for generating pseudonyms for the Wagnerites. There were also attempts to introduce rules for handling personal data.
One version of the regulation even implied 100% isolation from the Internet of workstations that processed employee data, including Wagner PMC.
The same ideas were put forward regarding accounting programs and internal accounting documents, but they remained not fully implemented.
In the archives of Prigozhin's companies, we found practically no documents indicating that the Wagnerites were trained in, or at least informed about, possible IT risks. The same emptiness is found in place of security audit reports for IT projects and IT systems - there are almost no traces of targeted information protection.
Data protection
The general attitude of Prigozhin's employees towards data protection looks careless. They repeatedly used free public hosting services (Yandex.Disk, Mail.ru) to transfer files containing sensitive information - for example, they posted copies of their databases and lists of full names and addresses of tens of thousands of residents of the Russian Defense Ministry military camps they serve.
This applies to both the central office and the Wagnerites in the field. The contents of laptops, mobile devices, and external drives of fighters and "political scientists" captured by the enemy were shown in the media, confirming that the measures to protect information on these devices were not sufficiently reliable.
Among the many thousands of files leaked at various times from Prigozhin's former and current employees, there are almost never encrypted ones. Even ordinary password-protected archives are so rare that they can be counted on the fingers: an employee with the call sign Prival put a password on his archives a couple of times, but they were later still sent, in unpacked and decrypted form, by free e-mail - Mail.ru, Gmail, Yandex.ru - or by messengers. A couple of times, “political scientists” tried to start using Tutanota encrypted mail to transfer documents among themselves, but soon returned to Telegram. It reaches the point of absurdity - Prigozhin's employees send files to each other through open communication channels with requests to "send them to a secret mail address."
Priorities
An outside observer cannot help being surprised by the fact that Wagner, in principle, keeps such detailed records and draws up such a large number of various documents on any occasion. Why do we need all these tens of thousands of receipts with passport data and exact amounts? What is the point of compiling tables in Excel indicating what amounts are paid officially, what amounts are paid in black cash, and what size bribe was paid to this or that official, minister, or rebel in a distant African country?
The answer to this question is given by the book “The Terrorist’s Dilemma: Managing Violent Organizations” - secret expenses allow employees to steal significant amounts, so even the most criminal organized crime groups and real terrorists are forced to keep detailed records of exactly how much money was spent on bribing officials, buying and transporting weapons and feeding their fighters. Multi-level control and audit make it possible to slightly reduce, but not stop, the volume of theft (theft on political projects is especially great). For the same reason - "accounting and control" - all reports, applications, invoices, justifications, receipts, and lists of real, former, and potential Wagnerites are repeatedly scanned, duplicated, and accumulated in the central office, which in the event of a hack leads to massive leaks of hundreds of thousands of classified documents.
Synergy is created by mixing business activities with the military, intelligence, political dirty deeds, and media activities. On the other hand, this brings huge problems, since the level of operational security in departments is very different and all military secrets are blabbed out by some cook, political PR assistant, or accountant.
The result is a strange imbalance: intimidation of employees with a polygraph, requirements to delete social networks, a ban on their own smartphones, the use of cryptophones, nominees to register contracts with providers, and regular investigations into information leaks are combined with an absolute disregard for digital security - no employees, no training, no instructions, no encryption, no quality monitoring of the network infrastructure; the list could go on for quite some time. In any case, this is not what you expect to see from a "transnational criminal organization". How can this be?
There are several possible explanations:
incompetence and nepotism;
deliberate sabotage by employees;
penny-pinching;
other priorities.
It seems that the latter option is the most likely: from the analysis of the documents of the security service, it can be seen that the main threats that Prigozhin and the security services of Wagner-Concord are fighting are his own employees, who pass materials about the activities of Wagner to journalists, the opposition and friends or acquaintances; the tax authorities, from which large amounts of black cash are hidden; government agencies, from which dummy bidders hide; as well as the FSB. For unknown reasons, employees of the PMC "Wagner" with friends or relatives in the FSB are instantly blacklisted, but people from the Ministry of Internal Affairs or the GRU are not. Surprisingly, the list of threats does not include Anonymous hackers, the SBU, the FBI, the NSO Group, or similar organizations from countries where Prigozhin’s employees interfere in elections or directly participate in hostilities. At least, no attempts by the Concorde and Wagner structures to take IT security issues seriously were recorded. More than Americans, Europeans, or Ukrainians, Prigozhin hides from the FSB, which is always somewhere nearby.