Yandex to sell its remaining Russian businesses for $5.2B — half its market value | TechCrunch

Yandex N.V., the Dutch parent company of the eponymous Russian internet giant, is selling the last of its remaining Russian businesses at a steep discount, following geopolitical pressures that emerged from Russia’s invasion of Ukraine two years ago.

The value of the transaction, which will include the sale of all Yandex N.V. businesses in Russia and a handful of neighboring markets, will amount to around 475 billion rubles ($5.2 billion) — roughly half of its market capitalization as per the average share price in the three months ending January 31, 2024. The markdown is due to a rule imposed by the Russian government, which stipulates that any sale of Russian assets by parent companies incorporated in countries deemed “unfriendly” by Russia will be subject to a “mandatory discount” of at least 50 percent. The Netherlands, as a member of the EU bloc that has imposed sanctions on Russia, falls into that “unfriendly” category.

For context, Yandex was founded way back in 1997 and eventually became known as “The Google of Russia,” given that it sold products broadly similar to its U.S. counterpart, including search, e-commerce, advertising, maps, transportation and more. But while Yandex’s primary market was Russia, the company went public on the Nasdaq in 2011 via a holding company called Yandex N.V. registered in the Netherlands, followed by a secondary listing three years later on the Moscow Exchange.

Yandex had been performing well as a public company, hitting a peak market cap of $31 billion in November, 2021. However, in the months that followed, Yandex’s shares nosedived as Russia invaded neighboring Ukraine, with the Nasdaq putting a temporary halt on trading before delisting Yandex (alongside several other Russian-affiliated companies) last March.

Fast-forward to today, and it’s not much of a surprise that Yandex N.V. — the parent holding company — is now offloading all remaining assets linked to Russia. Indeed, many Western companies suspended operations in Russia due to sanctions, and Yandex CEO and founder Arkady Volozh was forced out of the company after he was placed on a list of sanctions issued by the European Union.

Subsequently, Yandex has already been divesting some of its properties, including selling its news service to a rival with close ties to the Russian State, and the company announced plans for a corporate restructuring to further distance itself from its Russian roots. Yandex had also said previously that it would re-brand its Dutch holding company, though this had yet to happen — but once this deal concludes, Yandex N.V. has confirmed that it will no longer use the Yandex brand, as that will be kept by the new Russian owners.

“We expect that our international businesses will develop their own branding going forward,” Yandex wrote in a press release. “We intend to seek shareholder approval to change the legal name of YNV in due course.”

Breaking down the terms of the transaction, Yandex N.V. will be paid “at least” 230 billion rubles ($2.5 billion) in cash, which will be paid in Chinese Yuan (CNH) — presumably because the buyers, who are all Russia-based, aren’t able to transact in dollars or euros.

In terms of who the buyers are, well, Yandex says it will be a consortium led by senior managers from Yandex’s Russian businesses, who will provide some of the acquisition capital via a special purpose limited liability company called “FMP.” Other investors include an entity called Argonaut, which Yandex says is a closed-end mutual investment combined fund owned by Russian oil company PJSC Lukoil; “Infinity Management,” a special purpose joint stock company owned by venture capitalist and entrepreneur Alexander Chachava; “IT.Elaboration,” a special purpose joint stock company owned by Pavel Prass, CEO of investment manager Infinitum Asset Services; and “Meridian-Servis,” a special purpose limited liability company owned by businessman and former politician Alexander Ryazanov.

Notably, the businesses that Yandex N.V. is selling represent “more than 95%” of the Yandex Group’s revenues for the first nine months of 2023, and roughly the same portion of its entire assets and employee headcount. Put simply, Yandex N.V. will be a much trimmer outfit once this transaction closes — its remaining “non-Russian assets,” as it puts it, will include four early-stage technology businesses. These include an autonomous vehicle company called Avride; an AI cloud platform called Nebius AI; a generative AI and LLM company called Toloka AI; and edtech platform TripleTen.

Elsewhere, Yandex N.V. will also retain ownership of a data center in Finland, plus some other investments in various technology companies.

The deal, which is still subject to regulatory and shareholder approval, is touted to close in two stages — the first part will see Yandex N.V. sell a 68 percent stake of the Russian businesses within the first half of 2024 in a mixture of cash and shares in the Dutch entity. The second part is expected to close within seven weeks of that first stage closing.

The company says that it plans to use a chunk of its cash proceeds from the sale to further develop its remaining businesses, and deliver a return to its shareholders.

“Since February 2022, the Yandex group and our team have faced exceptional challenges. We believe that we have found the best possible solution for our shareholders, our teams and our users in these extraordinary circumstances,” said Yandex N.V. chairman John Boynton in a press release. “The proposed transaction will allow shareholders to recover some value for the businesses that we are divesting, while unlocking new growth potential for the international businesses we will retain and enabling the divested businesses to operate under new ownership.”

 

Microsoft says Russian hackers also targeted other organizations | TechCrunch

On Friday, Microsoft revealed that it had been the victim of a hack carried out by Russian government spies. Now, a week later, the technology giant said that it was not the only target of the espionage operation.

In a new blog post, Microsoft said that “the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations.”

At this point, it’s unclear how many organizations the Russian-backed hackers targeted.

Contact Us

Do you have more information about this hack? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email lorenzo@techcrunch.com. You also can contact TechCrunch via SecureDrop.

A Microsoft spokesperson did not respond to a request for comment asking the company to provide a specific number of victims it has notified so far.

Microsoft identified the hackers as the group it calls Midnight Blizzard. This group is widely believed to be working for Russia’s Foreign Intelligence Service, or SVR. Other security companies call the group APT29 and Cozy Bear.

Microsoft said it detected the intrusion on January 12, and then established that the hacking campaign started in late November, when the hackers used a “password spray attack” on a legacy system that did not have multi-factor authentication enabled. Password spraying is when hackers attempt to brute-force access to accounts using commonly used passwords, or a larger list of passwords from past data breaches.

“The actor tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures,” Microsoft wrote in its latest blog post. “The threat actor further reduced the likelihood of discovery by launching these attacks from a distributed residential proxy infrastructure. These evasion techniques helped ensure the actor obfuscated their activity and could persist the attack over time until successful.”
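An added example (not Microsoft's or TechCrunch's code) of detection logic for the pattern described above: a per-IP failure threshold sees nothing when each proxy address tries only once, while a long-window, per-account view of distinct failing IPs followed by a non-MFA success from an unfamiliar address does. The event layout, thresholds, account names and log lines are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real logs): time, account, source IP, outcome, MFA used.
EVENTS = [
    ("2023-11-01T09:00", "svc-legacy", "192.0.2.50", "success", False),
    ("2023-11-20T08:01", "alice", "198.51.100.7", "fail", False),
    ("2023-11-20T08:02", "alice", "198.51.100.7", "success", True),
    ("2023-11-22T03:12", "svc-legacy", "203.0.113.10", "fail", False),
    ("2023-11-24T14:40", "svc-legacy", "203.0.113.77", "fail", False),
    ("2023-11-25T10:00", "bob", "198.51.100.9", "fail", False),
    ("2023-11-25T10:01", "bob", "198.51.100.9", "fail", False),
    ("2023-11-25T10:02", "bob", "198.51.100.9", "fail", False),
    ("2023-11-25T10:03", "bob", "198.51.100.9", "success", True),
    ("2023-11-27T22:05", "svc-legacy", "198.51.100.201", "fail", False),
    ("2023-11-28T09:00", "svc-legacy", "192.0.2.50", "success", False),
    ("2023-11-30T01:30", "svc-legacy", "203.0.113.140", "fail", False),
    ("2023-12-02T04:44", "svc-legacy", "203.0.113.99", "success", False),
]

def per_ip_threshold(events, limit=5):
    """Volume rule: source IPs with at least `limit` failures. Misses thin, distributed sprays."""
    fails = Counter(ip for _, _, ip, outcome, _ in events if outcome == "fail")
    return sorted(ip for ip, n in fails.items() if n >= limit)

def find_low_and_slow(events, window=timedelta(days=14), min_ips=4, max_per_ip=2):
    """Flag accounts whose failures are spread over many IPs with few tries per IP."""
    by_account = defaultdict(list)
    for ts, account, ip, outcome, mfa in sorted(events):
        by_account[account].append((datetime.fromisoformat(ts), ip, outcome, mfa))
    findings = {}
    for account, rows in by_account.items():
        fails = [(t, ip) for t, ip, outcome, _ in rows if outcome == "fail"]
        start, hit = 0, None
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the long window forward
            per_ip = Counter(ip for _, ip in fails[start:end + 1])
            if len(per_ip) >= min_ips and max(per_ip.values()) <= max_per_ip:
                hit = (fails[start][0], per_ip)  # evidence when the threshold is first crossed
                break
        if hit is None:
            continue
        spray_start, per_ip = hit
        # IPs that logged in successfully before the spray are treated as known-good.
        known = {ip for t, ip, o, _ in rows if o == "success" and t < spray_start}
        suspect = [ip for t, ip, o, mfa in rows
                   if o == "success" and t > spray_start and not mfa and ip not in known]
        findings[account] = {
            "distinct_ips": len(per_ip),
            "failures": sum(per_ip.values()),
            "suspect_success_ip": suspect[0] if suspect else None,
        }
    return findings
```

On the sample data the volume rule returns no source IPs, while the per-account view flags only `svc-legacy`; `bob`'s three quick failures from one address are ordinary mistyping and stay unflagged.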

Once the Russian-backed hackers gained access to an account on that legacy system, they “used the account’s permissions to access a very small percentage of Microsoft corporate email accounts,” according to Microsoft, which has not yet specified how many email accounts were compromised.

Microsoft, however, said that the hackers specifically targeted the company’s senior executives, as well as people who work in cybersecurity, legal, and other departments. The hackers were able to steal “some emails and attached documents.”

Curiously, the hackers were interested in finding out information about themselves, specifically what Microsoft knows about them, the company said.

On Thursday, Hewlett Packard Enterprise (HPE) disclosed that its Microsoft-hosted email system was hacked by Midnight Blizzard. HPE said it was notified of the breach — without saying by whom — on December 12. The company said that according to its own investigation, the hackers “accessed and exfiltrated data” from a “small percentage” of HPE mailboxes starting in May 2023.

It’s unclear how, or if, this breach is linked to the hackers’ espionage campaign targeting Microsoft, as HPE said its incident was connected to an earlier intrusion where the same hackers exfiltrated “a limited number of SharePoint files” from its network.

“We don’t have the details of the incident that Microsoft experienced and disclosed last week, so we’re unable to link the two at this time,” HPE spokesperson Adam R. Bauer told TechCrunch.


US sanctions Russian citizen accused of playing key role in Medibank ransomware attack | TechCrunch

The U.S. government sanctioned a Russian national for allegedly playing a “pivotal role” in the ransomware attack against Australian health insurance giant Medibank that exposed the sensitive information of almost 10 million patients.

Thirty-three-year-old Alexander Ermakov, who has also been sanctioned in Australia and the United Kingdom, stands accused of infiltrating Medibank’s network in October 2022 to steal personally identifiable information (PII) and sensitive health data linked to approximately 9.7 million customers.

This data, which was published on the dark web after Medibank refused to pay the hackers’ $10 million ransom demand, included customers’ names, birth dates, passport numbers, information on medical claims, and sensitive files related to abortions and alcohol-related illnesses. The breach is believed to have impacted several high-profile Medibank customers, including senior Australian government lawmakers.

Ermakov was first named on Tuesday by the Australian government, which has “worked tirelessly over the past 18 months to unmask those responsible for the cyberattack on Medibank,” Richard Marles, deputy prime minister and defense minister, said in a statement.

The U.S. Treasury Department sanctioned Ermakov shortly after the Australian government imposed first-of-its-kind sanctions against the Russian national. These sanctions, the first to be issued under Australia’s new cyber sanctions framework, make it a criminal offense, punishable by up to 10 years imprisonment and heavy fines, to provide assets to Aleksandr Ermakov or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments.

Ermakov and the other hackers behind the Medibank breach are believed to be linked to the Russia-backed cybercrime gang REvil, which was previously linked to the 2021 hack of Florida-based managed service provider Kaseya that encrypted thousands of its customers’ networks.

According to the U.S. Treasury, REvil ransomware has been deployed on approximately 175,000 computers worldwide, garnering at least $200 million in ransom payments.

In January 2022, Russia’s Federal Security Service (FSB) intelligence agency said it had detained multiple people associated with REvil at the request of the U.S. authorities. The FSB’s surprise operation came just months after the U.S. Department of Justice charged a 22-year-old Ukrainian citizen linked to the REvil ransomware gang due to his alleged role in the Kaseya attack.

Google says Russian espionage crew behind new malware campaign | TechCrunch

Google researchers say they have evidence that a notorious Russian-linked hacking group — tracked as “Cold River” — is evolving its tactics beyond phishing to target victims with data-stealing malware.

Cold River, also known as “Callisto Group” and “Star Blizzard,” is known for conducting long-running espionage campaigns against NATO countries, particularly the United States and the United Kingdom.

Researchers believe the group’s activities, which typically target high-profile individuals and organizations involved in international affairs and defense, suggest close ties to the Russian state. U.S. prosecutors in December indicted two Russian nationals linked to the group.

Google’s Threat Analysis Group (TAG) said in new research this week that it has observed Cold River ramping up its activity in recent months and using new tactics capable of causing more disruption to its victims, predominantly targets in Ukraine and its NATO allies, academic institutions and non-government organizations.

These latest findings come soon after Microsoft researchers reported that the Russia-aligned hacking group had improved its ability to evade detection.

In research shared with TechCrunch ahead of its publication on Thursday, TAG researchers say that Cold River has continued to shift beyond its usual tactic of phishing for credentials to delivering malware via campaigns using PDF documents as lures.

These PDF documents, which TAG said Cold River has delivered to targets since November 2022, masquerade as an opinion-editorial piece or another type of article that the spoofed account is looking to solicit feedback on.

When the victim opens the benign PDF, the text appears as if it is encrypted. If the target responds that they cannot read the document, the hacker will send a link to a “decryption” utility, which Google researchers say is a custom backdoor tracked as “SPICA.” This backdoor, which Google says is the first custom malware to be developed and used by Cold River, gives the attackers persistent access to the victim’s machine to execute commands, steal browser cookies, and exfiltrate documents.

Billy Leonard, a security engineer at TAG, told TechCrunch that Google does not have visibility into the number of victims who were successfully compromised with SPICA, but said the company believes that SPICA was only used in “very limited, targeted attacks.” Leonard added that the malware is likely still under active development and being used in ongoing attacks and that Cold River activity “has remained fairly consistent over the past several years,” despite law enforcement action.

Google says that on discovery of the Cold River malware campaign, the technology giant added all of the identified websites, domains, and files to its Safe Browsing service to block the campaign from further targeting Google users.

Google researchers previously linked the Cold River group to a hack-and-leak operation that saw a trove of emails and documents stolen and leaked from high-level Brexit proponents, including Sir Richard Dearlove, the former head of the U.K. foreign intelligence service MI6.
