Dark Ops Undercovered: Episode V: The mysterious lawyers of Alexander Mashkevich


During the past months Qurium has received two emails from “legal representatives” of Alexander Mashkevich, an Israeli-Kazakh billionaire, businessman and investor who has major holdings and close political relationships in Kazakhstan. Both representatives requested that Qurium remove a certain article published by Kloop Media, a Kyrgyzstan media organization focusing on investigative journalism and a member of both GIJN and OCCRP.

The first email Qurium received came from Raphael Landauu and the second from Andrew Gustmann, both using Gmail accounts. Mr. Landau made multiple references to Articles of the Criminal Procedure Code of the Republic of Kazakhstan and Mr. Gustmann opted for references to the European Directive on Electronic Commerce (Directive 2000/31/EC).

Mail from Raphael Landau(u)

A small detail that caught our attention was the use of a double consonant at the end of their surnames (Landauu and Gustmann), although they both signed their letters with a single consonant.

A quick look into Raphael’s Gmail profile showed the image of a handsome man in a suit.

Gmail profile of “Raphael Landauu”.
The image shows Mose Freeman, an Israeli lawyer.

A Google reverse image search revealed that the profile image of “Raphael Landauu” was stolen from the Israeli lawyer “Mose Freeman”.

Knowing that the letters came from someone impersonating lawyers, we looked into the traffic logs of the Kloop website.

We found multiple visits to the article that they requested Qurium to remove, from the network 89.184.66.0/24 in Ukraine.

route: 89.184.66.0/24
descr: Internet Invest Ltd.
descr: Web hosting, datacenter and domain names registration in Ukraine
descr: Dedicated part
descr: Kiev, Ukraine
origin: AS28907
mnt-by: MIROHOST-MNT

A ticket system (Jira) was found

The traffic logs also revealed an interesting HTTP referer, namely jira.artdock{.}studio. The “fake lawyers” were visiting a ticket system (Jira) before sending the fake legal letters from their Gmail addresses.

"20/Oct/2021:13:45:13 +0000" "89.184.66.66" "1634737513.123" "GET" "/blog/2021/02/03/skonchalsya-alidzhan-ibragimov-izvestnyj-kak-graf-tokmakskij/" "200" "kloop.kg" "https://jira.artdock.studio/"
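The pivot described above is a filter over the access log: keep only requests for the targeted article from the 89.184.66.0/24 prefix and group the Referer values each source address sent. The following is an added example (our code, not Qurium's tooling) that assumes the quoted-field log layout shown in the line above and runs over constructed sample lines; only the first sample line reproduces the entry quoted in the post.

```python
import ipaddress
import shlex
from collections import Counter, defaultdict
from typing import Dict, Iterable

# Constructed sample log in the same quoted-field layout as the line quoted
# in the post: time, client IP, epoch, method, path, status, host, referer.
# Only the first entry is the real one; the other two are made up here.
SAMPLE_LOG = """\
"20/Oct/2021:13:45:13 +0000" "89.184.66.66" "1634737513.123" "GET" "/blog/2021/02/03/skonchalsya-alidzhan-ibragimov-izvestnyj-kak-graf-tokmakskij/" "200" "kloop.kg" "https://jira.artdock.studio/"
"20/Oct/2021:13:46:02 +0000" "89.184.66.66" "1634737562.410" "GET" "/blog/2021/02/03/skonchalsya-alidzhan-ibragimov-izvestnyj-kak-graf-tokmakskij/" "200" "kloop.kg" "-"
"20/Oct/2021:14:01:17 +0000" "203.0.113.7" "1634738477.005" "GET" "/blog/2021/02/03/skonchalsya-alidzhan-ibragimov-izvestnyj-kak-graf-tokmakskij/" "200" "kloop.kg" "https://www.google.com/"
"""

FIELDS = ("time", "ip", "epoch", "method", "path", "status", "host", "referer")
ARTICLE_PATH = "/blog/2021/02/03/skonchalsya-alidzhan-ibragimov-izvestnyj-kak-graf-tokmakskij/"


def parse_line(line: str) -> Dict[str, str]:
    """Split one quoted-field log line into a dict keyed by FIELDS.

    shlex.split keeps the space inside the quoted timestamp as one token.
    """
    parts = shlex.split(line)
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def referers_for_path(lines: Iterable[str], path: str, network: str) -> Dict[str, Dict[str, int]]:
    """Map each client in `network` that fetched `path` to a count of the
    Referer values it sent. A referer pointing at an internal tool (here a
    Jira instance) is the kind of pivot the investigation relied on."""
    net = ipaddress.ip_network(network)
    hits: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["path"] != path or ipaddress.ip_address(rec["ip"]) not in net:
            continue
        hits[rec["ip"]][rec["referer"]] += 1
    return {ip: dict(c) for ip, c in hits.items()}


if __name__ == "__main__":
    for ip, refs in referers_for_path(SAMPLE_LOG.splitlines(), ARTICLE_PATH, "89.184.66.0/24").items():
        print(ip, refs)
```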

Art Dock Studio (1) (2) is a Ukrainian Online Reputation Management (ORM) company founded in 2019 by the Russian Dimitr Liubomirov.

During our analysis we also discovered that the same address is not just visiting the Kloop article periodically but also several other websites publishing investigations about financial corruption in Romania, Azerbaijan, Latvia, Serbia and Kazakhstan.

A search for Artdock Studio's job offers turned up the line “Будет плюсом если есть опыт написания жалоб провайдерам”, which translates to “It is a plus to have experience writing abuse emails”.

Previous experience in writing abuse email is a plus if you want to work for ArtDock Studio.
ArtDock allows companies, brands, politicians and public persons to control their presence in social networks.

Linking 89.184.66{.}66 with Artdock Studio

Several pieces of digital forensic evidence helped us link the IP address 89.184.66{.}66 with Artdock{.}studio.

Looking into the history of the PTR DNS records of the prefix 89.184.66.0/23, we found several machines using the domain aserv{.}me. All of them run the Proxmox virtualization environment, and one of the IPs is the server “srv4.aserv{.}me” hosting the ticket system jira.artdock.studio.

DNS records of the domain aserv.me confirm that the IP address 89.184.66{.}66 is linked to Artdock.Studio:

aserv.me. 120 IN MX 10 mx.artdock.studio.
89.184.66.16 srv1.aserv.me
89.184.66.32 srv2.aserv.me
89.184.66.41 srv3.aserv.me
89.184.66.49 srv3.aserv.me
89.184.66.55 srv4.aserv.me
89.184.66.66 srv4.aserv.me

Reaching out to Artdock

On November 17th, Qurium reached out to Artdock Studio to ask whether Raphael Landau(u) and Andrew Gustman(n) were working for the company. Qurium emailed the company (info@) and the founder (Hibinksi Dimitr Liubomirov) hoping to get an explanation. We have evidence that the emails have been read, but at the time of publishing this report (Nov 23) we had not yet received an answer.