Today, we wanted to discuss a Ukrainian provider called ITL Network. ITL Network is connected to another Ukrainian provider called Xserver as its upstream provider in BGP routing. The graph below represents the BGP routing of Xserver (AS48031), where we can find the upstream link to ITL (AS15626).
The threat recon team came across this particular provider several times during their daily research and analysis of malware infrastructure. Seclytics, a predictive threat intelligence company, has provided us with their reports on the ITL network showing the level of maliciousness reported per day. The color coding is as follows:
Yellow: 1-2 IPs reported
Orange: 3-6 IPs reported
Red: 6 IPs or more reported
Seclytics has also provided us with a list of threats associated with ITL networks.
We decided to take a look at the company ITL Networks. The CEO is a person named Dmitry Deineka, who advertises on his Facebook profile that he is the owner and CEO of ITL Network and that he works at ITL Networks. ITL Networks has three locations: the main one is in Ukraine, the second one is in Bulgaria, and the last one is in the Czech Republic. Dmitry Deineka has a personal website, deineka[.]net, where he talks about his vacations, business trips to Bulgaria and computer-related software.
Looking at his friends on Facebook, we noticed that one of them is Vitaly Ivanov, the owner of Xserver. Since they both live in Kharkov, Ukraine, they may or may not know each other offline. Knowing that some of the Avalanche infrastructure was on the Xserver network, we wonder how involved ITL Networks is in, and how aware it is of, the illegal activities on its network. Xserver could be considered a bulletproof hoster, as they don't really seem to care about the illicit content on their network and seem to always be part of some malicious campaign. All the IP blocks for these two providers can be found here:
http://bgp.he.net/AS48031#_prefixes
http://bgp.he.net/AS15626#_prefixes