aeronet.cz: Kremlin Op Targeting Czechs and Slovaks
2015 July 04

aeronet.cz made the news in the Czech Republic in March. Time for a closer look.

The site is of the faux news type, accompanied by a Twitter account and a Facebook page. Some considerable effort has been made to mask the identities of those involved, and to make it appear as though it is based in the Netherlands. That said, the site can be traced back to Russia - St. Petersburg specifically. Despite the resources dedicated to the task, aeronet.cz doesn't appear to be getting much traction, reinforcing the perception that it is the result of a tasking.

The Name
The project's name is "American European News" and the cumbersome domain name can be seen as a desperate attempt to acquire a Czech .cz domain name beginning with the letters A and E. Ever since it was acquired by the Kremlin's agents, the domain name has been held by US service provider Domains By Proxy, a unit of GoDaddy.Com.

The Netherlands
That the Netherlands is woven into this story is interesting in light of the presence of Kremlin trolls in the country, and the ongoing feud between Russia and the Netherlands over Russia's shooting down of Flight MH17, among other issues. It seems clear that the server used for aeronet.cz is located physically in the Netherlands. Whether any of the personnel involved are actually resident in the Netherlands is not known. They claim an address in Eindhoven, and even invite visitors. From the site:


American European News, B.V.
Luchthavenweg 81
5657 EA Eindhoven
The Netherlands
Phone: +44 (0) 740 884 4155 (All Europe)
Phone: +1 (209) 340-9385 (US)

"If you decide to visit our company, we will be more than happy to schedule an appointment for you in advance. Just give us a call and ask Brian for details. No solicitations, no offers and no unscheduled visits as our premises are not publicly accessible. We are a startup company, so please be advised that our Eindhoven offices don’t have Czech or Slovak speaking personnel in place yet, so if you need to call us and you are not proficient in English, Russian or Dutch language, use the e-mail communication instead."

The IP Address Behind the CloudFlare
The Kremlin's agents make use of CloudFlare, in addition to Domains By Proxy, in an attempt to hide. While CloudFlare serves primarily as a defense against DDoS attacks, it has the effect of masking a website's real IP address. It is often possible to see past CloudFlare's screen, and in this case the IP address used by aeronet.cz has been revealed as 146.185.253.146 [see addenda below for netblock details].

As noted already, the server appears to reside in the Netherlands. The Dutch provider of network access (Serverius Holding B.V. d/b/a serverius.com) has a customer in India (XonServers of Vijayawada, Andhra Pradesh, d/b/a xonservers.com a/k/a swiftslots.com) who in turn appears to have sublet a portion of their netblock to Универсальный провайдер интернет-услуг «PIN» (ООО «Санкт-Петербургская Интернет Сеть») PIN LLC d/b/a pinspb.ru. The operators of aeronet.cz are almost certainly a Russian client of PIN. This said, note that Serverius offers up their website in English, Dutch, and Russian - so a more direct connection between aeronet.cz and Serverius cannot be entirely ruled out.
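The chain of parties described above can be read mechanically from the RIPE objects. The following is an added example, not part of the original post: it splits whois output into objects and lists, for each one, its maintainers and the e-mail domains it mentions. The sample text is abridged from the record in the addendum; the function names are hypothetical.

```python
import re

# Abridged from the RIPE record in this page's addendum (values copied, lines dropped).
SAMPLE = """\
inetnum:        146.185.253.0 - 146.185.253.255
mnt-by:         MNT-PIN
mnt-by:         MNT-PINSUPPORT
mnt-routes:     SERVERIUS-MNT
changed:        admin@pinspb.ru 20131211
remarks:        Please send email to "abuse@xonservers.com" for complaints regarding
                portscans, DoS attacks and spam.

organisation:   ORG-XA90-RIPE
mnt-by:         XonServers
changed:        info@xonservers.com 20140408

route:          146.185.253.0/24
mnt-by:         SERVERIUS-MNT
changed:        noc@serverius.net 20140116
"""

ATTR = re.compile(r"^([a-z0-9-]+):\s*(.*)$")
EMAIL_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def parse_objects(text):
    """Split RPSL whois text into objects, each a list of (attribute, value) pairs."""
    objects, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):  # blank line or server comment
            current = None                            # closes the current object
            continue
        m = ATTR.match(line)
        if m:
            if current is None:
                current = []
                objects.append(current)
            current.append((m.group(1), m.group(2).strip()))
        elif current:                                 # continuation of previous value
            current[-1] = (current[-1][0], current[-1][1] + " " + line.strip())
    return objects

def controlling_parties(text):
    """Per object: its maintainers (mnt-* values) and the e-mail domains it mentions."""
    summary = {}
    for obj in parse_objects(text):
        mnt = sorted({v for a, v in obj if a.startswith("mnt-")})
        domains = sorted({d.lower() for _, v in obj for d in EMAIL_DOMAIN.findall(v)})
        summary[" ".join(obj[0])] = {"maintainers": mnt, "email_domains": domains}
    return summary
```

On the sample, the inetnum object carries the pinspb.ru and xonservers.com domains together with the MNT-PIN and SERVERIUS-MNT maintainers, while the route object points only to Serverius.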

Twitter

Born on the 4th of July – what to wish the newborn? A horoscope of the founding of the USA and an astrological view of why ... - http://t.co/KmFQF4OTro pic.twitter.com/9RxoTZIzpC

— AE News (@aeronet_cz) July 4, 2015
The Twitter account exists to promote new posts to the website. It follows no one, and is entirely non-interactive. The Twitter account was created at the end of May, 2015, and likely represents the desire on the part of the operators and/or their client (the Kremlin) to try to breathe some life into it. Of the 95 tweets, only 4 have been retweeted, and three of those by a single account. Suffice it to say the followers are worth taking a look at. At least one is likely involved in running aeronet.cz. Here are a few pointers:

Stalin and entrepreneurs http://t.co/tZBgEjCXTV via @wordpressdotcom

— BARAKA MANA (@barakamana) July 2, 2015


In Latvia a Russophobic wh-re beat a child with the words "Russians have no place here" pic.twitter.com/6XZeylUEsV

— slovjanskij patriot (@ukrofob2) July 4, 2015


That EU of ours is eroding nicely.... https://t.co/iLAAH5xKx3

— Tribun Dogmaticus (@Tribunin) July 3, 2015

Facebook
As with Twitter, the Facebook account at https://www.facebook.com/aeronet.cz is of interest precisely because of the low number of engaged followers. Consequently a hard look at each person who Likes or Shares content from the aeronet.cz Facebook account is recommended, and will be more revealing than the engaged followers of the aeronet.cz Twitter account.


Addendum

	host direct.aeronet.cz
	direct.aeronet.cz has address 146.185.253.146

	% Abuse contact for '146.185.253.0 - 146.185.253.255' is 'abuse@pinspb.ru'

	IP Location	Netherlands Dronten Xonservers
	ASN	Netherlands AS50673 SERVERIUS-AS Serverius Holding B.V. (registered Mar 05, 2010)
	Resolve Host	server.uret.in
	Whois Server	whois.ripe.net
	IP Address	146.185.253.146
	% Abuse contact for '146.185.253.0 - 146.185.253.255' is 'abuse@pinspb.ru'
	
	inetnum:        146.185.253.0 - 146.185.253.255
	netname:        XonServers
	geoloc:         52.5 5.75
	org:            ORG-XA90-RIPE
	descr:          XonServers
	country:        NL
	admin-c:        XA243-RIPE
	tech-c:         XA243-RIPE
	status:         ASSIGNED PA
	mnt-by:         MNT-PIN
	mnt-by:         MNT-PINSUPPORT
	mnt-routes:     SERVERIUS-MNT
	mnt-domains:    SERVERIUS-MNT
	changed:        admin@pinspb.ru 20131211
	remarks:        Please send email to "abuse@xonservers.com" for complaints regarding 
	portscans, DoS attacks and spam.
	created:        2013-12-11T12:00:04Z
	last-modified:  2014-04-08T00:42:09Z
	source:         RIPE
	
	organisation:   ORG-XA90-RIPE
	org-name:       XonServers
	org-type:       OTHER
	address:        Jhansi Lakshmi Street, Seetharamapuram
	address:        Vijayawada
	e-mail:         abuse@xonservers.com
	mnt-ref:        XonServers
	mnt-by:         XonServers
	changed:        info@xonservers.com 20140408
	created:        2014-04-08T00:26:18Z
	last-modified:  2014-04-08T00:26:18Z
	source:         RIPE
	
	role:           XonServers Abuse
	address:        Address: Jhansi Lakshmi Street, Seetharamapuram
	address:        Vijayawada
	e-mail:         abuse@xonservers.com
	nic-hdl:        XA243-RIPE
	mnt-by:         XonServers
	changed:        info@xonservers.com 20140408
	created:        2014-04-08T00:39:53Z
	last-modified:  2014-04-08T00:39:53Z
	source:         RIPE
	
	route:          146.185.253.0/24
	descr:          Serverius Route Object
	origin:         AS50673
	mnt-by:         SERVERIUS-MNT
	changed:        noc@serverius.net 20140116
	created:        2014-01-16T10:23:49Z
	last-modified:  2014-01-16T10:23:49Z
	source:         RIPE

© 2015 Andrew Aaron Weisburd