aeronet.cz made the news in the Czech Republic in March. Time for a closer look.
The site is of the faux news type, accompanied by a Twitter account and a Facebook page. Some considerable effort has been made to mask the identities of those involved, and to make it appear as though it is based in the Netherlands. That said, the site can be traced back to Russia - St. Petersburg specifically. Despite the resources dedicated to the task, aeronet.cz doesn't appear to be getting much traction, reinforcing the perception that it is the result of a tasking.
The project's name is "American European News" and the cumbersome domain name can be seen as a desperate attempt to acquire a Czech .cz domain name beginning with the letters A and E. Ever since it was acquired by the Kremlin's agents, the domain name has been held by US service provider Domains By Proxy, a unit of GoDaddy.Com.
That the Netherlands is woven into this story is interesting in light of the presence of Kremlin trolls in the country, and the ongoing feud between Russia and the Netherlands over Russia's shooting down of Flight MH17, among other issues. It seems clear that the server used for aeronet.cz is located physically in the Netherlands. Whether any of the personnel involved are actually resident in the Netherlands is not known. They claim an address in Eindhoven, and even invite visitors. From the site:
The IP Address Behind the CloudFlare
The Kremlin's agents make use of CloudFlare, in addition to Domains By Proxy, in an attempt to hide. While CloudFlare serves primarily as a defense against DDoS attacks, it has the effect of masking a website's real IP address. It is often possible to see past CloudFlare's screen, and in this case the IP address used by aeronet.cz has been revealed as 18.104.22.168 [see addenda below for netblock details].
As noted already, the server appears to reside in the Netherlands. The Dutch provider of network access (Serverius Holding B.V. d/b/a serverius.com) has a customer in India (XonServers of Vijayawada, Andhra Pradesh, d/b/a xonservers.com a/k/a swiftslots.com) who in turn appears to have sublet a portion of their netblock to Универсальный провайдер интернет-услуг «PIN» (ООО «Санкт-Петербургская Интернет Сеть») PIN LLC d/b/a pinspb.ru. The operators of aeronet.cz are almost certainly a Russian client of PIN. This said, note that Serverius offers up their website in English, Dutch, and Russian - so a more direct connection between aeronet.cz and Serverius cannot be entirely ruled out.
In Latvia a Russophobic wh-re beat a child, saying "there is no place for Russians here" pic.twitter.com/6XZeylUEsV — slovjanskij patriot (@ukrofob2) July 4, 2015
That EU of ours is eroding nicely.... https://t.co/iLAAH5xKx3 — Tribun Dogmaticus (@Tribunin) July 3, 2015
As with Twitter, the Facebook account at https://www.facebook.com/aeronet.cz is of interest precisely because of the low number of engaged followers. Consequently a hard look at each person who Likes or Shares content from the aeronet.cz Facebook account is recommended, and will be more revealing than the engaged followers of the aeronet.cz Twitter account.
host direct.aeronet.cz
direct.aeronet.cz has address 22.214.171.124

% Abuse contact for '126.96.36.199 - 188.8.131.52' is 'firstname.lastname@example.org'

IP Location Netherlands Netherlands Dronten Xonservers
ASN Netherlands AS50673 SERVERIUS-AS Serverius Holding B.V. (registered Mar 05, 2010)
Resolve Host server.uret.in
Whois Server whois.ripe.net
IP Address 184.108.40.206

% Abuse contact for '220.127.116.11 - 18.104.22.168' is 'email@example.com'

inetnum: 22.214.171.124 - 126.96.36.199
netname: XonServers
geoloc: 52.5 5.75
org: ORG-XA90-RIPE
descr: XonServers
country: NL
admin-c: XA243-RIPE
tech-c: XA243-RIPE
status: ASSIGNED PA
mnt-by: MNT-PIN
mnt-by: MNT-PINSUPPORT
mnt-routes: SERVERIUS-MNT
mnt-domains: SERVERIUS-MNT
changed: firstname.lastname@example.org 20131211
remarks: Please send email to "email@example.com" for complaints regarding portscans, DoS attacks and spam.
created: 2013-12-11T12:00:04Z
last-modified: 2014-04-08T00:42:09Z
source: RIPE

organisation: ORG-XA90-RIPE
org-name: XonServers
org-type: OTHER
address: Jhansi Lakshmi Street, Seetharamapuram
address: Vijayawada
e-mail: firstname.lastname@example.org
mnt-ref: XonServers
mnt-by: XonServers
changed: email@example.com 20140408
created: 2014-04-08T00:26:18Z
last-modified: 2014-04-08T00:26:18Z
source: RIPE

role: XonServers Abuse
address: Address: Jhansi Lakshmi Street, Seetharamapuram
address: Vijayawada
e-mail: firstname.lastname@example.org
nic-hdl: XA243-RIPE
mnt-by: XonServers
changed: email@example.com 20140408
created: 2014-04-08T00:39:53Z
last-modified: 2014-04-08T00:39:53Z
source: RIPE

route: 188.8.131.52/24
descr: Serverius Route Object
origin: AS50673
mnt-by: SERVERIUS-MNT
changed: firstname.lastname@example.org 20140116
created: 2014-01-16T10:23:49Z
last-modified: 2014-01-16T10:23:49Z
source: RIPE
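The layering the article describes (Serverius routing, an assignment named for XonServers, PIN's maintainer objects on that assignment) can be read mechanically from a RIPE record. The Python below is an added example, not part of the original post: `parse_rpsl` and `delegation_summary` are hypothetical helper names, and the sample record reuses the handles quoted above with documentation-range placeholder addresses.

```python
import re
from collections import defaultdict
# Constructed sample: attribute names and maintainer handles follow the RIPE
# record quoted on the page; addresses are documentation-range placeholders.
SAMPLE_WHOIS = """\
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@example.org'

inetnum:      192.0.2.0 - 192.0.2.255
netname:      XonServers
mnt-by:       MNT-PIN
mnt-by:       MNT-PINSUPPORT
mnt-routes:   SERVERIUS-MNT

organisation: ORG-XA90-RIPE
org-name:     XonServers
mnt-by:       XonServers

route:        192.0.2.0/24
origin:       AS50673
mnt-by:       SERVERIUS-MNT
"""

def parse_rpsl(text):
    """Split whois output into objects: a list of (class, {attr: [values]})."""
    objects = []
    for block in re.split(r"\n\s*\n", text):
        attrs, cls = defaultdict(list), None
        for line in block.splitlines():
            if line.startswith("%") or ":" not in line:
                continue  # server comment or stray text
            key, value = line.split(":", 1)
            key = key.strip().lower()
            cls = cls or key  # the first attribute names the object class
            attrs[key].append(value.strip())
        if cls:
            objects.append((cls, dict(attrs)))
    return objects

def delegation_summary(text):
    """Name the party at each layer: routing, address assignment, registered org.
    'third_party' lists inetnum maintainers the named org does not itself use."""
    by_class = dict(parse_rpsl(text))
    inet, route, org = (by_class.get(k, {}) for k in ("inetnum", "route", "organisation"))
    return {
        "netname": inet.get("netname", [None])[0],
        "assignment_maintainers": inet.get("mnt-by", []),
        "route_maintainers": sorted(set(inet.get("mnt-routes", []) + route.get("mnt-by", []))),
        "origin_as": route.get("origin", [None])[0],
        "third_party": [m for m in inet.get("mnt-by", []) if m not in org.get("mnt-by", [])],
    }
```

A non-empty `third_party` list is only a lead: a maintainer handle shows who can edit the registry object, not who operates the hosts inside the range.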
© 2015 Andrew Aaron Weisburd