I don’t want to play into cliched preconceptions about the Wild East but Russians – and their “near abroad” – do seem to play Eve a little differently from the rest of us. This week, however, the Russian Eve forums are aflame with accusations over black-hat hacking of alliance members by its own leadership.

I’ve been director of the Goonfleet Intelligence Agency for almost four years, so I’m reasonably-well-placed to talk about this subject. Amongst Euro-Americans, the intel conflict is played out within certain bounds. Whether it is the GIA or N3’s Jean Leaner or PL’s very effective (if slightly more devolved) spying set-up, we all play the old-fashioned Cold War-era spying game. We attempt to insert agents into each other’s blocs and alliances.

We also all make strenuous efforts to burn hostile agents: we catch a great many and we no doubt execute more than our share of innocents on the precautionary principle, while attempting to cover our own agents by obliquely insinuating that patsies in hostile alliances are, in fact, working for us. So far, so reasonable.

There is a grey area, of course, in that we harvest character APIs for infiltrating enemy forums and communications, and we gather hostile IP addresses to check against our own databases, to detect careless enemy agents. But these activities, while strictly out-of-game, are effectively accepted as quasi-legitimate by custom and by CCP, for all that a court may take a dimmer view. I, myself, have steered clear of such activities for some time, preferring HumInt to SigInt.

The Wild East

Such niceties are not quite so rigorously observed by those in former members of the Soviet Union, especially Russia, Kazakhstan and the Ukraine.

One infamous example occurred when senior members of Red Alliance, about seven and a half years ago, requested that Goonswarm provide the address in the United Kingdom of a hostile titan pilot. Their plan was that they would get Russian expatriates in the UK to cut the power to the titan during a battle, and thereby kill his titan, which was at that point one of less than half a dozen in existence.  In case you need to be told, we made our excuses and declined.

This past week has seen a different sort of drama play out. On the Russian Eve Online forums, accusations are flying that Darkspawn alliance asked its own members to download a browser-plug-in, alleging it was necessary to connect to their Teamspeak server.

The plug-in was reasonably well obfuscated in form (using VMProtect Ultra), but an initial offer of a plex for anyone who could decompile it and explain its functionality grew to eight plexes and some ISK. Given the desire to be the one to unravel the mystery, this was no doubt more than enough to prompt one forum member to reverse-engineer the plug-in’s purpose.

After the use of obfuscation, the next worrying sign was that test_plugin.dll, normally a 30Kb dll, had bloated to a massive 500Kb. What was all this super-secret extra functionality?

Hack the Planet

It turns out that the plug-in was ostensibly aimed at stopping people recording Teamspeak, but that it also located and searched through their eve log folders, uploaded the results where required, It also communicated the user’s IP address to Darkspawn, which would be handy for spotting the real IP of people using a proxy to avoid detection. And it allegedly acted as a keylogger. There are other allegations (google translate version here), together with some sourcecode but I don’t have the language skills to reliably detail them.

The story is still developing, and I am not dumb enough to name the person that the thread alleges was behind the whole thing, but I might urge you to be cautious in your dealings and interactions with Darkspawn alliance.  Especially if you are invited onto their Teamspeak server.