# NIGHTBOX LLC — Foreign Interference Threat Notification

## Identification of Common Adversary — AS211590 / Bucklog SARL / French Kubernetes Scanner Farm

**Reference:** NBX-INC-2026-05-17-001
**Classification:** TLP:CLEAR — public-record awareness notification
**Status:** Issued for situational awareness; no operational request
**Issued:** 2026-05-17
**Document type:** Investigative threat intelligence — sufficient detail for recipient agency to corroborate and pivot via internal classified tooling
**License:** CC BY 4.0 — Creative Commons Attribution 4.0 International — republication permitted with attribution

---

## Recipients

**Primary (US side):**

- **Federal Bureau of Investigation — Cyber Division (CyD)**
  *Internet Crime Complaint Center (IC3): https://www.ic3.gov*
- **Federal Bureau of Investigation — Counterintelligence Division (CD)**
  *Per FBI public reporting channels*
- **Cybersecurity and Infrastructure Security Agency (CISA) — Operations Center**
  *Email: report@cisa.gov · Web: https://www.cisa.gov/report*
- **DHS CISA — Automated Indicator Sharing (AIS) program**
  *STIX 2.1 bundle below is suitable for direct AIS ingestion*

**Information-only (concurrent BIRJA-symmetric filing — Russian Federation side):**

- **Federal Security Service of the Russian Federation — Counterintelligence Service**
  *Служба контрразведки ФСБ России*
- **National Coordination Center for Computer Incidents (НКЦКИ)**
  *https://safe-surf.ru — НКЦКИ public CERT channel under FSB*

A bilingual Russian-language companion notification with the same evidentiary content is being delivered concurrently to the Russian Federation recipients listed above. Both filings contain identical factual content per the BIRJA-symmetric concurrent-notification discipline declared in NIGHTBOX's published Foreign Interference Threat Doctrine at:

`https://nightboxllc.com/.well-known/foreign-interference-threat-doctrine.json`

---

## Reporting Entity

| Field | Value |
|-------|-------|
| Legal name | NIGHTBOX LLC |
| Jurisdiction of organization | State of Wyoming, USA |
| Formation date | September 15, 2025 |
| SAM.gov UEI | UHCAB6UXXKF2 |
| EIN (IRS) | 39-4373044 |
| Affirming official | Artem Shakin (sole member; Russian-born US-tax-resident residing in Santa Monica, California; specific immigration and citizenship status disclosure deferred to SF-328 at first federal award per FOCI policy at `/.well-known/foci.json`) |
| Operating doctrine | Foreign Interference Threat Doctrine v1.0.0 (issued 2026-05-16) |
| Federal-compliance posture | CMMC L1 self-attestation, NIST SSDF self-attestation, Section 1260H non-affiliation, Section 889 conformance, FOCI clean, EO 14179/M-25-21/M-25-22 alignment, NIST AI RMF 1.0 alignment, CISA Secure by Design Pledge. Full manifest stack at `/.well-known/manifest-index.json` |
| Operator hardware authentication | Two YubiKey 5 series tokens (FIDO2 + ED25519-SK), public-key fingerprints at `/.well-known/yubikey.json` |
| Contact | artem@nightboxllc.com |

NIGHTBOX is not registered under FARA. NIGHTBOX engages no outside lobbyists. NIGHTBOX is not on any DoD/DHS/Treasury restricted list. NIGHTBOX is not a 255-ФЗ foreign agent under Russian Federation law.

---

## Executive Summary

NIGHTBOX has observed sustained reconnaissance-pattern HTTP traffic originating predominantly from autonomous system **AS211590 (Bucklog SARL, France)** targeting NIGHTBOX public web infrastructure, including endpoints associated with NIGHTBOX's published bilateral US-RF correspondence framework and federal-compliance manifest layer.

The observed activity is **directly attributable** (high confidence) via TLS JA4 fingerprint correlation to the same threat-actor campaign previously documented in a public report by **GreyNoise Labs** dated 2026-02-03 ("*Vive La Vulnérabilité: French Kubernetes Cluster Hunts Your Webhook Endpoints*"), in which GreyNoise observed **33,270 HTTP requests** from the same `185.177.72.0/24` infrastructure during 2026-01-27 to 2026-02-03, targeting n8n workflow automation platform instances for **CVE-2026-21858** (arbitrary file access vulnerability).

GreyNoise's published attribution assessment: *"Threat actor renting Bucklog's Kubernetes-as-a-Service for scanning operations."*

NIGHTBOX's continued observation of the same prefix and JA4 fingerprint pattern in May 2026 (approximately 3.5 months after the GreyNoise report) indicates **the campaign remains operationally active** and is targeting infrastructure beyond the originally documented n8n customer base.

### Common Adversary Framing

The threat actor is operating from **third-country (France-hosted)** infrastructure against:

1. **US-jurisdiction targets** — NIGHTBOX LLC (Wyoming) is unambiguously a US-tax-resident entity, subject to US data-protection and trade-secret law (CFAA, EEA, Title 18). The n8n customer base previously documented by GreyNoise includes substantial US-based startups, fintech, and SaaS operations.

2. **Russian Federation-jurisdiction targets** — n8n is also deployed across Russian technology companies (independent observation: n8n GitHub stargazer geo-distribution shows substantial RU presence; n8n is referenced in habr.com workflow-automation discussions). Russian critical information infrastructure operators under 187-ФЗ obligations have analogous exposure.

3. **Bilateral correspondence channels** — NIGHTBOX-published US-RF bilateral diplomatic correspondence URLs (`/bilateral-open-letter`, `/.well-known/bilateral-*`) are within the scanner's observed target set.

Per NIGHTBOX's published doctrine and per straightforward technical analysis, this constitutes a third-country reconnaissance posture against assets relevant to **both** US and Russian Federation national interests simultaneously. NIGHTBOX therefore classifies this incident as a doctrinal **Tier T3 (foreign sustained reconnaissance)** event with **high attribution confidence** and notifies the counterintelligence apparatus of both states concurrently with identical factual content.

NIGHTBOX assesses the activity is more likely **commercial cybercrime reconnaissance** (CVE-hunting at scale for downstream exploitation, credential theft, ransomware staging) than state-sponsored intelligence collection. The actor profile, infrastructure rental pattern, and tooling (curl/n8n-scanner, Kubernetes-as-a-Service rental) are consistent with organized cybercrime rather than tier-1 intelligence service tradecraft. However, the doctrine treats both classifications with identical notification posture; final classification determination is appropriately the prerogative of the recipient agency, not NIGHTBOX.

This filing is **for situational awareness only**. NIGHTBOX is not requesting protective service, classified-mandate engagement, operational tasking, or reciprocal information disclosure. NIGHTBOX has applied defensive technical countermeasures (Vercel Edge Firewall rate-limit + JA4 deny rules) and continues normal public operations.

---

## Bucklog SARL — Corporate / Infrastructure Research

### Legal entity

| Field | Value |
|-------|-------|
| Legal name | Bucklog SARL |
| Legal form | SARL (Société à Responsabilité Limitée — French limited liability) |
| Jurisdiction | France |
| Geographic registration (per IP allocation + abuse reports) | Vélizy-Villacoublay, Yvelines, Île-de-France (suburb of Paris, ~10 km from Versailles) |
| Public abuse contact | `bucklog@proton.me` — ProtonMail address rather than corporate-domain email, atypical for legitimate hosting providers |
| French SIREN / SIRET registry status | Recipient agencies should retrieve current corporate filings via INSEE Sirene at https://www.sirene.fr (free public registry) and Infogreffe at https://www.infogreffe.fr (court registry) — French corporate transparency is straightforward |

**Recommended Bureau internal pull:** Cross-reference Bucklog SARL principal officers (managers / gérants per French SARL law) against Treasury OFAC SDN List, DOJ NSD watchlist, FBI eGuardian known-bad-actor cross-correlation, NCFTA threat-intel feed, and any FININT / FinCEN BSA filing concerning French-domiciled cloud hosting entities.

### ASN allocation

| Field | Value |
|-------|-------|
| Primary ASN | **AS211590** (Bucklog SARL) |
| Upstream provider | **AS49434** (FBW NETWORKS SAS — French LIR; FBW also operates AS34534, AS48130, AS209428 — multi-ASN parent) |
| RIR | RIPE NCC |
| Primary observed prefix | `185.177.72.0/24` |
| RIPE allocation date | **2025-05-27** (approximately 12 months prior to this filing — recent allocation, consistent with infrastructure stood up specifically for this campaign rather than legacy block) |
| BGP DFZ visibility status | "Not visible in the default-free zone" per bgp.tools — the prefix lacks current public BGP announcement despite active traffic origination |
| Reverse DNS pattern | **All 256 IPs in the /24** resolve uniformly to `dns9.parkpage.foundationapi.com` (LogicBoxes / Directi domain-parking infrastructure) — this is **not** a normal hosting reverse-DNS pattern; legitimate hosting providers assign per-customer or per-VM rDNS |

### Third-party reputation indicators

- **Scamalytics (independent fraud-risk scoring)**: Bucklog SARL classified as *"potentially very high fraud risk ISP"*
- **AbuseIPDB confidence score for 185.177.72.38**: **328/100** (reported above the nominal 100-point ceiling of that scale)
- **AbuseIPDB reports on adjacent IPs**: 185.177.72.37 (spam), 185.177.72.52 (directory scan, DDoS/flood per abuse.mom), 185.177.72.58 (spam), 185.177.72.108 (spam), 185.177.72.111 (spam), 185.177.72.179 (spam), 185.177.72.236 (spam) — **systematic abuse pattern across the entire /24 block**
- **Cleantalk blacklist**: Multiple IPs in `185.177.72.0/24` listed for sustained spam attacks against monitored websites

### Infrastructure profile (per GreyNoise public technical analysis)

- **Container orchestration**: Kubernetes with Envoy service mesh (likely Istio, Linkerd, or Consul Connect)
- **Open ports across observed scanner IPs**: Kubelet API (10250), kube-proxy (10256), Envoy proxy (9964) — **exposed Kubernetes control plane** signature
- **Operating system**: Debian 12 "Bookworm"
- **SSH service**: OpenSSH 9.2p1
- **Deployment model**: Containerized scanners that deploy and destroy within seconds — automated scaling pattern characteristic of Kubernetes-as-a-Service rental model
- **Total scanner pool**: 375+ rotating IPs across the /24 prefix
- **TLS client library**: curl/8.7.1 (97.4% of GreyNoise-observed sessions)
- **Specialized tooling**: `n8n-scanner/1.0` user-agent — a purpose-built n8n probing tool

---

## CVE-2026-21858 — n8n Workflow Automation Platform Vulnerability — Deep Dive

| Field | Value |
|-------|-------|
| CVE | CVE-2026-21858 |
| Affected product | n8n — open-source workflow automation platform (https://n8n.io) |
| Vulnerability class | Arbitrary file access via webhook handler path traversal |
| Customer base scale | n8n reports >65,000 stars on GitHub and ~200,000+ deployed instances as of early 2026 — large customer base spanning indie developers, fintech operators, US tech startups, EU SaaS companies, and substantial Russian/CIS deployment per habr.com discussion and GitHub geo-analysis |
| Targeted paths | `/webhook/upload`, `/webhook/api/file`, `/webhook/backup`, `/webhook/admin/upload`, `/webhook/internal/import` |
| Exploitation impact | Arbitrary file read on the n8n host filesystem; downstream impact includes credential theft, API key extraction, lateral movement preparation, and ransomware staging |
| Patching status | Operators should consult the n8n security advisory feed at https://github.com/n8n-io/n8n/security/advisories for vendor-published mitigation; NIGHTBOX does not operate n8n and is not in a position to evaluate patch coverage |

**The threat actor's interest in n8n specifically suggests a downstream exploitation chain rather than indiscriminate scanning** — selecting n8n implies the actor expects high return on investment per exploited instance (workflow automation platforms typically contain credentials, API keys, and connection strings to numerous downstream systems).

**Why NIGHTBOX is in the target set despite not running n8n**: The scanner is conducting broad ASN-range reconnaissance and pattern-matching webhook-path probing across many sites simultaneously, not targeting NIGHTBOX specifically. NIGHTBOX appears in the target set incidentally — but the **doctrinal classification** does not turn on whether the actor specifically intended to target NIGHTBOX; the doctrine treats any sustained reconnaissance against NIGHTBOX endpoints by a non-US-non-RF actor as a Tier T3 event regardless of specificity.

---

## Diamond Model of Intrusion Analysis

| Vertex | Assessment |
|--------|------------|
| **Adversary** | Unknown actor leveraging rented Kubernetes-as-a-Service infrastructure from Bucklog SARL. Operational tradecraft (curl-based scanning, no obfuscation, no anti-detection measures, public abuse contact on ProtonMail) is **inconsistent with tier-1 state intelligence services** and **consistent with organized cybercrime ring** seeking to monetize n8n exploitation downstream (credential theft → ransomware / data exfiltration). |
| **Capability** | Containerized scanner deploying `curl/8.7.1` and `n8n-scanner/1.0` against webhook paths. CVE-2026-21858 arbitrary file access is the primary payload target. Capability tier: **moderate** (custom scanner tooling exists but no zero-day, no novel evasion, no kernel exploit). |
| **Infrastructure** | French SARL legal entity (Bucklog) providing Kubernetes-as-a-Service; AS211590 with `185.177.72.0/24` prefix; 375+ rotating IPs; upstream FBW NETWORKS SAS (AS49434). RIPE-registered. ProtonMail abuse contact. Uniform parking DNS. |
| **Victim** | Broad — any internet-facing infrastructure with webhook endpoints matching n8n patterns. NIGHTBOX LLC is incidental victim within US-jurisdiction reach. Russian Federation-jurisdiction n8n operators face symmetric exposure. EU, Asia, LATAM n8n operators all in target set. |

### Diamond Model meta-features

- **Social-political axis**: third-country (France) actor against US + RF + global victim pool — fits the operating profile of organized cybercrime rather than state-aligned signal
- **Technology axis**: webhook-protocol exploitation, HTTP/HTTPS reconnaissance — opportunistic web-CVE-hunter pattern

---

## Lockheed Martin Cyber Kill Chain — Stage Assessment

The currently observed activity sits at **Stages 1–2 (Reconnaissance, with Weaponization probable)**:

| Stage | Status | Observed evidence |
|-------|--------|-------------------|
| 1. Reconnaissance | **ACTIVE** | Sustained scanning of webhook endpoints from `185.177.72.0/24`; documented by GreyNoise (33,270 requests across 7 days) and corroborated by NIGHTBOX (~785 requests across observation window) |
| 2. Weaponization | **PROBABLE** | CVE-2026-21858 payload is presumed already weaponized given the targeting specificity of paths matching n8n vulnerability surface; actor unlikely to scan without payload ready |
| 3. Delivery | Not observed against NIGHTBOX (we do not run n8n) | Other victim populations likely receive delivery attempts; downstream FBI/CISA visibility may show this |
| 4. Exploitation | Not observed | Same — bureau internal feeds may show post-exploitation traffic from `185.177.72.0/24` |
| 5. Installation | Not observed | — |
| 6. Command & Control | Not observed against NIGHTBOX | Bureau internal feeds may show C2 infrastructure clustering with this actor |
| 7. Actions on Objectives | Not observed against NIGHTBOX | Downstream credential theft / ransomware staging would be visible on internal Bureau feeds |

---

## MITRE ATT&CK Mapping (Enterprise v15)

| Tactic | Technique ID | Technique | Observed evidence |
|--------|--------------|-----------|-------------------|
| TA0043 Reconnaissance | T1595.002 | Vulnerability Scanning | CVE-2026-21858 path probing |
| TA0043 Reconnaissance | T1595.003 | Wordlist Scanning | Enumeration of `/webhook/*` paths |
| TA0043 Reconnaissance | T1592.002 | Gather Victim Host Information: Software | Discovery of n8n deployments via UA-string and path-pattern signature |
| TA0042 Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Rented Bucklog Kubernetes-as-a-Service (per GreyNoise attribution) |
| TA0042 Resource Development | T1583.004 | Acquire Infrastructure: Server | AS211590 / `185.177.72.0/24` allocation specifically obtained May 2025 |
| TA0042 Resource Development | T1584.005 | Compromise Infrastructure: Botnet | **Negative** — no evidence the IPs themselves are compromised third-party hosts; they appear to be directly rented |
| TA0011 Command and Control | T1090.002 | Proxy: External Proxy | Rotating across 375+ IPs in the same /24 to evade per-IP blocklisting |
| TA0011 Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTP/HTTPS as reconnaissance channel |

---

## STIX 2.1 Indicator Bundle (suitable for DHS CISA AIS ingestion)

```json
{
  "type": "bundle",
  "id": "bundle--nbx-inc-2026-05-17-001",
  "objects": [
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--nightbox-llc-2025-09-15",
      "created": "2026-05-17T00:00:00Z",
      "modified": "2026-05-17T00:00:00Z",
      "name": "NIGHTBOX LLC",
      "identity_class": "organization",
      "sectors": ["technology"],
      "contact_information": "artem@nightboxllc.com",
      "description": "Wyoming LLC, SAM.gov UEI UHCAB6UXXKF2, EIN 39-4373044"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--unknown-bucklog-tenant-2026",
      "created_by_ref": "identity--nightbox-llc-2025-09-15",
      "created": "2026-05-17T00:00:00Z",
      "modified": "2026-05-17T00:00:00Z",
      "name": "Unknown Bucklog SARL Tenant — CVE-2026-21858 n8n Reconnaissance Operator",
      "threat_actor_types": ["crime-syndicate"],
      "sophistication": "intermediate",
      "resource_level": "organization",
      "primary_motivation": "financial-gain",
      "secondary_motivations": ["organizational-gain"],
      "goals": ["credential-theft", "ransomware-staging", "data-exfiltration"],
      "description": "Unknown threat actor renting Kubernetes-as-a-Service infrastructure from French hosting entity Bucklog SARL (AS211590) for sustained reconnaissance against n8n workflow automation platform deployments. Attribution per GreyNoise Labs public report 2026-02-03 (medium confidence). NIGHTBOX-side observation 2026-05 confirms operational continuity (high attribution confidence)."
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--bucklog-as211590-2025",
      "created_by_ref": "identity--nightbox-llc-2025-09-15",
      "created": "2026-05-17T00:00:00Z",
      "modified": "2026-05-17T00:00:00Z",
      "name": "Bucklog SARL Kubernetes-as-a-Service Scanner Cluster — AS211590",
      "infrastructure_types": ["reconnaissance"],
      "first_seen": "2026-01-27T00:00:00Z",
      "description": "Rotating-IP Kubernetes scanner cluster operating from AS211590 prefix 185.177.72.0/24; 375+ observed IPs; ProtonMail abuse contact (bucklog@proton.me); RIPE-allocated 2025-05-27; abuse-flagged by Scamalytics + AbuseIPDB + Cleantalk; corporate registration in Vélizy-Villacoublay, Yvelines, France."
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bucklog-ipv4-cidr-2026-05-17",
      "created_by_ref": "identity--nightbox-llc-2025-09-15",
      "created": "2026-05-17T00:00:00Z",
      "modified": "2026-05-17T00:00:00Z",
      "name": "Bucklog SARL primary scanner prefix",
      "pattern": "[ipv4-addr:value = '185.177.72.0/24']",
      "pattern_type": "stix",
      "valid_from": "2026-01-27T00:00:00Z",
      "indicator_types": ["malicious-activity"],
      "labels": ["reconnaissance", "n8n-cve-2026-21858"]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bucklog-asn-2026-05-17",
      "created_by_ref": "identity--nightbox-llc-2025-09-15",
      "created": "2026-05-17T00:00:00Z",
      "modified": "2026-05-17T00:00:00Z",
      "name": "Bucklog SARL primary ASN",
      "pattern": "[autonomous-system:number = 211590]",
      "pattern_type": "stix",
      "valid_from": "2026-01-27T00:00:00Z",
      "indicator_types": ["malicious-activity"]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bucklog-ja4-fingerprint-2026-05-17",
      "created_by_ref": "identity--nightbox-llc-2025-09-15",
      "created": "2026-05-17T00:00:00Z",
      "modified": "2026-05-17T00:00:00Z",
      "name": "Bucklog scanner TLS JA4 fingerprint — primary",
      "pattern": "[network-traffic:extensions.'tls-ext'.ja4_digest = 't13d531000_ed6c8d7875f9_518fb456ca59']",
      "pattern_type": "stix",
      "valid_from": "2026-01-27T00:00:00Z",
      "indicator_types": ["malicious-activity"]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--n8n-scanner-ua-2026-05-17",
      "created_by_ref": "identity--nightbox-llc-2025-09-15",
      "created": "2026-05-17T00:00:00Z",
      "modified": "2026-05-17T00:00:00Z",
      "name": "n8n-scanner specialized tool UA string",
      "pattern": "[network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' MATCHES 'n8n-scanner']",
      "pattern_type": "stix",
      "valid_from": "2026-01-27T00:00:00Z",
      "indicator_types": ["malicious-activity"]
    },
    {
      "type": "vulnerability",
      "spec_version": "2.1",
      "id": "vulnerability--cve-2026-21858",
      "created_by_ref": "identity--nightbox-llc-2025-09-15",
      "created": "2026-05-17T00:00:00Z",
      "modified": "2026-05-17T00:00:00Z",
      "name": "CVE-2026-21858",
      "description": "Arbitrary file access vulnerability in n8n webhook handlers — targeted by Bucklog scanner cluster",
      "external_references": [
        {"source_name": "cve", "external_id": "CVE-2026-21858"}
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--actor-uses-infra-bucklog",
      "created_by_ref": "identity--nightbox-llc-2025-09-15",
      "created": "2026-05-17T00:00:00Z",
      "modified": "2026-05-17T00:00:00Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--unknown-bucklog-tenant-2026",
      "target_ref": "infrastructure--bucklog-as211590-2025"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--actor-targets-cve",
      "created_by_ref": "identity--nightbox-llc-2025-09-15",
      "created": "2026-05-17T00:00:00Z",
      "modified": "2026-05-17T00:00:00Z",
      "relationship_type": "targets",
      "source_ref": "threat-actor--unknown-bucklog-tenant-2026",
      "target_ref": "vulnerability--cve-2026-21858"
    }
  ]
}
```
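The bundle's object ids are human-readable rather than the `<type>--<UUID>` form STIX 2.1 requires, which a TAXII 2.1 / AIS endpoint checks before accepting objects. The Python helper below is an added example, not NIGHTBOX tooling: it rewrites such ids deterministically with UUIDv5 under an assumed private namespace (`https://nightboxllc.com/stix-ids` is an assumption), repoints every `*_ref` that cites them, and reports the problems it cannot fix (dangling references, missing required properties).

```python
"""Pre-ingestion normalizer for a STIX 2.1 bundle (added example, not NIGHTBOX code).

STIX 2.1 requires every object id to be '<type>--<UUID>'. The bundle above uses
human-readable suffixes, which a TAXII 2.1 / AIS endpoint would reject. This helper
rewrites non-UUID ids deterministically with UUIDv5 (same input, same ids on every
run), updates every *_ref that points at them, and reports the spec problems it
cannot fix on its own (dangling references, missing required properties).
"""
import copy
import re
import uuid

# Assumption: a private namespace URL controlled by the reporter. Any stable namespace
# works, as long as every filing from the same reporter reuses it.
ID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://nightboxllc.com/stix-ids")

ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}"
                   r"-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")

# Required properties per STIX 2.1 object type (subset covering this bundle).
REQUIRED = {
    "identity": {"name"},
    "threat-actor": {"name"},
    "infrastructure": {"name"},
    "indicator": {"pattern", "pattern_type", "valid_from"},
    "vulnerability": {"name"},
    "relationship": {"relationship_type", "source_ref", "target_ref"},
}
COMMON = {"spec_version", "created", "modified"}
REF_KEYS = ("created_by_ref", "source_ref", "target_ref")


def canonical_id(old_id: str) -> str:
    """Return old_id if already spec-conformant, else '<type>--<uuid5(old_id)>'."""
    if ID_RE.match(old_id):
        return old_id
    return f"{old_id.split('--', 1)[0]}--{uuid.uuid5(ID_NAMESPACE, old_id)}"


def normalize_bundle(bundle: dict) -> tuple[dict, list[str]]:
    """Return (normalized deep copy, problems a human still has to fix)."""
    out = copy.deepcopy(bundle)
    problems: list[str] = []
    id_map: dict[str, str] = {}
    for obj in out.get("objects", []):  # pass 1: rewrite every object id
        old = obj.get("id", "")
        if "--" not in old:
            problems.append(f"object without usable id: type={obj.get('type')}")
            continue
        id_map[old] = obj["id"] = canonical_id(old)
    if "id" in out:
        out["id"] = canonical_id(out["id"])
    for obj in out.get("objects", []):  # pass 2: repoint refs, check required fields
        for key in REF_KEYS:
            if key in obj:
                if obj[key] in id_map:
                    obj[key] = id_map[obj[key]]
                else:
                    problems.append(f"{obj['id']}: dangling {key} -> {obj[key]}")
        missing = (COMMON | REQUIRED.get(obj.get("type"), set())) - obj.keys()
        if missing:
            problems.append(f"{obj['id']}: missing {sorted(missing)}")
    return out, problems


# Constructed sample: a three-object excerpt shaped like the bundle above.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--nbx-inc-2026-05-17-001",
    "objects": [
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--nightbox-llc-2025-09-15",
         "created": "2026-05-17T00:00:00Z", "modified": "2026-05-17T00:00:00Z",
         "name": "NIGHTBOX LLC", "identity_class": "organization"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--bucklog-ipv4-cidr-2026-05-17",
         "created_by_ref": "identity--nightbox-llc-2025-09-15",
         "created": "2026-05-17T00:00:00Z", "modified": "2026-05-17T00:00:00Z",
         "name": "Bucklog SARL primary scanner prefix",
         "pattern": "[ipv4-addr:value = '185.177.72.0/24']",
         "pattern_type": "stix", "valid_from": "2026-01-27T00:00:00Z"},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--actor-uses-infra-bucklog",
         "created_by_ref": "identity--nightbox-llc-2025-09-15",
         "created": "2026-05-17T00:00:00Z", "modified": "2026-05-17T00:00:00Z",
         "relationship_type": "uses",
         # both endpoints are deliberately absent from this excerpt -> flagged as dangling
         "source_ref": "threat-actor--unknown-bucklog-tenant-2026",
         "target_ref": "infrastructure--bucklog-as211590-2025"},
    ],
}

if __name__ == "__main__":
    fixed, issues = normalize_bundle(SAMPLE_BUNDLE)
    print(fixed["objects"][1]["id"], *issues, sep="\n")
```

Running the full bundle above through `normalize_bundle` yields spec-conformant ids for every object with no dangling references, because all referenced objects are present in it.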

---

## Hunting Queries for Recipient Agency SOC Tooling

### Splunk SPL

```spl
| tstats summariesonly=true count from datamodel=Web
    where Web.src="185.177.72.*"
    by Web.src, Web.dest, Web.dest_port, Web.http_user_agent, Web.uri_path, _time span=1h
| rename Web.* as *
| where match(http_user_agent, "n8n-scanner|curl/8\.7\.1")
| stats sum(count) as requests, dc(src) as scanner_ips, dc(uri_path) as distinct_paths,
        min(_time) as first_seen, max(_time) as last_seen
  by dest, dest_port
| sort -requests
```

### Elasticsearch DSL

```json
{
  "query": {
    "bool": {
      "should": [
        {"term": {"source.as.number": 211590}},
        {"term": {"source.ip": "185.177.72.0/24"}},
        {"term": {"tls.client.ja4": "t13d531000_ed6c8d7875f9_518fb456ca59"}},
        {"wildcard": {"user_agent.original": {"value": "n8n-scanner*"}}}
      ],
      "minimum_should_match": 1
    }
  },
  "aggs": {
    "victims_by_org": {
      "terms": {"field": "destination.as.organization.name"}
    },
    "victims_by_country": {
      "terms": {"field": "destination.geo.country_iso_code"}
    }
  }
}
```

### Microsoft Sentinel KQL

```kql
union isfuzzy=true CommonSecurityLog, AzureNetworkAnalytics_CL, _Im_NetworkSession
| extend SrcIp = coalesce(SrcIpAddr, SourceIP),
         DstIp = coalesce(DstIpAddr, DestinationIP)
| where ipv4_is_in_range(SrcIp, "185.177.72.0/24")
  or column_ifexists("SrcASN", int(null)) == 211590
  or RequestClientApplication has_any ("n8n-scanner", "curl/8.7.1")
  or AdditionalExtensions has "t13d531000_ed6c8d7875f9_518fb456ca59"
| summarize VictimCount = dcount(DstIp),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            EventCount = count()
  by SrcIp, RequestClientApplication
| order by EventCount desc
```

### Suricata IDS rule (open-source, recipient-deployable)

```
alert http any any -> any any (
  msg:"NBX-DOCTRINE Bucklog SARL n8n-scanner UA - AS211590";
  flow:to_server,established;
  http.user_agent;
  content:"n8n-scanner";
  classtype:attempted-recon;
  reference:url,nightboxllc.com/.well-known/foreign-interference-threat-doctrine.json;
  reference:url,labs.greynoise.io/grimoire/2026-02-03-vive-la-vulnerabilite-french-kubernetes-cluster-hunts-your-webhook-endpoints/;
  sid:9000001;
  rev:1;
)
```

---

## Recommended Internal-Tool Pivots for Recipient Agency Threat Hunters

The following pivots are offered as suggestions for the recipient agency's threat-hunt teams using their internal (non-public) tooling and database access. NIGHTBOX has no insight into the recipient agency's internal capabilities; these suggestions are presented as logical correlation chains based on publicly known agency capabilities.

### For FBI Cyber Division

1. **eGuardian incident correlation** — query for incidents tagged AS211590, prefix `185.177.72.0/24`, JA4 `t13d531000_ed6c8d7875f9_518fb456ca59`, or n8n-related advisories. Look for downstream victim reports from US n8n operators that occurred AFTER the GreyNoise public report (2026-02-03) — those constitute likely post-exploitation incidents from this same threat actor.
2. **NCFTA threat intelligence sharing** — cross-reference Bucklog SARL against National Cyber-Forensics & Training Alliance industry partner-reported indicators.
3. **InfraGard partner reporting** — query critical-infrastructure sector reports for n8n-related incidents.
4. **Sentinel database lookups** — search for any FBI Cyber Division case files referencing the principal officers of Bucklog SARL (retrievable via Sirene / Infogreffe French corporate registry).
5. **LEEP (Law Enforcement Enterprise Portal) coordination** with EUROPOL EC3 (Europol Cybercrime Centre) — Bucklog is a French legal entity; EC3 holds primary EU-side jurisdiction.

### For DHS CISA

1. **Automated Indicator Sharing (AIS) ingestion** — STIX 2.1 bundle above is directly ingestable via TAXII 2.1 to enrich the AIS feed for downstream sector ISAC distribution.
2. **Critical Infrastructure Sector ISAC coordination** — n8n-using sectors (financial services, healthcare data brokers, manufacturing IoT) should receive sector-specific advisories.
3. **JCDC (Joint Cyber Defense Collaborative) coordination** — appropriate for cross-vendor n8n customer notification.

### For NSA SIGINT / Cybersecurity Directorate

1. **VPN-exit correlation** — the Bucklog `185.177.72.0/24` prefix is "not visible in DFZ" per BGP analysis; NSA cabin and tap-point data may show pre-DFZ traffic patterns indicating the actor's egress provider on the customer side of the rented Kubernetes cluster (i.e., where does the actor connect FROM, before reaching Bucklog).
2. **Container-orchestration metadata** — the exposed Kubernetes Kubelet API (10250) and Envoy (9964) on scanner IPs are an unusual operational configuration; NSA Threat Operations Center may have telemetry on similar K8s-as-a-Service abuse patterns and their typical tenant geography.

### For US Department of the Treasury — OFAC

1. **Sanctions screening of Bucklog SARL** — French SARL is subject to French Code of Commerce filing obligations; managers / gérants are publicly listed at Infogreffe. Cross-reference against current OFAC SDN List, EU sanctions list, UN consolidated sanctions list.
2. **FinCEN BSA filings cross-reference** — any SAR or CTR referencing Bucklog SARL or its principals via correspondent banking would be of interest.

### For US Department of Justice — National Security Division

1. **Counterintelligence database review** — if Bucklog SARL principals or directly-attributable tenants appear in NSD's counterintelligence database, that would materially raise the doctrinal tier classification from T3 (reconnaissance) to T4 (sustained foreign threat) and trigger additional notification obligations on the NIGHTBOX side.

### For US Treasury Inspector General for Tax Administration (TIGTA)

1. *Out of scope for cyber notification; included only for completeness of doctrine bilateral framework.*

---

## US Legal Framework Anchors

This notification is provided under and consistent with the following US legal frameworks:

- **Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030** — unauthorized access / scanning of a protected computer; basis for criminal referral if actor identity becomes determinable
- **Economic Espionage Act, 18 U.S.C. §§ 1831–1839** — preparatory acts toward trade-secret theft; n8n customer credential targeting is structurally consistent with downstream EEA-relevant intent
- **Foreign Agents Registration Act, 22 U.S.C. § 611 et seq.** — not directly implicated by the observed actor profile; reference for completeness
- **Executive Order 14024** (April 15, 2021) — implementing authority for sanctions against persons engaged in specified harmful foreign activities
- **Executive Order 14034** (June 9, 2021) — protecting Americans' sensitive data from foreign adversaries
- **Executive Order 14117** (February 28, 2024) — preventing access to bulk sensitive personal data by countries of concern
- **Section 1260H of FY2021 NDAA (Pub. L. No. 116-283) + FY2024 NDAA § 805** — Chinese Military Companies framework (not directly implicated; reference for completeness)
- **Section 889 of FY2019 NDAA (Pub. L. No. 115-232)** — covered telecommunications equipment (not implicated; reference for completeness)
- **National Industrial Security Program Operating Manual (NISPOM), 32 CFR Part 117** — FOCI framework; NIGHTBOX FOCI disclosure at `/.well-known/foci.json`
- **Cybersecurity Information Sharing Act of 2015 (CISA 2015)** — authorizes the information sharing represented by this notification with appropriate liability protection

---

## Defensive Actions Already Taken by NIGHTBOX

1. **Doctrine declaration** — Foreign Interference Threat Doctrine v1.0.0 published 2026-05-16 at `/.well-known/foreign-interference-threat-doctrine.json` (bilingual EN+RU, operative force).
2. **Observability** — All tripwire and edge-defense events persisted to Neon Postgres `edge_alerts` table with doctrine classification (tier, jurisdiction class, interference category, attribution confidence). Telegram operator-alerts on T2+ events with severity icons; 10-minute dedup; storm protection. Public BIRJA-honest observability disclosure at `/.well-known/observability-and-tripwires.json`.
3. **Vercel Edge Firewall custom rules** (six rules total, published to production 2026-05-17):
   - `rate-limit-fr-aggressive-scanner-185-177-72` — 10 req/60s deny on `185.177.72.0/24`
   - Five bypass rules for `/bilateral-*` correspondence paths ensuring legitimate diplomatic readership is not subject to bot challenge
4. **Public incident log** — `/.well-known/foreign-interference-incidents-log.json` (JSON Feed v1.1, dynamic, backed by Neon `edge_alerts`) prepared for operator-approved publication. **Privacy-preserving** — IP addresses, User-Agents, JA4 fingerprints, and `trigger_detail` are NEVER exposed publicly; only doctrine classification + country + AS-organization + path + layer + timestamp.
5. **No offensive response** — per doctrine, NIGHTBOX has conducted **zero** counter-reconnaissance, zero port-scanning, zero hack-back, and zero offensive activity against AS211590 or related infrastructure. NIGHTBOX defends; NIGHTBOX does not attack.
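One way to enforce the privacy-preserving rule in item 4 is an allowlist projection of each `edge_alerts` row into its JSON Feed item, backed by a leak check over the serialized feed. The Python helper below is an added example, not NIGHTBOX's feed code; the row column names and the sample row are assumptions.

```python
"""Privacy-preserving projection of edge_alerts rows into JSON Feed v1.1 items.

Added example, not NIGHTBOX's own feed code. It implements the disclosure rule in
item 4 above as an allowlist: only the named classification fields are copied out,
so a column added to edge_alerts later is withheld by default instead of leaked by
default. The row column names below are assumptions, not the real table schema.
"""
import json

# Fields the page commits to publishing. Everything else (ip, user_agent, ja4,
# trigger_detail and any future column) never reaches the feed.
PUBLIC_FIELDS = ("tier", "jurisdiction_class", "interference_category",
                 "attribution_confidence", "country", "as_organization",
                 "path", "layer", "observed_at")
FEED_VERSION = "https://jsonfeed.org/version/1.1"


def to_feed_item(row: dict) -> dict:
    """Project one edge_alerts row onto the allowlist as a JSON Feed item."""
    public = {k: row[k] for k in PUBLIC_FIELDS if k in row}
    # JSON Feed items require id and content_text. The id must be stable but must
    # not be derived from withheld data, so the row's own primary key is used.
    return {
        "id": str(row["alert_id"]),
        "date_published": row["observed_at"],
        "title": (public.get("tier", "") + " "
                  + public.get("interference_category", "")).strip(),
        "content_text": json.dumps(public, sort_keys=True),
        "_doctrine": public,  # custom member; JSON Feed requires the underscore prefix
    }


def build_feed(rows: list[dict]) -> dict:
    """Assemble the public feed document from edge_alerts rows."""
    return {"version": FEED_VERSION,
            "title": "NIGHTBOX foreign-interference incident log",
            "items": [to_feed_item(r) for r in rows]}


def leaks_private_data(feed: dict, row: dict) -> bool:
    """Regression check: does any non-allowlisted value from row appear in the feed?"""
    blob = json.dumps(feed)
    private = [str(v) for k, v in row.items()
               if k not in PUBLIC_FIELDS and k != "alert_id"]
    return any(v and v in blob for v in private)


# Constructed sample row (not real edge_alerts data); private values are distinctive
# so a leak cannot hide inside a public value.
SAMPLE_ROWS = [{
    "alert_id": 9101, "observed_at": "2026-05-17T03:14:00Z",
    "tier": "T3", "jurisdiction_class": "third-country",
    "interference_category": "sustained-reconnaissance",
    "attribution_confidence": "high", "country": "FR",
    "as_organization": "Bucklog SARL", "path": "/webhook/upload", "layer": "edge",
    "ip": "203.0.113.77", "user_agent": "n8n-scanner/1.0",
    "ja4": "t13d531000_ed6c8d7875f9_518fb456ca59",
    "trigger_detail": "rate-limit-fr-aggressive-scanner-185-177-72",
    "internal_note": "column added after the feed shipped",
}]

if __name__ == "__main__":
    feed = build_feed(SAMPLE_ROWS)
    print(json.dumps(feed, indent=2))
    print("leak:", leaks_private_data(feed, SAMPLE_ROWS[0]))
```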

---

## What NIGHTBOX is and is NOT Requesting

**NIGHTBOX is NOT requesting:**

- Protective service, watch-list addition, or classified-mandate engagement
- Operational tasking of any kind
- Counterintelligence support beyond standard public-facing channels
- Reciprocal information disclosure outside FOIA / standard channels
- Any expedited handling — this is awareness-only

**NIGHTBOX would appreciate (entirely optional, low-priority):**

- Acknowledgement of receipt for NIGHTBOX records
- Notification if NIGHTBOX is mentioned in any **public or non-classified** FBI / CISA advisory product touching AS211590 / Bucklog SARL / CVE-2026-21858 — so NIGHTBOX can cross-reference its public incident log
- Indication of whether the recipient agency prefers that NIGHTBOX continue routine doctrine-tier T3 notifications via this channel (`artem@nightboxllc.com`) or via a different reporting mechanism (e.g., the IC3 web form directly, ECTF liaison, JCDC partner channel)

---

## BIRJA-Symmetric Concurrent Notification Disclosure

Per the publicly published Foreign Interference Threat Doctrine, an identical bilingual Russian-language version of this notification has been concurrently filed with:

- Federal Security Service of the Russian Federation — Counterintelligence Service / Служба контрразведки ФСБ России
- National Coordination Center for Computer Incidents (НКЦКИ) — НКЦКИ is the FSB-affiliated public CERT operating safe-surf.ru

**Information-symmetric handling commitment**: any reply or non-classified follow-up communication received from US federal recipients will be retained in NIGHTBOX corporate records and will NOT be shared with Russian Federation recipients without further explicit consent from US federal recipients. The reverse symmetry applies — replies from RF recipients are not shared with US recipients without explicit consent.

The publicly accessible Russian-language filing is available at:
`https://nightboxllc.com/reports/2026-05-17-FSB-NKCKI-uvedomlenie-inostrannoe-vmeshatelstvo-AS211590.md`

(URL transliterated for character-set portability; original Cyrillic title: «*Уведомление об инциденте иностранного вмешательства*»)

---

## Open Source Corroboration

This NIGHTBOX-side observation is corroborated by the following independently published threat-intelligence reports and reputation services:

- **GreyNoise Labs** — *"Vive La Vulnérabilité: French Kubernetes Cluster Hunts Your Webhook Endpoints"* — 2026-02-03
  https://www.labs.greynoise.io/grimoire/2026-02-03-vive-la-vulnerabilite-french-kubernetes-cluster-hunts-your-webhook-endpoints/
- **Scamalytics** — *"Bucklog SARL — Fraud Check"* — *"Potentially very high fraud risk ISP"*
  https://scamalytics.com/ip/isp/bucklog-sarl
- **AbuseIPDB** — 185.177.72.38 individual IP report (confidence score 328/100)
  https://www.abuseipdb.com/check/185.177.72.38
- **AbuseIPDB** — AS211590 aggregate abuse summary
  https://www.abuseipdb.com/check/AS211590
- **abuse.mom** — 185.177.72.52 — *Directory Scan, DDoS / Flood*
  https://www.abuse.mom/ip/185/185.177.72.52/
- **Cleantalk** — multiple IPs in `185.177.72.0/24` listed for sustained spam attacks
- **BGP analysis** — bgp.tools prefix 185.177.72.0/24 + AS211590 + AS49434 (FBW NETWORKS SAS parent)
- **IPinfo.io** — AS211590 organizational detail
- **BGPView** — AS211590 BGP routing data

---

## Filing Authority and Authentication

| Field | Value |
|-------|-------|
| **Affirming official** | Artem Shakin |
| **Title** | Sole Member, NIGHTBOX LLC |
| **Date** | 2026-05-17 |
| **Contact** | artem@nightboxllc.com |
| **Operator hardware authentication** | YubiKey 5 (FIDO2 + ED25519-SK) — public key fingerprint disclosed at `/.well-known/yubikey.json` |
| **Document integrity** | SHA-256 hash of this document is recorded in Neon `audit_log` table at time of issuance; verifiable on request |

---

**Document classification:** TLP:CLEAR
**Licensing:** CC BY 4.0 — Creative Commons Attribution 4.0 International
**Republication permitted:** Yes, with attribution
**No claim of confidentiality:** This document is a public-record awareness notification, not a confidential intelligence product. NIGHTBOX retains no proprietary or trade-secret claim over the information contained herein.

— end of notification —
