On 30 Dec 2016, the day after Barack Obama imposed sanctions on Russia for interfering in the 2016 US election, Tillmann Werner was sitting down to breakfast in Bonn, Germany.
The news about the sanctions had broken overnight, so Werner, a researcher with the cybersecurity firm CrowdStrike, was still catching up on details.
Werner saw that the White House had targeted a short parade’s worth of Russian names and institutions:
two intelligence agencies
four senior intelligence officials
35 diplomats
three tech companies
two hackers
Most of the details were a blur. Then Werner stopped scrolling. His eyes locked on one name buried among the targets: Evgeniy Mikhailovich Bogachev.
Werner, as it happened, knew quite a bit about Evgeniy Bogachev. He knew in precise, technical detail how Bogachev had managed to loot and terrorize the world’s financial systems with impunity for years. He knew what it was like to do battle with him.
But Werner had no idea what role Bogachev might have played in the US election hack. Bogachev wasn’t like the other targets—he was a bank robber. Maybe the most prolific bank robber in the world. “What on earth is he doing on this list?” Werner wondered.
America’s war with Russia’s greatest cybercriminal began in the spring of 2009, when special agent James Craig, a rookie in the FBI’s Omaha, Nebraska, field office, began looking into a strange pair of electronic thefts.
A former marine, Craig had been an agent for just six months, but his superiors tapped him for the case anyway, because of his background: For years, he’d been an IT guy for the FBI. One of his nicknames in college was “the silent geek.”
The leading victim in the case was a subsidiary of the payments-processing giant First Data, which lost $450k in May 2009. That was quickly followed by a $100k theft from a client of the First National Bank of Omaha.
What was odd, Craig noticed, was that the thefts seemed to have been executed from the victims’ own IP addresses, using their own logins and passwords. Examining their computers, he saw that they were infected with the same malware: something called the Zeus Trojan horse.
In online security circles, Craig discovered, Zeus was notorious. Having first appeared in 2006, the malware had a reputation among both criminals and security experts as a masterpiece. Its author was only known by the handle Slavik, or lucky12345, or a half-dozen other names.
Zeus infected computers through fairly typical means: fake IRS emails, say, or illegitimate UPS shipping notices that tricked recipients into downloading a file. Once installed, the malware let attackers hijack websites and use a keystroke logger to record usernames, passwords, and PINs.
Attackers could then launch a “man in the browser” attack, modifying login forms to request further valuable info. The malware alters pages before they load, so the victim sees nothing unusual; only when you log in from a different computer do you realize the money is gone. Infected machines could also be used for spam and botnets.
But sometime shortly before Craig picked up his case in 2009, Slavik had begun to change tack. He started cultivating an inner circle of online criminals, providing a select group with a variant of his malware, called Jabber Zeus.
It came equipped with a Jabber instant-message plug-in, allowing the group to communicate and coordinate attacks. Rather than rely on broad infection campaigns, they began to specifically target corporate accountants and people with access to financial systems.
In 2010 Slavik announced his “retirement” online and then released what security researchers came to call Zeus 2.1, protected by an encryption key with a price tag upwards of $10,000 per copy. Now, Slavik was only dealing with an elite, ambitious group of criminals.
Craig’s first major break in the case came in September 2009. With the help of some industry experts, he identified a New York–based server that seemed to play some sort of role in the Zeus network.
He obtained a search warrant, and an FBI forensics team copied the server’s data. The hard drive contained tens of thousands of lines of instant message chat logs in Russian and Ukrainian. Looking over at Craig, the engineer said: “You have their Jabber server.”
This was the gang’s whole digital operation—a road map to the entire case. The cybersecurity firm Mandiant dispatched an engineer to Omaha for months just to help untangle the Jabber Zeus code, while the FBI began cycling in agents from other regions on 30- or 90-day assignments.
The messages contained references to hundreds of victims, their stolen credentials scattered in English throughout the files. Craig and other agents started cold-calling institutions, telling them they had been hit.
2009, New York
Three young women from Kazakhstan walked into the FBI field office. They had come to the US to look for work and found themselves participating in a curious scheme: A man would drive them to a local bank and tell them to go inside and open a new account.
They were to explain to the teller that they were students visiting for the summer. A few days later, the man had them return to the bank and withdraw all of the money in the account; they kept a small cut and passed the rest on to him.
Agents pieced together that the women were “money mules”: Their job was to cash out the funds that Slavik and his comrades had siphoned from legitimate accounts.
By summer 2010, New York investigators had put banks across the region on alert. The alert turned up dozens of mules withdrawing tens of thousands of dollars. Most were students or newly arrived immigrants in Brighton Beach.
Officials traced similar mule routes in Romania, the Czech Republic, the United Kingdom, Ukraine, and Russia. All told, investigators could attribute around $70M-$80M in thefts to the group—but they suspected the total was far more than that.
Over the summer, New York agents began to close in on high-ranking recruiters and the scheme’s masterminds in the US. Two Moldovans were arrested at a Milwaukee hotel at 11 pm following a tip; one suspect in Boston tried to flee and had to be rescued from the fire escape.
The FBI and the Justice Department had zeroed in on an area in eastern Ukraine around the city of Donetsk, where several of the Jabber Zeus leaders seemed to live.
Alexey Bron, aka “thehead”
specialized in moving the gang’s money around the world
Ivan Viktorvich Klepikov, aka “petr0vich”
ran the IT management, web hosting, and domain names
Vyacheslav Igorevich Penchukov, aka “tank”
managed the whole scheme, second in command to Slavik
The chat logs were filled with discussions of fancy vacations across Turkey, Crimea, and the United Arab Emirates.
Fall 2010
Craig was on a train ride across Ukraine to Donetsk, where he met up with agents from the country’s security service to raid tank’s and petr0vich’s homes.
Standing in petr0vich’s living room, a Ukrainian agent told Craig to flash his FBI badge. “Show him it’s not just us,” he urged. The raids lasted well into the night, and Craig didn’t return to his hotel until 3 am. He took nearly 20 terabytes of seized data back to Omaha.
There were 39 arrests across four nations, but crucial players slipped away. One top mule recruiter in the US fled west, staying a step ahead of investigators in Las Vegas and Los Angeles before finally escaping the country inside a shipping container.
Slavik, the mastermind himself, remained almost a complete cipher. Investigators assumed he was based in Russia. And once, in an online chat, they saw him reference that he was married. Other than that, they had nothing.
About a year after the FBI shut down the Jabber Zeus ring, cybersecurity researchers began to notice a new variant of Zeus emerge. The malware’s source code had been leaked online in 2011, setting off an explosion of new variants.
This new variant, GameOver Zeus, was controlled by a very elite group of hackers—and the group’s leader was Slavik. The new crime ring came to be called the Business Club.
Investigators specifically identified two areas in far eastern China, close to the Russian city of Vladivostok, from which mules funneled huge amounts of stolen money into Business Club accounts.
Botnet fighters are a small, proud group of engineers and security researchers. Tillmann Werner, the tall, lanky German researcher with the security firm CrowdStrike, had become known for his flair and enthusiasm for the work.
In 2012 he had linked up with Stone-Gross—who was just a few months out of graduate school and was based in California—plus a few other researchers to map out an effort to attack GameOver.
By January 2013 they were ready: Their plan was to reroute GameOver’s peer-to-peer network, centralize it, and then redirect the traffic to a new server under their control—a process known as “sinkholing.”
The researchers’ ploy failed. In an online chat with a Polish security team, Slavik crowed about how all the efforts to seize his network had come to naught. Dejected but eager to try again, the two researchers needed help—from Pittsburgh.
Over the past decade, the FBI’s Pittsburgh field office has emerged as the source of the government’s biggest cybercrime indictments, thanks in no small part to the head of the local cybersquad there, a onetime furniture salesman named J. Keith Mularski.
By 2014, the FBI agents in Mularski’s squad, together with another squad assigned to a little-known Pittsburgh institution called the National Cyber-Forensics and Training Alliance (NCFTA), were prosecuting some of the Justice Department’s biggest cases.
The FBI’s GameOver case had been under way for about a year by the time Werner and Stone-Gross offered to join forces with the Pittsburgh squad to take down Slavik’s botnet.
Mularski’s squad began to stitch together an international partnership enlisting
UK’s National Crime Agency
Officials in
Switzerland
the Netherlands
Ukraine
Luxembourg
and 12 other countries
Industry experts from
Microsoft
CrowdStrike
McAfee
Dell SecureWorks
and others
To help nail down Slavik’s ID and get intel on the Business Club, the FBI teamed up with Fox-IT, a Dutch outfit renowned for its expertise in cyber-forensics. The Dutch researchers got to work tracing old usernames and email addresses associated with Slavik’s ring.
The Business Club was a loose confederation of about 50 criminals, who each paid an initiation fee to access GameOver’s advanced control panels. The network was run through two password-protected British websites, Visitcoastweekend[.]com and Work.businessclub[.]so
The team was able to trace one of Slavik’s email addresses to a British server that he used to run the Business Club’s websites. It led authorities to Russian social media sites where the email address was connected to a real name: Evgeniy Mikhailovich Bogachev.
The team couldn’t find specific evidence of a link between Bogachev and the Russian state, but some entity seemed to be feeding Slavik specific terms to search for in his vast network of zombie computers.
Fox-IT noticed that someone at the helm of GameOver had been searching the botnet’s infected computers for things like email addresses belonging to Georgian intel officers or leaders of elite Turkish police units, or docs that bore markings designating classified Ukrainian secrets.
Whoever it was, they were also searching for classified material linked to the Syrian conflict and Russian arms dealing. At some point, a light bulb went off. “These are espionage commands,” Sandee says.
As best as the investigators could determine, Bogachev was the only member of the Business Club who knew about this particular feature of the botnet. He appeared to be running a covert operation right under the noses of the world’s most prolific bank robbers.
March 2014
Investigators watched as an international crisis played out weeks after the Sochi Olympics, when Russian forces seized the Ukrainian region of Crimea and began efforts to destabilize the country’s eastern border.
Right in step with the Russian campaign, Bogachev redirected a section of his botnet to search for politically sensitive information on infected Ukrainian computers—trawling for intelligence that might help the Russians anticipate their adversaries’ next moves.
The system that Slavik used to make his intelligence queries dated back approximately to the moment in 2010 when he made access to his malware more exclusive. Perhaps, in exchange for a license to commit fraud, the Russian security services made certain demands of him.
On 30 May 2014, the American-led force got ready to move in on GameOver. Working with a cast of dozens, communicating with more than 70 internet service providers and a dozen other law enforcement agencies from Canada to the UK to Japan to Italy, the team readied an attack.
That morning, Werner and Stone-Gross arrived at their office building to find that one of the operation’s partners, McAfee, had prematurely published a blog post announcing the attack on the botnet, titled “It’s ‘Game Over’ for Zeus and Cryptolocker.”
After frantic calls to get the post taken down, the attack finally began. Canadian and Ukrainian authorities shut down GameOver’s command servers, knocking each offline in turn. For hours, the attack went nowhere; the researchers struggled to figure out where the bugs lay.
By Sunday night, nearly 60 hours in, the Pittsburgh team knew they’d won. On Monday, 2 June 2014, the FBI and Justice Department announced the takedown and unsealed a 14-count indictment against Bogachev.
In 2015, the State Dept put a $3M bounty on Bogachev, the highest reward the US has posted for a cybercriminal. But he remains at large. According to US intel sources, the govt does not suspect that Bogachev took part in the Russian campaign to influence the US election.
Rather, the Obama administration included him in the sanctions to put pressure on the Russian govt. The hope is that the Russians might be willing to hand over Bogachev as a sign of good faith, since the botnet that was useful to them is now defunct.
The huge questions that linger over the GameOver case foreshadow the challenges that face the analysts looking into the election hacks. Fortunately, the agents on the case have experience to draw from: The DNC breach is reportedly being investigated by the FBI’s Pittsburgh office.
On 15 Oct 2020, a federal grand jury in the Western District of Pennsylvania returned an indictment against six Russian military intel officers for their roles in targeting and compromising computer systems worldwide, including:
those relating to critical infrastructure in Ukraine
a political campaign in France, and the country of Georgia
international victims of the “NotPetya” malware attacks (including critical infrastructure providers)
international victims associated with the 2018 Winter Olympic Games and investigations of nerve agent attacks that have been publicly attributed to the Russian government.
A Russian national today admitted his role in hacking that targeted major corporate networks, compromised 160M+ credit card numbers, and resulted in hundreds of millions of dollars in losses – the largest such scheme ever prosecuted in the US.
A grand jury in the Northern District of California has indicted four defendants, including two officers of the Russian Federal Security Service (FSB), for computer hacking, economic espionage, and other criminal offenses in connection with a conspiracy.
The overall purpose of this paper is to scrutinize the contemporary hybrid warfare employed by Russia in Ukraine and determine which elements have been most critical for Russia’s success.
After providing a brief overview of hybrid warfare, this paper asserts that information operations and special operations ultimately pave the way for success in hybrid warfare.
Since both of these components create a more favorable population, achieve the strategic initiative, and act as a force multiplier for insurgent elements, they result in early successes that provide the initiating actor escalation control.
Julie Sirrs, a former military analyst for the Defense Intelligence Agency, was the first intelligence officer to report on the significance of Osama bin Laden moving his terrorist operation from the Sudan into Afghanistan.
Dr. al-Zawahiri and bin Laden have been partners since 1993, when bin Laden merged Al Qaeda with al-Zawahiri’s Egyptian Islamic Jihad. They met when bin Laden was treated for low blood pressure by al-Zawahiri, who is credited with the assassination of Egyptian president Anwar al Sadat.
al-Zawahiri and bin Laden announced the launch of their “campaign of terror” in November 1997.
It was one month earlier that Julie Sirrs made her first investigative trip to Afghanistan. But at that time, she was an odd duck within the American intelligence establishment.
On January 5 Kazakh President Kassym-Jomart Tokayev stripped former Kazakh President Nursultan Nazarbayev of his role as head of the State Security Committee, the successor to the Soviet-era KGB.
That same day a private plane of Nazarbayev's daughter Dinara and her husband, oligarch Timur Kulibayev, reportedly departed for Kyrgyzstan, with other Nazarbayev family members possibly on board.
Alexey Venediktov, editor-in-chief of Echo of Moscow radio, reported the plane's departure; a Russian Foreign Ministry source said it was unclear whether the ex-president himself was on board.
Nazarbayev was reported as ready to leave Kazakhstan “for medical treatment”.