Inside the Hunt for Russia’s Most Notorious Hacker

Source: Wired | March 21, 2017 | Garrett M. Graff

On the morning of December 30, the day after Barack Obama imposed sanctions on Russia for interfering in the 2016 US election, Tillmann Werner was sitting down to breakfast in Bonn, Germany. He spread some jam on a slice of rye bread, poured himself a cup of coffee, and settled in to check Twitter at his dining room table.

The news about the sanctions had broken overnight, so Werner, a researcher with the cybersecurity firm CrowdStrike, was still catching up on details. Following a link to an official statement, Werner saw that the White House had targeted a short parade’s worth of Russian names and institutions—two intelligence agencies, four senior intelligence officials, 35 diplomats, three tech companies, two hackers. Most of the details were a blur. Then Werner stopped scrolling. His eyes locked on one name buried among the targets: Evgeniy Mikhailovich Bogachev. 

Werner, as it happened, knew quite a bit about Evgeniy Bogachev. He knew in precise, technical detail how Bogachev had managed to loot and terrorize the world’s financial systems with impunity for years. He knew what it was like to do battle with him.

But Werner had no idea what role Bogachev might have played in the US election hack. Bogachev wasn’t like the other targets—he was a bank robber. Maybe the most prolific bank robber in the world. “What on earth is he doing on this list?” Werner wondered.

…..

In online security circles, Craig discovered, Zeus was notorious. Having first appeared in 2006, the malware had a reputation among both criminals and security experts as a masterpiece—smooth, effective, versatile. Its author was a phantom. He was only known online, where he went by the handle Slavik, or lucky12345, or a half-dozen other names.

…..

By the time Craig started his investigation, Zeus had become the digital underground’s malware of choice—the Microsoft Office of online fraud. Slavik was something rare in the malware world: a genuine professional. He regularly updated the Zeus code, beta-testing new features. His product was endlessly adaptable, with variants optimized for different kinds of attacks and targets. A computer infected with Zeus could even be folded into a botnet, a network of infected computers that can be harnessed together to run spam servers or distributed denial-of-service attacks, or send out more deceptive emails to spread the malware further.

….

As Slavik turned increasingly to organized crime, he dramatically narrowed his retail malware business. In 2010 he announced his “retirement” online and then released what security researchers came to call Zeus 2.1, an advanced version of his malware protected by an encryption key—effectively tying each copy to a specific user—with a price tag upwards of $10,000 per copy. Now, Slavik was only dealing with an elite, ambitious group of criminals.

….

Craig’s first major break in the case came in September 2009. With the help of some industry experts, he identified a New York–based server that seemed to play some sort of role in the Zeus network. He obtained a search warrant, and an FBI forensics team copied the server’s data onto a hard drive, then overnighted it to Nebraska. When an engineer in Omaha examined the results, he sat in awe for a moment. The hard drive contained tens of thousands of lines of instant message chat logs in Russian and Ukrainian. Looking over at Craig, the engineer said: “You have their Jabber server.”

This was the gang’s whole digital operation—a road map to the entire case. The cybersecurity firm Mandiant dispatched an engineer to Omaha for months just to help untangle the Jabber Zeus code, while the FBI began cycling in agents from other regions on 30- or 90-day assignments. Linguists across the country pitched in to decipher the logs. “The slang was a challenge,” Craig says.

….

The United States, moreover, was just one market in what investigators soon realized was a multinational reign of fraud. Officials traced similar mule routes in Romania, the Czech Republic, the United Kingdom, Ukraine, and Russia. All told, investigators could attribute around $70 million to $80 million in thefts to the group—but they suspected the total was far more than that.

Banks howled at the FBI to shut the fraud down and stanch the losses. Over the summer, New York agents began to close in on high-ranking recruiters and the scheme’s masterminds in the US. Two Moldovans were arrested at a Milwaukee hotel at 11 pm following a tip; one suspect in Boston tried to flee a raid on his girlfriend’s apartment and had to be rescued from the fire escape.

….

With 39 arrests around the world—stretching across four nations—investigators managed to disrupt the network. But crucial players slipped away. One top mule recruiter in the US fled west, staying a step ahead of investigators in Las Vegas and Los Angeles before finally escaping the country inside a shipping container. More important, Slavik, the mastermind himself, remained almost a complete cipher. Investigators assumed he was based in Russia. And once, in an online chat, they saw him reference that he was married. Other than that, they had nothing. The formal indictment referred to the creator of the Zeus malware using his online pseudonym. Craig didn’t even know what his prime suspect looked like. “We have thousands of photos from tank, petr0vich—not once did we see Slavik’s mug,” Craig says. Soon even the criminal’s online traces vanished. Slavik, whoever he was, went dark. And after seven years of chasing Jabber Zeus, James Craig moved on to other cases.

….

As far as anyone could tell, GameOver Zeus was controlled by a very elite group of hackers—and the group’s leader was Slavik. He had reemerged, more powerful than ever. Slavik’s new crime ring came to be called the Business Club. A September 2011 internal announcement to the group—introducing members to a new suite of online tools for organizing money transfers and mules—concluded with a warm welcome to Slavik’s select recipients: “We wish you all successful and productive work.”

…..

Unlike the earlier Jabber Zeus gang, the more advanced network behind GameOver focused on larger six- and seven-figure bank thefts—a scale that made bank withdrawals in Brooklyn obsolete. Instead, they used the globe’s interconnected banking system against itself, hiding their massive thefts inside the trillions of dollars of legitimate commerce that slosh around the world each day. Investigators specifically identified two areas in far eastern China, close to the Russian city of Vladivostok, from which mules funneled huge amounts of stolen money into Business Club accounts. The strategy, investigators realized, represented an evolutionary leap in organized crime: Bank robbers no longer had to have a footprint inside the US. Now they could do everything remotely, never touching a US jurisdiction. “That’s all it takes to operate with impunity,” says Leo Taddeo, a former top FBI official.

…..

In the years that followed, the head of the Pittsburgh office decided to invest aggressively in combating cybercrime—a bet on its increasing importance. By 2014, the FBI agents in Mularski’s squad, together with another squad assigned to a little-known Pittsburgh institution called the National Cyber-Forensics and Training Alliance, were prosecuting some of the Justice Department’s biggest cases. Two of Mularski’s agents, Elliott Peterson and Steven J. Lampo, were chasing the hackers behind GameOver Zeus, even as their desk-mates simultaneously investigated a case that would ultimately indict five Chinese army hackers who had penetrated computer systems at Westinghouse, US Steel, and other companies to benefit Chinese industry.

….

Both sides realized that in order to tackle the botnet, they needed to work on three simultaneous fronts. First, they had to figure out once and for all who was running GameOver—what investigators call “attribution”—and build up a criminal prosecution; even after millions of dollars in thefts, neither the FBI nor the security industry had so much as a single Business Club member’s name. Second, they needed to take down the digital infrastructure of GameOver itself; that’s where Werner and Stone-Gross came in. And third, they needed to disable the botnet’s physical infrastructure by assembling court orders and enlisting the help of other governments to seize its servers across the globe. Once all that was done, they needed partners in the private sector to be ready with software updates and security patches to help recover infected computers the moment the good guys had control of the botnet. Absent any one of those moves, the next effort to take down GameOver Zeus was likely to fail just as the previous ones had.

…..

First, to help nail down Slavik’s identity and get intelligence on the Business Club, the FBI teamed up with Fox-IT, a Dutch outfit renowned for its expertise in cyber-forensics. The Dutch researchers got to work tracing old usernames and email addresses associated with Slavik’s ring to piece together an understanding of how the group operated.

…..

One day, after months of following leads, the investigators at Fox-IT got a tip from a source about an email address they might want to look into. It was one of many similar tips they’d chased down. “We had a lot of bread crumbs,” Mularski says. But this one led to something vital: The team was able to trace the email address to a British server that Slavik used to run the Business Club’s websites. More investigative work and more court orders eventually led authorities to Russian social media sites where the email address was connected to a real name: Evgeniy Mikhailovich Bogachev. At first it was meaningless to the group. It took weeks’ more effort to realize that the name actually belonged to the phantom who had invented Zeus and created the Business Club.

Slavik, it turned out, was a 30-year-old who lived an upper-middle-class existence in Anapa, a Russian resort city on the Black Sea. Online photos showed that he enjoyed boating with his wife. The couple had a young daughter. One photo showed Bogachev posing in leopard-print pajamas and dark sunglasses, holding a large cat. The investigative team realized that he had written the first draft of Zeus when he was just 22 years old.

But that wasn’t the most astounding revelation that the Dutch investigators turned up. As they continued their analysis, they noticed that someone at the helm of GameOver had been regularly searching tens of thousands of the botnet’s infected computers in certain countries for things like email addresses belonging to Georgian intelligence officers or leaders of elite Turkish police units, or documents that bore markings designating classified Ukrainian secrets. Whoever it was, they were also searching for classified material linked to the Syrian conflict and Russian arms dealing. At some point, a light bulb went off. “These are espionage commands,” Sandee says.

GameOver wasn’t merely a sophisticated piece of criminal malware; it was a sophisticated intelligence-gathering tool. And as best as the investigators could determine, Bogachev was the only member of the Business Club who knew about this particular feature of the botnet. He appeared to be running a covert operation right under the noses of the world’s most prolific bank robbers. The FBI and Fox-IT team couldn’t find specific evidence of a link between Bogachev and the Russian state, but some entity seemed to be feeding Slavik specific terms to search for in his vast network of zombie computers. Bogachev, it appeared, was a Russian intelligence asset.

In March 2014, investigators could even watch as an international crisis played out live inside the snow globe of Bogachev’s criminal botnet. Weeks after the Sochi Olympics, Russian forces seized the Ukrainian region of Crimea and began efforts to destabilize the country’s eastern border. Right in step with the Russian campaign, Bogachev redirected a section of his botnet to search for politically sensitive information on infected Ukrainian computers—trawling for intelligence that might help the Russians anticipate their adversaries’ next moves.

…..

Finally, by evening Pittsburgh time, the traffic to their sinkhole began to climb. On the other side of the world, Bogachev came online. The attack had interrupted his weekend. Perhaps he didn’t think much of it at first, given that he had easily weathered other attempts to seize control of his botnet. “Right away, he’s kicking the tires. He doesn’t know what we’ve done,” Peterson recalls. That night, yet again, Bogachev readied for battle—wrestling for control of his network, testing it, redirecting traffic to new servers, and deciphering the Pittsburgh team’s method of attack. “It was cyber-hand-to-hand combat,” recalls Pittsburgh US attorney David Hickton. “It was amazing to watch.”

The team was able to monitor Bogachev’s communication channels without his knowledge and knock out his Turkish proxy server. Then they watched as he tried to come back online using the anonymizing service Tor, desperate to get some visibility into his losses. Finally, after hours of losing battles, Slavik went silent. The attack, it appeared, was more than he had bargained for. The Pittsburgh team powered on through the night. “He must’ve realized it was law enforcement. It wasn’t just the normal researcher attack,” Stone-Gross says.

By Sunday night, nearly 60 hours in, the Pittsburgh team knew they’d won. On Monday, June 2, the FBI and Justice Department announced the takedown and unsealed a 14-count indictment against Bogachev.

…..

But the uncomfortable truth is that Bogachev and other Russian cybercriminals lie pretty far beyond America’s reach. The huge questions that linger over the GameOver case—like those surrounding Bogachev’s precise relationship to Russian intelligence and the full tally of his thefts, which officials can only round to the nearest $100 million or so—foreshadow the challenges that face the analysts looking into the election hacks. Fortunately, the agents on the case have experience to draw from: The DNC breach is reportedly being investigated by the FBI’s Pittsburgh office.

…..