The Federal Bureau of Investigation (FBI) teaming with international law enforcement, yesterday fingered Evgeniy Bogachev as the cyber-crime boss operating a Zeus-trojan-based botnet that has allegedly stolen millions from U.S. business bank accounts over the past five years. In a stunning blow to Bogachev’s alleged cyber-crime empire, which is also tied to the CryptoLocker ransomware attacks of last year, international law enforcement seized his “Gameover Zeus” command servers in Kiev sand Donetsk, cities in the Ukraine even as civil strife there is ongoing.
The U.S. Department of Justice (DoJ) yesterday leveled criminal charges against Bogachev, thought to live in Anapa, Russia, accusing him of illegal hacking, fraud and money laundering. While some of Bogachev’s cohorts, also under indictment, have been arrested outside Russia, Bogachev (who is said to have used the online nickname “lucky12345”) has not been arrested. The FBI notes he appears to enjoy boating on the Black Sea.
One question is whether Bogachev will try to quickly recoup his losses by re-constructing his botnet empire. The FBI, working with foreign counterparts in Ukraine, The Netherlands, Great Britain, and elsewhere across Europe, plus Canada, are doing their best to prevent that. They seized servers associated with his cybercrime operations, including CryptoLocker, which was used to attack business networks to encrypt files and demand a ransom to decrypt. The takedown also included the command-and-control servers for the sophisticated peer-to-peer “Gameover Zeus” Trojan used to infect computers in businesses mainly in order to steal funds from bank accounts. Law enforcement wants to identify the many victims of this “Gameover Zeus” infection to help them get rid of it.
“It’s a precedent-setting action—the level of coordination in technical, legal and the ISP sides of the coordinated team effort,” says Adam Meyers, vice president of intelligence at CrowdStrike, a security firm that was among some of the private-sector companies assisted in the botnet’s disruption. CrowdStrike’s contribution included technical support for analysis and reverse engineering of the malware that assisted in taking the bots out of the control of the cybercrime gang.
The question is whether the type of botnet linked to Bogachev’s gang will be re-assembled to continue its cybercrime spree. It’s uncertain, of course, especially as Bogachev hasn’t been arrested, but the massive international strike puts them “on notice,” says Meyers. At the same time, Meyers acknowledges that in the cybercrime world, the advantage often appears to be in the adversary’s court as they go about plundering across the world while law enforcement has work carefully to coordinate international moves against it.
Tom Kellermann, chief cyber security officer at Trend Micro, which was also among security firms assisting in the takedown operation, said Boachev almost seems “untouchable” unless either someone above him in the cybercrime operation hands him over as the “sacrifical lamb” or Russian law authorities take steps to cooperate with the U.S. to get Bogachev. So far, the U.S. doesn’t appear to have that cooperation with Russia, Kellermann adds.
Trend Micro assisted in the botnet disruption by providing help to international law enforcement with analytics related to victims’ computers taken over by the Gameover Zeus botnet and a “sinkholing” effort to block contact with the malware’s command-and-control servers.
The DoJ’s assistant attorney general Leslie Caldwell yesterday said, “We will do our best to ensure that the operators cannot re-establish control over infected machines and thus continue their lucrative enterprise,” adding the DoJ has reached out to Russian law enforcement “to take action to bring this defendant and those working with him to justice, and will work with our counterparts to do so.”
So what is the Bogachev gang accused of hitting by infiltrating business networks to steal funds? The DoJ indictment presents a long list of victims that still represents what’s probably just the tip of the iceberg over the past five years.
According to the official indictment against Bogachev, a “selected” list of 25 is presented, including APC Properties, Arben Group LLC, Bank of Albuquerque, Bank of Georgetown, Bastrire Edwards CPAS, Bullitt Country Fiscal Court, Capital One Bank, Doll Distributing, Downeast Energy and Building Supply, First National Bank of Omaha, Genlabs, Husker SG, LLC, Key Bank, Lieber’s Luggage, Parkinson Construction, the Massachusetts town of Egremont, Webster Bank and several more.
The type of cybercrime involved using Zeus malware to hide in the victim’s network to discover where computers were being used for funds transfer or online banking. Then the malware would be able to steal bank account numbers and PINs and initiate electronic funds transfers to money mules who transferred the money overseas. Many victims were small business, the indictment points out.
The DoJ’s Caldwell noted that “the CryptoLocker scheme, by contrast, was brutally direct about obtaining victims’ money. Rather than watch and wait, the cyber criminals simply took the victim’s computer hostage until the computer owner agreed to pay a ransom directly to them. They used sophisticated encryption—a tool originally designed to protect data from theft — to make it impossible for victims to access any data stored on their computers.”
But what the Gameover Zeus botnet for bank fraud and CryptoLocker for ransomware had in common, says Caldwell, is that once you learned you were infected by them, “it was too late.”
Trend Micro’s Kellermann says as important as the current effort against this cybercrime operation is, it’s important to realize that Eastern Europe is an ongoing “bazaar of new capabilities developed daily” for cybercrime that are being distributed out to the experienced cyber-criminals and neophytes alike. That means there are many more investigations that have to be done.