Friday, 7 August 2015
FBI 'Most Wanted' Cybercrime Kingpin Linked To Russian Espionage On US Government
There are rumours Evgeniy Bogachev - widely known as Slavik, the creator of uber money-making malware Zeus – spends much of his time on a boat in the Black Sea. He’s avoiding contact with others, largely because the FBI has a $3 million reward for anyone who can help expedite his capture.But intelligence agencies in the US and those closer to Moscow might soon be after him too; researchers today claimed there are links between Slavik and Russia’s espionage activity, including its work in the US.
Slavik ran the now defunct Gameover Zeus operation, which saw a vast network of up to 1 million infected machines connected over a peer-to-peer network maintained by Bogachev and his lackeys. The malware was largely used to steal bank logins and disseminate other malicious software. Bogachev’s own operations and those of his underground partners resulted in the theft of more than $100 million from global banks. Gameover Zeus hackers were also responsible for the Cryptolocker ransomware that had acquired its users $27 million in ransom payments after infecting and locking up more than 234,000 PCs. Both were shut down in June last year.
In the aftermath of that huge law enforcement operation, analysis of the tools has indicated Slavik or one of his customers was seeking out data about foreign governments that would have been of interest to the Putin regime, says Michael Sandee, principal security expert at Fox-IT, a Dutch digital forensics firm that worked with the FBI on the investigation. In particular, Sandee dug up search commands that looked for files related to foreign intelligence agencies in Georgia, Turkey and Ukraine.
The reasons for Russia’s interests in old Soviet satellite states are all too obvious, given Putin’s recent military activity in both countries. Searches in Georgia sought for specific government officials, most with the emails using the fiss.gov.ge and mia.gov.ge domains belonging to the country’s foreign intelligence service and the Ministry of Internal Affairs. In Ukraine, the searches were more generic, including “federal security service” and “security agent”. As for Turkey, it appeared the searches were looking for information on Syria, where Russia is reportedly readying troops to aid the Assad regime in the war-torn country.
Sandee said Slavik was running separate Gameover Zeus botnets – networks of infected machines – purely for surveillance work. The change in Ukraine’s government to one anathema to Russia’s anti-Western philosophy led to a spike in infections in the country and searches for “politically sensitive information”, according to a whitepaper drawn up by Fox-IT. Elliot Peterson of the FBI’s Pittsburgh branch and CrowdStrike’s Tillmann Werner, who helped poison and crush the Gameover Zeus network, were on hand to talk about the operation at the Black Hat conference in Las Vegas today.
The searches stem back to 2011 when the specialised espionage botnets were born, though the main search activity took place over 2013 and 2014.
There were also keyword searches related to the US, said Dr. Brett Stone-Gross, senior researcher at Dell SecureWorks, another firm that helped take down Gameover Zeus. Stone-Gross wouldn’t be more specific, though noted American government agencies were targeted and were now investigating the Slavik’s links to espionage. “They’re very interested,” he told FORBES, noting that the operations could have been carried out by one of Slavik’s affiliates.
FORBES contacted the National Security Agency and the Russian embassy in the US. Neither had responded at the time of publication.
Whilst Crowdstrike’s Werner expressed doubt to FORBES about who was running the apparent surveillance operations, suggesting a partner could have been involved, Sandee said he was almost certain Slavik was responsible. “I would say it was only Slavik himself that did it, I think it was separate from all the rest… because there were no references in the other systems to these botnets and Slavik was the only one who managed those back ends,” Sandee added.
He suggested that Slavik had to keep the operation separate as members of his fraud crew were based in Ukraine. Though they were carrying out criminal acts, they may well have cared enough about Ukraine’s strife to rebel if they were asked to spy on their own people.
All this, unsurprisingly, has led to speculation his links to Russian intelligence could be one of the reasons why Slavik has evaded arrest. But even Fox-IT knows it can only guess at what Slavik was up to, noting in its whitepaper released at Black Hat: “We could speculate that due to this part of his work he had obtained a level of protection, and was able to get away with certain crimes as long as they were not committed against Russia. This of course remains speculation, but perhaps it is one of the reasons why he has as yet not been apprehended.”
Image credit: forbes