There are rumours that Evgeniy Bogachev, widely known as Slavik and the creator of the hugely profitable Zeus malware, spends much of his time on a boat in the Black Sea. He is avoiding contact with others, largely because the FBI has offered a $3 million reward to anyone who can help expedite his capture. But intelligence agencies in the US, and those closer to Moscow, might soon be after him too: researchers today claimed there are links between Slavik and Russia's espionage activity, including its work in the US.
Slavik ran the now defunct Gameover Zeus operation, a vast network of up to 1 million infected machines connected over a peer-to-peer network maintained by Bogachev and his lackeys. The malware was largely used to steal bank logins and to disseminate other malicious software. Bogachev's own operations and those of his underground partners resulted in the theft of more than $100 million from global banks. Gameover Zeus hackers were also responsible for the Cryptolocker ransomware, which had earned its operators $27 million in ransom payments after infecting and locking up more than 234,000 PCs. Both were shut down in June last year.
In the aftermath of that huge law enforcement operation, analysis of the tools has indicated that Slavik or one of his customers was seeking out data about foreign governments that would have been of interest to the Putin regime, says Michael Sandee, principal security expert at Fox-IT, a Dutch digital forensics firm that worked with the FBI on the investigation. In particular, Sandee dug up search commands that looked for files related to foreign intelligence agencies in Georgia, Turkey and Ukraine.
Image caption: The FBI's Wanted poster for the owner of the Gameover Zeus cybercrime ring. There are suspicions he may have avoided arrest due to surveillance work he appeared to be carrying out alongside his huge fraud operation.
The reasons for Russia's interest in old Soviet satellite states are all too obvious, given Putin's recent military activity in both countries. Searches in Georgia sought specific government officials, most of them using email addresses on the fiss.gov.ge and mia.gov.ge domains, which belong to the country's foreign intelligence service and Ministry of Internal Affairs respectively. In Ukraine, the searches were more generic, including "federal security service" and "security agent". As for Turkey, the searches appeared to be looking for information on Syria, where Russia is reportedly readying troops to aid the Assad regime in the war-torn country.
Sandee said Slavik was running separate Gameover Zeus botnets, networks of infected machines, purely for surveillance work. The change in Ukraine's government to one anathema to Russia's anti-Western philosophy led to a spike in infections in the country and to searches for "politically sensitive information", according to a whitepaper drawn up by Fox-IT. Elliot Peterson of the FBI's Pittsburgh branch and CrowdStrike's Tillmann Werner, who helped poison and crush the Gameover Zeus network, were on hand to talk about the operation at the Black Hat conference in Las Vegas today.
The searches date back to 2011, when the specialised espionage botnets were born, though the main search activity took place over 2013 and 2014.
There were also keyword searches related to the US, said Dr. Brett Stone-Gross, senior researcher at Dell SecureWorks, another firm that helped take down Gameover Zeus. Stone-Gross wouldn't be more specific, though he noted that American government agencies were targeted and were now investigating Slavik's links to espionage. "They're very interested," he told FORBES, noting that the operations could have been carried out by one of Slavik's affiliates.
FORBES contacted the National Security Agency and the Russian embassy in the US. Neither had responded at the time of publication.
Whilst CrowdStrike's Werner expressed doubt to FORBES about who was running the apparent surveillance operations, suggesting a partner could have been involved, Sandee said he was almost certain Slavik was responsible. "I would say it was only Slavik himself that did it, I think it was separate from all the rest… because there were no references in the other systems to these botnets and Slavik was the only one who managed those back ends," Sandee added.
He suggested that Slavik had to keep the operation separate because members of his fraud crew were based in Ukraine. Though they were carrying out criminal acts, they may well have cared enough about Ukraine's strife to rebel if they were asked to spy on their own people.
All this, unsurprisingly, has led to speculation that his links to Russian intelligence could be one of the reasons why Slavik has evaded arrest. But even Fox-IT acknowledges it can only guess at what Slavik was up to, noting in its whitepaper released at Black Hat: "We could speculate that due to this part of his work he had obtained a level of protection, and was able to get away with certain crimes as long as they were not committed against Russia. This of course remains speculation, but perhaps it is one of the reasons why he has as yet not been apprehended."
Image credit: forbes