The hunt for Russian hacker number 1

[DronVR]

The hunt for Russian hacker number 1

FBI vs Slavik.
On December 30, 2016, US President Barack Obama imposed sanctions against the FSB, the GRU, several technology companies and two hackers, among whom was Evgeny Bogachev.

Now the man is hiding, and nothing is known about his activities, but a few years ago, the FBI and the best cybersecurity IT specialists searched for this man around the world.

Bogachev is considered the creator of the famous ZeuS virus, which enslaved hundreds of thousands of computers around the world, and the founder of an elite hacker group that stole more than $ 100 million from bank accounts. For his head, the US government has appointed a reward of $ 3 million. The history of Bogachev’s activities and the struggle with the special services was told by the journalist of the Wired publication, Garrett M. Graff.

The formation of "Zeus"
In the spring of 2009, FBI Special Agent James Craig arrived at a bureau in Omaha, Nebraska. He was a former marine and established himself as a good IT specialist, so he was appointed investigator in the case of a major theft of funds via the Internet. In May 2009, $ 450 thousand was stolen from a subsidiary of the American company First Data. A little later, 100 thousand dollars were stolen from customers of the first national bank of Omaha.

Craig was embarrassed that in both cases the thefts were carried out from the IP addresses of the victims themselves using their usernames and passwords. After checking the computers, the FBI agent found that both devices are infected with the same virus - the Zeus Trojan.

With the help of cybersecurity experts, Craig found out that this virus first appeared in 2006. However, there are versions that the botnet first sold in 2007. One way or another, Zeus gained immense popularity among hackers, and security experts described Zeus as a convenient, efficient, and versatile technology masterpiece. Craig tried to find the author of the virus, however, he only found out the hacker nicknames: Slavik and lucky12345

Continuing the investigation, Craig studied the principle of Zeus. He infected the computer through fake emails and fake Internet notifications, which, when pressed by trickery, downloaded an infected file into the system. As soon as Zeus got into the computer, he stole user logins, passwords and PIN-codes on sites using a keylogger, that is, recording keystrokes. The virus could even change login forms, gaining access to answers to secret questions like mother’s maiden name or insurance number. After that, the computer could silently send spam to the user, spreading the virus further.

When you enter a seemingly secure site, Zeus covertly modifies the page before loading it, finds out the details of your account and pumps out money from the account.
Before the investigation, Craig Slavik often appeared on hacker forums and promoted his virus. However, in 2010, he announced his “departure” and finally showed an extended version of Zeus with the ability to bind the program to its owner. For a copy of the program, Slavik asked for 10 thousand dollars. Not all hackers could afford such expenses, but the author of “Zeus” no longer wanted to think small - he had big plans.

In the summer of 2009, together with trusted hackers, Slavik created a group of elite cybercriminals. For operational communication, he developed a modernized version of "Zeus" with a built-in Jabber Zeus messenger. Thanks to this, the team could secretly and efficiently communicate and coordinate hacking bank accounts. Slavik's new tactics suggested that the main emphasis would be on the theft of personal data from accountants and managers of large companies with access to financial systems.

At the same time, Craig was conducting an investigation, but, as he later admitted to Wired, he did not even suspect the extent of the threat. And only when dozens of American banks began to complain about electronic thefts of annual revenue, an FBI agent realized that he was faced with a professional hacker group.

Special Services Investigation
In September 2009, Craig, along with several IT professionals, discovered in New York a server connected to the Jabber Zeus system. The FBI agent obtained a search warrant and rewritten server traffic to the hard drive. When the federal service engineer saw the contents of the data, he was speechless for several minutes. It turned out that Craig got hacked correspondence on the Jabber messenger with addresses from Russia and Ukraine.

Over the next few months, Mandiant, an American cybersecurity company engineer, and FBI officials decrypted the correspondence. The process was hampered by hacker slang, which American linguists had to analyze.

In the decrypted data, hackers discussed hacked companies, and thanks to this, Craig phoned the leadership of the organizations. He said that their money was lost due to a dangerous computer virus. At this point, accountants from several firms had already been fired on suspicion of theft.

However, the successful decryption of data has poorly advanced further investigation. Only at the end of 2009 Craig found out how a hacker group manages to secretly transfer huge amounts of money.

It all started with the story of three Kazakhstan natives to FBI employees. They allegedly came to New York in search of work, and once an unknown person invited them to participate in a strange scheme. They were brought by car to the bank, after which the women opened an account there and informed employees that they had arrived in the country for the summer to study.

A few days later, a man brought women, and they withdrew the money received in the account. For this work they were paid a small percentage, and the rest was transferred to a recruiter. When Craig found out about this story, he realized that women were used as “money mules”. Their job is to transfer money to the Slavik hacker group. Soon the FBI found out that the “mules” scheme worked in the USA, Romania, Czech Republic, Great Britain, Ukraine and Russia.

According to official estimates, by 2010, hackers stole from 70 to 80 million dollars. However, some FBI experts believe that the real amount is much larger.
When US intelligence agencies asked banks to report people who resembled such “mules,” FBI agents soon had to communicate with dozens of people. Mostly these were students and immigrants, withdrawing from the accounts of nine thousand dollars, so as not to attract attention.

In the summer of 2010, service officers arrested two Moldovan natives offering a “mule” job. In parallel with this, the FBI, together with the Ministry of Justice, determined that the three leaders of the Slavik hacker group were hiding in Ukraine in Donetsk.

In autumn 2010, the FBI agreed with the Ukrainian Security Service (SBU) on a joint raid on one of the hacker leaders Ivan Klepikov. When the special agents arrived at the apartment in the old Soviet house and began the search, the hacker calmly watched the process. In the kitchen, his wife held a child in her arms and laughed with SBU agents. Craig took over 20 terabytes of information from dozens of Klepikov hard drives and returned to the United States.

At the same time, agents arrested 39 mule recruiters in four countries. This was enough to disrupt the hacker system of money laundering. However, Craig was disappointed - the FBI did not come close to catching the leader of the Slavik group. The security services knew for sure only one thing: he has a wife. After a special services raid in Ukraine, the hacker leader and author of Jabber Zeus disappeared, and Craig was transferred to another investigation.

New virus and failed attack
In 2011, a small cyber security community noticed a new variation of Zeus with an upgraded botnet system. In the initial versions of the virus, infected computers were controlled through one command center, which made the entire system vulnerable. After all, if the special services discover this service, they will be able to turn off the entire system with one blow.

In the new version of Zeus, which became known as GameOver Zeus, infected computers constantly stored and updated the list of other infected ones. This was done in case the virus on the device detects an attempt to intercept its connection with the command center. At such a moment, the infected computer could switch to another command service and confuse the special services.

The FBI suggested that GameOver Zeus used the new Business Club hacker group, which Slavik founded instead of the scattered Jabber Zeus. First, GameOver stole banking information using an infected computer, then pumped out money and transferred it to accounts controlled by hackers. In parallel, the virus on computers blocked access to the banking service to prevent people from checking their bank accounts until the money was finally transferred to the attackers.

The new system worked perfectly. In November 2012, Business Club stole nearly $ 7 million from an American company. The FBI could no longer capture recruiters and interrupt the process of receiving money. All "mules" worked in the cities of Far Eastern China near Vladivostok.

But success with hacking bank accounts using the new virus was only the beginning of a new Slavik strategy. In October 2013, the group spread the CryptoLocker virus on the Internet.

Screenshot from a computer infected with CryptoLocker

On average, hackers demanded from 300 to 500 dollars for unlocking. They accepted money only in bitcoins so that they would not be tracked by special services. Using CryptoLocker, hackers were able to monetize thousands of computers that fell under the influence of the virus, but did not contain useful information. This idea was not new, but it was the клуба Business Club ’cryptographer that developed it internationally.

In 2013, the American cybersecurity company Dell SecureWorks announced that about 250 thousand computers around the world are infected with CryptoLocker every year.
From 2011 to 2013, cybersecurity experts tried three times to undermine the operation of the Business Club servers and the GameOverZeus virus. However, each time the hacker group easily repulsed attacks. The only result of such actions was that Slavik strengthened the defense against new attacks.

This was probably the reason for the failure of the next attack. It was planned by a small team of professional IT specialists fighting viruses. One of the experts in the group was a native of Germany Tillmann Werner (Tillmann Werner) - an employee of the company CrowdStrike.

In February 2012, an IT professional completely interrupted the Kelihos virus, which grew up on spam mails with Viagra. For Werner, this was a big victory, but he knew Kelihos and did not stand close with GameOver Zeus. The specialist saw how easily Slavik repulsed attacks on its servers, and took this experience into account.

For almost a year, Werner and a team of European experts worked on a plan to "storm" the GameOver Zeus servers. The idea was to centralize all the virus traffic coming from infected computers, and then direct it to a server controlled by the Werner group. Thus, they hoped to track down the source of infection - the Slavik computer.

In January 2013, IT experts attacked the servers and quickly collected a bunch of 99% of the traffic of virus-infected computers. However, the remaining percentage was controlled by the hacker's command center, and all infected computers were connected to this server. Two weeks later, Slavik again controlled the infected computers. The plan, which European experts prepared for nine months, failed.

Final clash
Over the past ten years, the FBI's Pittsburgh department has acquired the status of the most powerful state apparatus to combat cybercrime. The main role in this was played by agent Keith Mularsky. He joined the FBI in 1998, and for the next seven years investigated cases of espionage and terrorism. Mularsky did not understand computers, but in 2005 he moved to the young cyber defense department in Pittsburgh

Keith Mularsky in the FBI department. Photo AP

For the next two years, Mularski worked undercover, rubbing his trust in the leadership of the cybercrime group DarkMarket. The hacker organization became famous for the theft and sale of personal data and credit card numbers, and for many years remained elusive to the FBI.

Thanks to Mularski, who became the administrator of DarkMarket, in 2008, security services arrested 60 people due to relations with the group. After that, the illegal site was closed, and the department for the fight against Internet crime received large state funding. Therefore, when the operation of the European IT specialists to combat Slavik failed, they asked Mularski for help.

Typically, the FBI refuses to cooperate with other organizations, but the agency needed help. Therefore, the lead investigator Slavik Mularski invited a team of European IT specialists who once stormed the Zeus servers. They knew the principles of the system and, as Mularski decided, would be able to help.

The joint cybersecurity team put together a thoughtful plan to defeat Slavik and its virus. To begin with, FBI employees had to find out the real name of the hacker in order to file a lawsuit against him. Then European programmers would again attack the infected computers and try to centralize their traffic. If this succeeded, investigators received warrants for the seizure of servers. After that, specialists planned to release an update that would “cure” infected computers.

FBI staff and programmers realized that if they made at least one mistake, it would jeopardize the entire operation.
In early 2014, a month after the launch of the investigation, the team went on the trail of Slavik. She tracked the email address to which the hacker account was registered on the site of the "Business Club". A careful study revealed that the traces of email are always associated with the same name on Russian social networks - Evgeny Bogachev.

Investigators realized that the 30-year-old resident of Russia from Anapa is the hacker who for years dryly beat international intelligence agencies and the best cyber specialists. In the photographs, Bogachev was with his wife and daughter, and later programmers found out that the first version of Zeus Bogachev wrote back in 22 years.

However, not defining the real name Slavik was a revelation. Through his mail, security services tracked regular traffic to infected computers. With their help, Bogachev searched for secret data from the Georgian, Turkish and Ukrainian special services, and also collected information on Russia's participation in the Syrian war.

After the disclosure of this information, experts decided that the programmer is spying on the Russian government. This theory became even more real when in March 2014 Crimea became part of the Russian Federation. After that, the frequency of requests for Ukrainian secret data from infected computers increased.

For the next two years, Mularski worked undercover, rubbing his trust in the leadership of the cybercrime group DarkMarket. The hacker organization became famous for the theft and sale of personal data and credit card numbers, and for many years remained elusive to the FBI.

Thanks to Mularski, who became the administrator of DarkMarket, in 2008, security services arrested 60 people due to relations with the group. After that, the illegal site was closed, and the department for the fight against Internet crime received large state funding. Therefore, when the operation of the European IT specialists to combat Slavik failed, they asked Mularski for help.

Typically, the FBI refuses to cooperate with other organizations, but the agency needed help. Therefore, the lead investigator Slavik Mularski invited a team of European IT specialists who once stormed the Zeus servers. They knew the principles of the system and, as Mularski decided, would be able to help.

The joint cybersecurity team put together a thoughtful plan to defeat Slavik and its virus. To begin with, FBI employees had to find out the real name of the hacker in order to file a lawsuit against him. Then European programmers would again attack the infected computers and try to centralize their traffic. If this succeeded, investigators received warrants for the seizure of servers. After that, specialists planned to release an update that would “cure” infected computers.

FBI staff and programmers realized that if they made at least one mistake, it would jeopardize the entire operation.
In early 2014, a month after the launch of the investigation, the team went on the trail of Slavik. She tracked the email address to which the hacker account was registered on the site of the "Business Club". A careful study revealed that the traces of email are always associated with the same name on Russian social networks - Evgeny Bogachev.

Investigators realized that the 30-year-old resident of Russia from Anapa is the hacker who for years dryly beat international intelligence agencies and the best cyber specialists. In the photographs, Bogachev was with his wife and daughter, and later programmers found out that the first version of Zeus Bogachev wrote back in 22 years.

However, not defining the real name Slavik was a revelation. Through his mail, security services tracked regular traffic to infected computers. With their help, Bogachev searched for secret data from the Georgian, Turkish and Ukrainian special services, and also collected information on Russia's participation in the Syrian war.

After the disclosure of this information, experts decided that the programmer is spying on the Russian government. This theory became even more real when in March 2014 Crimea became part of the Russian Federation. After that, the frequency of requests for Ukrainian secret data from infected computers increased.

 

[Люков]

the farther into the forest, the more the master’s business is afraid