
The historical evidence presented in this chapter points to a three-tiered model (Figure 7-10) in which the Kremlin exercises command and control through Nashi and other groups whose membership includes hackers, resulting in an organized yet open call for unaffiliated hackers to join in. Russian organized crime provides a protected platform from which these attacks can then be planned and launched. And all of this occurs while giving the state a cover of plausible deniability. From a strategic point of view, it is quite an impressive accomplishment.

Figure 7-10. Three-tier model of command and control for RF nonstate hackers

The infrastructure, which not only makes those attacks possible but provides the environment in which Russian hackers thrive, is developed and owned by Russian organized crime interests such as Rove Digital, McColo, Atrivo/Intercage, ESTDomains, and others. We'll further explore the longstanding relationship between the Kremlin and Russian organized crime in Chapter 8.

Chapter 8. Organized Crime in Cyberspace

Card: I need guarantees.

Card: what if you change the pass and don't give any info? I've been on the *** several years now. It's a resource for carders.

7: I know, I am on there, too.

7: if you take my info into account and work a little, you can get a lot more money.

Card: I see.

7: I just think it's a pretty dangerous thing-there are some big guys behind this money-they don't ask who you are and why you are doing this. They'll just break both your arms.

-English translation of ICQ discussion between two hackers negotiating a fee for stolen card data.

Whether you think the Russian mafia or the Chinese Triads are involved in cyber attacks really depends on how closely you align cyber crime with other forms of cyber conflict. As I stated earlier, I believe that no such distinction should exist. Cyber crime is perpetrated by attacking a network, just as cyber espionage or computer network exploitation (CNE) is. The malware used to gain access to backend databases is the same. In many cases, the same hackers are involved both in cyber crime and in geopolitical attacks on foreign government websites, as is the case with one of the two hackers quoted above.

The hacker identified as "7" was also a member of the StopGeorgia.ru forum, albeit under a different alias, and directly participated in attacks on Georgian government websites. 7 is also the one who implied the involvement of the Russian mafia in underground cyber transactions such as the one from which that quote came (i.e., "...there are some big guys behind this money-they don't ask who you are and why you are doing this. They'll just break both your arms.").

Assassination in the Russian Federation is a very real threat, and US intelligence agencies believe that elements of Russian organized crime have infiltrated the police force. That is why, the argument goes, so many assassinations remain unsolved.

US law enforcement and intelligence agencies have been investigating Russian organized crime since the 1990s. According to one of my contacts at one of the three-letter agencies, they were making some excellent progress in establishing links between members of organized crime and Russia's political leadership.

After 9/11, that research was halted, as everyone was transferred to counter-terrorism, which pretty much dominated things until 2007.

2007 was the year that the Russian Business Network (RBN) rose to prominence as a high-profit, low-risk criminal enterprise selling ”bulletproof” services to anyone willing to pay its fee. Its business model of earning high profits with almost zero risk of being caught made the RBN the darling of the Russian underworld.

Then, in November 2007, the RBN seemed to vanish (Figure 8-1).

Figure 8-1. 06 NOV 07 drop in traffic at AS40989

One thing that organized crime has always shied away from is the spotlight of media attention, and the RBN was getting a lot of it. One of the reporters responsible for penning story after story on its antics was Brian Krebs of the Washington Post. On October 13, 2007, three separate articles on the RBN appeared under Krebs's byline.

Krebs's first article appeared in the main section of the Post, where he described the role of the RBN as a criminal services provider, referring to what at the time were recently published reports from the Internet security firms Verisign, Symantec, and SecureWorks.

In a follow-up article on the Post's Security Fix blog, Krebs went into much more detail, naming the upstream providers that the RBN relied on for its Internet connectivity: Tiscali.uk, SBT Telecom, Aki Mon Telecom, and Nevacon LTD (Figure 8-2).

Figure 8-2. Map of companies providing network services to the RBN

He also traced its history back to 2004, when it was known as "Too Coin Software" and "Value Dot," and then walked his readers forward to its present iteration:

Nearly every major advancement in computer viruses or worms over the past two years has emanated from or sent stolen consumer data back to servers at RBN, including such notable pieces of malware as Gozi (/research/threats/gozi/?threat=gozi), Grab, Haxdoor (/v-descs/haxdoor.shtml), Metaphisher (research.sunbelt-software.com/threatdisplay.aspx?name=PWS-Banker&threatid=41413), Mpack (blog.washingtonpost.com/securityfix/2007/06/the_mother_of_all_exploits_1.html), Ordergun (/enterprise/security_response/weblog/2006/11/handling_todays_tough_security.html), Pinch (pandalabs.pandasecurity.com/archive/PINCH_2C00_-THE-TROJAN-CREATOR.aspx), Rustock, Snatch, Torpig (/virusinfo/analyses/trojtorpiga.html), and URsnif (/us/securityadvisor/virusinfo/virus.aspx?id=58752). The price for these malware products often includes software support, and usually some virus writers guarantee that the custom version created for the buyer will evade detection by anti-virus products for some period of time.

David Bizeul is a French security researcher who has written one of the best reports on the RBN to date (see Figure 8-3). He summed up its business focus quite succinctly:

The RBN offers a complete infrastructure to achieve malicious activities. It is a cyber crime service provider. Whatever the activity is-phishing, malware hosting, gambling, pornography...the RBN will offer the convenient solution to fulfill it.

Figure 8-3. The RBN-a crime service provider

In any attempt to understand the influence of Russian organized crime in the cyber threat domain, a key distinction must be made between organized crime in Russia and elsewhere.

In the United States, the FBI and other agencies focus on how criminals may be infiltrating or, at the very least, influencing government offices. In Russia, the government infiltrates organized crime and establishes a reciprocal business relationship. The government provides protection in exchange for favors. Favors may range from making money to using a gang to implement state interests.

Richard Palmer made a similar case in his testimony before the House Banking Committee (September 21, 1999), in which he explained how Russia is governed by the rule of "understandings" rather than the rule of law. According to Palmer, who spent 11 years with the CIA's Directorate of Operations, businesses operating inside the Russian Federation quickly learn that when it comes to collecting on bad debts or enforcing contracts, it's faster and cheaper to engage Russian criminals than to wait for the Russian court system to take care of it. Unfortunately, the flip side of that equation is also true: it's sometimes cheaper to have the person you owe money to killed than to repay the debt.

In the case of the RBN, once media attention became frequent enough, the FBI sent several officials to Moscow to meet with its counterparts in the Federal Security Service (FSB). The purpose of the meeting was to share information about the criminal activities of certain individuals associated with the RBN and how the Kremlin might want to remove such a presence from the Russian Internet. The Russian security officers excused themselves, and when they returned approximately a half hour later, they informed the FBI officials that they must be mistaken, that no such domains existed on RuNet.

Back at the US embassy in Moscow, the FBI discovered that the more public domains formerly associated with the RBN had been migrated to new IP addresses.

That's why it appeared that the RBN suddenly dropped from view. In reality it never went away; it just slipped back under the radar, away from any further media spotlight.

A Subtle Threat

Tell Krebs nice job on Atrivo, but if he's thinking of doing McColo next, he's pushing his luck.

Investigating the Russian mob is one thing, but when an investigation may hurt profits, that's another, much more dangerous matter entirely. Shortly after his September 2008 coverage of Atrivo, Krebs received the aforementioned anonymous threat.

Atrivo is an interesting case study for this book because it illustrates one of the problems yet to be addressed in cyber conflicts: what happens when a country is being attacked by malware that sits on a server within its own borders?

Atrivo/Intercage

Atrivo, also known as Intercage, was a Concord, CA-based company that specialized in providing networks for spammers and other bad actors, many of whom were associated with the Russian Business Network.

The RBN relied heavily on two networks hosted by Atrivo: UkrTeleGroup, which routed traffic through Ukraine, and HostFresh, which routed traffic through Hong Kong and China.

A report by iDefense named Atrivo as having the highest concentration of malicious activity of any hosting company in the world.

Thanks to the concentrated efforts of independent researchers such as Jart Armin and James McQuaid, as well as Brian Krebs's reporting of their work, Atrivo was dropped by its upstream providers and was effectively put out of business on September 22, 2008.
