[Infowarrior] - The Evil (Cyber) Empire

Richard Forno rforno at infowarrior.org
Thu Dec 31 17:40:23 UTC 2009


The Evil (Cyber) Empire
Inside the world of Russian hackers.
By Yulia Taratuta, Igor Ivanov, Svetlana Zaitseva, and Mikhail Zygar |  
Russky Newsweek

http://www.newsweek.com/id/228674/output/print
Did Russian hackers manage to steal tens of millions of dollars from  
Citigroup? While The Wall Street Journal reports  that the FBI is  
investigating the alleged loss, the financial organization denies  
losing money in such a security breach. It may take awhile to uncover  
the truth, but reports of the attack have cast yet another spotlight  
into the shadowy world of cybercrime. This report, adapted from a  
cover package by NEWSWEEK's Russian-language partner, Russky Newsweek,  
takes a closer look at those behind this global threat.

The assaults may seem to be political. In 2007, a cyberattack on  
Estonia, home of the popular Internet phone company Skype, paralyzed  
the country's entire government. Then, when the Russia-Georgia  
conflict flared in 2008, software suddenly became available to anyone  
wanting to wage their own personal cyberwar on the Georgian capital of  
Tbilisi. And later that year, Lithuania too became a cyber-victim when  
it vetoed negotiations between Russia and the European Union. Indeed,  
NATO takes the threat of cyber-warfare so seriously that it signed off  
on a special report on the topic during its parliamentary assembly  
last October. "Although there is no conclusive evidence that the  
cyberattacks in Georgia were executed or sanctioned by the Russian  
government," the NATO report notes, "there is no evidence that it  
tried to stop them, either."


Russian lawmaker Nikolai Kovalyov angrily dismisses these allegations  
as propaganda from the Cold-War era. "The report does not contain a  
single piece of evidence of the mythical Russian cyberthreat or a  
Russian trail from the cross-border cyberattacks," he says. Still,  
NATO has little doubt that—official or no—the attacks have a common  
Russian thread: the Russian Business Network (RBN), a shadowy  
cyberstructure that is reported to have sold hacking tools and  
software for accessing U.S. government systems. According to the NATO  
investigators, however, political subversion is little more than a  
sideline for these hackers. Their real goal: stealing money through  
scams, spam, and infiltrating the networks of Western banks.

Reportedly started by someone operating under the name "Flyman," RBN  
is known as the mother of cybercrime among online investigators.  
François Paget, senior expert for the McAfee company, says that RBN  
began as an Internet provider and offered "impenetrable" hosting for  
$600 a month. This meant a guarantee that it would not give out  
information about its clients, no matter what business they were in.  
Aleksandr Gostev, director of Kaspersky Labs, a global research and  
threat analysis center, believes that RBN's servers are located in  
Panama. "Confidential data about clients can be obtained only by a  
court decision," a Newsweek source familiar with the situation says.  
"But what court do you apply to if criminal ties are discovered? A  
Panamanian court?"

Paget says that RBN was once known as the most active criminal group  
in the virtual world. Crime researchers are uncertain as to whether  
RBN itself was a real organization or whether it just offered a  
virtual home to cybergangs. According to one study, the network  
comprised 406 addresses and 2090 domain names by the end of 2007. That  
same year, the group—hounded both by Russian and American law-enforcement  
agencies—seemed to disappear. That, however, may have been  
an illusion. RBN may have vanished, but the host organization gave  
birth to multiple evil offspring operated by Russian expats and  
deployed on servers in China, Turkey, Ukraine, and the United States.  
"The world got about 10 RBNs," says Gostev.

The original RBN was behind the cyberattack on Estonia, Paget says,  
and, according to a study by the U.S. Cyber Consequences Unit (US-CCU),  
one of its successors was behind the virtual assault on Georgia.  
RBN's real money, though, is believed to come from sources that  
include spam, child porn, online casinos, and phishing scams to steal  
bank passwords and card numbers. One of RBN's most prosperous  
businesses is Internet pharmacies, with the international organization  
Spamhaus naming Canadian Pharmacy as the main propagator of criminal  
cyberschemes. Sources in the market say that this is a drug-selling  
network comprising several dozen virtual pharmacies making sales,  
mostly to the U.S. The name of the main Web site to which the  
pharmacies relay their orders—glavmed.com—is distinctly Russian; the  
illegally-copied medications are said to be made in India. Those who  
order from these sites are likely to have their e-mail addresses  
harvested and sold to spammers, who then inundate them with offers for  
everything ranging from pharmaceuticals to porn. According to Dmitry  
Golubov, who describes himself as the leader of the Internet Party of  
Ukraine, a group of 20 to 25 people account for 70 percent of the  
world's spam. "A database of active e-mails costs money," says  
Golubov. "For example, a million addresses of purchasers of access to  
porn resources costs $25,000 to $30,000."

Golubov prefers not to discuss his own Internet profits, although he  
too is said to have been part of RBN. The McAfee company calls him the  
No. 1 carder—hackers who steal from bank cards—in the world. In a  
conversation with Russky Newsweek, however, Dmitry Golubov denied  
everything. "On September 29, 2009, the Solomensky District court in  
Kiev dropped the criminal case against me for lack of corpus delicti,"  
he says, adding that he is not aware that he is in trouble with the  
law outside Ukraine.

Like the original RBN, many of its spinoffs are under scrutiny. The  
company Hoster McColo, registered in California, was pushed offline  
following a petition by the U.S. Federal Trade Commission (FTC) citing  
it for spam and what is known as distributed denial of service  
attacks. (The company's founder, racer Nikolai McColo, was killed when  
he crashed into a metal pillar during one of his high-speed nighttime  
drives in Moscow in 2007.) Another RBN affiliate, the Atrivo company,  
had its license revoked and was disconnected from the Internet on a  
charge of disseminating porn and viruses and theft of information.  
EstDomains, an Estonian subsidiary of the "mother of cyberterrorism,"  
suffered a similar disconnect at the FTC's initiative, when the host  
3FN, a Russian-language service created by a native of Latvia, was  
forced out of operation. And last January the company Ukrtelegrup,  
another mainstay of cybercrime, bit the dust. It had been accused of  
creating a program that made it possible to steal users' personal  
information, including financial data.

The hacker community, however, doesn't believe that RBN is dead.  
"RBN's cause is alive even now," one authoritative member insists.  
Certainly, the cause counts for more than the location. After the  
attack on Estonia, Russian lawmaker Kovalyov noted angrily that 60  
percent of the disruptive traffic came from the United States and 30  
percent from China. Only 10 percent came from Russia, he said. That  
Estonia was attacked primarily from American territory hardly means  
that the culprits were on American soil. In effect, hackers can  
operate virtually from anywhere in the world. Via viruses, hackers  
create "botnets" that utilize zombie PCs in foreign lands to send out  
spam, or, say, launch a cyberattack. In other words, unsuspecting  
users become the source of the malicious traffic—and physical distance  
no longer offers any protection against crime or political subversion.

Translated from the Russian by Steven Shabad

Find this article at http://www.newsweek.com/id/228674
