From (& To) Russia, With Love-ONLINE HACKERS

http://voices.washingtonpost.com/securityfix/2009/03/from_to_russia_with_love.html?wpisrc=newsletter&wpisrc=newsletter

If you ask security experts why more cyber criminals aren't brought to justice, the answer you will probably hear is that U.S. authorities simply aren't getting the cooperation they need from law enforcement officials in Russia and other Eastern European nations, where some of the world's most active cyber criminal gangs are thought to operate with impunity.

But I wonder whether authorities in those countries would be any more willing to pursue cyber crooks in their own countries if they were forced to confront just how deeply those groups have penetrated key government and private computer networks in those regions?




As Security Fix documented in When Cyber Criminals Eat Their Own, a common misconception about hacker groups in Russia and the former Soviet nations is that they avoid targeting their own people. On the contrary, aggregate statistics from recent attacks and outbreaks strongly suggest that perception no longer matches reality.

One gradual but notable shift on this front has been the increasing willingness of Russian and Eastern European cyber gangs to target companies in their home countries in virtual shakedowns known as distributed-denial-of-service (DDoS) attacks, according to exclusive data provided by cyber security research firm Team Cymru (pronounced kum-ree).

In DDoS assaults, cyber gangsters demand tens of thousands of dollars in protection money from businesses. If the businesses refuse to pay, the criminals order hundreds or thousands of compromised computers that they control to flood the Web sites with meaningless traffic, crippling the businesses and preventing legitimate visitors from transacting with the sites.

This video animation, provided by Team Cymru, depicts the targets of DDoS attacks between Jan. 1 and Mar. 1, 2009.


While it's difficult to tell from the video, over the 60-day period depicted here, Team Cymru counted some 45 distinct DDoS incidents in which Russian Internet addresses were the target of the attack (an enlargeable version of this movie can be seen here).

Team Cymru's Steve Santorelli said firms in China and Russia are no more insulated from DDoS attacks than their Western counterparts.

"It's clear from our monitoring that Chinese and Russian victims are much more common now than they were a few years ago," Santorelli said. "There are several possible reasons for that but it's a definite trend that many other in the security community have also noticed."

There also is evidence that cyber crooks have deeply compromised some key Russian and Eastern European government agencies and corporations, as well as top officials at those entities.

Some of the more granular data to support that comes from TrustedSource, which is McAfee's global intelligence system that assigns reputation to networks based on activity it sees coming from them. The following data sets show that TrustedSource recently has observed virus e-mail and spam originating from a variety of government agencies and banking institutions in Russia.

According to McAfee, compromised Russian banks include:

Rusfinance Bank
OGO Bank
Tusarbank
Link Capital Investment Bank
The Maritime Bank
Vladivostok Alfa Bank
Bank Eurotreid
Bank Voronezh
Bashcreditbank
Enisey's United Bank
Inter-Svayz Bank

McAfee's data suggests that computer systems in the following Russian government offices also are controlled by cyber gangs:

Ministry of Taxation, Nazran region
Russian State Internet Network
Regional Finance & Economy Institute
Joint Institute for Nuclear Research
Medical Center of Russian Federation President's Department
Pension Fund of the Russian Federation
Personal Network for the Russian Federation Justice
JSC Chechen Cellular Communication


Dmitri Alperovitch, McAfee's vice president of threat research, said online criminals are largely indiscriminate about their targets and will attack any organization of financial or other interest to them.


"This data disputes the prevalent myth that's been popular in the cyber security community that online criminals, of which a significant number are believed to reside in Eastern Europe, prefer to focus on targets in Western countries and tend to shy away from attacking people or companies in their local jurisdiction," Alperovitch said. "Clearly, the Internet knows no geographical boundaries and it is now apparent that cyber criminals will attack any target of opportunity presented to them."

As Security Fix showed in January, some of the largest collections of victims with data-stealing malicious software installed on their PCs are in Russia. This too, may be a factor of the indiscriminate malware economy: Many of the most common data-stealing keylogger programs - such as Zeus and Limbo - are sold as plug-and-play kits that will just as happily infect an American PC as they will Russian computers.

Just a few minutes of digging through more than 30 gigabytes of keylogged data intercepted by security researchers yielded some interesting results, and more than a few important victims in Russia and Eastern Europe had their corporate Microsoft Outlook e-mail credentials stolen, along with other user names and passwords. Among them was Vladimir Novikov, head of the corporate management department for Gazprom Neft, one of the largest oil-producing companies in Russia. Mr. Novikov did not return e-mails seeking comment.

By Brian Krebs | March 3, 2009; 2:40 PM ET Cyber Justice , Fraud , From the Bunker , Misc.
Previous: "Koobface" Worm Resurfaces on Facebook, MySpace | Next: Fanning the Flames of the Browser Security Wars

CommentsPlease email us to report offensive comments.



Brian, In the animation there is one spot in North America near the great lakes that appears as being attacked about 90% of the time. I watched a few times, and that one spot appears to be attacked considerably more than any other spot shown. Any ideas where this place is and why it would be such a consistent target?

Posted by: lostinthemiddle | March 3, 2009 6:51 PM

@lostinthemiddle -- I have no idea. But I will ask. Looks sort of like the target may be in Canada.

Posted by: BTKrebs | March 3, 2009 7:35 PM

I continue to be impressed with the depth and originality of your reporting, Brian. I hope The Post appreciates your work.

Posted by: Dawny_Chambers | March 4, 2009 6:56 AM

I second that and raise you a 'I truly value the ability to ask you a question in the comments knowing you will read and respond if appropriate'. It makes a big difference.

Posted by: lostinthemiddle | March 4, 2009 9:25 AM

This development is actually most welcome. As an unintended consequence, perhaps the governments being attacked will finally take notice and do something. Of course, the dismaying news is that some government agencies are themselves complicit, whether by design or otherwise.
Too bad we can't invent an electronic analogy to counter-artillery weaponry that instantly targets the source of incoming shells, computes a solution, and fires back destroying the source.

Posted by: peterpallesen | March 4, 2009 11:21 AM

@lostinthemiddle -- so I asked the Team Cymru guys about the target you mentioned. their response:

Yep, that's an attack taking place on an IP located in Ontario -
Toronto, in Canada. It was initiated by an HTTP based botnet in China
and the attack command stayed there for a long time, hence the impact on
the video.

Posted by: BTKrebs | March 4, 2009 2:17 PM

Excellent piece.

Not even the lesser cyber transgressions such as the pfishing expeditions launched from who knows where get resolved by the FBI. Having tried to get the Baltimore office of the FBI to go after those sending pfishing messages my total net response or even a email back from them is exactly 0. Corporations who have had their corporate names and identities purloined by the pfishers also seem unwilling to aggressively go after the pfishers.

Citizens need protection that only governments can provide. If we cannot get resolution of pfishing expeditions how can we expect the government to successfully resolve the greater cyber invasions described in Kreb's good work?

Posted by: absiebert2 | March 4, 2009 3:54 PM

absiebert2 has a point:
A couple of years ago, I received 2 phishing Emails that appeared to be from a well-known very large bank. I had once had an account there, so I did not automatically delete them. The Emails were artfully crafted with graphics copied from the bank's website. But one or 2 sentences were tell-tale that the writer did not usually speak English, so I examined the "click here" to see where it was really going - overseas!

I printed them out each time and took them to the bank branch. No one there had any idea what to do, as if they had never seen such a thing. Worse, they did not perceive it as damaging to their image.

I suggested to the branch manager that he probably would not be able to interest law enforcement in this, but it would be wise to send it up the line to his bosses, to get a warning printed on the next month's statements that the bank would never ask for info by Email. The larger the bank, the more likely phishers would broadcast in their name, hoping to snare a customer.
Not being a customer, I never found out if he took my suggestion seriously.

Eirík Þorvaldsson


Posted by: EirikThorvaldsson | March 5, 2009 1:03 AM

@BTKrebs
Thank you for the follow up.


Posted by: lostinthemiddle | March 5, 2009 1:15 PM

Post a Comment
We encourage users to analyze, comment on and even challenge washingtonpost.com's articles, blogs, reviews and multimedia features.

User reviews and comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions.



You must be signed in to washingtonpost.com to comment. Please sign in.
Comments: