Gang of Cyber Criminals on the Run in Ukraine and Russia
A Ukrainian army paratrooper patrols near the territory of Anti-terrorist opposition base in Donetsk region, where cybercrime gang leader Evgeniy Mikhaylovich Bogachev hid his servers.
Image: Sergii Kharchenko/Pacific Press/LightRocket via Getty Images
If you're going to be a computer hacker, separatist-occupied eastern Ukraine is not a bad place to hide your servers.
The U.S. Department of Justice charged Evgeniy Mikhailovich Bogachev, 30, with conspiracy, computer hacking, wire fraud, bank fraud and money laundering in connection with his alleged leadership of a gang of cyber criminals that operated in Russia and Ukraine.
The group allegedly ran the GameOver Zeus malware, letting them control "the most sophisticated botnet the FBI and our allies have ever attempted to disrupt," FBI Executive Assistant Director Robert Anderson Jr. said in a statement on Monday.
Evgeniy Mikhaylovich Bogachev, leader of the cybercriminal gang that created Gameover Zeus, was last known to reside in Anapa, Russia.
GameOver Zeus is a type of bank credential-stealing malware (think Napster for bank passwords). It uses a decentralized network of infected computers (peers) that, unbeknownst to their owners, make up a global network of zombie machines — some of them elevated to "proxy" status — which are controlled by, and in contact with, hackers operating behind a command-and-control infrastructure.
Calling the schemes "highly sophisticated and immensely lucrative," Assistant Attorney General Leslie R. Caldwell said Bogachev and his co-conspirators managed to stay out of the authorities' reach, forcing them to launch a multinational, interagency effort to find and stop the hacker, seize his servers and disassemble the massive botnet.
It's a process that began in Donetsk, Ukraine on May 7 — days before pro-Russian separatists there held a highly suspect referendum to leave Ukraine in favor of greater autonomy.
Ukrainian authorities, working in coordination with the FBI, seized and copied a number of key GameOver Zeus command servers in Donetsk and Kiev that day, knocking out a crucial part of the botnet's infrastructure and gaining intel, in the midst of Ukraine's explosive regional crisis.
The DOJ on May 19 obtained sealed criminal charges against the alleged hacker, who also goes by the names "Slavik," "lucky12345" and "Pollingsoon" online. On May 28, investigators obtained court orders to stop the infected computers from communicating with his servers, redirecting them instead to a server managed by the investigators, Assistant Attorney General Caldwell said.
Caldwell said the court also authorized the DOJ to collect the information necessary to identify victims' computers, giving investigators the ability to provide information that could help victims rid their computers of the infection — the U.S. recommends users update their anti-virus software, applications and operating systems, change passwords and use anti-malware tools like F-Secure or Sophos's Virus Removal Tool.
What happened next reads like a 1980s spy novel:
Beginning in the early morning hours on Friday and continuing through the weekend, the FBI and foreign law enforcement then began the coordinated seizure of computer servers around the world that had been the backbone of GameOver Zeus and Cryptolocker. These seizures took place in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine and the United Kingdom. Recognizing that seizures alone would not be enough because cyber criminals can quickly establish new servers in other locations, our team began a carefully timed sequence of technical measures to wrest from the criminals the ability to send commands to hundreds of thousands of infected computers, and to direct those computers to contact the server that the court had authorized us to establish. Working from command posts in the United States and at the European Cybercrime Centre in The Hague, Netherlands, the FBI and our foreign counterparts—assisted by numerous private sector partners—worked feverishly around the clock to accomplish this redirection and to defeat various defenses built into the malware, as well as countermeasures attempted in real time over the weekend by the cyber criminals who were trying to retain control over their network.
Security researchers and the FBI estimate that between 500,000 and 1 million computers worldwide are infected with GameOver Zeus. Approximately 25% of those computers are in the United States.
Take a look at one private security researcher's map of infected computers in Pennsylvania on a single day in May 2013 — it gives a sense of the size of the GOZ botnet.
A map shows the IP addresses of GOZ-infected computers on a single day in May 2013 in Pennsylvania.
The botnet's principal purpose, the DOJ says, is to capture banking credentials from infected computers, which are then used for wire transfers to overseas accounts — the FBI estimates the botnet can be blamed for causing more than $100 million in losses.
While more than 300,000 computers have been freed as a result of this week's high-stakes cyber crackdown, Bogachev remains on the run in either Russia or Ukraine, a few steps ahead of the U.S. authorities. He has been added to the FBI's list of most wanted cyber criminals, and a reward for information leading to his arrest will be offered.
"We are asking Russian law enforcement to take action to bring this defendant and those working with him to justice, and will work with our counterparts to do so," Caldwell said on Monday.
But with U.S.-Russian relations at their lowest point since the Cold War, that's not likely to happen anytime soon.