Fatal System Error (20 page)

Authors: Joseph Menn

Tags: #Business & Economics, #General, #Computers, #Security, #Viruses & Malware, #Online Safety & Privacy, #Law, #Computer & Internet, #Social Science, #Criminology

In the late 1990s, as the country’s power structure collapsed, that no longer held true, and Igor joined the MVD as a detective, working his way up just as Andy did in the English police system. Among other things, such advancement required knowing the safest places to steer an investigation. Igor’s largest case involved a nonexistent insulin factory that had been sold to the Russian government for $20 million. He arrested six men—though, of course, none were the corrupt officials who had approved the purchase sight unseen. Four of the six were acquitted, while the other two were granted bail—an unusual event in Russia, except when money changes hands—and then fled. With gangsters rolling in money that they flaunted in hotels and nightclubs, Andy no longer wondered why so many police officials were corrupt.
Igor himself, for all his rank, earned only about $500 a month to live in what was then the world’s third most expensive city. Igor began inviting Andy for Saturday dinners at his modest Moscow flat. In the beginning, each man did his best to impress at the weekly get-togethers. Andy brought vodka, chocolate, and flowers, while Igor’s wife cooked all day. As soon as Andy had cleared an inch of food off his plate, it was refilled. There was also the customary ritual toasting, with the first round honoring the meeting, the second or third honoring the guest, and so forth. By June 2004, as Andy’s Russian vocabulary had improved, he was using more words than he was absolutely sure of. At one dinner, when Sonia proposed the usual toast to their guest, Igor stunned them both by saying that Andy would never again be a guest in their house. Andy was sure he’d said something unforgivably offensive, and racked his brain for a blanket apology to salvage the deepest law-enforcement collaboration between their countries in a decade. As he began to splutter, Igor explained that Andy was no longer welcome as a guest because he was now part of the family. There were many dinners to come, but they were more what one might expect after stumbling into a buddy’s dorm room. Igor would remain on the couch in a T-shirt and shorts, calling out what he wanted Andy to bring from the refrigerator.
Andy was beginning to feel better about Russia. Once he got past the habitual lying and the formality, these were some of the most warm and loyal people he had ever met. They would do anything for someone they trusted. (It didn’t hurt that the women were lovely to look at, since Andy fancied himself a bit of a charmer.)
Being a high-ranking police officer in Russia had attractions that were nothing like being on the job in England, where Andy’s superiors occasionally turned on the microphone in his police car to make sure nothing inappropriate was said. In Moscow Igor would go out for the evening and drive sloppily, making illegal turns. When the police pulled him over, all Igor had to do was flash his badge and tell the cop to piss off. No one could arrest him but a higher-ranking MVD officer, a judge, or the FSB. Still, the authoritarian structure had obvious downsides. There were many people Igor couldn’t go after if he valued his position. When he asked whom Andy could arrest in England, Igor was shocked at the answer: any national officer could arrest anyone short of the Queen, since they were sworn to uphold the Queen’s law.
As the men bonded, their investigation finally picked up speed. Within weeks of getting the case, Igor put an undercover man in Balakovo, watching Ivan Maksakov and monitoring his Internet use. That showed Maksakov in frequent contact over ICQ with an IP address in St. Petersburg that the Russians traced to one Denis Stepanov. And the Russians had identified three people who withdrew the money sent from Latvia to the Stran bank account in Pyatigorsk.
Andy and Igor began to rely on each other as deeply as longtime partners in Britain, at times in less conventional ways. One public holiday, after a riverside picnic that included several courses of vodka, the larger, stockier Russian colonel playfully tapped Andy’s face with an open hand. Andy, the former competitive boxer, slapped back. Drunken momentum carried the contest into a gloveless fight that ended when Andy punched Igor hard in the eye. His pride wounded, the colonel immediately challenged Andy to a swimming race across the river, which Andy won as well.
The next day, sporting an enormous black eye, Igor went with Andy to visit a bank that had information on some money transfers. When a bank executive refused to hand it over without mounds of paperwork, Igor sat in silence and glared at him with his one good eye. Then he pointed to the other one and warned the executive truthfully: “If you don’t help, the man who gave me this will interview you next.”
When they had the evidence they needed in July 2004, the team organized what Andy called “a day of action,” planning to arrest five prime suspects in one swoop before they had time to warn each other.
8
THE DAY OF ACTION
ANDY CROCKER AND IGOR YAKOVLEV planned to make arrests in three cities on July 20, 2004. They scrambled fifteen officers and set their top target as Ivan Maksakov. The hacker lived in Balakovo, a small city on the Volga River. Target No. 2 was Denis Stepanov, to the northwest in St. Petersburg, whom they had seen in online contact with Maksakov. And third, they wanted to raid a house in Pyatigorsk, farther south than Balakovo and just seventy miles from the border with Georgia. The house belonged to a couple, Timur Arutchev and Maria Zarubina. Those two, and Timur’s brother Yan Arutchev, were believed to have shared the online identity Stran, which received the extortion payoffs. Following the money-laundering arrests in Latvia, Andy and the investigators in that country and Russia had established that Stran was chatting online with the mules in Latvia while Timur Arutchev was also online on a forum devoted to Webmoney, the currency the mules were sending him. And the bank in Pyatigorsk had told the MVD investigators that all three had withdrawn Webmoney funds sent to an account there.
Since Andy could make it to only one of those far-flung places, he chose Maksakov’s house in Balakovo. Andy flew with Igor and several national officers a few days beforehand to the regional capital, Saratov, and headed for the fanciest hotel in town, the Olympia. Andy was the only one with the budget to spring for a luxury room. What he got included a double bed with a single sheet and a bedspread covered with rockets. The stifling midsummer air was so hot that Andy asked about the air conditioning. The little old babushka who had unlocked the door laughed and opened the window. Andy tried washing his hands and then asked what time the hot water came on. The babushka laughed again and told him October 1.
Balakovo was worse. “A one-horse town,” he complained to a colleague. “The horse is dead, and it may have been eaten.” The detectives badly wanted Maksakov to be at his computer when they arrived to arrest him. If he were using any of his online aliases, that would be even better. He would then have a tough time complaining that someone else had been using his computer when the attacks had been launched and the conspiracy discussed. So Igor had an operative call the house where Maksakov lived with his parents and pretend to be an employee of Maksakov’s Internet service provider. “There’s a problem with your connection,” the man told Maksakov. “Please go online to try it out, and don’t turn the computer off. We’ll send out a technician.”
When the “technician” knocked at the door and Maksakov opened it in a shirt and shorts, the officers barged in. Two forced Maksakov back to his bedroom while the others raced through the house until they found the computer, where he was still logged in. “I’m from the National Hi-Tech Crime Unit in Britain,” Andy said through a translator. “We’ve been following what you’ve been up to for a long time.” Igor joined the double-team: “We know you’ve been running bots off your server,” he said in Russian. “Did you think you could get away with it?”
Maksakov’s thin shoulders slumped as he sat down on his bed, shaggy hair flopping over his pale face. Only twenty-one, he was no hard case. “No,” Maksakov said quietly. “I knew one day this was coming.” For three hours, the detectives let Maksakov tell them what he’d done. He showed real remorse, even writing down his passwords and the online handles he used, including eXe and x3mlst.
Igor tried to comfort Maksakov’s parents before officers brought him to the local jail. That night, and for two days afterward, they brought him to the police station for questions, getting more and more detail from the man who until now had been their enemy. As Maksakov sketched out the operation, Andy realized he was taking part in the best interrogation to date of a Russian hacker.
Maksakov said he had been online only since 2000, when he bought his first computer. While he was just a semester shy of graduating from Balakovskova Institute of Technology and Management, like Barrett he had taught himself almost everything he knew about computers. In 2003 he started his own Internet Relay Chat channel, IRC.chatnet.org. To keep the channel active—and immune from takeover attempts—he wrote basic bot code. But he had no server to host the bot, so he read up on common vulnerabilities in Web servers. Then he broke into one and parked his bot command center there. Not long after Maksakov started up the bot, he heard from another man online who called himself Milsan and lived in Kazakhstan. Milsan introduced him to a third man, Zet, who lived in Astrakhan, a Russian city of 500,000 on the Volga an hour from its mouth on the Caspian Sea. Milsan and Zet were developing what Maksakov called a “self-breeding bot,” one that would spread by itself among computers, enslaving them as it went. They invited him to join the effort. Asked who had been in charge of fbi.pp.ru, the server Andy had seized in Houston, Maksakov said it was yet another man, named Bra1n. Maksakov said he didn’t know Bra1n’s real name or where he lived, but that he was “into” DDoS attacks and extortion. After the Houston machine disappeared, Maksakov had to rent his own server, balakovo.cc.ru, and he also hosted an IRC channel called xakep.balakovo.pp.ru (xakep is Russian for hacker). That was the channel Maksakov used to infect new machines and attack websites. Maksakov said Milsan and Zet advertised “DDoS for hire” on websites central to the underground economy, including CarderPlanet. Maksakov said he was at least one and probably two people removed from those who did the hiring. Milsan and Zet handled inquiries drawn by the advertisement and then assigned Maksakov to conduct the attacks. He said that he thought Milsan had been hired by a Russian middleman for the DDoS attacks, and he remembered Milsan telling him that the original request came from American sportsbooks that were trying to take out the competition. He couldn’t recall all the sites he had attacked, but he remembered that BetCRIS was one of them.
After a couple of months of attacking betting sites for hire, Milsan and Zet decided to start freelancing, Maksakov said. Without waiting for a job, they took it upon themselves to choose sportsbooks to attack, sending emails demanding $5,000 or $10,000 for “protection.” Maksakov got paid $1,000 for each of two attacks and spent $500 of it on a new server. Milsan and Zet raised the price of protection to $15,000 or $20,000 and Maksakov got $2,000 for one attack, the only time a company in that round paid up.
Following three days of interviews, the MVD took Maksakov to a Moscow prison to await trial. But Igor decided Maksakov would be more useful if he weren’t stuck behind bars. Igor suppressed news of the hacker’s continuing time in custody and got him a day job at an Internet café. Andy promised he would ask the judge to spare Maksakov from a term in the harsh Russian penal system if he continued to help. Maksakov gave them still more information about the way the criminal rings worked, and he agreed to chat with his former associates as if nothing had happened.
The extortion system was more impressive than Andy and Barrett had realized. When Maksakov’s ring struck out on its own, the hackers started by researching prospective targets. That included some online chats with members of the target’s staff. They would pick an attack date just ahead of a major sporting event. Then they would investigate the technical infrastructure of the company. If it had its own domain name server, that would have to be attacked first, to stop the company from switching the numeric address behind the website. They also looked for parts of the website where bots could chew up the most resources, such as internal search pages, pages requiring authorization to use, and pages offering downloads.
To cover themselves during the reconnaissance effort, the ring’s leaders would investigate potential targets with several hundred bots, confusing any search for the location of the real person. The spy would connect from his Internet service provider to an encrypted virtual private network (VPN), a kind of secure tunnel most common in large corporations with employees in the field. The VPN would take them to a bot, and only from there would the extortionists connect to the target. The eventual attacks would use “rooms” in IRC channels that had a thousand bots each.
One thing Maksakov said would make sense only years later when Andy ran it by Barrett. The ring had stopped attacking websites where the Internet Protocol address began with 140, because the bandwidth at those firms was so big that they were impossible to overwhelm. Maksakov thought the number 140 carried some special technological importance. In fact, Prolexic had simply been assigned a block of IP addresses that began with that number. Other IP addresses that began with 140 were owned by all manner of companies and individuals, but if a gambling website began that way, the odds were it had moved to Barrett’s haven, where the attackers stood little chance.
To collect the extorted money, the rings went into the forums of CarderPlanet or a similar site aimed at English speakers, Shadowcrew, and advertised for an “executive” to coordinate “drops.” These typically followed the pattern that Andy had seen with the Canbet payments to Latvia. In exchange for a cut of the proceeds, the executive would supply a list of locations and names to receive payments via Western Union. Those mules would then convert the cash into Webmoney, where it could be picked up in Russia and exchanged for rubles, usually by the hackers themselves, who could sign in at a franchise with little more than a first name.