Theoretically, a constantly updated PC would have few holes. But more than 98 percent of computers run at least one piece of code with a serious, well-publicized security hole that has not been fixed with an available patch, according to an analysis of 20,000 machines scanned by security firm Secunia. MPack installed a variety of payloads. Among the worst, delivered again by RBN machines, was a 2006 keylogger called Torpig. It waited for computer users to log onto one of a list of sites including eBay, PayPal, and Bank of America. Then it flashed a realistic error message indicating that the log-on was incorrect and asking for bona fides, including social security numbers and bankcard codes. Anything typed in was whisked off to St. Petersburg—more than half a million bank credentials. “Primarily, the RBN’s objective is to use any and many alternative means to infect your PC and then gain or extort personal information, and if possible hijack and enslave the PC as a zombie,” said Armin.
Using public domain name registration filings and other sources, Bizeul identified several names apparently at the center of RBN activity, including Vladimir Kuznetsov and the unnameable Flyman. Armin added more, including Nikolae Shishkin, listed as a director of the U.K. company that registered many of RBN’s Internet addresses. Some security researchers have theorized that one of RBN’s biggest clients has been Rock Phish, an operation blamed by security firm RSA for half of the world’s phishing attacks. What the researchers don’t know is that law enforcement believes it made the definitive link, showing that an RBN leader controlled Rock Phish directly. In a secret report in 2006, the FBI, Britain’s NHTCU, and others, working with a wide number of banks whose sites had been mimicked, identified a leader of the Rock Phish attacks as one Igor Vladimirovich Kuznetsov. The report noted that in some registration forms Kuznetsov used the pseudonym Vladimir Igor Kuznetsov. While the law enforcement report didn’t mention the Russian Business Network, Vladimir Kuznetsov was named as a central figure at RBN by both Bizeul and Armin, who relied on other sources.
Kuznetsov’s most legitimate work appeared to be running a St. Petersburg retail outlet at www.lefthandshop.ru, which customized products for left-handed people. But he also advertised spamming services. Rock Phish targeted customers of Barclays, Chase, Wells Fargo, and many other financial institutions—an average of eighteen brands every day. Industry researchers assisting law enforcement agencies hacked into the administrative console for the Rock Phish program. It showed twelve administrators permitted access, including one named Russell. By tracking the websites under Russell’s control, the investigators established that he was really Kuznetsov. Whoever received that international police report didn’t do much to dismantle Rock Phish. Two years later, the group allied itself with a cutting-edge botnet known as Asprox, which used a new technology to constantly shift Internet addresses and evade blocking.
AS A WHOLE, ANDY SAW THAT admitted criminals and obvious suspects were committing fraud worth hundreds of millions of dollars, enslaving tens of millions of computers, and enjoying the power to severely damage electronic commerce. It was as if a dozen Al Capones were allowed complete freedom. How did they operate with such impunity?
The answer to that crucial question lies in the economics and politics of the countries where they based themselves. Many countries in Eastern Europe had fairly strong technical education programs, but much less in the way of solid career opportunities in computing fields. Most of the worst extortionists, identity thieves, and other cybercriminals, meanwhile, were naturally inclined to pick victims far from home, because credit cards had yet to deeply penetrate the middle classes where they lived. Combine that with a general resentment of American power, and few of those in government cared much about curbing cybercrime. Such forums as Russia’s Hacker magazine ran ads from the likes of Microsoft and Hewlett-Packard but openly celebrated a criminal techno-culture—depicting attractive women hanging on moneyed new mobsters—and distributed CDs enabling subscribers to hack their own Internet service providers without any technical skills. Added to that was the significant predisposition toward corruption in countries where police officials, even the top brass at the Russian equivalent of the FBI, earned just a few hundred dollars a month. According to one watchdog group, the portion of Russians engaging in corruption rose from 50 percent in 2001 to 55 percent in 2005. Another survey identified police officials as the most corrupt.
All of that would be bad enough. It would show how far the world has to go in confronting a problem that is already dire and poised to get far worse—potentially wiping out faith in electronic transactions and rendering the Internet unfit for more than entertainment and informal, quasi-public communication.
Unfortunately, the full truth is much worse than that. The full truth is that a number of enormously powerful national governments, especially those of Russia and China, have picked the blossoming of the Internet age as the time to ally with organized crime.
What reason would they have to do so? Simply put, the benefits outweigh the costs. As for the price, such alliances are easier in countries without deep democratic traditions—but even the United States, for a prize deemed as important as the elimination of Fidel Castro, has dallied with the mafia. Neither the China nor the Russia of 2009 is accountable to its people. And organized crime is so endemic in Russia that some argue the government itself is an ongoing criminal enterprise. Joe Serio, who probed organized crime for the old Soviet government and then headed the Moscow office of private security firm Kroll Associates, describes organized crime, business, and government as so intertwined as to make unraveling the strands impossible. Just as the powerful English nobility during the long-ago Wars of the Roses picked figurehead contenders for the throne who suited their needs, the richest mobs in Russia championed candidates for federal office. The big difference between the Russian Federation’s first president, Boris Yeltsin, and his successor, Vladimir Putin, is that the outside plutocrats were in charge of Yeltsin, while Putin is in charge of the plutocrats, centralizing corruption.
Preoccupied with terrorism, wars in Iraq, Afghanistan, and Georgia, and Russian oil production, the West has done very little to press Russia for action on cybercrime. As a result, the government faces few consequences for its sordid alliances.
THE BENEFITS TO STATE-SPONSORED CYBERCRIME, on the other hand, are vast. Starting with the theoretical and moving toward absolute certainty: primarily Eastern European gangs possess about half of the world’s credit card numbers, according to the head of the Justice Department’s computer crime section, though they haven’t used most of them. Justice’s Kimberly Kiefer Peretti said the greater danger would come if they cracked debit and ATM cards en masse as well. The more precise statement would be not if, but when. King Arthur could do it, and so could Albert Gonzalez’s Russian partners. The Russian government, and possibly the Chinese government, has access to minds capable not only of stealing millions upon millions of dollars, but potentially disrupting the Western economy. Why wouldn’t they encourage additional research to nurture such a weapon?
Next, the anonymous author of “Who Wrote SoBig” said that the most important beneficiary of the SoBig virus was not the Send-Safe spamming company but one particular customer of that company, which was not an ordinary spammer. More afraid for his life than unsure of his findings, he never directly stated whom he believed that customer to be, but he advised “looking behind” the RBN, which he called a front. Given the rest of the conversation, the most reasonable interpretation of what he was saying was that the customer is the FSB, though he could have meant another spying operation. There is no obvious reason that such an agency would want access to controllable computers scattered across the globe. But there are some intriguing possibilities. One, again put forward by the white paper’s author, is that Send-Safe’s customer could be sending spam containing coded messages. That might sound far-fetched. But the author pointed to an article in a computer security publication, CompSec Online, which said unnamed U.S. intelligence sources had found codes in the ubiquitous Nigerian advance-fees spam that held instructions for the assassinations of two officials in the Ivory Coast and an attempted coup there. Sending the same message from co-opted machines to thousands or millions of people makes it impossible for investigators to trace the plotters’ chain of command. Another explanation could be that the FSB wants to keep a network of machines in reserve for offensive acts, such as denial-of-service attacks, or to cover the origins of clandestine spying through technical breaches.
The Russians have not been publicly exposed for using hacking to spy in the U.S. But officials told the Los Angeles Times in late 2008 that they suspected that a recent Trojan attack on Defense Department networks, including U.S. Central Command and classified systems, was directed from Russian computers. The attacks spread in large part through ultra-portable flash drives, where the stealth program could overcome most network security policies. It was so severe that Pentagon leaders briefed President George W. Bush on the matter and banned the use of flash drives, until then in heavy use by U.S. forces in Iraq and Afghanistan. Some outside security experts, including those at Team Cymru, cautioned that the Russian computers could have been commandeered by hackers from another country. “None of these things are definitive,” said Howard Schmidt, who served as head of cybersecurity in the early years of Bush’s White House. “If people are as good as they are purported to be, it wouldn’t be leading right to them. I worry more about the stuff where we have no clue it’s even happening.” But Bruce McConnell, who was briefed on the attacks during his time on a cyberthreat commission at the Center for Strategic and International Studies, said, “I think they know who it was, and it was state sponsored.”
The Russian government also might have used Russian Business Network machines to spy on the country of Georgia’s networks, which were penetrated during the land war in late 2008. That hasn’t been proved. But it is clear that those computers assaulted official websites in Estonia and Georgia with denial-of-service attacks. When Barrett walked away from Prolexic, DDoS attacks were becoming routine, and the mob was beginning to use botnets for more profitable mass identity theft instead. But Russia’s cyber military campaigns of 2007 and 2008 demonstrated that DDoS assaults, far from disappearing, had reemerged as a geopolitical weapon.
In April 2007, after Estonian officials removed a major statue of a Soviet soldier from a park in Tallinn, street riots by those of Russian descent were joined by an unprecedented and sustained denial-of-service attack on Estonian government websites. Sites for banks, media, and infrastructure companies fell as well in the first all-out cyber-attack on an entire country. More than a million computers from all over the world inundated the sites at once, generating two hundred times the normal traffic. A simultaneous spam flood shut down the parliament’s email service for days. The only thing the government could do to keep functioning, said Estonian President Toomas Ilves, was cut itself off from the outside world, blocking all foreign Internet traffic.
Technologists traced some of the DDoS packets to Internet addresses within Putin’s administration. A Russian government spokesman pointed out that the IP addresses could have been faked or the machines hijacked. Analysts disagreed over whether the Russian government directed the assaults, which nevertheless prompted a call for stronger cyberdefense from NATO. Russian blogs were full of instructions for how to join in the DDoS campaign, and certainly some citizens volunteered for the cause. But the major part of the assault suddenly stopped a month after it began, suggesting that a botnet had been leased for that period. “It was a new form of public-private partnership,” Estonia’s Ilves said drily. “This was clearly paid for, but I think it was a policy decision.” Even if the Russian government wasn’t calling the shots, it clearly could have acted to stop the flow, and it did not. “In Estonia,” said National Security Agency chief General Keith Alexander, “all of a sudden we went from cybercrime to cyberwarfare.” Andy Crocker’s theory is that the Estonia attack was “a proof of concept,” in which the RBN picked a target to show the Russian authorities how valuable it could be.