Men who worked on the Klopov case called his capture a miracle. Cracking such cases is ten times more difficult than a few years ago, they said, because as the biggest underground forums have collapsed, the leaders of such criminal cells have restricted themselves to dealing with a dozen or so associates apiece, all online, with heavy encryption. The only way in is through a turned informant or the takeover of an accomplice’s identity. “Right now, online criminals have very little risk,” said Steve Santorelli of Team Cymru.
Many more criminals could be brought in with the cooperation of other governments, especially those in former Soviet states. And Andy proved that’s possible to get. “You need to have those personal relationships, and the only way that happens is by spending a lot of time with them and not calling them just when you need something. The U.S. misplayed that pretty good,” said one senior U.S. agent amazed by Andy’s work. “We failed to understand the Russian mentality and work in and around their system.” When Andy brought Igor Yakovlev to conferences in the U.S. and other countries, Western investigators beseeched him for help with their cases. But when Igor told them about the formal procedure, most gave up.
FBI Assistant Director Shawn Henry said that the FBI and FSB began cooperating on multiple cases in 2008, and he said the Russians made a number of undisclosed arrests in St. Petersburg based on U.S. information. In early 2009, Henry sent an agent to work for two weeks at the MVD. That almost caught the feds up to where Andy had been five years earlier. “We’re still kind of in the infant stages of this relationship,” Henry said. “It’s going to take some time to show evidence, but I think the foundation is there.”
What it will take going forward is a commitment to deal with other powers as they are, with respect and openness: “working with the Russians, not against them,” Andy said. There has to be a carrot, in the form of sharing information and techniques, and a stick, in the form of diplomatic penalties. Above all, the harboring and sponsorship of arch criminals must be elevated to the levels that Andy required to get his Russian peers moving, the U.K. equivalent of the U.S. secretary of state. The integrity of corporate, consumer, and government technology and the online financial system has to be recognized as a top priority. It deserves to be an issue at head-of-state summits. If the U.S. is going to wheel and deal with others on the world stage about matters ranging from invasions to crop subsidies, their treatment of cybercriminals has to be on the agenda too. A good place to start would be with pressure on Russia and others to ratify something like the European Convention on Cyber Crime, which sets out a framework for what constitutes criminal activity.
The Obama administration initially appeared to be getting some of the picture. The president said online crime was costing the world $1 trillion every year, and Melissa Hathaway’s report called on the White House to stop passing the buck and to lead. While giving Obama credit for his May speech, Andy said much of what he and Hathaway said was old news. He said nothing in it would get Russia or China to change their ways. He said the world’s Net authorities, from the Internet Corporation for Assigned Names and Numbers (ICANN) to the major service providers, needed to be given more power.
The U.S. was just taking the first steps toward sharing information on new attack modes with the electric utilities and other private industries. Government officials said they felt more urgency in developing offensive cyberweapons, which in theory could retaliate in kind for acts against U.S. assets or allies—that is, if the initial attackers could be identified. Most of the other key actions called for in Obama’s speech remained on hold.
In February 2009 Senate testimony, two weeks after he was named director of national intelligence, Admiral Dennis Blair had warned that Russia and China had the capability to break parts of the U.S. information infrastructure and collect intelligence. “We expect disruptive cyber activities to be the norm in future political or military conflicts,” he testified. Using some of the most direct language to date from such a high official, Blair continued, “powerful, high-profile Eurasian criminal groups often form strategic alliances with senior political leaders and business tycoons and operate from a relative safe-haven status with little to no fear of international arrest and prosecution.... The change in the structure and types of activities conducted by transnational criminal groups is making it increasingly hard to identify and attack them.” He said 15 percent of all online computers were expected to become bots by the end of 2009, and that spam-related fraud alone cost $140 billion the previous year.
Senate Intelligence Chair and California Senator Dianne Feinstein tried to coax Blair still further, into exposing the connections between the Russian mob and the Kremlin, but Blair wasn’t ready for that step. “Do you see any nexus between Russian organized crime, cybernetworks, and the government?” she asked. “I’d rather not answer that in this session, Madame Chairman,” Blair replied.
As Obama’s first summit with Prime Minister Putin and President Dmitry Medvedev approached in July 2009, experts briefed Obama on cybercrime, suggesting he press for greater law enforcement cooperation. They warned him that the Russian preference for subjecting cyberweapons to arms control treaties would leave the Kremlin too much freedom to keep outsourcing to organized crime without detection. But Obama was ill-equipped to deal seriously because he still had no cybersecurity czar, and sources said the issue never came up. It was a missed opportunity.
THE U.S. CAN’T RELY ON DIPLOMACY ALONE. That’s why it must also try harder to disable or blunt the major weapons in the criminals’ arsenal, including their botnets and access to bulletproof server hosting and high-speed access in the West. As for the botnets themselves, the landscape is bleak. By 2009, there were perhaps 1,000 of the old-fashioned zombie armies controlled through Internet Relay Chat channels, another 100 directed with greater stealth from websites like those Brain switched to, and 10 run like the more recent Conficker worm in peer-to-peer fashion, with drones updating each other and no head to cut off, according to Team Cymru. Experts said the fight against the bots is now unwinnable. What’s worse, “we’re losing at an accelerating rate,” said Alan Paller, director of the SANS Institute, a nonprofit security training outfit.
Except for the peer-to-peer setups, though, the bad guys still need places from which to control the botnets. They also need spots to store their digital treasure and process transactions. The Russian Business Network provided those things. But when people like Jart Armin, David Bizeul, and others started tracking RBN and its vendors and customers, then shared their findings with others and the media, even the RBN felt the heat. It dropped its main Internet connections in St. Petersburg in summer 2007 and began operating through other links.
Some crowed that the RBN was dead. Others complained that it should have been left alone, since it was now harder to track. But Armin and his allies learned about the operation by following how it reconnected. One of the things they realized was that the RBN and its ilk want hosting outside of Russia, ideally in the United States. That way the power never goes out, the links to the Internet backbone are fastest, and the outgoing traffic eludes security systems that bar entire countries from protected networks.
For years the Eastern European mobsters got that. They found service providers based in the U.S. or with operations in the country that were either crooked themselves or very willing to take the money and ask no questions. But researchers obsessed with tracking where new viruses, phishing attacks, and Trojans were coming from spent months following the threads and comparing notes. Many were volunteers like James McQuaid, a Michigan programmer in the health care industry. McQuaid had been running some servers for a hospital group in the year 2000 that kept getting hacked by someone who used the machines to sell pirated DVDs. McQuaid traced the Internet address back to St. Petersburg, then kicked the pirates off and locked the machines down. Four years later, McQuaid bought a new PC for his teenage son. McQuaid kept the computer fully patched and behind a firewall. But when he switched antivirus programs, the new software picked up a remote-access Trojan that had been there almost from the beginning, when it got in through an anime site and a Microsoft flaw that hadn’t been fixed yet. McQuaid read up on the Trojan, which SANS attributed to the RBN.
After that, McQuaid said, “I pretty much concluded that you couldn’t avoid the RBN, and the best defense was to find where they were at and apply that knowledge to your defensive mechanism.” McQuaid began assembling a blacklist of RBN IP addresses and domain names, and he has been updating it ever since. Companies that adopted his list have reported a major drop in intrusions and malware.
In the second half of 2008, Armin edited and published two reports with contributions from McQuaid, Bizeul, and others, some of them unnamed. The effort brought together experts at tracking criminal groups, at analyzing how code works, and at tracing Internet connections. They produced work largely aimed at Internet service professionals like those Barrett had spoken to years before at the Peering Forum. The first report targeted Atrivo, a notorious service provider that was hosting many RBN-affiliated scam pages. Among the findings: of the 100 most widespread fake anti-spyware programs, 66 were distributed through Atrivo machines. Atrivo also hosted child porn, more than 1,000 botnet control servers, and an array of other malware. More than 3 percent of the Atrivo sites tested were dangerous, compared with 0.1 percent at an average hosting company. After the report’s publication, some of Atrivo’s service providers stopped giving it connections to the rest of the Net. The world volume of spam dropped by 10 percent.
The second Armin report exposed McColo Corporation, which had gained some Atrivo customers in addition to its previous clientele. McColo’s upstream providers Global Crossing Ltd. and Hurricane Electric Internet Services dropped it as a customer, slashing spam by an astonishing two-thirds, independent mail filtering companies said. The FBI also began investigating whether McColo knowingly hosted child porn and scam artists.
Under Obama’s new chairman, the Federal Trade Commission tried to catch up. Acting with help from private experts, it took unprecedented federal action against a third provider, Pricewert, convincing a judge to shut it down without giving notice to the owners, who might have destroyed evidence. “Almost anything that you can find that harms consumers on the Internet, this ISP was involved in,” said new FTC Chair Jon Leibowitz, noting that it hosted seventeen botnet command servers and advertised on Russian-language criminal forums. All of the Pricewert employees investigators could track worked from Ukraine or Estonia, though the company was incorporated in Oregon and gave Belize as its base. Perhaps more significant was the private pressure on registrar EST Domains, which sold domain names and hosted many fraudulent sites out of Estonia, especially through Atrivo. U.S. investigators and others had run into walls at the company for years. In one case, a Secret Service agent was working with Andy to track one of Bra1n’s botnets. He disabled a server hosted at an Atrivo data center in Silicon Valley and was told that the server had been leased to EST Domains. To his surprise, an EST executive called and asked what the problem was. The agent flew to meet him in Estonia, where the executive told him that he had re-leased the server to a customer in Moscow whom he only dealt with over ICQ.
Armin and his allies got better results when they provided information on EST to Brian Krebs, a Washington Post tech security writer who gave the Atrivo and McColo studies the broadest exposure. Krebs reported on hundreds of malicious sites at EST Domains, then followed up with a report that EST Chief Executive Vladimir Tsastsin had recently been convicted of credit card fraud and forgery. ICANN, which for years had allowed companies to sell domain names with almost total secrecy to whomever they wanted, took the historic step of revoking EST’s right to peddle website addresses. ICANN, the slow-moving governance body run by consensus, had all of four people assigned to police registrars. If it had more power and money, Andy said, the world would be a safer place. Failing that, the volunteer efforts aren’t going to do much more than force the criminals to go farther afield for hosting and connections. But other service providers might feel compelled to ask for documentation before cutting deals, or even check what is happening on their machines.
The potential for bad publicity reached Eastern Europe again in mid-2009, when Armin and his allies found that a provider called Real Host housed botnet command sites and served up malware through a Latvian hosting firm, Junik, which used the major Nordic telecommunications company TeliaSonera for bandwidth. Armin contacted the Financial Times, which called TeliaSonera, which told Junik to drop Real Host or get dropped itself. Junik pulled the plug, briefly sending world spam volume down 38 percent.