Battling computer viruses, U.S. agents seize networks
A Russian computer hacker was accused Monday of leading a worldwide conspiracy that targeted hundreds of thousands of computers with malware, enabling his group to steal more than $100 million from business and other bank accounts.
The New York Times
WASHINGTON — Federal agents over the weekend secretly seized control of two computer networks that hackers used to steal millions of dollars from unsuspecting victims. In doing so, the Justice Department disrupted the circulation of two of the world’s most pernicious viruses and turned a 30-year-old Russian computer hacker into a most-wanted fugitive.
The strike, coordinated with the European authorities, was aimed at malware called GameOver Zeus, which is known to steal bank information and send it to overseas hackers, and CryptoLocker, which burrows into computers and encrypts personal data. The hackers then demand a ransom to unlock the files.
“By the time the victims learned that their computers had been infected, it was far too late,” Leslie Caldwell, the assistant attorney general in charge of the criminal division, said Monday.
Together, the Justice Department estimates, the two malicious programs have infected between 500,000 and 1 million computers and cost people more than $100 million in direct and indirect losses.
Authorities determined that the operations were run by the same man, whom the Justice Department identified as Evgeniy Bogachev, of Anapa, Russia. He has long been one of the government’s most sought-after individual cybercriminals, through his screen name, Lucky12345.
While both pieces of software are distributed through spam emails, they accomplish different things, each highly damaging.
Once inside a computer, GameOver Zeus quietly tracks each keystroke. When the software detects someone logging into a bank account, it records the password. Armed with that information, hackers log in and drain the account. Often they stole more than $1 million from businesses, prosecutors said, with at least one theft exceeding $6 million.
CryptoLocker spreads through emails that look like they are from legitimate businesses, including fake tracking notices from FedEx and UPS. As it spreads, the software locks up computer files behind unbreakable encryption, then demands hundreds of dollars in exchange for the code that unlocks it.
Investigators say many people and organizations, including the police department in Swansea, Mass., have paid to recover their files. Those who refused saw their files permanently erased.
While CryptoLocker used a command-and-control server, GameOver Zeus did not. Instead, it relied on a decentralized structure, and it did not have a simple shutdown command.
The best chance the FBI had to wrest control of the network, it was decided, was by seizing all servers that transmitted the malicious code and rerouting their traffic to a safe, government-controlled computer. In theory, each time an infected computer asked for instructions to carry out its malicious mission, it would instead be harmlessly talking to the U.S. government.
But the GameOver Zeus servers were spread across the world. If the agents missed one infected server, the hackers could use it to restart the network and continue spreading the code.
Early Friday, authorities in Canada, France, Germany, Luxembourg, Ukraine and the United Kingdom physically took over the servers that served as the backbone for GameOver Zeus and CryptoLocker, Caldwell said. All Internet traffic was then rerouted, under a court order, to the government’s safe computer.
All weekend, agents watched for signs of success. Investigators worked from command centers at FBI headquarters in Washington, Europol headquarters at The Hague in the Netherlands, and at the National Cyber-Forensics & Training Alliance in Pittsburgh.
One by one, computers across the world contacted the government’s safe computer, signifying that America, not the hackers, was in control of the network. With each electronic ping, the government collected the Internet addresses of the infected systems, providing a map of the global infection.
By Sunday, officials said they were confident they had dismantled the network and collected enough data to help security firms and technology companies clean infected computers.
CryptoLocker similarly came under U.S. control, Caldwell said.
On Monday, the government unsealed court documents charging Bogachev with bank, computer and wire fraud. The FBI placed Bogachev on its list of most-wanted cybercriminals.
Bogachev remains free, and the United States has asked Russian authorities to turn him over. Those discussions are continuing, the Justice Department said.