From (& To) Russia, With Love
If you ask security experts why more cyber criminals aren't brought to justice, the answer you will probably hear is that U.S. authorities simply aren't getting the cooperation they need from law enforcement officials in Russia and other Eastern European nations, where some of the world's most active cyber criminal gangs are thought to operate with impunity.
But I wonder whether authorities in those countries would be any more willing to pursue cyber crooks in their own countries if they were forced to confront just how deeply those groups have penetrated key government and private computer networks in those regions.
As Security Fix documented in When Cyber Criminals Eat Their Own, a common misconception about hacker groups in Russia and the former Soviet nations is that they avoid targeting their own people. On the contrary, aggregate statistics from recent attacks and outbreaks strongly suggest that perception no longer matches reality.
One gradual but notable shift on this front has been the increasing willingness of Russian and Eastern European cyber gangs to target companies in their home countries in virtual shakedowns known as distributed-denial-of-service (DDoS) attacks, according to exclusive data provided by cyber security research firm Team Cymru (pronounced kum-ree).
In DDoS assaults, cyber gangsters demand tens of thousands of dollars in protection money from businesses. If the businesses refuse to pay, the criminals order hundreds or thousands of compromised computers that they control to flood the Web sites with meaningless traffic, crippling the businesses and preventing legitimate visitors from transacting with the sites.
This video animation, provided by Team Cymru, depicts the targets of DDoS attacks between Jan. 1 and Mar. 1, 2009.
While it's difficult to tell from the video, over the 60-day period depicted here, Team Cymru counted some 45 distinct DDoS incidents in which Russian Internet addresses were the target of the attack (an enlargeable version of this movie can be seen here).
Team Cymru's Steve Santorelli said firms in China and Russia are no more insulated from DDoS attacks than their Western counterparts.
"It's clear from our monitoring that Chinese and Russian victims are much more common now than they were a few years ago," Santorelli said. "There are several possible reasons for that but it's a definite trend that many others in the security community have also noticed."
There also is evidence that cyber crooks have deeply compromised some key Russian and Eastern European government agencies and corporations, as well as top officials at those entities.
Some of the more granular data to support that comes from TrustedSource, which is McAfee's global intelligence system that assigns reputation to networks based on activity it sees coming from them. The following data sets show that TrustedSource recently has observed virus e-mail and spam originating from a variety of government agencies and banking institutions in Russia.
According to McAfee, compromised Russian banks include:
Link Capital Investment Bank
The Maritime Bank
Vladivostok Alfa Bank
Enisey's United Bank
McAfee's data suggests that computer systems in the following Russian government offices also are controlled by cyber gangs:
Ministry of Taxation, Nazran region
Russian State Internet Network
Regional Finance & Economy Institute
Joint Institute for Nuclear Research
Medical Center of Russian Federation President's Department
Pension Fund of the Russian Federation
Personal Network for the Russian Federation Justice
JSC Chechen Cellular Communication
Dmitri Alperovitch, McAfee's vice president of threat research, said online criminals are largely indiscriminate about their targets and will attack any organization of financial or other interest to them.
"This data disputes the prevalent myth that's been popular in the cyber security community that online criminals, of which a significant number are believed to reside in Eastern Europe, prefer to focus on targets in Western countries and tend to shy away from attacking people or companies in their local jurisdiction," Alperovitch said. "Clearly, the Internet knows no geographical boundaries and it is now apparent that cyber criminals will attack any target of opportunity presented to them."
As Security Fix showed in January, some of the largest collections of victims with data-stealing malicious software installed on their PCs are in Russia. This, too, may be a factor of the indiscriminate malware economy: many of the most common data-stealing keylogger programs - such as Zeus and Limbo - are sold as plug-and-play kits that will just as happily infect an American PC as they will Russian computers.
Just a few minutes of digging through more than 30 gigabytes of keylogged data intercepted by security researchers yielded some interesting results, and more than a few important victims in Russia and Eastern Europe had their corporate Microsoft Outlook e-mail credentials stolen, along with other user names and passwords. Among them was Vladimir Novikov, head of the corporate management department for Gazprom Neft, one of the largest oil-producing companies in Russia. Mr. Novikov did not return e-mails seeking comment.
March 3, 2009; 2:40 PM ET
Categories: Cyber Justice , Fraud , From the Bunker | Tags: banks, mcafee, russia, team cymru