Suche innerhalb des Archivs / Search the Archive All words Any words
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[infowar.de] Re: Die FBI und die Russische Hacker Fahndung

Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

-------- Original Message --------
Betreff: Re: [infowar.de] Die FBI und die Russische Hacker Fahndung
Datum: Mon, 19 May 2003 10:37:10 -0400
Von: PatriciaDenno -!
- aol -
 com
An: bendrath -!
- zedat -
 fu-berlin -
 de (Ralf Bendrath)

Hoffentlich klappt es......

A Tempting Offer for Russian Pair 
The Bait: Chance For Jobs in U.S. 
By Ariana Eunjung Cha

Washington Post Staff Writer

Monday, May 19, 2003; Page A01 

Jon Morgenstern's nightmare began with an e-mail. It arrived in his
computer's mailbox on July 15, 2000, and its basic message was this:
Your security has been compromised. We would like to help you.

Morgenstern, president of E-Money Inc., a Washington-based provider of
technology for online payment transactions, immediately suspected the
message's underlying meaning. It was a threat.

His fears were confirmed the next day when a youthful-sounding man
called and asked Morgenstern if he had received the e-mail. The man
identified himself as "Alex," said he was from Russia and part of
something called the "Expert Group of Protection Against Hackers." He
said he had gotten access to the firm's customer database , including
credit card information, and would be happy to ensure that further
intrusions were not possible -- as long as E-Money would pay him
$500,000 to do so.

As proof that E-Money's computer had been broken in to, he asked
Morgenstern to go to one of his servers and look for a system file
containing some digital graffiti. Morgenstern had no trouble finding the
file.

It said: "Alex was here."

So began a series of transatlantic telephone, e-mail and instant message
exchanges about how to resolve the situation. In the ensuing
back-and-forth between Morgenstern and his attackers, a kind of easy
rapport developed that would ultimately lead to the arrest of two
members of the "Expert Group" and allow U.S. officials to gain new
insight into an overseas hacking networks that to this day continues to
terrorize American businesses.

Hacking has reached crisis levels in the past few years -- the average
U.S. company is attacked 30 times a week, according to the online
security firm Symantec Corp. Most are not serious; they are efforts to
scan computer networks for vulnerabilities. Still, a significant number
-- about 15 percent -- are actual attempted or successful intrusions.

Morgenstern, meanwhile, was conflicted. He didn't want to pay any
extortion fee but he was determined not to let the hackers ruin his
company's reputation either. He was worried that news of even a minor
break-in might spook customers. After all, E-Money was built on trust.

Morgenstern hired an expensive security consultant from Silicon Valley
to respond to the hackers and ordered his systems administrators to do a
complete analysis of the E-Money systems for other vulnerabilities,
tasks that he estimates ended up costing his company more than $1
million in fees, lost business and new computer equipment.

Meanwhile, Morgenstern tried to negotiate with the hackers. The $500,000
demand to "assist in repairing the system" became $250,000, then
$150,000, and then $75,000. But when he still wouldn't pay, Morgenstern
said, the hackers launched a new type of attack, bombing the company's
network with so much bogus traffic that it caused his network to slow so
much that legitimate transactions could not get processed.

Morgenstern then called the FBI.

E-Money's Jon Morgenstern called the FBI after his firm's network was
hacked. Michael Robinson-Chavez -- The Washington Post 

To the agency, it was a familiar story. The FBI for many months had been
tracking organized hacker groups in Russia, the Ukraine and other
countries who had been trying to extort money from operators of Web
sites. In particular, references to the "Expert Group" kept coming up.
"The number of victims and losses involved made us take notice,"
remembered Charlie Mandigo, an FBI agent who was one of the supervisors
of the investigation of the extortion cases. By the next year, the
problem would become severe enough that the FBI would issue an unusual
alert about the spree, which they said netted more than 1 million credit
card numbers. The agency pleaded with firms to better secure their
systems. 

The FBI's Don Cavender, who worked on the cases, said the breadth of the
attacks showed the need for more trained cybercrime investigators. In
part as a response to these case, the FBI recently doubled its staffing
to 700 agents, supplementing the 200 trained agents the Secret Service
employs.

The local field office of the FBI sent two agents to help Morgenstern.
They came by E-Money's offices and brought equipment so that Morgenstern
could record all his conversations with Alex and a friend who called
himself Victor, or Vladimir. Over several weeks, the FBI agents came by
and sat next to Morgenstern at his Dupont Circle headquarters and his
Gaithersburg home, listening in on his negotiations, their vigil
fortified by one Diet Pepsi after another.

They advised him to keep notes, drag out the negotiations and gather as
much information as possible about the guys he was dealing with. 

Morgenstern said he spoke to them at least four times a week, or often
more. It was always Alex or Victor who initiated the conversation,
claiming to be dialing in from a satellite phone they had commandeered.

The first few conversations followed this formula: Alex would begin by
offering to lower the price for "protection" from hacking. Each time
Morgenstern would make up different excuses about why he couldn't pay.

"My board is made up of very strict guys and they want to meet you and
put you on a long-term retainer," Morgenstern told them. (With only 15
employees, E-Money did not, in fact, have a board.) "We need you in the
United States. Or how about a more neutral place -- Finland? Denmark?"
Morgenstern asked. (He was hoping officials in those countries would be
more cooperative about letting U.S. authorities arrest the hackers.)

But as the days went by, the tenor of the conversations changed. The men
went from sounding arrogant and angry to gradually becoming more chatty.
Sometimes the hackers would call Morgenstern at home. Morgenstern said
his young son became so used to the odd-hours phone calls that he would
often pick up and shout "Dad, it's Alex on the phone again!"

Morgenstern told them about life in the United States and they in turn
told him about life in Russia.

Alex said he was fresh out of school and had had trouble finding a job
and had little money for food or clothes. Victor said he was older,
married with a child. Their personalities were evident in their choice
of e-mail addresses: Alex was "megapunk" while Victor used a more
generic name, "accessd."

Alex seemed okay with his situation, once saying that he could "live
like a king here" on the money he made from American companies. But
Victor was more uneasy.

FBI Special Agent Don Cavender, a computer crisis instructor who worked
on the Russian hackers case, introduces students to search and seizure
tactics at the FBI Academy at Quantico. He said the breadth of the
attacks showed the need for more trained cybercrime investigators. 

Andrea Bruce Woodall -- The Washington Post 

"You don't understand how hard I work. I work 72 hours at a time and I
have all my programmers [to care for]. They are sleeping here and then
we work more and more.... Jon, you think I like to do this for a
living?" Morgenstern recalled Victor saying.

Alex and Victor described how they were forced by men with "leather
jackets" and "big guns" to work for a crime group and that he was
supposed to get 50 cents per credit card number. The problem, they said,
was that they often didn't get paid.

Then one day Victor said something that threw Morgenstern off
completely: He told him to forget about the extortion fee. He simply
asked for a visa and employment in the United States.

"Please get job from America," Morgenstern remembered Victor telling
him. "John, I will fix up your system and you will never get anyone
attack you again. I need to bring my wife and little child."

Victor confirmed his intentions in a follow-up e-mail a few days later,
on Sept. 15: "I have made a decision to come and visit you in USA
whenever will happen to me. I am [expletive] tired of hiding. I will
take a risc [sic]. I think I can trust you. . . . I want to get a job to
forget about my criminal past. . . . I can departure next week."

Morgenstern, who is a lawyer, empathized with their situation. He
offered to serve as the men's representative and tried to broker an
offer of immunity from the FBI if the two were to come to the United
States and find honest work. He put them in touch with an agent who said
he would talk to them about the possibility.

The attacks abruptly stopped and Morgenstern never heard from the men
again.

By the summer of 2000, about the time Morgenstern's systems had been
hacked, the United States had come to view the "Expert Group" as a major
threat to the country's financial networks. People identifying
themselves as members of the group had claimed responsibility for some
of attacks on some of the country's most critical companies -- Western
Union, PayPal and a series of regional banks. Investigators worried that
perhaps the extortion demands represented only part of what the group
was trying to accomplish. They feared the hackers had control of other
computer networks that no one knew about and that they were attempting
to creating a "credit card production system" that they could tap at any
time. The attacks seemed to be coordinated by someone who knew more
about money laundering than the average hacker, someone who could turn
the credit card numbers in to goods and then sell the goods to generate
cash.

"One of the more disturbing trends we were beginning to see was an
increased level of cooperation between the Russian hacker community and
traditional organized crime," said Shawn J. Chen, a U.S. attorney in
Connecticut who worked on the case.

More than a dozen U.S. attorneys and FBI agents from Connecticut,
Washington, California and New Jersey convened a series of brainstorming
conferences about how to stop them.

For months the law enforcement group had been pursuing conventional
methods of trying to capture the Russian hackers. They suspected at
least some of the hacks were being conducted by someone named Alexey
Ivanov. He was so bold that he had been sending his resume and picture
around to companies he was trying to extort. While authorities were
investigating an incident at CTS Network Services in Seattle, which had
"hired" Ivanov as a consultant, they found 38,000 partial credit card
numbers from E-Money databases on one of the hacker's computer accounts.

The Justice Department sent a letter through diplomatic channels asking
that Ivanov be detained and questioned. There was no response. They sent
a follow-up inquiry. Again, no response.

To catch Ivanov, U.S. authorities couldn't very well go to Russia and
grab him so they had to figure out a way to get him here, recalled
Stephen Schroeder, one of the main U.S. attorneys on the case.

"We do not have an extradition treaty with Russia so unless they were
found outside of Russia our ability to deal with them would be limited,"
said Schroeder, who recently retired.

Not having an extradition treaty with Russia made the hackers case more
difficult to prosecute, says Stephen Schroeder, who worked on the case
as a U.S. attorney. Patrick Hagerty for The Washington Post 

The United States has taken the lead in recent years on trying to get
countries to cooperate in cybercrime investigations. It came to an
agreement with other G-8 nations, which represent the governments of the
world's biggest industrialized countries, to create a way for them to
more easily share information and to make Internet service providers
save data about break-ins. U.S. authorities have also sent attorneys and
agents to travel around the world to train foreign intelligence
officials about how to investigate such crimes. They are urging other
countries to draft laws making hacking illegal.

But in the end it is up to individual nations to decide whether they
want to help.

Morgenstern's pleas for the Russian programmers to meet him to discuss a
business contract was just one of the ways the FBI was working behind
the scenes to try to get the hackers to a place where they could be
arrested. His conversations with the hackers along with those of other
victims yielded valuable clues about the group's personality and
hierarchy, allowing the U.S. government to invent what must have been
seemed to Ivanov as an opportunity he couldn't refuse.

That turned out to be a potential job offer from a fake company called
Invita Technologies. Invita claimed to be looking to partner with a
security firm to provide consulting services to U.S. companies.
Investigators sent a flattering letter to Ivanov, telling him they had
heard good things about him and were considering him as a candidate. He
would need to come to their offices in Seattle for an interview.

>From Ivanov's perspective, the offer must have seemed magical: Finally
someone recognized his talents and was offering to bring him to America.

Ivanov contacted Invita and agreed, asking if he also could bring along
his "business partner," a Vasiliy Gorshkov whose name the FBI officials
hadn't heard before. The company responded yes. It would pay all of
Ivanov's expenses, but his associate Gorshkov would need to buy his own
plane ticket. Gorshkov gladly shelled out the money.

Sergey Gorshkov, Vasiliy's older brother by two years and now 29,
remembers that Vasiliy couldn't stop smiling after he received the
letter. "It seemed like a dream come true to him, to all of us," Sergey
said in a recent interview.

A "company" representative picked them up from the airport in November
2000, took them to what looked like an ordinary office building. There,
the hackers were asked to prove their skills.

The FBI secretly videotaped the encounter. The grainy black-and-white
video shows two young men in the heavy, puffy coats they brought with
them from Chelyabinsk -- outerwear that looked out of place in the mild
weather of Seattle. Company employees flit around them in the
8-by-20-foot room asking if they want drinks or anything else to make
them comfortable. They muse about the price of cigarettes, the weather.
Then the real conversation begins.

Gorshkov takes charge, telling the officials that the two men are
experienced hackers. He describes past exploits as Ivanov sits silently
tapping away at the keyboard of his laptop and later at one of the
"company's" computers, apparently analyzing various Web sites and their
security vulnerabilities while playing snippets of pop music.

An undercover FBI agent asks: "So how often have you hacked into
computer systems and have you ever found or taken credit card numbers?"

Gorshkov avoids the question. He chuckles, then says, "These things are
better talked about in Russia."

But as the conversation drags on for an hour or so, he becomes bolder.

Gorshkov: "We don't think about the FBI at all. Because they can't get
us in Russia."

FBI: "Right."

Gorshkov: "Your guys don't work in Russia."

Unbeknownst to Gorshkov and Ivanov, the agents had installed onto the
"company's" computers a program that logged the young men's keystrokes
as they were accessing the tech.net.ru systems in Russia. That allowed
U.S. law enforcement to obtain the hackers' passwords.

At about 5 p.m., the company officials offer to take Gorshkov and Ivanov
to the flat that has been rented for them. After a short drive, the car
doors burst open and someone shouts: "FBI -- Get out of the car! Get out
of the car with your hands behind your back," according to a transcript
of the taped encounter. There's garbled conversation and then one of the
hackers -- it isn't clear which one -- starts pummeling the vehicle.

"It's not my car," one of the FBI agents says. "Yeah, you can hit it. I
don't care."

A few hours later it was over. Gorshkov and Ivanov were in jail. And FBI
computer specialists were preparing to enter the hackers' computers in
Russia. They would eventually download 2,700 megabytes of data --
hacking programs, extortion letters, credit card numbers -- to help them
build their case.

Morgenstern didn't hear about the arrests until early 2001, a few months
after they happened. By that time, he had managed to sell his business
for a tidy sum to a competitor (he still serves as an executive). He
wasn't sure whether Gorshkov and Ivanov were in fact the men he talked
to on the phone but he knew they were somehow linked because they all
identified themselves as part of the "Expert Group." He had mixed
feelings about the sting. He was angry at the men for jeopardizing his
business but he had come to understand that perhaps they had little
choice in doing what they did.

"It isn't their fault that they were born in a place where they don't
have opportunities," Morgenstern said.

Gorshkov pleaded innocent but was found guilty of conspiracy, computer
fraud, hacking and extortion. Last fall, he was sentenced to three years
in prison and ordered to pay $700,000 in restitution. In a plea
agreement, Ivanov acknowledged hacking into 16 companies, including
E-Money, as well as a scheme to defraud payment service PayPal by using
stolen credit card numbers to set up accounts. Ivanov is likely to be
sentenced this summer and faces up to 20 years in prison and a $250,000
fine.

The FBI sting operation was held up as a example of the ingenuity of
American law enforcement. Two of the agents who set up the sting --
Marty Prewett and Michael Schuler -- won outstanding criminal
investigation awards from the agency's director.

But there was still a little problem.

In a series of interviews with investigators that took place over the
next year, Ivanov acknowledged that he hacked E-Money but that he was
not Alex and Gorshkov was not Victor as U.S. authorities initially had
believed. Someone else had been on the phone with Morgenstern, he
claimed, and that someone else was still in Russia.

---------------------------------------------------------------
Liste verlassen: 
Mail an infowar -
 de-request -!
- infopeace -
 de mit "unsubscribe" im Text.