Information Security News mailing list archives

A Tempting Offer for Russian Pair


From: InfoSec News <isn () c4i org>
Date: Tue, 20 May 2003 02:10:32 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.washingtonpost.com/wp-dyn/articles/A7774-2003May18.html

By Ariana Eunjung Cha
Washington Post Staff Writer
Monday, May 19, 2003 

Second of three articles 

Jon Morgenstern's nightmare began with an e-mail. It arrived in his 
computer's mailbox on July 15, 2000, and its basic message was this: 
Your security has been compromised. We would like to help you.

Morgenstern, president of E-Money Inc., a Washington-based provider of 
technology for online payment transactions, immediately suspected the 
message's underlying meaning. It was a threat.

His fears were confirmed the next day when a youthful-sounding man 
called and asked Morgenstern if he had received the e-mail. The man 
identified himself as "Alex," said he was from Russia and part of 
something called the "Expert Group of Protection Against Hackers." He 
said he had gotten access to the firm's customer database, including 
credit card information, and would be happy to ensure that further 
intrusions were not possible -- as long as E-Money would pay him 
$500,000 to do so.

As proof that E-Money's computer had been broken into, he asked 
Morgenstern to go to one of his servers and look for a system file 
containing some digital graffiti. Morgenstern had no trouble finding 
the file.

It said: "Alex was here."

So began a series of transatlantic telephone, e-mail and instant 
message exchanges about how to resolve the situation. In the ensuing 
back-and-forth between Morgenstern and his attackers, a kind of easy 
rapport developed that would ultimately lead to the arrest of two 
members of the "Expert Group" and allow U.S. officials to gain new 
insight into an overseas hacking network that to this day continues 
to terrorize American businesses.

Hacking has reached crisis levels in the past few years -- the average 
U.S. company is attacked 30 times a week, according to the online 
security firm Symantec Corp. Most are not serious; they are efforts to 
scan computer networks for vulnerabilities. Still, a significant 
number -- about 15 percent -- are actual attempted or successful 
intrusions.

Morgenstern, meanwhile, was conflicted. He didn't want to pay any 
extortion fee but he was determined not to let the hackers ruin his 
company's reputation either. He was worried that news of even a minor 
break-in might spook customers. After all, E-Money was built on trust.

Morgenstern hired an expensive security consultant from Silicon Valley 
to respond to the hackers and ordered his systems administrators to do 
a complete analysis of the E-Money systems for other vulnerabilities, 
tasks that he estimates ended up costing his company more than $1 
million in fees, lost business and new computer equipment.

Meanwhile, Morgenstern tried to negotiate with the hackers. The 
$500,000 demand to "assist in repairing the system" became $250,000, 
then $150,000, and then $75,000. But when he still wouldn't pay, 
Morgenstern said, the hackers launched a new type of attack, bombing 
the company's network with so much bogus traffic that it caused his 
network to slow so much that legitimate transactions could not get 
processed.

Morgenstern then called the FBI.

To the agency, it was a familiar story. The FBI for many months had 
been tracking organized hacker groups in Russia, the Ukraine and other 
countries who had been trying to extort money from operators of Web 
sites. In particular, references to the "Expert Group" kept coming up. 
"The number of victims and losses involved made us take notice," 
remembered Charlie Mandigo, an FBI agent who was one of the 
supervisors of the investigation of the extortion cases. By the next 
year, the problem would become severe enough that the FBI would issue 
an unusual alert about the spree, which they said netted more than 1 
million credit card numbers. The agency pleaded with firms to better 
secure their systems. 

The FBI's Don Cavender, who worked on the cases, said the breadth of 
the attacks showed the need for more trained cybercrime investigators. 
In part as a response to these cases, the FBI recently doubled its 
staffing to 700 agents, supplementing the 200 trained agents the 
Secret Service employs.

The local field office of the FBI sent two agents to help Morgenstern. 
They came by E-Money's offices and brought equipment so that 
Morgenstern could record all his conversations with Alex and a friend 
who called himself Victor, or Vladimir. Over several weeks, the FBI 
agents came by and sat next to Morgenstern at his Dupont Circle 
headquarters and his Gaithersburg home, listening in on his 
negotiations, their vigil fortified by one Diet Pepsi after another.

They advised him to keep notes, drag out the negotiations and gather 
as much information as possible about the guys he was dealing with. 

Morgenstern said he spoke to them at least four times a week, or often 
more. It was always Alex or Victor who initiated the conversation, 
claiming to be dialing in from a satellite phone they had 
commandeered.

The first few conversations followed this formula: Alex would begin by 
offering to lower the price for "protection" from hacking. Each time 
Morgenstern would make up different excuses about why he couldn't pay.

"My board is made up of very strict guys and they want to meet you and 
put you on a long-term retainer," Morgenstern told them. (With only 15 
employees, E-Money did not, in fact, have a board.) "We need you in 
the United States. Or how about a more neutral place -- Finland? 
Denmark?" Morgenstern asked. (He was hoping officials in those 
countries would be more cooperative about letting U.S. authorities 
arrest the hackers.)

But as the days went by, the tenor of the conversations changed. The 
men went from sounding arrogant and angry to gradually becoming more 
chatty. Sometimes the hackers would call Morgenstern at home. 
Morgenstern said his young son became so used to the odd-hours phone 
calls that he would often pick up and shout "Dad, it's Alex on the 
phone again!"

Morgenstern told them about life in the United States and they in turn 
told him about life in Russia.

Alex said he was fresh out of school and had had trouble finding a job 
and had little money for food or clothes. Victor said he was older, 
married with a child. Their personalities were evident in their choice 
of e-mail addresses: Alex was "megapunk" while Victor used a more 
generic name, "accessd."

Alex seemed okay with his situation, once saying that he could "live 
like a king here" on the money he made from American companies. But 
Victor was more uneasy.

"You don't understand how hard I work. I work 72 hours at a time and I 
have all my programmers [to care for]. They are sleeping here and then 
we work more and more. . . . Jon, you think I like to do this for a 
living?" Morgenstern recalled Victor saying.

Alex and Victor described how they were forced by men with "leather 
jackets" and "big guns" to work for a crime group and that he was 
supposed to get 50 cents per credit card number. The problem, they 
said, was that they often didn't get paid.

Then one day Victor said something that threw Morgenstern off 
completely: He told him to forget about the extortion fee. He simply 
asked for a visa and employment in the United States.

"Please get job from America," Morgenstern remembered Victor telling 
him. "John, I will fix up your system and you will never get anyone 
attack you again. I need to bring my wife and little child."

Victor confirmed his intentions in a follow-up e-mail a few days 
later, on Sept. 15: "I have made a decision to come and visit you in 
USA whenever will happen to me. I am [expletive] tired of hiding. I 
will take a risc [sic]. I think I can trust you. . . . I want to get a 
job to forget about my criminal past. . . . I can departure next 
week."

Morgenstern, who is a lawyer, empathized with their situation. He 
offered to serve as the men's representative and tried to broker an 
offer of immunity from the FBI if the two were to come to the United 
States and find honest work. He put them in touch with an agent who 
said he would talk to them about the possibility.

The attacks abruptly stopped and Morgenstern never heard from the men 
again.

By the summer of 2000, about the time Morgenstern's systems had been 
hacked, the United States had come to view the "Expert Group" as a 
major threat to the country's financial networks. People identifying 
themselves as members of the group had claimed responsibility for some 
of the attacks on some of the country's most critical companies -- Western 
Union, PayPal and a series of regional banks. Investigators worried 
that perhaps the extortion demands represented only part of what the 
group was trying to accomplish. They feared the hackers had control of 
other computer networks that no one knew about and that they were 
attempting to create a "credit card production system" that they 
could tap at any time. The attacks seemed to be coordinated by someone 
who knew more about money laundering than the average hacker, someone 
who could turn the credit card numbers into goods and then sell the 
goods to generate cash.

"One of the more disturbing trends we were beginning to see was an 
increased level of cooperation between the Russian hacker community 
and traditional organized crime," said Shawn J. Chen, a U.S. attorney 
in Connecticut who worked on the case.

More than a dozen U.S. attorneys and FBI agents from Connecticut, 
Washington, California and New Jersey convened a series of 
brainstorming conferences about how to stop them.

For months the law enforcement group had been pursuing conventional 
methods of trying to capture the Russian hackers. They suspected at 
least some of the hacks were being conducted by someone named Alexey 
Ivanov. He was so bold that he had been sending his resume and picture 
around to companies he was trying to extort. While authorities were 
investigating an incident at CTS Network Services in Seattle, which 
had "hired" Ivanov as a consultant, they found 38,000 partial credit 
card numbers from E-Money databases on one of the hacker's computer 
accounts.

The Justice Department sent a letter through diplomatic channels 
asking that Ivanov be detained and questioned. There was no response. 
They sent a follow-up inquiry. Again, no response.

To catch Ivanov, U.S. authorities couldn't very well go to Russia and 
grab him so they had to figure out a way to get him here, recalled 
Stephen Schroeder, one of the main U.S. attorneys on the case.

"We do not have an extradition treaty with Russia so unless they were 
found outside of Russia our ability to deal with them would be 
limited," said Schroeder, who recently retired.

The United States has taken the lead in recent years on trying to get 
countries to cooperate in cybercrime investigations. It came to an 
agreement with other G-8 nations, which represent the governments of 
the world's biggest industrialized countries, to create a way for them 
to more easily share information and to make Internet service 
providers save data about break-ins. U.S. authorities have also sent 
attorneys and agents to travel around the world to train foreign 
intelligence officials about how to investigate such crimes. They are 
urging other countries to draft laws making hacking illegal.

But in the end it is up to individual nations to decide whether they 
want to help.

Morgenstern's pleas for the Russian programmers to meet him to discuss 
a business contract were just one of the ways the FBI was working 
behind the scenes to try to get the hackers to a place where they 
could be arrested. His conversations with the hackers along with those 
of other victims yielded valuable clues about the group's personality 
and hierarchy, allowing the U.S. government to invent what must have 
seemed to Ivanov an opportunity he couldn't refuse.

That turned out to be a potential job offer from a fake company called 
Invita Technologies. Invita claimed to be looking to partner with a 
security firm to provide consulting services to U.S. companies. 
Investigators sent a flattering letter to Ivanov, telling him they had 
heard good things about him and were considering him as a candidate. 
He would need to come to their offices in Seattle for an interview.

From Ivanov's perspective, the offer must have seemed magical: Finally 
someone recognized his talents and was offering to bring him to 
America.

Ivanov contacted Invita and agreed, asking if he also could bring 
along his "business partner," a Vasiliy Gorshkov whose name the FBI 
officials hadn't heard before. The company responded yes. It would pay 
all of Ivanov's expenses, but his associate Gorshkov would need to buy 
his own plane ticket. Gorshkov gladly shelled out the money.

Sergey Gorshkov, Vasiliy's older brother by two years and now 29, 
remembers that Vasiliy couldn't stop smiling after he received the 
letter. "It seemed like a dream come true to him, to all of us," 
Sergey said in a recent interview.

A "company" representative picked them up from the airport in November 
2000 and took them to what looked like an ordinary office building. 
There, the hackers were asked to prove their skills.

The FBI secretly videotaped the encounter. The grainy black-and-white 
video shows two young men in the heavy, puffy coats they brought with 
them from Chelyabinsk -- outerwear that looked out of place in the 
mild weather of Seattle. Company employees flit around them in the 
8-by-20-foot room asking if they want drinks or anything else to make 
them comfortable. They muse about the price of cigarettes, the 
weather. Then the real conversation begins.

Gorshkov takes charge, telling the officials that the two men are 
experienced hackers. He describes past exploits as Ivanov sits 
silently tapping away at the keyboard of his laptop and later at one 
of the "company's" computers, apparently analyzing various Web sites 
and their security vulnerabilities while playing snippets of pop 
music.

An undercover FBI agent asks: "So how often have you hacked into 
computer systems and have you ever found or taken credit card 
numbers?"

Gorshkov avoids the question. He chuckles, then says, "These things 
are better talked about in Russia."

But as the conversation drags on for an hour or so, he becomes bolder.

Gorshkov: "We don't think about the FBI at all. Because they can't get 
us in Russia."

FBI: "Right."

Gorshkov: "Your guys don't work in Russia."

Unbeknownst to Gorshkov and Ivanov, the agents had installed onto the 
"company's" computers a program that logged the young men's keystrokes 
as they were accessing the tech.net.ru systems in Russia. That allowed 
U.S. law enforcement to obtain the hackers' passwords.

At about 5 p.m., the company officials offer to take Gorshkov and 
Ivanov to the flat that has been rented for them. After a short drive, 
the car doors burst open and someone shouts: "FBI -- Get out of the 
car! Get out of the car with your hands behind your back," according 
to a transcript of the taped encounter. There's garbled conversation 
and then one of the hackers -- it isn't clear which one -- starts 
pummeling the vehicle.

"It's not my car," one of the FBI agents says. "Yeah, you can hit it. 
I don't care."

A few hours later it was over. Gorshkov and Ivanov were in jail. And 
FBI computer specialists were preparing to enter the hackers' 
computers in Russia. They would eventually download 2,700 megabytes of 
data -- hacking programs, extortion letters, credit card numbers -- to 
help them build their case.

Morgenstern didn't hear about the arrests until early 2001, a few 
months after they happened. By that time, he had managed to sell his 
business for a tidy sum to a competitor (he still serves as an 
executive). He wasn't sure whether Gorshkov and Ivanov were in fact 
the men he talked to on the phone but he knew they were somehow linked 
because they all identified themselves as part of the "Expert Group." 
He had mixed feelings about the sting. He was angry at the men for 
jeopardizing his business but he had come to understand that perhaps 
they had little choice in doing what they did.

"It isn't their fault that they were born in a place where they don't 
have opportunities," Morgenstern said.

Gorshkov pleaded innocent but was found guilty of conspiracy, computer 
fraud, hacking and extortion. Last fall, he was sentenced to three 
years in prison and ordered to pay $700,000 in restitution. In a plea 
agreement, Ivanov acknowledged hacking into 16 companies, including 
E-Money, as well as a scheme to defraud payment service PayPal by 
using stolen credit card numbers to set up accounts. Ivanov is likely 
to be sentenced this summer and faces up to 20 years in prison and a 
$250,000 fine.

The FBI sting operation was held up as an example of the ingenuity of 
American law enforcement. Two of the agents who set up the sting -- 
Marty Prewett and Michael Schuler -- won outstanding criminal 
investigation awards from the agency's director.

But there was still a little problem.

In a series of interviews with investigators that took place over the 
next year, Ivanov acknowledged that he hacked E-Money but that he was 
not Alex and Gorshkov was not Victor as U.S. authorities initially had 
believed. Someone else had been on the phone with Morgenstern, he 
claimed, and that someone else was still in Russia.
