Pittsburgh FBI agents help to nab Russian-based cybercrime schemes
FBI cyber agents in Pittsburgh helped bring down two Russian-based cybercrime schemes that infected more than a half-million computers around the world and stole more than $100 million in the United States alone.
The Tribune-Review has learned how federal investigators here shut down the cyberattacks by teaming up with private cybersecurity companies and university experts to poison the hackers' computers. Then the agents formed an international coalition to shut down servers and search computers used by the cyberattackers. Even amid recent unrest in eastern Ukraine, officials there cooperated by conducting searches.
On Monday, U.S. Attorney David Hickton of the Western District of Pennsylvania announced that the scamming operations — “Gameover Zeus” and “Cryptolocker” — had been neutralized. Investigators have started alerting victims, many of whom do not know their computers were compromised.
The victims include Haysite Reinforced Plastics in Erie, which lost nearly $200,000; a Massachusetts police department that paid a $750 ransom in bitcoins to free up its computers and banks across the nation, including one in Florida that lost $7 million in one day.
“The staggering dollar losses and destruction wrought by ‘Gameover Zeus' and ‘Cryptolocker' made it necessary for the United States to take action now using every possible legal tool,” Hickton said at a news conference with Justice Department officials in Washington.
Two weeks ago, Hickton appeared in Washington when federal charges were announced against five Chinese military hackers for allegedly stealing computer secrets of several Pittsburgh-area corporations and the United Steelworkers headquarters. The Trib revealed that hundreds of other U.S. companies not involved in that indictment have been hacked. The cyber investigation operations are unrelated, but both originated in Western Pennsylvania.
“We ran this all out of Pittsburgh,” said J. Keith Mularski, the FBI's supervisory special agent in charge of cyber crime. “We kind of put ourselves on the map, I guess.”
Gameover Zeus allowed hackers to trick victims into logging into bank websites to give up passwords and personal information, which the cyber thieves used to execute wire transfers from bank accounts before victims noticed. The FBI estimated 500,000 to 1 million computers worldwide are infected with the software, about a quarter of them in the United States. Illegal wire transfers often exceeded $1 million. With Cryptolocker, the software locked the victim's computer files and demanded a ransom to release them. Since emerging a year ago, the program has infected more than 230,000 computers — half in the United States — and collected more than $27 million in ransoms.
A criminal indictment from Western Pennsylvania charged Evgeniy Mikhailovich Bogachev with tricking an employee of Haysite Reinforced Plastics in Erie to download Gameover Zeus. Hackers then stole online banking credentials from three employees and wired $198,234 to a so-called “money mule” in Atlanta. That person transferred the stolen money to bank accounts in Great Britain.
A man who answered the phone at Haysite on Monday evening referred questions to a supervisor who could not be reached for comment.
Feds fight back
The FBI opened its investigation in 2011, led by two members of the Pittsburgh Field Office Cyber Squad: Elliott Peterson and Steve Lampo. They traced the attacks to the Russian Black Sea resort town of Anapa. The FBI identified Bogachev, 30, there as a Russian mastermind behind the attacks. He uses the online names “Slavik” and “Lucky12345.”
Bogachev remains at large and has been added to the FBI's most-wanted list. The agency has engaged Russian authorities about Bogachev's whereabouts and possible arrest, said Deputy Attorney General James Cole.
“Bogachev is a true 21st-century criminal who commits cybercrimes across the globe with the stroke of a key,” Cole said.
The Justice Department's civil complaint also cited four hackers identified only by their online handles. A separate but related criminal case filed in Nebraska and unsealed on Monday named Bogachev and eight co-conspirators in Russia, Ukraine and the United Kingdom.
A related civil suit filed by the Justice Department in Pittsburgh seeks a temporary restraining order against Bogachev and four other Russian or Ukraine defendants. Among the victims of their Cryptolocker ransom scheme, the suit says, is an unidentified insurance company in Pittsburgh that lost an estimated $70,000 because critical business files were damaged in a November 2013 cyberattack and it had to send employees home while the computer system was repaired.
Secretly, since early 2012, the FBI has been monitoring Gameover Zeus attacks and alerting banks to avoid thefts, Mularski said. Attackers typically shut down the victim bank's online operations while making the illegal wire transfers, he said.
Banks have 24 hours to notice the thefts and recall the wired money. The FBI helped get back more than $20 million, Mularski said.
The FBI also worked to neutralize the attacks. It teamed up with two private cybersecurity companies — CrowdStrike, based in Irvine, Calif., and Dell SecureWorks in Atlanta — along with experts at Carnegie Mellon University and Georgia Institute of Technology.
The problem was “incredibly complex” because the hackers did not have a centralized control system and had multiple layers to their attack, said Dmitri Alperovitch, the co-founder and chief technology officer at CrowdStrike. The company sent a team to Pittsburgh to work with the FBI.
“This was really unprecedented in that we were working hand-in-hand in the same space,” Alperovitch said.
The government and private contractors began an operation to sever the infected computers from the criminal network and redirect them to a court-approved government server.
On May 7, Ukrainian authorities seized key Gameover Zeus command centers in the city of Donetsk, where fighting over Russian influence has been intense recently.
Beginning on Friday and continuing through the weekend, the FBI in Pittsburgh coordinated the seizure of computer in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine, Japan and the United Kingdom. Officials in Pittsburgh worked with Europol, the European Union's law enforcement agency, and its European Cybercrime Centre.
The raids freed more than 300,000 computers and dismantled the infrastructure for the two attacks, officials said.
Andrew Conte and Bobby Kerlik are staff writers for Trib Total Media.
Show commenting policy
TribLive commenting policy
You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.
We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.
While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.
We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers.
We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.
We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.
We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.
We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.
- Outbound 376 reopened after man on exit sign caused closure
- Harrison shines again as Pirates clip Reds, 2-1
- Consumer spending dips 0.1% in July as auto sales pull back
- Steelers claim former Cowboys cornerback Webb
- Secret judicial ruling blocks release of sexually explicit emails
- Veteran Keisel settles into role with Steelers
- Healthy PA expands number of recipients but cuts benefits
- High school roundup: Greensburg Salem shocks Gateway in opener
- Pitt’s obscure opener still matters
- Franklin Regional security guard fighting to get job back
- Pirates notebook: Lambo recalled to bolster bench