Pittsburgh FBI agents help to nab Russian-based cybercrime schemes

Guy Wathen | Tribune-Review - U.S. Attorney for the Western District of Pennsylvania David J. Hickton, shown in this file photo from May 20, 2014, is in Washington with top Justice Department leaders to talk about the criminal and civil cases stemming from worldwide hacking schemes.

Federal officials released this map showing the locations of computer users in Pennsylvania who were victimized by the Russian malware Gameover Zeus on a single day in May 2013. The software sought to steal bank information to make illegal overseas wire transfers. In all, victims of the software attacks lost more than $100 million, according to a federal indictment unsealed on Monday.

Google Images - Federal officials said a worldwide hacking scheme that stole more than $100 million was orchestrated by Russian mastermind Evgeniy Mikhailovich Bogachev, who is identified as living in this apartment building in the Black Sea town of Anapa, Russia. This image is courtesy of Google Images, which is responsible for the blurred portions of the photo as part of its effort to protect individual privacy.

Victims of Cryptolocker received ransom messages that looked like this, asking them to pay money to have the lock removed from their files. Victims of the scam included 120,000 computer users across the country, such as a Massachusetts police department, a Pittsburgh insurance company and a Florida restaurant operator.


How to get help

Victims of the “Gameover Zeus” malware can go to a website created by the Department of Homeland Security: www.us-cert.gov/gameoverzeus. The malware for “Cryptolocker” has been shut down, but if your computer has been infected you will need to consult a computer service center expert.


By Andrew Conte and Bobby Kerlik
Monday, June 2, 2014, 10:51 a.m.
 

FBI cyber agents in Pittsburgh helped bring down two Russian-based cybercrime schemes that infected more than a half-million computers around the world and stole more than $100 million in the United States alone.

The Tribune-Review has learned how federal investigators here shut down the cyberattacks by teaming up with private cybersecurity companies and university experts to poison the hackers' computers. Then the agents formed an international coalition to shut down servers and search computers used by the cyberattackers. Even amid recent unrest in eastern Ukraine, officials there cooperated by conducting searches.

On Monday, U.S. Attorney David Hickton of the Western District of Pennsylvania announced that the scamming operations — “Gameover Zeus” and “Cryptolocker” — had been neutralized. Investigators have started alerting victims, many of whom do not know their computers were compromised.

The victims include Haysite Reinforced Plastics in Erie, which lost nearly $200,000; a Massachusetts police department that paid a $750 ransom in bitcoins to free up its computers; and banks across the nation, including one in Florida that lost $7 million in one day.

“The staggering dollar losses and destruction wrought by ‘Gameover Zeus’ and ‘Cryptolocker’ made it necessary for the United States to take action now using every possible legal tool,” Hickton said at a news conference with Justice Department officials in Washington.

Two weeks ago, Hickton appeared in Washington when federal charges were announced against five Chinese military hackers for allegedly stealing computer secrets of several Pittsburgh-area corporations and the United Steelworkers headquarters. The Trib revealed that hundreds of other U.S. companies not involved in that indictment have been hacked. The cyber investigation operations are unrelated, but both originated in Western Pennsylvania.

“We ran this all out of Pittsburgh,” said J. Keith Mularski, the FBI's supervisory special agent in charge of cyber crime. “We kind of put ourselves on the map, I guess.”

Gameover Zeus allowed hackers to trick victims into logging into bank websites to give up passwords and personal information, which the cyber thieves used to execute wire transfers from bank accounts before victims noticed. The FBI estimated 500,000 to 1 million computers worldwide are infected with the software, about a quarter of them in the United States. Illegal wire transfers often exceeded $1 million. With Cryptolocker, the software locked the victim's computer files and demanded a ransom to release them. Since emerging a year ago, the program has infected more than 230,000 computers — half in the United States — and collected more than $27 million in ransoms.

A criminal indictment from Western Pennsylvania charged Evgeniy Mikhailovich Bogachev with tricking an employee of Haysite Reinforced Plastics in Erie to download Gameover Zeus. Hackers then stole online banking credentials from three employees and wired $198,234 to a so-called “money mule” in Atlanta. That person transferred the stolen money to bank accounts in Great Britain.

A man who answered the phone at Haysite on Monday evening referred questions to a supervisor who could not be reached for comment.

Feds fight back

The FBI opened its investigation in 2011, led by two members of the Pittsburgh Field Office Cyber Squad: Elliott Peterson and Steve Lampo. They traced the attacks to the Russian Black Sea resort town of Anapa. The FBI identified Bogachev, 30, there as a Russian mastermind behind the attacks. He uses the online names “Slavik” and “Lucky12345.”

Bogachev remains at large and has been added to the FBI's most-wanted list. The agency has engaged Russian authorities about Bogachev's whereabouts and possible arrest, said Deputy Attorney General James Cole.

“Bogachev is a true 21st-century criminal who commits cybercrimes across the globe with the stroke of a key,” Cole said.

The Justice Department's civil complaint also cited four hackers identified only by their online handles. A separate but related criminal case filed in Nebraska and unsealed on Monday named Bogachev and eight co-conspirators in Russia, Ukraine and the United Kingdom.

A related civil suit filed by the Justice Department in Pittsburgh seeks a temporary restraining order against Bogachev and four other Russian or Ukrainian defendants. Among the victims of their Cryptolocker ransom scheme, the suit says, is an unidentified insurance company in Pittsburgh that lost an estimated $70,000 because critical business files were damaged in a November 2013 cyberattack and it had to send employees home while the computer system was repaired.

Secretly, since early 2012, the FBI has been monitoring Gameover Zeus attacks and alerting banks to avoid thefts, Mularski said. Attackers typically shut down the victim bank's online operations while making the illegal wire transfers, he said.

Banks have 24 hours to notice the thefts and recall the wired money. The FBI helped get back more than $20 million, Mularski said.

Teaming up

The FBI also worked to neutralize the attacks. It teamed up with two private cybersecurity companies — CrowdStrike, based in Irvine, Calif., and Dell SecureWorks in Atlanta — along with experts at Carnegie Mellon University and Georgia Institute of Technology.

The problem was “incredibly complex” because the hackers did not have a centralized control system and had multiple layers to their attack, said Dmitri Alperovitch, the co-founder and chief technology officer at CrowdStrike. The company sent a team to Pittsburgh to work with the FBI.

“This was really unprecedented in that we were working hand-in-hand in the same space,” Alperovitch said.

The government and private contractors began an operation to sever the infected computers from the criminal network and redirect them to a court-approved government server.

On May 7, Ukrainian authorities seized key Gameover Zeus command centers in the city of Donetsk, where fighting over Russian influence has been intense recently.

Beginning on Friday and continuing through the weekend, the FBI in Pittsburgh coordinated the seizure of computers in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine, Japan and the United Kingdom. Officials in Pittsburgh worked with Europol, the European Union's law enforcement agency, and its European Cybercrime Centre.

The raids freed more than 300,000 computers and dismantled the infrastructure for the two attacks, officials said.

Andrew Conte and Bobby Kerlik are staff writers for Trib Total Media.
