02
Oct 10

Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists

facebooktwittergoogle_plusredditpinterestlinkedinmail

Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million – out of an attempted $220 million — from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the FBI said Friday.

At a press briefing on “Operation Trident Breach,” FBI officials described the Ukrainian suspects as the “coders and exploiters” behind a series of online banking heists that have led to an increasing number of disputes and lawsuits between U.S. banks and the victim businesses that are usually left holding the bag.

The FBI said five individuals detained by the Security Service of Ukraine (SBU) on Sept. 30 were members of a gang responsible for creating specialized versions of the password-stealing ZeuS banking Trojan and deploying the malware in e-mails targeted at small to mid-sized businesses.

Investigators say the Ukrainian gang used the software to break into computers belonging to at least 390 U.S. companies, transferring victim funds to more than 3,500 so-called “money mules,” individuals in the United States willingly or unwittingly recruited to receive the cash and forward it overseas to the attackers. In connection with the investigation, some 50 SBU officials also executed eight search warrants in the eastern region of Ukraine this week.

Friday’s media briefing at the FBI Hoover building in Washington, D.C. was designed to give reporters a clearer view of the sophistication of an organized crime group whose handiwork had largely escaped broader national media attention until this week. On Wednesday, authorities in the United Kingdom charged 11 people there – all Eastern Europeans – with recruiting and managing money mules. Then on Thursday, officials in New York announced they had charged 92 and arrested 39 money mules, including dozens of Russians who allegedly acted as mules while visiting the United States on student visas.

According to sources familiar with the investigation, the arrests, charges and announcements were intended to be executed simultaneously, but U.K. authorities were forced to act early in response to intelligence that several key suspects under surveillance were planning to flee the country.

SBU officials could not be reached for comment. But FBI agents described the Ukrainian group as the brains behind the attacks. Gordon M. Snow, assistant director of the FBI’s Cyber Division, said the individuals detained by the SBU are thought to have worked with the developer of the ZeuS Trojan to order up custom-made components and versions of ZeuS.

For example, security researchers identified one ZeuS variant that was specific to the Ukrainians known as JabberZeuS because it alerted the gang via Jabber instant message whenever online banking credentials for customers of specific institutions were stolen.

Snow said this week’s law enforcement action was a particularly big deal because of the unprecedented level of cooperation from foreign governments, particularly Ukraine and the Netherlands.

“We worked with legal attachés in 75 countries, and we are very proud of the level of coordination that took place to get this done,” Snow said.

Pim Takkenberg, team leader for the Netherlands Police Agency’s High Tech Crime Unit, said his group played a “small but important role” in helping to identify the hackers by monitoring the miscreants’ use of Dutch infrastructure.

“We helped in connecting all the dots together,” Takkenberg said in a phone interview. “The Netherlands provide for a large portion of the critical internet infrastructure, of which we can monitor certain parts. When criminals are unaware of the fact that they use Dutch infrastructure, that gives us good investigative opportunities. In this particular case we had an interest of our own, since the ZeuS malware made a lot of Dutch victims as well.”

The FBI’s Snow said the investigation began in May 2009, when FBI agents in Omaha, Neb. were alerted to automated clearing house (ACH) batch payments to 46 separate bank accounts through the United States.

I will continue to follow this important story in the days ahead, particularly as more information about the Ukrainian suspects is made public. Stay tuned.

Tags: , , , , , ,

19 comments

  1. “We worked with legal attachés in 75 countries, and we are very proud of the level of coordination that took place to get this done,” Snow said.
    And so they should be – it must have been a logistical nightmare!
    Let’s hope we see lots more of this international cooperation going forward – it’ll make the world – not just the eworld – a much safer place.

  2. > officials in New York announced they had charged 92 and arrested 39 money mules

    Brian, could you tell me, please, where did these numbers come from? I thought they said they arrested 10 now and 10 earlier and charged 37 (and there where not only mules).

    [Sorry for my English]

    • Igor- Check the third graphic in this article. That was provided by the FBI on Friday.

      • Brian,

        Including the graphics was great. It looks like the FBI has been getting some good infographic tools & artists to aid their investigations and prosecutions before judges and juries.

        Any diagrams by sector of the 390 US companies? They were targeting SMB &
        small institutions per your reports a few months back but I would like to see the % when the data is available. Such data is helpful to local chambers of commerce to educate them on the threat.

        So too for diagrams of where the money is suspected to have went. The cash flows amoungst suspects & banks in the 75 countries cited would be highly insightful.

        It would be interesting if any was used to finance foreign/domestic terrorists, women & child slavery rings, or narcotic operations.

      • Yes, I’ve noticed it already, but I am not sure I understand it right. It says there were 92 individuals charged and 39 arrested in USA, and NY officials talked about 37 and 20. Maybe the difference (55 charged and 19 arrested) is just not related to NY?

        Well, anyway, that was a good job and great cooperation between US and Ukraine authorities. I would rather say – unexpected cooperation, if I’ve not read this:
        http://www.pcworld.com/article/190837/fbi_embeds_cyberinvestigators_in_ukraine_estonia.html

        • I may have the numbers wrong – but this is how I understand it… 37 were charged by the US Attorney’s Office + 36 were charged Manhattan district attorney’s office = 73 + the 19 from the UK = 92. Of those facing federal charges 20 were arrested and 17 remained at large as of Thursday. If you again add in the 19 from the UK to the 20 arrested in the US = 39… That’s the only way I can figure out the 92 charged and 39 arrested…

          Someone please correct me if I’ve misspoken as to how those numbers came to be.

          • It seems you wrong about “19 from the UK” part, at least. First and foremost, as the graphic says, 92 was charged in US alone. More than that, in the UK, there were *arrested* 20 (first reports said about 19), but 9 of them were not charged.

  3. It will be interesting to watch the ‘follow-through’ fr/ the Ukrainian govt. Malware is a plus, if an off-the-books plus, for the Ukrainian economy. It absorbs a portion of the highly trained technical demographic. It’s not in the nation’s economic interest to crack down. On the other hand, it is in their interest politically, to maintain friendly relations w/ the EU & US.

    Also, the distribution of victims demonstrates the ‘superior customer care’ of American banks.

    • I actually checked a while ago whether this is true. The official documents show that the Ukrainian economy isn’t well (as we all know). Still, the millions in malware money are much too small to play a role in the overall stream of incoming money. So Ukraine shouldn’t have a problem shutting these operations down – assuming that the authorities are not on the payroll of the criminals. Otherwise we might see some arrests but it won’t be the important people.

  4. Great graphics Brian! I just wished the FBI would use the word criminal instead of Hacker. Yes I know that is a pipe dream now; but all of us in IT are hackers!

    Even though it is too late to take the word back, I am compelled to correct its usage where ever I see it. Call me Don Quixote, I don’t mind!

  5. Awesome story, great reporting. Thanks.

    Dan

  6. hi, i’m new to this blog apologies if this has already been answered. i’m curious to know if the attacked online banking sites used multifactor authentication. pretty scary to think that these businesses lost millions of dollars that were only protected by a username/password.

  7. I don’t have too much hope for those Ukrainians getting any serious punishment. A little payment under $50K per head, and all of them will get suspended sentences – like in the RBS WorldPay case – http://www.bloomberg.com/news/2010-09-08/russian-hacker-pleshchuk-receives-suspended-sentence-fine-for-atm-scheme.html

  8. They thought that they were going to outsmart the authorities, but guess what they thought wrong !

  9. SBU have made an announcement today (at last): http://www.sbu.gov.ua/sbu/control/uk/publish/article?art_id=102542&cat_id=39574 (in Ukraine)

    But it seems there is nothing new in there.

  10. hackers is not a bad word, just the media got it wrong, the bad guys are crackers (cracked software, etc) and in the “olden days” they were phreakers.

  11. I have known for some time about blocks of bad IP addresses in the Netherlands that was beginning to make me wonder if the Dutch authorities were ever going to do anything about it. Well, I guess they have. Now that I have regenerated my Host 2 IP database I will see if there is a drop off in the Netherland IPs (there is more than Zeus there) of compromised servers and even PCs. I would have blocked the relevant IP addresses in my PAC filter but getting a fix on what was servers (can only block by name in the hosts file or black list in PAC filter by pattern) or PCs (block by IP) was fairly difficult:

    http://www.HostsFile.org/
    http://www.SecureMecca.com/

    You don’t throw the baby out with the bath water. I finally gave up on IP blocks for the Netherlands. I caution that it remains to be seen how many of the Zeus people this nabbed. There are quite a few other Zeus groups that have different patterns than the ones this group was using. But this was a big group if not the biggest group. This is the web site for the people spear-heading the effort to fight Zeus here:

    https://zeustracker.abuse.ch/

    If their map changes and the number of C and Cs drop then you will know how successful the effort was. Do not let that 43.26% detection rate fool you. When a new version of Zeus hits the street the detection frequently drops to zero and they perturb the binaries (change variable names, etcetera) sometimes multiple times per day to avoid detection. Actually, that goes for almost all of the malware out there right now, not just Zeus. So remain vigilant.