05
Aug 15

Inside the $100M ‘Business Club’ Crime Gang

New research into a notorious Eastern European organized cybercrime gang accused of stealing more than $100 million from banks and businesses worldwide provides an unprecedented, behind-the-scenes look at an exclusive “business club” that dabbled in cyber espionage and worked closely with phantom Chinese firms on Russia’s far eastern border.

In the summer of 2014, the U.S. Justice Department joined multiple international law enforcement agencies and security firms in taking down the Gameover ZeuS botnet, an ultra-sophisticated, global crime machine that infected upwards of a half-million PCs.

Thousands of freelance cybercrooks have used a commercially available form of the ZeuS banking malware for years to siphon funds from Western bank accounts and small businesses. Gameover ZeuS, on the other hand, was a closely-held, customized version secretly built by the ZeuS author himself (following a staged retirement) and wielded exclusively by a cadre of hackers that used the systems in countless online extortion attacks, spam and other illicit moneymaking schemes.

Last year’s takedown of the Gameover ZeuS botnet came just months after the FBI placed a $3 million bounty on the botnet malware’s alleged author — a Russian programmer named Evgeniy Mikhailovich Bogachev who used the hacker nickname “Slavik.” But despite those high-profile law enforcement actions, little has been shared about the day-to-day operations of this remarkably resourceful cybercrime gang.

That changed today with the release of a detailed report from Fox-IT, a security firm based in the Netherlands that secretly gained access to a server used by one of the group’s members. That server, which was rented for use in launching cyberattacks, included chat logs between and among the crime gang’s core leaders, and helped to shed light on the inner workings of this elite group.

The alleged ZeuS Trojan author, Yevgeniy Bogachev, Evgeniy Mikhaylovich Bogachev, a.k.a. "lucky12345", "slavik", "Pollingsoon". Source: FBI.gov "most wanted, cyber.

The alleged ZeuS Trojan author, Yevgeniy Bogachev, Evgeniy Mikhaylovich Bogachev, a.k.a. “lucky12345”, “slavik”, “Pollingsoon”. Source: FBI.gov “most wanted, cyber.

THE ‘BUSINESS CLUB’

The chat logs show that the crime gang referred to itself as the “Business Club,” and counted among its members a core group of a half-dozen people supported by a network of more than 50 individuals. In true Oceans 11 fashion, each Business Club member brought a cybercrime specialty to the table, including 24/7 tech support technicians, third-party suppliers of ancillary malicious software, as well as those engaged in recruiting “money mules” — unwitting or willing accomplices who could be trained or counted on to help launder stolen funds.

“To become a member of the business club there was typically an initial membership fee and also typically a profit sharing agreement,” Fox-IT wrote. “Note that the customer and core team relationship was entirely built on trust. As a result not every member would directly get full access, but it would take time until all the privileges of membership would become available.”

Michael Sandee, a principal security expert at Fox-IT and author of the report, said although Bogachev and several other key leaders of the group were apparently based in or around Krasnodar — a temperate area of Russia on the Black Sea — the crime gang had members that spanned most of Russia’s 11 time zones.

Geographic diversity allowed the group — which mainly worked regular 9-5 hour days Monday through Friday — to conduct their cyberheists against banks by following the rising sun across the globe — emptying accounts at Australia and Asian banks in the morning there, European banks in the afternoon, before handing the operations over to a part of the late afternoon team based in Eastern Europe that would attempt to siphon funds from banks that were just starting their business day in the United States.

“They would go along with the time zone, starting with banks in Australia, then continuing in Asia and following the business day wherever it was, ending the day with [attacks against banks in] the United States,” Sandee said.

Image: Timetemperature.com

Image: Timetemperature.com

Business Club members who had access to the GameOver ZeuS botnet’s panel for hijacking online banking transactions could use the panel to intercept security challenges thrown up by the victim’s bank — including one-time tokens and secret questions — as well as the victim’s response to those challenges. The gang dubbed its botnet interface “World Bank Center,” with a tagline beneath that read: “We are playing with your banks.”

The business end of the Business Club's peer-to-peer botnet, dubbed "World Bank Center."

The business end of the Business Club’s peer-to-peer botnet, dubbed “World Bank Center.” Image: Fox-IT

CHINESE BANKS, RUSSIAN BUSINESSES

Aside from their role in siphoning funds from Australian and Asian banks, Business Club members based in the far eastern regions of Russia also helped the gang cash out some of their most lucrative cyberheists, Fox-IT’s research suggests.

In April 2011, the FBI issued an alert warning that cyber thieves had stolen approximately $20 million in the year prior from small to mid-sized U.S. companies through a series of fraudulent wire transfers sent to Chinese economic and trade companies located on or near the country’s border with Russia.

In that alert, the FBI warned that the intended recipients of the fraudulent, high-dollar wires were companies based in the Heilongjiang province of China, and that these firms were registered in port cities located near the Russia-China border. The FBI said the companies all used the name of a Chinese port city in their names, such as Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Donging, and that the official name of the companies also included the words “economic and trade,” “trade,” and “LTD”. The FBI further advised that recipient entities usually held accounts with a the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.

Fox-IT said its access to the gang revealed documents that showed members of the group establishing phony trading and shipping companies in the Heilongjiang province — Raohe county and another in Suifenhe — two cities adjacent to a China-Russia border crossing just north of Vladivostok.

Remittance slips discovered by Fox-IT show records of wire transfers that the Business Club executed from hacked accounts in the United States and Europe to accounts tied to phony shipping companies in China on the border with Russia.

Remittance slips discovered by Fox-IT show records of wire transfers that the Business Club executed from hacked accounts in the United States and Europe to accounts tied to phony shipping companies in China on the border with Russia. Image: Fox-IT

Sandee said the area in and around Suifenhe began to develop several major projects for economic cooperation between China and Russia beginning in the first half of 2012. Indeed, this Slate story from 2009 describes Suifenhe as an economy driven by Russian shoppers on package tours, noting that there is a rapidly growing population of Russian expatriates living in the city.

“So it is not unlikely that peer-to-peer ZeuS associates would have made use of the positive economic climate and business friendly environment to open their businesses right there,” Fox-IT said in its report. “This shows that all around the world Free Trade Zones and other economic incentive areas are some of the key places where criminals can set up corporate accounts, as they are promoting business. And without too many problems, and with limited exposure, can receive large sums of money.”

Remittance found by Fox-IT from Wachovia Bank in New York to an tongue-in-cheek named Chinese front company in Suifenhe called "Muling Shuntong Trading."

Remittance found by Fox-IT from Wachovia Bank in New York to an tongue-in-cheek named Chinese front company in Suifenhe called “Muling Shuntong Trading.” Image: Fox-IT

KrebsOnSecurity publicized several exclusive stories about U.S.-based businesses robbed of millions of dollars from cyberheists that sent the stolen money in wires to Chinese firms, including $1.66M in Limbo After FBI Seizes Funds from Cyberheist, and $1.5 million Cyberheist Ruins Escrow Firm.

The red arrows indicate the border towns of  Raohe (top) and Suifenhe (below)

The red arrows indicate the border towns of Raohe (top) and Suifenhe (below). Image: Fox-IT

KEEPING TABS ON THE NEIGHBORS

The Business Club regularly divvied up the profits from its cyberheists, although Fox-IT said it lamentably doesn’t have insight into how exactly that process worked. However, Slavik — the architect of ZeuS and Gameover ZeuS — didn’t share his entire crime machine with the other Club members. According to Fox-IT, the malware writer converted part of the botnet that was previously used for cyberheists into a distributed espionage system that targeted specific information from computers in several neighboring nations, including Georgia, Turkey and Ukraine.

Beginning in late fall 2013 — about the time that conflict between Ukraine and Russia was just beginning to heat up — Slavik retooled a cyberheist botnet to serve as purely a spying machine, and began scouring infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents, Fox-IT found.

“All the keywords related to specific classified documents or Ukrainian intelligence agencies,” Fox-IT’s Sandee said. “In some cases, the actual email addresses of persons that were working at the agencies.”

Likewise, the keyword searches that Slavik used to scourt bot-infected systems in Turkey suggested the botmaster was searching for specific files from the Turkish Ministry of Foreign Affairs or the Turkish KOM – a specialized police unit. Sandee said it’s clear that Slavik was looking to intercept communications about the conflict in Syria on Turkey’s southern border — one that Russia has supported by reportedly shipping arms into the region.

“The keywords are around arms shipments and Russian mercenaries in Syria,” Sandee said. “Obviously, this is something Turkey would be interested in, and in this case it’s obvious that the Russians wanted to know what the Turkish know about these things.”

According to Sandee, Slavik kept this activity hidden from his fellow Business Club members, at least some of whom hailed from Ukraine.

“The espionage side of things was purely managed by Slavik himself,” Sandee said. “His co-workers might not have been happy about that. They would probably have been happy to work together on fraud, but if they would see the system they were working on was also being used for espionage against their own country, they might feel compelled to use that against him.”

Whether Slavik’s former co-workers would be able to collect a reward even if they did turn on their former boss is debatable. For one thing, he is probably untouchable as long as he remains in Russia. But someone like that almost certainly has protection higher up in the Russian government.

Indeed, Fox-IT’s report concludes it’s evident that Slavik was involved in more than just the crime ring around peer-to-peer ZeuS.

“We could speculate that due to this part of his work he had obtained a level of protection, and
was able to get away with certain crimes as long as they were not committed against Russia,” Sandee wrote. “This of course remains speculation, but perhaps it is one of the reasons why he has as yet not been apprehended.”

The Fox-IT report, available here (PDF), is the subject of a talk today at the Black Hat security conference in Las Vegas, presented by Fox-IT’s Sandee, Elliott Peterson of the FBI, and Tillmann Werner of Crowdstrike.

Are you fascinated by detailed stories about real-life organized cybercrime operations? If so, you’ll almost certainly enjoy reading my book, Spam Nation: The Inside Story of Organized Cybercrime – From Global Epidemic to Your Front Door.

Tags: , , , , , , , , ,

33 comments

  1. Great article as always! One point to correct though: there is no conflict between Ukraine and Russia. There is a civil war in Ukraine because east of country did not accept the coupe – illegal forceful change of power facilitated by Obama’s administration (admitted by Obama). Once we understand the root of the problem exactly as it was, we would be able to understand correctly many other things surrounding it.

    • A popular uprising against the thoroughly corrupt Yanukovich regime does not reflect a US-facilitated coup d’etat, and Russia has most certainly been the aggressor in supplying weapons and troops to the separatists in eastern Ukraine and Crimea, troll. Take your blather somewhere else (like Pravda).

      • I see you’re a big supporter of the ultra-transparent obama regime. Do you have to dig for your talking points, or do they feed you directly?

      • It is not a first time when americans do coups d’état in sovereign countries and cover them afterward as “people stand against communism” or “people stand against kleptocracy”. If you want to educate itself in used techniques of these coups you can google OPERATION PBSUCCESS.
        Ukraine always was corrupt and in contrary of popular beliefs selected methods (such as killing russian speaking citizens of Ukraine) won’t fix the corruption.

    • When I saw the street fighting the public brought against the “kleptocracy” he had going; I was dumbfounded to watch brave fighters literally crawling forward with no arms, and just junk to armor themselves against the then present regime. Now when you are that determined to throw the bums out – that says a LOT!!

      I couldn’t believe the bravery of the freedom fighters – I guarantee they would not fight for Obama that way – even our solders wouldn’t. They fight for freedom from crime, terrorists, and posers of illegitimate power.

  2. Crossover between cybercrime and surveillance by this one guy, Bogachev, is fascinating. Supports that oft-cited theory about Russian government tolerating former in order to harness the latter? Or is it a double-cross? Good character to add to the cast of my fantasy Spam Nation-inspired TV series.

  3. Krebs can you please link Fox-IT report and

    keep up the good work.

  4. Fantastic article, thank you.

  5. This is amazing reporting, Brian! You sure have pretty good contacts in the right places.

    Thanks for this!

  6. Great write-up Brian.

  7. It is an interesting read for sure.

    “…global crime machine that infected upwards of a half-million PCs.”

    How many of these machines were fully and completely up-to-date?

    From the report:
    “The result is that pages which are loaded by the
    browser, regardless of the source being an HTTP or
    HTTPS resource, can be modified prior to rendering
    by the browser.”

    It is truly fascinating to watch so many people (especially the browser makers) fall all over themselves in an effort to make everything HTTPS when it so clearly DOES NOT even matter. Yes, I would rather banks and various financials to be dealt with over HTTPS, but such a push to make every little thing across the web like that is ludicrous.

    …and I’m not even that deep into the report yet!

    • I for one, am glad that it has become much more difficult for criminals to sniff email packets – so, at the very least, I am glad the trend is to protect traffic such as that.

    • Well Mike https certainly doesn’t make it any worse so why not? As far as I’m aware the only people who have any kind of legitimate complaint regarding everything going encrypted (or ‘dark’, right?) would be the those in the intelligence community who would rather monitor clear text communications than to have to actually do some work and deal with encryption.

    • SSL stripping has been around since 2009 (if not earlier). It basically involves a man-in-the-middle attack with the user’s browser being circumvented from obtaining an SSL connection and stripped SSL pages being sent back from the hacker.

      If you should be on a secure link and your browser is only showing HTTP not HTTPS then you may be the victim of SSL stripping.

      • There is a place for HTTP and a place for HTTPS. Painting that broadly is not a good idea and is likely to create problems. Not everything in existence needs to be on a secure link. That’s not to mention that from a certain standpoint, there really is no such thing as a secure link. That’s kinda what all this is about in the first place.

        • Some things may not require a secure link but it is better to do so. It may just be a blog you’re reading, so you don’t have any credentials that could be sniffed etc, but using just http makes it trivial for an attacker to inject code into the pages you are viewing. This code could exploit vulnerabilities in the browser and give the attacker full access to your computer.
          Using https it would still be possible for code to be injected if sslstrip is used, but it would at least then be noticeable to the end user.

          • If it were only that simple.

            most advertising is done over the cloud. Things that are brought in from various CDN’s and other websites. A growing percentage of what you view with your browser is not even coming from the site you think you pulled up. Being HTTPS has nothing to do with anything. All it takes is to get into the network of a contractor or vendor or advertiser or outsourcer or partner and you then have all the access you need. It seems no one has learned anything from the whole Target experience.

      • And to be careful, HTTPS spoofing, was and has been around about as long as stripping.
        Also keylogging, and several other spoofing have been noticed in the VPN, and etc. Plus the av people are a day late and a dollar short. And etc, etc, etc…and why aren’t I watching some of the preshows about the black hats.

  8. eastern european

    we are people that help the humanity knowledge. Just drink vodka and smoke cigarrettes

  9. 100M? Congress probably steals that much every week from the taxpayers.

  10. There are – how many, three? – security conferences running in Las Vegas. Are you going to any of them Brian? And if you do go, are you going to write up any of the sessions for us?

  11. Very interesting article. Especially curious is the government connection where Slavik’s commercial botnet has been used for Russian government’s spying. He might have been buying immunity from prosecution by sharing/selling intel.

  12. @noname THERE is a war in Ukraine and Putin all started, I watched VICE reports from the frontline and talked to a few russians, they are all confident it’s all USA’s fault, but I can’t see any USA military forces in the Ukraine, just regular russian army and GRU special forces before. Brian I think you should read about those organized trolls

    http://www.telegraph.co.uk/news/worldnews/europe/russia/11656043/My-life-as-a-pro-Putin-propagandist-in-Russias-secret-troll-factory.html

    And don’t let them sneak comments like this from @noname on your blog, entire world has seen what Putin did and still does in Ukraine and I hope one day he will be charged for that.

  13. I was actually sailing with Eugene last month in the black sea. He sends his warmest regards. He will never be extradited. He is blackmailing Russian politicians to make sure that never happens.

    • Never is a long time. I wouldn’t want to be in that position, somehow I would expect the bribe amounts keep going up.

  14. What you are naive.

    • Americans are always looking for great big conspiracies of the criminal variety — yet they never see the much larger conspiracies and far less trickle-down forms of oligarchy that rule over, bully, and control them — while doing their best to strip what was could have become a multi-cultural extravaganza down to a country marginalising, to the point of almost criminalising, any sort of actual culture, vibrancy, or joy that doesn’t require materialism.

      It actually makes me feel bad.