July 18, 2016

Among the more plunderous cybercrime gangs is a group known as “Carbanak,” Eastern European hackers blamed for stealing more than a billion dollars from banks. Today we’ll examine some compelling clues that point to a connection between the Carbanak gang’s staging grounds and a Russian security firm that claims to work with some of the world’s largest brands in cybersecurity.

The Carbanak gang derives its name from the banking malware used in countless high-dollar cyberheists. The gang is perhaps best known for hacking directly into bank networks using poisoned Microsoft Office files, and then using that access to force bank ATMs into dispensing cash. Russian security firm Kaspersky Lab estimates that the Carbanak Gang has likely stolen upwards of USD $1 billion — but mostly from Russian banks.

Image: Kaspersky

Image: Kaspersky

I recently heard from security researcher Ron Guilmette, an anti-spam crusader whose sleuthing has been featured on several occasions on this site and in the blog I wrote for The Washington Post. Guilmette said he’d found some interesting commonalities in the original Web site registration records for a slew of sites that all have been previously responsible for pushing malware known to be used by the Carbanak gang.

For example, the domains “weekend-service[dot]com” “coral-trevel[dot]com” and “freemsk-dns[dot]com” all were documented by multiple security firms as distribution hubs for Carbanak crimeware. Historic registration or “WHOIS” records maintained by Domaintools.com for all three domains contain the same phone and fax numbers for what appears to be a Xicheng Co. in China — 1066569215 and 1066549216, each preceded by either a +86 (China’s country code) or +01 (USA). Each domain record also includes the same contact address: “williamdanielsen@yahoo.com“.

According to data gathered by ThreatConnect, a threat intelligence provider [full disclosure: ThreatConnect is an advertiser on this blog], at least 484 domains were registered to the williamdanielsen@yahoo.com address or to one of 26 other email addresses that listed the same phone numbers and Chinese company.  “At least 304 of these domains have been associated with a malware plugin [that] has previously been attributed to Carbanak activity,” ThreatConnect told KrebsOnSecurity.

Going back to those two phone numbers, 1066569215 and 1066549216; at first glance they appear to be sequential, but closer inspection reveals they differ slightly in the middle. Among the very few domains registered to those Chinese phone numbers that haven’t been seen launching malware is a Web site called “cubehost[dot]biz,” which according to records was registered in Sept. 2013 to a 28-year-old Artem Tveritinov of Perm, Russia.

Cubehost[dot]biz is a dormant site, but it appears to be the sister property to a Russian security firm called Infocube (also spelled “Infokube”). The InfoKube web site — infokube.ru — is also registered to Mr. Tveritinov of Perm, Russia; there are dozens of records in the WHOIS history for infokube.ru, but only the oldest, original record from 2011 contains the email address atveritinov@gmail.com. 

That same email address was used to register a four-year-old profile account at the popular Russian social networking site Vkontakte for Artyom “LioN” Tveritinov from Perm, Russia. The “LioN” bit is an apparent reference to an Infokube anti-virus product by the same name.

Mr. Tveritinov is quoted as “the CEO of InfoKub” in a press release from FalconGaze, a Moscow-based data security firm that partnered with the InfoKube to implement “data protection and employee monitoring” at a Russian commercial research institute. InfoKube’s own press releases say the company also has been hired to develop “a system to protect information from unauthorized access” undertaken for the City of Perm, Russia, and for consulting projects relating to “information security” undertaken for and with the State Ministry of Interior of Russia.

The company’s Web site claims that InfoKube partners with a variety of established security firms — including Symantec and Kaspersky. The latter confirmed InfoKube was “a very minor partner” of Kaspersky’s, mostly involved in systems integration. Zyxel, another partner listed on InfoKube’s partners page, said it had no partners named InfoKube. Slovakia-based security firm ESET said “Infokube is not and has never been a partner of ESET in Russia.”

Presented with Guilmette’s findings, I was keen to ask Mr. Tveritinov how the phone and fax numbers for a Chinese entity whose phone number has become synonymous with cybercrime came to be copied verbatim into Cubehost’s Web site registration records. I sent requests for comment to Mr. Tveritinov via email and through his Vkontakte page.

Initially, I received a friendly reply from Mr. Tveritinov via email expressing curiosity about my inquiry, and asking how I’d discovered his email address. In the midst of composing a more detailed follow-up reply, I noticed that the Vkontakte social networking profile that Tveritinov had maintained regularly since April 2012 was being permanently deleted before my eyes. Tveritinov’s profile page and photos actually disappeared from the screen I had up on one monitor as I was in the process of composing an email to him in the other.

Not long after Tveritinov’s Vkontakte page was deleted, I heard from him via email. Ignoring my question about the sudden disappearance of his social media account, Tveritinov said he never registered cubehost.biz and that his personal information was stolen and used in the registration records for cubehost.biz.

“Our company never did anything illegal, and conducts all activities according to the laws of Russian Federation,” Tveritinov said in an email. “Also, it’s quite stupid to use our own personal data to register domains to be used for crimes, as [we are] specialists in the information security field.”

Turns out, InfoKube/Cubehost also runs an entire swath of Internet addresses managed by Petersburg Internet Network (PIN) Ltd., an ISP in Saint Petersburg, Russia that has a less-than-stellar reputation for online badness.

For example, many of the aforementioned domain names that security firms have conclusively tied to Carbanak distribution (e.g., freemsk-dns[dot].com) are hosted in Internet address space assigned to Cubehost. A search of the RIPE registration records for the block of addresses at 146.185.239.0/24 turns up a physical address in Ras al Khaimah, an emirate of the United Arab Emirates (UAE) that has sought to build a reputation as a tax shelter and a place where it is easy to create completely anonymous offshore companies. The same listing says abuse complaints about Internet addresses in that address block should be sent to “info@cubehost.biz.”

This PIN hosting provider in St. Petersburg has achieved a degree of notoriety in its own right and is probably worthy of additional scrutiny given its reputation as a haven for all kinds of online ne’er-do-wells. In fact, Doug Madory, director of Internet analysis at Internet performance management firm Dyn, has referred to the company as “…perhaps the leading contender for being named the Mos Eisley of the Internet” (a clever reference to the spaceport full of alien outlaws in the 1977 movie Star Wars).

Madory explained that PIN’s hard-won bad reputation stems from the ISP’s documented propensity for absconding with huge chunks of Internet address blocks that don’t actually belong to it, and then re-leasing that purloined Internet address space to spammers and other Internet miscreants.

For his part, Guilmette points to a decade’s worth of other nefarious activity going on at the Internet address space apparently assigned to Tveritinov and his company. For example, in 2013 Microsoft seized a bunch of domains parked there that were used as controllers for Citadel online banking malware, and all of those domains had the same “Xicheng Co.” data in their WHOIS records.  A Sept. 2011 report on the security blog dynamoo.com notes several domains with that Xicheng Co. WHOIS information showing up in online banking heists powered by the Sinowal banking Trojan way back in 2006.

“If Mr. Tveritinov, has either knowledge of, or direct involvement in even a fraction of the criminal goings-on within his address block, then the possibility that he may perhaps also have a role in other and additional criminal enterprises… including perhaps even the Carbanak cyber banking heists… becomes all the more plausible and probable,” Guilmette said.

It remains unclear to what extent the Carbanak gang is still active. Last month, authorities in Russia arrested 50 people allegedly tied to the organized cybercrime group, whose members reportedly hail from Russia, China, Ukraine and other parts of Europe. The action was billed as the biggest ever crackdown on financial hackers in Russia.


36 thoughts on “Carbanak Gang Tied to Russian Security Firm?

  1. Jim

    “allegedlyl” tiptoed past the spell checker in the last paragraph.

  2. Janitor

    Great job, Brian and Guilmette. Kaspersky’s is everywhere – partenering the fraudsters while investigating behind the stage. =)

    Is there a link between PIN and RBN?

  3. Mike

    Thanks Brian.

    Now that we know these website addresses, these things can be easily filtered out and I wont have to be bothered with any of it again. I can move on with a sense of peace. It’s just a shame that more people wont do that. Most people don’t seem to care about doing anything more than updating (which is not going to filter these things out at all).

  4. Bob

    Cubehost also was the hoster responsible for cryptolocker infrastructure which is the same group as zeusp2p/gameover.

    Mr. Tveritinov has been very busy and now is wealthy ‘business’ man.

  5. Jim

    So, I wonder if the Taiwanese got good photos of that last heist. And how the Russians play into this group. And this hack is for all machines, or just a version of the machines. The initial article mentioned one version of ATM, now, I guess there has to be a way to separate the bank from the email, so one cannot influence the other.

  6. Richard Bartel

    I am a gumshoe investigator who goes beyond the forensics and tracks down the individual and “corporate” operators by following the money and utilizing honeypots and business sandboxes.

    I am thankful for Mr Krebs’ tenacious reporting and hard work. His disclosures generally provide reactions which become clues which help map criminal enterprises.

    I’m in northern Virginia as well and enjoy the challenge. What is new are governmental proxies and unnecessarily intrusive and ulterior motive surveillance which is becoming so pervasive as to become ineffectual. Michael Hayden suggests that the counterbalance must be real end to end encryption, which I believe will focus resources on the real threats and look at actual actors and their specific behaviors.

  7. Jim

    This is simply fascinating. The description of the disappearing pictures sounds like a Jason Bourne movie.

    There’s plenty of opportunity for criminals to use the Internet for their pursuits, however, with investigations like this, they will certainly think twice or devise more foolproof methods to conceal their identity.

    This is humorous too: “Our company never did anything illegal, and conducts all activities according to the laws of Russian Federation.” “Anything illegal” and “laws of the Russian Federation” all in the same sentence.

    1. Mike

      I thought the same thing, about bits disappearing, until I remembered that there is javascript for automatic page refresh checks. That made the whole mental image less interesting.

  8. Jim again

    Source of your graphic for this article: Image: Kaspersky

  9. Mahhn

    I am watching to see how quickly Kaspersky cuts ties with InfoKube. Their business is riding on it.

  10. JW

    Was the Kaspersky image used on purpose? Inquiring minds needs to know…..:)
    JW

  11. CG

    It does beg the question……how deep does the rabbit hole really go?

  12. IA Eng

    Ahhh the ties to past and future lies.

    If he claims his past was stolen, but was able to easily navigate to the location and delete any data there. It means he had to know the URL, the username and password, no ?

    Is he an insider threat? A plant from some other organization siphoning money which was stolen and giving it back to the parties who lost it?

    Looks like Brian gave him plenty of bait, and you know the ones which stink because the crook swallowed them without thinking.

  13. Caligula

    I certianly hope Mr. Krebs took some archive snapshots of Mr. Tveritinov’s social media page. It would be a shame if all that information was unavailable.

  14. kurt wismer

    not only did mcafee never cut ties with hbgary when hbgary was revealed to be writing/selling governmental malware, no other AV vendor ever called them out about it.

    as such, i have my doubts whether any organization (AV or not) currently partnering with infokube will bother cutting ties with them. the accountability one would expect just isn’t there.

  15. Ron G

    The thing that sets professional journalists (like Brian) apart from the dime-a-dozen hack bloggers who are on the Internet these days is that if a pro is going to accuse sombody of something “in print” then the pro will make contact with the guy first and give him a chance to respond, and/or to “set the record straight”. Brian did that, of course, in this case, and not only did the guy fail to even respond to Brian’s questions, but he promptly “disappeared” himself from social media. Could anything possibly be more confirming?

    And, also, BTW, yes… over time, there definitely HAS been a whole raft of very Bad Stuff operating out of that 146.185.239.0/24 block.

    So, now the sixty four thousand dollar question is: Given that Carbanak stole from *Russian* banks, is the FSB going to be having a little chat with Mr. Tveritinov? Or is he protected from on high? And will we ever even know, one way or the other? (As Brian told me privately, the Russians haven’t released the names of ANY of the supposedly fifty cybercriminals that they supposedly arrested back on June 1. That’s not exactly my definition of “transparency”.)

  16. JTK

    Headline: “Carbanak Gang Tied to Russian Security Firm?”

    Two “Russian security firms” mentioned in the article:
    1. “Russian security firm Kaspersky Lab…”
    2. “Russian security firm … Infocube”

    The lack of clarity regarding to which firm the headline was referring makes me wonder if I should be changing my security suite recommendations to clients…

    1. BrianKrebs Post author

      Sorry, but if you can’t read past the headline and the first paragraph, this article isn’t for you. Don’t you think that if I was saying Kaspersky was tied to Carbanak that the headline would name the company?

      1. SeymourB

        Probably just did a find for “security firm”.

        Actual reading is a lost art.

    2. Mahhn

      Seeing how KL has helped against these malware crims I strongly doubt they have any kind of involvement. Not to mention they make more money than the crims running an anti-crim company. Still, I want to see them cut ties even letting the suspect child company deploy their product.

  17. Ron G

    Here is a short but helpful clarification regarding the Emirate of Ras al Khaimah, one of the emirates comprising the United Arab Emirates, for the benefit of those of you who, like me, didn’t know a bloody thing about it until now:

    http://bit.ly/29JToUm

    “…the Cayman Islands of the Gulf…”

  18. Throwaway Name

    Krebs, you write great articles and are a smart guy, and this is an excellent blog about a rather technical subject.

    So why do you think so many of your commenters seem like totally morons? You seem to attract a certain breed of survivalist luddite pensioners. You’d think they found your blog while googling for help using their printer or something.

    1. Darron Wyke

      Because in IT, you get all kinds. You get plenty of sharp people, but you also get those that parrot ‘good ideas’ and think they’re God’s gift to IT.

  19. niki

    Hi, if it was possible to track someone using WHOIS will be great, but the world we live in is much worse than that. Sounds good when someone appears to make mistakes in the distance past, but it’s almost impossible in this case.
    Most likely…
    1.This guy has involved himself in some activity, but the results are light years behind the 1 billion you are dreaming about.
    1.1.He may hacked some companies giving them the idea to become his clients, but we are still missing 1 billion…
    1.2.He may be not that good (can’t write a good virus himself-less likely) and have payed for the payloads in some forums and used them for this “hacking” purpose…but obviously he can’t be the only one, and that’s where the 1 billion goes…(if these calculations are correct at all).
    2.About the domains? the only reason for similar whois information in creating such domains/hostings/ is that you have ordered it in forums. The guy takes the order and installs the server page or control panel into the domain. This process is not done by most clients by themselfs. And when you want to spend some time you auto paste the intel into forms, creating great mix of “investigation information” on over 1000 domains, used by many different clients. This is actually funny if you look from these guys’s perspective.
    3.well the cubehost – this should be the mistake in the past. That one test order for some product bought over the forums. Used for short time, reused legally and forgotten.
    4.Still it’s not the end of the world. Anyone can use his data to register a domain.
    5.People who use social networks with their real personal data are making mistakes obviously.

  20. Wknight

    I wonder if these firms are linked to RBN & is this person Mr. Tveritinov is actually the chap “Flyman” who owned RBN as is alleged to be the nephew of a Russian politican. Interesting.

  21. Pete

    Brilliant investigating and reporting (as usual), Brian. Thanks!

  22. Teh Fools

    Oh them fools from the SWIFT development center, if only they have protected those DLL libraries with tools like PELock or similar, those hackers would have a hard day trying to patch it 😉

  23. goy

    This criminals get orders from rotchilds who based city of london! I think its obvous

  24. Zen

    Here is address of that person : 614000, Пермский край, г. Пермь, ул. Советская, д. 104-503,

    nfobroker.ru/organisations/283722.pdf

    It is really strange that person playing big crime games and know about IT Security , dropping so many traces online and live so public life. Also, if he directly involved into such big money stealing scheme, why he is live as average person, not like mr. Ponch ( Krebs investigation also ). I’m thinking that there is some misleading information in the process of investigation.

    1. 56

      not his address. this is shell office address, probably nothing in there.

  25. Hillarys Server

    This is how the Taiwanese police did an amazing job at busting the russian ATM heist ring. A key player in this breakthrough were a couple of Taiwanese that saw suspicious activity and followed the foreigners wearing face masks back to their car and wrote down the license plate number. Then using their robust public CCTV camera system, police tracked 6 sets of criminals throughout Taiwan.

    http://www.scmp.com/news/china/money-wealth/article/1999019/how-taiwanese-police-cracked-nt83-million-atm-heist

Comments are closed.