“It is believed GOZ [GameOver Zeus] is responsible for more than one million computer infections, resulting in financial losses of more than $100 million.”
FBI ‘wanted poster’ for Mr Bogachev
According to the NYT, Dutch Intel Agencies have provided information to the US IC regarding the “Russian hacking” of the 2016 US election. On 29 December 2016, OFAC (the US Office of Foreign Assets Control ) has updated the ‘Specially Designated Nationals List’ to include four members of the GRU and two hackers ( Belan Aleksei and Evgeniy Bogachev).
Until now, it was not known what information the “Dutch Intel Agencies” could have provided to the US IC and why these two cyber-criminals were listed by the OFAC? The answers to these questions just surfaced in a Dutch newspaper. And by the way, this new information also sheds some light on the story of FSB Colonel Sergey Mikhailov. Follow us on Twitter: @INTEL_TODAY
The many puzzling pieces of the Russia Hacking Theory
In a very short period of time, we have witnessed an unusual series of events. The US has accused a Russian Intelligence Agency to conduct cyber-attacks related to the 2016 Presidential election, the Russian authorities have jailed most members of a hacker group known as ‘Shaltay Boltay’ and three FSB officers as well as one of their top cyber-security expert from Kaspersky Lab are accused of high treason.
Most media have assumed that these events are related. Surely, the timing of these events seems to indicate some link between them. But what is this link, if any? After all, the GRU is accused of the cyber-attacks, not the FSB.
According to a recent piece in the NYT, Dutch Intel Agencies have provided information to the US IC. [ThreatConnect has identified six of the eight addresses as originating from servers owned by King Servers in Dronten, the Netherlands.]
RELATED POST: Inside the Intrigue of ‘Russia’s Cyberattacks’
On 29 December 2016, OFAC (the US Office of Foreign Assets Control ) has updated the ‘Specially Designated Nationals List’ to include four members of the GRU and two hackers.
The four GRU individuals are the Head of the agency and three of his Deputy Chiefs.
The two hackers are:
BELAN, Aleksey Alekseyevich (a.k.a. Abyr Valgov; a.k.a. BELAN, Aleksei; a.k.a. BELAN, Aleksey Alexseyevich; a.k.a. BELAN, Alexsei; a.k.a. BELAN, Alexsey; a.k.a. “Abyrvaig”; a.k.a. “Abyrvalg”; a.k.a. “Anthony Anthony”; a.k.a. “Fedyunya”; a.k.a. “M4G”; a.k.a. “Mag”; a.k.a. “Mage”; a.k.a. “Magg”; a.k.a. “Moy.Yawik”; a.k.a. “Mrmagister”), 21 Karyakina St., Apartment 205, Krasnodar, Russia; DOB 27 Jun 1987; POB Riga, Latvia; nationality Latvia; Passport RU0313455106 (Russia); alt. Passport 0307609477 (Russia) (individual) [CYBER2].
BOGACHEV, Evgeniy Mikhaylovich (a.k.a. BOGACHEV, Evgeniy Mikhailovich; a.k.a. “Lastik”; a.k.a. “lucky12345”; a.k.a. “Monstr”; a.k.a. “Pollingsoon”; a.k.a. “Slavik”), Lermontova Str., 120-101, Anapa, Russia; DOB 28 Oct 1983 (individual) [CYBER2].
Aleksei Belan is on the FBI WANTED list since September 2012. Evgeniy Bogachev was indicted under the nickname “lucky12345” by a federal grand jury in the District of Nebraska on charges of Conspiracy to Participate in Racketeering Activity in August 2012.
At the time, there was no known reason to believe that these two individuals worked for the Russian State, let alone that they participated in the DNC alleged hacking.
RELATED POST: Intel Report Suspiciously Anachronistic
Evgeniy Bogachev: “The most wanted cyber criminal in the world”
The 33-year-old is thought to be the mastermind behind arguably the most sophisticated cybercrime network the world has ever seen.
At his height, Mr Bogachev had control of more than a million computers around the world and was responsible for creating a network of infected computers that he used to siphon millions of dollars from the bank accounts of unsuspecting people and foreign businesses.
The US government has bounty of $US3 million on his head for any information that leads to his capture.
In December, the Obama administration announced sanctions against Mr. Bogachev along with five others in response to a belief that Russia used cyber hacking to influence the outcome of the latest presidential election.
A joint Dutch Police – FBI – FSB Operation
Since 2009, FSB agents have been visiting the Netherlands, where they have also been meeting with officials of the FBI.
The cooperation with the FSB and FBI started in 2009 to apprehend cybercriminals. It is unique for Russians and Americans, who still meet in the Netherlands, to exchange information on this scale.
Their relationship has been tense since the annexation of Crimea by Russia. Due to the sensitivity of the meetings, the police rooms where they were held were turned inside out afterwards by sweeper teams checking for bugging devices.
The first criminal the Dutch police and the Russians tried to track down, was the Russian hacker Evgeniy Bogachev.
The end of ZeuS
The first case in which Dutch police and Russian FSB cooperated the ZeuS trojan horse malware.
Many of the criminals involved were known to use servers of the Dutch hosting company Leaseweb. The company offers relatively anonymous and cheap services as well as high-speed connections.
To communicate, these criminals often used the messenger service ICQ, which is still popular in Russia and Eastern Europe, despite the fact that it doesn’t use encryption.
In late 2008, the Dutch Police asked other countries for the ICQ numbers of known cyber criminals. Within 3 months, authorities from the US, Germany, Britain, the Ukraine and Russia provided a total of 436 ICQ numbers.
In January 2009, the public prosecutor and an examining judge approved the interception of communications associated with these numbers.
After collecting the messages associated with the 436 ICQ numbers and subsequently analysing them, it came out that one particular ICQ number acted as the leader of the cyber crime network. In one of the intercepted conversations this person even admitted to be the designer of the ZeuS malware.
The police gave him the codename “Umbro”, but he himself used aliases like Lucky12345, Monstr, Slavik, IOO, Pollingsoon, and Nu11.
De Volkskrant story doesn’t tell how the police found out the real identity of “Umbro” and it was only in 2014, under the international law enforcement Operation Tovar, that he was identified as Evgeniy Mikhailovich Bogachev, born October 28, 1983.
Already in 2013, investigators noticed that the ZeuS virus wasn’t just used for stealing money anymore, but also for finding out very specific information about government officials of Russia’s neighbors.
Dutch police and the FBI became convinced that “Umbro” (Bogachev) had started working for Russian intelligence too. [ELECTROSPACES]
US Sanctions & the arrest of FSB Sergei Mikhailov
The story explains why, after the hack of the Democratic National Committee (DNC) in 2016, the US government put Bogachev on a list of sanctioned individuals.
Bogachev has not been arrested, probably because he is useful for Russian intelligence operations.
FSB Colonel Sergei Mikhailov was the most important Russian contact for the Dutch police. Mikhailov was arrested in early December 2016. According to Russian press reports, Mikhailov and Kaspersky expert Ruslan Stojanov have leaked classified information to US intelligence.
RELATED POST: Inside the Intrigue of ‘Russia’s Cyberattacks’
The Russian hacker with a $4 million bounty on his head — News.com.au
A Shakeup in Russia’s Top Cybercrime Unit — KrebsonSecurity
The FSB Purge: Two Narratives — emptywheel
RELATED POST: WHO IS Shaltay-Boltay? Ruslan Stoyanov
RELATED POST: RUSSIA: FSB Shaken by a Major Reshuffle
RELATED POST: WHO IS Shaltay-Boltay? FSB Major Dmitry Dokuchaev
RELATED POST: WHO IS Shaltay-Boltay? FSB Colonel Sergey Mikhailov
RELATED POST: WHO IS Shaltay-Boltay? Alexander Glazastikov
RELATED POST: WHO IS Shaltay-Boltay? Irina Shevchenko (‘Alice’)
RELATED POST: WHO IS Shaltay-Boltay? Vladimir Anikeev (‘Lewis’)
Russian Hackers — Evgeniy Bogachev aka umbro aka Lucky12345