The criminals behind the GameOver ZeuS Botnet didn’t just steal $100 million from banks -- they also spied on several countries on behalf of Russia, according to a Black Hat presentation Wednesday by an FBI agent and two other security experts.
These countries included Ukraine, Turkey, Georgia, and OPEC members, according to FBI special agent Elliott Peterson.
The gang, which called itself Business Club, had two leaders, one of whom was Evgeniy Bogachev, who is still uncaught. The FBI is offering a $3 million reward for information leading to Bogachev’s arrest.
Two security companies -- CrowdStrike and Fox-IT -- helped in the investigation.
“We track the top 200 criminals in the world who are responsible for 80 percent of the 7-figure cyberfraud in the world,” said Fox-IT product director Eward Driehuis.
According to Driehuis, Bogachev has been on the company’s radar since 2006.
“We have analysts doing investigations and building trust relations with the criminals,” he said. “We invest a lot of time in order to get as close to them as we can.”
Investigators also try to surround the criminals with their own infrastructure, such as virtual private networks.
He declined to talk in more specifics about either the technology or the identities used by the investigators.
The Business Club criminal group was particularly secretive.
“This club was a highly, highly trusted environment and was very difficult to get into,” he said. “And the infrastructure was well protected and well obfuscated. They were keeping it as tight as possible.”
According to Peterson, the Business Club was composed of mostly Russians and Ukrainians, and partnered with more than 20 other groups who provided third-party services.
The first version of the Zeus botnet appeared in 2005 and was sold as a crimeware kit. A second version of Zeus came out in 2009, then was followed by Murofet and Licat in 2010 and finally the peer-to-peer GameOver Zeus in 2011.
The focus was on corporate banking, with additional attacks specific to affiliates. Individual operators often deployed other malware, such as CryptoLocker.
However, unusually for a financial botnet, the network was also used for espionage aimed at countries of political or economic interest to Russia, including Ukraine, Georgia, Turkey and the OPEC states.
In Georgia, a former Soviet republic located on the Black Sea, the group targeted intelligence agencies and other government agencies. Intelligence information was also the group’s focus in Ukraine, which became a target during the recent conflict with Russia.
Government agencies were also the target in Turkey, but the group also looked at information related to the conflict in Syria.
According to Michael Sandee, Fox-IT’s principal security expert, the Russian government may have allowed Bogachev to get away with his financial crimes because he was involved in espionage activities on its behalf.
“This of course remains speculation, but perhaps it is one of the reasons why he has as yet not been apprehended,” Sandee said in a detailed report about the Business Club’s methods and operations.