Euro Security Watch with Mathew J. Schwartz

Anti-Malware , Technology

Report: Russian Espionage Piggybacks on Cybercrime Circumstantial Evidence Ties Alleged Gameover Zeus Mastermind to Spies
Report: Russian Espionage Piggybacks on Cybercrime
Still at large: Alleged Russian hacker Evgeniy M. Bogachev.

Little is known about Evgeniy M. Bogachev, the alleged hacker and Gameover Zeus botnet mastermind who has a record-setting $3 million FBI cybercrime bounty on his head. There are clues, however, that he's been helping Russian intelligence agencies, according to a new report.

See Also: How to Scale Your Vendor Risk Management Program

That's hardly a shocking revelation. For years, I've heard from security researchers - including experts based in Russia - that there's a simple quid pro quo for Russian hackers: Don't attack Russia, and do help the state's security services by "moonlighting" on the QT if they come calling. Play along, and you'll be left to go about your hacking business, including carte blanche to steal funds from foreign banks (see Russian Cybercrime Rule No. 1: Don't Hack Russians).

Beyond allegedly enjoying running a banking Trojan botnet empire, Evgeniy M. Bogachev appears to like cats. Source: FBI

The FBI says Bogachev, 33, resides openly in Anapa, a Black Sea coast resort town in southern Russia. The bureau says Bogachev also owns luxury cars, often drives a Jeep Cherokee, enjoys boating - and apparently also cats. An FBI file photo of the alleged hacker shows him holding a Bengal cat while he wears leopard-skin pajamas.

But the price on Bogachev's head seems to reflect, in part, the paucity of what's known about the man, his purported tendency to avoid physical meetings or use his real name, as well as the FBI's ongoing inability to arrest him.

"He was very, very paranoid," J. Keith Mularski, an FBI supervisor in Pittsburgh whose investigation led to the indictment of Bogachev in 2014, tells The New York Times. "He didn't trust anybody."

Now, however, a New York Times report offers further insights into what Bogachev's relationship might be with Russian intelligence agencies, suggesting that the security services might have been piggybacking on banking malware to raid high-value PCs for intelligence.

Many of the tidbits contained in the report, however, are not exactly earth-shattering.

Apparent Family Man

Running an alleged, thriving banking Trojan empire, for example, was reportedly a busy, full-time job, with Bogachev complaining of exhaustion and "having too little time for his family," former hacker Aleksandr Panin told The New York Times.

Panin, a Russian national who's in a federal prison in Kentucky for wire fraud and bank fraud, was the chief developer behind the notorious SpyEye banking malware, and says he used to communicate with Bogachev online. "He mentioned a wife and two kids as far as I remember," Panin said.

Austin Berglas, who was an assistant special agent in charge of cyber investigations at the FBI's New York field office until 2015, told The New York Times that investigators had uncovered a possible connection between Bogachev and Russian intelligence. Berglas says the FBI - while spying on a computer used by Bogachev - saw him provide a copy of his passport to a suspected Russian intelligence agent, which could have indicated that the alleged hacker was being recruited or protected. But when it comes to definitively proving that there might have been any such relationship, "that was the closest we ever came," Berglas said.

Much of the other information presented in the new report also appears circumstantial, at best. For example, it cites Dutch cybersecurity firm Fox-IT as saying that beginning in 2011, PCs infected by Gameover Zeus began getting searched for files tied to ripped-from-the-headlines events. Ahead of Russia's military intervention in the Ukraine in 2014, according to Fox-IT, PCs infected by Bogachev's malware were used to seek out top-secret files form Ukraine's security service, the SBU, as well as to search for information about government security officials. Fox-IT couldn't be immediately reached for comment.

Such searches, however, could indicate that Russian intelligence agencies were using the cover of banking Trojans to raid government systems. Or the searches might reveal Bogachev and his associates, acting as mercenaries, having been given a laundry list of systems to infect and searches to run on PCs. Or the searches might simply be the work of cybercriminals seeking to find anything of value on infected PCs that they could offer to the highest bidder.

Of course, it's possible that the U.S. government knows more than it's revealing.

In December 2016, the Obama administration announced sanctions against Russia in retaliation for the Russian government's alleged attempt to interfere with the U.S. presidential election and singled out six individuals in particular. Obama, in a statement issued at the time, said two of the Russian individuals - one of whom was Bogachev - were being sanctioned by the secretary of the treasury "for using cyber-enabled means to cause misappropriation of funds and personal identifying information."

Gameover Zeus Days

Whether Bogachev is assisting Russian espionage agencies, he's already been indicted not once, but twice - first in August 2012 under the nickname "lucky12345," by a federal grand jury, and then under his true name in May 2014 on such charges as conspiracy, unauthorized computer access, wire and bank fraud, and money laundering.

The FBI tied Gameover Zeus to more than $100 million in losses and the theft of 30 terabytes of data, perpetrated with the help of malware that got installed on victims' PCs, which was designed to steal online bank account access credentials and related information. Some Gameover Zeus attacks also installed CryptoLocker ransomware as a coup de grace on infected computers, generating additional revenue for the gang.

The FBI launched a related investigation into the gang's activities in 2009. "While Bogachev knowingly acted in a role as an administrator, others involved in the scheme conspired to distribute spam and phishing emails, which contained links to compromised websites," according to the FBI. "Victims who visited these web sites were infected with the malware, which Bogachev and others utilized to steal money from the victims' bank accounts."

Investigators - including from Fox-IT, which shared its findings with the FBI - found that more than 50 cybercriminals, calling themselves the "Business Club," contributed to the Gameover Zeus operation, although it was led by just two individuals, including Bogachev (see Lessons from Gameover Zeus Takedown).

Cue the FBI's longstanding, "up to $3 million" bounty on the head of Bogachev - aka slavik, lucky12345, pollingsoon. Despite the bureau's Wild West move, however, the hacker remains at large, and his whereabouts apparently well known.

Disappearing Vacation Options

Bogachev has previously traveled abroad on Russian passports in the name of three different aliases, The New York Times reports. But if he's smart, he will have curtailed those activities, as alleged Russian hacking suspects traveling abroad have been arrested and extradited to the United States everywhere from Cyprus, the Czech Republic and Germany to Maldives, the Netherlands and Romania.

Unfortunately for Western law enforcement agencies, however, Russia doesn't extradite its citizens based on foreign indictments. So long as Bogachev sticks to his native country - and continues his alleged cooperation with Russian agencies - he seems likely to stay free.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network