Did Russian hackers manage to steal tens of millions of dollars from Citigroup? While The Wall Street Journal reports that the FBI is investigating the alleged loss, the financial organization denies losing money in any such security breach. It may take a while to uncover the truth, but reports of the attack have cast yet another spotlight on the shadowy world of cybercrime. This report, adapted from a cover package by NEWSWEEK's Russian-language partner, Russky Newsweek, takes a closer look at those behind this global threat.
The assaults may seem to be political. In 2007, a cyberattack on Estonia, home of the popular Internet phone company Skype, paralyzed the country's entire government. Then, when the Russia-Georgia conflict flared in 2008, software suddenly became available to anyone wanting to wage their own personal cyberwar on the Georgian capital of Tbilisi. And later that year, Lithuania too became a cyber-victim when it vetoed negotiations between Russia and the European Union. Indeed, NATO takes the threat of cyber-warfare so seriously that it signed off on a special report on the topic during its parliamentary assembly last October. "Although there is no conclusive evidence that the cyberattacks in Georgia were executed or sanctioned by the Russian government," the NATO report notes, "there is no evidence that it tried to stop them, either."
Russian lawmaker Nikolai Kovalyov angrily dismisses these allegations as propaganda from the Cold-War era. "The report does not contain a single piece of evidence of the mythical Russian cyberthreat or a Russian trail from the cross-border cyberattacks," he says. Still, NATO has little doubt that—official or no—the attacks have a common Russian thread: the Russian Business Network (RBN), a shadowy cyberstructure that is reported to have sold hacking tools and software for accessing U.S. government systems. According to the NATO investigators, however, political subversion is little more than a sideline for these hackers. Their real goal: stealing money through scams, spam, and infiltrating the networks of Western banks.
Reportedly started by someone operating under the name "Flyman," RBN is known as the mother of cybercrime among online investigators. François Paget, senior expert for the McAfee company, says that RBN began as an Internet provider and offered "impenetrable" hosting for $600 a month. This meant a guarantee that it would not give out information about its clients, no matter what business they were in. Aleksandr Gostev, director of Kaspersky Labs, a global research and threat analysis center, believes that RBN's servers are located in Panama. "Confidential data about clients can be obtained only by a court decision," a Newsweek source familiar with the situation says. "But what court do you apply to if criminal ties are discovered? A Panamanian court?"
Paget says that RBN was once known as the most active criminal group in the virtual world. Crime researchers are uncertain as to whether RBN itself was a real organization or whether it just offered a virtual home to cybergangs. According to one study, the network comprised 406 addresses and 2090 domain names by the end of 2007. That same year, the group—hounded both by Russian and American law-enforcement agencies—seemed to disappear. That, however, may have been an illusion. RBN may have vanished, but the host organization gave birth to multiple evil offspring operated by Russian expats and deployed on servers in China, Turkey, Ukraine, and the United States. "The world got about 10 RBNs," says Gostev.
The original RBN was behind the cyberattack on Estonia, Paget says, and, according to a study by the U.S. Cyber Consequences Unit (US-CCU), one of its successors was behind the virtual assault on Georgia. RBN's real money, though, is believed to come from sources that include spam, child porn, online casinos, and phishing scams that steal bank passwords and card numbers. One of RBN's most prosperous businesses is Internet pharmacies, with the international organization Spamhaus naming Canadian Pharmacy as the main propagator of criminal cyberschemes. Sources in the market say that this is a drug-selling network comprising several dozen virtual pharmacies making sales, mostly to the U.S. The name of the main Web site to which the pharmacies relay their orders, glavmed.com, is distinctly Russian; the illegally copied medications are said to be made in India. Those who order from these sites are likely to have their e-mail addresses harvested and sold to spammers, who then inundate them with offers for everything from pharmaceuticals to porn. According to Dmitry Golubov, who describes himself as the leader of the Internet Party of Ukraine, a group of 20 to 25 people account for 70 percent of the world's spam. "A database of active e-mails costs money," says Golubov. "For example, a million addresses of purchasers of access to porn resources costs $25,000 to $30,000."
Golubov prefers not to discuss his own Internet profits, although he too is said to have been part of RBN. The McAfee company calls him the No. 1 carder—hackers who steal from bank cards—in the world. In a conversation with Russky Newsweek, however, Dmitry Golubov denied everything. "On September 29, 2009, the Solomensky District court in Kiev dropped the criminal case against me for lack of corpus delicti," he says, adding that he is not aware that he is in trouble with the law outside Ukraine.
Like the original RBN, many of its spinoffs are under scrutiny. The hosting company McColo, registered in California, was pushed offline following a petition by the U.S. Federal Trade Commission (FTC) citing it for spam and for what are known as distributed denial-of-service attacks. (The company's founder, racer Nikolai McColo, was killed when he crashed into a metal pillar during one of his high-speed nighttime drives in Moscow in 2007.) Another RBN affiliate, the company Atrivo, had its license revoked and was disconnected from the Internet on charges of disseminating porn and viruses and of stealing information. EstDomains, an Estonian subsidiary of the "mother of cyberterrorism," suffered a similar disconnect at the FTC's initiative, at the same time that the host 3FN, a Russian-language service created by a native of Latvia, was forced out of operation. And last January the company Ukrtelegrup, another mainstay of cybercrime, was shut down. It had been accused of creating a program that made it possible to steal users' personal information, including financial data.
The hacker community, however, doesn't believe that RBN is dead. "RBN's cause is alive even now," one authoritative member insists. Certainly, the cause counts for more than the location. After the attack on Estonia, Russian lawmaker Kovalyov noted angrily that 60 percent of the disruptive traffic came from the United States and 30 percent from China. Only 10 percent came from Russia, he said. That Estonia was attacked primarily from American territory hardly means that the culprits were on American soil. In effect, hackers can operate from virtually anywhere in the world. By infecting machines with malware, hackers assemble "botnets" of zombie PCs in foreign countries and use them to send out spam or, say, launch a cyberattack. In other words, unsuspecting users become the apparent source of the malicious traffic, while the operators issuing the commands sit elsewhere entirely, and physical distance no longer offers any protection against crime or political subversion.