The list of computer crimes that have been linked back to various Russian hackers features some of the most infamous attacks of the last 10 years.
In October 2000, a sustained break-in of Microsoft's highest-security networks was traced back to an IP address in St. Petersburg. In January of that same year, an unidentified Russian hacker calling himself Maxus stole more than 300,000 credit card numbers from CD Universe in an extortion bid, but was never caught. Vladimir Levin, a young Russian mathematician, illegally transferred $12 million from Citibank's computers in the mid-1990s, a crime that eventually led to his three-year prison sentence in Florida starting in 1999.
All of these crimes, however, pale in comparison to the sheer size and scope of a hacking and extortion web that was so large that the FBI took the unusual step of warning the public about it in a March 2001 press release before its investigation was finished. In the release, the bureau cited the ongoing danger from several organized hacker groups from Eastern Europe, specifically Russia and Ukraine, who were responsible for stealing more than 1 million credit card numbers and attacking the networks of over 40 businesses in 20 U.S. states.
The announcement was met with the usual fatalism from security experts like Clint Kreitner, CEO of the Center for Internet Security, who believes there is "simply no way to stop the hacking epidemic." The FBI begs to differ.
In fact, the FBI has had custody of two prize suspects in the case, a pair of young and allegedly very criminal-minded hackers from the city of Chelyabinsk, since Nov. 10.
In a grand indictment released to the public in Seattle this week, the FBI and the District Attorney's Office of the district of Western Washington outlined how Alexei Ivanov, 20, and Vasily Gorshkov, 25, spent two years victimizing American businesses, only to be lured to their arrest in Seattle by an unprecedented FBI undercover sting operation.
The indictment names Gorshkov and Ivanov as suspects in 20 counts of computer-related theft, extortion and fraud, part of a shockingly mercenary two-year assault on American businesses, banks and even school districts. The documents allege that the two men stole tens of thousands of credit card numbers and other sensitive files from vendors ranging from PayPal, the world's largest online payment company, to the Central National Bank of Waco, Texas.
Their medium may have been high-tech, but Gorshkov and Ivanov's alleged method of choice was decidedly old-school: extortion. Whenever they broke into a network, they would copy sensitive data and then contact the network administrators, demanding anywhere from $15,000 to $100,000 to act as "security consultants" who would protect the network against other hackers and prevent the sensitive information from being published on the web. If the answer was no, their letters would get more and more threatening. On at least one occasion, the duo were hired on as consultants at an unnamed e-commerce company they had hacked into, but they went ahead and published the credit card numbers anyway.
"These are unsavory characters, no question about it," says Kreitner, whose Center for Internet Security was contacted by the FBI to help coordinate a patch that businesses could use to fix the particular security vulnerabilities that Gorshkov and Ivanov were exploiting. "These crimes are the cyber-version of how the mob used to extort money from mom and pop stores."
If that's the case, then the operation to catch the two Chelyabinsk natives would have made Eliot Ness proud. According to the indictment, the FBI had known for some time that Ivanov was linked to assorted acts of hacking and extortion. But without jurisdiction in Russia or reliable extradition policies, the FBI had very little hope of reaching Ivanov as long as he remained nestled safely in the southern Urals. The task was to lure him to the United States.
Last June, the FBI established a bogus computer security firm that they named, fittingly enough, Invita. They leased office space in downtown Seattle and immediately called Ivanov in Russia about possible employment as a hacker.
FBI affidavits filed as part of the indictment claim that Ivanov told Invita about his group of hackers in halting English, boasting that when the hackers come across a vulnerable network, "they can fix it, and they can broke it." Ivanov then offered to "broke" Invita's network to demonstrate his hacking prowess. He succeeded in hacking the system, and Invita invited Ivanov and his partner Gorshkov to Seattle to discuss employment.
On Nov. 10, Gorshkov and Ivanov flew to Seattle and went directly to a two-hour "job interview" with undercover FBI agents who were posing as Invita staff. The Russians were asked to further demonstrate their hacking skills on an IBM Thinkpad provided by the agents. The hackers happily complied and communicated with their home server back in Chelyabinsk, unaware that the laptop they were using was running a "sniffer" program that recorded their every keystroke.
The FBI agents' descriptions of the meeting portray Ivanov and Gorshkov as not only blissfully ignorant of their impending arrest, but also somewhat cocky about their hacking skills. At one point in the meeting, as Gorshkov glibly detailed how he and Ivanov extorted money from a U.S. Internet service provider after hacking into its servers, he told the room of undercover agents that "the FBI could not get them in Russia."
A few hours later, Gorshkov and Ivanov both sat in custody at the FBI's Seattle office while agents busily downloaded incriminating files from their Chelyabinsk servers, using the user names and passwords recorded earlier by the FBI's sniffer program. In all, according to court documents, the FBI downloaded and archived more than 1.5 gigabytes of incriminating files and scripts, so much material that court documents estimated it could take up to 1 million pages to print the files out.
In an interview from his offices on the 51st floor of a downtown Seattle skyscraper, Assistant District Attorney Stephen Schroeder, who was trained specifically to prosecute computer crime cases, admitted that despite the apparent success of the sting, "it's not a technique we'll be able to use very often."
After all, wire reports and articles about the indictment are proliferating on Russian news web sites, and the message board at www.xakep.ru, the web site for Russia's Khaker Magazine, was filled with recriminations and warnings similar to this message posted by one anonymous user: "Watch out Russian hackers! You see what kind of low-life tactics the Americans are capable of, so work more carefully!"
So while it's unlikely that other veteran hackers will be flying to America for job interviews anytime soon, even the current case against Gorshkov and Ivanov may be difficult to litigate.
Ken Kanev, the Seattle attorney who is defending Gorshkov, has already filed a pretrial motion challenging the use of the seized computer files in the trial, saying that the FBI's use of passwords to access Gorshkov's personal files in Chelyabinsk was like "picking up a key to a locked container," and the FBI should have had a search warrant before they downloaded the files.