“Vladimir” came from a good family in Moscow. His parents both had advanced degrees and he was an academic star in high school.
He studied finance at his university and was equally well versed in computer science and physics. Smart, well spoken and personable, he could have been anything he wanted to be. But he chose to become a cyberthief.
Vladimir, an alias, preyed on wealthy Americans, said Mark Danner, a former U.S. intelligence officer, who is now a consulting manager for public safety and homeland security at NSI, a Washington, D.C.-based consulting group. Danner interviewed Vladimir in prison in an effort to put a face on the hacking menace.
“When it comes to the criminal world, the problem is that the faces of these perpetrators are really unknown,” he said at the Gov Sec conference in Washington, D.C. “They’re unknown in public and expert circles.”
While the federal government and Congress are making a push to toughen up the nation’s defenses in cyberspace, experts note that most of the vulnerabilities that thieves and spies are exploiting through the Internet are in the private sector, where state actors, criminal syndicates and hackers like Vladimir steal money and secrets with alarming regularity. Defense Department officials have warned companies doing business with the Pentagon to protect their data from foreign hackers.
A joint report from the Internet Security Alliance and the American National Standards Institute said chief financial officers and company leaders don’t appreciate the seriousness of the problem. Many simply do not want to invest the money needed to strengthen defenses against cybercrimes, despite government estimates that U.S. companies lost to network intrusions some $1 trillion in intellectual property from 2008 to 2009.
“The fact is that the current private-sector work force, most of whom will remain working for decades to come, is largely uneducated about cybersecurity,” said the report titled, “The Financial Management of Cyber Risk.”
Senior managers are what demographers call “digital migrants,” the report said. They do not have a good understanding of the issues involved. Further, company personnel see security as the realm of “the IT guys” and they do not take precautions to secure their information.
Gary Warner, director of research in computer forensics at the University of Alabama-Birmingham, said there is a mistaken belief that anti-virus software is enough to stop intrusions.
He has responded to companies that have asked for help when their computer systems have been infected with viruses. He discovered that they had malware installed in their systems that had been sending documents almost daily to cyberthieves for up to two and a half years.
Since companies don’t understand the risks, they cannot calculate the costs, he said at the conference prior to the report’s release.
“The threat is all of your intellectual property — gone.”
Anti-virus programs only catch viruses that were created in the past. For the most part, they can’t catch what is sent out that day.
“The myth is that anti-virus products catch viruses. They don’t. They don’t work. Stop relying on them,” he said.
Vladimir provides an example of how these operators launch attacks, Danner said.
Vladimir first gravitated to the hacking underground at age 16. “There he found a world of colleagues, teachers, conspirators and entrepreneurs,” Danner said. Rising through the ranks and gaining prestige among peers requires neophytes to display the skills required to break into secure networks that contain valuable data.
The collaboration and synergies in hacker circles are as robust as any found in the best special operations and law enforcement teams. “The difference is they collaborate amongst themselves anonymously,” he added. Hackers have different specialties and work in teams, he said. They learn and share knowledge and tools with each other. “They are, in fact, a community of practice,” he said. “They conduct their reconnaissance and research in a strategic manner in a project management approach.”
The vast majority of their time is spent on operational planning, research and reconnaissance before they carry out an attack. Vladimir, for example, would never launch an operation that didn’t get laundered through at least 10 servers.
“And that makes it all the harder to identify what’s coming at us,” Danner said.
Vladimir specialized in bilking wealthy Americans. He read Forbes Magazine to glean names, broke into databases to grab former addresses, mothers’ maiden names, social security numbers and other useful information. He had American co-conspirators, who specialized in making fake IDs and credit cards. They would apply for home equity loans and then abscond with the money.
“These cybercriminals — when they are at the top of their game — are highly competent. Not only technologically, but also in terms of tradecraft,” Danner said.
Vladimir boasted that it was easy to build a profile on U.S. residents.
“I was really impressed with his data harvesting skills. He was really on par with the best investigators and intelligence professionals,” said Danner, who interviewed Vladimir in a U.S. prison.
He sometimes hired U.S.-based private investigators who unwittingly gathered information for him. Vladimir also had a well-placed connection in Russian law enforcement who protected him.
His tradecraft was good, but not good enough, Danner said. Vladimir became too greedy and was lured to the United States in a sting carried out by the Secret Service. He reminded Danner in the prison interview that it took a great deal of resources and manpower to capture him, but there are thousands of others out there just like him.
There is a nexus between these thieves and state actors, said Paul Joyal, NSI’s managing director for public safety and homeland security. “You can be a criminal, a member of an intelligence organization and a businessman all at the same time.”
The Russian Business Network, a crime syndicate better known as RBN, was deeply involved in a cyberattack on Georgia that began weeks before Russian forces invaded the nation in 2008, he said. Orders flowed down from political organizations to young hackers, who launched the attack using infrastructure provided by organized crime, Joyal said.
This “is an important lesson for DoD planners concerning war fighting capability,” Joyal added.
The Russian Business Network sells the Zeus malware, a program that infects computers, enslaves them in botnets, and can send as much as $10 million per week from U.S. accounts to Russia, said Warner, who has conducted extensive analysis on the program. That amount is bigger than all the physical bank robberies every year.
“And it’s not getting the appropriate response partly because we lack the manpower and we lack the tools,” Warner added.
When RBN was exposed in the media in 2005, it was reported that the syndicate had been crushed. “But it’s sort of like turning the light on in a kitchen full of roaches. All of them just scattered.”
When its command-and-control servers are exposed in one country, it migrates to another. Warner’s students have followed its virtual headquarters from Russia to the United Kingdom, Texas, Kazakhstan, Moldova, and back to Russia where it currently resides. For $1,400 to $6,000, anybody can buy Zeus, he said. The syndicate provides secure IP addresses for criminals as well.
Along with sending mass emails to the general public, Zeus can be used for “spear-phishing,” where government or company computers are targeted.
A scam might involve an email to a corporate executive that appears to be from the Department of Justice informing them that the company is under investigation.
Every computer in a company’s system may be targeted. They don’t have to go after “crown jewels,” Warner said. They can gather a little bit of data from all of the computers and put together a picture.
“Our best hope at the moment is that the enemy is drowning in data,” he added.
When it comes to defeating cyberthreats, the U.S. government is seriously undermanned, he added. There are currently 44,000 Turkish teenagers organized in a rigorous military-style community of hackers who are learning their tradecraft from each other. There are similar communities in Saudi Arabia with 100,000 members. Iraq has 40,000 members. China has more than 400,000 members “where you mentor each other in ways to attack the enemies of the state,” he said.
“We don’t have anything close to that in the United States. Any one of those communities has more trained cyberwarriors than our entire U.S. military,” Warner said.
As far as creating a domestic force to counter these legions of hackers — fighting fire with fire — there is a stigma to doing such work in the United States. It’s not a socially acceptable profession, but it is so in many of these nations, he said.
U.S. students could be trained to do offensive cyberoperations, but there is a chance they could use their skills for nefarious activities, he said.