
Kelihos botnet crumbling following arrest, DoJ

Following the arrest in Spain of a Russian suspected of being a notorious spam king, U.S. authorities have begun unraveling the operation he's alleged to have controlled, the Kelihos botnet.

The 36-year-old man, Pyotr Levashov, on vacation in Barcelona with his family, was taken into custody over the weekend in a joint operation between Spanish and U.S. authorities.

While a connection has been hinted at in media reports that Levashov was involved in the hacking of the U.S. presidential election, the credibility of that charge seems to be losing steam as officials from the Justice Department on Monday stated that there was, in fact, no connection. However, speculation continues as investigations and announcements from authorities trickle out. The pending criminal case against Levashov remains under seal.

Whether he is tied to the hack of the U.S. presidential election, his alleged involvement as the operator of the Kelihos botnet received a blow today as the U.S. Department of Justice (DoJ) announced it had begun "an extensive effort to disrupt and dismantle the Kelihos botnet."

In court documents filed on Monday, Levashov is accused of being a spam king, indicted in 2009 for his activities in masterminding several spam operations, including the Storm botnet. At its peak in September 2007, Storm was estimated to be operational on one million to 50 million Windows computer systems worldwide – corralling the devices into a network that sent out hundreds of millions of spam emails and facilitated other malicious activities, including harvesting login credentials and installing ransomware and other malicious software. 

Like other such botnets, Kelihos is coded to hide its presence on targeted machines, enabling the malware to receive instructions from a remote server to initiate malicious actions, such as siphoning out data and transferring it to the botnet operators.

"The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives," said Acting Assistant Attorney General Blanco in the DoJ statement.

To proceed with their investigation, law enforcement authorities in the U.S. obtained warrants pursuant to recent amendments to Rule 41 of the Federal Rules of Criminal Procedure, which authorizes law enforcement to "redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server," according to the DoJ statement. This action is touted as enabling the government to get assistance for victims of the scam – in particular, in removal of the Kelihos malware from their computers, said the DoJ statement.

Severa, one of the oldest and most respected cybercriminals, operated on the criminal underground for the past 20 years, successfully evading prosecution, Vitali Kremez, senior cyber intelligence analyst and director of research at Flashpoint, told SC Media on Tuesday.

"As of now, the news of Severa's arrest is being thoroughly discussed within the top-tier Russian criminal underground, implicating possible tightening of cybercriminals' own operational security in the aftermath of Severa's abrupt capture," Kremez told SC.

Kremez, who specializes in researching and mitigating cyber incidents emanating primarily from the Eastern European cybercriminal ecosystem, said that by and large, Severa is known to have links to a pro-Russian hacktivist group called "Cyber Berkut," which also had some apparent ties to Russian government operations designed to destabilize Ukraine.

"Historically, one of Severa's Kelihos botnet campaigns played on pervasive anti-Western sentiment in Russia by advising spam targets to download a tool designed to attack Western governments. The subject of the phishing email reads: 'Help your homeland.'"

The Russian campaign leveraged a unique social engineering technique to entice victims to willfully install the malicious program on their computers, Kremez said. "The message in the email had a striking resemblance to the JUN14 announcement of Cyber Berkut, a pro-Russian hacktivist group operating out of Ukraine. At that time, Cyber Berkut was seeking to enlist the help of would-be cyberwarriors for DDoS attacks against Ukrainian government websites."

It is likely that the email message of the Kelihos spam was inspired by – or crafted to support – the crowd-sourcing appeal of pro-Russian Cyber Berkut, Kremez told SC.

As far as a potential link between Levashov and the hack of the U.S. presidential election, Kremez told SC that in his assessment, there was "low confidence" that the botnet is connected.

"By and large, we assess with low confidence that Severa's spam botnet might have been involved in email spam distribution linked to alleged interference of Russia in last year's U.S. election."

According to the civil complaint, Levashov allegedly operated the Kelihos botnet since approximately 2010.
