To catch a cyberthief

Any long-time fan of Law & Order is intimately familiar with how the American legal system operates – well, at least on TV.

Almost every episode starts out with some poor soul found dead, dying or badly beaten. Investigators show up, there is some witty banter about the victim, despite the still-warm body lying there on the ground in view of all. Next, the detectives track down various suspects, narrow it to one individual, a grand jury indicts that person and the police are sent to pick up the alleged criminal. More witty banter as the perp is walked to the undercover police car. Court room drama ensues and the person goes to jail.

Neat and tidy in an hour shortened by commercials.

However, during the past year federal law enforcement and various state attorneys general have started following a different script, one that stops right after the indictment is issued.

In the last few months of 2018, two Chinese nationals were indicted on cyberespionage charges; four Iranians were indicted for conducting a series of SamSam ransomware attacks; in October a team of Chinese intelligence agents was indicted for cyberespionage against U.S. and French jet engine manufacturers; and in the highest-profile case, seven Russian GRU officers were indicted for their involvement in hacking myriad targets, including anti-doping organizations, Ukraine, the U.S. Democratic National Committee, Westinghouse Electric Company and the Organization for the Prohibition of Chemical Weapons.

On the surface, going through the motions of charging someone who is far out of reach may appear to be a colossal waste of time, manpower and money, but dig down one layer deeper and many good reasons for filing charges can be found.

“This is helpful. For far too long it’s been open season on the U.S. and this is a signal that the U.S. is organizing to protect itself,” says Monica Pal, CEO of 4iQ, a firm that scours the dark web looking for information to help unmask cybercriminals and notify those who have been compromised.

Not only is the criminal element being put on notice, but a bright light is being shone on the malicious activity of nations that harbor individuals launching attacks that they either directly support or turn a blind eye to.

“Indictments, while they are not closure, bring an important message to anyone committing cybercrimes that attribution and digital forensics evidence can be sufficient in bringing charges to those committing cybercrimes,” says Joe Carson, chief security scientist at Thycotic.

In addition, putting people under indictment closes off their escape routes, or even their ability to travel freely about the world. Countries with extradition treaties with the U.S. are less likely to harbor cybercriminals, leaving fewer countries the U.S. and its allies must put pressure on to ensure future global cooperation in cyber responsibility, Carson says.

Getting picked up by the local authorities is always a possibility for a cybercriminal, even when they are doing something as innocuous as going on holiday.

In 2016 Ukrainian national Ruslan Yeliseyev was arrested while vacationing in Israel and then extradited to the U.S., and in 2017 Pyotr Levashov was taken into custody while on vacation in Barcelona on suspicion of being a notorious spam king and for his alleged involvement with the Kelihos botnet.

The level of international cooperation that took place with these arrests is something law enforcement is counting on coming into play following the indictments of those currently out of the reach of American justice, such as the Chinese agents Zhu Hua (aka Afwar, CVNX, Alayos and Godkiller) and Zhang Shilong, (aka Baobeilong, Zhang Jianguo and Atreexp).

Each is believed to work for the cyberespionage group APT10 while also employed by the Chinese firm Huaying Haitai Science and Technology Development Company. During this period, the duo also acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau, the Department of Justice says.

Photo caption: Priscilla Moriuchi, director of strategic threat development at Recorded Future.

The U.S. government is attempting to accomplish several actions by putting these two in the spotlight and on notice, says Priscilla Moriuchi, director of strategic threat development at Recorded Future and former lead for the NSA’s East Asia and Pacific cyber threats office.

“In a larger context, these indictments are furthering three specific messages to Beijing. First, they continue to draw a clear line for China regarding what type of behavior is and is not acceptable for states to conduct in cyberspace. In particular, that leveraging government and military resources to conduct cyber operations in order to steal intellectual property from private companies is unacceptable,” she says.

Next, by taking the step of filing charges against individuals working for the Chinese government the Justice Department is showing the U.S. government continues to take the theft of personally identifiable information (PII) of its citizens seriously. This is especially timely, as Secretary of State Pompeo has attributed the Starwood Preferred Guest (SPG)/Marriott PII theft to China, Moriuchi says.

The move also signals to the Chinese that American officials are not blind to the fact that China has apparently not bothered to keep up its side of the recent cybersecurity agreement between the two nations, in which each promises to not steal data and intellectual property from private enterprises.

“The bigger diplomatic and political landscape cannot be lost when looking at the recent indictments of APT10 in the U.S. for hacking. It appears the Chinese agreed to cyber non-aggression, but operations dating back to 2006 merely changed targets and kept going on a reduced but no-less-harmful scale. The charges against Zhu Hua and Zhang Shilong may or may never see them in a U.S. court, but that doesn’t matter. What matters is the perception of legality and the snipes used back-and-forth in the Game of Nations,” says Sam Curry, chief security officer, Cybereason.

Hua and Shilong or the others may never end up behind bars, but in one sense the indictments do keep them in a sort of house arrest situation, albeit a house the size of their nations.

“It is not the goal, but is simply just a consequence of indictments that leaves those committing the cybercrimes imprisoned in their own countries. The importance of indictments is to hold governments accountable and responsible for their actions in order to pressure for future cooperation,” Thycotic’s Carson notes.

Law enforcement ups its game

Shuman Ghosemajumder, CTO at Shape Security and formerly Google’s click fraud “czar”, is also encouraged by other indictments that have been handed down over what some might consider less serious charges, such as ad fraud. He believes this can be seen in the filing of charges that took place in November against eight individuals, each a resident of either Russia, Ukraine or Kazakhstan. Charges include wire fraud, money laundering conspiracy, aggravated identity theft, and conspiracy to commit computer intrusions.

These men comprised the 3ve cybercriminal operation, which has fraudulently earned at least $36 million in ad view revenues since 2014, largely with the help of global botnets composed of machines infected with either Kovter or Boaxxe/Miuref malware. At its peak, 3ve was responsible for 3 billion daily ad bid requests and 700,000 active botnet infections, according to a report from Google and White Ops.

“The FBI’s indictment of criminals for advertising fraud represents an inflection point for the criminal justice system. Just a few years ago, the FBI did not have a great deal of experience in these types of crimes and rarely pursued them,” Ghosemajumder says.

The 3ve operators were indicted after a collective effort that combined the talents of law enforcement and the private sector, a point that should not be overlooked, along with the fact that these actions were taken with the full knowledge that the indictments would not produce an immediate result.

“The way in which law enforcement, Google and White Ops approached this case — understanding that the long game was more important than short-term goals — was the right thing to do. Google, law enforcement, and other companies gathered evidence for a long time without taking concrete action against the actors,” Ghosemajumder said. “One of the areas in which the fraud-fighting industry had challenges in the past was demonstrating ‘damages.’ If we discovered fraud attempts simply because we detected the attempted fraudulent transactions and prevented advertisers from actually being harmed, it was difficult to make the case for a large damage amount. In this instance, it sounds like the fraudsters were successful because the advertisers could not be effectively protected by their systems, so there are damages to pursue.”

Although the indictment will send “a warning to other cybercriminal groups that governments will track and prosecute this behavior, it will also encourage companies to tighten up defenses and diversify tactics,” he said. “I don’t see this scaring other actors away, just teaching them.”

Ghosemajumder says Google and White Ops took the right approach — understanding that the long game was more important than short-term goals and, along with law enforcement and other companies, gathering evidence for a long time without taking concrete action against the actors.

“Observable action would have indicated to the 3ve actors that they were being monitored which would have driven them underground or to retool in order to evade detection,” he contends. “That Google could not manage blocking these actors outright and required legal intervention is an indication of how difficult this problem is.”

Attacking cybercrime from multiple angles, while not new, is also important and something that must continue.

“I think it’s important to collaborate. To send out a joint message that there will be consequences and perhaps make them [cybercriminals] think twice,” says 4iQ’s Pal.

While it is no simple matter for the U.S. justice system to haul in those being indicted, the practice itself has not only been in use for quite some time but has proven effective, says John McClurg, vice president and ambassador-at-large at Cylance and former FBI agent.

“Probably one of the most dramatic examples of that would be the arrest and prosecution of [former Panama President] Manuel Noriega. Noriega was indicted by federal grand juries in Miami and Tampa on charges of racketeering, drug smuggling, and money laundering,” McClurg adds, noting it did take the American invasion of Panama to oust Noriega and bring him to final justice.

But with this precedent set, McClurg wonders what would happen if a hacking incident were to strike a particularly tender national security nerve.

“It begs the question as to what extent a recourse to similar measures might be necessary of making good on a hacking indictment, particularly if the hack is perceived as having touched on national security interests and was perpetrated by state actors,” he says.
