Another Russian Hacker (Probably) Not Affiliated with the DNC Hack

When news came out that the Russian hacker Pyotr Levashov had been arrested in Barcelona, people assumed, based in part on what Levashov allegedly told his wife after being questioned, that he had a role in the DNC hack. (Update: Here’s the RT story that reported it, which doesn’t appear to have been posted on the UK or US RT sites, and which doesn’t exactly correlate to some of the reports. Here’s the complaint.)

RT quoted Maria Levashova as saying armed police stormed into their apartment in Barcelona overnight, keeping her and her friend locked in a room for two hours while they quizzed Levashov.

She said when she spoke to her husband on the phone from the police station, he told her he was told he had created a computer virus that was “linked to Trump’s election win.”

Ms Levashova didn’t elaborate, and the exact nature of the allegations weren’t immediately clear.

DOJ has released the application associated with the Rule 41 search warrant they’re using to take down Levashov’s Kelihos botnet, and the unredacted part of the application supports no such thing. There is one paragraph with a mostly redacted description of how his customers use his botnet.

The rest of the application is consistent with Levashov working with pharma spammers, ransomware crooks, and those seeking online money-laundering mules (though that’s not inconsistent with Levashov cooperating with Russian intelligence in some way).

As noted, the government is using a Rule 41 warrant to redirect computers Levashov’s botnet has hijacked to send their traffic into a sinkhole, along with a Pen Register to cover obtaining the IP addresses of the infected computers. The justification for using Rule 41 is that his botnet operates peer to peer. I expect we’ll see more analysis about the necessity of using Rule 41 for this purpose. In any case, while some of the more sophisticated investigation of this case was done in New Haven, and while there are reportedly Connecticut computers that have been infected by the botnet, for some reason the case is being charged in Anchorage, AK (though there are definitely victims there, too, and the AK-based Agent who wrote the application also had a role in the investigation). As more Rule 41 cases get charged we’ll see some interesting jurisdictional questions.

The one other surprising part of this indictment is how crappy this guy’s operational security is. The Luxembourg-based IP address he used with his botnet tied to his iCloud account, which in turn tied through a common IP to his Google account, which in turn tied to his Foursquare account. All of this was done under his own or closely associated names.

Which might work fine if you were a Russian-based hacker that did enough favors for the state to remain safe from prosecution. Until such time as you decide to take your wife and kid on a vacation to Spain.

One more point: When credential thief Yevgeniy Nikulin was arrested in Prague in October, the Russians quickly filed a competing arrest request for a minor 2009 bank account hack. The competing requests are being weighed by a Czech judge as we speak, but it seemed that the Russian request was an attempt to keep Nikulin out of US custody.

Thus far, there has been no hint of anything similar happening with Levashov.

5 replies
  1. seedeevee says:

    Are “cybercriminals” as described in the paperwork an actual class of criminal? How many other Xcriminal classes are there? Seems needlessly makeuppish.

    . . . . and Russia’s alleged “interference in the election” . . . .

    • RickR says:

      Cybercrime is, by definition, committed with computer(s) and network(s). As for classes you can probably take all the usual classes in the real world and prefix “cyber” on them.
      It is makeuppish. Legislation has yet to be refined and jurisdictional issues greatly complicate the situation.
      Levashov’s thing is creating botnets then selling access to them as a service for spamming. His Kelihos botnet is associated with election meddling during the 2012 Russian election by sending emails linking to fake news that a Putin opponent was gay. Oddly, Russia’s RT news outlet seems to want to associate Levashov with the DNC hack while we (the West) are treating his alleged crimes as unrelated to national security.
      Go figure.

  2. Summerstorm says:

    There is also a possibility American officials want to discuss botnets with him to gain more insight into the business, the players, the customers, and so on. The ‘arrest’ may just be a cover to get him into quarantine for discussions.

  3. SpaceLifeForm says:

    “As noted, the government is using a Rule 41 warrant to redirect computers Levashov’s botnet has hijacked to send their traffic into a sinkhole, along with a Pen Register to cover obtaining the IP addresses of the infected computers. The justification for using Rule 41 is that his botnet operates peer to peer.”

    OMG, where to start? (not attacking Marcy. This is total abuse of Rule 41 by government)

    This is Yet Another Legal Attempt at Retro Cover. Trying to justify that which the TLAs are already doing.

    Here is the $64 Quadrillion question:

    Is an ip packet that is in-flight anyone’s property?

    And if so, who is the owner of said property?

    And then, how can you get a legally legit warrant on a packet?

    Rule 41 says *nothing* about ip packet capture. Nor does it say anything about legally hacking BGP, which must be the case if they can sinkhole the ip packets. Which also means that any ISP’s routers are already controlled via BGP poisoning from upstream or the ISP had to be forced to direct the traffic via an NSL. (bet on poisoning).

    There is likely no way they can obtain the ip address of the infected machines. Most are probably behind a NAT router. Unless the packets have the real ip behind the NAT embedded in the packet. And why do they even care? If it is really p2p, then it is really being tunneled and certainly double encrypted (outer TLS, inner secret). And if tunneled and double encrypted, then maybe the protocol is already known. See Vault7.

    So, best they can do is inform the ‘customer’ that there are one or more infected machines on their network.

    If the government really wanted to stop this botnet, they would provide the proper signatures to the antivirus/antimalware folks, and the infected machines would be found in short time.

    If this is really Vault7 stuff, then maybe they want to monitor the situation. The infected machines may very well have other malware (think rootkit / APT).

    But it still appears to be abuse of Rule 41.

  4. maybe ryan says:

    I’m not sure how you would even get to (probably), with a 15 line description of the criminal and crime in which 11 lines are redacted. We have to presume there is some security reason that the 11 lines are redacted. It’s unlikely to be because it provides PII.

    With his wife saying “linked to Trump’s win” and the indictment providing no contradictory information, I’d say the most likely explanation is that they arrested him for activities related to subverting the US election. Ockham and all.
