Putin Discovers He Needs to Indict Another Russian Hacker

Back when Russian hacker Yevgeniy Nikulin got arrested in Prague in association with US charges of hacking Linked in and DropBox, Russia quickly delivered up its own, far more minor indictment of him to set off a battle over his extradition. Months alter, Nikulin’s legal team publicized a claim that an FBI Agent had discussed a deal with him, related to the hack of the DNC — a claim that is not as nuts as it seems (because a number of the people hacked had passwords exposed in those breaches). Whatever the reason, Russia clearly would like to keep Nikulin out of US custody.

And not long after Russian hacker Alexander Vinnik got detained in Greece related to the Bitcoin-e charges, Russia dug up an indictment for him too. Russia has emphasized crypto-currencies of late, so it’s understandable why they’d want to keep a guy alleged to be an expert at using crypto-currencies to launder money out of US hands.

What’s a more interesting question is why Russia waited so long to manufacture a Russian indictment for Pyotr Levashov, the alleged culprit behind the Kelihos bot, who is currently facing extradition to the US from Spain. Levashov was detained in April, but Russia only claimed they wanted him, too, a few weeks ago, around the same time Levashov started claiming he had spied on behalf of Putin’s party.

Perhaps it’s harder to manufacture a Russian indictment on someone the state had had no problem with before. Perhaps Russia has just decided this ploy is working and has few downsides. Or perhaps other events — maybe the arrest of Marcus Hutchins in August or the extradition back to the UK of Daniel Kaye in September — have made Levashov’s exposure here in the US even more problematic for Russia.

But I find it really curious that it took five months after Levashov got arrested for the Russians to decide it’d be worth claiming they want to arrest him too.

Update: Spain has approved Levashov’s extradition to the US.

MalwareTech’s FBI-Induced Tour to Milwaukee, WI

On Friday, WannaCry hero Marcus Hutchins (AKA MalwareTech) was granted bail by a Las Vegas judge; he will pay his bail on Monday, then have to travel, without a passport to show TSA, to Milwaukee for a court appearance Tuesday (I’m contemplating hopping the ferry for the hearing).

I’d like to focus on the venue, how it is that a British malware researcher came to be charged in Flyover USA for the crime of making malware.

Thomas Brewster-Fox wrote an important piece on Friday trying to figure out what a lot of people have been asking: what is Kronos, which a lot of researchers never really heard of. He notes that the malware was a bust in the criminal malware market.

The reduced price hints at another truth about Kronos: it was largely a failure amongst serious cybercriminals. There was early anticipation in 2014 it could go big, as prolific and profitable as one of its forbears, the banking malware known as Zeus. In an email to your reporter from RSA’s Daniel Cohen in 2014, he wrote: “Waiting to see whether Kronos turns into something. At this point it’s just a post on a forum, no sample or binary yet. It could be an interesting development if it does, as it would point to more movement away from the Zeus code.”

In the last 24 months, according to IBM global executive security advisor Limor Kessem, the Trojan emerged with a hefty $7,000 price tag in mid-2014, but actual attacks didn’t launch until the third and fourth quarter of 2015, when the company saw some Kronos malware campaigns hitting UK banks. “But after that timeframe, have not seen much more activity from the malware,” Kessem told Forbes.

“The very last time we saw Kronos activity was a small campaign in November 2016, when Kronos infected a very small number of machines mostly in Brazil, the UK, Japan, and Canada. At that particular time, we did not see fraudulent activity from Kronos, but rather, believe it was used a loader for other malware.

Importantly, IBM global executive security advisor Limor Kessem names the few places where the malware has been deployed: Some UK banks in the last two quarters of 2015 and then, in altered form and function, in a “very small number of machines” in Brazil, UK, Japan, and Canada.

So: UK, Brazil, UK, Japan, and Canada.

Not the US, as far as Kessem notes.

And in fact, the most commonly cited victim, the UK, is where Hutchins is from! Yet among the things the British National Cyber Security Centre — the folks who worked closely with Hutchins as he saved a bunch of NHS hospitals from being shut down due to the WannaCry malware — has been really circumspect about since Hutchins’ arrest is what the case is doing over here in the States.

We are aware of the situation. This is a law enforcement matter and it would be inappropriate to comment further.

So why are we seeing this case in the US — in Milwaukee, of all places?!?! — rather than in the UK where some of its few victims are?

The indictment against Hutchins includes just two actions he is alleged to have taken personally.

Defendant MARCUS HUTCHINS created the Kronos malware. (¶4a)


In or around February 2015, defendants MARCUS HUTCHINS and [redacted] updated the Kronos malware. (¶4d)

All the other overt actions described in the indictment were done by Hutchins’ as yet unknown (even to him, per reports!) and still at-large co-defendant. That includes this action:

On or about June 11, 2015, defendant [redacted] sold a version of the Kronos malware in exchange for approximately $2,000 in digital currency. [emphasis mine]

Most the other charges — counts three through six — cite that June 11 sale. So it’s that sale, in which Hutchins was not alleged to be involved and the alleged perpetrator of which hasn’t yet been arrested, that seems to be the core of the crime.

This Beeb article, by far the most detailed accounting of Hutchins’ arraignment, provides these details.

Prosecutors told a Las Vegas court on Friday that Mr Hutchins had been caught in a sting operation when undercover officers bought the code.

They claimed the software was sold for $2,000 in digital currency in June 2015.

Dan Cowhig, prosecuting, also told the court that Mr Hutchins had made a confession during a police interview.

“He admitted he was the author of the code of Kronos malware and indicated he sold it,” said Mr Cowhig.

The lawyer claimed there was evidence of chat logs between Mr Hutchins and an unnamed co-defendant – who has yet to be arrested – where the security researcher complained of not receiving a fair share of the money.

From this, it might be safe to assume that some law enforcement officer, possibly working undercover in the Eastern District of WI, bought a bunch of shit off AlphaBay in 2015, including a copy of (a version of) the Kronos malware. The purchase (and the version of code) wasn’t sufficiently interesting last year to arrest Hutchins when (I believe) he came for the Las Vegas cons.

Nor was it interesting enough to the UK, where some of Kronos’ few victims are, to prosecute the sale (which, because conspiracy laws are not as broad as they are here in the US, might not have reached Hutchins in any case, and certainly wouldn’t have exposed him to decades of incarceration).

But this year, in the days after the Alpha Bay seizure (and several months after Hutchins helped to shut down WannaCry), prosecutors presented that $2000 sale to a grand jury in ED WI, after which an arrest warrant was sent out to Las Vegas, just in time to arrest Hutchins on his way out of the country, after most the unruly hackers had departed from Las Vegas.

Arresting Hutchins only as he left — and playing whack-a-mole moving him from one detention center to another — gave authorities the opportunity to interview Hutchins without an attorney, where — prosecutor Dan Cowhig claims, Hutchins “made a confession,” — not that he “created the Kronos malware,” which is what the indictment alleges, but instead that he “was the author of the code of Kronos malware.” That “confession” sounds like the kind of thing an overly helpful person might explain if asked to explain this tweet in circumstances where he didn’t have a lawyer.

So here’s what may be going on.

In the aftermath of the AlphaBay seizure, authorities in the US decided to wade through what they could charge from past purchases off the marketplace, and either remembered or stumbled on this remarkably minor sale. Perhaps because of Hutchins’ fame, or perhaps because someone is unhappy about Hutchins’ fame, it was prioritized in a way it otherwise would not have been. And, as always, the US used convenient travel as a way to nab foreign alleged hackers to pull into America’s far more onerous than its allies criminal justice system.

It’s not even clear, however, that that explains the Milwaukee venue. Recall that DOJ first charged Pyotr Levashov (and therefore first deployed its now legally sanctioned Rule 41 warrant) for the Kelihos botnet in Alaska, even though he’ll be tried in CT if he’s ever extradited to the US. The FBI reorganized the way they investigate cyber crimes in 2014 (no longer tying the investigation to the geography of the crime) and with Rule 41 and international crimes, they’ll be able to do so far more in the future. But at least with Levashov, there were victims referenced in the complaint, whereas here, the only act that may have taken place in ED WI is that purchase, if it even did.

All that said, the venue is a far less interesting question than whether the FBI really has evidence tying Hutchins to intending his code to be used for malware, or if they’ve just made a horrible mistake.

Turns Out Alaskans Won’t Get to See Russian Hacker Pyotr Levashov from Their Windows

Earlier this month, DOJ got some good press by releasing the first known Rule 41 nationwide hacking warrant. It targeted Pyotr Levashov, who ran a big botnet infecting tons of Americans’ computers. He was arrested on April 9 in Barcelona and DOJ shut down the botnet.

The good press continued when EFF lauded the way the Rule 41 hacking warrant was handled. I’m not aware that anyone has reviewed the Pen Register application that went along with the warrant, about which I have more concerns, but having EFF’s blessing goes some way to rolling out a new authority without controversy.

Last week, DOJ announced the indictment, last Thursday, of Levashov. Whereas the Rule 41 warrant was submitted in Alaska, the indictment (and much of the investigation) was done in New Haven. Levashov was charged with eight different counts. Of note, the indictment includes two conspiracy-related charges against Levashov without naming any co-conspirators.

What I find interesting about all this is that there’s a still sealed complaint, dated March 24, against Levashov in the New Haven docket, with its own affidavit.

So I’m wondering why the Rule 41 action was taken in Alaska whereas the prosecution (assuming Levashov is extradited) appears slotted for New Haven.

The Alaska affidavit makes abundant reference to the investigative activities in New Haven. It describes that New Haven FBI Agents tested the Kelihos malware, identified how Kelihos harvested credentials, and tracked how Kelihos installed WinPCAP to intercept traffic.

It also includes a footnote describing other cases against Levashov.

I am also aware that an indictment was filed in 2007 in the Eastern District of Michigan for conspiracy to commit electronic mail fraud, mail fraud, and wire fraud in violation of 18 U.S.C. $$ 371, 1037(a)(2)-(a)(B), 1037(b)(2)(C), 1341, and 1343 and several substantive counts of violating 18 U.S.C. $$ 1037(a)(2), 1037(b)(2)(C), and Section 2. That indictment remains pending. I am also aware that a criminal complaint fi1ed in the U.S. District Court for the District of Columbia, which in 2009 charged LEVASHOV in his true name with two substantive counts of violating 18 U.S.C. $$ 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), 1030(a)(5)(A)(i) and 1030(a)(5XBXV), as well as one count of conspiracy to commit these offenses in violation of 18 U.S.C. $ 371. These charges resulted from LEVASHOV’s operating the Storm Botnet from January 2007 until September 22,2008. That botnet, like that which is the subject of this prosecution, sent spam to facilitate pump and dump schemes and the purchase of grey market pharmaceuticals. Because the government was unable to apprehend and detain LEVASHOV, it dismissed the complaint in 2014.

But it doesn’t mention the complaint, which had already been filed, in CT — unless that’s what the almost paragraph long redaction in the affidavit was.

One possible explanation for the jurisdictional oddity is just that DOJ could. To test their new authorities, perhaps, they chose to obtain a warrant in a totally different jurisdiction from the one they were prosecuting in, just to lay out the precedent of doing so. And as noted, it’s possible the big redacted passage in the AK affidavit explains all this.

I’d feel better about that if the FBI affidavit submitted in AK hadn’t (possibly) hidden the already existing complaint in CT, though.

I’ve got a question into DOJ and will update if they provide an explanation. But for now, know that Alaska won’t get to host a high profile hacking trial after all.

Upated, fixed DOJ announce date h/t EG.

The Kelihos Pen Register: Codifying an Expansive Definition of DRAS?

As I noted in yesterday’s post on the arrest of Pyotr Levashov, the government used a Rule 41 warrant (“in an abundance of caution,” they explained in the application) to authorize the redirection of infected computers to the FBI sinkhole. As that was the first public use of the newly expanded authority, I expect there to be a lot of commentary about its use.

I’m just as interested in the Pen Register/Trap and Trace application accompanying the warrant, however. It authorizes the sinkhole to obtain the IP and routing address for infected computers, so the government can inform ISPs of the infection. I’m interested in it for the way it transcribes phone technology onto packet headers.

9. In the traditional telephone context, pen registers captured the destination phone numbers of outgoing calls, while trap and trace devices captured the phone numbers of incoming calls. Similar principles apply to electronic communications, as described below.

10. The Internet is a global network of computers and other devices. Devices directly connected to the Internet are identified by a unique Internet Protocol (*IP’)address. This number is used to route information between devices. Generally, when one device requests information from a second device, the requesting device specifies its own IP address so that the responding device knows where to send its response.

11. On the Internet, data transferred between devices is not sent as a continuous stream, but rather it is split into discrete packets. Generally, a single communication is sent as a series of data packets. When the packets reach their destination, the receiving device reassembles them into the complete communication. Each packet has two parts: a header with routing and control information, and a payload, which generally contains the content of the transmitted communication.

12. The packet header contains non-content dialing, routing, addressing and signaling information, including IP addresses and port numbers. Both the IP address of the requesting device (the source IP address) and the IP address of the receiving device (the destination IP address) are included in specific fields within the packet header, as are source and destination port numbers. On the Internet, IP addresses and port numbers function much like telephone numbers and area codes often both are necessary to route a communication. Sometimes these port numbers identify the type of service that is connected with a communication, such as email or web-browsing, but often they identify a specific device on a private network. In either case, port numbers are used to route data packets either to a specific device or a specific process running on a device. Thus, in both cases, port numbers are used by computers to route data packets to their final destinations.

13. The headers of data packets also contain other dialing, routing, addressing and signaling information. This information includes the transport protocol used (there are several different protocols that govern how data is transferred over networks); the flow label (for the most recent version of the Internet Protocol suite, called IPv6, the flow label helps control the path and order of transmission of packets); and the packet size. [my emphasis]

I’m sure the FBI has used similar PRTTs hundreds of times, including (perhaps especially) in the FISA context. But I’m not aware of one that has been made public. Moreover, the application of the PRTT is different here than in many contexts, because the sinkhole, not an ISP, will be obtaining the data requested.

I raise that because the PRTT asks for information — such as the use of a port number to ID a device running on a private network — that might be considered content to an ISP. If such an order were presented to an ISP, then, the request would arguably go beyond what a user had voluntarily shared with a third party, and therefore what should be available using a PRTT. (This paper from Matt Blaze and others from last year explains this in detail, though the paper notes that port numbers are specifically permitted by DOJ’s Electronic Surveillance Manual.) The data is necessary to the intent here, because FBI is trying to ID which devices have been infected. But it’s not clear the legal case is sound.

Yet the application describes it as dialing, routing, addressing, and signaling information (the DRAS definition at the base of PRTT law) without an explanation of this technical distinction, and without a discussion of what it means that the FBI sinkhole, and not an ISP, is collecting the data.

I suspect one reason the government has made all the materials associated with Levashov public is to codify their use. And that’s true as much for this use of the PRTT as it is for the Rule 41 warrant.

Another Russian Hacker (Probably) Not Affiliated with the DNC Hack

When news came out that the Russian hacker Pyotr Levashov had been arrested in Barcelona, people assumed, based in part on what Levashov allegedly told his wife after being questioned, that he had a role in the DNC hack. (Update: Here’s the RT story that reported it, which doesn’t appear to have been posted on the UK or US RT sites, and which doesn’t exactly correlate to some of the reports. Here’s the complaint.)

RT quoted Maria Levashova as saying armed police stormed into their apartment in Barcelona overnight, keeping her and her friend locked in a room for two hours while they quizzed Levashov.

She said when she spoke to her husband on the phone from the police station, he told her he was told he had created a computer virus that was “linked to Trump’s election win.”

Ms Levashova didn’t elaborate, and the exact nature of the allegations weren’t immediately clear.

DOJ has released the application associated with the Rule 41 search warrant they’re using to take down Levashov’s Kelihos botnet, and the unredacted part of the application supports no such thing. There is one paragraph with a mostly redacted description of how his customers use his botnet.

The rest of the application is consistent with Levashov working with pharma spammers, ransomware crooks, and those seeking money laundering online mules (though that’s not inconsistent with Levashov cooperating with Russian intelligence in some way).

As noted, the government is using a Rule 41 warrant to redirect computers Levashov’s botnet has hijacked to send their traffic into a sinkhole, along with a Pen Register to cover obtaining the IP addresses of the infected computers. The justification for using Rule 41 is that his botnet operates peer to peer. I expect we’ll see more analysis about the necessity of using Rule 41 for this purpose. In any case, while some of the more sophisticated investigation of this case was done in New Haven, and while there are reportedly Connecticut computers that have been infected by the botnet, for some reason the case is being charged in Anchorage, AK (though there are definitely victims there, too, and the AK-based Agent who wrote the application also had a role in the investigation). As more Rule 41 cases get charged we’ll see some interesting jurisdictional questions.

The one other surprising part of this indictment is how crappy this guy’s operational security is. The Luxembourg based IP address he used with his botnet tied to his iCloud account, which in turn tied through a common IP to his Google account, which in turn tied to his Foursquare account. All of this was done under his own or closely associated names.

Which might work fine if you were a Russian based hacker that did enough favors for the state to remain safe from prosecution. Until such time as you decide to take your wife and kid on a vacation to Spain.

One more point: When credential thief Yevgeniy Nikulin was arrested in Prague in October, the Russians quickly filed a competing arrest request for a minor 2009 bank account hack. The competing requests are being weighed by a Czech judge as we speak, but it seemed that the Russian request was an attempt to keep Nikulin out of US custody.

Thus far, there has been no hint of anything similar happening with Levashov.