CyberEye: FBI shares lessons of Zeus botnet ring takedown
- By William Jackson
- Jul 22, 2011
The FBI, in cooperation with cybersecurity experts and law enforcement officials in the United Kingdom, Europe and Ukraine, last year busted a Zeus botnet ring believed responsible for trying to illegally transfer $220 million from U.S. banks.
They managed to get $70 million, but Operation Trident BreACH succeeded in bringing charges against 92 persons and making 39 arrests, including the five suspected ring leaders in Ukraine as well as mules in the United States and United Kingdom believed to be moving the money.
The operation was a learning experience in the complex task of policing the Internet. The first lesson: you don’t have to be a genius to use the Internet to steal millions.
“I have been continually unimpressed with the skill level and computer knowledge” of criminals engaged in computer crime, even the programmers, said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham and a frequent contributor to investigations. “But they get the job done.”
Warner was one of a panel, which included FBI agents Dean Kinsman and Michael Eubanks, that summed up the lessons learned from Trident BreACH at last week’s FOSE conference in Washington. The great lesson of the operation, one of the most successful takedowns of organized online criminals to date, is that despite the complexities of international law enforcement, agencies on different continents can cooperate and get results.
Over the last year the FBI has participated in five or six major investigations with Ukrainian authorities, said Kinsman, supervisory special agent with the criminal section of the FBI’s Cyber Division. This runs counter to the common perception that the former Soviet states are a lawless haven for cyber criminals.
“Ukraine is a hotspot of cybercrime,” Kinsman said, but “we can get a lot done.” Authorities there are cooperative, although hindered by a lack of funding and resources.
Online law enforcement is not easy, even on the U.S. side. The Zeus Trojan, a malware suite commonly used for stealing banking information that can be used to transfer money from a victim’s account, has been around since at least 2005. But its very ubiquity hindered law enforcement efforts. It was not until research by Warner and others demonstrated links in the “ownership” of 840 known command and control servers that the widespread Zeus botnets began to look like something that law enforcement could get its collective arms around.
It also helps if there is a lot of money involved. In 2009 a bank in Omaha noticed suspicious payments through the Automated Clearing House (or ACH, hence the unusual spelling of Trident BreACH) to 46 bank accounts. A Bronx bank later reported similar transfers to accounts of temporary U.S. workers. All totaled, some $220 million in attempted transfers were discovered from compromised bank accounts to the accounts of mules who had been hired to move the stolen money to contacts overseas. About $70 million of the transfers were successful.
Because each transfer had to be relatively small — under $10,000 to avoid U.S. reporting regulations — and each mule is typically used only one or two times, the operation was labor intensive. The 92 people originally charged in the operation are only the tip of the iceberg, although investigators hope that tip includes the heads of the organization.
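As an added illustration, not code from the article or the investigation, here is a small detector over constructed ACH credit records that flags the pattern described above: several transfers kept just under the $10,000 reporting threshold, spread across beneficiary accounts that are each used only once or twice. The band width, alert counts and sample records are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample ACH credit records: (originating account, beneficiary account, amount in USD).
# These values are invented for illustration and are not from the investigation.
SAMPLE_ACH = [
    ("ORIG-1001", "MULE-01", 9800.00),
    ("ORIG-1001", "MULE-02", 9650.00),
    ("ORIG-1001", "MULE-03", 9900.00),
    ("ORIG-1001", "MULE-04", 9700.00),
    ("ORIG-1001", "MULE-02", 9550.00),
    ("ORIG-1001", "PAYROLL-A", 42000.00),
    ("ORIG-2002", "VENDOR-X", 1200.00),
    ("ORIG-2002", "VENDOR-X", 1350.00),
    ("ORIG-2002", "VENDOR-Y", 9999.00),
]

REPORT_THRESHOLD = 10_000.00   # U.S. reporting threshold cited in the article
NEAR_BAND = 0.90               # assumed: flag amounts in the top 10% below the threshold
MIN_NEAR_XFERS = 3             # assumed tuning: near-threshold credits before we alert
MAX_USES_PER_BENEFICIARY = 2   # mules were typically used only once or twice


def near_threshold(amount):
    """True if the amount sits just under the reporting threshold."""
    return REPORT_THRESHOLD * NEAR_BAND <= amount < REPORT_THRESHOLD


def flag_structuring(records):
    """Return {originator: summary} for originators showing the mule pattern:
    several just-under-threshold credits, spread over two or more beneficiaries
    that are each used no more than MAX_USES_PER_BENEFICIARY times."""
    per_orig = defaultdict(lambda: defaultdict(list))
    for orig, bene, amount in records:
        if near_threshold(amount):
            per_orig[orig][bene].append(amount)
    alerts = {}
    for orig, benes in per_orig.items():
        n_xfers = sum(len(v) for v in benes.values())
        all_one_off = all(len(v) <= MAX_USES_PER_BENEFICIARY for v in benes.values())
        if n_xfers >= MIN_NEAR_XFERS and len(benes) >= 2 and all_one_off:
            alerts[orig] = {
                "near_threshold_credits": n_xfers,
                "distinct_beneficiaries": len(benes),
                "total": round(sum(sum(v) for v in benes.values()), 2),
            }
    return alerts


if __name__ == "__main__":
    print(flag_structuring(SAMPLE_ACH))
```

The single large payroll credit and the routine vendor payments are ignored, so only the originator whose sub-threshold credits fan out across one-off beneficiaries is reported.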
“We don’t know the total number” of people involved, Warner said. “It is clearly over 6,000 people.”
International cooperation is improving, and in the last two years the FBI has placed legal attaches in U.S. embassies in Ukraine, Romania, Estonia and the Netherlands to aid investigations, Kinsman said. But even with goodwill, investigations are hampered by the distances involved, differences in national laws and the frequent lack of formal cooperative agreements and treaties.
Cleaning up the Internet completely might not be possible. But Operation Trident BreACH and other recent civil actions demonstrate that if the stakes are high enough the good guys can score victories.
William Jackson is a freelance writer and the author of the CyberEye blog.