Russian Hackers — Evgeniy Bogachev aka “Umbro” aka “Lucky12345”

“It is believed GOZ [GameOver Zeus] is responsible for more than one million computer infections, resulting in financial losses of more than $100 million.”

FBI ‘wanted poster’ for Mr Bogachev

According to the NYT, Dutch Intel Agencies have provided information to the US IC regarding the “Russian hacking” of the 2016 US election. On 29 December 2016, OFAC (the US Office of Foreign Assets Control ) has updated the ‘Specially Designated Nationals List’ to include four members of the GRU and two hackers ( Belan Aleksei and Evgeniy Bogachev).

Until now, it was not known what information the “Dutch Intel Agencies” could have provided to the US IC and why these two cyber-criminals were listed by the OFAC? The answers to these questions just surfaced in a Dutch newspaper. And by the way, this new information also sheds some light on the story of FSB Colonel Sergey Mikhailov. Follow us on Twitter: @INTEL_TODAY

The many puzzling pieces of the Russia Hacking Theory

In a very short period of time, we have witnessed an unusual series of events. The US has accused a Russian Intelligence Agency to conduct cyber-attacks related to the 2016 Presidential election, the Russian authorities have jailed most members of a hacker group known as ‘Shaltay Boltay’ and three FSB officers as well as one of their top cyber-security expert from Kaspersky Lab are accused of high treason.

Most media have assumed that these events are related. Surely, the timing of these events seems to indicate some link between them. But what is this link, if any? After all, the GRU is accused of the cyber-attacks, not the FSB.

According to a recent piece in the NYT, Dutch Intel Agencies have provided information to the US IC. [ThreatConnect has identified six of the eight addresses as originating from servers owned by King Servers in Dronten, the Netherlands.]

RELATED POST: Inside the Intrigue of ‘Russia’s Cyberattacks’

On 29 December 2016, OFAC (the US Office of Foreign Assets Control ) has updated the ‘Specially Designated Nationals List’ to include four members of the GRU and two hackers.

The four GRU individuals are the Head of the agency and three of his Deputy Chiefs.

The two hackers are:

BELAN, Aleksey Alekseyevich (a.k.a. Abyr Valgov; a.k.a. BELAN, Aleksei; a.k.a. BELAN, Aleksey Alexseyevich; a.k.a. BELAN, Alexsei; a.k.a. BELAN, Alexsey; a.k.a. “Abyrvaig”; a.k.a. “Abyrvalg”; a.k.a. “Anthony Anthony”; a.k.a. “Fedyunya”; a.k.a. “M4G”; a.k.a. “Mag”; a.k.a. “Mage”; a.k.a. “Magg”; a.k.a. “Moy.Yawik”; a.k.a. “Mrmagister”), 21 Karyakina St., Apartment 205, Krasnodar, Russia; DOB 27 Jun 1987; POB Riga, Latvia; nationality Latvia; Passport RU0313455106 (Russia); alt. Passport 0307609477 (Russia) (individual) [CYBER2].

BOGACHEV, Evgeniy Mikhaylovich (a.k.a. BOGACHEV, Evgeniy Mikhailovich; a.k.a. “Lastik”; a.k.a. “lucky12345”; a.k.a. “Monstr”; a.k.a. “Pollingsoon”; a.k.a. “Slavik”), Lermontova Str., 120-101, Anapa, Russia; DOB 28 Oct 1983 (individual) [CYBER2].

Aleksei Belan is on the FBI WANTED list since September 2012. Evgeniy Bogachev was indicted under the nickname “lucky12345” by a federal grand jury in the District of Nebraska on charges of Conspiracy to Participate in Racketeering Activity in August 2012.

At the time, there was no known reason to believe that these two individuals worked for the Russian State, let alone that they participated in the DNC alleged hacking.

RELATED POST: Intel Report Suspiciously Anachronistic

Evgeniy Bogachev: “The most wanted cyber criminal in the world”

The 33-year-old is thought to be the mastermind behind arguably the most sophisticated cybercrime network the world has ever seen.

At his height, Mr Bogachev had control of more than a million computers around the world and was responsible for creating a network of infected computers that he used to siphon millions of dollars from the bank accounts of unsuspecting people and foreign businesses.

The US government has bounty of $US3 million  on his head for any information that leads to his capture.

In December, the Obama administration announced sanctions against Mr. Bogachev along with five others in response to a belief that Russia used cyber hacking to influence the outcome of the latest presidential election.

A joint Dutch Police – FBI – FSB Operation

Since 2009, FSB agents have been visiting the Netherlands, where they have also been meeting with officials of the FBI.

The cooperation with the FSB and FBI started in 2009 to apprehend cybercriminals. It is unique for Russians and Americans, who still meet in the Netherlands, to exchange information on this scale.

Their relationship has been tense since the annexation of Crimea by Russia. Due to the sensitivity of the meetings, the police rooms where they were held were turned inside out afterwards by sweeper teams checking for bugging devices.

The first criminal the Dutch police and the Russians tried to track down, was the Russian hacker Evgeniy Bogachev.

The end of ZeuS

The first case in which Dutch police and Russian FSB cooperated the ZeuS trojan horse malware.

Many of the criminals involved were known to use servers of the Dutch hosting company Leaseweb. The company offers relatively anonymous and cheap services as well as high-speed connections.

To communicate, these criminals often used the messenger service ICQ, which is still popular in Russia and Eastern Europe, despite the fact that it doesn’t use encryption.

In late 2008, the Dutch Police asked other countries for the ICQ numbers of known cyber criminals. Within 3 months, authorities from the US, Germany, Britain, the Ukraine and Russia provided a total of 436 ICQ numbers.

In January 2009, the public prosecutor and an examining judge approved the interception of communications associated with these numbers.

After collecting the messages associated with the 436 ICQ numbers and subsequently analysing them, it came out that one particular ICQ number acted as the leader of the cyber crime network. In one of the intercepted conversations this person even admitted to be the designer of the ZeuS malware.

The police gave him the codename “Umbro”, but he himself used aliases like Lucky12345, Monstr, Slavik, IOO, Pollingsoon, and Nu11.

De Volkskrant story doesn’t tell how the police found out the real identity of “Umbro” and it was only in 2014, under the international law enforcement Operation Tovar, that he was identified as Evgeniy Mikhailovich Bogachev, born October 28, 1983.

Already in 2013, investigators noticed that the ZeuS virus wasn’t just used for stealing money anymore, but also for finding out very specific information about government officials of Russia’s neighbors.

Dutch police and the FBI became convinced that “Umbro”  (Bogachev) had started working for Russian intelligence too. [ELECTROSPACES]

US Sanctions & the arrest of FSB Sergei Mikhailov

The story explains why, after the hack of the Democratic National Committee (DNC) in 2016, the US government put Bogachev on a list of sanctioned individuals.

Bogachev has not been arrested, probably because he is useful for Russian intelligence operations.

FSB Colonel Sergei Mikhailov was the most important Russian contact for the Dutch police. Mikhailov was  arrested in early December 2016. According to Russian press reports, Mikhailov and Kaspersky expert Ruslan Stojanov have leaked classified information to US intelligence.

RELATED POST: Inside the Intrigue of ‘Russia’s Cyberattacks’

REFERENCES

The Russian hacker with a $4 million bounty on his head — News.com.au

Dutch police works together with Russia’s FSB, despite political tensions — Volkskrant

A Shakeup in Russia’s Top Cybercrime Unit — KrebsonSecurity

Treason charges against Russian cyber experts linked to seven-year-old accusations — Reuters

The FSB Purge: Two Narratives — emptywheel

Reuters Confirms Krebs’ Supposition on Russian Treason Charges —  emptywheel

A Voice Cuts Through, and Adds to, the Intrigue of Russia’s Cyberattacks — NYT

Obama Administration Rushed to Preserve Intelligence of Russian Election Hacking — NYT

RELATED POST: Russian Media Reveal Identity of Third FSB Officer Arrested on Charges of Treason

RELATED POST: WHO IS Shaltay-Boltay? Ruslan Stoyanov

RELATED POST: RUSSIA: FSB Shaken by a Major Reshuffle

RELATED POST: WHO IS Shaltay-Boltay? FSB Major Dmitry Dokuchaev

RELATED POST: WHO IS Shaltay-Boltay? FSB Colonel Sergey Mikhailov

RELATED POST: WHO IS Shaltay-Boltay? Konstantin Teplyakov and Aleksandr Filinov

RELATED POST: WHO IS Shaltay-Boltay? Alexander Glazastikov

RELATED POST: WHO IS Shaltay-Boltay? Irina Shevchenko (‘Alice’)

RELATED POST: WHO IS Shaltay-Boltay? Vladimir Anikeev (‘Lewis’)

RELATED POST: The ‘Humpty Dumpty’ Case: “Six Characters in Search of an Author”

RELATED POST: The Moscow Four: What story hides behind the arrest of Russia’s top cybercrime investigators?

=

Russian Hackers — Evgeniy Bogachev aka umbro aka Lucky12345

This entry was posted in Cyber-Security, Cybercrime, DNC & Podesta Leaks, FBI, Hacking, Russia and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s