Chapter 14
Not everyone was happy with the process used. Marcus Sachs, director of the SANS Internet Storm Center, wrote to Brian Krebs in an email, "There are others out there who need to be cut off but we've got to find a better way to do it than by creating the virtual equivalent of a lynch mob."
Paul Ferguson of Trend Micro disagreed with Sachs and said that "this was a (good) example of the community policing itself."
ESTDomains.
Atrivo's biggest customer was the Estonian company ESTDomains, based in Tartu, Estonia (but registered as a US corporation in Delaware).
ESTDomains, as its name suggests, was a domain registrar that dealt almost exclusively with criminal elements engaged in setting up Internet scams. The principal of ESTDomains is Vladimir Tsastsin, who was convicted for credit card fraud, document forgery, and money laundering, and spent three years in an Estonian prison.
Krebs wrote a Security Fix blog post about Tsastsin and ESTDomains on September 8, 2008, wherein he quotes the head of Estonia's Computer Emergency Response Team (CERT), Hillar Aarelaid: To understand EstDomains, one needs to understand the role of organized crime and the investments coming from that, their relations to hosting providers in Western nations and the criminals who ply their trade through these services.
In other words, Tsastsin is one of the front men for Russian organized crime's entree into the lucrative world of Internet crime. Two months after Krebs's article outed him, ICANN pulled the plug on the right of ESTDomains to issue domain names, citing its CEO's criminal conviction as the cause.
ESTDomain: A 2009 Update.
On August 26, 2009, TrendMicro issued a report on another major cyber crime Internet services provider based in Tartu, Estonia (the report authors did not reveal the name), whose CEO (again, no name) was convicted for credit card fraud.
That sounds remarkably similar to Vladimir Tsastsin. This company also owns two US businesses that collectively engage in:

Web hosting
Advertising
Internet traffic distribution
Pay-per-click advertising
Parking domain site hosting

Interestingly, what is missing from that list is domain name registration, the one thing that Tsastsin is legally prevented from doing.
The influence and reach that this company has in the Internet underworld is pervasive, according to the TrendMicro report: It appears that the Estonian company controls every step between driving traffic to sites that contain DNS changer Trojans to maintaining rogue DNS servers. It also appears to maintain the foreign malicious IP addresses to which its victims are redirected to when they attempt to access a site such as Google.
And, finally, in order to avoid what happened to Atrivo/Intercage when its plug got pulled, this company has a network of hundreds of proxy servers distributed across 15 networks in multiple nations.
Lesson learned.
McColo: Bulletproof Hosting for the World's Largest Botnets.
The McColo story is even more instructive for cyber-conflict policymakers than Atrivo/Intercage. It perfectly illustrates the key role that US-based businesses play in providing protected platforms for Russian organized crime enterprises that, in turn, are utilized as attack platforms by nonstate actors in nationalistic and religious actions.
McColo was formed by a 19-year-old Russian hacker and college student named Nikolai, aka Kolya McColo. Upon his death in a car accident in Moscow in September 2007, the McColo company was taken over by McColo's friend "Jux," a "carder" (carders make their money in the underground market for stolen credit card data). The amount of money being made by McColo makes it likely that it attracted the attention of Russian mobsters, which puts an entirely new spin on the possible cause for Kolya McColo's car accident.
The graphic in Figure 8-4, created by Brian Krebs, illustrates the extremely broad scope of McColo's collection of botnets and bad hosts in terms of spam and cyber crime. The following is Krebs's explanation of what the graphic depicts: The upper right-hand section of the graphic highlights the numeric Internet addresses assigned to McColo that experts, such as Joe Stewart, the director of malware research for Atlanta-based SecureWorks, say were used by some of the most active and notorious spam-spewing botnets, agglomerations of millions of hacked PCs that were collectively responsible for sending more than 75 percent of the world's spam on any given day (for that sourcing, see the colorful pie chart below, which is internet security firm Marshal.com's current view of the share of spam attributed to the top botnets). In the upper left corner of the flow chart are dozens of fake pharmacy domains that were hosted by McColo.
Figure 8-5 shows an expanded view of the upper-right corner of this graphic, which lists the botnet command and control servers (C&C) hosted on networks provided by McColo. It controls the world's largest botnets, which collectively run millions of infected hosts (individual computers infected by malware) that generate an estimated 75% of the world's spam according to TraceLabs, a division of the UK security firm Marshall.
Figure 8-4. McColo hosting of cyber bad actors
Figure 8-5. Botnet C&C servers hosted on McColo
When McColo was de-peered (i.e., dropped by its Internet backbone providers Global Crossing, Hurricane Electric, and Telia), worldwide spam rates dropped by 67% overnight.
According to the FBI, US losses to Internet crime in 2008 amounted to $246.6 million. Since spam is the principal source of income for cyber criminals, McColo going offline represented a significant loss of revenue to criminal organizations, but it didn't last long.
The authors of the botnets simply found other bandwidth resellers to take McColo's place. In fact, the entire issue of unvetted bandwidth reselling represents a serious national security risk that must be addressed if nations want to begin to stem the tide of distributed denial of service (DDoS) attacks generated by botnets against their websites. This is particularly true for the US government.
Russian Organized Crime and the Kremlin.
David Satter is a recognized authority on Russian organized crime, and I highly recommend his book Darkness at Dawn (Yale University Press).
Satter recently wrote an article on the suspected ties between Russian organized crime and the Russian police as seen in the rising unsolved murder rate of journalists in the Russian Federation whose work had become too problematic for the authorities to manage ("Who Murdered These Russian Journalists?," Forbes.com, December 26, 2008). Satter used the case of the murdered journalist Anna Politkovskaya to illustrate his point.
He tells how Sergei Sokolov, Russia's
Charges related to planning the reporter's murder were also brought against a former major in a police unit whose job it was to fight organized crime.
That same major was charged four years earlier with the torture and kidnapping of a Russian businessman. His reported accomplice was a former FSB colonel.
On February 19, 2009, the trial ended with no convictions. One month earlier, on January 19, Stanislav Markelov, Anna Politkovskaya's lawyer, was shot to death as he left a news conference located less than half a mile from the Kremlin. No one has been charged with his murder.
There is a lengthy list of unsolved murders of journalists, businessmen, political opponents, and other figures over the past few years that should make anyone who envisions taking on organized crime reconsider.
The relevance of this broad look at Russian organized crime in a book about cyber warfare is to help establish a better understanding of the relationship between these criminal organizations and Russian government officials. That relationship doesn't change because the landscape moves from the streets of Moscow to the virtual world of the Internet. Cyberspace simply becomes another domain in which organized crime can operate with the same ruthlessness and violence that it does elsewhere.
Understanding this is vital for Western government policymakers who may still believe that cyber wars are being fought by bored teenage hackers.
The links between Russian organized crime, Russian intelligence, and the Russian government are fairly well documented, but their extension into cyber crime is not. Affected governments need to conduct additional investigations into this problem and coordinate assets.
Chapter 9. Investigating Attribution.
A well-designed, defensible network should have a number of monitoring elements available for forensic analysis when it is attacked or compromised. For example, most networks will have deployed intrusion detection systems, firewall and router traffic logs, and access logs contained on the server itself. There exists a bevy of tools and techniques that can allow an investigator to gain further insight using open source data. This includes routing information from the border gateway protocol (BGP), [37] domain name system (DNS), darknet monitoring, blacklist services (such as those offered by Spamhaus, CBL, etc.), and, to a lesser degree, Internet registry information (e.g., ARIN, RIPE, APNIC, etc.).
Performing a traceroute on each IP will show an experienced computer security engineer where the attacks originated from and what path the packets took to get to the target.
This chapter takes a rudimentary look at these computer forensic tools by way of some real-world examples.
Using Open Source Internet Data.
The following serves as an introduction to several key internetworking concepts. This is fairly complex subject matter, and will be discussed only at a very high level here.
The border gateway protocol (BGP) is widely characterized as the "glue of the Internet." Every Internet service provider uses BGP to move packets between source and destination nodes. Essentially, each BGP "speaking" router will dynamically maintain a table of network addresses, or "prefixes," which details network availability.
For the sake of the examples outlined in this chapter, there are three main concepts you should understand:

Autonomous system
"[A] collection of connected IP routing prefixes under the control of one or more network operators that presents a common, clearly defined routing policy to the Internet" (RFC 1930)

I-BGP
Internal Border Gateway Protocol; used to communicate routing information within a single autonomous system

E-BGP
External Border Gateway Protocol; used to communicate routing information between separate autonomous systems

BGP data is a very powerful tool for attribution analysis. Using this information, it is possible for an investigator to identify the "source" network of an attack, as you'll read about in the upcoming case studies.
There are a number of ways to query BGP information that do not require access to an ISP router or knowledge of very specialized routing specifics. For example, using the Team Cymru IP to ASN service it is possible to retrieve global routing information, as shown in Figure 9-1.
Figure 9-1. Screenshot of a data request using Team Cymru's IP to ASN service
The screenshot shows that IP address 4.2.2.1 is routed by autonomous system (AS) 3356, which is administered by Level 3 Communications. Another excellent resource is offered by RIPE.
The domain name system is another example of open source Internet data that can greatly aid an investigation into suspected intrusion IP addresses. DNS is a global hierarchical system that allows a user to translate a common name (www.foo.com, for example) into an IP address. Based on its DNS name, it may be possible to uncover information that would help characterize the attacking IP address. For example, is the attacking machine a mail server or a web server? Could it be a router or a client machine located on a dial-up service? This information is very useful in determining technical attack attribution. There exist several online tools to assist in this search, including DomainTools.
It is also possible to leverage "black lists" to determine whether the suspect IP address has been associated with any previous malfeasance, such as spamming, scanning, or malware infection. Several organizations offer these services, including Spamhaus and the SANS Internet Storm Center.
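The three open-source lookups just described (the Team Cymru IP-to-ASN service, the DNS name of the suspect host, and a DNS-based blacklist such as Spamhaus) all share one mechanism: the address octets are reversed and prepended to a zone name, and the answer is read back as a TXT, PTR or A record. The following Python is an added example, not from the book or from either service. It builds those query names, parses the pipe-delimited Team Cymru origin answer, applies a keyword heuristic to the PTR name for the "mail server or dial-up client?" question, and decodes Spamhaus ZEN return codes. The DNS answers are constructed stand-ins passed in as dict lookups; the `enrich` function and the `ROLE_HINTS` keywords are this example's own, and the ZEN code meanings are taken from Spamhaus's published list as recalled here and should be checked against current documentation.

```python
# Reversed-octet DNS queries for IP-to-ASN, PTR and DNSBL enrichment.
# Added example; every DNS answer below is a constructed stand-in.
import ipaddress
from typing import Optional

CYMRU_ORIGIN_ZONE = "origin.asn.cymru.com"
SPAMHAUS_ZEN_ZONE = "zen.spamhaus.org"

# Meaning of zen.spamhaus.org A-record answers, as recalled from Spamhaus's
# published return codes (assumption: verify against current documentation).
ZEN_CODES = {
    "127.0.0.2": "SBL: spam source",
    "127.0.0.3": "CSS: snowshoe or compromised sender",
    "127.0.0.4": "XBL: exploited host",
    "127.0.0.10": "PBL: end-user address space (ISP-submitted)",
    "127.0.0.11": "PBL: end-user address space (Spamhaus-maintained)",
}

# PTR-name fragments that hint at a host's role (heuristic only, not proof).
ROLE_HINTS = {
    "mail server": ("mail", "mx", "smtp"),
    "web server": ("www", "web"),
    "router": ("gw", "router", "core", "edge"),
    "client / dynamic pool": ("dial", "dsl", "ppp", "pool", "dyn", "cable"),
}


def reversed_octets(ip: str) -> str:
    """'4.2.2.1' -> '1.2.2.4'; rejects IPv6 and malformed input."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def cymru_origin_qname(ip: str) -> str:
    return f"{reversed_octets(ip)}.{CYMRU_ORIGIN_ZONE}"


def ptr_qname(ip: str) -> str:
    return f"{reversed_octets(ip)}.in-addr.arpa"


def dnsbl_qname(ip: str, zone: str = SPAMHAUS_ZEN_ZONE) -> str:
    return f"{reversed_octets(ip)}.{zone}"


def parse_cymru_txt(txt: str) -> dict:
    """Origin TXT answers are pipe-delimited: ASN | prefix | CC | registry | date."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) != 5:
        raise ValueError(f"unexpected origin answer: {txt!r}")
    asn = int(fields[0].split()[0])      # multi-origin prefixes list several ASNs
    ipaddress.IPv4Network(fields[1])     # reject a malformed prefix early
    keys = ("asn", "prefix", "country", "registry", "allocated")
    return dict(zip(keys, (asn, *fields[1:])))


def ptr_hint(name: Optional[str]) -> str:
    if not name:
        return "no PTR record"
    labels = name.lower().rstrip(".").split(".")
    for role, fragments in ROLE_HINTS.items():
        if any(lbl.startswith(frag) for lbl in labels for frag in fragments):
            return role
    return "unknown"


def decode_dnsbl(answers: Optional[list]) -> list:
    """None (NXDOMAIN) means not listed; an answer outside 127.0.0.0/8 means
    the zone did not answer as a DNSBL (wildcarded or hijacked), so fail loudly."""
    if not answers:
        return []
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    out = []
    for a in answers:
        if ipaddress.IPv4Address(a) not in loopback:
            raise ValueError(f"non-loopback DNSBL answer {a}; lookup unreliable")
        out.append(ZEN_CODES.get(a, f"unrecognised code {a}"))
    return out


def enrich(ip: str, txt, ptr, dnsbl) -> dict:
    """Run the three lookups through caller-supplied resolver callables."""
    raw = txt(cymru_origin_qname(ip))
    origin = parse_cymru_txt(raw) if raw else {}
    name = ptr(ptr_qname(ip))
    return {
        "ip": ip,
        "asn": origin.get("asn"),
        "prefix": origin.get("prefix"),
        "ptr": name,
        "role_hint": ptr_hint(name),
        "listings": decode_dnsbl(dnsbl(dnsbl_qname(ip))),
    }


# Constructed answers standing in for live DNS. The 4.2.2.1 -> AS3356 row mirrors
# the chapter's Figure 9-1; 203.0.113.7 is a documentation address given a
# private-use ASN and an invented PTR name.
SAMPLE_TXT = {
    "1.2.2.4.origin.asn.cymru.com": '"3356 | 4.0.0.0/9 | US | arin | 1992-12-01"',
    "7.113.0.203.origin.asn.cymru.com": '"64503 | 203.0.113.0/24 | ZZ | example | 2009-01-01"',
}
SAMPLE_PTR = {"7.113.0.203.in-addr.arpa": "dyn-7.pool.example.net."}
SAMPLE_DNSBL = {"7.113.0.203.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"]}

if __name__ == "__main__":
    for ip in ("4.2.2.1", "203.0.113.7"):
        print(enrich(ip, SAMPLE_TXT.get, SAMPLE_PTR.get, SAMPLE_DNSBL.get))
```

To run this against live DNS, replace the three dict `.get` callables with functions that issue TXT, PTR and A queries (dnspython's `dns.resolver.resolve` is one option); the query-name construction is the part that stays fixed. Keeping the resolver injectable is also what lets an analyst replay stored answers from an incident without re-querying the services.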
Background.
On January 18, 2009, a large-scale distributed denial of service (DDoS) attack began against Kyrgyzstan Internet service providers (ISPs). Key national web server site Asiainfo.kg and the Kyrgyzstan official domain registration service Domain.kg have been available only intermittently since that date.
Russian-based servers primarily known for cyber crime activity have been identified through IP analysis of the attacks on Kyrgyzstan. Figure 9-2 shows the Internet routing during the later stages of the Kyrgyzstan DDoS attacks.
Figure 9-2. Internet routing diagram for a set of autonomous systems in the KG attacks
Figure 9-3 provides a BGP Internet traffic routing map for the period of January 15, 2009, with a primary focus on highlighting the DDoS traffic against AS8511 Asiainfo of Kyrgyzstan. The BGP represents a route map for how Internet traffic should move from one ISP to another in the most efficient way.
Figure 9-3. BGP routing map
What Is an Autonomous System Network?
Figure 9-3 is a diagram of packet flow through various autonomous system (AS) networks. If you look closely you'll recognize a few that are mentioned in the table that supports the diagram. Packets don't necessarily follow the maxim that says the shortest distance between two points is a straight line. In fact, that rarely happens. A traceroute reveals the sometimes complex path that packets take to move from the source to the destination. AS numbers act like intersections that help investigators discover the server networks that were used.
An AS number is linked to a block of IP addresses. These in turn are owned by a large Internet services company, such as The Planet, or a utility such as Qwest or ComCor TV, a Russian cable company.
When AS networks agree to carry one another's traffic, it's known as "peering." Peering can occur in a few different ways, but typically it is either through swaps or some form of payment arrangement.
It's important to note that just because these packets traveled through a Russian network, it doesn't convey any geopolitical responsibility or "evidence." The StopGeorgia.ru forum was, after all, hosted on a US-based server in Plano, TX, but no one is suggesting that the US government was involved in the cyber attacks against Georgian government websites.
For the purpose of investigating cyber attacks, the path is not nearly as revealing as the source. In the case of the attack data provided by individuals from ASIAINFO in Kyrgyzstan, some of the IPs resolved to Russian sources; for example, 78.37.132.241 was one of many attacking IPs, and it resolved to an AS network in St. Petersburg, Russia. Another IP (83.167.116.135) originated with Comcor TV in Moscow. Yet another, 86.60.88.191, originated in Riyadh, Saudi Arabia, and is blacklisted by a number of spam-tracking organizations.
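To make the "AS numbers act like intersections" idea concrete, and to show what a traceroute on an attacking IP actually yields once each hop is mapped to its network, here is an added Python example that is not from the book. It parses traceroute output, maps each hop address to an AS with a longest-prefix match against a prefix table (the same rule a router applies when several prefixes cover one address), and collapses consecutive hops within one AS into an AS-level path. The traceroute text and the prefix table are constructed: documentation address ranges and private-use ASNs stand in for real networks, and only the 4.0.0.0/9 to AS3356 row echoes the chapter's Figure 9-1.

```python
# Parse traceroute output and map each hop to an autonomous system with a
# longest-prefix match. Added example; the traceroute text and the prefix
# table are constructed (only the 4.0.0.0/9 -> AS3356 row echoes the chapter).
import ipaddress
import re
from typing import Optional

# (prefix, ASN, holder). Documentation ranges and private-use ASNs are
# placeholders; 198.51.100.128/25 is a deliberate more-specific of the /24.
PREFIX_TABLE = [
    ("4.0.0.0/9", 3356, "Level 3 Communications"),
    ("192.0.2.0/24", 64500, "target ISP (constructed)"),
    ("198.51.100.0/24", 64501, "transit carrier (constructed)"),
    ("198.51.100.128/25", 64502, "carrier customer (constructed)"),
    ("203.0.113.0/24", 64503, "source ISP (constructed)"),
]

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_traceroute(text: str) -> list:
    """Return [(hop_number, ip_or_None)]. Handles 'name (ip)', bare-ip (-n)
    and '* * *' hop lines; the 'traceroute to ...' header is skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        ip = None
        found = IPV4.search(m.group(2))
        if found:
            try:
                ip = str(ipaddress.IPv4Address(found.group(0)))
            except ipaddress.AddressValueError:
                ip = None
        hops.append((int(m.group(1)), ip))
    return hops


def longest_prefix_match(ip: str, table) -> Optional[tuple]:
    """Most specific covering prefix wins, as in a BGP router's forwarding table."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for prefix, asn, holder in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, holder)
    return None if best is None else (str(best[0]), best[1], best[2])


def as_path(hops, table) -> list:
    """Collapse consecutive hops inside the same AS into one entry, skipping
    timed-out or unmapped hops, so the result reads like an AS-level path."""
    path = []
    for _, ip in hops:
        if ip is None:
            continue
        hit = longest_prefix_match(ip, table)
        if hit is None:
            continue
        _, asn, holder = hit
        if not path or path[-1][0] != asn:
            path.append((asn, holder))
    return path


# Constructed traceroute output (not captured from any real network).
SAMPLE_TRACEROUTE = """\
traceroute to 4.2.2.1 (4.2.2.1), 30 hops max, 60 byte packets
 1  gw.lan (203.0.113.1)  0.412 ms  0.390 ms  0.380 ms
 2  203.0.113.254  1.905 ms  1.880 ms  1.870 ms
 3  * * *
 4  198.51.100.130  9.201 ms  9.100 ms  9.050 ms
 5  198.51.100.9  12.004 ms  11.900 ms  11.880 ms
 6  192.0.2.17  20.311 ms  20.200 ms  20.150 ms
 7  4.2.2.1 (4.2.2.1)  21.004 ms  20.950 ms  20.900 ms
"""

if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    for hop, ip in hops:
        hit = longest_prefix_match(ip, PREFIX_TABLE) if ip else None
        print(hop, ip or "*", f"AS{hit[1]} {hit[2]}" if hit else "unmapped")
    print("AS path:", [asn for asn, _ in as_path(hops, PREFIX_TABLE)])
```

Hop 4 falls inside both 198.51.100.0/24 and its more-specific 198.51.100.128/25, and the /25 wins; that is the same longest-match rule that lets a customer's announcement override its carrier's aggregate, and it is why an AS-level path should be built from the most specific covering prefix rather than the first table row that matches. In practice the prefix table would be populated from the Team Cymru origin lookups or a BGP table dump rather than typed in.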
In addition to running a traceroute on an attacking IP, it's important to look at the timeline of conditions taking place within the country that is experiencing a cyber attack. The following timeline was created to help determine attribution in the 2009 Kyrgyzstan DDOS attacks. As of this writing, there is still no confirmation as to the party or parties responsible. What follows is merely my hypothesis of the most likely culprit, as published on the IntelFusion blog in January 2009.
Timeline of political events.
January 17: Prominent opposition leader detained in Kyrgyzstan.
January 17: Political confrontation intensifies; opposition activists form new coalition, the United People's Movement (UPM).
January 19: Two opposition leaders detained and charged.
January 19: Russia presses Kyrgyzstan to close US base.
January 20: Kyrgyzstan opposition denied use of Parliament Press Center.
January 21: Kyrgyzstan government targets opposition.
January 22: Journalists ordered to file personal information.
January 22: Kyrgyz Opposition Party denied registration.
Analysis.
The Kyrgyz cyber attacks during the week of January 18, 2009, fall right in line with an escalating series of repressive political actions by the Bakiev government against this latest attempt to form an opposition political party-the UPM. Bakiev should know, since it was the Tulip Revolution in 2005 (and the last time that DDoS attacks were utilized in Kyrgyzstan) that brought him to power.
Opposition leader Omurbek Tekebaev has pointed out the similarities between 2005 and 2009: "Both then and now, you could see people mistrusted those in power, who lacked moral authority. Both then and now, public opinion was completely controlled by the authorities, and there was persecution of journalists and dissidents, criminal persecution of political opponents," he said in an IWPR article.
This appears to be a cyber operation for hire by the Bakiev government against its political opposition to control information access. The likely culprits are Russian hackers with moderate skill levels who regularly engage in cyber crime.
There is no evidence that the Russian government is directly involved; however, Moscow has complete control over the servers owned by JSC and Golden Telecom. To date, no action has been taken by the Russian Federation (RF) to deny access to these servers by Russian hackers.
Alternate views.
Don Jackson of SecureWorks, an information and network services security provider based in Atlanta, GA, looked at the same evidence and came to a different conclusion. Jackson wrote in the SecureWorks Research blog on January 28, 2009, that the Kyrgyzstan DoS attack was a way for the Kremlin to influence Kyrgyz President Kurmanbek Bakiyev to close the Manas airbase, thus denying the US military effort in Afghanistan a key airport facility.
The problem with this alternate view is that the Kremlin had a much more powerful lever with which to influence the Bakiyev government: money. The Kyrgyz economy was being hard hit by the global economic crash of late 2008/2009, and the Kremlin offered an aid package of $2 billion US in loans if Kyrgyzstan were to close Manas. The Kyrgyz Parliament agreed, and US forces were to be out of the base by August 1, 2009.
As of this writing, there is yet a new twist. On June 25, 2009, the Kyrgyz parliament ratified a new agreement with the US government for the continued use of the Manas airbase to transport supplies to Afghanistan. The price tag? $60 million for one year, more than triple the old rate.