Saturday 12 April 2014

Zeus Criminals charged in Omaha, Nebraska

Legal documents analayzed below are available at the bottom of this DOJ article: Nine Charged in Conspiracy to Steal Millions of Dollars using Zeus Malware
We've talked about Zeus in this blog for many years, including some good arrests, such as Major Zeus Bust in the UK: Nineteen Zbot Thieves Arrested. But we now have names for the ring leaders of the biggest Zeus case of all time, Operation Trident BreACH. We knew the aliases of the Ring Leaders publicly thanks to Microsoft's work back in 2012 (see Microsoft DCU, FS-ISAC and NACHA vs. Zeus) but who were these mystery men: tank and petr0vich?
Now we know ... more anyway ... Two Ukrainian members of the Jabber Zeus gang stood in federal court in Omaha, Nebraska last week to plead "Not Guilty" after being extradicted from the UK. Yuriy Konovalenko and Yevhen Kulibaba are among the nine people listed in the indictments that have been sealed since August of 2012. The list of defendents is:

  • Yvacheslav Igorevich Penchukov, AKA tank, AKA father
  • Ivan Viktorvich Klepikov, AKA petr0vich, AKA nowhere
  • Alexey Dmitrievich Bron, AKA thehead
  • Alexey Tikonov, AKA kusanagi
  • Yevhen Kulibaba, AKA jonni
  • Yuriy Konovalenko, AKA jtk0
  • John Doe #1, AKA lucky12345
  • John Doe #2, AKA aqua
  • John Doe #3, AKA mricq
DOJ is still seeking four of the named criminals, and still has not publicly acknowledged the names of the three John Does. If you have information on these, please reach out to the FBI!
Tank == Vyacheslav Igorevich Penchukov, 32, of Ukraine, who allegedly coordinated the exchange of stolen banking credentials and money mules and received alerts once a bank account had been compromised.
Petr0vich == Ivan Viktorvich Klepikov, 30, of Ukraine, the alleged systems administrator who handled the technical aspects of the criminal scheme and also received alerts once a bank account had been compromised.
TheHead == Alexey Dmitrievich Bron, 26, of Ukraine, the alleged financial manager of the criminal operations who managed the transfer of money through an online money system known as Webmoney.
Kusunagi== Alexey Tikonov, of Russia, an alleged coder or developer who assisted the criminal enterprise by developing new codes to compromise banking systems.
Although jonni is only now coming to trial in the United States, the Metropolitan Police of London arrested Kulibaba and his wife Karina Kostromina back in October of 2011, as we learned from KrebsOnSecurity in his article ZeuS Trojan Gang Faces Justice. Yuriy Konovalenko, AKA Pavel Klikov, was also in custody in the UK and was "due to be sentenced" according to Krebs' article.
Many of the crimes covered in this indictment are well known to us already, largely due to the work of journalist Brian Krebs. While Krebs was still at the Washington Post writing his Security Fix column, he made Zeus a household name.
Selected Victims:
  • Bank of America
  • Bullitt County Kentucky - Security Fix, Brian Krebs, July 2009. -- Bullitt County had $415,000 stolen from their accounts after being infected by Zeus.
  • Doll Distributing of Des Moines, Iowa
  • First Federal Savings Bank of Elizabeth Town, Kentucky
  • Franciscan Sisters of Chicago, (Homewood, Illinois)
  • Husker AG, LLC of Plainview, Nebraska
  • Key Bank of Sylvania, Ohio
  • ODAT LLC, d/b/a Air Treatment Company
  • Parago, Inc of Lewisville, TX
  • Salisbury Bank & Trust of Salisbury, MA
  • Town of Egremont, Mass
  • Union Bank and Trust of Lincoln, Nebraska
  • Union Bankshares of Ruther Glen, VA
  • United Dairy, Inc of Martins Ferry, OH
The version of Zeus at the heart of this investigation communicated stolen credentials to a server located on the IP address 66.199.248.195 at Ezzi.net in Brooklyn, NY. An FBI Agent interviewed Mohammed Salim in September 2009, who confirmed that the server in question, called the Incomeet server, was custom built for a Russian company "IP-Server Ltd" in Moscow, whose POC was "Alexey S." Extensive chat logs were recovered from the server with four separate search warrants - September 28, 2009, December 9, 2009, March 17, 2010, and May 21, 2010. Those web servers showed the criminals discussing their conspiracy, including many instances of the criminals trading login credentials for bank accounts. Those chats also showed that the criminals closely follow Brian Krebs! Tank and Aqua are shown discussing his Bullitt County article linked above and saying "They laid out the entire scheme! I'm really pissed! They exposed the entire deal!"
Doll Distributing had $59,222 stolen from them in two occasions. One of those wire transfers went to "Pandora Service, LLC" and to "Kodash Consulting." FBI Agents interviewed Heidi Nelson and Renee Michelli, the proprietors of those organizations who had believed they were acting as "Financial agents" for a Russian software company. In other words, they were money mules.
All of the victims named above were discussed in the chat logs by the criminals charged in this case.
I especially enjoyed learning how TANK was identified by name. In the chat, on July 22, 2009, he announced that his daughter, Miloslava, had been born and gave her birth weight. A records search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day. Her father was Vyacheslav Igorevich Penchokov. This was enough to seize the computers from Tank's home, which confirmed it was the same person!
Petr0vich was discovered because of mentions of the email address "theklutch@gmail.com" in the chat logs. Gmail was subpoenaed to get records for this email account, which showed "92.242.127.198" had been used to log in to that email address at least 790 times. The secondary email for that account, "petr0vich@ua.fm", was given when the account was created November 24, 2004. Several other addresses were used to login to both the petr0vich jabber account on the Incomeet server and the Gmail address, including 209.160.22.135. Similar techniques were then used to find the computers located at those IP addresses. Ivan Viktorovich Klepikov was found to be living in Donetsk, Ukraine.
TheHead stated his real name in the chat, and gave his gmail account as "alexey.bron@gmail.com". He was telling the truth.
Kusunagi gave a phone number in the chat, and found that phone number on a public webpage where Alexey Tikonov's real name and contact information were given. He lived in Tomsk, Russia. He also used his Kusanagi identity to post videos where WHOIS information related to those videos location confirmed his location.
Jonni and Jtk0 were identified by Detective Sergeant Simon Williams of the Metropolitan Police of London.

No comments:

Post a Comment