The Lurk virus hacked into banks while it was written by ordinary remote workers for hire

An excerpt from "The Invasion. A Brief History of Russian Hackers"

In May of this year the publishing house Individuum released a book by journalist Daniil Turovsky, "Invasion. A Brief History of Russian Hackers". It contains stories from the dark side of the Russian IT industry, about guys who fell in love with computers and learned not just to program but to rob people. The book develops the way the phenomenon itself did: from teenage hooliganism and forum gatherings to military operations and international scandals.

Daniil collected material for several years; some of the stories first appeared on Meduza, and Andrew Kramer of the New York Times received a Pulitzer Prize in 2017 for his retellings of Daniil's articles.

But hacking, like any crime, is too closed a topic. The real stories are passed only by word of mouth among insiders. The book leaves a feeling of incompleteness that only sharpens curiosity: it seems that for each of its heroes one could assemble a three-volume account of "how it really was".

With the publisher's permission, we publish a short excerpt about the Lurk group, which robbed Russian banks in 2015-16.

In the summer of 2015 the Russian Central Bank created FinCERT, a center for monitoring and responding to computer incidents in the credit and financial sector. Through it, banks exchange information about computer attacks, analyze them and receive protection recommendations from the security services. There are many such attacks: in June 2016 Sberbank estimated the Russian economy's losses from cybercrime at 600 billion rubles; at the same time the bank acquired a subsidiary, "Bizon", which handles corporate information security.

The first report on FinCERT's work (covering October 2015 to March 2016) describes 21 targeted attacks on bank infrastructure; as a result of these incidents, 12 criminal cases were opened. Most of these attacks were the work of one group, named Lurk after the virus of the same name, developed by the hackers and used to steal money from commercial enterprises and banks.

Police and cybersecurity experts had been looking for members of the group since 2011. For a long time the search was unsuccessful; by 2016 the group had stolen about three billion rubles from Russian banks, more than any other hackers.

The Lurk virus was different from anything the investigators had seen before. When the program was run in a lab for testing, it did nothing (hence the name Lurk, from the English "to lie low"). It later turned out that Lurk is designed as a modular system: the program gradually loads additional blocks with different functionality, from intercepting characters typed on the keyboard, logins and passwords, to recording a video stream of the infected computer's screen.

To spread the virus, the group hacked websites visited by bank employees: from online media (for example, RIA Novosti and Gazeta.ru) to accounting forums. The hackers exploited a vulnerability in an advertising banner exchange system and distributed the malware through it. On some sites the hackers placed the link to the virus only briefly: on the forum of one accounting magazine it appeared on weekdays at lunchtime for two hours, yet even in that window Lurk found several suitable victims.

Clicking on the banner took the user to a page with exploits, after which information was collected from the attacked computer; the hackers were mainly interested in remote banking software. The details in the banks' payment orders were replaced with the ones the hackers needed, and unauthorized transfers were sent to the accounts of companies associated with the group. According to Sergey Golovanov of Kaspersky Lab, in such cases groups usually use shell companies "which don't care what they transfer and cash out": they cash out the money received, put it in bags and leave dead drops in city parks, where the hackers pick them up. The members of the group carefully concealed their actions: they encrypted all daily correspondence and registered domains to fake users. "The intruders use triple VPN, Tor, secret chats, but the problem is that even a well-established mechanism fails," Golovanov explains. "Either the VPN drops, or the secret chat turns out to be not so secret, or someone, instead of calling via Telegram, simply calls from his phone. This is the human factor. And when you have a database that has been accumulating for years, you need to look for such accidents. After that, law enforcement officers can contact providers to find out who connected to such and such an IP address and at what time. And then things work out."

The detention of the Lurk hackers looked like an action movie. Employees of the Ministry of Emergency Situations cut the locks of the hackers' country houses and apartments in different parts of Yekaterinburg, after which FSB officers burst in shouting, grabbed the hackers, threw them on the floor and searched the premises. The suspects were then put on a bus, driven to the airport, escorted along the runway and loaded onto a cargo plane that flew to Moscow.

In garages owned by the hackers, cars were found: expensive Audi, Cadillac and Mercedes models. A watch encrusted with 272 diamonds was also found, along with seized jewelry worth 12 million rubles and weapons. In total, the police conducted about 80 searches in 15 regions and detained about 50 people.

In particular, all of the group's technical specialists were arrested. Ruslan Stoyanov, a Kaspersky Lab employee who investigated Lurk's crimes together with the security services, said that the group's management recruited many of them on ordinary job sites for remote work. The advertisements said nothing about the work being illegal, the salary Lurk offered was above market, and it was possible to work from home.

"Every morning, except weekends, in different parts of Russia and Ukraine, individuals sat down at their computers and started working," Stoyanov described. "The programmers tweaked the functions of the next version [of the virus], the testers checked it, then the person responsible for the botnet uploaded everything to the command and control server, after which the bot computers were updated automatically."

The court hearing of the group's case began in the fall of 2017 and was still under way at the beginning of 2019 because of the volume of the case, which runs to about six hundred volumes. A lawyer for one of the hackers, who withheld his name, claimed that none of the suspects would make a deal with the investigation, though some admitted part of the charges. "Our clients did do some work on developing various parts of the Lurk virus, but many simply were not aware that it was a Trojan," he explained. "Some of them did some of the algorithms that could work successfully in search engines."

The case of one of the group's hackers was separated into its own proceeding, and he received 5 years, in part for hacking into the network of the Yekaterinburg airport.

In recent decades the Russian security services have managed to defeat most of the major hacker groups that violated the main rule, "Do not work on ru": Carberp (stole about one and a half billion rubles from the accounts of Russian banks), Anunak (stole more than a billion rubles from the accounts of Russian banks), Paunch (created attack platforms through which up to half of infections worldwide passed) and so on. The income of such groups is comparable to the earnings of arms dealers, and besides the hackers themselves they include dozens of people: security guards, drivers, cashers, owners of sites where new exploits appear, and so on.

Source: habr.com