Tracking the Jabber Zeus cybercrime gang - Cyber Hack: Evil Corp Ep2, BBC World Service podcast

By BBC World Service

Key Concepts

  • Zeus Malware: A sophisticated piece of malware used for cybercrime, particularly for stealing financial information and conducting fraudulent transactions.
  • Automated Clearing House (ACH) Transfers: An electronic network for financial transactions in the United States, often used for direct deposit and bill payments.
  • Phishing Scam: A fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication.
  • Malware: Malicious software designed to disrupt, damage, or gain unauthorized access to computer systems.
  • Jabber: An open instant-messaging protocol (standardised as XMPP) that the cybercriminals used for their private communications.
  • IP Address: A unique numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.
  • Money Mules: Individuals who are hired to transfer or receive illegally obtained money on behalf of criminals, often without knowing the full extent of the criminal activity.
  • Federal Security Service (FSB): Russia's principal security agency and successor to the KGB.
  • Security Service of Ukraine (SBU): Ukraine's security and intelligence agency.
  • High Tech Crime Unit (HTCU): A specialized unit within law enforcement agencies focused on investigating cybercrimes.
  • Splunk: A powerful software platform for searching, monitoring, and analyzing machine-generated big data, often used in cybersecurity investigations.

The Zeus Cybercrime Storm: Into the Storm

This episode of "Cyber Hack, Season 3: Evil Corp" details the initial stages of a massive FBI investigation into a sophisticated cybercrime operation known as the "Zeus" malware. The narrative follows rookie FBI Special Agent Jim Craig as he is thrust into the heart of this complex case, which spans years and continents.

The Genesis of the Investigation

  • Initial Assignment and Discovery: Special Agent Jim Craig, newly graduated from the FBI Academy in 2008 and initially assigned to the Joint Terrorism Task Force in Omaha, Nebraska, stumbles upon a series of suspicious electronic bank transfers.
  • Automated Clearing House (ACH) Fraud: The complaints involve fraudulent ACH transfers, a critical but often overlooked component of the US banking system responsible for billions of daily transactions. The FBI, considering it a routine matter, assigns the complaint to the new agent.
  • Pattern Recognition: As Craig investigates, he uncovers a pattern of American businesses losing significant amounts of money. The funds are siphoned off and funneled into accounts of seemingly fake employees.
  • Victim Profile: The targeted companies appear random, including a dairy in Ohio, a building supply company in Maine, and a beer distributor in Iowa, highlighting the broad reach of the operation.
  • Scale of the Problem: Hundreds of thousands of dollars are vanishing weekly, with the FBI initially having little information about the perpetrators or their location, suspecting a large criminal network.

The Zeus Malware Emerges

  • Full-Time Dedication: The escalating losses and victim count lead to Craig being moved to work on the cybercrime case full-time. It quickly becomes apparent that this is the largest cybercriminal case in the FBI's history.
  • Forensic Analysis and Phishing: Forensic examination of victim computers reveals that the attacks often begin with phishing scams. Hackers send mass emails, and those who click malicious links infect their computers with malware.
  • Malware Functionality: This malware grants hackers control over infected devices, enabling them to initiate fraudulent transactions. The stolen money is then funneled through "money mules" across the United States and subsequently transferred overseas.
  • Profitability: The criminals are making hundreds of thousands of dollars per week with minimal effort, effectively turning American companies into their personal cash machines.
  • Naming the Threat: By mid-2009, the cybersecurity community begins to identify and name the prevalent malware: Zeus. Its power and profitability are widely recognized.

Cracking the Code: Jabber and the Brooklyn Server

  • Technical Clues: Cybersecurity specialist Lawrence Baldwin, who previously identified clues in the Zeus code, gains insight into the hackers' secret communications.
  • Brian Krebs' Reporting: In July 2009, journalist Brian Krebs publishes a significant article in The Washington Post detailing how Zeus hackers stole over $400,000 from Bullitt County, Kentucky.
  • Investigating Malicious Code: Jim Craig delves deeper into the malicious code, identifying unusual network traffic on ports 5222 and 5223.
  • Jabber Traffic Identification: Further research shows that these are the standard client ports for Jabber (XMPP), an instant-messaging protocol. This leads investigators to believe they are dealing with a central server through which the hackers communicate.
  • Server Location: The IP address of this server is traced to an IT company in Brooklyn, New York.
  • Warrant and Data Seizure: FBI agents, armed with a warrant, seize data from the servers at the Brooklyn IT company.
  • The Jabber Server Archive: The seized data, sent to Jim Craig in Omaha, turns out to be a massive archive of the hackers' communications. A computer specialist exclaims, "Oh my God, you guys got their Jabber server. All their communications are on here."
  • A Treasure Trove of Evidence: This discovery provides Jim with an archive of past conversations, names, numbers, dates, and times, representing a "jaw-dropping" and "case-breaking" moment.
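The port clue above, turned into a defender's check, as an added example that is not from the episode or the investigation: it sweeps a constructed connection log (sample data, not real case data) for traffic to the XMPP client ports 5222/5223, drops destinations on a hypothetical allowlist of sanctioned chat servers, and flags any server that several internal hosts reach, which is the "central server" pattern the investigators noticed.

```python
import ipaddress
from collections import defaultdict

# XMPP (Jabber) client ports named in the episode: 5222 (STARTTLS) and 5223 (legacy TLS).
XMPP_PORTS = {5222, 5223}

# Hypothetical allowlist: the organisation's own sanctioned chat server.
APPROVED_XMPP_SERVERS = {"192.0.2.200"}

# Constructed sample connection log (not from the case): timestamp src dst dport bytes.
SAMPLE_LOG = """\
2009-07-20T10:01:05 10.0.4.12 203.0.113.7 443 1820
2009-07-20T10:01:09 10.0.4.12 198.51.100.21 5222 640
2009-07-20T10:02:40 10.0.4.12 198.51.100.21 5222 710
2009-07-20T10:03:10 10.0.4.31 203.0.113.9 80 5120
2009-07-20T10:03:55 10.0.4.31 198.51.100.21 5223 455
2009-07-20T10:05:00 10.0.4.50 192.0.2.200 5222 300
2009-07-20T10:06:00 malformed entry
"""

def parse_line(line):
    """Parse one log line; return None for malformed records instead of aborting the sweep."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}
    except ValueError:
        return None

def find_unapproved_xmpp(log_text, approved=APPROVED_XMPP_SERVERS):
    """Group XMPP-port connections to non-allowlisted servers by (src, dst)."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dport"] not in XMPP_PORTS or rec["dst"] in approved:
            continue
        hits[(rec["src"], rec["dst"])].append(rec)
    return dict(hits)

def shared_servers(hits):
    """Servers reached on XMPP ports by more than one internal host: a candidate central server."""
    by_dst = defaultdict(set)
    for src, dst in hits:
        by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) > 1}
```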

Deciphering the Data and Building the Team

  • Language Barrier and Code-Breaking: The vast amount of data is primarily in Russian and Ukrainian. The team faces challenges understanding the hackers' coded language and slang. Jim begins learning Russian himself.
  • Hacker Dictionary: A "hacker dictionary" is developed to quickly understand messages.
  • Data Overload: The sheer volume of information, including email addresses, IP addresses, and messages, makes the process of identifying leads painstakingly slow.
  • Team Expansion: As a new agent, Jim recruits senior agents, other individuals, and professional support staff to assist in sifting through spreadsheets of data points. His team grows to about a dozen people.
  • The Jigsaw Puzzle Analogy: The team faces the "digital equivalent of a million-piece jigsaw puzzle," struggling to organize the information and identify the individuals behind the Jabber chat.
  • Frustration and Lack of Productivity: The manual process of scrolling through spreadsheets is described as "not sexy" and "not productive," while the hackers continue their operations.

The Breakthrough: Splunk and Identifying Key Players

  • Introducing Splunk: Jim calls in a private contractor, a former Marine specializing in electronic forensics, who introduces the team to Splunk, a powerful indexing tool.
  • Pattern Recognition with Splunk: Splunk ingests the Jabber chat data and begins to make sense of it, surfacing patterns that connect handles to IP addresses, IP addresses to emails, and emails to bank accounts.
  • Generating Leads: This sophisticated software generates crucial leads, identifying individuals, their discussions, and associated contact information.
  • Identifying "Aqua" and "Tank": The investigation identifies two prominent figures pulling the strings: aliases "Aqua" and "Tank." These are the same individuals Brian Krebs exposed in his article.
  • Arrogance and Continued Operations: Despite the public exposure, the hackers show no signs of slowing down, which is attributed to arrogance. Their conversations reveal discussions about spending their ill-gotten gains, including Tank's purchase of a high-priced BMW.
  • Tank's Slip-Up: In a message dated July 22, 2009, Tank reveals his daughter's birth, including her name and weight. This seemingly small detail provides a crucial lead.
  • Identifying Tank: Jim contacts the Ukrainian Security Service (SBU) to investigate hospitals and medical records. This leads to the identification of "Tank" as Vyacheslav Penchukov.
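The pivoting the team did in Splunk (handles to IP addresses, IP addresses to emails), reduced to its core as an added example; this is not the FBI's tooling or Splunk's own code, and the chat archive it indexes is constructed sample data with reserved example addresses, not the seized messages.

```python
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample chat archive (not the seized data): (timestamp, handle, client_ip, message).
SAMPLE_ARCHIVE = [
    ("2009-07-20 09:12", "operator1", "198.51.100.40", "send the drop list to drops@example.net"),
    ("2009-07-20 09:15", "operator2", "198.51.100.77", "ok, account list coming"),
    ("2009-07-21 14:02", "operator1", "198.51.100.40", "new box, reach me at op1@example.org"),
    ("2009-07-22 08:30", "operator1_alt", "198.51.100.40", "same person, new handle"),
    ("2009-07-22 11:45", "operator3", "198.51.100.77", "mail drops@example.net when done"),
]

def build_index(archive):
    """Bidirectional pivot tables: handle<->ip and handle<->email, like fields indexed for search."""
    idx = {k: defaultdict(set) for k in ("handle_ips", "ip_handles", "handle_emails", "email_handles")}
    for _ts, handle, ip, text in archive:
        idx["handle_ips"][handle].add(ip)
        idx["ip_handles"][ip].add(handle)
        for email in EMAIL_RE.findall(text):
            idx["handle_emails"][handle].add(email)
            idx["email_handles"][email].add(handle)
    return idx

def pivot(idx, handle):
    """Two-hop pivot from one handle: its IPs, its emails, and every other handle sharing either."""
    ips = idx["handle_ips"].get(handle, set())
    emails = idx["handle_emails"].get(handle, set())
    linked = set()
    for ip in ips:
        linked |= idx["ip_handles"][ip]
    for email in emails:
        linked |= idx["email_handles"][email]
    linked.discard(handle)
    return {"ips": sorted(ips), "emails": sorted(emails), "linked_handles": sorted(linked)}

def shared_ips(idx):
    """IPs used by more than one handle: candidate aliases of one person or a shared exit point."""
    return {ip: sorted(hs) for ip, hs in idx["ip_handles"].items() if len(hs) > 1}
```

Pivoting on `operator1` links it to `operator1_alt` through a shared IP and to `operator3` through a shared mailbox, the same kind of chain (handle to IP, IP to email, email to another handle) that produced the leads described above.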

Expanding the Investigation: The UK and "Mr. Pizza"

  • UK Involvement: Lawrence Baldwin, still monitoring the Jabber server, notices discussions about hacks in the United Kingdom. He alerts UK banks.
  • Scale of UK Fraud: British police report hundreds of victims, thousands of unlawful online banking transactions, and hundreds of money mule accounts. Approximately £4.2 million (nearly $5.5 million) was stolen between October 2009 and early 2010 from UK victims alone.
  • The Mule Operator: Baldwin observes that someone is organizing the money mules and managing accounts within the UK, but lacks specific identifying information.
  • The Domino's Clue: Baldwin notices a connection to Dominos.co.uk. Investigating a pizza order, he finds an order number but encrypted payment details.
  • Passing the Clue to the Met: Baldwin forwards this information to London's Metropolitan Police Service (the Met).
  • Detective Sergeant Simon Williams: Detective Sergeant Simon Williams of the Met's counter-terrorism unit takes on the Zeus case.
  • Thomas the Tank Engine Toy: The Jabber chat reveals a UK-based member of the crew asking for a Thomas the Tank Engine toy for his son.
  • CCTV and Identification: The Met police investigate sales of the toy, narrow down locations, and seize CCTV footage. They identify a man purchasing the toy using the fake alias "Pavel Klikov."
  • Pizza Delivery Confirmation: Surveillance on Klikov's address reveals a pizza delivery from the same pizzeria that Baldwin had flagged. This confirms Klikov's identity and links him to the crime.
  • Identifying "Mr. Pizza": The pizza order leads to the identification of Pavel Klikov's real name as Yuriy Konovalenko, nicknamed "Mr. Pizza." His role is identified as the UK-based money mule coordinator.
  • Transnational Operation: This confirms the Jabber Zeus crew is a transnational organization, with Mr. Pizza being a senior member in the UK.
  • Money Mule Activity: Surveillance shows Konovalenko being picked up by money mules who visit multiple banks to create accounts and withdraw stolen funds.

The Global Manhunt: Ukraine and the Path to Arrests

  • Eastern European Network: The investigation reveals a web of accounts in Poland, Romania, Moldova, and Russia, with the money ultimately landing in Ukraine.
  • Jim Craig in Ukraine: By summer 2010, Jim Craig travels to Kyiv, Ukraine, to coordinate efforts and lay the groundwork for simultaneous raids.
  • Intelligence on Tank: Craig now knows Tank's real name (Vyacheslav Penchukov) and his address in Donetsk, Ukraine. Tank is believed to be in charge of the operation in Ukraine, while "Aqua" is likely in Russia, managing money mules.
  • International Cooperation: The investigation involves multiple jurisdictions, including a server base in the Netherlands.
  • Meeting with the FSB: Jim meets with agents from Russia's Federal Security Service (FSB) in Kyiv to foster cooperation and gather intelligence on "Aqua." The meeting is described as a "friendly law enforcement sit down," something possible only in the pre-invasion era.
  • Meeting at the Dacha: The head of Ukraine's SBU hosts a meeting at his country house (dacha) with agents from the SBU, FSB, the Dutch High Tech Crime Unit, and the FBI.
  • Planning Coordinated Raids: The day is spent strategizing how to take down the Jabber Zeus crew, with specific targets identified.
  • The "Toast" Dinner: A lavish dinner at the dacha involves numerous toasts, particularly with vodka, to fallen comrades. Jim resorts to filling his glass with water to keep up.
  • Optimism for Success: Jim leaves the dacha convinced that this alliance will lead to the downfall of the Jabber Zeus crew.
  • Planned Raids: A date is set for September 29, 2010, for coordinated raids in Ukraine, Russia, and beyond, with British police planning simultaneous action against Mr. Pizza and others in London.
  • The Reckoning: The investigation has progressed from a seemingly boring case to a global manhunt, with real names and addresses of hackers now known.
  • A Warning: However, months earlier in Donetsk, Vyacheslav Penchukov (Tank) had already received a warning: "They know your real names. They know your handles. They know you are in Donetsk, and so be careful." This foreshadows potential complications in the planned arrests.

Conclusion

The episode highlights the intricate and painstaking process of investigating a large-scale cybercrime operation. It showcases the evolution of a rookie agent into a key player in a global manhunt, the critical role of technical tools like Splunk, and the challenges of international law enforcement cooperation. The narrative builds towards a planned series of arrests, but ends with a hint of impending danger and the possibility that the criminals may have been tipped off.
