At the Black Hat Security Conference held in Las Vegas this month, a security firm released new details on the illegal hacking activities of cybercrime kingpin Evgeniy Mikhailovich Bogachev, better known as Slavik. Dutch firm Fox IT presented new insight into the workings of the leader of one of the world’s most notorious and successful online criminal gangs. Specifically, in addition to bilking banks out of over $100 million, it appears that Bogachev also conducted espionage. Analysts suspect that his foray into spying was backed by the Russian government. To date, despite the $1 million bounty placed on Bogachev by the FBI, he has evaded capture.
Bogachev is widely believed to be the leader of the uber-secretive criminal ring known as the Business Club. Members of the Club used the malware program Zeus to steal from banks from 2011 to 2014. Specifically, Bogachev ran the Gameover Zeus operation, which infected up to 1 million machines connected over peer-to-peer networks. The malware stole bank logins, and the Club’s operations resulted in the theft of over $100 million from banks all over the world. The hackers were also responsible for developing and deploying the Cryptolocker ransomware, which infected and locked down more than 234,000 personal computers. That operation acquired more than $27 million in ransom payments. Both the Gameover Zeus operation and the Cryptolocker operation were shut down last spring after Bogachev was indicted.
Following that major law enforcement operation, which required the collaboration of Fox IT, Dell SecureWorks and the FBI, analysts began sifting through what they had collected. They were extremely impressed by the evolution of the illegal operations. Andy Chandler, vice president of Fox IT, stated that “The maturity of how they evolved could have been an example out of a Harvard business book . . . The Business Club . . . used their criminal talents to expand from retail banking to commercial banking and branch off to new areas like espionage and ransomware.” Research reveals that the Business Club was the first entity to beat a two-pronged authentication system with “hybrid token-grabber attacks,” known in the business as The World Bank Center.
The details surrounding Bogachev’s espionage are what led analysts to believe he may be avoiding capture because he has the protection of the Russian government. Specifically, analysis has indicated that Bogachev or one of his clients sought out data regarding foreign governments that would be of significant interest to Putin. Michael Sandee, principal security expert at Fox IT, discovered commands that sought files related to foreign intelligence officials in Turkey, Ukraine and Georgia. Russia’s interest in these countries is likely due to Putin’s recent military activity in the regions.
Analysts also believe that Bogachev conducted this espionage without the involvement of his fellow Business Club members. Sandee believes the separation between Bogachev and the other members stemmed from the fact that Bogachev was spying on countries that those members were from, including Ukraine. Moreover, Bogachev alone managed the back ends of the botnets responsible for gathering the sought-after information.
These factors have led to speculation that Bogachev is somehow protected by Russia as long as he does not turn against the country. In its whitepaper released at the Black Hat conference, Fox IT stated that it “could speculate that due to this part of his work he had obtained a level of protection, and was able to get away with certain crimes as long as they were not committed against Russia. This of course remains speculation, but perhaps it is one of the reasons why he has as yet not been apprehended.”