Cybersecurity: Crime and Espionage

The GameOver Zeus/CryptoLocker Indictment

By Paul Rosenzweig
Tuesday, June 3, 2014, 11:42 AM

Following up on last week's indictment of 5 Chinese PLA members for economic espionage, the Department of Justice continued yesterday its apparent prosecutorial offensive against cyber criminals.  The case, brought again in W.D. Pa., charges a Russian gang led by Evgeniy Bogachev with operating a huge botnet, known as GameOver Zeus.  Comprising perhaps as many as 1 million slave computers, the GOZ botnet is one of the largest ever encountered.  More than 300,000 of the computers have been freed from the network.  Apparently, the principal purpose behind the GOZ botnet was to implant CryptoLocker, a piece of malicious software that locked a user out from the computer unless and until he paid a ransom to regain access -- often as much as $700.  Up to $27 million in ransom was collected.

Some notable points about this indictment:

  • It required cooperation with a number of other countries including, surprisingly, Ukraine.  According to the Washington Post report, over the weekend, Ukrainian authorities seized servers in Donetsk, which as readers of this blog know is contested territory.  If so, this seems a remarkable commitment from an unstable government.
  • As with the Chinese indictments, this case was brought in Pittsburgh (WDPA), which is an odd location to choose.  Apparently, the office is developing an expertise in cyber crime.  The indictment alleges that some of the victims were in the district, but it seems as though most of them were outside.  I guess if you have a good place, and a good opportunity, you choose your venue strategically.
  • The indictment was brought in parallel with an ex parte civil complaint that sought authority for the government to engage in a malware disruption plan.  Though nobody is in a position to challenge this type of action, I have my doubts as to its lawfulness.  It requires acceptance of novel theories of law relating both to the jurisdiction of the court and to the court's authority to order equitable relief of the sort needed to destroy the botnet.  Most notably, the government sought (and received) authority to send software commands to computers owned by private individuals that had, unknowingly, been infected.  As support for this action, the government relied on two statutes, 18 USC 1345 and 2531, that broadly spoke to its authority to enjoin fraudulent activity but did not specifically speak to the applicability of the law to computer networks.
  • As with the Chinese, we may well doubt that Bogachev will ever see the inside of a courtroom -- though he is more likely to do so, in my judgment, than the Chinese PLA defendants.

All of which is not really a complaint -- for this is an effective use of law enforcement.  At a minimum, one of the largest botnets we know of has been beheaded.  And the aggressive use of criminal law again sends a signal that the US is willing to take steps in defending its networks that it has heretofore been a bit reluctant to take.