Posted on May 17 2019
Happy Friday...Spicy dropped a file…
There are only a few things in life that truly make me happy...for example:
- Triple Creme and/or unpasteurized cheese.
- Indictments, Superseding Indictment(s) and/or Cyber-crime Indictments that involve crypto-currency.
- Any hypothesis that evolves into an actual fact pattern.
Like I said I’m a simple kind of Spicy...not.
As early as 2007 the cyber community had identified GOZI as a Trojan horse and later determined it to be a persistent threat. This TrendMicro Alert gives you a decent primer. TrendMicro also published the Related Malware
According to this January 23, 2013 SDNY DOJ-OPA Release, which reads in part:
Gozi Virus infected over one million computers globally and caused tens of millions of dollars in losses. NIKITA KUZMIN, a Russian national who created the Gozi Virus, was arrested in the U.S. in November 2010 and pled guilty before U.S. District Judge Leonard B. Sand to various computer intrusion and fraud charges in May 2011. DENISS CALOVSKIS, a/k/a “Miami,” a Latvian national who allegedly wrote some of the computer code that made the Gozi Virus so effective, was arrested in Latvia in November 2012. MIHAI IONUT PAUNESCU, a/k/a “Virus,” a Romanian national who allegedly ran a “bulletproof hosting” service that enabled cyber criminals to distribute the Gozi Virus, the Zeus Trojan and other notorious malware, and conduct other sophisticated cyber crimes, was arrested in Romania in December 2012.
The SDNY DOJ-OPA Release goes on to explain GOZI and its successor versions:
The Gozi Virus
The Gozi Virus is malicious computer code or “malware” that steals personal bank account information, including usernames and passwords, from the users of affected computers. It was named by private sector information security experts in the U.S. who, in 2007, discovered that previously unrecognized malware was stealing personal bank account information from computers across Europe on a vast scale, while remaining virtually undetectable in the computers it infected. To date, the Gozi Virus has infected over one million victim computers worldwide, among them at least 40,000 computers in the U.S., including computers belonging to the National Aeronautics and Space Administration (“NASA”), as well as computers in Germany, Great Britain, Poland, France, Finland, Italy, Turkey and elsewhere, and it has caused tens of millions of dollars in losses to the individuals, businesses, and government entities whose computers were infected.
The Creation of the Gozi Virus
Kuzmin conceived of the Gozi virus in 2005 when he created a list of technical specifications for the virus and hired a sophisticated computer programmer (CC-1) to write its source code, which is the unique code that enabled the Gozi virus to operate. Once the Gozi virus had been coded, Kuzmin began providing it to co-conspirators in exchange for a weekly fee through a business he ran called “76 Service.” Through 76 Service, Kuzmin made the Gozi virus available to co-conspirators, allowed them to configure the virus to steal data of their choosing, and stored the stolen data for them. He advertised 76 Service on one or more Internet forums devoted to cyber crime and other criminal activities. Beginning in 2009, Kuzmin began to sell the Gozi virus outright to his co-conspirators.
U.S. v. Nikita Kuzmin, U.S. v. Mihai Ionut Paunescu, and U.S. v. Deniss Calovskis
This DOJ-OPA link will take you to the 2013 PowerPoint Presentation.
The one interesting data point is the mimicking of “legitimate” websites versus “fictitious” websites designed to trick average users.
On April 26, 2016, the SDNY AUSA submitted the following six-page letter (document no. 44, for you docket watchers) to Judge Wood:
United States v. Nikita Kuzmin, 11 Cr. 387 (KMW)
The letter explains, to a certain degree, how Defendant Kuzmin provided “substantial assistance”... For the record, the Government, as indicated in its April 2016 letter on page 5, sub-section/paragraph:
2. Substantial Assistance
Kuzmin provided substantial assistance to the Government, as set forth in a separate letter which the Government has submitted and respectfully requests to file under seal.
...submitted a follow-up 5K1 letter and several other documents; document numbers 45 through 48 (ECF paywall) remain under seal:
🌶SpicyFiles-Sidebar🌶..., did you happen to see who Kuzmin’s defense attorney was? Or who the SDNY AUSA was? Kuzmin hired none other than Alan Futerfas (yes, the current counsel of record for Trump Jr. and the Trump Org...who also represented President Trump in his individual capacity during the Michael Cohen FBI raid).
The reason I took the time to walk you (albeit in an abbreviated fashion) through the original criminal case is I wanted to establish an informed predicate to address yesterday’s announcement. When viewed in the larger context, Kuzmin’s “substantial assistance” almost undoubtedly led to the following takedowns:
On December 1, 2016, Europol (along with the FBI) announced the
‘AVALANCHE’ NETWORK DISMANTLED IN INTERNATIONAL CYBER OPERATION
The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800 000 domains seized, sinkholed or blocked.
The Hague 5/16/2019 News Conference
16 May 2019, Europol’s headquarters in The Hague, Netherlands
“Press conference to announce a major law enforcement action against a transnational organized cybercrime network behind $100 million malware attacks”
As the US Attorney for the Western District of Pennsylvania, Scott Brady, stated, this was a two-year investigation (circa 2016, a spin-off of the 2011 and 2013 investigation, indictments and eventual guilty verdict) involving a coalition of six different agencies and countries, all working together to take down the
GozNym Cyber-Criminal Network
- German Public Prosecutor’s Office of Verden, Lower Saxony
- Prosecutor General’s Office of Ukraine
- Prosecutor General’s Office of Georgia
- Centre for Combating Cybercrime of Moldova
- General Directorate for Combating Organised Crime of Bulgaria
- FBI’s Pittsburgh Field Office
- Eurojust
- Europol
Victims of the GozNym malware attacks include:
- An asphalt and paving business located in New Castle, Pennsylvania;
- A law firm located in Washington, DC;
- A church located in Southlake, Texas;
- An association dedicated to providing recreation programs and other services to persons with disabilities located in Downers Grove, Illinois;
- A distributor of neurosurgical and medical equipment headquartered in Freiburg, Germany, with a U.S. subsidiary in Cape Coral, Florida;
- A furniture business located in Chula Vista, California;
- A provider of electrical safety devices located in Cumberland, Rhode Island;
- A contracting business located in Warren, Michigan;
- A casino located in Gulfport, Mississippi;
- A stud farm located in Midway, Kentucky; and
- A law office located in Wellesley, Massachusetts.
Yesterday’s Indictment can be downloaded from the following DOJ hyperlinks:
I personally love it when the Justice Department publishes a map of the defendants.
Per DOJ-OPA Release No. 19-531, a total of 10 defendants are named:
was “arrested at the request of the United States while visiting Sri Lanka in February 2017. Following his arrest, Manokhin was released on bail but was required to remain in Sri Lanka pending the outcome of his extradition proceedings to the United States. In December 2017, Manokhin unlawfully absconded from Sri Lanka and successfully fled back to Russia prior to the conclusion of the extradition proceedings.”
is named as a GozNym conspirator in the newly unsealed indictment, although he is charged in a related Indictment filed in the Western District of Pennsylvania. Nikolov entered a guilty plea in federal court in Pittsburgh on charges relating to his participation in the GozNym conspiracy on April 10, 2019. He is scheduled to be sentenced on Aug. 30, 2019.
...apartment in Poltava, Ukraine was searched in November 2016 during a German-led operation to dismantle the network’s servers and other infrastructure. Kapkanov was arrested for shooting an assault rifle through the door of his apartment at Ukrainian law enforcement officers conducting the search. Through the coordinated efforts being announced today, Kapkanov is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network.
BEJESUS - what’s with Ukrainian criminals? The only quasi “Ukrainian” person I know is straight up bat shit crazy...like boil-your-bunny bat shit cray cray. They should have a warning label tattooed on their forehead warning people that they are certifiably INSANE. Maybe it’s the drugs or alcohol, but that person is crazy and should be avoided at all costs. They are one of the worst emotional terrorists I know.
aka “NoNe,” and “none_1,” age 35, of Tbilisi, Georgia, was the primary organizer and leader of the GozNym network who controlled more than 41,000 victim computers infected with GozNym malware. Konovolov assembled the team of cybercriminals charged in the Indictment, in part by recruiting them through the underground online criminal forums. Marat Kazandjian, aka “phant0m,” age 31, of Kazakhstan and Tbilisi, Georgia, was allegedly Konovolov’s primary assistant and technical administrator. Konovolov and Kazandjian are being prosecuted in Georgia for their respective roles in the GozNym criminal network.
The remaining defendants are all Russian and are presently residing in Russia. I miss the days when our POTUS publicly rebuked Putin and Russian cyber criminals. Just imagine if we had a president who demanded that Russia extradite the dozens of cyber criminals back to America. Although this unprecedented global cooperation could very well make that “wish” a plausible reality. Meaning, with enough global coalitions it would make these Russian cyber criminals less likely to vacation in Spain, Ibiza, Thailand, Turkey...
I have never understood why, as soon as Indictments are unsealed by the DOJ, there isn’t a law (cough, looking at you, Congress) that automatically transmits the names and/or passport numbers to the US Treasury to place said Russian cyber-criminals on the (keyword here) codified Countering America’s Adversaries Through Sanctions Act (CAATSA) list of entities and persons under sanctions:
- Ukraine-/Russia-related Directive 1 (as amended on 09/29/2017)
- Ukraine-/Russia-related Directive 2 (as amended on 09/29/2017)
- Ukraine-/Russia-related Directive 4 (as amended on 10/31/2017)
- 13849 - Authorizing the Implementation of Certain Sanctions Set Forth in the Countering America’s Adversaries (September 20, 2018)
As the indictment alleges, the Defendants ran a...
“complex transnational organized cybercrime network that used GozNym malware in an attempt to steal an estimated $100 million from unsuspecting victims in the United States and around the world has been dismantled as part of an international law enforcement operation. GozNym infected tens of thousands of victim computers worldwide, primarily in the United States and Europe.
This operation was highlighted by the unprecedented initiation of criminal prosecutions against members of the network in four different countries as a result of cooperation between the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust.”
The FBI posters are...a bit jarring. As in, some of the pictures look like they are oddly computer-generated (but probably are not), and the low-light pictures are straight out of a horror movie...it made my spine shudder for a split second <snort>
Honestly, is there something wrong in the water supply in Russia? These guys look like they need a one-week vacation of fun & sun in Palma de Mallorca...yes, I want them to vacation in Spain so our international counterparts can cuff & stuff them onto a DOJ airplane...back to ’Murica...
Again, you can read yesterday’s DOJ Indictment here. At any rate, I would not be surprised if we end up finding out that X-Agent, aka Chopstick, or the probability of GRU...because Russia and malware... plus the IRA, welp, they are like peanut butter and jelly.
Anywho, it’s Friday night and imma gonna unplug and enjoy some family time...
While you're here, throw us a bone.
Mad Dog is thrilled to have Spicy in our PAC(k). We are proud to provide a space for her tireless, hard hitting, in-depth investigations. But we can’t do it without you.
Our numbers are growing. Our voices are being heard. Our campaigns are making a difference. Help us, and Spicy, continue to fight the good fight. Consider a donation to help support the work of Mad Dog PAC today.