Ukraine postures with cybercrime ring arrests, but increased enforcement needed

One could almost hear the collective sighs of computer security experts earlier this month, as Ukrainian authorities proudly touted the arrests of Ukraine-based cybercriminals who stole more than a quarter of a billion dollars from bank accounts around the world, only to release them on bail shortly after. House arrest has been ordered for a few of them.

The Security Service of Ukraine,
known by the SBU acronym, on April 16 announced that members of an
international criminal hacker group were arrested nearly a month earlier. They
are suspected of stealing more than $250 million from the accounts of domestic
and foreign financial institutions. The investigation was conducted jointly
with Russia’s Federal Security Service and involved the Kyiv Prosecutor’s
Office and UniCredit-Ukrsotsbank.

The cybercrime ring, comprised of 20
individuals between the ages of 25 and 30, including 16 Ukrainians, used the
internet and self-developed malicious software, known as malware, to steal
money from bank accounts.

Members of the group were separately
responsible for developing specific parts of the malware and worked
independently in such cities as Kyiv, Zaporizhia, Lviv and Kherson. The parts
were sent to the server of the group’s kingpin, an unidentified 28-year-old
Russian national, residing in Odesa, where the final product was assembled.

The group’s malware was specifically
designed to steal the banking credentials of businesses, their logins,
passwords and data from the popular Russian accounting software 1C.

One of the investigators involved in
the case told Kommersant newspaper that after the group obtained the
information of a business it would study it for days or weeks before issuing
fake payments from the victim businesses to its shell companies.

Some of those arrested also are
suspected of masterminding the Trojan Carberp malware that was used to steal
some 60 million rubles ($2 million) from Russian bank accounts last year.
Those cybercriminals were bold enough in 2012 to offer the Trojan online to be
used for $2,000 to $10,000 a month, or to be purchased in full for $40,000.

Authorities arrested members of the
group in their respective cities on March 19 and confiscated the hi-tech
equipment used in the crimes.

A criminal case has been opened
against the cybercrime ring on the charges of unauthorized interference in the
work of computers, automated systems and computer and telecommunication
networks, offenses punishable by up to six years in prison.

Security Service of Ukraine officers search the apartment of a person allegedly involved in a cybercrime ring that netted some $250 million.

Legal leniency

However, if history is any
indication, it’s unlikely the group will receive such severe punishment. After
all, plenty of cyber criminals operating in Ukraine before them embezzled
millions and walked free.

“Under the new criminal procedure
code, economic crimes are not serious, so the detainees are now under house
arrest, some were released on bail,” Kommersant newspaper quoted an SBU
spokesperson as saying, following the March 19 arrests.

In fact, Ukraine’s track record of
cybercrime enforcement is bad at best, looking more like a catch-and-release
program than a crackdown, experts say.

Brian Krebs, author of KrebsOnSecurity.com, a popular daily blog on cybercrime
and computer security, said this is another reason cybercrime persists in
Eastern Europe.

“To me, it doesn’t seem to be a
problem of lack of laws,” Krebs told the Kyiv Post. “It’s lack of regular
enforcement of those laws, and seeing prosecutions through to sentencing and
justice.”

In October 2010, Ukrainian
authorities working in conjunction with U.S. and U.K. law enforcement agencies
apprehended five Ukrainians for using malware called the Zeus Trojan
to infiltrate computer systems around the world and steal some $70 million. But
within months of the bust, the five arrested were released by Ukrainian
authorities pending an investigation.

The best example of Ukrainian
authorities’ catch-and-release practices came in 2005, when Dmitry Golubov,
known by the nickname “script,” an alleged hacker accused of trading credit
card details stolen from websites, was detained in Ukraine. Investigators in
the U.S. pushed hard at the time to get him on trial, but when the case came to
court, he was released.

Golubov told the Kyiv Post in 2010
that the FBI had asked then-Ukrainian Interior Minister Yuriy Lutsenko to
arrest him, providing as evidence a scanned copy of his passport accompanied
with the text “I Dmitry Golubov, leading hacker, I hack banks, but I have
nothing to fear because the police with me at the same time, and in order for
you to believe me that I am not afraid I show you my passport, as well as my
home address and home phone,” which was found on a website.

“Fortunately the court didn’t take
that evidence seriously,” Golubov told Kyiv Post.

Shortly after his arrest, Golubov
was bailed out by two Party of Regions lawmakers, Volodymyr Demiokhin and
Volodymyr Makeyenko.

Golubov maintained his innocence,
saying he was cleared due to lack of evidence and even claiming he was himself
the victim of identity theft.

Lutsenko told the Kyiv Post in 2010
that he couldn’t comment as he didn’t have the exact details in front of him,
but said “The most probable (reason) is corruption and this atmosphere of
criminal impunity that we see in the country. It’s so much like the ’90s when
all the criminals who had political protection were released.”

Ironically, after being released,
Golubov went on to found the Internet Party of Ukraine, a political party whose
platform is stamping out corruption and bureaucracy and implementing an
“electronic government.”

Dmitry Ivanovich Golubov, known as “Script,” was arrested in 2005 by Ukrainian police, who provided this photo to the US Postal Inspection Service at the time. The USPIS said Golubov was one of the masterminds behind East European carding rings.


A recent photo of Dmitry Golubov from the website of the Internet Party of Ukraine, which he founded.

Cybercrime a growing concern

A quick look at the Federal Bureau
of Investigation’s top seven most wanted cybercriminals shows four with ties to
Ukraine and warns that they may even be living or operating in Kyiv.

“From what I saw, Ukraine is one of
the largest centers of cybercrime,” Krebs told the Kyiv Post. “Not only much of
the criminal network is located here, but also considerable flows of dollars
obtained by hacking go here.”

According to a report by German
telecommunications operator Deutsche Telekom published in February, Ukraine is
fourth worst in the world in terms of cybercrime, after Russia, Taiwan and Germany.
The report stated that nearly half of all programs run on Ukrainian servers are
malware.

To further highlight the growing
concern of cybercrime, the company launched a digital world map, which shows
cyberattacks as they happen in real-time. In a mere five minutes on Thursday,
April 18, the Kyiv Post observed more than a dozen attacks on websites and
network services worldwide that originated in Ukraine.

A member of Ukraine’s Interior
Ministry explained to Kommersant newspaper that the rise in cybercrime is a
natural process. In 2012, the spokesperson told the newspaper, there were 139
cases of unauthorized withdrawals of online banking funds, resulting in losses
of more than $116 million.

“We managed to return 80 percent of
that amount – a significant portion of it without delay – within two hours of
the crimes (taking place),” the spokesperson added.

Natalia Synyavskaya, head of the National
Bank of Ukraine department on information technologies and payment systems, said
at a press conference in Kyiv earlier this year that the total number of
fraudulent card transactions in 2012 increased from 2011 by 47 percent, and the
volume of these transactions increased by 20 percent.

According to her, 57 banks were
affected by such transactions. That’s six times higher than in 2011, accounting
for 40 percent of the total number of banks in the country.

Synyavskaya stressed that the volume
of fraudulent card transactions amounted to only 0.002 percent of the total volume of
card transactions, but hinted that in reality that number might be much higher.

“Many banks are trying not to show
actual damages, so it is difficult to estimate the true volume,” she added.

The most recent incident with ties
to Ukrainian cybercriminals exploited the recent tragedy in Boston that killed
three and injured more than 100 people and did not use fraudulent cards.

Within emails disguised as news
alerts, spammers from Ukraine and Latvia sent malware that claimed to contain a
link to video footage of the two explosions that occurred at the Boston
Marathon on April 15, Naked Security, a news website supported by the internet
security company Sophos, reported.

The company’s security products
detected a Windows Trojan horse in the messages that infected the recipients’
computers after they clicked the provided link, the report said. If installed, the
malware makes changes to the registry and installs files that allow hackers to
gain remote access to the infected computers.

No arrests in that case have been
made, nor has there been any indication on the part of Ukrainian authorities
that an investigation is underway.

A screenshot posted on the Naked Security website shows an email sent indiscriminately to recipients this week with a link that infects computers with malicious software when clicked.

Further challenges persist

One challenge in curbing cybercrime
is that technology is outpacing legislation, making it harder for governments
to stay ahead of criminals, experts say.

The basic legal framework that exists in
Western countries doesn’t exist in Ukraine and Russia, although the government
here took steps toward that in March, when it approved a bill of amendments to
the Ukrainian law “On the bases of the national security of Ukraine” concerning
the cyber security of the country.

“The specialists say that adoption
of the bill lays the legal basis for the further rule-making activity at the
legislative level aimed at creating and improving the national cyber security
system and fighting cybercrime,” a Cabinet of Ministers’ press release read.

Authorities say the bill should serve as a
legal basis for further rulemaking designed to create, improve and control the
national security in cyberspace. Critics, however, have said the bill doesn’t
go far enough in a country many have long referred to as a haven for hackers.

“I think that many other countries
have more reason to be called a haven for cybercrime,” Vladimir Kukovsky,
Executive Director of the Ukrainian Internet Association, told the Kyiv Post.
“Although (I) fully agree that Ukraine has enough problems in this area.”

Krebs believes the problems are more
deeply rooted in Eastern European society as well as the current economic
climate.

“Like many other Eastern European
countries that were once part of the Soviet Union, Ukraine has a high
percentage of individuals who are very well educated in math and science, and a
mastery of these subjects generally predisposes one to skills at computing and
programming,” he explained. “Combine these skills with a lackluster jobs
market, and you have a lot of young men who are quite educated and talented yet
are unemployed or else underemployed. In such an environment, cybercrime can be
something of a ‘no brainer’ for those who find themselves stuck with relatively
few options but to work in low skill, low-paying jobs.”

“Cybercrime offers the opportunity
for relatively high incomes, provided the hacker learns quickly, has or
develops decent ‘street smarts’ and works hard,” he added. “Indeed, nearly all
of the cybercrime suspects in Ukraine that I have studied and researched had
legitimate day jobs that made them comparatively paltry incomes.”

The latest in cybercrime

While there are few new developments
in terms of methodology on the part of cybercriminals, there has been a shift
in their areas of focus, Krebs said.

Fake antivirus attacks have become
rarer occurrences, while ransomware attacks, in which malicious software
infects a computer’s system and paralyzes it until a ransom is paid to the
malware’s creator, are on the rise.

At the same time there has been a
greater focus on filing false tax returns on unsuspecting Americans via the
Internal Revenue Service, as well as increasing organization and profit from
malware-driven cyberheists that steal hundreds of thousands of dollars from
small business victims in one fell swoop.

One new area of focus by
cybercriminals is the Bitcoin marketplace. 

Bitcoin, a decentralized digital
currency that enables instant electronic payments to anyone, anywhere in the
world, was first introduced in 2009.

Cybercriminals have designed new
malware that is infecting computers using Skype in order to build a botnet (a
group of malware-infected computers used without their owners’ knowledge to
perform tasks such as sending spam) large enough to begin mining the digital
currency.

The malware was discovered earlier
this month by researchers at Kaspersky Labs, an information technology security
company headquartered in Moscow, who found that its creators – most likely
operating from Eastern Europe – had used it to seize control of hundreds of
computers across Ukraine, Germany, Poland, Russia, Spain and other countries.

Krebs doesn’t believe the cybercrime
situation in Ukraine and other former Soviet countries will improve much unless
and until the countries’ leaders begin to show a greater respect for the rule
of law and democratic processes, including arresting, prosecuting and punishing
convicted cyber crooks with meaningful sentences.

“A greater respect for and adherence
to a rule of law will eventually encourage more foreign investment, which
Ukraine almost certainly needs and would hugely benefit from,” Krebs said.
“Building a homegrown Silicon Valley of sorts in Ukraine would offer many of
those tempted by cybercrime a potential route to a more legitimate and
lucrative lifestyle while still being able to make a living programming and
hacking.”

Kyiv Post staff writer Christopher J. Miller can be reached on Twitter at @ChristopherJM.