Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

Who Watches the Watchmen? Untrained Law Enforcement Ripe for Cybercrime Abuse

60% of something is better than 100% of nothing! How many times has this phrase been used to describe a situation that’s too good to be true? Whether it’s a protection scheme from organized crime or ransomware demanding a small payment to decrypt your Bitcoin private keys, it is generally best to avoid putting yourself in situations where you have to make Sophie’s choice.

24-year-old Ukrainian Ivan Turchynov had it all: a house in Ukraine in a district equivalent to Beverly Hills, an extravagant gold clock collection, a Bentley, and a goose that kept laying golden eggs. During World War II, it was said that loose lips sink ships, and during a drunken stupor one night, Turchynov’s loose lips would lead to his eventual downfall. Turchynov boasted that he had found a way into business PR (public relations) and newswire services and could obtain material non-public information before it hit the newswire. This information would be worth a fortune in the right hands. His audience, made up mostly of other similarly aged hackers, took interest and wanted into his operation.


Turchynov and his new cyber-infantry used every trick in the book to obtain access to PR and newswire services: spearphishing, SQL injection, drive-by downloads, and social engineering, to name a few. Through their attack campaigns, they were quite successful in breaching the organizations Business Wire, PR Newswire, and Marketwired, gaining a foothold in their networks and expanding their reach over time. Data-stealing malware sucked up unpublished press releases and exfiltrated them back to the attackers. The attackers had no easy way to monetize the data, so they enlisted Moscow-based traders to execute trades based on the information they obtained, in exchange for a 40% cut of the profits. This activity fits the very definition of insider trading, for which Martha Stewart was most famously convicted and served jail time.

The case of Turchynov and his associates demonstrates how an old insider trading technique has simply been adapted to the digital age. Approximately 10 years ago, staff who worked at television station NBC would obtain advance scripts of influential stock trader Jim Cramer’s show that would air on CNBC the next day. Stocks mentioned during Jim Cramer’s show with a buy recommendation would typically see a nice bounce upwards the next trading day, affectionately known as the Cramer Bounce. The staff members who obtained advance scripts leaked the information to traders in exchange for a cut of the profits, similar to Turchynov’s scam. Only the method for obtaining the material non-public information changed for the digital age.

The US Secret Service is not only tasked with protecting the President of the United States, but also with protecting the financial infrastructure of the country by fighting money counterfeiting and severe stock market manipulation. In 2012, the US Secret Service alerted PR Newswire that their systems may be compromised. A cyber forensics team was brought in to investigate, and Turchynov’s malware was detected and removed. In a 1-2 punch to the young hacker, not only was his golden goose dead, his clients were now exposed: law enforcement authorities could now correlate trades with the timing of when PR Newswire received the material non-public information and unmask their identities. Shortly after PR Newswire was cleaned, the US Secret Service reached out to their Ukrainian counterparts to ask them to scoop up Turchynov and extradite him to the US to face charges. Unsurprisingly, the Ukrainian intelligence service thanked the US for the information, then went dark. This was not completely unexpected, as Ukraine resists extraditing its own citizens to other countries. Somewhat surprisingly, Turchynov and his goons were never charged in Ukraine either.
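The timing correlation that unmasked Turchynov’s clients can be shown as a small piece of detection logic. The following is an added example, not code from the original post or from any agency or newswire involved; the press releases, accounts, trade times and the suspicion thresholds are all constructed. The idea is that once you know when a newswire received an embargoed release and when it published it, any trade in that ticker placed inside that window was made while the information was still non-public, and an account that lands inside such windows repeatedly, rather than once by chance, is the one worth investigating.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class PressRelease:
    ticker: str
    received: datetime    # when the newswire received the embargoed release
    published: datetime   # when the release went out over the wire


@dataclass(frozen=True)
class Trade:
    account: str
    ticker: str
    placed: datetime
    side: str             # "BUY" or "SELL"


# Constructed sample data (hypothetical tickers, accounts and times).
RELEASES = [
    PressRelease("ACME", datetime(2013, 5, 6, 15, 5), datetime(2013, 5, 6, 16, 30)),
    PressRelease("BETA", datetime(2013, 5, 7, 9, 40), datetime(2013, 5, 7, 12, 0)),
    PressRelease("GAMA", datetime(2013, 5, 8, 14, 0), datetime(2013, 5, 8, 16, 1)),
]

TRADES = [
    Trade("acct-17", "ACME", datetime(2013, 5, 6, 15, 42), "BUY"),   # inside ACME window
    Trade("acct-17", "BETA", datetime(2013, 5, 7, 10, 15), "SELL"),  # inside BETA window
    Trade("acct-17", "GAMA", datetime(2013, 5, 8, 15, 30), "BUY"),   # inside GAMA window
    Trade("acct-17", "ACME", datetime(2013, 5, 9, 10, 0), "SELL"),   # outside any window
    Trade("acct-42", "ACME", datetime(2013, 5, 6, 15, 50), "BUY"),   # inside ACME window, once
    Trade("acct-42", "BETA", datetime(2013, 5, 7, 13, 0), "BUY"),    # after publication
    Trade("acct-42", "GAMA", datetime(2013, 5, 8, 9, 0), "SELL"),    # before the wire received it
    Trade("acct-42", "ACME", datetime(2013, 5, 10, 9, 30), "BUY"),   # ordinary activity
    Trade("acct-42", "BETA", datetime(2013, 5, 10, 9, 31), "BUY"),
    Trade("acct-42", "GAMA", datetime(2013, 5, 10, 9, 32), "BUY"),
    Trade("acct-99", "ACME", datetime(2013, 5, 6, 17, 0), "BUY"),    # after publication
]


def trades_in_embargo_window(trades, releases):
    """Trades placed after the wire received a release but before it was published.

    A trade inside this window was made while the information was still
    material and non-public, so it is a candidate for closer review.
    """
    hits = []
    for t in trades:
        for r in releases:
            if t.ticker == r.ticker and r.received <= t.placed < r.published:
                hits.append(t)
                break   # one matching window is enough to flag the trade
    return hits


def suspicious_accounts(trades, releases, min_hits=2, min_rate=0.5):
    """Accounts whose trades repeatedly land inside embargo windows.

    Returns {account: (hits, total_trades, hit_rate)} for accounts with at
    least `min_hits` window trades and a hit rate of at least `min_rate`.
    The rate guards against flagging a high-volume trader who hits a window
    by coincidence; the count guards against flagging a single lucky trade.
    """
    total = defaultdict(int)
    for t in trades:
        total[t.account] += 1
    hits = defaultdict(int)
    for t in trades_in_embargo_window(trades, releases):
        hits[t.account] += 1
    result = {}
    for account, n in hits.items():
        rate = n / total[account]
        if n >= min_hits and rate >= min_rate:
            result[account] = (n, total[account], rate)
    return result


if __name__ == "__main__":
    for account, (n, total, rate) in suspicious_accounts(TRADES, RELEASES).items():
        print(f"{account}: {n}/{total} trades inside embargo windows ({rate:.0%})")
```

On the constructed data, `acct-17` is flagged (3 of its 4 trades fall inside windows) while `acct-42`, which hit one window out of six trades, and `acct-99`, which traded only after publication, are not. In practice the release timestamps come from the newswire’s own intake and publication logs and the trades from broker or exchange records; the thresholds should be tuned against normal trading volume in the tickers concerned.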

In true Pablo Escobar fashion, the Ukrainian intelligence service threatened Turchynov with extradition to the US unless he continued his insider trading scheme with the intelligence agents now as the beneficiaries. Faced with the “Gold or Lead” ultimatum, Turchynov quickly handed over his house, Bentley, and clock collection to the agents as a down payment for their future work together. Even with the new security controls installed after the discovery of the initial breach, the hacking crew found new ways back into the networks of PR and newswire companies, and the scam continued under the oversight of corrupt Ukrainian intelligence agents. The scam would continue through 2016, when a member of the hacking syndicate made the mistake of traveling to Cancun, Mexico, and was scooped up and extradited to the US to face charges. There is no honor among thieves: the syndicate turned against itself and eventually collapsed under its own weight. Illicit trading gains according to public records totaled more than $100 million USD, although the true number is believed to be much higher.

Just a few months after Ukrainian intelligence agents were turning material non-public information into cold hard cash, US authorities captured the founder and administrator of illicit goods site Silk Road. Dread Pirate Roberts, also known by his real-world identity as 29-year-old Ross Ulbricht, was arrested in October 2013. Unbeknownst to Ulbricht at the time, he was being extorted by corrupt US DEA and Secret Service agents.

Drug Enforcement Agency Special Agent Carl Force extorted and attempted to cash out hundreds of thousands of dollars’ worth of the digital cryptocurrency Bitcoin through a Slovenian Bitcoin exchange named Bitstamp. Force was armed with everything he thought he needed for the cashout: fake IDs, passports, social security cards, bank statements, everything an undercover DEA agent would likely have as part of his cover for an operation. Bitstamp’s internal security team flagged Force’s account for suspicious activity and alerted the authorities, including his employer, the DEA. Their concerns went mostly unanswered until Bitstamp’s general counsel contacted a cryptonerd who worked for the Internal Revenue Service (IRS). The IRS agent believed there was something suspicious going on, but did not feel there was enough evidence to warrant an investigation. That would change the very next day, when Force requested that Bitstamp delete all of his transaction records.

Hoping to do the right thing, the IRS agent reached out to the US Secret Service liaison Shaun Bridges. Bridges was very defensive and combative from the first call which seemed suspicious in itself. A deeper dive into Force’s official file would prove a link between DEA’s Agent Force and US Secret Service Agent Bridges: they were both on a task force created to bring down the drug marketplace Silk Road. 

Shortly after Force went undercover posing as a drug kingpin, Force and Bridges arrested a Silk Road website administrator and convinced him to become a state’s witness, testifying against the founder Ross Ulbricht. During the interrogations, the Silk Road administrator gave up his administrator credentials, and Force and Bridges helped themselves to massive amounts (thought to be over $350,000 at the time) of Bitcoin from Silk Road seller accounts and transferred it into their own personal accounts. From then on, Agent Force would play both sides, building a legitimate criminal case against Ulbricht while extorting him at the same time. Agent Force went so far as to trick Ulbricht into hiring a hitman to kill the Silk Road administrator who had turned state’s evidence. Bridges would also use his position of authority to try to cover up his crimes. Under the guise of investigating the demise of Japanese Bitcoin exchange MtGox, Agent Bridges attempted to steal and destroy his MtGox transaction record proving he stole Bitcoin that rightfully belonged to the US government.

In mid-2015, the US government had Agents Force and Bridges dead to rights, and they both pleaded guilty to a long list of criminal charges. Bridges attempted to mount the defense that Bitcoin was such a new technology at the time that the US government was not equipped to hold it in evidence, and that he held it in his own personal account for safekeeping.


The cases against corrupt Ukrainian and US government agents really shine a light on a deficiency in our legal and law enforcement capabilities. I interviewed a local law enforcement official, who wished to remain anonymous, and he commented that technological and financial crimes are underreported and often not even thoroughly investigated. First-line investigators are only equipped to take statements, collect evidence and pass the information on to the local financial crimes unit. The case backlog of the financial crimes unit is thought to be 3-5 years long. The financial crimes unit is the only branch that receives the training to recognize and investigate cryptocurrency and related technological crimes, which still echoes Bitstamp’s experience of having to go out of their way to find a crypto-savvy law enforcement resource who could even understand that a crime had taken place.

In addition to this massive backlog, a local FBI agent speaking at a community event confirmed this fact and added that only financial crimes with high dollar losses get the resources for an investigation. This is simply a function of resources and demand. If a local hardware store loses $60,000 USD, that could possibly be the end of the business, but the FBI and financial crimes units are not staffed and equipped to handle such a small dollar-amount loss.

One solution to this problem is to provide continual training for the US law enforcement community to recognize and understand cybercrime. If our law enforcement officials cannot understand the technology, they will not be able to realize a crime has taken place or know how to investigate it. With a self-proclaimed “Law and Order” president in office, the hope is that law and order extends into the cyber world. Months after his inauguration, President Trump signed an executive order initiating a comprehensive review of the United States’ cyber capabilities, including the FBI. It would be easy to simply increase budgets and resources, but it is equally important to remember that cybersecurity is everyone’s responsibility. As crime evolves into the cyber world, so must our law enforcement capability.