
Inside a Private-Public Partnership that Helps Law Enforcement Nab the Bad Guys

Since 2010, Symantec has helped law enforcement break up cyber crime networks in at least eight major cases

On January 18 of this year, officials loaded Alexander Zhukov onto a flight headed for the U.S. That same day, the 38-year-old Zhukov appeared in federal court in Brooklyn, New York to face charges in one of the most wide-ranging and lucrative ad-fraud schemes ever perpetrated on the internet.

In its 13-count criminal indictment, the U.S. Attorney’s Office alleged that Zhukov, along with five others, was part of an underground cyber syndicate that, among other deeds, built a global bot-net, infecting 1.7 million personal computers, that defrauded the digital advertising industry out of as much as $36 million.

The crew allegedly did this by placing fraudulent ads on “spoofed” versions of real websites, then either directing their robot army to visit those sites and click ads, or simulating such visits with datacenter servers, creating the illusion that real humans were viewing the ads. They then reaped the revenues from deals with real-world advertisers.
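The pattern described above leaves signals in an ad server's own logs: the domain an ad request claims to belong to does not match the host actually serving the page, the "viewer" sits in hosting address space rather than on a residential connection, and click-through rates are far above anything a human audience produces. The following triage script is an added illustration of those checks, not code from Symantec, White Ops or the investigation; the log lines, the datacenter CIDR blocks (TEST-NET ranges, not real provider space) and the thresholds are all constructed.

```python
"""Triage ad-impression logs for the fraud pattern in the text: impressions
on spoofed copies of real sites, viewed by bots or by datacenter servers
posing as browsers.  Added example; all data below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed: address space we treat as hosting/datacenter for this example
# (TEST-NET blocks, not real provider ranges).
DATACENTER_RANGES = [ipaddress.ip_network(c)
                     for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed ad-server log: client IP, the domain the ad request claimed the
# page belongs to, the host seen in the HTTP Referer, and whether a click
# followed the impression.
SAMPLE_LOG = """\
203.0.113.7 declared=news.example referer=news.example.cheap-host.example click=1
203.0.113.7 declared=news.example referer=news.example.cheap-host.example click=1
203.0.113.7 declared=news.example referer=news.example.cheap-host.example click=0
203.0.113.7 declared=news.example referer=news.example.cheap-host.example click=1
203.0.113.7 declared=news.example referer=news.example.cheap-host.example click=1
192.0.2.10 declared=news.example referer=news.example click=0
192.0.2.10 declared=news.example referer=news.example click=0
192.0.2.10 declared=news.example referer=news.example click=1
192.0.2.10 declared=news.example referer=news.example click=0
192.0.2.10 declared=news.example referer=news.example click=0
192.0.2.44 declared=sports.example referer=sports-example.mirror.example click=1
"""


def parse_log(text):
    """Turn the space-separated key=value lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        records.append({"ip": ip, "declared": kv["declared"],
                        "referer": kv["referer"], "click": kv["click"] == "1"})
    return records


def is_datacenter(ip):
    """True if the address falls in one of the (constructed) hosting ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def same_site(declared, referer):
    """A legitimate page is served from the declared domain or a subdomain of
    it; a spoofed copy is served from somewhere else entirely."""
    return referer == declared or referer.endswith("." + declared)


def triage(records, min_impressions=5, ctr_threshold=0.5):
    """Return {ip: [reasons]} for every source that trips at least one check."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        if is_datacenter(ip):
            reasons.append("datacenter source")
        spoofed = sum(1 for r in recs if not same_site(r["declared"], r["referer"]))
        if spoofed:
            reasons.append(f"domain spoofing on {spoofed}/{len(recs)} impressions")
        clicks = sum(r["click"] for r in recs)
        # Only judge CTR once there are enough impressions to be meaningful.
        if len(recs) >= min_impressions and clicks / len(recs) >= ctr_threshold:
            reasons.append(f"click-through rate {clicks / len(recs):.2f}")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

On the constructed log, the datacenter host trips all three checks, the residential visitor with a normal click rate trips none, and the single impression from a mirrored site is flagged for the domain mismatch alone. In practice the spoofing check would consult the exchange's declared-domain field against measured page data, and the datacenter check would use a maintained hosting-ASN list rather than a hard-coded CIDR pair.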

The FBI’s Cyber Division in New York helped nab the bad guys and coordinate the takedown of their bot-net, with crucial help from a public-private partnership with several tech companies, including Google, the bot-net detection firm White Ops, and Symantec.

They achieved this through the FBI’s National Cyber Forensics and Training Alliance, a public-private group that draws in dozens of tech companies and allows them to share data with cops and each other via a secure online portal as well as real-world meetings.

The Criminal Hunt Begins

In early 2017, White Ops, which tracks botnets and other mass infections online, first noticed an unusual malware making its way through cyber space. “We’re seeing bots all day, every day, and not everyone grabs our attention, but this one did,” says Michael Tiffany, co-founder of the six-year-old security outfit headquartered in New York City.

What was different about this infection, says Tiffany, “was the high level of virulence. It was operating with an extraordinary diversity of IP addresses, which differed month to month. These guys were doing something more sophisticated than the average bear. They were employing a higher level of sophistication to evade detection than we’d ever seen.”

Because of that evasive maneuvering, and because the sophisticated ad-fraud operation was composed of three sub-operations designed to commit different kinds of ad fraud, the White Ops team named it 3ve (pronounced “eve”) and decided to call in the cavalry.

Calling in The Nerds

Symantec has a long history of working with law enforcement agencies around the world, going back some 15 years. It gets involved in criminal cases in one of two ways, says Symantec Technical Director Vikram Thakur, who helped found the company’s attack investigations team of global intelligence analysts: “Either we find something that we determine law enforcement is best positioned to tackle or else they come to us for help.”

What Symantec doesn’t do, Thakur points out, is share customer information with the authorities. “Our dealings are strictly on the technical aspects,” says Thakur. “We tell them how things are working, how a botnet is designed to do what it does, where the infrastructure is located. Then they go look under the rocks to find out who is behind it.”

Since 2010, the company has helped law enforcement break up cyber crime networks in at least eight major cases. Those include the botnets Waledac, Bamital, and Ramnit, the ransomware Gameover Zeus, and the Bayrob gang that conned victims out of millions of dollars through online scams like fake car auctions, credit card theft, and cryptocurrency mining using infected computers. “That’s the longest-running case we’ve worked on,” says Thakur.

When FBI agents contacted Symantec about 3ve that same year, Symantec’s engineers had a head start. Four years earlier, in 2013, the company’s threat intelligence division had identified one of the malware Trojans, known as Kotver, that would be linked to 3ve.

More than a dozen Symantec specialists were involved, including engineers who broke down the threat in real time, analysts in the Security Technology and Response (STAR) team, and even the government affairs team.

Back then, Kotver was being used in ransomware attacks, locking up desktops and demanding payments from users in return for access to their encrypted files. By 2015, it had morphed into a botnet, performing click-fraud operations from infected computers.


As part of the FBI working group on 3ve, Symantec’s role was twofold: First, it explained how the 3ve malware did its job and helped identify the infrastructure, or servers, on which it was operating. Second, when it came time for the FBI to take down the botnet on “go day,” Symantec created software fixes to clean up the 1.7 million infected computers.

Over the course of about 18 months, the working group was in constant email, phone, and secure portal contact, sharing information about shifts in the botnet (which operators perform to avoid detection) and other data.

On “go day,” October 22, 2018, the FBI began to “sinkhole” internet domains used in the scheme by seizing control of 31 internet domains and 89 servers in the US, as well as seizing several international bank accounts in Switzerland and elsewhere. As the feds carried out their work, Symantec looked for transfers of Kotver onto new servers to alert the FBI of a potential spread. Symantec also began the job of cleaning up infected users. “We wanted to inflict the maximum amount of damage on the botnet on go day,” says Thakur.
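Once seized domains point at a sinkhole, every machine that still tries to reach them identifies itself in DNS logs, which is what makes the clean-up list possible, and any seized name that resolves to something other than the sinkhole is the kind of shift onto new infrastructure worth escalating. The script below is an added illustration of that monitoring, not Symantec's or the FBI's tooling; the seized domain names, the sinkhole address and the resolver log lines are constructed placeholders, and the timestamps are chosen to match the go day in the text.

```python
"""Post-sinkhole DNS log review: list internal hosts still contacting seized
domains (candidates for clean-up) and flag seized names resolving anywhere
but the sinkhole.  Added example; every value below is constructed."""
from collections import defaultdict

# Constructed placeholders; the real seized names are not on the page.
SEIZED_DOMAINS = {"c2-alpha.example", "c2-beta.example"}
SINKHOLE_IPS = {"192.0.2.1"}          # constructed sinkhole address

# Constructed resolver log: timestamp, querying client, name, answer.
SAMPLE_DNS_LOG = """\
2018-10-22T09:58:12 client=10.0.0.5 qname=c2-alpha.example answer=192.0.2.1
2018-10-22T09:58:40 client=10.0.0.9 qname=www.news.example answer=198.51.100.20
2018-10-22T10:02:03 client=10.0.0.5 qname=c2-beta.example answer=192.0.2.1
2018-10-22T10:05:11 client=10.0.0.17 qname=c2-alpha.example answer=192.0.2.1
2018-10-22T10:07:30 client=10.0.0.17 qname=c2-beta.example answer=203.0.113.88
"""


def parse_dns_log(text):
    """Parse 'ts key=value ...' lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = ts
        records.append(rec)
    return records


def review(records, seized=SEIZED_DOMAINS, sinkholes=SINKHOLE_IPS):
    """Return (infected_hosts, unexpected_answers).

    infected_hosts maps each client that queried a seized domain to the set
    of seized names it asked for; unexpected_answers lists every lookup of
    a seized name whose answer was not a known sinkhole address."""
    infected = defaultdict(set)
    unexpected = []
    for r in records:
        if r["qname"].lower() not in seized:
            continue                      # ordinary traffic, ignore
        infected[r["client"]].add(r["qname"].lower())
        if r["answer"] not in sinkholes:
            unexpected.append((r["ts"], r["client"], r["qname"], r["answer"]))
    return dict(infected), unexpected


def cleanup_queue(infected):
    """Hosts ordered by how many seized names they touched, busiest first,
    so the most clearly compromised machines are remediated earliest."""
    return sorted(infected, key=lambda h: (-len(infected[h]), h))


if __name__ == "__main__":
    hosts, odd = review(parse_dns_log(SAMPLE_DNS_LOG))
    print("clean-up queue:", cleanup_queue(hosts))
    for ts, client, qname, answer in odd:
        print(f"{ts} {client} resolved {qname} to {answer}, not a sinkhole")
```

Against the constructed log, two internal hosts are queued for clean-up and one lookup is escalated because a seized name came back with a non-sinkhole answer. In a real deployment the seized list and sinkhole set would be fed from the takedown coordinator rather than hard-coded, and the "unexpected answer" path is where analysts would look first for the botnet moving to fresh servers.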

In the end, the eight suspects, three of whom were arrested, accounted for several key roles in the crime syndicate, among them the top boss, or “business and vision guy,” as Thakur explains. This included the creators of the malware, the infrastructure provider, and the people who set up a network of fake companies to launder the money at legitimate banks.


About the Author

P.K. Gray

Journalist

P.K. Gray is a freelance technology writer covering the security and energy industries.
