Saturday, August 1, 2020

Malware Author Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses

Cybercrime Organization Victimized Millions in all 50 States and Worldwide in One of the Largest Cyberfraud Enterprises Ever Prosecuted by the Department of Justice

An author of malicious computer software and a member of the Infraud Organization pleaded guilty today to RICO conspiracy, announced Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division. 

Valerian Chiochiu, aka “Onassis,” “Flagler,” “Socrate,” and “Eclessiastes,” 30, pleaded guilty before U.S. District Court Judge James C. Mahan in the District of Nevada.  Chiochiu is a national of the Republic of Moldova, but resided in the United States during the period of the conspiracy.  His plea came just over a month after the co-founder and administrator of Infraud, Sergey Medvedev of Russia, separately pleaded guilty on June 26.  Sentencing for Chiochiu has been scheduled for Dec. 11.

Infraud was an Internet-based cybercriminal enterprise engaged in the large-scale acquisition, sale, and dissemination of stolen identities, compromised debit and credit cards, personally identifiable information, financial and banking information, computer malware, and other contraband.

“Over the course of seven years, Infraud and its alleged conspirators created a sophisticated cybercriminal racketeering scheme that victimized individuals, merchants, and financial institutions to the tune of over half a billion dollars in losses,” said Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division.  “The Justice Department is committed to unmasking cyber criminals and their criminal organizations that use the internet for fraudulent schemes.”

“HSI and our partners are at the forefront of combating financial crimes and illicit activities spread on the Internet,” said Special Agent in Charge Francisco Burrola for the U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (HSI) Las Vegas Office.  “While criminal operators may continue to grow the reach of their criminal activity, ultimately they do not escape the reach of law enforcement. We continue to investigate, disrupt, and dismantle hidden illegal networks that pose a threat in cyberspace.”

According to the indictment, the Infraud Organization was created in October 2010 by Medvedev and Svyatoslav Bondarenko, aka “Obnon,” “Rector,” and “Helkern,” 34, of Ukraine, to promote and grow interest in the Infraud Organization as the premier destination for “carding” — purchasing retail items with counterfeit or stolen credit card information — on the Internet.  Under the slogan, “In Fraud We Trust,” the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware, and other illicit goods.  It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information, and other contraband were permitted to advertise to members.  In March 2017, there were 10,901 registered members of the Infraud Organization.

Bondarenko currently remains a fugitive.  

According to the indictment, Chiochiu provided guidance to other Infraud members on the development, deployment, and use of malware as a means of harvesting stolen data.  As part of his plea agreement, Chiochiu admitted to authoring a strain of malware known to the computer security community as “FastPOS”.

During the course of its seven-year history, the Infraud Organization inflicted approximately $2.2 billion in intended losses, and more than $568 million in actual losses, on a wide swath of financial institutions, merchants, and private individuals, and would have continued to do so for the foreseeable future if left unchecked. 

The investigation was conducted by the Las Vegas Office of U.S. Immigration and Customs Enforcement’s Homeland Security Investigations and the Henderson, Nevada Police Department.  The U.S. Attorney’s Office for the Central District of California also provided assistance with Chiochiu’s case.  Deputy Chief Kelly Pearson and Trial Attorneys Chad W. McHenry and Alexander Gottfried of the Criminal Division’s Organized Crime and Gang Section are prosecuting the case.

Cyber Yankee exercise trains Connecticut Guard, local utilities in virtual threats

Story by Staff Sgt. Steven Tucker, 103rd Airlift Wing, Public Affairs, Bradley Air National Guard Base

WINDSOR LOCKS, Conn. – Airmen and Soldiers from the Connecticut National Guard joined other Guardsmen from throughout New England, as well as state and federal partner agencies, for exercise Cyber Yankee, sharpening their readiness in one of today’s most dynamic battlefields—cyberspace.

The exercise trains interoperability of military and civilian agencies to combat potential cyberattacks to critical infrastructure utilities.

“The purpose of this exercise is for the military to train to interact with a mission partner that is a critical asset for the state,” said Capt. Frederick Bond, 103rd Air Control Squadron cyberspace operator and exercise Team 3 lead. “So for this exercise we’re working with an actual municipal water company in Hartford.”

Guardsmen on the exercise’s “Blue Teams” worked together with utilities in real-time to combat simulated cyberattacks from the exercise’s “Red Team,” which operated from this year’s exercise host state of New Hampshire. The “Red Team” plays the role of the threat actors in the exercise scenario and stages “attacks” against the “Blue Teams” of Guardsmen throughout the New England states.

Cyber Guardsmen from organizations throughout the state, including the 103rd Air Control Squadron, 103rd Communications Flight, and 146th Rear Detachment, worked in several roles as part of a team at the Windsor Locks Readiness Center to identify and address these attacks.

“We received intel that potential threat actors may be using a certain capability to transfer files,” said Senior Airman Stephen LaLuna, 103rd Communications Flight cyber systems operations specialist. “So as we see the traffic that’s using it, that sets off a flag on our end to look deeper into that. If we determine it is malicious, we send it up the chain with our findings and recommendations to block it.”

The Guard’s cyber defense capabilities are another key asset in the state’s homeland defense mission, said Bond.

“If a large-scale attack happened against a power company, water company, or any other critical department around the state, we would be able to get activated and help them mitigate the threat,” said Bond. “It’s similar to when a storm comes and we help remove fallen trees or shovel snow from roofs to help get critical infrastructure going again.”

The exercise provides valuable training in preparing for cyber attack scenarios, said LaLuna.

“Everything is constantly changing, so we need to be able to adapt with the world,” said LaLuna. “This exercise is allowing us to learn how to identify these things as they’re being built in the real world by threat actors.”

Friday, July 31, 2020

Three Individuals Charged for Alleged Roles in Twitter Hack

Three individuals have been charged today for their alleged roles in the Twitter hack that occurred on July 15, 2020.

Mason Sheppard, aka “Chaewon,” 19, of Bognor Regis, in the United Kingdom, was charged in a criminal complaint in the Northern District of California with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.

Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida, was charged in a criminal complaint in the Northern District of California with aiding and abetting the intentional access of a protected computer.

The third defendant is a juvenile.  With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile.  Pursuant to the Federal Juvenile Delinquency Act, the Justice Department has referred the individual to the State Attorney for the 13th Judicial District in Tampa, Florida.

“The hackers allegedly compromised over 100 social media accounts and scammed both the account users and others who sent money based on their fraudulent solicitations,” said Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division.  “The rapid investigation of this conduct is a testament to the expertise of our investigators, our commitment to responding quickly to cyber attacks, and the close relationships we have built with law enforcement partners throughout the world.”

“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” said U.S. Attorney David L. Anderson for the Northern District of California.  “Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived.  Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it.  In particular, I want to say to would-be offenders, break the law, and we will find you.”

“Upon opening an investigation into this attack, our investigators worked quickly to determine who was responsible and to locate those individuals,” said San Francisco FBI Special Agent in Charge John F. Bennett. “While investigations into cyber breaches can sometimes take years, our investigators were able to bring these hackers into custody in a matter of weeks. Regardless of how long it takes us to identify hackers, we will follow the evidence to where it leads us and ultimately hold those responsible for cyber intrusions accountable for their actions. Cyber criminals will not find sanctuary behind their keyboards.”

“Weeks ago, one of the world’s most prolific social media platforms came under attack.  Various political leaders, celebrities, and influencers were virtually held hostage as their accounts were hacked,” said Kelly R. Jackson, IRS-Criminal Investigation (IRS-CI) Special Agent in Charge of the Washington D.C. Field Office.  “The public was confused, and everyone wanted answers.  We can now start answering those questions thanks to the work of IRS-CI cyber-crime experts and our law enforcement partners. Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers. This case serves as a great example of how following the money, international collaboration, and public-private partnerships can work to successfully take down a perceived anonymous criminal enterprise. Regardless of the illicit scheme, and whether the proceeds are virtual or tangible, IRS-CI will continue to follow the money and unravel complex financial transactions.”

“Today’s announcement proves that cybercriminals can no longer hide behind perceived global anonymity,” said Thomas Edwards, Special Agent in Charge, U.S. Secret Service, San Francisco Field Office. “The Secret Service remains committed to pursuing those responsible for cyber-enabled fraud and will continue to hold cyber criminals accountable for their actions.  This investigation is a testament to the strong partnerships between the Secret Service, the U.S. Attorney’s Office, the FBI, the IRS, as well as our state, local and international law enforcement partners.”

“Our identities and reputations are sacred. We will continue to aggressively defend and protect individuals, companies, and other entities from new-age cyber-fraud, especially those who scheme to hack, defraud and wreak havoc on U.S. citizens across the country,” said Caroline O’Brien Buster, Special Agent in Charge, U.S. Secret Service, Orlando Field Office. “The Secret Service believes that building trusted partnerships between the private sector and all levels of law enforcement is the proven model for success. I commend the exceptional work conducted by our law enforcement partners and the U.S. Attorney’s Office who worked diligently to hold these defendants accountable.”

As alleged in the complaints, the Twitter attack consisted of a combination of technical breaches and social engineering.  The result of the Twitter hack was the compromise of approximately 130 Twitter accounts pertaining to politicians, celebrities, and musicians.

The hackers are alleged to have created a scam bitcoin account, to have hacked into Twitter VIP accounts, to have sent solicitations from the Twitter VIP accounts with a false promise to double any bitcoin deposits made to the scam account, and then to have stolen the bitcoin that victims deposited into the scam account.  As alleged in the complaints, the scam bitcoin account received more than 400 transfers worth more than $100,000. 

This case is being investigated by the FBI’s San Francisco Division, with assistance from the IRS-Criminal Investigation Cyber Unit; the U.S. Secret Service, San Francisco and Headquarters; the Santa Clara County Sheriff’s Office and their REACT task force and the Florida Department of Law Enforcement.

The case is being prosecuted by Senior Counsel Adrienne Rose of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorneys William Frentzen and Andrew Dawson of the Northern District of California.

Additional assistance has been provided by the U.S. Attorney’s Office for the Middle District of Florida; the State Attorney for the 13th Judicial District in Tampa, Florida; the Criminal Division’s Office of International Affairs and Organized Crime and Gang Section; the United Kingdom’s Central Authority and National Crime Agency; Chainalysis and Excygent.

The allegations of a criminal complaint are merely allegations.  All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

U.S. Attorney Anderson’s video statement can be viewed here.

Wednesday, July 29, 2020

Register for “Network Forensics: Challenges and Tools.”

This webinar, hosted by the Forensic Technology Center of Excellence (FTCoE), will be held Tuesday, August 12, from 1:00 - 2:00 pm ET.

In response to criminal investigations involving digital evidence, law enforcement needs forensically sound tools to acquire, evaluate, process, and present the data to the court. In the case of network forensics, challenges arise when the evidence is buried in large volumes of data. The financial burdens of purchasing and licensing proprietary tools to assist are not sustainable for law enforcement.

This webinar reviews a set of open-source tools, including Snort, pcap, tcpdump, Wireshark, and NetworkMiner. It also highlights a recent open-source toolkit, FileTSAR, developed by Purdue University. This user-friendly toolkit can extract digital evidence from large amounts of network traffic and reconstruct unencrypted files, web pages, emails, and VoIP. FileTSAR achieves great performance by leveraging Spark, Elasticsearch, Kafka, and Kibana.

Since existing tools all have their own limitations, the presenters will also discuss the challenges in network forensics. Potential workarounds will be given for law enforcement and future work is identified for researchers in the field.


Tuesday, July 28, 2020

Nominees for Northcom, Spacecom Posts Testify at Confirmation Hearing

July 28, 2020 | BY JIM GARAMONE, DOD News

Air Force Lt. Gen. Glen D. VanHerck and Army Lt. Gen. James H. Dickinson testified before the Senate Armed Services Committee as part of the confirmation process to be U.S. Northern Command commander and commander of the U.S. Space Command, respectively.

VanHerck is currently the director of the Joint Staff in the Pentagon, and Dickinson serves as Spacecom's deputy commander.

If confirmed, VanHerck will also command the North American Aerospace Defense Command. He would also be the third Air Force officer in a row to hold the position. He would succeed Air Force Gen. Terrence J. O'Shaughnessy.

Dickinson would replace Space Force Gen. John W. "Jay" Raymond. Raymond currently serves as chief of space operations and Spacecom commander.

While Space Command is DOD's newest combatant command, established just last year, Northcom is not that much older, standing up in October 2002 in response to the attacks of 9/11.

The command is responsible for the defense of the homeland, and at today's hearing, VanHerck said "no mission is more sacred."

The command is also the military lead for support to civilian agencies and has provided aid during Hurricane Katrina, fires in the western U.S. and the current response to the COVID-19 pandemic.

The global situation is much more complicated than when the command was formed with very real threats from actors across all domains, VanHerck said. "We must remain prepared to meet the threats head on defend our homeland from an increasingly assertive set of peer competitors, rogue nations and nonstate actors, who are committed to creating a new world order and influencing our freedoms and our way of life," he told the Senate panel.

With his NORAD hat, VanHerck will command a binational agency that has defended North America for 62 years. If confirmed, he will work closely with Canadian defense officials to strengthen the already strong bonds between the two countries. He also pledged to continue outreach to Mexican defense officials.

"If confirmed, I commit … that I will provide my best military advice and candid views on the issues and challenges we face, and I will ensure that Northcom remains postured to defend the homeland and ready to provide timely support to civil authorities in order to eliminate suffering and ensure the safety of the American people," he said.

Dickinson has been intimately involved with the setup of Spacecom since it was a proposal. The command is less than a year old, but it had to hit the ground running, he noted. "I know well the tremendous responsibilities levied upon this command and its incredible joint warfighters as I reflect on the responsibilities of the new position for which I've been nominated," he told the senators.

It is not that long ago that the idea of space as a warfighting domain would have been denigrated, he said. "Frankly, I'm amazed at where we are today," the general said. "Just over a year ago, during General Raymond's nomination hearing, he testified of the great alignment in our nation with acknowledging space as a warfighting domain, just like land, air, sea and cyber. Based on that alignment, we as a nation took bold steps towards protecting and defending our critical space capabilities by establishing U.S. Space Command and subsequently standing up the U.S. Space Force to better organize, train and equip our space warfighters."

Dickinson said the new domain is facing "the most significant transformation in the history of U.S. national security space programs. The scope, scale and complexity of the threats to our space capabilities are real and concerning."

Space is not a benign environment, he said, with near-peers and others threatening the foundational domain. "We no longer have the luxury of assuming our access to and ability to leverage the space domain is a given," he said.

The goal for the new command is deterrence – Dickinson said he wants to ensure conflict does not extend into space. "The best way I know how to prevent that from happening is be prepared to fight and win if deterrence were to fail," he said.

U.S. Space Effort's Future Hinges on Private Industry

July 28, 2020 | BY C. Todd Lopez, DOD News

When the United States sent men to the moon in the 1960s, the effort was largely driven by the government. But the future of the U.S. space effort will be agile innovators in the private sector who partner with the government, the Space Force's chief scientist said.

"We're very much at a precipice where private investment in space is driving the technology, not necessarily government investment as it has been in the past," Dr. Joel B. Mozer said today during a virtual panel discussion at the Center for Strategic and International Studies in Washington.

The U.S. government, in its pursuit of advancements and participation in the space domain, can contribute through investments in science, technology, infrastructure and science, technology, engineering and math — or STEM — education, Mozer said, as well as through development of policies and regulations that strengthen space efforts.

Defense Department officials must have a unique perspective on space, how it can be used, and what must be done to achieve national security objectives, Mozer said.

"Firstly, it's going to shape the environment that we operate in and will evolve our mission to protect U.S. interests both here on Earth and beyond in the future," he explained. "Second, many of the technological innovations that are now coming and will continue to come from entrepreneurs and industrialists in the space business are from those entrepreneurs. We must harness those innovations for our mission to support the joint fight when we're called upon to do so."

Finally, Mozer said, those involved in the military's pursuit of space must overmatch America's strategic competitors.

"Space is now a warfighting domain," he said. "We must work with industry, as well as our allies, to protect our ability to operate in that domain and to defend our capabilities and ensure that they're there when needed as well as to ensure that the technological advantage in space goes to freedom-loving states who desire to keep space lines of commerce open for all."

In May, NewSpace New Mexico sponsored a four-day conference to discuss civil, commercial and national security space strategy. That conference produced the nearly 90-page report "State of the Space Industrial Base Report 2020."

Mozer, one of the report's authors, said 10 recommendations regarding the future of space — six for the U.S government and four for industry — were the key takeaways.

The No. 1 recommendation, Mozer said, is that the U.S. government develop and endorse a whole-of-government "North Star" vision and strategy for the industrial development of space and that a presidential task force be established to execute that strategy.

"This recommendation is particularly important, and I believe that we're getting there," Mozer said. "In recent years and months, we've seen a lot of action and direction in this direction."

As examples of progress, he cited NASA's Artemis mission, which plans to put the first woman and the next man on the moon by 2024. The establishment of the Space Force is also an example of progress.

"There's a lot of thought being put into this 'North Star' vision, and we're laying some groundwork for it," he said. "However, it is still significant that this recommendation came out on top from the workshop. It tells me that we still have some work to do to describe this future vision, a vision that the nation could get behind and adopt."

The "North Star" vision must be specific about what the United States wants its future in space to look like, and U.S. officials must make sure the decisions they make now move the nation toward a future in space that Americans can aspire to and be proud of, Mozer said.

Other nations, specifically China, already have a long-term vision of the future of space and are making investments toward their own visions, he noted.

"The importance of such a vision is that it has the potential to derive national pride and to instill a culture of progress, and it highlights the value of STEM education for aspiring youth," he said. "There's lots of benefits of such a vision. The value is immense of a 'North Star' vision, and the consequences of a lack of such visual are potentially disastrous."

Monday, July 27, 2020

Maryland Man Sentenced to Four Years in Federal Prison for Ruthless Cyberstalking Campaign Against Former Girlfriend

Ahmad Kazzelbach Engineered Elaborate Scheme that Resulted in his Former Girlfriend Being Falsely Arrested by the Police and Disqualified from her Health Insurance Plan

Baltimore, Maryland – Chief U.S. District Judge James K. Bredar today sentenced Ahmad Kazzelbach, age 26, of Pasadena, Maryland, to four years in federal prison, followed by three years of supervised release, on the federal charges of cyberstalking and intentional damage to a protected computer. 

The sentence was announced by United States Attorney for the District of Maryland Robert K. Hur; Special Agent in Charge Jennifer C. Boone of the Federal Bureau of Investigation, Baltimore Field Office; Chief Melissa R. Hyatt of the Baltimore County Police Department, and Anne Arundel County State’s Attorney Anne Colt Leitess.

According to Kazzelbach’s plea agreement, beginning in June 2015, Kazzelbach and the victim both worked at Company A, an insurance broker located in Glen Burnie, Maryland, and in December 2015 began a romantic relationship, moving into a shared apartment.  In late May 2016, the victim ended her relationship with Kazzelbach.  Although Kazzelbach moved out of their shared apartment, he subsequently began a year-long scheme to harass the victim by compromising her personal online accounts, forging policy cancellation letters on behalf of her clients, and filing false reports with law enforcement that ultimately resulted in the victim being wrongfully arrested and incarcerated on multiple occasions.

Specifically, on July 25, 2016, Kazzelbach created an e-mail account that mimicked the victim’s real e-mail address and within 10 minutes, changed the name on the victim’s Apple account to the fake e-mail address he had created.  Two days later, Kazzelbach initiated a password reset, locking the victim out of the account which controlled certain settings on her iPhone, as well as access to the photos, music, and videos associated with her account.  Kazzelbach also accessed the victim’s Instagram account and changed a portion of her user name to “whore,” and accessed the victim’s online student loan account and changed the account e-mail address to the fake address he had created.

Kazzelbach also admitted that in late August 2016, he used a fax machine at Company A to send two letters purporting to cancel supplemental health insurance policies belonging to two of the victim’s clients, whose information Kazzelbach had accessed through his position at Company A.  On August 28, 2016, Kazzelbach accessed the victim’s own online health insurance account, to which she had previously given Kazzelbach limited access for initiation purposes, and made unauthorized changes to the victim’s race, pregnancy status, and income.  The change in income resulted in the victim being disqualified from the plan in which she had enrolled, potentially modifying or impairing her medical care.

On September 1 and October 1, 2016, Kazzelbach attempted to access the victim’s bank account and tax-filing account, respectively, using a proxy server, which can be used to hide an electronic device’s true location or identity.  However, investigators were able to identify the true Internet Protocol (IP) address from which the attempts were made and determined that the account was subscribed to by Kazzelbach’s father at a residence where Kazzelbach was then residing.

On September 30, 2016, Kazzelbach sent a text message to the victim in which he disguised his real identity by using a “spoofing” program, which used computer software to make it appear as though the message originated from a Florida-based cell phone number that did not belong to Kazzelbach.  In the message, Kazzelbach wrote, “Prepare yourself for what’s coming…the last 3 months were just the beginning.  I have bigger plans for you…I love how easily manipulated you can be.”

As detailed in his plea agreement, Kazzelbach filed a petition for a protective order against the victim on December 10, 2016, in the District Court of Maryland for Anne Arundel County, falsely alleging that the victim had physically abused him and made violent threats in text messages and on social media.  A temporary protective order was granted on December 13 and a hearing on a final protective order was scheduled for December 29, 2016.  Between December 13 and December 29, Kazzelbach contacted Anne Arundel County on four occasions to falsely report that the victim was continuing to harass and threaten him in violation of the temporary protective order.  Based on Kazzelbach’s sworn statement, and on text messages, and phone calls on Kazzelbach’s phone that he had spoofed to make it appear that the victim had contacted him, when in fact, she had not, the court issued four arrest warrants for the victim.  On December 29, 2016, the final protective order against the victim was granted, effective for a period of one year.  Then, between December 29, 2016 and June 2017, Kazzelbach made 14 additional false reports to law enforcement, causing seven more criminal actions to be filed against the victim in Anne Arundel and Baltimore Counties, and resulting in her false imprisonment for four nights.

In March 2017, the Anne Arundel County prosecutor handling Kazzelbach’s case asked for Kazzelbach’s consent to download the contents of his iPhone, but Kazzelbach refused.  The prosecutor told Kazzelbach that if he did not permit a full search of his phone, the Anne Arundel charges against the victim would be dismissed.  In response, Kazzelbach began making false reports to Baltimore County instead.  In May 2017, the Anne Arundel charges against the victim were dismissed.  Baltimore County Police officers subsequently began their own investigation and determined that no attempted or completed text messages were sent from any of the victim’s accounts on the dates and times alleged by Kazzelbach.

United States Attorney Robert K. Hur commended the FBI Baltimore Cyber Task Force (CTF), the Baltimore County Police Department, and the Anne Arundel County State’s Attorney’s Office for their work in the investigation.  Mr. Hur thanked Assistant U.S. Attorneys Jeffrey J. Izant and P. Michael Cunningham, who prosecuted the case and thanked Assistant U.S. Attorney Zachary Myers for his assistance.