GameOver ZeuS criminals spied on Turkey, Georgia, Ukraine and OPEC

The criminals behind the GameOver ZeuS Botnet didn't just steal $100 million from banks -- they also spied on several countries on behalf of Russia, according to a Black Hat presentation Wednesday by an FBI agent and two other security experts.

These countries included Ukraine, Turkey, Georgia, and OPEC members, according to FBI special agent Elliott Peterson.

The gang, which called itself Business Club, had two leaders, one of whom was Evgeniy Bogachev who is still uncaught. The FBI is offering a $3 million reward for information leading to Bogachev's arrest.

[ Follow all the stories out of Black Hat 2015 ]

Two security companies -- CrowdStrike and Fox-IT -- helped in the investigation.

"We track the top 200 criminals in the world who are responsible for 80 percent of the 7-figure cyberfraud in the world," said Fox-IT product director Eward Driehuis.

According to Driehuis, Bogachev has been on the company's radar since 2006.

"We have analysts doing investigations and building trust relations with the criminals," he said. "We invest a lot of time in order to get as close to them as we can."

Investigators also try to surround the criminals with their own infrastructure, such as virtual private networks.

He declined to talk in more specifics about either the technology or the identities used by the investigators.

The Business Club criminal group was particularly secretive.

"This club was a highly, highly trusted environment and was very difficult to get into," he said. "And the infrastructure was well protected and well obfuscated. They were keeping it as tight as possible."

According to Peterson, the Business Club was composed of mostly Russians and Ukrainians, and partnered with more than 20 other groups who provided third-party services.

The first version of the Zeus botnet appeared in 2005 and was sold as a crimeware kit. A second version of Zeus came out in 2009, then was followed by Murofet and Licat in 2010 and finally the peer-to-peer GameOver Zeus in 2011.

The focus was on corporate banking, with additional attacks specific to affiliates. Individual operators often deployed other malware, such as CryptoLocker.

However, unusually for a financial botnet, the network was also used for espionage aimed at countries of political or economic interest to Russia, including the Ukraine, Georgia, Turkey and the OPEC states.

In Georgia, a former Soviet Republic located on the Black Sea, the group targeted intelligence agencies and other government agencies. Intelligence information was also the group's focus in the Ukraine, which became a target during the recent conflict with Russia.

Government agencies were also the target in Turkey, but the group also looked at information related to the conflict in Syria.

According to Michael Sandee, Fox-IT's principal security expert, the Russian government may have allowed Bogachev to get away with his financial crimes because he was involved in espionage activities on its behalf.

"This of course remains speculation, but perhaps it is one of the reasons why he has as yet not been apprehended," Sandee said in a detailed report about the Business Club's methods and operations.

Join the CSO newsletter!

Error: Please check your email address.

Tags CrowdStrikecyber attacksFox-ITespionagezeusblack hatlegalfbicybercrime

More about CrowdStrikeFBI

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts