MEET THE ARCHITECTS OF DATA THEFT
TVER, RUSSIA. Sasha Panin called himself “Gribodemon,” and his evil works in the world of cybercrime have bedeviled millions. Panin is a 20-something Russian computer whiz who until a few years ago lived in obscurity with his grandmother in this struggling riverside city. Working from a Moscow apartment, federal prosecutors say, Panin developed SpyEye, one of the most destructive computer software programs ever launched in the Internet’s criminal underworld, the dark Web where hackers ply their trade. Panin’s software tool kit, which sold for a few thousand dollars on underground websites, systematically infected more than 1.4 million computers, where it collected bank account credentials, credit card numbers, passwords and personal identification numbers.
The world’s cybercriminals — from lone hackers like Panin, who supply the software tools, to elaborate, multilevel crime syndicates that steal billions of dollars every year — wreak havoc on computer systems: Witness the data heists that struck Target and Neiman Marcus during the holiday shopping season last year. An examination of Panin’s case, his lifestyle, his eccentric ambitions and his ultimate capture by U.S. authorities reveals how youthful hackers hiding be- hind anonymous screen names in unlikely corners of the world can use personal computers and programming skills to create malicious software, called malware, to penetrate computers at global corporations, financial institutions and governments — and steal your credit card numbers or even your identity.
The threat from hackers for hire, state-sponsored cyberintrusions and organized cyber syndicates is so dire that Director of National Intelligence James Clapper lists cybersecurity as the greatest global threat, edging out terrorism and weapons of mass destruction. To catch Panin, who awaits sentencing in a U.S. prison after pleading guilty this year to bank and wire fraud, FBI agents crisscrossed the globe, hacked into computers and posed as cybercrooks themselves. The investigation is chronicled in criminal and civil court records and cyber-research reports examined by USA TODAY.
To crack the case, agents sifted through millions of lines of computer code, wrestled with law enforcement officials in Thailand, Bulgaria and Britain, and finally waited patiently for Panin to leave Russia before they could bring him to justice, leaving his family in shock. The young Sasha dreamed, his mother, Inessa Rozova, told USA TODAY, of creating artificial intelligence while obsessing over transhumanism, a cultural movement bent on transforming human life through technology. “When he was 16, he told me he wanted to do everything possible to live forever,” Rozova said. Unbeknown to her, the sweet boy with the keen mind who bought her a tea kettle with his first paycheck had an alter ego as Gribodemon, one of the most destructive and prolific hackers in the world. Rozova said she had no idea her son had become a hacker until she learned of his arrest in June by authorities in the Dominican Republic, acting on an Interpol warrant from the United States. The hacker had been visiting a friend there.
Panin’s capture and guilty plea represent one of law enforcement’s great successes in the battle against cybercrime. But U.S. efforts to catch criminals are often stymied by layers of encryption, secret screen names and uncooperative foreign governments. Panin’s case illustrates the intricate, sprawling tangle that U.S. law enforcement must unravel to find and prosecute hackers who prey on American consumers, banks and retailers. “To be a hacker all you really need is a computer and an Internet connection. You can reach anonymously into a victim’s bank account from halfway around the world,” says U.S. Attorney Sally Quillian Yates, whose office in Atlanta prosecuted Panin. “We have to chase their digital footprint
Hackers like Panin write thousands of lines of computer code to develop malware tool kits — ready-made software packages that are as easy to operate as the legitimate software sold off the shelf at Best Buy or Office Depot. Once they’re ready, the tool kits are sold in underground Web forums. There, criminals use the onion router, known as TOR, to conceal the location of the computer servers hosting their websites. TOR ensures privacy by randomly routing computer messages through several places on the Internet, wrapped in encrypted code, so no single point can link the source to the destination. The tool kits are “very easy, very customizable,” says Roel Schouwenberg, principal security researcher at Kaspersky Lab, which helps businesses defend against malware.
Once hackers have used malware to infiltrate a computer, they can interfere with its operating system to see what the user does, capture any data they want and install their own software. In the Target case, for example, cyberthieves penetrated point-of-sale credit card readers and Target’s internal computer system to steal credit card data and personal information, including PINs, e-mail addresses and phone numbers, from as many as 110 million Target customers, putting them at risk of bogus credit card charges, identity theft or fraud. The hackers who hit Target used an off-the-shelf tool kit, Schouwenberg noted. Among the creators of the tool kits, “there’s something of a philosophy,” Schouwenberg says. “They say, ‘We are only creating the weapons … not pulling the trigger.’ ”
Indeed, at Konyayev College where Panin studied computer science, teacher Larisa Ishkova recalls his work as “exceptional” and says students admire and respect him. “The kids are proud of him, not because he broke the law but because they see hacking as the height of mastery of computer science,” Ishkova says.
THE CREATION OF SPYEYE
SpyEye arrived Jan. 10, 2010, when the hacker known as Gribodemon pitched it for sale on www.darkode.com , an underground marketplace, court documents say. For years, that forum had been Slavik’s domain and the ZeuS malware reigned. ZeuS, created in 2007, had infected more than 13 million computers and had been used to steal over $100 million, according to court papers filed by Microsoft in 2012. “SpyEye made its notoriety by going after and competing with ZeuS,” says Wade Williamson, a senior threat researcher at the computer firm Shape Security. SpyEye is top-shelf malware. The tool kit automates the collection of confidential personal and financial information using multiple approaches, including a keystroke logger and data grabbers. A basic SpyEye tool kit sold for $1,000; top-of-the-line versions cost up to $8,500.
The FBI estimates Gribodemon had 150 clients, including one client known as “Soldier” who allegedly used the software to steal $3.2 million from bank accounts over six months. Federal agents say that Panin sent his clients more than 80 e-mails from his Gmail account with SpyEye updates and security patches, and that he provided after-sale maintenance, updates and technical support as well. SpyEye can hijack Web browsers or present fake bank Web pages that prompt users to enter their logins and passwords. SpyEye also could scan infected computers for credit card data. By October 2010, the hacker behind ZeuS gave his source code to Gribodemon and the two hackers merged their operations. Afterward, Slavik disappeared. The FBI investigation into SpyEye caught its first break in February 2011, when agents seized and searched a SpyEye server near Atlanta that Hamza Bendelladj, Gribodemon’s online collaborator, allegedly operated from Algeria. That server controlled more than 200 computers infected with SpyEye, including computers connected to 253 banks in North Carolina, New York, California and Virginia. That summer, FBI informants communicated with Gribodemon on www.darkode.com to purchase a SpyEye tool kit. They paid $8,500. By December, agents had enough evidence of criminal acts for a 23-count indictment against Bendelladj, but they still didn’t have a name for SpyEye’s creator. A grand jury indicted “John Doe.”
THE UPBRINGING OF ‘GRIBODEMON’
Aleksandr Andreevich “Sasha” Panin was born in Tver in 1989, two years before the Soviet Union collapsed. He was in fifth grade when his parents divorced and he moved into his grandmother’s two-room apartment. Panin did well in school, showing particular aptitude for math and computers. In this city of 400,000 people 100 miles north of Moscow, programmers are in demand and earn a healthy living, Ishkova said. But after graduation, Panin found his skills weren’t needed. He attended a local institute but dropped out after six months. After school, he moved to Moscow and traveled abroad. His mother is unsure what he was doing and where he was. Now he writes from prison.
t sure when he started to think about dedicating himself to transforming life through technology. for cybercrime and has embedded agents in police departments in Estonia, Romania and Ukraine where some young programmers turn to cybercrime for lack of opportunity. Panin fits that profile, says Arkady Bukh, a lawyer who represents Panin and several other convicted Russian hackers.
Prosecutor Yates sees hackers like Panin differently. “We’re not talking about misunderstood genius here. These are not just nerdy kids up to mischief in their parent’s basement,” Yates says. “They are breaking in and they are stealing.”
Key to catching cybercriminals are the white-hat cybergeeks who work as computer security researchers, identifying the suspicious bits that signal malware among the billions of bits that make up computer code. In the SpyEye case, the FBI and Justice Department cited the work of Trend Micro, a computer security firm in Dallas, which has 1,200 threat researchers trying to stop malware attacks. SpyEye caught Trend Micro’s attention four years ago, says Rik Ferguson, vice president of security research. After identifying the signature characteristics of the malware and mapping out its infrastructure, company researchers infiltrated an underground forum often visited by SpyEye and his customers, says Loucif Kharouni, a senior threat researcher at Trend Micro. Gribodemon and a coder he worked with known online as ‘bx1’ periodically let slip e-mail addresses and information about instant messenger accounts. On one SpyEye server, Kharouni retrieved and decoded the configuration files that made the software operate. Among the bits, he found an online handle “bx1,” an e-mail address and login credentials for virtest, a detection-testing service used by cybercriminals. Kharouni matched that information with handles used in the underground forum to tie the computer code to one of Gribodemon’s collaborators. Trend Micro turned the information over to law enforcement.
The FBI in February 2011 sear-seized a SpyEye computer in Georgia that allegedly showed communications between the Atlanta-based server and infected computers around the world. In June and July 2011, FBI undercover employees purchased a tool kit from Gribodemon and, following his instructions, paid for it with money transferred to Liberty Reserve, a Costa Rica-based money processor. t know he had been identified. Russia does not have an extradition treaty with the U.S. so agents had to wait until he left Russia. Thai authorities arrested Bendelladj on Jan. 5, 2013, in Bangkok as he traveled from Malaysia to Egypt. He was extradited in May to face the U.S. charges. He pleaded not guilty. Panin pleaded guilty Jan. 28 and will be sentenced on April 29.
Leinwand Leger reported from Washington. Contributing: Alexei Kosorukov of Komsomolskaya Pravda
A photo of Sasha Panin is displayed in his grandmother’s home in Russia.
PHOTOS BY BRENDAN HOFFMAN FOR USA TODAY
Young Sasha dreamed of creating artificial intelligence.
Inessa Rozova, Sasha Panin’s mom, above and left, says her sweet boy bought her a tea kettle with his first paycheck. She had no idea he was a hacker until his arrest.
Nina Rozova, Sasha Panin’s grandmother, gazes at a church from her two-room home in Tver, Russia, where they lived.
PHOTOS BY BRENDAN HOFFMAN FOR USA TODAY
Computer science teacher Larisa Ishkova works with students at Kanyayev College. She taught Sasha Panin, calling him “exceptional” in class.
CED Solutions provides training and certification for MCSD: SharePoint 2013 Applications Developer; MCSE: SharePoint 2013; Cisco CCNA; Cisco CCNP; Cisco CCNA Security; Cisco CCNP Security; Cisco CCNA Voice; Cisco CCNP Voice; Microsoft MCSA: Windows 2012 Server; MCSA: Windows 2008 Server; MCSA: SQL 2012 Server; MCSE: Business Intelligence SQL 2012 Server; MCSE: Data Platform SQL 2012 Server; MCSE: Desktop Infrastructure Windows 2012 Server; MCSE: Server Infrastructure Windows 2012 Server; MCPD: 6 Cert Visual Studio Developer; MCSD: Windows Store Apps C#; MCSD: Windows Store Apps HTML5; IT Healthcare Technician and many more.