Inside Cyber Warfare - Jeffrey Carr [77]
That’s why it appeared that the RBN suddenly dropped from view. In reality it never went away; it just slipped back under the radar, away from any further media spotlight.
A Subtle Threat
Tell Krebs nice job on Atrivo, but if he’s thinking of doing McColo next, he’s pushing his luck.
Investigating the Russian mob is one thing, but when an investigation may hurt profits, that’s another, much more dangerous matter entirely. Shortly after his September 2008 coverage of Atrivo, Krebs received the aforementioned anonymous threat.
Atrivo is an interesting case study for this book because it illustrates one of the problems yet to be addressed in cyber conflicts. What happens when a country is being attacked by malware that sits on a server within its own borders?
Atrivo/Intercage
Atrivo, also known as Intercage, was a Concord, CA-based company that specialized in providing network hosting to spammers and other bad actors, many of whom were associated with the Russian Business Network.
The RBN relied heavily on two networks hosted by Atrivo: UkrTeleGroup, which routed traffic through Ukraine, and HostFresh, which routed traffic through Hong Kong and China.
A report by iDefense named Atrivo as having the highest concentration of malicious activity of any hosting company in the world.
Thanks to the concentrated efforts of independent researchers such as Jart Armin and James McQuaid, as well as Brian Krebs’s reporting of their work, Atrivo was dropped by its upstream providers and was effectively put out of business on September 22, 2008.
Not everyone was happy with the process used. Marcus Sachs, director of the SANS Internet Storm Center, wrote to Brian Krebs in an email, “There are others out there who need to be cut off but we’ve got to find a better way to do it than by creating the virtual equivalent of a lynch mob.”
Paul Ferguson of Trend Micro disagreed with Sachs and said that “this was a (good) example of the community policing itself.”
ESTDomains
Atrivo’s biggest customer was the Estonian company ESTDomains, based in Tartu, Estonia (but registered as a US corporation in Delaware).
ESTDomains, as its name suggests, was a domain registrar that dealt almost exclusively with criminal elements engaged in setting up Internet scams. The principal of ESTDomains is Vladimir Tsastsin, who was convicted for credit card fraud, document forgery, and money laundering, and spent three years in an Estonian prison.
Krebs wrote a Security Fix blog post about Tsastsin and ESTDomains on September 8, 2008, wherein he quotes the head of Estonia’s Computer Emergency Response Team (CERT), Hillar Aarelaid:
To understand EstDomains, one needs to understand the role of organized crime and the investments coming from that, their relations to hosting providers in Western nations and the criminals who ply their trade through these services.
In other words, Tsastsin is one of the front men for Russian organized crime’s entrée into the lucrative world of Internet crime. Two months after Krebs’s article outed him, ICANN revoked ESTDomains’ accreditation to issue domain names, citing its CEO’s criminal conviction as the cause.
ESTDOMAIN: A 2009 UPDATE
On August 26, 2009, Trend Micro issued a report on another major cyber crime Internet services provider based in Tartu, Estonia (the report authors did not reveal the name), whose CEO (again, no name) was convicted for credit card fraud.
That sounds remarkably similar to Vladimir Tsastsin. This company also owns two US businesses that collectively engage in:
Web hosting
Advertising
Internet traffic distribution
Pay-per-click advertising
Parking domain site hosting
Interestingly, what is missing from that list is domain name registration, the one thing that Tsastsin is legally prevented from doing.
The influence and reach that this company has in the Internet underworld is pervasive, according to the Trend Micro report:
It appears that the Estonian company controls every step