by Ariana Eunjung Cha, Fall 2002 IRP Fellow
Second of three stories
Reprinted with permission of The Washington Post
Jon Morgenstern’s nightmare began with an e-mail. It arrived in his computer’s mailbox on July 15, 2000, and its basic message was this: Your security has been compromised. We would like to help you.
Morgenstern, president of E-Money Inc., a Washington-based provider of technology for online payment transactions, immediately suspected the message’s underlying meaning. It was a threat.
His fears were confirmed the next day when a youthful-sounding man called and asked Morgenstern if he had received the e-mail. The man identified himself as “Alex,” said he was from Russia and part of something called the “Expert Group of Protection Against Hackers.” He said he had gotten access to the firm’s customer database, including credit card information, and would be happy to ensure that further intrusions were not possible — as long as E-Money would pay him $500,000 to do so.
As proof that E-Money’s computer had been broken in to, he asked Morgenstern to go to one of his servers and look for a system file containing some digital graffiti. Morgenstern had no trouble finding the file.
It said: “Alex was here.”
So began a series of transatlantic telephone, e-mail and instant message exchanges about how to resolve the situation. In the ensuing back-and-forth between Morgenstern and his attackers, a kind of easy rapport developed that would ultimately lead to the arrest of two members of the “Expert Group” and allow U.S. officials to gain new insight into an overseas hacking networks that to this day continues to terrorize American businesses.
Hacking has reached crisis levels in the past few years — the average U.S. company is attacked 30 times a week, according to the online security firm Symantec Corp. Most are not serious; they are efforts to scan computer networks for vulnerabilities. Still, a significant number — about 15 percent — are actual attempted or successful intrusions.
Morgenstern, meanwhile, was conflicted. He didn’t want to pay any extortion fee but he was determined not to let the hackers ruin his company’s reputation either. He was worried that news of even a minor break-in might spook customers. After all, E-Money was built on trust.
Morgenstern hired an expensive security consultant from Silicon Valley to respond to the hackers and ordered his systems administrators to do a complete analysis of the E-Money systems for other vulnerabilities, tasks that he estimates ended up costing his company more than $1 million in fees, lost business and new computer equipment.
Meanwhile, Morgenstern tried to negotiate with the hackers. The $500,000 demand to “assist in repairing the system” became $250,000, then $150,000, and then $75,000. But when he still wouldn’t pay, Morgenstern said, the hackers launched a new type of attack, bombing the company’s network with so much bogus traffic that it caused his network to slow so much that legitimate transactions could not get processed.
Morgenstern then called the FBI.
To the agency, it was a familiar story. The FBI for many months had been tracking organized hacker groups in Russia, the Ukraine and other countries who had been trying to extort money from operators of Web sites. In particular, references to the “Expert Group” kept coming up. “The number of victims and losses involved made us take notice,” remembered Charlie Mandigo, an FBI agent who was one of the supervisors of the investigation of the extortion cases. By the next year, the problem would become severe enough that the FBI would issue an unusual alert about the spree, which they said netted more than 1 million credit card numbers. The agency pleaded with firms to better secure their systems.
The FBI’s Don Cavender, who worked on the cases, said the breadth of the attacks showed the need for more trained cybercrime investigators. In part as a response to these case, the FBI recently doubled its staffing to 700 agents, supplementing the 200 trained agents the Secret Service employs.
The local field office of the FBI sent two agents to help Morgenstern. They came by E-Money’s offices and brought equipment so that Morgenstern could record all his conversations with Alex and a friend who called himself Victor, or Vladimir. Over several weeks, the FBI agents came by and sat next to Morgenstern at his Dupont Circle headquarters and his Gaithersburg home, listening in on his negotiations, their vigil fortified by one Diet Pepsi after another.
They advised him to keep notes, drag out the negotiations and gather as much information as possible about the guys he was dealing with.
Morgenstern said he spoke to them at least four times a week, or often more. It was always Alex or Victor who initiated the conversation, claiming to be dialing in from a satellite phone they had commandeered.
The first few conversations followed this formula: Alex would begin by offering to lower the price for “protection” from hacking. Each time Morgenstern would make up different excuses about why he couldn’t pay.
“My board is made up of very strict guys and they want to meet you and put you on a long-term retainer,” Morgenstern told them. (With only 15 employees, E-Money did not, in fact, have a board.) “We need you in the United States. Or how about a more neutral place — Finland? Denmark?” Morgenstern asked. (He was hoping officials in those countries would be more cooperative about letting U.S. authorities arrest the hackers.)
But as the days went by, the tenor of the conversations changed. The men went from sounding arrogant and angry to gradually becoming more chatty. Sometimes the hackers would call Morgenstern at home. Morgenstern said his young son became so used to the odd-hours phone calls that he would often pick up and shout “Dad, it’s Alex on the phone again!”
Morgenstern told them about life in the United States and they in turn told him about life in Russia.
Alex said he was fresh out of school and had had trouble finding a job and had little money for food or clothes. Victor said he was older, married with a child. Their personalities were evident in their choice of e-mail addresses: Alex was “megapunk” while Victor used a more generic name, “accessd.”
Alex seemed okay with his situation, once saying that he could “live like a king here” on the money he made from American companies. But Victor was more uneasy.
“You don’t understand how hard I work. I work 72 hours at a time and I have all my programmers [to care for]. They are sleeping here and then we work more and more . . . . Jon, you think I like to do this for a living?” Morgenstern recalled Victor saying.
Alex and Victor described how they were forced by men with “leather jackets” and “big guns” to work for a crime group and that he was supposed to get 50 cents per credit card number. The problem, they said, was that they often didn’t get paid.
Then one day Victor said something that threw Morgenstern off completely: He told him to forget about the extortion fee. He simply asked for a visa and employment in the United States.
“Please get job from America,” Morgenstern remembered Victor telling him. “John, I will fix up your system and you will never get anyone attack you again. I need to bring my wife and little child.”
Victor confirmed his intentions in a follow-up e-mail a few days later, on Sept. 15: “I have made a decision to come and visit you in USA whenever will happen to me. I am [expletive] tired of hiding. I will take a risc [sic]. I think I can trust you. . . . I want to get a job to forget about my criminal past. . . . I can departure next week.”
Morgenstern, who is a lawyer, empathized with their situation. He offered to serve as the men’s representative and tried to broker an offer of immunity from the FBI if the two were to come to the United States and find honest work. He put them in touch with an agent who said he would talk to them about the possibility.
The attacks abruptly stopped and Morgenstern never heard from the men again.
By the summer of 2000, about the time Morgenstern’s systems had been hacked, the United States had come to view the “Expert Group” as a major threat to the country’s financial networks. People identifying themselves as members of the group had claimed responsibility for some of attacks on some of the country’s most critical companies — Western Union, PayPal and a series of regional banks. Investigators worried that perhaps the extortion demands represented only part of what the group was trying to accomplish. They feared the hackers had control of other computer networks that no one knew about and that they were attempting to creating a “credit card production system” that they could tap at any time. The attacks seemed to be coordinated by someone who knew more about money laundering than the average hacker, someone who could turn the credit card numbers in to goods and then sell the goods to generate cash.
“One of the more disturbing trends we were beginning to see was an increased level of cooperation between the Russian hacker community and traditional organized crime,” said Shawn J. Chen, a U.S. attorney in Connecticut who worked on the case.
More than a dozen U.S. attorneys and FBI agents from Connecticut, Washington, California and New Jersey convened a series of brainstorming conferences about how to stop them.
For months the law enforcement group had been pursuing conventional methods of trying to capture the Russian hackers. They suspected at least some of the hacks were being conducted by someone named Alexey Ivanov. He was so bold that he had been sending his resume and picture around to companies he was trying to extort. While authorities were investigating an incident at CTS Network Services in Seattle, which had “hired” Ivanov as a consultant, they found 38,000 partial credit card numbers from E-Money databases on one of the hacker’s computer accounts.
The Justice Department sent a letter through diplomatic channels asking that Ivanov be detained and questioned. There was no response. They sent a follow-up inquiry. Again, no response.
To catch Ivanov, U.S. authorities couldn’t very well go to Russia and grab him so they had to figure out a way to get him here, recalled Stephen Schroeder, one of the main U.S. attorneys on the case.
“We do not have an extradition treaty with Russia so unless they were found outside of Russia our ability to deal with them would be limited,” said Schroeder, who recently retired.
The United States has taken the lead in recent years on trying to get countries to cooperate in cybercrime investigations. It came to an agreement with other G-8 nations, which represent the governments of the world’s biggest industrialized countries, to create a way for them to more easily share information and to make Internet service providers save data about break-ins. U.S. authorities have also sent attorneys and agents to travel around the world to train foreign intelligence officials about how to investigate such crimes. They are urging other countries to draft laws making hacking illegal.
But in the end it is up to individual nations to decide whether they want to help.
Morgenstern’s pleas for the Russian programmers to meet him to discuss a business contract was just one of the ways the FBI was working behind the scenes to try to get the hackers to a place where they could be arrested. His conversations with the hackers along with those of other victims yielded valuable clues about the group’s personality and hierarchy, allowing the U.S. government to invent what must have been seemed to Ivanov as an opportunity he couldn’t refuse.
That turned out to be a potential job offer from a fake company called Invita Technologies. Invita claimed to be looking to partner with a security firm to provide consulting services to U.S. companies. Investigators sent a flattering letter to Ivanov, telling him they had heard good things about him and were considering him as a candidate. He would need to come to their offices in Seattle for an interview.
From Ivanov’s perspective, the offer must have seemed magical: Finally someone recognized his talents and was offering to bring him to America.
Ivanov contacted Invita and agreed, asking if he also could bring along his “business partner,” a Vasiliy Gorshkov whose name the FBI officials hadn’t heard before. The company responded yes. It would pay all of Ivanov’s expenses, but his associate Gorshkov would need to buy his own plane ticket. Gorshkov gladly shelled out the money.
Sergey Gorshkov, Vasiliy’s older brother by two years and now 29, remembers that Vasiliy couldn’t stop smiling after he received the letter. “It seemed like a dream come true to him, to all of us,” Sergey said in a recent interview.
A “company” representative picked them up from the airport in November 2000, took them to what looked like an ordinary office building. There, the hackers were asked to prove their skills.
The FBI secretly videotaped the encounter. The grainy black-and-white video shows two young men in the heavy, puffy coats they brought with them from Chelyabinsk — outerwear that looked out of place in the mild weather of Seattle. Company employees flit around them in the 8-by-20-foot room asking if they want drinks or anything else to make them comfortable. They muse about the price of cigarettes, the weather. Then the real conversation begins.
Gorshkov takes charge, telling the officials that the two men are experienced hackers. He describes past exploits as Ivanov sits silently tapping away at the keyboard of his laptop and later at one of the “company’s” computers, apparently analyzing various Web sites and their security vulnerabilities while playing snippets of pop music.
An undercover FBI agent asks: “So how often have you hacked into computer systems and have you ever found or taken credit card numbers?”
Gorshkov avoids the question. He chuckles, then says, “These things are better talked about in Russia.”
But as the conversation drags on for an hour or so, he becomes bolder.
Gorshkov: “We don’t think about the FBI at all. Because they can’t get us in Russia.”
Gorshkov: “Your guys don’t work in Russia.”
Unbeknownst to Gorshkov and Ivanov, the agents had installed onto the “company’s” computers a program that logged the young men’s keystrokes as they were accessing the tech.net.ru systems in Russia. That allowed U.S. law enforcement to obtain the hackers’ passwords.
At about 5 p.m., the company officials offer to take Gorshkov and Ivanov to the flat that has been rented for them. After a short drive, the car doors burst open and someone shouts: “FBI — Get out of the car! Get out of the car with your hands behind your back,” according to a transcript of the taped encounter. There’s garbled conversation and then one of the hackers — it isn’t clear which one — starts pummeling the vehicle.
“It’s not my car,” one of the FBI agents says. “Yeah, you can hit it. I don’t care.”
A few hours later it was over. Gorshkov and Ivanov were in jail. And FBI computer specialists were preparing to enter the hackers’ computers in Russia. They would eventually download 2,700 megabytes of data — hacking programs, extortion letters, credit card numbers — to help them build their case.
Morgenstern didn’t hear about the arrests until early 2001, a few months after they happened. By that time, he had managed to sell his business for a tidy sum to a competitor (he still serves as an executive). He wasn’t sure whether Gorshkov and Ivanov were in fact the men he talked to on the phone but he knew they were somehow linked because they all identified themselves as part of the “Expert Group.” He had mixed feelings about the sting. He was angry at the men for jeopardizing his business but he had come to understand that perhaps they had little choice in doing what they did.
“It isn’t their fault that they were born in a place where they don’t have opportunities,” Morgenstern said.
Gorshkov pleaded innocent but was found guilty of conspiracy, computer fraud, hacking and extortion. Last fall, he was sentenced to three years in prison and ordered to pay $700,000 in restitution. In a plea agreement, Ivanov acknowledged hacking into 16 companies, including E-Money, as well as a scheme to defraud payment service PayPal by using stolen credit card numbers to set up accounts. Ivanov is likely to be sentenced this summer and faces up to 20 years in prison and a $250,000 fine.
The FBI sting operation was held up as a example of the ingenuity of American law enforcement. Two of the agents who set up the sting — Marty Prewett and Michael Schuler — won outstanding criminal investigation awards from the agency’s director.
But there was still a little problem.
In a series of interviews with investigators that took place over the next year, Ivanov acknowledged that he hacked E-Money but that he was not Alex and Gorshkov was not Victor as U.S. authorities initially had believed. Someone else had been on the phone with Morgenstern, he claimed, and that someone else was still in Russia.