From Russia With LØpht
The Russian hacker Alexey Ivanov flew to Seattle for a job interview with a tech company. It turned out to be the FBI.
Had Alexey Vladimirovich Ivanov been born in Chicago rather than Chelyabinsk, he'd likely be well on his way to joining the geek elite. His three-page résumé lists computer skills that would dazzle any Silicon Valley headhunter. According to his employment history, Ivanov began working at a regional telephone company in Russia while still in his mid-teens, installing Web servers and Cisco routers. His programming talents include tricky languages like C++ and Perl, and he has mastered 18 different operating systems, from Linux to Solaris.
But Chelyabinsk, a Stalinist burg located in the Ural Mountains, is a pretty bleak place to grow up. The town has twice endured nuclear catastrophe: an arms plant dumped waste in a local lake for years, and in 1957 a nearby nuclear weapons factory showered the vicinity with 70 tons of radioactive dust, making Chelyabinsk one of the world's most polluted cities. Investors run from its poisonous legacy, so Chelyabinsk relies on the basics of a Soviet-era economy, munitions and metallurgy. "There is not actually too much places where person can use his computer skills for significant amount of money," sighs Ivanov, 21, who mastered computers while horsing around in a lab at a Chelyabinsk university, where his mother once taught history. "It is very difficult to get a job."
Given his dim prospects in Russia, the e-mails that Ivanov began receiving in June 2000 seemed especially wondrous. The messages came from Invita Security, a Seattle-based company on the lookout for "security talent" (an industry euphemism for hackers). Invita was familiar with Ivanov's work as co-founder of a kontora, or unofficial company, known as tech.net.ru. Part Web design firm, part freelance security consultancy, tech.net.ru was reputed to be an audacious cracker of American networks. After compromising a company's servers, Ivanov would contact its system administrator and request money, usually upwards of $5,000, in exchange for revealing security holes.
The Invita executives said they were seeking hackers who could exploit security flaws in the networks of potential clients, who would then feel a need to enlist Invita's services. The company especially welcomed foreign hackers, who could operate beyond the reach of the FBI; it asked Ivanov to prove his prowess by hacking Invita's own computers, which he did with ease. Impressed, Invita asked Ivanov and his 26-year-old tech.net.ru partner, Vasiliy Gorshkov, to fly to Seattle to discuss job offers.
On November 10, 2000, just hours after landing at SeaTac Airport, Ivanov and Gorshkov were arrested and charged with conspiracy, computer fraud, hacking, and extortion. Invita was not a shady security company at all, but part of an ingenious FBI sting designed to ensnare the two Russians. To federal prosecutors, the pair were among the Internet's most brazen outlaws. Ivanov now sits in a Hartford prison, preparing for a trial that could help define a wide-open area of law. The case could also help determine how far investigators patrolling cyberspace's anarchic nooks and crannies can bend privacy rules, international treaties, and constitutional law governing searches and seizures.
For the FBI, luring Ivanov and Gorshkov to the United States was a first, small victory in the campaign against the cybercrime that flourishes behind the former Iron Curtain. Russia, Ukraine, and Romania are hotbeds for hackers, many of whom get their start pirating Western software; in Russia, where nearly 90 percent of software is bootlegged, a Microsoft Windows CD retails for less than $2. Since online fees in Russia can hit $1.20 per hour (a steep price in a country where even college professors like Ivanov's mother earn about $150 a month), kids often steal Internet Service Provider passwords using tips most likely gleaned from the 50,000-circulation Khaker, one of Russia's most popular hacker magazines. An epidemic of stolen passwords forced America Online and CompuServe to abandon their Russian operations in 1997.
In the West, mischievous teen geeks usually mature into law-abiding adults: today's password thief is tomorrow's Java programmer. In Russia, however, where as many as half of the country's software companies may have collapsed in 1998, upward mobility through legitimate tech work is rare. "There is a very large group of educated individuals in Eastern Europe, people that have degrees in computer science, in mathematics," says Arif Alikhan of the computer crimes section at the U.S. Attorney's office in Los Angeles. "And I think the economic circumstances sometimes make it very, very attractive to commit crimes."
Russian mafiosi recruit hackers to plunder credit card numbers from e-commerce sites, but freelance electronic blackmail is also commonplace. Last March, for example, the Justice Department warned that hacker gangs in Russia and Ukraine had stolen more than 1 million credit card numbers from American servers. In October 2000, a cyber-raid on Microsoft that exposed top-secret source code was traced to St. Petersburg. And in August of the same year, two Kazakh men were arrested in London for trying to extort $200,000 from Michael Bloomberg, the billionaire turned New York City mayor, whose passwords they had filched.
Prosecutors allege that tech.net.ru's schemes ranged from larceny to blackmail. A government trial brief states that Ivanov and Gorshkov set up a website, PayPai.com, to trick customers of the online payment service PayPal. Thousands of PayPal users got e-mails with links to PayPai.com, where they were prompted to enter their account details, including user names and passwords. The lawyers say the two Russians used the account information to purchase computer parts and other goods, which they had shipped to nearby Kazakhstan.
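The PayPai.com scheme worked because a lower-case "i" passes for an "l" at a glance. A mail gateway or SOC analyst can catch this class of lure mechanically by folding confusable characters before comparing link hosts against protected brands. The following is an added example written for this page, not code from the article or from anyone it describes; the sample message, the brand list, and the simplifying assumption that a registrable domain is just the last two labels (no public-suffix handling) are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Brand domains to protect. Assumption for this example: the registrable
# domain is the last two labels (no public-suffix handling for co.uk etc.).
BRANDS = ("paypal.com",)

# Characters commonly substituted for visually similar ones. Each is folded
# to one canonical letter before comparison, so "paypai" and "paypa1" both
# fold to "paypal".
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s", "3": "e"})

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message in the style of the lure described above.
SAMPLE_MAIL = """Dear PayPal user, please verify your account at
http://www.paypai.com/verify before it is suspended.
Official site: https://www.paypal.com/cgi-bin/webscr
Mirror: http://paypa1.com/login
Help: http://www.paypal.com.secure-login.example/help"""


def fold(label):
    """Lower-case a DNS label and collapse confusable characters."""
    return label.lower().translate(CONFUSABLES)


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host (simplifying assumption, see above)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(host, brands=BRANDS):
    """Return a verdict string for one hostname taken from a link."""
    host = host.lower()
    dom = registrable(host)
    if dom in brands:
        return "legitimate"
    name = dom.split(".")[0]
    labels = host.split(".")
    for brand in brands:
        bname = brand.split(".")[0]
        # 1. Same name once confusables are folded (paypai, paypa1).
        if fold(name) == fold(bname):
            return "lookalike of %s (confusable characters)" % brand
        # 2. One typo away (paypol, paypa).
        if levenshtein(name, bname) <= 1:
            return "lookalike of %s (edit distance 1)" % brand
        # 3. Brand name used as a subdomain of an unrelated domain.
        if any(fold(lbl) == fold(bname) for lbl in labels):
            return "brand %s embedded in foreign domain" % brand
    return "unrelated"


def scan_links(text, brands=BRANDS):
    """Extract every http(s) URL in a message body and classify its host."""
    results = []
    for m in URL_RE.finditer(text):
        host = urlparse(m.group(0)).hostname
        if host:
            results.append((host, classify(host, brands)))
    return results


if __name__ == "__main__":
    for host, verdict in scan_links(SAMPLE_MAIL):
        print("%-45s %s" % (host, verdict))
```

In production the two-label shortcut should be replaced by a public-suffix lookup and the confusable map extended to Unicode (IDN homographs), but the ordering of checks (exact match first, then folded match, then edit distance, then embedded brand label) is the part worth keeping: it keeps the legitimate `www.paypal.com` link from being flagged while still catching all three lure variants in the constructed sample.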
In the Wild West-like Russian hinterlands, hustling like this is part of the survival game. But tech.net.ru may have been unusually reckless and greedy. Ivanov is said to have hacked into perhaps dozens of American networks, exploiting unpatched holes in Windows NT servers and using programs like LøphtCrack, a legendary tool developed by a hacker collective based in Cambridge, Mass., that is widely used to crack Windows NT password hashes. According to prosecutors, Ivanov would then notify a network's system administrator of lapses, identifying himself as a member of "The Expert Group of Protection Against Hackers." The e-mail would end with a not-so-subtle demand for a payoff in exchange for tips on how to improve security.
If an administrator didn't respond favorably, Ivanov allegedly turned cranky. On February 3, 2000, for example, after a Connecticut company called the Online Information Bureau rebuffed his initial solicitation, Ivanov sent a follow-up:
Unwilling companies were punished. According to the government's brief, after an ISP called Speakeasy Network repeatedly refused to pay Ivanov for his discoveries, "Ivanov and/or his co-conspirators then deleted files on one of Speakeasy's main computers. In addition, a few months later, a customer of Speakeasy named BP Radio learned that credit card information from its customers had been posted on a Russian website. Speakeasy lost BP Radio's business as a result."
For a supposed mastermind, however, Ivanov, known online as "subbsta," was surprisingly carefree with his identity. Along with his request for a $1,000- to $1,500-a-month job as a "security consultant," he sent photos of himself to Speakeasy. He also befriended Jim Fitzgerald, network manager at CTS Network Services, a San Diego-based ISP that Ivanov hacked in the fall of 1999. Unlike Speakeasy, CTS hired Ivanov as an independent contractor and even gave him a shell account, which enabled him to store files on the company's machines. Fitzgerald and Ivanov corresponded frequently about security issues via e-mail and Internet Relay Chat, which allows for real-time conversations. Had tech.net.ru been a bit less bold, it might have evaded FBI scrutiny. Companies hate to admit they've been hacked, so they seldom report intrusions. "If some guy comes in and roots your box and defaces your server, people would like to know who that is," says Greg Shipley, the chief technology officer of Neohapsis, a Chicago-based security firm. "But if it involves tracking the intruder across five countries and 20 machines, most people just don't pursue it unless there are huge monetary losses." Yet if a hacker demands too much, Shipley adds, then "he's asking for it."
By the summer of 2000, tech.net.ru seemed to be asking for it. The growing list of alleged victims included ISPs in Washington, Ohio, and Connecticut, as well as banks in Los Angeles and Waco. Stephen C. Schroeder, an assistant U.S. attorney in the Western District of Washington, says that Russian authorities were contacted several times without result. "The last time I checked, we do not have an extradition treaty with Russia," he says. "In the e-mail correspondence both to the undercover people and to the victims, the taunt was repeated over and over again: 'We're in Russia, you can't touch us, the FBI can't get us in Russia.'" The Russian interior ministry's "Department R," which fights cybercrime, can barely keep up with the kontoras in St. Petersburg and Moscow, much less police a distant outpost like Chelyabinsk.
But Ivanov's apparent carelessness gave the FBI its break. Some victimized companies passed along e-mails in which Ivanov made little or no attempt to conceal his identity or contact information. Ivanov's lawyers say Fitzgerald gave key aid to the inquiry by handing the FBI a copy of the contents of the Russian's CTS shell account, where he had imprudently stored 38,000 credit card numbers. Ivanov's biggest misstep, of course, was leaping at Invita's offer; he was so excited by the opportunity that he even suggested bringing his "business partner" (the previously unknown Gorshkov) to the meeting. At Invita's "headquarters," the two Russians were asked to hack a test network. The quicker, more computer-savvy Ivanov did most of the work. Meanwhile Gorshkov, his tongue loosened by 30 hours of travel and a touch of vodka, gabbed nonstop. While the boyish-looking Ivanov tapped away on his Toshiba laptop and listened to Russian pop music, the balding Gorshkov mused to FBI agents about the availability of pirated software in Chelyabinsk ("You can buy it almost in any shop ... even in supermarket, where they sell milk"), fishy banking practices in Kazakhstan ("There are a lot of, ah, companies of people in Russia that can help you to open any offshore firm or accounts"), the history of tech.net.ru ("Actually, our firm is, initially, it was created as hackers' club"), and the sinister ways of Russia's domestic intelligence agency, a successor to the KGB ("If they take you, you'll go to jail, or you'll work for them").
But the agent posing as Invita's president had little success in getting the two to incriminate themselves more specifically. When the agent asked about whether the Russians had access to stolen credit card numbers, for example, Gorshkov answered like a lawyer: "We'll never, when we're here, we'll never say that we got access to credit card numbers ... The fact is that, that this kind of question is better discussed in Russia." He also laughingly dodged questions about how tech.net.ru was bankrolled: "Well, it, it's, ah, sort of personal question, and here in America not talk about it." Hoping to interest Invita in his Web design skills, Ivanov showed off an e-commerce site he'd designed for a photo developer. The best tipoff he gave the FBI was an account of how one company paid him $4,000 for demonstrating how a hacker might steal money from its electronic accounts. "They think I can, ah, do something bad for company," said Ivanov. "And, ah, because this, they sent, ah, packs of money to me. For trust."
Extracting confessions from the Russians was not the sting's main goal, however. The Invita network was outfitted with a "sniffer," a surveillance program that logged Ivanov's and Gorshkov's key strokes as they worked. When the pair accessed their home machines in Chelyabinsk to download hacking tools, the sniffer covertly recorded their user names and passwords. The FBI then used that information to hack the Russians' machines and capture 250 gigabytes worth of evidence. They did so without informing Russian authorities, despite a 1997 G-8 agreement that states, "Investigation and prosecution of international high-tech crimes must be coordinated among all concerned States, regardless of where harm has occurred."
On December 1, 2000, three weeks after the arrests, the FBI got a warrant to examine the data they had remotely seized. Investigators found a surfeit of evidence: over 50,000 credit card numbers swiped from American servers, computer-generated attack logs, and security tools like LøphtCrack. They also discovered that the suspects had opened several ISP accounts under the name "Greg Stivenson." In October 2000, a hacker by that name had written several e-mails to officials at PayPal, revealing a rash of security holes. One e-mail translated from Russian concluded: "Now with regard to questions of security, I can help, but all security questions will be decided not by a mere 'thank you,' because a 'thank you' doesn't put food in your mouth."
Gorshkov was held in Seattle to face federal charges in the Western District of Washington, while Ivanov was taken cross-country to stand trial in the District of Connecticut, home base for one of the companies he's accused of hacking. The Connecticut court appointed a veteran Hartford attorney, C. Thomas Furniss, as Ivanov's counsel, and he zeroed in on the question of whether Ivanov may be prosecuted in an American court for a crime he's accused of committing from abroad over the Internet. Furniss points out that no applicable federal laws explicitly address whether U.S. courts can try foreign cybercriminals. "The U.S. doesn't have the power to decide this case," he insists. "The allegation is that he did a bunch of stuff from Russia using the Internet. No country, including the U.S., owns the Internet."
In response, the U.S. government says to forget the ethereal images conjured up by the word "cyberspace." The prosecutor Schroeder argues that American courts can try Ivanov for the same reason that they can try a man who stood on the Canadian side of the border and shot someone in Washington State. "That's a pretty good analogy for sitting in Russia and victimizing networks or servers in the U.S.," he says. He also stresses language in the Computer Fraud and Abuse Act, which was amended in 1996 to expand the reach of federal law to crimes involving any computer "used in interstate or foreign commerce or communication." That authority allows the United States to prosecute foreign hackers who attack American networks, the prosecutor argues.
Furniss's motion to dismiss was denied, but he is considering an appeal. Meanwhile, the 58-year-old lawyer asked for a tech-savvy co-counsel to help him sort through the case. He got attorney Morgan Rueckert, a 32-year-old former tech-support worker at the University of Connecticut Law School. Rueckert says that Ivanov's e-mails to companies in which he'd found security holes were not extortionate, but part of the normal give-and-take between system administrators and the computer whizzes who find their weak spots: "My sense is that many system administrators, some part of them has that same hacking ethic that the hackers do. [They'll] communicate with hackers, they'll enter dialogues with them. In some cases they want to know about security holes that hackers find, and they are willing to pay hackers to disclose security holes so long as there's no damage done and customer or financial information is not compromised."
Rueckert points to Ivanov's warm e-mail relationship with CTS's Jim Fitzgerald as an example of this sort of symbiosis. Fitzgerald allowed Ivanov to maintain a CTS e-mail account in addition to the shell account. Yet when the FBI came knocking, Rueckert says, Fitzgerald turned his back on Ivanov. He helped the bureau trample on his friend's rights under the Fourth Amendment, which limit the government's power to search and seize property while investigating a crime. And he helped the bureau do an end-run around the Electronic Communications Privacy Act, which requires federal agents to obtain a specific warrant or other order before searching a suspect's data. The FBI had a grand-jury subpoena to obtain "any and all information regarding the e-mail address" that Ivanov maintained at CTS. But the order did not mention Ivanov's shell account, a separate digital entity. Fitzgerald illegally handed over the shell account's contents without prompting, Rueckert says, so all of the investigation's subsequent findings must be kept out of court.
But Gorshkov's plight in Washington indicates that courts are inclined to grant cybercops substantial leeway. Gorshkov's attorneys argued that by waiting to get a warrant until after the data was downloaded, the government overstepped its search-and-seizure authority when it hacked tech.net.ru. They also argued that the FBI violated Russian law, which strictly forbids unauthorized trespass on hard drives. Russia's intelligence agency concurred in a November report which called the FBI's actions "illegal and criminal," though the Russian government has not protested the U.S. prosecution of Gorshkov and Ivanov.
In an order issued last May, U.S. District Judge John C. Coughenour summarily crushed the defense. The government's hack was not a search entitled to Fourth Amendment protection, he wrote, because the files remained on Gorshkov's computer in Chelyabinsk. Coughenour also said that even if the Fourth Amendment did apply to data in a foreign country, the government had good reason to conduct a warrantless search.
"Basically, the ruling says that our police officers can obtain unauthorized access to a computer for law-enforcement purposes, despite the fact that it's overseas or under the jurisdiction of another country," says Jennifer Granick of Stanford Law School's Center for Internet and Society. "That could come back to haunt us, when [foreign police] log onto our citizens' computers [in America] to take evidence to try them under their laws." Russian intelligence agents, for example, might now feel at liberty to hack American machines in the guise of "investigation."
With the evidence from the Invita sting before the jury, Gorshkov stood little chance. His lawyers called just three witnesses. One of them contended that tech.net.ru was merely a Web design firm. "He identified a Web page that they had designed for a company," recalls Schroeder, who prosecuted the case. "That Web page, incidentally, was hosted on a hacked box that belonged to a school [district] in Michigan." The hack traced back to a computer registered to tech.net.ru. The jury deliberated for less than a day before finding Gorshkov guilty on all 20 counts of the indictment. He is scheduled to be sentenced in June.
Ivanov, meanwhile, is still being held without bail in Hartford, awaiting a trial date. Visa issues and money woes have prevented his family from visiting the United States, so he spends most of his time writing letters home in longhand. He was recently allowed some use of a laptop (no printer, no modem) to assist in preparing for trial. For a young man whose pursuit of a tech job in America may cost him many years behind bars (he faces a likely sentence of between 10 and 20 years if convicted), the young Russian maintains a strangely sunny outlook. "I tried to find a job in U.S. since I was about 18," says Ivanov, whose lawyers would not allow him to discuss the specifics of his case. "I could not say that it was easy. The main reason for this was, of course, to get more money for job. Eventually I was successful, and now I have three free meals every day."
His supporters back home have not been as sanguine. As news of the Invita sting spread throughout Eastern Europe's hacker scene, angry notes flooded Khaker's online message board. "Watch out Russian hackers!" warned one anonymous poster. "You see what kind of lowlife tactics the Americans are capable of, so work more carefully!"