Attacks/Breaches

7/20/2017
07:00 PM

Russian National Receives 5 Years In Jail For Role In 'Citadel' Attacks

Mark Vartanyan is the second individual to be sent to prison in connection with Citadel.

A US federal court in Atlanta this week sentenced Russian national Mark Vartanyan to five years in prison for his role in developing, improving and distributing Citadel, a malware kit that was used to steal an estimated $500 million from individuals and financial institutions worldwide.

Vartanyan, who also used the moniker "Kolypto," had previously pleaded guilty to computer fraud charges in March 2017 after being extradited to the US from Norway last December.

Federal authorities had charged Vartanyan with developing, improving, maintaining, and distributing Citadel while residing in Ukraine and later in Norway between August 2012 and June 2014. During that period, he uploaded numerous files consisting of Citadel software, components, updates and patches, all with the intent to improve the malware's functionality.

Vartanyan was arrested in Norway in October 2014. He will receive credit for time spent in custody since then, which means he will be eligible for release in less than three years.

"Mark Vartanyan utilized his technical expertise to enable Citadel into becoming one of the most pernicious malware toolkits of its time," US Attorney John Horn said in a statement announcing the sentence Wednesday. "For that, he will serve significant time in federal prison."

Citadel first surfaced in 2011 and was assembled using leaked source code for Zeus, a banking Trojan. It was initially made available to cybercriminals on an invitation-only basis on multiple Russian-language online forums.

The malware was designed to steal payment card data, personal data, and information for logging into bank accounts. It was typically installed on victim computers in the form of a drive-by-download, though cybercriminals employed multiple other infection methods as well. For instance, the creators of the malware bundled it into pirated versions of Windows XP installed on computers sold in multiple countries. In many cases, Citadel blocked infected computers from accessing antimalware sites, making it harder to detect and remove the malware.

In all, cybercriminals infected some 11 million systems globally with Citadel and turned the systems into remotely controlled bots. The malware's victims included organizations such as Citigroup, Bank of America, American Express, and Wells Fargo.

In June 2013 Microsoft announced that the company, along with the FBI and law enforcement authorities from multiple countries, had managed to severely disrupt Citadel operations by shutting down more than 1,400 botnets associated with the malware. At the time, Microsoft had noted that cybercriminals were using fraudulently obtained signing keys for Windows XP to bundle Citadel into the operating system.

Even after that cooperative operation, though, Citadel continued to be a threat.

In 2014, for instance, security researchers reported seeing the malware being used to attack the password managers used by many organizations to store and secure their online account credentials. The same year, IBM researchers said they had observed a Citadel variant being used to conduct cyberspying operations against petrochemical companies in the Middle East. Last year, security vendor Heimdal Security said it had discovered the malware being used in a modified form to attack banks in France.

Vartanyan is the second individual sentenced to jail time for activities connected to Citadel malware.

In September 2015, another Russian national, Dimitry Belorossov, was sentenced to four-and-a-half years in prison for developing, distributing and installing Citadel on computers worldwide. Belorossov pleaded guilty to operating a Citadel botnet comprising over 7,000 infected systems, including those belonging to multiple US banks, financial institutions, and a federal court in Georgia.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
