Attacks/Breaches
4/10/2017
05:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

One of World's Most Wanted and Prolific Alleged Spammers Arrested

Suspected mastermind behind massive Kelihos botnet Petyr Levashov nabbed in botnet takedown operation.

The cybercrime underground is abuzz with the news that the infamous alleged spammer and Kelihos botnet operator Pyotr Levashov was arrested this weekend in Barcelona while on holiday there.

Levashov, a Russian citizen, was arrested by Spanish authorities via US cybercrime charges, and as part of a US Department of Justice takedown effort of the Kelihos botnet made up of tens of thousands of infected bots that distributed spam, stole login credentials, and installed ransomware and other malware. DoJ said it began blocking malicious domains tied to Kelihos on April 8.

The DoJ announced his arrest today as part of an effort to disrupt and take down Kelihos. "The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks," said Acting Assistant Attorney General Kenneth Blanco.

Levashov's arrest sparked alarm and chatter online among other big players in the Russian cyber underground concerned about their own unmasking and possible indictment or arrest. Vitali Kremez, director of research at Flashpoint, says his firm has witnessed some underground players planning to tighten up their own operations, and that their chatter also confirmed that Levashov is also known by the alias Peter Severa. Levashov/Severa is listed by Spamhaus as one of the 10 Worst Spammers in the world.

"We've been looking into him for quite some time," Kremez says. "He's one of the most wanted and prolific spammers who's ever operated in the Russian underground."

A source close to the case said Levashov's indictment will be unsealed tomorrow.

Not only is he behind spam and malware-rigged email campaigns, but Levashov also is tied to click-fraud and distributed denial-of-service operations. He's considered a spam service provider to various underground attackers. "He's been operating underground the past 20 years successfully evading prosecution," Kremez says.

Levashov was indicted in 2009 but not extradited to the US for operating the Storm botnet, a predecessor to Kelihos that was then the world's largest spamming botnet. He faced charges for spam to promote pump-and-dump penny stock schemes.

Adding to the intrigue surrounding his apprehension this weekend after nearly two decades of allegedly operating as one of the world's most prolific spammers and botnet operators, the AP reports that Levashov also may have ties to Russia's hacking and leaking of information in an attempt to interfere with the outcome of the 2016 US presidential election.

His wife was quoted by Russian state media outlet RT that her husband later told her by phone that he was arrested in connection with malware "linked to Trump's election win."

Given the notoriously grey area between cybercriminals and the Russian government, security experts say it's not a big stretch that Levashov could have had a hand in the hacking activities by Russia last year to influence the US presidential election. But there's no indication thus far of his involvement.

Flashpoint's Kremez says Levashov indeed has ties to the Russian government, but can't conclude that he was involved in the US election hacking operation. Levashov previously has been linked to pro-Russian government groups distributing spam including hacktivist group CyberBerkut. "He would be the perfect cybercriminal for hire with his email filters and other tradecraft to deliver email" spam campaigns, Kremez says.

Both Kelihos and CyberBerkut have operated pro-Russian government online campaigns spreading anti-Ukraine and pro-Russian rhetoric. CyberBerkut recruited pro-Russian government "cyberwarriors" to target Ukrainian websites in a distributed denial-of-service effort called Help Your Homeland, Kremez notes, and also is known for strategic leaks of information aimed at shaping public perception.

"And it's likely his botnet was also involved in the distribution of email spam linked to Russia's interference in the" US presidential campaign, he says.

If Levashov ultimately were to be investigated for any ties to the US election, it wouldn't be the first time he's dabbled in election-influence hacking. In 2012, his Kelihos botnet was used to send spam emails to Russian citizens with political messages and links to phony news stories about the then-presidential opponent to Vladmir Putin, Mikhail Prokhorov.

"The lines between criminals and nation-state in Russia are more blurred than places elsewhere. Levashov has been known to play on both sides of the line. In 2012, he used his spamming capabilities to slander Putin's opponents in the presidential election," says John Bambenek, manager of threat intelligence systems at Fidelis Cybersecurity.

But Bambenek isn't sold on Levashov's involvement in the US presidential campaign hacks. "The hacking of DNC and John Podesta's email wouldn't be terribly heavy lifts for him, but they're not really in his wheelhouse" of operations since those were more social media-centric campaigns, he says.

Headless Botnet

The good news is that the Kelihos takedown could result in less spam and malware-laden email in the short-term. "We may see less spam emails being distributed," Kremez predicts.

Levashov's arrest may not kill Kelihos in the long run - botnet disruptions often are temporary as botnets get reinvented - but it does have a chilling effect on cybercriminals, at least in the short-term. "Every arrest has people thinking, taking a step back," Fidelis' Bambenek says. "In some cases, they make improvements, in some cases, they make different decisions" to evade authorities, he says.

The fact that one of the most wanted cybercriminals in the world dared to venture outside of Russia and risk arrest and extradition in Spain suggests he may have become overly confident and complacent about his immunity to law enforcement.

"We've known about this guy for a long time. He has operated fairly openly since 1999. I know the Russian authorities had been informed about his operations," Kremez notes. Levashov may have even wrongly assumed the Russian government would protect him outside of Russia, he says.

Levashov faces wire fraud charges.

Related Content:

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Equifax CIO, CSO Step Down
Dark Reading Staff 9/15/2017
Cloud Security's Shared Responsibility Is Foggy
Ben Johnson, Co-founder and CTO, Obsidian Security,  9/14/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.