Attacks/Breaches

4/10/2017
05:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

One of World's Most Wanted and Prolific Alleged Spammers Arrested

Suspected mastermind behind massive Kelihos botnet Petyr Levashov nabbed in botnet takedown operation.

The cybercrime underground is abuzz with the news that the infamous alleged spammer and Kelihos botnet operator Pyotr Levashov was arrested this weekend in Barcelona while on holiday there.

Levashov, a Russian citizen, was arrested by Spanish authorities via US cybercrime charges, and as part of a US Department of Justice takedown effort of the Kelihos botnet made up of tens of thousands of infected bots that distributed spam, stole login credentials, and installed ransomware and other malware. DoJ said it began blocking malicious domains tied to Kelihos on April 8.

The DoJ announced his arrest today as part of an effort to disrupt and take down Kelihos. "The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks," said Acting Assistant Attorney General Kenneth Blanco.

Levashov's arrest sparked alarm and chatter online among other big players in the Russian cyber underground concerned about their own unmasking and possible indictment or arrest. Vitali Kremez, director of research at Flashpoint, says his firm has witnessed some underground players planning to tighten up their own operations, and that their chatter also confirmed that Levashov is also known by the alias Peter Severa. Levashov/Severa is listed by Spamhaus as one of the 10 Worst Spammers in the world.

"We've been looking into him for quite some time," Kremez says. "He's one of the most wanted and prolific spammers who's ever operated in the Russian underground."

A source close to the case said Levashov's indictment will be unsealed tomorrow.

Not only is he behind spam and malware-rigged email campaigns, but Levashov also is tied to click-fraud and distributed denial-of-service operations. He's considered a spam service provider to various underground attackers. "He's been operating underground the past 20 years successfully evading prosecution," Kremez says.

Levashov was indicted in 2009 but not extradited to the US for operating the Storm botnet, a predecessor to Kelihos that was then the world's largest spamming botnet. He faced charges for spam to promote pump-and-dump penny stock schemes.

Adding to the intrigue surrounding his apprehension this weekend after nearly two decades of allegedly operating as one of the world's most prolific spammers and botnet operators, the AP reports that Levashov also may have ties to Russia's hacking and leaking of information in an attempt to interfere with the outcome of the 2016 US presidential election.

His wife was quoted by Russian state media outlet RT that her husband later told her by phone that he was arrested in connection with malware "linked to Trump's election win."

Given the notoriously grey area between cybercriminals and the Russian government, security experts say it's not a big stretch that Levashov could have had a hand in the hacking activities by Russia last year to influence the US presidential election. But there's no indication thus far of his involvement.

Flashpoint's Kremez says Levashov indeed has ties to the Russian government, but can't conclude that he was involved in the US election hacking operation. Levashov previously has been linked to pro-Russian government groups distributing spam including hacktivist group CyberBerkut. "He would be the perfect cybercriminal for hire with his email filters and other tradecraft to deliver email" spam campaigns, Kremez says.

Both Kelihos and CyberBerkut have operated pro-Russian government online campaigns spreading anti-Ukraine and pro-Russian rhetoric. CyberBerkut recruited pro-Russian government "cyberwarriors" to target Ukrainian websites in a distributed denial-of-service effort called Help Your Homeland, Kremez notes, and also is known for strategic leaks of information aimed at shaping public perception.

"And it's likely his botnet was also involved in the distribution of email spam linked to Russia's interference in the" US presidential campaign, he says.

If Levashov ultimately were to be investigated for any ties to the US election, it wouldn't be the first time he's dabbled in election-influence hacking. In 2012, his Kelihos botnet was used to send spam emails to Russian citizens with political messages and links to phony news stories about the then-presidential opponent to Vladmir Putin, Mikhail Prokhorov.

"The lines between criminals and nation-state in Russia are more blurred than places elsewhere. Levashov has been known to play on both sides of the line. In 2012, he used his spamming capabilities to slander Putin's opponents in the presidential election," says John Bambenek, manager of threat intelligence systems at Fidelis Cybersecurity.

But Bambenek isn't sold on Levashov's involvement in the US presidential campaign hacks. "The hacking of DNC and John Podesta's email wouldn't be terribly heavy lifts for him, but they're not really in his wheelhouse" of operations since those were more social media-centric campaigns, he says.

Headless Botnet

The good news is that the Kelihos takedown could result in less spam and malware-laden email in the short-term. "We may see less spam emails being distributed," Kremez predicts.

Levashov's arrest may not kill Kelihos in the long run - botnet disruptions often are temporary as botnets get reinvented - but it does have a chilling effect on cybercriminals, at least in the short-term. "Every arrest has people thinking, taking a step back," Fidelis' Bambenek says. "In some cases, they make improvements, in some cases, they make different decisions" to evade authorities, he says.

The fact that one of the most wanted cybercriminals in the world dared to venture outside of Russia and risk arrest and extradition in Spain suggests he may have become overly confident and complacent about his immunity to law enforcement.

"We've known about this guy for a long time. He has operated fairly openly since 1999. I know the Russian authorities had been informed about his operations," Kremez notes. Levashov may have even wrongly assumed the Russian government would protect him outside of Russia, he says.

Levashov faces wire fraud charges.

Related Content:

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Ways Greed Has a Negative Effect on Cybersecurity
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  6/11/2018
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12026
PUBLISHED: 2018-06-17
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in tur...
CVE-2018-12027
PUBLISHED: 2018-06-17
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said ...
CVE-2018-12028
PUBLISHED: 2018-06-17
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an e...
CVE-2018-12029
PUBLISHED: 2018-06-17
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but befor...
CVE-2018-12071
PUBLISHED: 2018-06-17
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.