Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/20/2017
07:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Russian National Receives 5 Years In Jail For Role In 'Citadel' Attacks

Mark Vartanyan is the second individual to be sent to prison in connection with Citadel.

A US federal court in Atlanta this week sentenced Russian national Mark Vartanyan to five years in prison for his role in developing, improving and distributing Citadel, a malware kit that was used to steal an estimated $500 million from individuals and financial institutions worldwide.

Vartanyan, who also used the moniker "Kolypto," had previously pleaded guilty to computer fraud charges in March 2017 after being extradited to the US from Norway last December.

Federal authorities had charged Vartanyan with developing, improving, maintaining, and distributing Citadel while residing in Ukraine and later in Norway between August 2012 and June 2014. During that period, he uploaded numerous files consisting of Citadel software, components, updates and patches all with the intent to improve the malware's functionality.

Vartanyan was arrested in Norway in October 2014. He will receive credit for time spent in custody since then which means he will be eligible for release in less than three years.

"Mark Vartanyan utilized his technical expertise to enable Citadel into becoming one of the most pernicious malware toolkits of its time," US Attorney John Horn said in a statement announcing the sentence Wednesday. "For that, he will serve significant time in federal prison."

Citadel first surfaced in 2011 and was assembled using leaked source code for the Zeus, a banking Trojan. It was initially made available to cybercriminals on an invitation-only basis on multiple Russian-language online forums.

The malware was designed to steal payment card data, personal data, and information for logging into bank accounts. It was typically installed on victim computers in the form of a drive-by-download, though cybercriminals employed multiple other infection methods as well. For instance, the creators of the malware bundled it into pirated versions of Windows XP installed on computers sold in multiple countries. In many cases, Citadel blocked infected computers from accessing antimalware sites making it harder to detect and remove the malware.

In all, cybercrimnals infected some 11 million systems globally with Citadel and turned the systems into remotely controlled bots. The malware's victims included organizations such as Citigroup, Bank of America, American Express, and Wells Fargo.

In June 2013 Microsoft announced that the company, along with the FBI and law enforcement authorities from multiple countries, had managed to severely disrupt Citadel operations by shutting down more than 1,400 botnets associated with the malware. At the time, Microsoft had noted that cybercriminals were using fraudulently obtained signing keys for Windows XP to bundle Citadel into the operating system.

Even after that cooperative operation though, Citadel continued to be a threat. 

In 2014 for instance, security researchers reported seeing the malware being used to attack the password managers used by many organizations to store and secure their online account credentials. The same year, IBM researchers said they had observed a Citadel variant being use to conduct cyberspying operations against petrochemical companies in the Middle East. Last year, security vendor Heimdal Security said it had discovered the malware being used in a modified form to attack banks in France.

Vartanyan is the second individual sentenced to jail time for activities connected to Citadel malware.

In September 2015, another Russian national, Dimitry Belorossov was sentenced to four-and-a-half years in prison for developing, distributing and installing Citadel on computers worldwide. Belorossov pleaded guilty to operating a Citadel botnet comprising of over 7,000 infected systems including those belonging to multiple US banks, financial institutions, and a federal court in Georgia.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7856
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
CVE-2021-28793
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-25679
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
CVE-2021-25680
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
CVE-2021-25681
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...