Background

Group-IB played a crucial role in identifying the individual behind the Dragon botnet, which was responsible for relentless distributed denial-of-service (DDoS) attacks on prominent organizations, including those in the industrial and financial sectors. Group-IB investigators identified the individual behind the entire enterprise, who was subsequently arrested, convicted, and sentenced.

This case was especially notable as, for the first time, the cybercriminal underworld was sent the clear message that Group-IB would do all in its power to ensure that their digital crimes would not go unanswered.

Behind the scenes

One day, a representative from a prominent bank in the CIS region shared with us that their financial institution had fallen victim to blackmail by an unidentified individual. Our assignment was not only to identify the perpetrator but also to proactively prevent similar attacks and demonstrate that such criminal activities could be legally punished.

The Dragon botnet was used to conduct a DDoS attack against one of the top-10 largest banks in the CIS region. The attack was carried out using a previously unknown botnet that was subsequently discovered by Group-IB's High-Tech Crime Investigation unit.

Impact

The individual orchestrating the attack was apprehended in December 2012, after Group-IB helped local law enforcement take down one of the largest known DDoS botnets, successfully halting its operations in the process.

The time elapsed from contacting Group-IB to the apprehension of the perpetrator was remarkably short: the entire operation, from engagement to the suspect's arrest, was completed within a month. This was a particularly notable case in the country's digital crime history because, as of 2012, there were fewer than a dozen such recorded cases.

Storyline

Botnets burst onto the cybercriminal scene in the first decade of the 21st century as a key weapon of choice for generating large-scale and relentless distributed denial-of-service (DDoS) attacks.

Between 2011 and 2012, the Dragon botnet began to thrive in the Russian criminal underground. It was used to launch DDoS attacks on a wide range of organizations, including those in the financial and industrial sectors.

On September 12th 2012, Group-IB was contacted by a major financial corporation that owns several banks. One of these banks was being subjected to sustained DDoS attacks orchestrated by an unknown threat actor. Following a period of reconnaissance, Group-IB was able to obtain the threat actor's identity and location, both of which were forwarded to the relevant law enforcement agencies.

Group-IB discovered that the attacker was a 24-year-old individual from the town of Sayansk, who was renowned for managing a large botnet that he used as a DDoS service. A piece of botnet malware, known as Dragon, that was used to infect devices was available for anyone to purchase for the price of USD $900 on popular contemporaneous underground forums, such as xakepok[.]net and xakepinter[.]net.

The attacker typically attracted clients by advertising DDoS attacks on dark web hacker forums. His regular clientele included individuals from Russia and its neighboring countries, and even from the United Kingdom.

Group-IB experts traced the chain of attack from start to end. First, they identified several devices infected with the Dragon malware, which were then being used as part of the botnet to attack the victim's infrastructure. Then, Group-IB experts conducted digital forensics on these devices and examined the malware samples they found.

Using these samples, our investigators were able to identify a botnet command and control server (C2), which in turn made it possible to identify its administrator.

Between 2000 and 2010, a large number of cybercriminals behaved much more frivolously than they do at the present time and left many personal traces online, making an investigator's task of deanonymizing a cybercriminal that much simpler. Following the apprehension of the botnet owner, Group-IB uncovered numerous underground connections between various DDoS attackers and botnet suppliers.

Figure 3. Screenshot of the threat actor’s ICQ/QIP contact list taken from a 2012 television report about the arrest of the Dragon botnet owner. The disclosure of these nicknames created a significant buzz on underground forums.

In the cases seen by Group-IB investigators, the attacker from the town of Sayansk leveraged BlackHole, one of the most popular exploit kits at the time, which exploited security flaws to install malicious software onto a device.

The BlackHole exploit kit was released in 2010 on Malwox, an underground Russian hacking forum. In 2012, it became the most prevalent web threat: 29% of all web threats detected by Sophos and 91% of those detected by AVG were linked to this exploit kit. BlackHole was designed to deliver a malicious payload to a victim's computer. The kit incorporated tracking mechanisms so that the people maintaining it knew considerable information about the victims arriving at the kit's landing page. The information tracked included the victim's country, operating system, browser, and which piece of software on the victim's computer was exploited.

Figure 4. Vintage screenshot from Group-IB slidedeck related to the Dragon Eye operation. 2012. Source: ZeroSecurity.org

Group-IB used proprietary technology it had developed, called Botnet Intelligence, to monitor the infected computers and extract information about the C2 servers. During 2011 alone, this product prevented more than 3,000 digital banking thefts and DDoS attacks originating from legitimate ISP networks. Over the following years, this product evolved to become Group-IB Threat Intelligence.

Figure 1. Group-IB discovers the Dragon botnet portal in 2012.

The botnet owner used exploit kits to backdoor hacked sites that fed his botnet. He offered paid access to his DDoS botnet Dragon to several cybercriminals, and the commands to the botnet were sent via email or instant messages.

During Dragon’s operations, the attackers charged around USD $100 to take down a live website. However, the attacker’s pricing structure showed his flexibility and the multiple options available to clients. For a DDoS attack lasting one day, the cost was USD $50, while a week-long attack was priced at USD $300 and a month-long attack at USD $1,000. The attacker noted on the underground forum where the service was advertised that the pricing varied according to the complexity of the targeted resource. According to Group-IB experts, the damage caused could be in the tens of thousands of dollars.

Figure 2. Method of placing an order from the botnet owner. Source: Group-IB, 2012. Translation of the text: "We want to make the order." "Resource (for attack)?" "uralmetalcompany.ru"

Through their research, Group-IB investigators identified that one of the Dragon botnet’s victims was the Russian industrial company UralMetallCompany.

"Today, on the black market you can find the sale of IT tools for mass cybercrime, whose cost is relatively small, but in the hands of a talented hacker the damage from the deployment of these bot and malware weapons is in the millions."
Ilya Sachkov, co-founder of Group-IB

And justice for all

During the investigation, the accused admitted his guilt and revealed detailed schemes for committing cyber attacks. A computer examination conducted by Group-IB forensics experts confirmed his guilt in committing a series of crimes in the field of high technology.

The arrested bot owner was prosecuted under Article 272 of the Criminal Code. The imposed punishment was a two-year suspended sentence. Group-IB took down the large botnet, bringing an end to the era of the Dragon once and for all. The Dragon's eye closed for good.

Conclusion

Dragon Eye was one of the first cases led by the Group-IB High-Tech Crime Investigation unit that demonstrated the punishment that lay in wait for those who perpetrate cyberattacks in the post-Soviet space, where such cases were few and far between at that time. Pursuing its mission to fight cybercrime, Group-IB, at that time a small private company, was able to uncover a new, previously unknown botnet used for targeted attacks that crippled the infrastructure of its victims.

For the first time, Group-IB showed the market that even for such crimes, the attacker's control and anonymity on the Internet can be exposed as a myth, provided that you possess the necessary technologies, know how to connect the dots, and constantly test hypotheses.

It's worth noting that this case stirred up a lot of discussion on hacker forums, where the arrest of a fairly well-known threat actor, the organizer of DDoS attacks, was extensively debated for a long time.
