How Russia’s War in Ukraine Helped the FBI Solve One of the Biggest Cybercrime Cases in Years

By Lukas I. Alpert

Investigators nabbed a key figure behind Raccoon Infostealer malware in the Netherlands after fleeing fighting in Ukraine

Three weeks after Russia began dropping bombs on Ukraine in late February, a talented young computer programmer named Mark Sokolovsky got into a Porsche Cayenne with his girlfriend to get away from the fighting.

The duo traveled through Poland and then Germany before stopping in the Netherlands, where they thought they were safe. Little did they know that the US Federal Bureau of Investigation and investigators in Europe had been watching them from the start.

Sokolovsky, 26, was named late last year in a sealed indictment in Texas federal court that alleged he was a key figure behind a ubiquitous type of malware known as Raccoon. Infostealer who prosecutors say infected millions of computers worldwide, stealing financial credentials and money from countless victims.

A few days after Sokolovsky entered the country, Dutch police arrested him in Amsterdam for computer fraud, wire fraud, money laundering and identity theft. He faces more than 20 years in prison if convicted and remains in detention in the Netherlands while fighting extradition proceedings that would send him to the United States.

Messages left for Niels Van Schaik, the Dutch lawyer representing Sokolovsky in his extradition proceedings, were not immediately returned.

The existence of the case remained under wraps until last week, when authorities announced Sokolovsky’s arrest as part of an effort to find possible victims. After his arrest, investigators said they managed to crack a giant cache of stolen data amounting to millions of email addresses and logins.

As part of their announcement, prosecutors and the FBI announced the creation of a website where people suspected of being victims can check whether their personal information is among the data recovered by investigators.

“This is a very, very important global case,” said Ashley Hoff, the U.S. attorney for the Western District of Texas, where the case was filed.

“We steal, you deal”

Raccoon Infostealer is an increasingly popular class of program called Malware-as-a-Service, or MaaS. The programmers who develop the Maas programs usually do not steal people’s information themselves, but rather license the software to other cybercriminals who use it to scam people. A copy of all stolen information was also kept by Raccoon operators.

Like any type of legitimate software, Raccoon Infostealer offered round-the-clock customer support and released frequent programming updates, according to cybercrime experts. The cost was $75 per week or $200 per month.

Raccoon Infostealer first appeared in early 2019 and was first offered for sale on Russian-language platforms popular with cybercriminals and later also on English-language platforms. Displaying itself with the slogan “We steal, you treat”, it made a splash, and it quickly appeared on the radar of cybersecurity experts.

“Because it was distributed as MaaS or Malware-as-a-Service, it was not used by a single threat actor or group, but by multiple cybercriminals, so it was quite widespread,” said Oleg Skulkin of Group-IB, a Singapore-based cybersecurity company. “For most cybercriminals, it’s much easier to buy or rent malware. It’s just cheaper.”

In March, shortly after Sokolovsky’s arrest, Raccoon operators sent a message to customers saying they had to close because Russia’s war in Ukraine had disrupted operations.

“Unfortunately, due to the ‘Special Operation’, we will have to shut down our Raccoon Stealer project,” the band said. “Our team members who were responsible for the critical components of the product are no longer with us. Thank you for this experience and this time, for every day, unfortunately everything, sooner or later, the end of the world happens to everyone.”

In Russia – especially at the start of the invasion of Ukraine – President Vladimir Putin forced people to use the term “special operation” to describe the invasion. Those who called it a war or an invasion risked a significant prison sentence.

While many cybersecurity actors have interpreted Raccoon’s arrest message to mean that key programmers were killed early in the fighting, it may instead be a reference to Raccoon’s arrest. Sokolovsky.

Raccoon operators did not immediately return a message seeking comment. They released a statement following news of Sokolovsky’s arrest last week that they did not know him personally and that when he disappeared in March ‘of course we thought the worst’ .

A few months later, a new version of the now compromised software was relaunched, with some critical adjustments to its programming, experts said.

On the run

Sokolovsky is from the city of Kharkiv in eastern Ukraine and attended university there. At the start of the war, the city was heavily bombarded by Russian forces.

According to an account on a blog run by respected cybersecurity journalist and analyst Brian Krebs, authorities were able to connect Sokolovsky to Raccoon through his iCloud (AAPL) account, which had been used to set up some accounts related to the malware.

This allowed authorities to track Sokolovsky’s movements, Krebs reported. It also allowed them to recover a photograph of Sokolovsky holding a large stack of cash next to his face.

For months, investigators observed Sokolovsky going back and forth between Kharkiv and Kyiv, the Ukrainian capital. Then, at the end of March, he landed in Poland, near the border with Germany. A photo was taken of Sokolovsky driving in Germany in a Porsche Cayenne with his girlfriend in the passenger seat.

At the time, Ukrainian men under the age of 60 were not allowed to leave Ukraine, as they were conscripted to fight the Russian invaders. Investigators believe Sokolovsky may have bribed him out of the country, Krebs reported.

Days later, authorities were able to focus on Sokolovsky in Amsterdam after his girlfriend posted photos of them together on Instagram, Krebs reported.

In September, a Dutch court accepted a US request to extradite Sokolovsky to Texas to face charges, but he appealed the decision.

Global reach

Prosecutors say that while Sokolovsky played a key role in developing the Raccoon program, he had several accomplices. Italian and Dutch authorities have been involved in the investigation, prosecutors said.

Among the data recovered by the FBI was some 50 million unique identifying information, including email addresses, bank account IDs, cryptocurrency addresses and credit card numbers, prosecutors said. . They say they don’t believe they found all of the data stolen via Raccoon Infostealer and are continuing to investigate.

Some of the data recovered included login credentials for several US companies and for members of the military with access to armed forces systems, according to court documents.

-Lukas I. Alpert

 

(END) Dow Jones Newswire

11-01-22 1701ET

Copyright (c) 2022 Dow Jones & Company, Inc.

About Norma Wade

Check Also

Hope for G-20 consensus dims as Russia bristles at ‘unacceptable language’ over Ukraine invasion

Russia and the United States failed to agree on the language of a joint statement …