His view has been backed by former Met Police Computer Crime Unit detective Adrian Culley, now a global security consultant with Damballa, who says the industry is rife with rumours that Russian organised crime groups have been offered immunity from prosecution by the Russian authorities, as long as they do not attack Russian citizens.
In a 3 February blog post, FireEye's Villeneuve said that the Target breach, which involved the theft of up to 40 million customer payment card details, has been tracked to an individual (known as 'ree4') believed to be operating from Ukraine. The stolen card data, he adds, is already being sold on underground Russian-language forums.
Villeneuve stressed that Eastern Europe “is clearly a trouble spot” and revealed that cyber crime gangs are even joining together in networks known as 'Partnerkas', with “little risk of prosecution”.
These Partnerkas use underground forums to link developers who create malware and exploits, the distributors who carry out spamming and black-hat search engine optimisation, and service providers who operate 'bulletproof' hosting and botnets, said the FireEye exec.
“The ability to operate servers safe from law enforcement - known as bulletproof hosting - is essential for most botnet operators,” he said.
Adrian Culley at Damballa went further, telling SCMagazineUK.com: “It has long been rumoured in the security Industry that various Russian organised crime groups have been offered immunity from prosecution by Russian authorities and intelligence agencies as long as they do not attack Russian citizens or interests. Many botnets and organised crime groups continue to operate from Russia and Eastern Europe.”
Charlie McMurdie, ex-head of the Met Police Central e-Crime Unit (PCeU) and now a senior cyber crime adviser at PricewaterhouseCoopers, concurred with Culley and told SCMagazineUK.com that corruption has now spread to the cyber security world.
“I've heard those rumours as well. I don't know where they originate from but I think, putting cyber crime to one side, corruption is a significant issue and there are certain countries where corruption is more rife than others.”
She continued that such corruption, coupled with difficulties in working with foreign investigators to attribute and investigate attacks, can make “life far harder to actually investigate and prosecute these cases”.
Damballa's Culley said the cyber crime gangs are often “as structured, effective and efficient as legitimate business” and work across national borders. He highlighted the success of pan-European police agency Europol, and its cyber crime unit EC3, in helping national police forces overcome the “multi-jurisdictional nature of many of these criminal activities”. But damningly he added: “I am not aware of any direct dialogue between Europol and the Russian authorities regarding cyber crime matters. It would be very encouraging were this to take place in a meaningful way.”
Villeneuve said the Partnerka networks carry out crimes ranging from spam, fake anti-virus, click fraud and ransomware to operating rogue pharmacies and supporting extreme adult porn sites. He said: “In this model, development and distribution are shared among multiple actors. The partnerka supplies the product — whether malware binaries or pharmaceuticals — and the affiliate members distribute them.”
The forums also serve those criminals selling “the spoils of their activities, such as stolen credit cards, banking information and credentials”. “This ecosystem is in full swing in the wake of the Target breach,” said Villeneuve.
The FireEye security researcher acknowledged that there have been police successes against East European cyber criminals, including the arrest of the co-founder of the notorious Chronopay payment service and last year's arrest of the Carberp gang and Paunch, the author of the widely used BlackHole exploit kit.
Furthermore, SCMagazineUK.com last month reported a major breakthrough against cyber crime when the details of more than 18,000 members of the 'Verified' Eastern European cyber crime forum were leaked by a rival gang. EC3 helped Polish police arrest five Bulgarians accused of electronic payment card fraud targeting mainly UK citizens last month, while the agency worked with Microsoft and the FBI to disrupt the criminals behind the ZeroAccess botnet, thought to have infected over two million computers worldwide, the month before.
Despite this, Villeneuve cast doubt on whether current cyber criminals will be caught.
“With the recent news of breaches at additional retailers, researchers are investigating any possible connections to the Target breach. If they do, the bigger question is whether law enforcement can find and stop those responsible.”
PwC's McMurdie also pointed out that organisations themselves could and should be doing more to prevent these malware attacks.
“The malware isn't particularly sophisticated, and if the appropriate security systems process was actually embedded into organisations, then even with these types of major compromises, we should be doing far more to prevent these taking place in the first place,” she told SCMagazineUK.com. “We keep talking about the issues and the frustrations of investigating - but prevention's always better.”
SCMagazineUK.com contacted Europol and EC3 for their views but no-one was available at the time of writing.