Ukrainian hackers arrested for carrying out cross-border DDoS attacks
Ukrainian hackers arrested for carrying out cross-border DDoS attacks
Two Ukrainian nationals were sentenced to five years in prison for launching powerful DDoS attacks on popular dating site Anastaciadate.com in 2015 after cyber-security experts provided clinching evidence of their involvement to Ukrainian authorities.

In September 2015, popular dating site Anastaciadate.com suffered a series of DDoS attacks that rendered it inaccessible to users for four to six hours every day. Having demonstrated their capability, hackers contacted the firm and demanded US$10,000 (£7,234) in exchange for stopping further attacks.

While investigating the DDoS attack, experts at Russia-based data security firm Group-IB confirmed that the attack was carried out by Ukrainian nationals Gayk Grishkyan and Inna Yatsenko. They also found that the two hackers targeted other prominent firms like US-based Stafford Associated that leased data centre and hosting facilities and another firm named PayOnline, and demanded ransom ranging from £723 to £7,234.

In fact, they found that Inna Yatsenko ran a marriage agency which collaborated with Anastaciadate.com between 2013 and 2015, thereby suggesting that data obtained from the website could have been used to conduct the DDoS attack in 2015.

When Anastaciadate.com received another ransom demand in November 2016, Group-IB confirmed that the demand was made by the same Ukrainian actors and provided detailed evidence confirming the same to the firm. Subsequently, a complaint filed by the firm helped Ukrainian authorities arrest the two hackers and an analysis of data stored in their confiscated devices confirmed their involvement in the crimes. After they pleaded guilty, they were sentenced to five years in prison.

“This is the first large-scale international DDoS-extortion case in Ukraine, which was solved from the support of Group-IB experts and brought to court. This precedent is in many respects indicative: it demonstrates the coordinated and effective cooperation of international partners, which has enabled us to achieve the common goal and bring the case to court," said Ilya Sachkov, CEO of Group-IB.

"No matter where the crime is committed - on the street, at the bank or on the Internet - the perpetrator will be punished. It is essential to understand that under no circumstances should anyone pay ransom to criminals and thereby sponsor crime," she added.

In the past few years, a large number of enterprises and government departments in the UK suffered large-scale DDoS attacks carried out by Russian hackers who were allegedly sheltered by the Russian government. Will the conviction of Ukrainian hackers pave the way for more cross-border actions against malicious actors, whether or not they are sponsored by rogue nations?

In an email to SC Magazine UK, Joseph Carson, chief security scientist at Thycotic, replied in the negative.  "The prosecution of cyber-criminals in Ukraine does not change the current political and cyber-relationship between the UK and Russia or North Korea when it comes to cyber-attacks. At the moment, these relationships only appear to be getting worse and cyber-attacks will become more aggressive. Governments who deny involvement or provide safe haven for cyber-criminals will continue to be places where cyber-attacks will continue to grow and thrive," he said.

Adding that even though cyber-criminals based in Ukraine will be more cautious about how they perform cyber-attacks, the conviction of the two hackers will not change the status quo anywhere else.

"To prevent a major catastrophe, governments and nation-states need to work together with full cooperation and transparency to ensure that cyber-attribution is possible and that they hold each other responsible for the actions of criminal organisations carrying out cyber-attacks from within their borders. 

"Recently at the World Economic Forum, it was announced that a new Global Center for Cyber-security would be launched. This should focus on establishing cooperation between governments so that attribution is possible in the future - if a cyber-crime has been committed, the governments involved should work together in a manner similar to how Interpol works today," he added.

Dr Johannes Ullrich, dean of research, SANS Institute, told SC Magazine UK that the conviction of the two Ukrainian hackers had more to do with AnastasiaDate having links to the country than any change of heart on part of Ukrainian authorities.

"It helped that AnastasiaDate had links to the Ukraine. Group-IB and Qrator labs, the two companies AnastasiaDate engaged to investigate the attacks are both based out of Russia and have links to the Ukraine which probably made it easier to interact with local prosecutors.

"I think this was a special case based on the nature of the victim, and the fact that the attackers appear to have had no connections to local organised crime. I do not think that this marks a shift from prior policy," he said. 

According to James Houghton, CTO at ThinkMarble, it will be difficult for cyber-security experts in the UK to pin-point the location of attackers in the first place, forget about bringing them to justice.

“Whilst, in this case, there appears to be a digital footprint left behind potentially providing investigating authorities the proverbial “fingerprint on the smoking gun”, the general view of the hacking community, that we have exposure to, is that they are not concerned by these recent events and continue to believe they can successfully avoid and evade even cross-border authorities.

"There are various layered techniques used to truly obfuscate identities and geographical locations that are currently outside the abilities of the most technologically advanced track and trace tools," he said.