(In Russia, luxury cars and cybercrime seem to go hand-in-hand)
Did RIPE NCC and Russian police aid the Russian Business Network? In short, yes and no.
But first, the back story. If you weren’t already aware, the Russian Business Network was (and is – more on that later) a massive criminal enterprise operating out of St. Petersburg, Russia. They have been implicated in activities ranging from malware distribution to money laundering all the way to child pornography. In the past, they’ve been associated with installs of the infamous MPack exploit kit, C&C operations of the Storm Worm botnet, and, more recently, the ubiquitous ZeuS crimeware package. These are the kind of folks that give “organized cyber crime” its name.
As you can probably guess, there have been some substantial efforts undertaken to have these guys brought down. The Russian Business Network (Exploit) Blog has kept up the pressure on the RBN throughout its lengthy history, as have Spamhaus, Brian Krebs with SecurityFix, and many other researchers and vendors. Likewise, law enforcement officials in both the US and Russia have been working to track down the group’s members, known for driving around St. Petersburg in a bulletproof, black Audi R8.
Or have they?
Comments made by members of the FBI and SOCA (the UK’s Serious Organised Crime Agency) at this week’s RSA Europe Conference (FBI Supervisory Special Agent Keith Mularski and Andy Auld of the SOCA, to be more exact) have had a mixed reception among news agencies and the blogosphere. Some have portrayed them as pointing fingers at regional Internet registry RIPE NCC and the Russian police as being complicit in the crimes of the RBN. Others have put a more positive spin on things, detailing the plans made for greater cooperation between US and UK authorities.
So what’s the real situation?
First, let’s examine what was actually said. It seems that only Auld’s statements have elicited controversy, whereas Mularski is quoted speaking about cooperation between governments and the IT security industry. The following are Auld’s words taken from eWeekEurope, which had the most extensive quotations out of the bunch:
“An entity like Russian Business Network – a criminal ISP and recognized as such by just about every media outlet worldwide that covers these things – RBN was registered as [a] local internet registry with RIPE, the European body allocating IP resources to industry.”
“RIPE was being paid by RBN for that service, for its IP allocation. Essentially what you have – and I make no apologies for saying this is – if you were going to interpret this very harshly RIPE as the IP allocation body was receiving criminal funds and therefore RIPE was involved in money laundering offences.”
“What we are talking about is a purpose-built criminal ISP – built for and used by criminals and a highly profitable organization at that. This is organized crime. Don’t be confused with the idea that is a hobby industry or cottage industry, this was a proper organized crime syndicate that just so happened to have an e-crime component to its criminal portfolio.”
“All we could get there was a disruption, we weren’t able to get a prosecution in Russia. Our biggest concern is where did RBN go? Our information suggests that RBN is back in business but now pursuing a slightly different business model which is bad news.”
“Where you have got LIRs (Local Internet Registries) set up to run a criminal business- that is criminal activity being taken by the regional internet registries themselves. So what we are trying to do is work with them to make internet governance a somewhat less permissive environment for criminals and make it more about protecting consumers and individuals.”
“We strongly believe that this organization had not only the local police but the local judiciary and local government in St. Petersburg firmly in its pocket; that meant, when we tried to investigate RBN, we met significant hurdles – quite obvious hurdles – when trying to deal with Russian law enforcement to tackle the operation.”
Harsh? Yes, by all accounts. However, the blame being dished out is directed at two very separate groups: RIPE NCC, and local Russian police and judiciaries.
I can see why RIPE’s defenders have been less than pleased with the media portrayal of the presentation. From ZDNet’s slightly heavy-handed article:
Ripe NCC said the RBN used a front organisation that was accepted as an LIR in 2006. The regional internet registry dealt only with this organisation, which was registered outside Russia. The organisation passed all of the necessary checks, which are backed by a very strict set of guidelines, according to Ripe.
"The RBN was accepted as an LIR based on our checklists," Paul Rendek, Ripe NCC head of external relations, told ZDNet UK in an email statement. "Our checklists include the provision of proof that a prospective LIR has the necessary legal documentation, which proves that a business is bona fide. Additionally, we request network plans, justification for need of IP address space and even go as far as to request receipts for technology and machinery that allows the management of address space."
This seems reasonable. Granted, RIPE’s reaction time, upon learning of its RBN links, can certainly be criticized by those closer to the situation than myself. However, professional cyber criminals in the same sphere as the RBN are experienced fraudsters, acting behind proxies, shell corporations, and a host of other obfuscation services to keep their dealings appearing as legitimate as possible. RIPE admits they were fooled, and Auld himself prefaced his statement with “if you were going to interpret this very harshly.” I think that speaks volumes, but has been lost in presumptive headlines and tweets.
As for Russian authorities and judiciary officials… that’s something only the professionals are privy to. Based on my limited experience with the subject, however, and a myriad of stories about the same, I’m not surprised. St. Petersburg was the source of one of the first large-scale cyber crimes in 1994, which netted criminals more than $10 million from Citibank via phone (as described at BlackHat 2009). Russia in general has been a popular launching pad for organized crime, and the movement into cyber crime is nothing more than diversification.
Regardless of geographic location, cyber crime is a booming business. Kudos to Auld and Mularski for taking the world that they investigate and bringing it out into the public sphere, as well as discussing ways in which greater cooperation can take place. The Internet has no borders, and law enforcement must learn how to operate on a cooperative, international scale as has never been done before.