Episode 140 - Malicious Life

Operation Flyhook, Part 1

SEASON 3 / EPISODE 140

Alexey Ivanov was exactly the kind of person to benefit from the early-2000s dot-com boom: He was bright, talented, and knew his stuff. His only problem was the fact that he was born in Chelyabinsk, a sleepy Russian town in the middle of nowhere… when he sent his resume to American companies, nobody was willing to bet on him.
Alexey came up with a 'brilliant' idea: hacking American corporations, and then blackmailing them - forcing them to hire his services as a 'security consultant.'


Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest
Ray Pompon
Director F5 Labs, Threat Research, for F5 Networks

Twenty years in infosec matching security requirements to business objectives, identifying technical risks, and ensuring regulatory needs are met.
Twenty-four years of experience in designing and implementing scalable controls, systems, and processes to meet business and compliance objectives.
Twenty-five years building complex network security designs and implementations with an emphasis on high-availability and security.

Operation Flyhook, Part 1

Do you ever wonder how different you’d be today if you grew up under a different set of
circumstances?

Like, I can imagine, maybe, that I wasn’t born in Israel. So I might not have joined the Navy,
which became so integral to the skill set I developed and the kind of man I am today. And,
you know, I’m obsessed with history, but maybe I wouldn’t be so into it had I grown up in a
less historically significant part of the world. I could’ve gone into a different line of work. Or
what if, in another life, I grew up rich, and didn’t have to work at all? Then I could spend all
my days doing what I really want to do…

INTRO TO ALEXEY
The year is 1999.

The internet is now in homes around the United States, and the world. Yahoo, eBay, Amazon–
what were just startups a few years earlier are now the hottest companies in the world. Really,
any half-baked company with a “.com” at the end is running rampant in the stock market,
even if all they do is sell toys or pet food. Whole new industries are popping up, and millions
of jobs along with them. Everybody wants in.

Alexey Ivanov is exactly the kind of person to benefit from the boom because, when it comes to coding, he’s little short of prolific. According to his CV, Alexey’s either good or proficient in HTML, JavaScript, SQL, C, C++, Assembler, good or excellent with MS-DOS, Linux, Solaris, every version of Windows, with a comprehensive understanding of LAN, WAN, DNS, TCP/IP, FTP, equally proficient with IBM, Sun Microsystems, HP and Cisco hardware. And that’s just a sampling from a much longer list–to read out his entire CV now would take too long.

The point here is that Alexey knew his stuff. He could’ve qualified for a job at any internet
company in the world. But Alexey Ivanov was born into a different set of circumstances than
you and I. He was a lot like us in other ways–bright, talented, technical–but, instead of being
from America, or Germany, or Japan, Alexey was born in Russia. And not even Moscow, or
St. Petersburg, but…

“[Ray] from a little place called Chelyabinsk which is kind of in the middle of nowhere in
Russia.”

That’s Ray Pompon, Director of F5 Labs.

“[Ray] It was a little famous for a while because that’s where a meteor landed and it’s
caught on film.”

There’s a lot of great footage of it on YouTube: a loud bang, people flying across rooms from
the shockwave, building walls and roofs busting open, things flying, and the bright, godlike
meteor that looked like God himself was coming down to visit earth. Talk about a cursed
place.

“[Ray] it’s kind of like heavily polluted and there was a lot of kind of Soviet missiles, radioactive work there.”

JOB HUNT
Maybe if you or I grew up there–amid the radioactivity, the pollution, dodging meteors falling
from space–we would’ve ended up like Alexey Ivanov and his friends.

“[Ray] these guys are really sharp technically. But they had nowhere to go with this. […]
At the time, there was nothing to really do with this in Russia. There wasn’t a big tech
industry.”

So what do you do, with all the potential in the world and nowhere to use it?

Alexey first tried what many of us in his position would: getting the hell out of Chelyabinsk. In April, 1999, he started looking for jobs in America. He did so, though, with a little twist. Rather than just applying to jobs one by one, he went to Dice.com–a careers website–and downloaded a database from their servers. “It was easy,” he later recalled. With the raw data, he didn’t have to drudge through job postings one by one. Quote: “I wrote some scripts, and in a few hours I was sending my resume to 5,000 jobs.”

Among those thousands of jobs, he got plenty of replies. But all of them went cold when
Alexey revealed that he lived in Russia, had no experience working for American companies,
and would need sponsorship to move. You could imagine how demoralizing it would’ve been:
knowing he was good enough, yet still having no prospects. What was he to do–a computer
whiz with nowhere to productively use his skills?

Perhaps you can tell where this is going.

ALEXEY STARTS HACKING


According to CSO Online, Alexey already had some experience with cybercrime by this point.
Not long after graduating from Chelyabinsk Technical State University–one of the better
schools in his region–he’d fallen in with a group of hackers who operated a company called
“tech.net.ru.” Their specialty was a time-honored classic: stealing credit cards, then using
them to buy things online.

“[Ray] they had built this entire bot infrastructure that would create fake accounts on PayPal and eBay and then hold auctions, fake auctions or real auctions with fake people to buy stuff.”

Botnets, credit card laundering, fake identities. The real trick, though, was the shipping process. tech.net.ru would use their stolen cards to order, say, books and CDs from Amazon or Barnes and Noble, and have them shipped to different locations in neighboring Kazakhstan. They’d hire young women to receive the packages, then a member of the company would make the hours-long trip to come pick them up and drive them back home. Then they re-sold the merchandise to stores around Chelyabinsk, which coveted the CDs in particular. (Evidently, much of the supply of commercial CDs in Chelyabinsk was cheap pirated copies from Bulgaria.)

“[Ray] there’s a lot of thought here in this. You know, a lot of enterprise, entrepreneurial
thinking.”

Carding was pretty small game. It was much more fun and, usually, more profitable, to hack companies directly. Like, for example, when they targeted a new payment processing startup called PayPal. Alexey was the brains behind that one. It was a three-pronged approach: First, they installed malware onto eBay that collected email addresses associated with customers who used PayPal. Second, they set up their own domain: PayPal.com, but with an uppercase “i” instead of a lowercase “L,” with a homepage that copied the real thing as closely as possible. Third, the hackers emailed those eBay customers, promising a $50 prize they could claim by logging into the mirror site. The customers who fell for it handed their PayPal logins straight to tech.net.ru. Easy as that.

It wasn’t quite as lucrative as it sounds, though. As Alexey later said, quote: “We weren’t really malicious. We could have sent it to thousands of people, but we only sent it to 150. We got about 120 passwords. We did that mainly for fun.”

Alexey wasn’t what you’d call a prolific hacker at this point. He was small-time. But that might
be because his heart just wasn’t in it. The same year he was hacking PayPal accounts, he
was sending out resumes to get a real, honest job in the tech industry. But, as we said, it just
wasn’t working out.
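
The PayPaI.com trick above, a capital I standing in for a lowercase l, is still the everyday phishing case, and the defensive check is simple enough to show. The script below is an added example written for this transcript; it is not code from the podcast, from tech.net.ru or from PayPal. The brand list, the confusable groups beyond I/l, and the sample hostnames are constructed for the illustration.

```python
"""Lookalike-domain check for the PayPaI.com trick.

Added example for this transcript; not code from the podcast, tech.net.ru or
PayPal.  The brand list, the confusable groups beyond I/l, and the sample
hostnames are constructed for the illustration.
"""
import unicodedata
from typing import List, Optional

# Characters that are hard to tell apart in common fonts.  Every member of a
# group folds to the group's first character.  'lI1|' is the pair the crew
# used (capital I for lowercase l); the other groups are an assumption.
CONFUSABLE_GROUPS = ["lI1|", "oO0", "sS5", "bB8", "zZ2", "gG9"]
# Two-character sequences that read as one letter, applied after case-folding.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}

FOLD_TABLE = {ord(ch): group[0].lower()
              for group in CONFUSABLE_GROUPS for ch in group}


def skeleton(name: str) -> str:
    """Reduce a domain name to a confusable-insensitive skeleton."""
    s = unicodedata.normalize("NFKC", name)   # fullwidth/compat forms -> ASCII
    s = s.translate(FOLD_TABLE)               # before lower(): 'I' must become 'l', not 'i'
    s = s.lower()
    for seq, rep in MULTI_CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s


def registrable_domain(host: str) -> str:
    """'www.PayPaI.com' -> 'PayPaI.com'.  Assumes a one-label public suffix
    (no co.uk handling), which is enough for the .com case here."""
    labels = host.strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str, brands: List[str]) -> Optional[str]:
    """Return the brand domain `host` imitates, or None.

    The genuine domain (and its subdomains) is never reported; a different
    registrable domain whose skeleton equals a brand's skeleton is."""
    dom = registrable_domain(host)
    if dom.lower() in (b.lower() for b in brands):
        return None
    sk = skeleton(dom)
    for brand in brands:
        if sk == skeleton(brand):
            return brand
    return None


BRANDS = ["paypal.com", "ebay.com"]          # constructed brand list

SAMPLE_HOSTS = [                             # constructed samples
    "www.paypal.com",   # genuine
    "PayPaI.com",       # capital I for lowercase l: the trick described above
    "paypa1.com",       # digit one for lowercase l
    "secure.ebay.com",  # genuine subdomain
    "ebay-login.com",   # a hyphenated lookalike; a different trick, not caught here
]


def classify(hosts=SAMPLE_HOSTS, brands=BRANDS):
    """Map each host to the brand it imitates, or None."""
    return {h: lookalike_of(h, brands) for h in hosts}


if __name__ == "__main__":
    for host, brand in classify().items():
        print(f"{host:20s} {'lookalike of ' + brand if brand else 'ok'}")
```

The order inside skeleton matters: folding has to run before lowercasing, because once “PayPaI” is lowercased to “paypai” the capital I is gone and a plain case-insensitive comparison no longer sees anything wrong. The hyphenated “ebay-login.com” is deliberately left unflagged; it is a different class of lookalike and needs a separate rule.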

ALEXEY’S IDEA
It was only at the intersection of these two paths–down one, trying to find honest work, and down the other, making ends meet through dishonest means–that Alexey Ivanov came up with the idea that earned him a Malicious Life episode. As he told CSO Online, quote: “I thought: ‘Why don’t I convince [companies] about my skills, and in order for me to convince them, I have to demonstrate them.’” End quote.

Alexey’s idea–for how to “demonstrate” his skills to potential employers–was inspired by one
of the earliest hacks he’d ever pulled off.

It was December, 1997. He was still a student when he and a friend breached the servers of a
local ISP, then downloaded a database of usernames and passwords. The teenagers didn’t
do anything nefarious with the data–it was mostly just an exercise in whether they could pull it
off. They notified the ISP and, remarkably, their victim offered them jobs. The salary was only
about $75 a month, so they turned it down, but it was the seed of something much bigger.

ALEXEY’S HACKER M.O.


“[Ray] it’s kind of like a precursor of what we would see in ransomware where people’s networks get broken into. Stuff would get messed with and then they would get potentially like a blackmail note or a ransom note to say like hey, we got your stuff. Pay us some consulting fees, like $50,000, and we will tell you what we did, we will tell you how to fix it and we will give you back your data.”
A prosecutor for the United States Department of Justice wrote about what it was like to be on the receiving end of one of Alexey’s famous security “consultations.” Here’s the slightly oversimplified account, from “How to be a Digital Forensic Expert Witness.” Quote:

“[L]ate one evening you get a telephone call from your work that something is wrong with the computer network. When you arrive and review the logs, you learn that someone has gained access to your system, grabbed the password file, and FTP’d it to an IP address registered in Russia. You also learn that the intruder probably gained initial access through a still active account that had been assigned to a former employee. Once the intruder elevated his privileges to system administrator, he installed a sniffer to capture user names and passwords. Using an employee account, the intruder gained access to a server that processed credit card transactions of customers, and FTP’d a large file back to Russia.

You remove the sniffer and are in the process of changing all of the user names and passwords on your system when someone contacts you by way of Internet Relay Chat (IRC). “You system securities suck,” the message tells you. The messenger then introduces himself as an expert in computer security living in Russia, and offers to fix the holes in your security for a fee of $5,000 (US). After consulting with management and the company lawyers, you reply to the Russian “expert” that you do not do business with criminals. That night your web server crashes, effectively shutting down the Internet-based portion of your business.”

“[Ray] In some cases people didn’t pay. Like more things would get deleted or destroyed and data would go somewhere. But they really didn’t know what was going on.”

Alexey and his friends hit websites, companies, banks.
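
The prosecutor’s account above is a complete intrusion chain: a login on a former employee’s still-active account, escalation to administrator, a sniffer, then the password file and a card-transaction file FTP’d to an address registered in Russia. Each step leaves a log line, and the chain is what a correlator should catch, not any one line. The script below is an added example written for this transcript; it is not code from the podcast, the Department of Justice or F5 Labs. Its key=value log format, the departed-account list, the allowlisted networks and the sample log lines are all constructed for the illustration.

```python
"""Correlating the intrusion chain from the prosecutor's account.

Added example for this transcript; not code from the podcast, the DOJ or F5.
The log format, departed-account list, allowlisted networks and sample lines
are all constructed for the illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Accounts HR reports as departed.  They should be disabled, so any successful
# login is a finding in itself (the 'still active former-employee account').
DEPARTED = {"mwilson"}                                            # constructed

# Destinations an outbound file transfer is allowed to reach.
ALLOWED_DESTS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "192.0.2.0/24")]          # constructed

# Constructed log lines in a simplified key=value format, not a real sshd/ftpd format.
SAMPLE_LOG = """\
2000-01-14 22:41:07 web1 login user=mwilson src=203.0.113.7 result=ok
2000-01-14 22:43:19 web1 privesc user=mwilson to=root result=ok
2000-01-14 22:44:02 web1 ftp-out user=mwilson file=/etc/shadow dst=198.51.100.23 bytes=4096
2000-01-14 22:52:40 web1 login user=agarcia src=10.0.4.19 result=ok
2000-01-14 23:10:55 db1 ftp-out user=agarcia file=/srv/cards/batch.csv dst=198.51.100.23 bytes=1048576
2000-01-14 23:30:00 web1 ftp-out user=backup file=/var/backups/nightly.tar dst=192.0.2.10 bytes=52428800
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<event>\S+) (?P<kv>.*)$")


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
           "host": m["host"], "event": m["event"]}
    rec.update(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    return rec


def is_allowed_dest(ip):
    """True when the destination lies inside an allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_DESTS)


def correlate(log_text, departed=DEPARTED, window=timedelta(hours=2)):
    """Return (severity, timestamp, message) tuples in log order.

    Rules: a login on a departed account is 'high'; a root escalation by such
    an account is 'high'; an outbound transfer to a non-allowlisted destination
    is 'medium', raised to 'critical' when the account is already implicated,
    escalated to root within `window`, or the destination already received an
    exfiltrated file (in the account, the card file went to the same place).
    """
    alerts = []
    implicated = set()       # accounts tied to an earlier finding
    privesc_at = {}          # user -> time of last successful escalation
    exfil_dests = set()      # destinations that already received a critical transfer
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        user, ev, ts = rec.get("user"), rec["event"], rec["ts"]
        if ev == "login" and rec.get("result") == "ok" and user in departed:
            alerts.append(("high", ts, f"login on departed account {user} from {rec['src']}"))
            implicated.add(user)
        elif ev == "privesc" and rec.get("result") == "ok":
            privesc_at[user] = ts
            if user in implicated:
                alerts.append(("high", ts, f"{user} escalated to {rec['to']} after suspicious login"))
        elif ev == "ftp-out" and not is_allowed_dest(rec["dst"]):
            recent_root = user in privesc_at and ts - privesc_at[user] <= window
            if user in implicated or recent_root or rec["dst"] in exfil_dests:
                sev = "critical"
                exfil_dests.add(rec["dst"])
                implicated.add(user)
            else:
                sev = "medium"
            alerts.append((sev, ts, f"outbound transfer of {rec['file']} to {rec['dst']} by {user}"))
    return alerts


if __name__ == "__main__":
    for sev, ts, msg in correlate(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} [{sev:8s}] {msg}")
```

Run on the sample, the departed account’s login and escalation each raise a finding, its transfer of the password file is critical, and the later card-file transfer by a second, otherwise unremarkable account is promoted to critical only because it goes to the same destination that already received exfiltrated data. The backup job to an allowlisted network produces nothing, which is the point of keeping the allowlist explicit.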

OIB/SPEAKEASY
When he gained root access to the servers of the Online Information Bureau–“OIB”–of Vernon, Connecticut, he was able to steal tens of thousands of credit cards and merchant account information. When the OIB refused to pay a $10,000 fee, he wrote them an email. This is a verbatim reading, quote:

“[n]ow imagine please Somebody hack you network (and not notify you about this), he
downloaded Atomic software with more than 300 merchants, transfer money, and after
this did ‘rm –rf’ and after this you company be ruined.”
To clarify, “rm -rf” is a Unix and Linux command that deletes a directory and everything beneath it, recursively and without asking for confirmation. Alexey’s probably referring to a scenario where a hacker runs ‘rm -rf’ on the root directory, wiping out OIB’s entire database in an instant.

Anyway, the message continues, quote:

“I don’t want this, and because this I notify you about possible hack in you network, if
you want you can hire me and im always check security in you network. What you think
about this.”

An ISP and e-commerce company called SpeakEasy experienced something similar. In October ‘99, Alexey gained admin access to their IT systems, most notably the databases where they held credit card information. Afterwards, Alexey emailed the company, recommending they hire him to perform a security review of the systems he’d just hacked. After SpeakEasy refused to do so for two months, the exchange escalated into threats. In the last week of December, SpeakEasy lost access to some of their IT systems.

And so, at the turn of the millennium, Alexey Ivanov was slowly becoming one of the most prolific corporate hackers in the world. To expand his “security reviews” business, he partnered with a more business-oriented hacker–Vasiliy Gorshkov–also from his hometown. Together, their cybersecurity business was becoming more and more sophisticated, and profitable. Their targets couldn’t stop them. Law enforcement couldn’t stop them.

“Invita Security” was a company based in Seattle, near the University of Washington. It was a high-tech, forward thinking network security startup. You’d think, based on that description, that they might have been hired to stop Alexey and Vasiliy. But you’d be exactly wrong. Instead, they were in the market for “security talent,” and liked the look of Alexey’s long, impressive resume. They wanted to hire him.

They reached out to arrange an intro call. Vasiliy was the one who picked up. He spoke the
better English of the two.

On the phone, Vasiliy suggested that, rather than a more conventional evaluation process, Invita should let him and Alexey hack into their network. After all, if they could defeat the security company’s own security systems then, surely, it would prove their worth, much more than any job interview could. Invita agreed to the terms. They spent some time preparing for the test and then, in October, challenged the Russians to beat them.

It wasn’t a fair fight. Alexey, with Vasiliy by his side, managed to breach the Invita network in
mere minutes. And that was all the evidence Invita needed.
They made the visa and travel arrangements so that Alexey and Vasiliy could come and interview in person for security analyst/consultant roles. On November 9th, Alexey and Vasiliy said goodbye to their families and, finally, after all this time, headed off to America. They were thrilled, curious, and nervous. On the flight, Alexey ordered drinks to celebrate.

After nearly 48 hours of traveling in all, their plane landed at Seattle-Tacoma International Airport. The Russians stepped off the plane, grabbed their suitcases, and were greeted by some representatives from Invita. Together, the corporate reps and their prospective new hires took the half hour or so drive to the company’s offices. Along the way, Alexey and Vasiliy gazed out the windows at the city that was going to be their new home. One wonders what they were thinking in those moments–two kids who’d never made it far out of Chelyabinsk, let alone to America. They drove past the office buildings housing new technology companies, and the downtown restaurants and shops thriving off the new economy. Maybe their hacking days were over. Maybe, instead of attacking these companies, they could be working for one of them.

After about a half hour’s drive, they arrived at their destination–a shared office building, with rows of little startups tucked away in booths. They walked by their soon-to-be colleagues, towards Invita’s offices.

Or so they thought.

“[Ray] They don’t do things – they don’t do half measures, the FBI. So I was starting to
go like, oh, this is a really big thing.”

© All Rights Reserved to Cybereason Inc. 2019
