Overnight, the different listeners we had open were reporting data being sent by the crawler. We had mail files, several document and spreadsheet files, configuration files (hosts file, info stored in the registry of several machines, etc.) and a matrix map of how the computers were connected to each other, or network architecture. It was a crude map, but it was invaluable to us if we decided to start moving inside the attacker’s network.

While Y kept an eye on the computers, D and I began checking the files sent. They were in Russian, or at least Cyrillic. That was to be expected, given where the team was operating. This also meant we needed someone who could translate this information for us.

The spreadsheets had a lot of IP addresses. When we checked a bunch, we realized these were addresses belonging to several banks and financial institutions across the EU.

The network map showed us that we were dealing with a simple network, apparently with no domain controllers, and with each computer connected to a proxy of sorts that acted as a gateway to the internet. We managed to get an external IP. A simple whois showed us that it belonged to a Russian internet provider, so there was nothing we could gain from that. Still, having an external address gave us a way to start pinpointing the location of the bad guys.

We compiled all this into a simple SITREP and sent it to the security department of our customer and their legal department.

In the meantime, the guys on the ground were getting ready for the SDR. The previous night they instructed the principals on where to go after they left the hotel: some random stops for “phone calls,” back to the hotel to get a “forgotten laptop,” the coffee place, and finally the office. All of the principals were to take a slightly different route. The guys would split and follow the execs from different angles and would complement each other on the chokepoints to see whether they could remain hidden.

The next two days were spent trying to extract more information from the attacker’s network, feeding them false documents from the execs’ computers and working on the counter-surveillance operation. The guys observed the same 3 teenagers at 4 different spots and chokepoints. They managed to take some pictures of 2 of the guys. One of them was carrying a laptop under his arm. The other two seemed to be there for security; they were 2 big boys. We sent all this to the customer as well.

When we finally got the translation of the Russian documents (the customer had them translated for us), we could tell these were lists of names, addresses and other bits of information about people working at the different banks and corporations that were listed in the spreadsheets. The legal guys sent us a note with the translations saying that they were going to bring all this to Interpol for possible action. Based on experience, Russian crime is a tough one to deal with, so I wasn’t sure Interpol would do anything.

The next day we received a call from the security director of the company we were helping. He wanted to know whether we could give them control of the backdoor we installed on the bad guys’ network. I told him that it was a matter of changing the config and sending an update to it. I asked if he wanted us to continue helping with this, but he declined and stated that his department would take it from there. I asked him what his plans were, but he refused to comment on this.

Well, after some config changes and a small intro to our listener, we surrendered control of our backdoor to the customer.

After some analysis of what we knew, we all concluded that by chance we had managed to uncover a criminal operation that touched several organizations across the EU. Our simple security assessment, turned VIP digital protection, ended up becoming a full intel-gathering operation. Not bad for a simple project.

The guys returned home and we all went to celebrate with Vodka.

Note: I realize this was sort of anticlimactic and somewhat meh… Most projects are. Occasionally you have ops where you get to go in with the SOF operators or LE, but these are the exception…