What Real Collaboration on Cyber Security Looks Like

We are publishing this story in two installments. Here is Part II.

When I sat down in Pittsburgh last October to talk to Scott Brady, the U.S. attorney for the Western District of Pennsylvania, and Charles “Tod” Eberle IV, chief of his national security and cyber crime section, they couldn’t tell me about the announcement that was 10 days away. They could only tell me that it would be big. And it was.

The Justice Department arranged a 30-minute press conference in Washington to announce the unsealing of an indictment that charged six military intelligence officers in Russia’s GRU with a long list of cyber attacks. The assaults they allegedly carried out interfered with a French election, shut down Ukraine’s power grid, and nearly torpedoed the South Korean Olympics. The most notorious was NotPetya, the global attack that is estimated to have caused $10 billion in damages. The group, known as Sandworm, was the subject of Andy Greenberg’s book by that name. And Brady’s signature was on the indictment.

But even if I’d known this, it wouldn’t have drawn my attention away from the matter I’d come to Pittsburgh to discuss. It was a case that, unlike the Sandworm attacks, received almost no publicity in the United States. There were no big press conferences in Washington. In fact, almost all of the legal action occurred far away, in countries you wouldn’t expect to be prosecuting cyber criminals for crimes involving U.S. businesses. And that was the point.

The U.S. victims were mostly small or medium-size companies. Many of the others were in Western Europe. But the gang that attacked them was in Eastern Europe, in places U.S. law enforcement can’t reach. Some were in Russia, some in Georgia, others in Ukraine, Moldova, and Bulgaria. Only one of those countries has an extradition treaty with the United States. The group’s weapon of choice was GozNym (pronounced goes-neem) malware, which combines the names of the Nymaim strain of malware and the Gozi banking trojan. The leader of the gang actually leased access to the malware from the developer in Russia. It allowed them to steal banking credentials from victim companies and wire funds to accounts they controlled.

There were 11 members in all, but it’s not clear how many had even met—or knew each other’s real names. They belonged to Russian-speaking underground forums, which served as meetups for cyber criminals. Like the gang in the movie ”Ocean’s Eleven,” the leader recruited them for their skills and specialties. Investigators described it as “cyber crime as a service.” One was good at spamming out phishing links. Another encrypted the malware to make it hard to detect after it had been injected into networks. Others known as “cashers” moved the money out of accounts, and “drop masters” provided drop accounts in which to stash the funds. The ringleader, who was based in Georgia, didn’t need to check their resumes; their reputations preceded them. And their interactions were online.

We were sitting in Brady’s office, socially distanced around a conference table, as we discussed the skills of these cyber criminals. Brady is a very big baseball fan, which was reflected in his office decor. Leaning against the wall next to him was a large framed painting of the late, great Pittsburgh Pirate Roberto Clemente. Across the office was an actual seat from the old Forbes Field, where Clemente played.

“So,” I said, continuing our discussion about the GozNym crew, “were they an all-star team?”

“They might not have been the ’27 Yankees” (who swept the Pirates in the World Series), Brady said with a smile. “But they’re probably the Big Red Machine.”

As I absorbed Brady’s artful use of the Cincinnati team color, I turned to Eberle. “It’s a small world,” he said. “The highest level actors are well known by everyone in the cyber criminal underground. I would say, according to the FBI, this was one of the more prolific groups at the time.”

Maybe the gang had dreams of going undefeated. They were far away from the companies they’d victimized. But Brady and Eberle had a different idea, even though they were warned that the odds were long. Recognizing the legal constraints, they found international partners and collaborated. You might say they joined an all-star team of their own. One in which the players left their egos at home.

‘Don’t Even Bother with That Country’

I’d first heard about this case at a cyber security conference in early March 2020, just before the Covid pandemic shut down in-person events. It was at the University of South Carolina School of Law. Tod Eberle spoke alongside Brian Stevens, the special agent he partnered with from the FBI’s Pittsburgh field office. What caught my attention was something Eberle said that day, which he repeated in Brady’s office. He spoke about the resistance he’d faced when he broached the idea of pursuing criminals in Ukraine and Georgia.

“I’ll be honest with you,” Eberle said, “there were some folks who told us, ‘Don’t even bother dealing with that country. I tried working with them, and it went nowhere.’” I asked if this advice came from prosecutors or investigators. “Both,” he said. “I mean, I don’t want to point the finger at anyone in particular, but that was the general feedback. ‘Don’t bother.’ Now, though, we’re all realizing that this can be successful if you put the time and the commitment into it.”

I was surprised that Brady was willing to devote resources to this longshot. But he was all in, he said. Brady, who was not confirmed as U.S. attorney until December 2017 (and left office on Feb. 26, 2021, following the change in administrations), frequently praised Eberle’s work on the matters we were discussing. He deferred to Eberle often as I asked about events that preceded his arrival. The U.S. attorney job was actually Brady’s second tour of duty in the office. The two men arrived together as assistant U.S. attorneys in 2004. Eberle loved it from day one. He’s never made plans to leave. Brady also loved it, he said, but he returned to private practice in 2010. That was the year David Hickton began his six-year stint as U.S. attorney.

It was Hickton who started the cyber crime section. His predecessor, Mary Beth Buchanan, had identified cyber as an area that demanded attention, Eberle said. But the work was handled by the white-collar group. Hickton broke it out, and pushed it onto the nation’s center stage in 2014, when Pittsburgh unsealed the country’s first indictment against a nation-state. Five members of the People’s Liberation Army (PLA) of China were charged with stealing confidential economic data from U.S. companies. Ultimately, the indictment helped the Obama administration pressure China to agree to curtail economic espionage (as opposed to the “normal” spying that all countries do).

A week later Hickton indicted a Russian hacker named Evgeniy Bogachev, whose gang was said to have launched attacks with the help of a vast botnet of infected computers known as GameOver Zeus. Among the companies he allegedly victimized were a number from Western Pennsylvania. The indictment was the last step before the culmination of a lengthy international push to destroy that criminal infrastructure. More than a dozen countries participated, and the FBI’s Pittsburgh field office was deeply involved. The effort succeeded, but only after a monumental struggle. It was an important achievement for international cooperation, though Bogachev, who never seems to leave Russia, remains at large.

It Started with Avalanche

The Western District of Pennsylvania built on these successes, and in the process built a name for itself (along with the FBI’s Pittsburgh field office). It continued to issue indictments against both employees of nation-states and criminal gangs. Some of the targets, like Bogachev, not only stole money from companies but also spied for their governments on the side, which gave them an aura of invincibility. In 2016, near the end of Hickton’s run, his office contributed to the sinking of another huge botnet. This one, called Avalanche, was a “bulletproof” hosting service that registered malicious domains for cyber criminals and hosted their executable malware files on its servers. It also helped its “customers” launder their plunder through money mule campaigns. About 20 flavors of malware were used by gangs that availed themselves of the service. One of them was GozNym.

Avalanche’s administrator was based in Ukraine, but the companies the gangs attacked were scattered around the United States and Western Europe. Germany began investigating Avalanche in 2012, following a devastating ransomware attack there. As attacks linked to Avalanche spread, more countries opened investigations. And Europol, which supports EU states battling terrorism and cyber crime, was contacted by law enforcement agencies, while Eurojust, which facilitates judicial cooperation, was contacted by prosecutors. They helped coordinate countries’ responses.

GozNym malware attacks hit Western Pennsylvania in a big way in the spring of 2016. It took a while for investigators to determine the source of the problem. As the FBI’s Brian Stevens explained in a webinarproduced by the University of South Carolina School of Law called “Fighting Cybercrime: Is Your Organization a Soft Target?”, banks were reporting attempts to transfer large sums without the authorization or knowledge of the companies supposedly moving the funds. Their credentials and passwords were being stolen through phishing links that, once clicked, downloaded this sophisticated malware that allowed the criminals to log in and operate computers as if they were the legitimate users. One Pennsylvania businessalmost had $400,000 wired to an unknown account in Bulgaria before it was thwarted by the bank. It was only after the FBI ordered a forensic examination of a victim’s machine that they learned the type of malware involved, Stevens said in the webinar.

The plan to take down the botnet involved seizing, blocking, and sinkholing—redirecting traffic from infected computers to servers controlled by law enforcement—800,000 malicious domains. But before the international effort began, the prosecutors and investigators in Pittsburgh asked the Europeans to slow down. “We would like to find out who’s behind this,” Eberle recalled telling them. Additional investigation led to the Avalanche administrator in Ukraine, Eberle told me. And the way to prosecute him, they figured, was to go after one of the malware gangs that used his service. “So that’s how the Avalanche investigation led to the GozNym investigation,” he explained.

Building a Partnership

Eberle’s office had indicted cyber criminals knowing they were never going to stand trial. Those five members of China’s PLA, for example, were never going to turn themselves in, or take a vacation in a country from which they could be extradited. The PLA indictment was designed to make a political statement and was part of a U.S. strategy to induce China to reach a bilateral agreement not to engage in economic espionage. (For more on this subject, see my recent article in Lawfare.)

But this was different. Five of the 11 GozNym gang members were Russians, but it did not appear they were working for their government. So this was not a matter of calling out a nation-state. And the five in Russia were basically untouchable. What was the point? That’s what the naysayers had asked Eberle. The point was that Brian Stevens was doing a bang-up job of investigating. And he was in touch with Jörn Bisping, the German investigator who had been working on the Avalanche case from the beginning, and was very much open to collaboration. And so was Frank Lange, the German prosecutor Bisping worked closely with throughout. And if the others were open to collaboration, there was a lot they might be able to accomplish.

For example, they might be able to prosecute some of these guys. Not in the U.S., but somewhere. "Look,” Eberle explained to me, “we want to be able to extradite where possible. But where we can't extradite, we need to be able to build these trusting relationships and get buy-in from these countries that we might not have had close relationships with before.” Countries like Ukraine, Georgia, and Moldova. “It's a big ask of them, because the victims in these cases are not in Ukraine, and they're not in Georgia.” But if the United States can supply important evidence and support the investigations and prosecutions, it could be a win-win, Eberle reasoned.

Eberle arranged meetings with his counterparts in The Hague, where Europol and Eurojust are based. He and Stevens wanted to demonstrate their commitment, and establish working relationships with the people who were in a position to use the evidence they were developing. And there’s nothing quite like meeting face to face, he said.

He also recognized the need to communicate his respect for the work the others would have to shoulder. It was a lesson he’d learned from past mistakes, he said. When he first started working with prosecutors abroad, he tended to view their joint work as a U.S. investigation. He kept the evidence he’d acquired to himself, and was reluctant to share it. When he needed their help imaging a server or interviewing a witness, he found there wasn’t much excitement on the other end. There were often long delays. But when he opened up and started treating his counterparts as equal partners, everything changed. In this case, he recognized that their only chance of succeeding was to share everything. And if they managed to successfully prosecute anyone, the lion’s share of the credit was going to go to the prosecutors and investigators directly involved, not to their American helpers. He and Stevens were OK with that.

Eberle offered another insight into how they were able to make progress. I asked him if there had been breakthrough moments during the investigation where he recognized how to proceed, and he surprised me with his answer. “There was always such a focus on the technical aspects and trying to identify the servers that are involved, and trying to see the NetFlow traffic,” he said. “But really what we found is our best approach has been old-fashioned techniques.” As they pursued leads, they often found they didn’t have probable cause to make an arrest. But they did have probable cause to search a suspect’s residence. So they contacted the local investigators to make arrangements, and Brian Stevens flew over to accompany them.

There’s was nothing fancy about this. It was just aggressive investigation that Eberle had used pursuing drug cases for years. But it led to two of their first big breaks. In September 2016, Eberle and Stevens had amassed evidence that Krasimir Nikolov was part of the GozNym conspiracy. But not enough to arrest him. So they asked the local authorities to search his residence. Stevens flew out, and when he and local law enforcement entered the apartment, they found Nikolov’s laptop booted up and connected to the GozNym administrative panel that listed victims’ banking credentials. Bingo: probable cause to arrest him and the names of victim companies. The other big break was that Nikolov was the only gang member who lived in a country that had an extradition treaty with the United States. Within minutes Eberle had a criminal complaint signed and his Office of International Affairs was requesting Nikolov’s arrest in Varna, Bulgaria. Extradition proceedings soon followed, and Nikolov spent Christmas in a cell in Pittsburgh.

By that time, Avalanche was frozen in its tracks. The attack was launched on the last day of November. In a press release, Europol listed 30 countries that were involved in the operation. It credited Germany for leading the charge—specifically the Public Prosecutor’s Office in Verden and the Luneburg Police—“in close cooperation with” Eberle’s office, DOJ, the FBI, and Europol and Eurojust. Shadowserver Foundation also played a key role behind the scenes. Avalanche caused 6 million euros in damages from cyber attacks on banking systems in Germany alone, the statement said, and hundreds of millions of euros worldwide from malware attacks conducted over the network. “Avalanche shows that we can only be successful in combating cybercrime when we work closely together, across sectors and across borders,” said Julian King, European Commissioner for the Security Union. Some months later, Jörn Bisping and Frank Lange were awarded the 2017 J.D. Falk Award by the Messaging Malware Mobile Anti-Abuse Working Group for “spearheading” the effort.

It would be a mistake to say that Avalanche was the easy part. There was nothing easy about conducting 37 searches, making five arrests, seizing 39 servers and taking down 221 additional servers through abuse notifications over four years. But a multinational partnership had taken down the GameOver Zeus botnet, so at least there was a precedent. Working with Ukraine and Georgia to prosecute men who had not harmed citizens of those countries, on the other hand, was a different matter. It was hard to predict how it would go. That would become clear soon enough.

NEXT: In Part II, U.S. investigators and prosecutors, flush from the success of helping take down a botnet, face very different challenges. They seek international partners to pursue members of the GozNym malware gang in the only places available: where they live. The Pittsburgh crew is about to find out whether the colleagues who warned they’d never succeed were right.