The Lurk virus robbed banks, and it was written by ordinary remote workers hired for the job

Tomcat

In May of this year the publishing house Individuum released a book by the journalist Daniil Turovsky, "Invasion. A Brief History of Russian Hackers." It contains stories from the dark side of the Russian IT industry: about guys who, having fallen in love with computers, learned not just to program but to rob people. The book develops the way the phenomenon itself did, from teenage hooliganism and forum get-togethers to law-enforcement operations and international scandals.

Daniil collected the material over several years; some of the stories were published on Meduza, and Andrew Kramer of the New York Times received a Pulitzer Prize in 2017 for retelling Daniil's articles.

But hacking, like any crime, is too closed a topic. The real stories are passed on only by word of mouth. And the book leaves the impression of a maddeningly curious incompleteness, as if each of its heroes could fill a three-volume "how it really was."

With the publisher's permission, we are publishing a short excerpt about the Lurk group, which robbed Russian banks in 2015-16.

In the summer of 2015 the Russian Central Bank created FinCERT, a center for monitoring and responding to computer incidents in the credit and financial sector. Through it, banks exchange information about computer attacks, analyze them, and receive protection recommendations from the intelligence agencies. There are many such attacks: in June 2016 Sberbank estimated the Russian economy's losses from cybercrime at 600 billion rubles; at the same time the bank set up a subsidiary, Bizon, which handles enterprise information security.

The first report on FinCERT's work (October 2015 to March 2016) describes 21 targeted attacks on bank infrastructure; as a result of these incidents, 12 criminal cases were opened. Most of these attacks were the work of one group, which was named Lurk after the malware of the same name that the hackers had developed: with it, money was stolen from commercial enterprises and banks.

Police and cybersecurity specialists had been looking for members of the group since 2011. For a long time the search was unsuccessful; by 2016 the group had stolen about three billion rubles from Russian banks, more than any other hackers.

The Lurk virus differed from those investigators had encountered before. When the program was run in the laboratory for testing, it did nothing (hence the name Lurk, from the English "to lie hidden"). Later it turned out that Lurk is designed as a modular system: the program gradually loads additional blocks with various functionality, from intercepting keystrokes, logins and passwords to recording a video stream from the screen of the infected computer.

To spread the virus, the group hacked websites visited by bank employees: from online media (for example, RIA Novosti and Gazeta.ru) to accounting forums. The hackers exploited a vulnerability in a banner-advertising exchange system and distributed the malware through it. On some sites the hackers posted the link to the virus only briefly: on the forum of one accounting magazine it appeared on weekdays at lunchtime for two hours, yet even in that time Lurk found several suitable victims.

Clicking the banner took the user to a page with exploits, after which information began to be collected on the attacked computer; the hackers were mainly interested in remote-banking software. Details in bank payment orders were replaced with the ones the attackers needed, and unauthorized transfers were sent to the accounts of companies associated with the group. According to Sergei Golovanov of Kaspersky Lab, in such cases groups usually use shell companies, "which are the same as transferring and cashing out": the money received is cashed there, put into bags and left as dead drops in city parks, where the hackers pick them up. Members of the group diligently hid their actions: they encrypted all daily correspondence and registered domains under fake identities. "Attackers use triple VPN, Tor, secret chats, but the problem is that even a well-functioning mechanism fails," Golovanov explains. "Either the VPN drops, or the secret chat turns out to be not so secret, or someone, instead of calling through Telegram, simply calls from a phone. This is the human factor. And when you have been accumulating a database for years, you need to look for such accidents. After that, law enforcement can contact providers to find out who visited such-and-such an IP address and when. And then the case is built."

The arrest of the Lurk hackers looked like an action movie. Employees of the Ministry of Emergency Situations cut the locks off the hackers' country houses and apartments in different parts of Yekaterinburg, after which FSB officers burst in shouting, grabbed the hackers, threw them on the floor, and searched the premises. The suspects were then put on a bus, taken to the airport, walked along the runway and loaded onto a cargo plane, which took off for Moscow.

Cars were found in garages belonging to the hackers: expensive Audi, Cadillac and Mercedes models. A watch set with 272 diamonds was also discovered. Jewelry worth 12 million rubles and weapons were seized. In total, police conducted about 80 searches in 15 regions and detained about 50 people.

In particular, all of the group's technical specialists were arrested. Ruslan Stoyanov, a Kaspersky Lab employee who took part in the investigation of the Lurk crimes together with the intelligence services, said that the management found many of them on ordinary job sites for remote work. The advertisements said nothing about the work being illegal, Lurk offered an above-market salary, and it was possible to work from home.

"Every morning, except weekends, in different parts of Russia and Ukraine, individuals sat down at their computers and began to work," Stoyanov described. "Programmers tweaked the functions of the next version [of the virus], testers checked it, then the person responsible for the botnet uploaded everything to the command server, after which automatic updates took place on the bot computers."

Court consideration of the group's case began in the fall of 2017 and was still continuing at the beginning of 2019, owing to the size of the case, which runs to about six hundred volumes. The hackers' lawyer, who withholds his name, said that none of the suspects would make a deal with the investigation, though some admitted to part of the charges. "Our clients did do work developing various parts of the Lurk virus, but many were simply unaware that it was a Trojan," he explained. "Someone made part of the algorithms that could work successfully in search engines."

The case of one of the group's hackers was separated into its own proceedings, and he received five years, including for hacking the network of Yekaterinburg airport.

In recent decades the Russian special services have managed to defeat most of the large hacker groups that violated the main rule, "Do not work on ru": Carberp (stole about one and a half billion rubles from the accounts of Russian banks), Anunak (stole more than a billion rubles from the accounts of Russian banks), Paunch (created platforms for attacks through which up to half of infections worldwide passed), and so on. The income of such groups is comparable to the earnings of arms dealers, and besides the hackers themselves they consist of dozens of people: security guards, drivers, cashers, owners of sites where new exploits appear, and so on.
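The delivery detail in the excerpt, a malicious banner exposed on an accounting forum for only two hours at weekday lunchtime, is exactly the kind of thing that hides from a daily allow/deny review but stands out in proxy logs if you look for it. The script below is an added example written for this post, not code from the book or from any of the investigators it quotes. It flags third-party hosts that were reached only via referrals from a watched "watering hole" site, are not on the allowlist of known ad infrastructure, and were active only inside a short weekday window. The log format (ISO timestamp, client IP, URL, referer), the host names, and the sample lines are all constructed for the example.

```python
"""Flag short-lived third-party hosts reached through referrals from watched sites.

Added example (not from the original post). The log format and every host name
below are assumptions constructed for illustration; there is no real Lurk data here.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines: "<ISO timestamp> <client IP> <URL> <Referer>".
SAMPLE_LOG = """\
2016-02-09T12:03:11 10.0.4.17 http://adsrv.example-exchange.net/b/728x90.js http://forum.example-accounting.ru/threads/vat
2016-02-09T12:04:02 10.0.4.17 http://cdn.example-exchange.net/img/banner.png http://forum.example-accounting.ru/threads/vat
2016-02-09T12:41:55 10.0.7.3 http://adsrv.example-exchange.net/b/728x90.js http://forum.example-accounting.ru/threads/payroll
2016-02-09T12:42:09 10.0.7.3 http://stat-counter.example-landing.biz/index.php?id=7 http://forum.example-accounting.ru/threads/payroll
2016-02-09T13:15:40 10.0.2.9 http://stat-counter.example-landing.biz/index.php?id=7 http://forum.example-accounting.ru/
2016-02-10T09:10:00 10.0.4.17 http://adsrv.example-exchange.net/b/728x90.js http://forum.example-accounting.ru/
2016-02-10T12:30:12 10.0.9.1 http://cdn.example-exchange.net/img/banner.png http://forum.example-accounting.ru/
"""

# Assumed site lists: sites staff visit daily, and ad infrastructure already reviewed.
WATCHED_REFERERS = {"forum.example-accounting.ru"}
KNOWN_AD_HOSTS = {"adsrv.example-exchange.net", "cdn.example-exchange.net"}
MAX_ACTIVE_SPAN = timedelta(hours=2)   # "appeared for two hours" pattern from the excerpt
LUNCH_HOURS = range(11, 15)            # hours of day treated as the lunchtime window


def parse_line(line):
    """Split one constructed log line into (timestamp, client, request host, referer host)."""
    ts, client, url, referer = line.split()
    return (datetime.fromisoformat(ts), client,
            urlsplit(url).hostname, urlsplit(referer).hostname)


def find_transient_hosts(log_text, watched=WATCHED_REFERERS, allow=KNOWN_AD_HOSTS,
                         max_span=MAX_ACTIVE_SPAN, hours=LUNCH_HOURS):
    """Return third-party hosts referred from watched sites whose whole activity
    fits inside a short weekday lunchtime window and that are not allowlisted."""
    seen = defaultdict(list)  # host -> [(timestamp, client), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ref_host = parse_line(line)
        if ref_host in watched and host not in watched and host not in allow:
            seen[host].append((ts, client))

    findings = []
    for host, hits in seen.items():
        times = sorted(t for t, _ in hits)
        span = times[-1] - times[0]
        in_window = all(t.weekday() < 5 and t.hour in hours for t in times)
        if span <= max_span and in_window:
            findings.append({
                "host": host,
                "first_seen": times[0],
                "last_seen": times[-1],
                "clients": sorted({c for _, c in hits}),
            })
    return findings


if __name__ == "__main__":
    for f in find_transient_hosts(SAMPLE_LOG):
        print(f"{f['host']}: {f['first_seen']} .. {f['last_seen']} on {len(f['clients'])} hosts")
```

Two caveats a practitioner would add. First, the allowlist is the weak point: in the excerpt the redirect came through a legitimate banner exchange, so the ad hosts themselves are not suspicious and only the landing host is; this heuristic finds the landing host, not the compromised exchange. Second, "active only in a short window" is a weak signal on its own and is meant to rank hosts for a human look, not to block anything automatically.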