Apple's iCloud key in takedown of notorious Russian botnet operator

Posted in iCloud, edited February 2018
Data from Apple's iCloud service was used to identify, and potentially to locate and arrest, the operator of the Kelihos botnet, a system notorious for its association with spam networks and criminal conspirators, according to U.S. court documents unsealed on Monday.

According to an affidavit and related court documents filed with the U.S. District Court for the District of Alaska, federal agents requested access to the iCloud account of Russian user Peter Levashov on suspicion of his connection with Kelihos, reports The Verge. Kelihos is built on malware that infects victims' computers and uses them to host spam, further malware and other malicious content.

In an affidavit in support of a search warrant, FBI Special Agent Elliott Peterson said investigators suspected Levashov of operating Kelihos under the aliases "Peter Severa" and "Severa." After what appears to be a significant search effort, agents were able to connect Levashov and Severa through ICQ numbers, Jabber messages, email addresses, forum posts and online payments.

Data gleaned from two servers linked to the Kelihos botnet, which were seized in Luxembourg, pointed to Levashov's mail.ru account, as well as other email hosting sites including Apple's iCloud. Citing frequent connections to a common IP address, Peterson believes Levashov used the servers as a proxy for his various business dealings, including renting access to the botnet.

Apple complied with the warrant on the day it was served. Investigators then sat on the mountain of evidence for about a year, until Levashov traveled from Russia to Spain on vacation last April. Once he was in a country from which he could be extradited, local authorities arrested the so-called bot king. Levashov was arraigned in Connecticut federal court on Friday.

How, exactly, investigators detected Levashov's movements over the one-year period is left unmentioned, but the report notes Peterson's warrant request included information relating to "login IP addresses associated with session times and dates." This data could conceivably have been used to track the suspect when he entered Spain.
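The affidavit's reasoning (an IP address seen repeatedly in the seized servers' traffic, matched against a provider's login IP addresses and session times) is at bottom a log-correlation exercise. The Python below is an added illustration of that exercise and is not drawn from the court filings; every record in it is constructed, and the helper names are assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the court filings).
# SERVER_CONNECTIONS: "timestamp source-ip" lines recovered from a seized server.
# ACCOUNT_LOGINS: "account login-ip session-start session-end" records from a provider.
SERVER_CONNECTIONS = """\
2016-03-01T09:14:02 203.0.113.7
2016-03-01T09:20:45 203.0.113.7
2016-03-02T11:02:10 198.51.100.23
2016-03-03T08:55:31 203.0.113.7
2016-03-03T09:01:12 203.0.113.7
"""

ACCOUNT_LOGINS = """\
acct-A 203.0.113.7 2016-03-01T09:10:00 2016-03-01T09:30:00
acct-B 192.0.2.44 2016-03-02T10:00:00 2016-03-02T10:20:00
acct-A 203.0.113.7 2016-03-03T08:50:00 2016-03-03T09:05:00
acct-C 198.51.100.23 2016-03-05T12:00:00 2016-03-05T12:30:00
"""

def parse_connections(text):
    """Return (timestamp, ip) tuples from the server connection log."""
    rows = []
    for line in text.splitlines():
        ts, ip = line.split()
        rows.append((datetime.fromisoformat(ts), ip))
    return rows

def parse_logins(text):
    """Return (account, ip, start, end) tuples from the provider's login records."""
    rows = []
    for line in text.splitlines():
        acct, ip, start, end = line.split()
        rows.append((acct, ip, datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return rows

def shared_ips(connections, logins, min_hits=2):
    """IPs seen at least min_hits times on the server that also appear in a login record.
    One shared address is weak evidence; repeated use is what the affidavit relied on."""
    hits = Counter(ip for _, ip in connections)
    login_ips = {ip for _, ip, _, _ in logins}
    return {ip: n for ip, n in hits.items() if n >= min_hits and ip in login_ips}

def overlapping_sessions(connections, logins, slack=timedelta(minutes=5)):
    """Account sessions whose IP matches a server connection and whose window
    (widened by slack to absorb clock skew) contains that connection's time."""
    matches = set()
    for ts, ip in connections:
        for acct, lip, start, end in logins:
            if ip == lip and start - slack <= ts <= end + slack:
                matches.add((acct, ip, start.isoformat()))
    return sorted(matches)
```

The same two functions run unchanged over a defender's own data: a provider's login records beside a firewall or VPN log surface the accounts that were active from an address of interest during a given window.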

Apple is notoriously protective of its customers' data, and the company's privacy practices have only become more stringent in light of recent friction with governmental agencies. The company has published annual reports detailing government requests for information, and in 2014 released a set of guidelines for said data requests.

Still, Apple does comply with valid search warrants and national security orders, as evidenced by the Levashov case.

Comments

  • Reply 1 of 20
    Interesting story - even from a non-Apple perspective.
  • Reply 2 of 20
    What a waste of an arrest.  They should have just nailed his nuts high up a wall.
  • Reply 3 of 20
    Quite unsettling how easily the US can monitor anyone, anywhere around the world. Especially nabbing someone who you think would be clued up on security etc.
  • Reply 4 of 20
    Well, that’s why you use VPNs.
    Apple doesn’t protect your damn IP addresses.
  • Reply 5 of 20
    Latko (398 posts)
    Good action. However, I don't see the difference with the US (Texas?) murderer case where they refused to cooperate with FBI. And how would this align with privacy policies anyway?
  • Reply 6 of 20
    davidw (2,036 posts)
    Latko said:
    Good action. However, I don't see the difference with the US (Texas?) murderer case where they refused to cooperate with FBI. And how would this align with privacy policies anyway?
    The difference being that the data here is in the criminal's iCloud account, located on Apple's servers and is unencrypted. Apple has access to this data. Whereas the Texas murder data that the FBI wanted was on the murderer's personal iPhone and encrypted. Apple has no real access to data on an iPhone that is password protected. The iPhone does not belong to Apple. Thus a search warrant for Apple to turn over the data wouldn't do any good. It would take a court order to force Apple to help the FBI hack into the iPhone.
    edited February 2018
  • Reply 7 of 20
    ksec (1,569 posts)
    davidw said:
    Latko said:
    Good action. However, I don't see the difference with the US (Texas?) murderer case where they refused to cooperate with FBI. And how would this align with privacy policies anyway?
    The difference being that the data here is in the criminal's iCloud account, located on Apple's servers and is unencrypted. Apple has access to this data. Whereas the Texas murder data that the FBI wanted was on the murderer's personal iPhone and encrypted. Apple has no real access to data on an iPhone that is password protected. The iPhone does not belong to Apple. Thus a search warrant for Apple to turn over the data wouldn't do any good. It would take a court order to force Apple to help the FBI hack into the iPhone.
    So data on iCloud is practically unsafe?
  • Reply 8 of 20
    airnerd (693 posts)
    Two things:

    1) They probably tracked him by watching his name on airline reservation lists, I doubt he drove to Spain.

    2) I always read about these mega-spammers being taken down but never a decrease in the amount of spam I get. Must just be a vicious vacuum that is constantly filled when a void occurs.
  • Reply 9 of 20
    maestro64 (5,043 posts)
    I never understood why the media prints and shares information on how they catch these guys, stop telling the criminal how they are being caught.

    The media is all upset that "The Memo" was released which pointed to how our government spies on Americans, and they felt this was wrong since it may tell our enemies how our spy systems work. But here they are doing the exact same thing. Yeah I am curious how they caught the guy, but it does not matter how they caught him and no one needs to know how so they can easily catch the next guy.
  • Reply 10 of 20
    maestro64 (5,043 posts)
    "...but the report notes Peterson's warrant request included information relating to 'login IP addresses associated with session times and dates.'"

    This is the same way they caught the guy who was running an online store on the darknet which sold drugs in the US. They tracked his movement based on this IP and date and time of access.
  • Reply 11 of 20
    ksec said:
    davidw said:
    Latko said:
    Good action. However, I don't see the difference with the US (Texas?) murderer case where they refused to cooperate with FBI. And how would this align with privacy policies anyway?
    The difference being that the data here is in the criminal's iCloud account, located on Apple's servers and is unencrypted. Apple has access to this data. Whereas the Texas murder data that the FBI wanted was on the murderer's personal iPhone and encrypted. Apple has no real access to data on an iPhone that is password protected. The iPhone does not belong to Apple. Thus a search warrant for Apple to turn over the data wouldn't do any good. It would take a court order to force Apple to help the FBI hack into the iPhone.
    So data on iCloud is practically unsafe?
    If by that you mean that privileged users at Apple can access your data and files, and with a valid court order, will provide it to various authorities, then yes it's unsafe. The same is true for anything you upload to virtually any cloud service unless it specifically promises encryption and you hold the key. Welcome to the 21st century.

    Edit: I didn't give Apple enough credit for protecting our data.  See the link Macgui provided below for the real scoop:  https://support.apple.com/en-us/HT202303
    edited February 2018
  • Reply 12 of 20
    ksec said:
    davidw said:
    Latko said:
    Good action. However, I don't see the difference with the US (Texas?) murderer case where they refused to cooperate with FBI. And how would this align with privacy policies anyway?
    The difference being that the data here is in the criminal's iCloud account, located on Apple's servers and is unencrypted. Apple has access to this data. Whereas the Texas murder data that the FBI wanted was on the murderer's personal iPhone and encrypted. Apple has no real access to data on an iPhone that is password protected. The iPhone does not belong to Apple. Thus a search warrant for Apple to turn over the data wouldn't do any good. It would take a court order to force Apple to help the FBI hack into the iPhone.
    So data on iCloud is practically unsafe?
    That is why you should use local iTunes backup. Even besides this knowledge, Apple has no incentive to sell or abuse your data.
    Google, Facebook, Amazon & Twitter actually make money by selling your data and Twitter has been seen abusing its user data. Apple is the last company who wants to see your personal information.
  • Reply 13 of 20
    macgui (2,350 posts)
    ksec said:
    So data on iCloud is practically unsafe?
    https://support.apple.com/en-us/HT202303
  • Reply 14 of 20
    macgui said:
    ksec said:
    So data on iCloud is practically unsafe?
    https://support.apple.com/en-us/HT202303
    Thank you (times 100) for posting this link. I hadn't realized the extent to which data we store on Apple's servers is inaccessible to anyone at Apple. A good quick read for anyone.
  • Reply 15 of 20
    adm1 said:
    Quite unsettling how easily the US can monitor anyone, anywhere around the world. Especially nabbing someone who you think would be clued up on security etc.
    This has been well documented in the internet and mobile phone age.  If one chooses to use the internet and mobile devices, then one is leaving a digital trail.  I find the symbiotic relationship between governments and technology companies interesting in that the govts "wink wink" at technology companies collecting, storing, profiling, and profiting from all of our personal information.  In return, all of the tech companies (including mobile phone companies and ISPs) cooperate with the govts in some manner upon request.

    If it's stored ANYWHERE, eventually it can be found!

    It makes no difference if this guy was using an iPhone, Android phone, BlackBerry, Mac, Windows computer, etc. They would have found him as this guy (like all of us on these sites) is constantly engaging with the modern world with credit cards, tech devices, airline travel, high end vacations, etc. Therefore, he is leaving a digital trail.

    No sense getting all upset about it. It's just how it goes. Just about everyone in the world benefits from modern technology -- even folks without electricity and internet. One trade-off is governments can find you if you choose to use mobile technology and the internet. That's why terror groups now use burner phones w/encrypted chat programs. But even the leaders of these terror organizations now only use couriers.

    Oh, and I got one more for you!  You are all being tracked by Google no matter if you use an Android device, Chrome Browser, or another search engine.  Look up "Browser Fingerprinting."

    Deal with it! Or stop using this tech!
  • Reply 16 of 20
    maestro64 said:
    I never understood why the media prints and shares information on how they catch these guys, stop telling the criminal how they are being caught.

    The media is all upset that "The Memo" was released which pointed to how our government spies on Americans, and they felt this was wrong since it may tell our enemies how our spy systems work. But here they are doing the exact same thing. Yeah I am curious how they caught the guy, but it does not matter how they caught him and no one needs to know how so they can easily catch the next guy.
    Don't blame the media, blame the government agency who shared the info with them. They could have just left a "no comment" statement and redact all of the technical info on how this guy was nabbed. 

    It's possible that they want this guy to flip so they can use him to spy on Russia. That way they can use him to see what kind of activity is originating from there to disrupt our infrastructure.
  • Reply 17 of 20
    As I understand it, per reports from some pretty sketchy sources, this guy has claimed to have been funded by both the Trump campaign AND the Russian government at the same time during the 2016 election. Mueller is also rumored to be looking into coordination between the GOP, the Trump campaign and the Russian government to target and inundate independent voters in specific voting districts with spam, presumably orchestrated by this guy. My point is that this is not just a sideshow. If this guy has corroborating evidence and chooses to flip to shorten his sentence, he could bring down the President of the United States.
  • Reply 18 of 20
    fastasleep (6,408 posts)
    airnerd said:
    Two things:

    1) They probably tracked him by watching his name on airline reservation lists, I doubt he drove to Spain.

    2) I always read about these mega-spammers being taken down but never a decrease in the amount of spam I get. Must just be a vicious vacuum that is constantly filled when a void occurs.
    I dunno, I was just wondering if a botnet got taken down a couple months ago, when my spambox went down to ~40-60 emails a day versus ~400-500-something at its peak. I spent the better part of a year with my email host refining an exclusion list and isolating false positives, etc., which was a nightmare. Finally it's totally manageable. Hoping someone got nailed for it whenever I read these kinds of reports. :)
  • Reply 19 of 20
    fastasleep (6,408 posts)
    maestro64 said:
    I never understood why the media prints and shares information on how they catch these guys, stop telling the criminal how they are being caught.

    The media is all upset that "The Memo" was released which pointed to how our government spies on Americans, and they felt this was wrong since it may tell our enemies how our spy systems work. But here they are doing the exact same thing. Yeah I am curious how they caught the guy, but it does not matter how they caught him and no one needs to know how so they can easily catch the next guy.
    It's not the "exact same thing" in any way though. Corroborating IP addresses/times with the investigation's data recovered from servers isn't some new technique that we're just finding out about. And it wasn't the media that was upset, it was primarily the intelligence community fearing that operations or operatives involved in ongoing investigations into a foreign superpower meddling in our internal elections might be compromised. Not really the same, is it?
  • Reply 20 of 20
    ksec (1,569 posts)
    macgui said:
    ksec said:
    So data on iCloud is practically unsafe?
    https://support.apple.com/en-us/HT202303
    Well as long as it is encrypted, then I think that is fair and fine. Because the article read as if Apple followed the court order and gave every piece of data they have. It should have specified they gave every piece of encrypted data they have.
    edited February 2018