Apple's iCloud key in takedown of notorious Russian botnet operator
Data from Apple's iCloud service was used to identify, and potentially locate and arrest, the operator of the Kelihos botnet, a system notorious for its association with spam networks and criminal conspirators, according to U.S. court documents unsealed on Monday.

According to an affidavit and related court documents filed with the U.S. District Court for the District of Alaska, federal agents requested access to the iCloud account of Russian national Peter Levashov on suspicion of his connection with Kelihos, reports The Verge. Kelihos is, in part, malware that infects victims' computers so they can host spam, further malware and other malicious content.
In an affidavit in support of a search warrant, FBI Special Agent Elliott Peterson said investigators suspected Levashov of operating Kelihos under the aliases "Peter Severa" and "Severa." After what appears to have been a significant search effort, agents were able to connect Levashov and Severa through ICQ numbers, Jabber messages, email addresses, forum posts and online payments.
Data gleaned from two servers linked to the Kelihos botnet, which were seized in Luxembourg, pointed to Levashov's mail.ru account, as well as accounts at other email providers including Apple's iCloud. Citing frequent connections to a common IP address, Peterson believes Levashov used the servers as a proxy for his various business dealings, including renting out access to the botnet.
Apple complied with the warrant on the day it was served. Investigators then sat on the evidence for about a year, until Levashov traveled from Russia to Spain on vacation last April. Once he was in a country from which he could be extradited, local authorities arrested the so-called bot king. Levashov was arraigned in Connecticut federal court on Friday.
How, exactly, investigators tracked Levashov's movements over that year is not disclosed, but the report notes Peterson's warrant request included information relating to "login IP addresses associated with session times and dates." Geolocating those login IPs against their timestamps could conceivably have revealed when the suspect entered Spain.
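As an added example that is not part of the article or of the court filing, the following Python sketches two of the correlations the affidavit describes: linking accounts that repeatedly authenticate from the same IP address (the "frequent connections to a common IP address" that tied the seized servers to the mail.ru and iCloud accounts), and walking an account's session history in time order to find the first login that geolocates outside the suspect's home country. The login records, account names and the IP-to-country table are all constructed for the example; a real investigation would work from provider records and a real geolocation database.

```python
"""Correlating login records: shared-IP account linking and first-foreign-login
detection. All data below is constructed for illustration (documentation
address ranges, made-up account names); nothing here comes from the case file."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed geolocation table. Real work would use a GeoIP database.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "RU",
    ipaddress.ip_network("203.0.113.0/24"): "ES",
}


def country_for(ip):
    """Map an IP string to a country code via GEO_TABLE, '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


# Constructed login records in the shape a provider might return for
# "login IP addresses associated with session times and dates":
# (account, source IP, ISO-8601 timestamp).
LOGINS = [
    ("severa@forum.example",      "198.51.100.7",  "2016-03-01T10:00:00"),
    ("p.levashov@icloud.example", "198.51.100.7",  "2016-03-01T10:05:00"),
    ("severa@forum.example",      "198.51.100.7",  "2016-03-08T11:20:00"),
    ("p.levashov@icloud.example", "198.51.100.7",  "2016-03-08T11:30:00"),
    ("unrelated@example",         "198.51.100.7",  "2016-03-09T09:00:00"),  # one hit: noise
    ("p.levashov@icloud.example", "198.51.100.42", "2016-06-15T07:00:00"),
    ("p.levashov@icloud.example", "198.51.100.42", "2016-12-20T18:45:00"),
    ("p.levashov@icloud.example", "203.0.113.9",   "2017-04-07T09:12:00"),  # first ES login
    ("p.levashov@icloud.example", "203.0.113.9",   "2017-04-08T21:00:00"),
]


def shared_ip_links(logins, min_hits=2):
    """Return {ip: [accounts]} for every IP used by two or more distinct
    accounts, counting only accounts seen at least min_hits times from that IP.
    The threshold drops one-off coincidences (shared NAT, a single hotel login)."""
    hits = defaultdict(lambda: defaultdict(int))
    for account, ip, _ts in logins:
        hits[ip][account] += 1
    links = {}
    for ip, per_account in hits.items():
        accounts = sorted(a for a, n in per_account.items() if n >= min_hits)
        if len(accounts) >= 2:
            links[ip] = accounts
    return links


def first_foreign_login(logins, account, home_cc):
    """Return (timestamp, country) of the earliest session for `account` whose
    source IP geolocates outside home_cc, or None if every login is domestic.
    Records are sorted by time first so the answer does not depend on input order."""
    sessions = sorted(
        (datetime.fromisoformat(ts), ip) for a, ip, ts in logins if a == account
    )
    for ts, ip in sessions:
        cc = country_for(ip)
        if cc != home_cc:
            return ts.isoformat(), cc
    return None


if __name__ == "__main__":
    print("accounts linked by shared IP:", shared_ip_links(LOGINS))
    print("first login outside RU:",
          first_foreign_login(LOGINS, "p.levashov@icloud.example", "RU"))
```

The shared-IP pass is only as good as its threshold: a single coincident login is weak evidence, which is why the example requires repeated hits per account before it links two identities. The travel check is deliberately naive (a VPN or proxy exit in another country would trip it just as a real trip would), so in practice it is a lead to corroborate against other records, not a conclusion.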
Apple is notably protective of its customers' data, and the company's privacy practices have only become more stringent in light of recent friction with government agencies. The company publishes annual transparency reports detailing government requests for information, and in 2014 released a set of guidelines for such data requests.
Still, Apple does comply with valid search warrants and national security orders, as the Levashov case shows.

Comments
Apple doesn’t protect your damn IP addresses.
1) They probably tracked him by watching his name on airline reservation lists, I doubt he drove to Spain.
2) I always read about these mega-spammers being taken down but never a decrease in the amount of spam I get. Must just be a vicious vacuum that is constantly filled when a void occurs.
The media is all upset that "The Memo" was released, which pointed to how our government spies on Americans, and they felt this was wrong since it may tell our enemies how our spy systems work. But here they are doing the exact same thing. Yeah, I am curious how they caught the guy, but it does not matter how they caught him and no one needs to know how, so they can easily catch the next guy.
This is the same way they caught the guy who was running an online store on the darknet which sold drugs in the US. They tracked his movement based on his IP and the date and time of access.
Edit: I didn't give Apple enough credit for protecting our data. See the link Macgui provided below for the real scoop: https://support.apple.com/en-us/HT202303
Google, Facebook, Amazon & Twitter actually make money by selling your data, and Twitter has been seen abusing its user data. Apple is the last company who wants to see your personal information.
If it's stored ANYWHERE, eventually it can be found!
It makes no difference if this guy was using an iPhone, Android phone, BlackBerry, Mac, Windows computer, etc. They would have found him, as this guy (like all of us on these sites) is constantly engaging with the modern world with credit cards, tech devices, airline travel, high-end vacations, etc. Therefore, he is leaving a digital trail.
No sense getting all upset about it. It's just how it goes. Just about everyone in the world benefits from modern technology -- even folks without electricity and internet. One trade-off is governments can find you if you choose to use mobile technology and the internet. That's why terror groups now use burner phones w/ encrypted chat programs. But even the leaders of these terror organizations now only use couriers.
Oh, and I got one more for you! You are all being tracked by Google no matter if you use an Android device, Chrome Browser, or another search engine. Look up "Browser Fingerprinting."
Deal with it! Or stop using this tech!
It's possible that they want this guy to flip so they can use him to spy on Russia. That way they can use him to see what kind of activity is originating from there to disrupt our infrastructure.