Malicious Life Podcast: Inside Operation Flyhook Part 1 Transcript
Do you ever wonder how different you’d be today if you grew up under a different set of circumstances?
Like, I can imagine, maybe, that I wasn’t born in Israel. So I might not have joined the Navy, which became so integral to the skill set I developed and the kind of man I am today. And, you know, I’m obsessed with history, but maybe I wouldn’t be so into it had I grown up in a less historically significant part of the world. I could’ve gone into a different line of work. Or what if, in another life, I grew up rich, and didn’t have to work at all? Then I could spend all my days doing what I really want to do…
INTRO TO ALEXEY
The year is 1999.
The internet is now in homes around the United States, and the world. Yahoo, Ebay, Amazon–what were just startups a few years earlier are now the hottest companies in the world. Really, any half-baked company with a “.com” at the end is running rampant in the stock market, even if all they do is sell toys or pet food. Whole new industries are popping up, and millions of jobs along with them. Everybody wants in.
The point here is that Alexey knew his stuff. He could’ve qualified for a job at any internet company in the world. But Alexey Ivanov was born into a different set of circumstances than you and I. He was a lot like us in other ways–bright, talented, technical–but, instead of being from America, or Germany, or Japan, Alexey was born in Russia. And not even Moscow, or St. Petersburg, but…
“[Ray] from a little place called Chelyabinsk which is kind of in the middle of nowhere in Russia.”
That’s Ray Pompon, Director of F5 Labs.
“[Ray] It was a little famous for a while because that’s where a meteor landed and it’s caught on film.”
There’s a lot of great footage of it on YouTube: a loud bang, people flying across rooms from the shockwave, building walls and roofs busting open, things flying, and the bright, godlike meteor that looked like God himself was coming down to visit earth. Talk about a cursed place.
“[Ray] it’s kind of like heavily polluted and there was a lot of kind of Soviet missiles, radioactive work there.”
Maybe if you or I grew up there–amid the radioactivity, the pollution, dodging meteors falling from space–we would’ve ended up like Alexey Ivanov and his friends.
“[Ray] these guys are really sharp technically. But they had nowhere to go with this. […] At the time, there was nothing to really do with this in Russia. There wasn’t a big tech industry.”
So what do you do, with all the potential in the world and nowhere to use it?
Alexey first tried what many of us in his position would: getting the hell out of Chelyabinsk. In April, 1999, he started looking for jobs in America. He did so, though, with a little twist. Rather than just applying to jobs one by one, he went to Dice.com–a careers website–and downloaded a database from their servers. “It was easy,” he later recalled. With the raw data, he didn’t have to drudge through job postings one by one. Quote: “I wrote some scripts, and in a few hours I was sending my resume to 5,000 jobs.”
Among those thousands of jobs, he got plenty of replies. But all of them went cold when Alexey revealed that he lived in Russia, had no experience working for American companies, and would need sponsorship to move. You could imagine how demoralizing it would’ve been: knowing he was good enough, yet still having no prospects. What was he to do–a computer whiz with nowhere to productively use his skills?
Perhaps you can tell where this is going.
ALEXEY STARTS HACKING
According to CSO Online, Alexey already had some experience with cybercrime by this point. Not long after graduating from Chelyabinsk Technical State University–one of the better schools in his region–he’d fallen in with a group of hackers who operated a company called “tech.net.ru.” Their specialty was a time-honored classic: stealing credit cards, then using them to buy things online.
“[Ray] they had built this entire bot infrastructure that would create fake accounts on PayPal and eBay and then hold auctions, fake auctions or real auctions with fake people to buy stuff.”
Botnets, credit card laundering, fake identities. The real trick, though, was the shipping process. tech.net.ru would use their stolen cards to order, say, books and CDs from Amazon or Barnes and Noble, and have them shipped to different locations in neighboring Kazakhstan. They’d hire young women to receive the packages, then a member of the company would make the hours-long trip to come pick them up and drive them back home. Then they re-sold the merchandise to stores around Chelyabinsk, which coveted the CDs in particular. (Evidently, much of the supply of commercial CDs in Chelyabinsk was cheap pirated copies from Bulgaria.)
“[Ray] there’s a lot of thought here in this. You know, a lot of enterprise, entrepreneurial thinking.”
Carding was pretty small game. It was much more fun and, usually, more profitable, to hack companies directly. Like, for example, when they targeted a new payment processing startup called PayPal. Alexey was the brains behind that one. It was a three-pronged approach: First, they installed malware onto eBay that collected email addresses associated with customers who used PayPal. Second, they set up their own domain: PayPal.com, but with an uppercase “i” instead of a lowercase “L,” with a homepage that copied the real thing as closely as possible. Next, the hackers emailed those eBay customers, promising a $50 prize they could claim by logging into the mirror site. The customers who fell for it handed their PayPal logins straight to tech.net.ru. Easy as that.
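The lookalike-domain trick just described (an uppercase i standing in for a lowercase L so that the address reads as the real brand) is exactly what a defender’s domain-monitoring check looks for. The Python below is an added example, not code from the podcast or from any of the companies mentioned; the confusable table, the brand list and the sample domains are all constructed. It goes a little beyond the single case in the text: besides the I/l swap it catches digit and Cyrillic substitutions, two-letter sequences that render like one letter (rn for m), and a protected brand embedded in a longer label.

```python
"""Flag domains that visually impersonate a protected brand.

Added illustration (not from the podcast or any named company). The
confusable table, brand list and sample domains below are constructed.
"""
from typing import List, Optional, Tuple

# Single characters that look alike in common fonts (constructed, not exhaustive).
# Applied before lowercasing so that an uppercase "I" is caught as a stand-in
# for lowercase "l", which is the PayPal trick described in the text.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",
    "0": "o", "5": "s", "3": "e", "8": "b",
    "\u0430": "a",  # Cyrillic a
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0435": "e",  # Cyrillic ie
}
# Two-character sequences that read like a single letter.
SEQUENCES = {"rn": "m", "vv": "w"}

PROTECTED_BRANDS = ["paypal", "ebay", "amazon"]  # constructed watch list


def normalize_label(label: str) -> str:
    """Collapse visually similar characters so lookalikes compare equal."""
    s = "".join(CONFUSABLES.get(ch, ch) for ch in label).lower()
    for seq, rep in SEQUENCES.items():
        s = s.replace(seq, rep)
    return s


def registrable_label(domain: str) -> str:
    """'www.paypal.com' -> 'paypal'. Assumes a one-label public suffix;
    a production tool would consult the Public Suffix List instead."""
    parts = domain.strip().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain: str, brands: List[str] = PROTECTED_BRANDS) -> Optional[str]:
    """Return the brand a domain impersonates, or None.
    The genuine brand label itself is never flagged."""
    label = registrable_label(domain)
    if label.lower() in brands:
        return None
    norm = normalize_label(label)
    for brand in brands:
        if norm == brand or edit_distance(norm, brand) <= 1:
            return brand
        # Brand embedded in a longer label, e.g. "paypal-login"; short brand
        # names are skipped here to limit accidental substring hits.
        if len(brand) >= 5 and brand in norm:
            return brand
    return None


def scan(domains: List[str]) -> List[Tuple[str, str]]:
    """Return (domain, impersonated_brand) for every flagged domain."""
    return [(d, b) for d in domains for b in [lookalike_brand(d)] if b]


# Constructed sample input: one genuine domain per brand plus several lookalikes.
SAMPLE_DOMAINS = [
    "www.paypal.com", "PayPaI.com", "paypa1.com", "p\u0430ypal.com",
    "paypal-login.example", "ebay.com", "arnazon.com", "payment.example",
]

if __name__ == "__main__":
    for domain, brand in scan(SAMPLE_DOMAINS):
        print(f"{domain!r} looks like {brand}")
```

DNS is case-insensitive, so `PayPaI.com` and `paypai.com` are the same name on the wire; the deception only works in what a mail client displays, which is why the check normalizes the label as a human would read it rather than as a resolver would.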
It wasn’t quite as lucrative as it sounds, though. As Alexey later said, quote: “We weren’t really malicious. We could have sent it to thousands of people, but we only sent it to 150. We got about 120 passwords. We did that mainly for fun.”
Alexey wasn’t what you’d call a prolific hacker at this point. He was small-time. But that might be because his heart just wasn’t in it. The same year he was hacking PayPal accounts, he was sending out resumes to get a real, honest job in the tech industry. But, as we said, it just wasn’t working out.
It was only at the apex of these two paths: down one, trying to find honest work, and the other, making ends meet through dishonest means, that Alexey Ivanov came up with the idea that earned him a Malicious Life episode. As he told CSO Online, quote: “I thought: ‘Why don’t I convince [companies] about my skills, and in order for me to convince them, I have to demonstrate them.’” End quote.
Alexey’s idea–for how to “demonstrate” his skills to potential employers–was inspired by one of the earliest hacks he’d ever pulled off.
It was December, 1997. He was still a student when he and a friend breached the servers of a local ISP, then downloaded a database of usernames and passwords. The teenagers didn’t do anything nefarious with the data–it was mostly just an exercise in whether they could pull it off. They notified the ISP and, remarkably, their victim offered them jobs. The salary was only about $75 a month, so they turned it down, but it was the seed of something much bigger.
ALEXEY’S HACKER M.O.
“[Ray] it’s kind of like a precursor of what we would see in ransomware where people’s networks get broken into. Stuff would get messed with and then they would get potentially like a blackmail note or a ransom note to say like hey, we got your stuff. Pay us some consulting fees, like $50,000, and we will tell you what we did, we will tell you how to fix it and we will give you back your data.”
A prosecutor for the United States Department of Justice wrote about what it was like to be at the receiving end of one of Alexey’s famous security “consultations.” Here’s the slightly oversimplified account, from “How to be a Digital Forensic Expert Witness.” Quote:
“[L]ate one evening you get a telephone call from your work that something is wrong with the computer network. When you arrive and review the logs, you learn that someone has gained access to your system, grabbed the password file, and FTP’d it to an IP address registered in Russia. You also learn that the intruder probably gained initial access through a still active account that had been assigned to a former employee. Once the intruder elevated his privileges to system administrator, he installed a sniffer to capture user names and passwords. Using an employee account, the intruder gained access to a server that processed credit card transactions of customers, and FTP’d a large file back to Russia.
You remove the sniffer and are in the process of changing all of the user names and passwords on your system when someone contacts you by way of Internet Relay Chat (IRC). “You system securities suck,” the message tells you. The messenger then introduces himself as an expert in computer security living in Russia, and offers to fix the holes in your security for a fee of $5,000 (US). After consulting with management and the company lawyers, you reply to the Russian “expert” that you do not do business with criminals. That night your web server crashes, effectively shutting down the Internet-based portion of your business.”
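The first foothold in the account above is an account that should have been disabled when its owner left, and the first visible symptom is that account logging in months later. A check that a defender could run over authentication logs, as an added example (not code from the book quoted above or from any company involved): it flags successful logins by accounts on an HR offboarding list, and logins by accounts that have been silent for longer than a threshold. The log format, host name, user names, IP addresses and the offboarding list are all constructed.

```python
"""Flag interactive logins by accounts that should no longer be active.

Added illustration, not taken from the book quoted above or from any
company's tooling. Log lines, hostnames, user names, IP addresses and
the offboarding list are all constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# sshd-style "Accepted" lines with an ISO timestamp (constructed format).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed: accounts HR reported as terminated, with the departure date.
OFFBOARDED: Dict[str, datetime] = {"mreed": datetime(1999, 6, 30)}

# Constructed sample log. Only "Accepted" lines matter here; failures are ignored.
SAMPLE_LOG = """\
1999-07-01T01:00:12 web1 sshd[3901]: Accepted password for svc_backup from 192.0.2.20 port 50010 ssh2
1999-10-02T09:12:44 web1 sshd[4011]: Accepted password for jdoe from 192.0.2.10 port 51122 ssh2
1999-10-02T09:15:03 web1 sshd[4015]: Failed password for root from 198.51.100.7 port 40012 ssh2
1999-10-03T23:41:07 web1 sshd[4302]: Accepted password for mreed from 203.0.113.5 port 51200 ssh2
1999-10-04T08:02:19 web1 sshd[4310]: Accepted publickey for jdoe from 192.0.2.10 port 51300 ssh2
1999-12-20T02:17:55 web1 sshd[5120]: Accepted password for svc_backup from 203.0.113.5 port 51999 ssh2
"""


def parse_accepted(log_text: str) -> List[dict]:
    """Extract successful-login events; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "user": m["user"],
                "ip": m["ip"],
                "method": m["method"],
            })
    return events


def find_suspicious_logins(events: List[dict],
                           offboarded: Dict[str, datetime],
                           dormant_days: int = 60) -> List[Tuple[str, dict]]:
    """Return (reason, event) pairs.

    'offboarded': the account belongs to someone who has already left.
    'dormant':    the account's previous successful login was more than
                  dormant_days earlier, i.e. a long-idle account woke up.
    """
    findings = []
    last_seen: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        left = offboarded.get(user)
        if left is not None and ev["ts"] > left:
            findings.append(("offboarded", ev))
        prev = last_seen.get(user)
        if prev is not None and ev["ts"] - prev > timedelta(days=dormant_days):
            findings.append(("dormant", ev))
        last_seen[user] = ev["ts"]
    return findings


if __name__ == "__main__":
    for reason, ev in find_suspicious_logins(parse_accepted(SAMPLE_LOG), OFFBOARDED):
        print(f"{reason:10s} {ev['ts'].isoformat()} {ev['user']} from {ev['ip']}")
```

The dormant rule needs at least one earlier login to compare against, so a never-used account's first login is not flagged by it; pairing the check with the offboarding list covers the case in the quote, where the account was known to belong to a former employee.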
“[Ray] In some cases people didn’t pay. Like more things would get deleted or destroyed and data would go somewhere. But they really didn’t know what was going on.”
Alexey and his friends hit websites, companies, banks.
When he gained root access to the servers of the Online Information Bureau–“OIB”–of Vernon, Connecticut, he was able to steal tens of thousands of credit cards and merchant account information. When the OIB refused to pay a $10,000 fee, he wrote them an email. This is a verbatim reading, quote:
“[n]ow imagine please Somebody hack you network (and not notify you about this), he downloaded Atomic software with more than 300 merchants, transfer money, and after this did ‘rm –rf’ and after this you company be ruined.”
To clarify, “rm -rf” is a Unix/Linux command that deletes a directory and everything beneath it, recursively and without asking for confirmation. Alexey is probably referring to a scenario where a hacker runs ‘rm -rf’ against the root directory, wiping out OIB’s entire system, database included, in an instant.
Anyway, the message continues, quote:
“I don’t want this, and because this I notify you about possible hack in you network, if you want you can hire me and im always check security in you network. What you think about this.”
An ISP and e-commerce company called SpeakEasy experienced something similar. In October ‘99, Alexey gained admin access to their IT systems, most notably the databases where they held credit card information. Afterwards, Alexey emailed the company, recommending they hire him to perform a security review of the systems he’d just hacked. After SpeakEasy refused for two months, the discourse escalated into threats. In the last week of December, SpeakEasy lost access to some of their IT systems.
And so, at the turn of the millennium, Alexey Ivanov was slowly becoming one of the most prolific corporate hackers in the world. To expand his “security reviews” business, he partnered with a more business-oriented hacker–Vasiliy Gorshkov–also from his hometown. Together, their cybersecurity business was becoming more and more sophisticated, and profitable. Their targets couldn’t stop them. Law enforcement couldn’t stop them.
“Invita Security” was a company based in Seattle, near the University of Washington. It was a high-tech, forward thinking network security startup. You’d think, based on that description, that they might have been hired to stop Alexey and Vasiliy. But you’d be exactly wrong. Instead, they were in the market for “security talent,” and liked the look of Alexey’s long, impressive resume. They wanted to hire him.
They reached out to arrange an intro call. Vasiliy was the one who picked up. He spoke the better English of the two.
On the phone, Vasiliy suggested that, rather than a more conventional evaluation process, Invita should let him and Alexey hack into their network. After all, if they could defeat the security company’s own security systems then, surely, it would prove their worth, much more than any job interview could. Invita agreed to the terms. They spent some time preparing for the test and then, in October, challenged the Russians to beat them.
It wasn’t a fair fight. Alexey, with Vasiliy by his side, managed to breach the Invita network in mere minutes. And that was all the evidence Invita needed.
They made the visa and travel arrangements so that Alexey and Vasiliy could come and interview in-person for security analyst/consultant roles. On November 9th, Alexey and Vasiliy said goodbye to their families and, finally, after all this time, headed off to America. They were thrilled, curious, and nervous. On the flight, Alexey ordered drinks to celebrate.
After nearly 48 hours of traveling in all, their plane landed at Seattle-Tacoma International Airport. The Russians stepped off the plane, grabbed their suitcases, and were greeted by some representatives from Invita. Together, the corporate reps and their prospective new hires took the half hour or so drive to the company’s offices. Along the way, Alexey and Vasiliy gazed out the windows at the city that was going to be their new home. One wonders what they were thinking in those moments–two kids who’d never made it far out of Chelyabinsk, let alone to America. They drove past the office buildings housing new technology companies, and the downtown restaurants and shops thriving off the new economy. Maybe their hacking days were over. Maybe, instead of attacking these companies, they could be working for one of them.
After about a half hour’s drive, they arrived at their destination–a shared office building, with rows of little startups tucked away in booths. They walked by their soon-to-be colleagues, towards Invita’s offices.
Or so they thought.
“[Ray] They don’t do things – they don’t do half measures, the FBI. So I was starting to go like, oh, this is a really big thing.”