Malicious Life Podcast: Inside Operation Flyhook Part 2

To capture Alexey Ivanov and his business partner and bring them to justice, the FBI created an elaborate ruse: a fake company named Invita, complete with a fake website and a fake office building. Ray Pompon, a security professional, was brought in as an 'evil security consultant’ to convince Alexey to demonstrate his hacking skills on a pre-arranged honeypot - check it out...

Ray Pompon
About the Guest

Ray Pompon

Director Threat Research at F5 Networks

Ray specializes in matching security requirements to business objectives, identifying technical risks, and ensuring regulatory needs are met. 

With twenty-four years experience in designing and implementing scalable controls, systems and processes to meet business and compliance objectives, Ray builds complex network security designs and implementations with an emphasis on high-availability and security.

ran-levi-headshot
About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason. Subscribe and listen on your favorite platform:

All Posts by Malicious Life Podcast

Malicious Life Podcast: Inside Operation Flyhook Part 2 Transcript

As a reminder, here’s the summary thus far:

In the Spring of 1999, Alexey Ivanov–a talented hacker from a little city in Russia–was applying to work for American companies. But he was also becoming a pretty good hacker on the side, working hustles on eBay and PayPal and cracking into small companies here and there.

By the Fall of 1999, Alexey Ivanov and his business partner, Vasiliy Gorshkov, were breaching American companies. They gained root access to servers, stole sensitive data, then “offered” to help “fix” those systems, for a fee. All the while, Alexey was still sending around his resume, hoping that someone would take a chance on a talented foreigner.

Finally, in the summer of 2000, he got his wish. A security startup called “Invita” was willing to take a chance on two talented Russians with a checkered history. The company invited them to America, for the final step in what would end in a formal job offer.

RAY ENTERS THE STORY

“[Ray] Kind of getting up to the part of the story where the FBI approached us with this mystery they had.”

That’s Ray Pompon, Director of F5 Labs. You heard him in our Part 1 episode. He’s about to become not just a commentator, but a participant in our story. We’ll have to back up a moment, first. 

It was the Fall of 2000 when Ray entered the frame. While Invita was making travel arrangements for their new Russian hires, he was working in Seattle, where the company operated.

“[Ray] So I was a newly minted security professional. I had already been in IT for at least a decade but also a network guy and like recently in the past – the latter ‘90s, I actually transitioned into an actual security in my job title.”

The late ‘90s and early 2000s were a very different kind of era for cybersecurity. As a newly minted security professional, Ray was battling the kind of threats we’d consider cute these days. 

“[Ray] people were still kind of getting used to this internet thing. A lot of cybercrime was in the form of like what we call now vandalism. There were like the ILOVEYOU bug and this kind of worms. It’s just kind of like graffitied across the internet. They didn’t actually steal anything or ransomware or anything like that although there were some – there was some crime going on. There was some low-level phishing kind of here and there and the FBI was still trying to get their hands around this. So we actually did some work with them.”

You’d think that working with the FBI would feel like some kind of James Bond movie. But to Ray, it was more like helping your mom figure out Zoom calls.

“[Ray] They would bring us things like we see this and they would describe some sort of like – a piece of a hack that happened or some sort of phenomenon. [. . .] It’s stuff that’s pretty commonplace now. I mean things that we would call like use of web bugs or web beacons and the use of proxies to relay web traffic. Key loggers, how those – you know, the various kinds of key loggers on public kiosks would work. You know, pivoting within a network once you get in and that kind of stuff.”

it sounds pretty unique at least as compared to today when they might have the technical know-how already within their four walls. Maybe I’m wrong on that.

“[Ray] No, no, you’re – yes. [. . .] I mean at the time, they really didn’t have a lot of technical folks. That would change within a few years. So we worked on a unique point in history.”

Ray became an early member of InfraGard–an organization that connects U.S. businesses with the FBI–and he worked on assignments that the FBI didn’t yet have the resources to prosecute on their own.

But nothing like the one he was about to get into now. For whatever confluence of reasons–the growing threat of cyber attacks, the damage to businesses, the lack of effective law enforcement, whatever–the FBI took a special interest in the hacker Alexey Ivanov.

“[Ray] There was kind of this feeling like, well, they can hack us at will.”

But enough was enough.

“[Ray] the FBI wanted to do this to sort of send a message to say, “We will get you. No matter where you are in the world, the FBI will find you and bring you to justice.””

They came up with a plan.

“[Ray] So the FBI actually sort of created a company, a fake company.”

Their fake company needed to seem real, so they registered it, set up a website and an IT network, booked an office space in a shared office building, and gave it a name: “Invita.”

“[Ray] where the joke was invite a hacker.”

Ah, the FBI. Such classic jokesters.

“[Ray] It was kind of silly.”

Invita was, purportedly, a cybersecurity startup. In fact, its sole purpose was to take advantage of Alexey Ivanov and Vasiliy Gorshkov’s greatest weakness.

“[Ray] They created a sting and said, “We’re going to hire these guys,”.”

It was a devilish trick.

Remember our last episode: before Alexey and Vasiliy started making real money, they were trying to get honest work in America. Even while he was hacking into companies, Alexey was still sending his resume out–sometimes to the very companies he was hacking! It didn’t ingratiate him with his victims, as he’d hoped, but it did provide the FBI with his real name, phone number and home address.

THE BRIEFING

“[Ray] and this was the briefing I was given. They basically said, OK, we’ve got these guys. We’re going to get them to come see us and we’re going to interview them. [. . .] They’re bringing them in over on an aero flight. So we know they won’t have guns. They will be completely unarmed. Like yeah, like hackers are going to be armed. But, you know – so we will know they’re safe and we’re going to be – we will have like agents with them as the job recruiter.”

The Invita representatives who drove them from the airport.

“[Ray] So we will have people with them the whole time. They will land at the airport. We will take them to the office. There will be a whole escort with them that they won’t even see. [. . .] We’re going to have a room. It’s going to be bugged with cameras and stuff and we’re going to interview them and we’re going to try to get them on tape, talking about the hack and talking about their capabilities.”

In order to build a case against Alexey and Vasiliy, the authorities needed proof that these guys really were behind the hacks of Speakeasy, OIB and all those other websites and banks that’d received an unsolicited “security evaluation” in the past two years. To prove that, they needed someone technical enough to talk to the hackers at their level.

“[Ray] But the problem is we’ve got a bunch of agents. We don’t have anybody who’s super technical at security and we need somebody like real world feet on the ground in that room with them, asking them these technical questions and responding in a way that makes sense, so that we can draw this out for them and said, “We want you Ray to pretend to be an evil security consultant that’s hiring these guys.”. I was like, “Well, I can do that. It sounds like fun,””

By the time Ray was briefed, the Russians were already packing their things. No time to waste.

“[Ray] They had brought me in late because of course compartmentalization. So sort of like within a few days, we were actually doing this thing.”

THE DAY OF

As Alexey and Vasiliy approached the West Coast, Ray joined up with the agents.

“[Ray] So I go to the FBI building which is in downtown Seattle and I see a lot of agents getting ready and they’ve got these special flak jacket things. You know, these like bulletproof vests and they have these special coats and they’re like, yeah, these coats, we have these like flaps. So we pull down. It says “FBI”.

So like we can essentially swarm out and like boom, we’re the FBI. It’s like wow, just like in the movies. Then they’re all like – you know, they’re putting on these flak jackets and radios and guns and stuff and I’m like, “Where’s mine?” They’re like, “Oh, don’t worry. You’re fine.” They’re not going to be armed. Then why are you wearing all this stuff? They’re like, “Oh, we just have to. It’s procedure.” I’m like, “OK. Maybe I’m a little more nervous about this than I thought.”

So we bundled up and there were four of us. There was me and another woman Melissa Malen. [. . .] We went onsite to – essentially this was an office and it was a shared office space. So it was one of those things. Kind of like when we have workspaces now where you would rent a room in a big giant cubicle farm. It had four walls and a door but it wasn’t like a separate office. So we went there and then the other two agents actually went to the airport to meet these guys.”

Teams of other agents scattered, out of sight, throughout the premises. The two agents headed for the airport were trailed by another FBI car, and a helicopter, both of which would be tracking Alexey and Vasiliy from the airport to the interview building.

“[Ray] They don’t do things – they don’t do half measures, the FBI. So I was starting to go like, oh, this is a really big thing.

So we go to the office and it’s set up like – well, like the way you think the FBI would set up an office. It was all neat and there were a couple of computers. They were laptops actually and a bunch of software packages and magazines. I remember turning to special agent Malen and going like, “You know, it just doesn’t look like a computer office or a techy office at a startup. It looks like something the FBI would set up. So first of all, we need to get some coffee cups in here.”

So I remember we went out to get coffee and a bunch of extra coffee and just kind of scattered it around the room. I went through and like started flipping through all the manuals and opening packages up and leaving things laying around like pulled open tech magazines and the dog ear pages and things like that, just to make it look lived in and as messy as I knew at the time techies were. They’re probably not any better now.

The only thing that’s probably missing was a bunch of Nerf guns. Yeah. So I helped – we dressed the stage a little bit.”

The room was bugged, but not quite like they do it in the movies.

“[Ray] I hope I’m not giving away any secrets. I hope they change things. But there was essentially a laptop case and if you remember those old big canvass square suitcase-looking bags, that’s what a laptop case looked like back in 2000. The mesh itself had like a little kind of secret one-way mirror kind of thing. But it was just the dark mesh where the lens was inside the bag. So it was essentially a laptop bag laying on the shelf that had a camera in it and then I kid you not. It was like – and this lamp here is a microphone.

It was very get smart. Maybe that’s what they just told me. Maybe there was better stuff going on. But – and I was just like, “Are you sure?” and like, no, no, that’s fine. We know how to do this. This is fine. This will work. I was like, “All right.” “

It would have to do, at least. The time was now.

MEETING THE RUSSIANS

Pompon turned to Malen.

“[Ray] She was like, “All right. They’re here.””

And so it was: Two Russian hackers, posing as ordinary security experts, thinking they were walking into a job interview…  An ordinary security expert posing as their recruiter… An FBI agent posing as his colleague… The magic-shop-quality briefcase on the counter playing cameraman, and all the other agents scattered in cars, helicopters, and other rooms around the site–watching intently, awaiting any wrong move.

You couldn’t script it any better for a movie.

“[Ray] So finally these guys come to the door and the first thing that struck me was, oh my god, they’re young. They are really young. Alexey was 19.”

19 years old. Our whole story–of hacking, theft, and international intelligence operations–for a teenager. Still, a mature teenager, you’d have to say. More football team than computer club: square-headed, dark blonde hair shaved into a military cut, and the kind of big, broad nose that, if you punched it, might hurt you more than it hurt him.

His buddy, Vasiliy, looked more at home at a Seattle tech incubator. A 24 year old, good looking guy: thin, chiseled jawline, five o’clock shadow, short hair already starting to recede.

“[Ray] Alexey was the tech guy and then Vasiliy who was 24 was kind of the biz dev guy. They both were somewhat technical but that’s how it kind of was and Vasiliy spoke more English than Alexey. So he was kind of the guy who talked and talked business. He talked about things and then he would tell Alexey to do things.”

Ray began the “interview.” It didn’t get off on the right foot, though.

“[Ray] They were kind of I would say not hung over from alcohol but probably hung over from the flight. It might have been alcohol too.”

You can’t blame the guys–they’d just spent two whole days in transit. To try and even out, the Russians reached to light up some cigarettes.

“[Ray] That was another thing. It was like oh, yeah, yeah, in America, you don’t smoke inside an office.”

They didn’t like that. At one point, Alexey and Vasiliy excused themselves for a bathroom break, just to go smoke. They weren’t as covert as they thought, of course, with dozens of FBI agents secretly tracking their every move.

THE INTERVIEW

But the toughest part of the interview, for Ray, was that Alexey and Vasiliy just didn’t want to talk about hacking.

“[Ray] So they were actually more interested in showing us the website they were building. They were building this kind of an ecommerce platform and they were like, yeah, look at this, look at this. We want to do this. We want to program this and we got these forums and it was just like yeah, yeah, yeah, tell us about the hacking.”

The whole point of this elaborate operation was to get Alexey and Vasiliy show off their hacking skills. To get them to talk about their adventures, and recreate their methods on a honeypot, that could be cross-referenced with evidence from those past incidents. But hacking was the last thing Alexey and Vasiliy actually wanted to talk about.

“[Ray] I think for them it was like – it was a way for them to kind of like earn money and it was whatever way they could and this was the easiest way but they’re really wanting to get jobs in the tech industry and get a part of what we call the bubble after it burst, the 1.0. You know, because you would see all these cool companies were starting to form.”

And yet, there was more to it than this. All this time, we’ve been talking about Alexey’s search for a job at an American company. But it wasn’t just the glamour and the money that motivated them to get out of their hometown. As Ray listened to them talk, another motive became clear… 

“[Ray] They were afraid of being caught.”

Not caught by the Americans, to be clear, but caught in their own country.

“[Ray] We kind of got the impression meaning like if they were caught in Russia, they would be recruited, which is kind of what we see now.

You know, and they would be kind of forced to work for the state to do their hacking. So they were like – you know, they were trying to stay under the radar of that and that’s why they saw coming to America and getting this job was really like a foothold to bring over more of their friends to do this and to do legitimate work. I mean I honestly think they would do whatever they could to just be successful. [. . .] So I started to feel kind of like, oh, wow, you know, this could have been me if I were living in some country and a place where maybe the rules didn’t matter so much.”

Say what you want about these kids, but you’ve got to empathize with the position they were in. Back in Russia, they were targets of the FSB. Now in America, they were about to be railed by the FBI.

With some prodding, Ray turned the conversation to hacking, and convinced Alexey to demonstrate his skills. With Vasiliy translating, the 19 year-old got to work on what he didn’t realize was a honeypot. The FBI tracked all his logins, all his commands, all his keystrokes, which lined up perfectly with the profile they’d put together from his previous attacks.

He may as well have put the handcuffs on his own wrists.

ARREST

“[Nate] when they left the room, did you guys say cordial goodbyes? Was it dramatic?

[Ray] Yeah. So that was a – it was very undramatic because they – as the FBI explained, they were not going to bust them in front of me. They don’t like to give up their undercover agents because you never know. So what they did is they left the room.”

Alexey and Vasiliy were exhausted. Understandably.

“[Ray] So they’ve been off the flight. They’ve been wired the whole time. You know, went right to this interview. So they’re like, OK, now we’re going to go back to the hotel.”

Alexey and Vasiliy got in the “Invita” car, headed for their accommodations. On the ride, they got to look out at Seattle one last time–at those tall buildings where programmers were building innovative and exciting websites, and engineers were designing new kinds of machines. The kinds of buildings they’d been waiting to work in for years.

But then the car stopped suddenly and, right on schedule, a black van pulled up alongside. I think you know what happens next.

FALLOUT

The Ivanov sting, codenamed “Operation Flyhook,” actually resulted in not two, but three indictments. There was Alexey, and Vasiliy, and a gentleman by the name Michael Schuler. 

Schuler, an agent of the FBI’s Seattle office, was not indicted in the American court system but, rather, by the FSB–the Federal Security Service of Russia. Evidently, Russia wasn’t too happy about American law enforcement spying on two of their citizens, luring them out of the country under false pretenses, and arresting them without mentioning a word about it beforehand.

“[Ray] There was a feeling that, well, we can’t cooperate because then they will just grab them and that would actually have been Alexey and Vasiliy’s kind of nightmare if they would have been caught by the agency. So they didn’t tell them they were doing this.”

It wasn’t just that the FBI took action against Russian citizens without informing Russian law enforcement, though. By keylogging Alexey’s breach into their honeypot, the FBI obtained the credentials Alexey used to communicate with his network back in Chelyabinsk. They used that information to log in and obtain all of the data Alexey had stolen over the years. And then they went one step further–copying all of it, and deleting the originals.

“[Ray] So to the Russians’ eyes, they also hacked and they stole a password and they actually put out a warrant on the agents involved in that case and said, “You have hacked in Russia,” and those agents to this day cannot actually go to Russia because they are considered cybercriminals there.”

CONCLUSION

Ultimately, though, Operation Flyhook was a success. Through guile, and by crossing a few lines, the FBI got their guys. And they became attuned to a critical weak point in their agency–technical computer expertise–that they wouldn’t leave unaddressed much longer.

“[Ray] Soon after that, the FBI started to build their own expertise in this area and now they’re – you know, some of the best in the world work there. [. . .] Now they – I don’t see them really coming into – for someone like me.”

For Ray, Operation Flyhook was a dramatic and borderline life changing chapter in his cyber career.

“[Ray] IAlways consider myself more of a blue collar IT security guy than some super expert. So it was an amazing opportunity to see this and to meet these guys in a context that I don’t think I could ever really be again where they didn’t see me as the enemy or anything. They saw me as somebody they could really kind of talk to. To learn that perspective and see that, that was something that it stayed with me my whole life.”

Both Alexey and Vasiliy were charged with multiple crimes and, ultimately, convicted. Both were ordered sentences of three years in prison and, between them, nearly 1.5 million dollars in restitution.

But then their sentences passed and, guess what? They were still in America.

And remember how, early on, Alexey would auto-send his resume to thousands of companies at once? Then, how he started hacking companies, as if that was going to get him on their good sides? He always did have a funny way of looking for work. This time around he fell for the most elaborate ruse in cybercrime history, and spent three years in prison for it.

And yet, inadvertent as it may have been, this time, it actually worked. By 2005, he was living and holding down a steady job in New England.

It’s all he ever really wanted.