The US Justice Department has said it is working to dismantle the sprawling Kelihos botnet, a global network of tens of thousands of infected computers that every year sent millions of spam emails, harvested users' login credentials and installed various malicious software. The Russian computer programmer allegedly in control of the massive botnet, Pyotr Levashov, was arrested in Spain over the weekend.
The Justice Department said Levashov had controlled the botnet, which targeted computers running the Microsoft Windows operating system, since approximately 2010. US court documents made public on Monday (10 April) described the 36-year-old as "one of the world's most notorious criminal spammers".
"The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent emails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks," Acting Assistant Attorney General of the Justice Department's criminal division Kenneth Blanco said in a statement.
"The ability of botnets like Kelihos to be weaponised quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives."
Russian government-backed broadcaster RT reported Levashov was detained in Spain on a US warrant and quoted his wife, Maria Levashov, as saying he was being linked to the recent US election hacking attacks. Last year, Washington accused Moscow of attempting to meddle in the US election via cyberattacks. Earlier this year, US intelligence agencies accused President Vladimir Putin of orchestrating an "influence campaign" to hurt Hillary Clinton's bid for the White House and help Donald Trump win the presidency. The Kremlin has continued to dismiss the allegations.
A Justice Department official told Reuters that Levashov's arrest was a criminal matter and the action against the botnet was not related to the election.
Officials said the Kelihos botnet collected user credentials by intercepting network traffic and scouring infected computers for usernames and passwords. The stolen data was then used to further Levashov's spamming operation that was advertised on multiple online criminal forums.
Levashov was also known to rent out the massive network of infected computers to other online criminals.
At times the botnet swelled to more than 100,000 infected computers and was used to carry out various spam attacks including advertising counterfeit drugs, "pump-and-dump" stock fraud schemes, work-at-home scams and other fraudulent activity. It also injected various malicious software onto victims' computers such as ransomware and malware to intercept users' bank account details and passwords.
Cybersecurity experts say Levashov also went by the aliases Peter Severa and Peter of the North. KrebsOnSecurity reports that "there is ample evidence" that he is also the cybercriminal behind the Waledac spam botnet.
In 2009, Levashov was charged with operating the notorious "Storm" botnet, Kelihos' predecessor. According to anti-spam organisation Spamhaus, Levashov is listed as one of the World's Ten Worst Spammers and "one of the longest operating criminal spam-lords on the internet" at No 6.
To liberate "victim computers", US authorities obtained court orders authorising measures to neutralise the botnet: establishing substitute servers to receive the automated requests that the criminal botnet operator would otherwise have answered, and blocking any further commands attempting to regain control of these computers.
US authorities said they worked with security firm Crowdstrike and The Shadowserver Foundation to analyse the evolving malware code. The operation to take down the Kelihos botnet used a recent judicial change that allows the FBI to obtain a single search warrant to remotely access computers or devices in multiple districts at once.
A Justice Department official said the warrant was used as a legal precaution. The official noted that Kelihos-infected computers were not infiltrated by investigators but were redirected to a substitute server, known as a "sinkhole", to cut off the connection between the compromised devices and the botnet operator.
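The sinkhole model described above, as an added illustration that is not code from the Justice Department, CrowdStrike or Shadowserver: infected hosts keep checking in, the substitute server records them so network owners can be notified, and it answers every check-in with the same no-op so that no command ever reaches a bot. The beacon format (`bot_id|src_ip|action`) and the sample traffic are constructed placeholders, not Kelihos's real protocol.

```python
# Added illustration of a C2 sinkhole: observe infected hosts, never control them.
# The "bot_id|src_ip|action" beacon format is a constructed placeholder, not the
# real Kelihos protocol.
from collections import defaultdict
from datetime import datetime, timezone

NOOP_REPLY = {"cmd": "idle", "tasks": []}   # the only reply a sinkhole ever sends


class Sinkhole:
    """Stand-in for the substitute server: record check-ins, relay nothing."""

    def __init__(self):
        self.seen = {}             # bot_id -> (src_ip, last_seen)
        self.dropped_commands = 0  # attempts to push instructions we refused

    def handle_beacon(self, raw_beacon, now=None):
        """Parse one 'bot_id|src_ip|action' beacon and answer with the no-op."""
        now = now or datetime.now(timezone.utc)
        bot_id, src_ip, action = raw_beacon.strip().split("|", 2)
        if action in ("checkin", "poll"):
            # An infected host asking for work: note it for victim notification.
            self.seen[bot_id] = (src_ip, now)
        else:
            # Anything trying to push new instructions is counted and ignored;
            # there is no code path here that forwards it to other bots.
            self.dropped_commands += 1
        return dict(NOOP_REPLY)

    def victim_report(self):
        """Group infected hosts by /24 so each network owner can be notified."""
        by_prefix = defaultdict(set)
        for src_ip, _ in self.seen.values():
            prefix = ".".join(src_ip.split(".")[:3]) + ".0/24"
            by_prefix[prefix].add(src_ip)
        return {p: sorted(ips) for p, ips in sorted(by_prefix.items())}


# Constructed sample traffic (documentation addresses, not real Kelihos beacons)
SAMPLE_BEACONS = [
    "bot-a1|198.51.100.7|checkin",
    "bot-b2|198.51.100.9|poll",
    "bot-a1|198.51.100.7|poll",
    "op-1|203.0.113.5|push",      # operator trying to regain control
]


def run_sample():
    sink = Sinkhole()
    replies = [sink.handle_beacon(b) for b in SAMPLE_BEACONS]
    return sink, replies
```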