Wednesday, October 22, 2014

Russian Business Network: Within the Shadows


Proposal by Sara Steinmetz
(not taking Module 2)



BACKGROUND
The Russian Business Network (RBN) is a cybercrime organization specializing in identity theft, child pornography, phishing schemes, spamming, denial-of-service attacks, profiteering and malware. The group is thought to be based in St. Petersburg, but has established remote branches around the world to better facilitate international crimes.
Nominally, RBN operates as an internet service provider offering web hosting to others engaged in illegal activities. However, RBN is not a registered company, its domains are linked to anonymous addresses, and its owners are known only by nicknames. According to the Economist, “Every major trojan in the last year links to RBN”.[1]

The Russian government has not supported outside efforts to shut the company down.[2] Groups operating on RBN’s servers are thought to be responsible for over half of all phishing-related schemes.[3] According to the security firm Symantec, RBN "is literally a shelter for all illegal activities, be it child pornography, online scams, piracy or other illicit operations.”
Furthermore, the group is believed to have strong ties to the Russian criminal underground and possibly to the Russian government; RBN's leader and creator, a 24-year-old known as Flyman, is even thought to be the nephew of a powerful and well-connected Russian politician.
It has been asked whether RBN was involved in the recent mass data breaches at companies and retailers such as Target and Home Depot. After a 2014 attack against JPMorgan, the bank’s security team told Bloomberg News that they continue “to investigate the possibility that the hackers may have been aided or at least condoned by the Russian government, possibly as retaliation for U.S.-imposed sanctions.”[4]


IMPORTANT QUESTIONS
How are Russian hackers, particularly those affiliated with the Russian Business Network, recruited? How large are their networks? For whom do they facilitate theft? To whom do they sell stolen data? With what other groups or states do they work? Do they have ties to the Russian government? To what extent? Was RBN responsible for the recent data breach at Home Depot, or for the transmission of the stolen data? Was the attack condoned by Russia?

HYPOTHESIS
The Russian Business Network operates under full knowledge of and with some support from the Russian government and coordinates criminal activities against foreign targets. Some of these attacks may be retaliation for political acts.

DATA

I will need membership data for RBN and other major criminal organizations in Russia, along with information on both high- and low-ranking government officials. Biographical data (home town, school, family name, age, gender) would also help identify attributes that link RBN members and affiliates together, and in turn how the group recruits and trains new hackers or builds ties to other groups.


I will need data on RBN’s communications to determine contacts, both with the government and with other criminal networks. I will also need information regarding RBN’s financials to determine who is paying them for web hosting (which is widely believed to be a front). Digital currencies such as Bitcoin are a likely method of payment for RBN’s services; Bitcoin transactions are recorded in a public ledger rather than encrypted, so what I would need is the ability to link pseudonymous addresses to real-world identities (or access to the relevant data from someone in a position to oversee these transactions, such as an exchange).

I will need to monitor RBN's networks for activity related to the data breaches, such as the attack against Home Depot. I can then track financials to see which organizations are buying or selling the data and analyze RBN’s role. A historical log of chatter leading up to Home Depot would be helpful, as well as data released in the months following the attack. Lacking historical access, it may be necessary to monitor traffic until there is another breach before enough communications and financial transactions have been collected to compare activity before and after an attack.


Finally, it would be interesting to gather data on international condemnation of Russian activities, including speeches against the government, sanctions authorized by the United Nations, etc., to compare whether any of the cyber attacks have occurred shortly following any such public condemnation, thus indicating potential retaliation.

Clearly, the majority of this data would be nearly impossible to obtain. The Russian Business Network has built its working model on its ability to remain hidden and untraceable; it is precisely because we do not have access to this information that they are able to continue to function. It would be interesting to know whether or not the Russian government has some of the membership data in its possession, even though it will not share it. It would, however, be fairly easy to gather information from public sources such as news articles to analyze whether any international activities have preceded or corresponded with known cyber attacks, perhaps linking them as retaliatory attacks.

What will be the most important network measures?

(1) Subgroup and clique analysis will help pinpoint clusters of well-connected hackers, or potentially highlight different factions within RBN and across the Russian criminal underground. Attribute data here will be helpful to determine whether there are common links bringing the hackers together (hometown, school?).
(2) Centrality measures such as eigenvector centrality will be useful for identifying leaders within and across the networks. Can the groups be shut down more efficiently by targeting these identified leaders?
(3) Distance may allow us to gauge which groups operate with each other or through one another. This could be a particularly useful measure if attacks are routed through multiple networks or organizations in an effort to obscure their origins.
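To make the three measures concrete, here is an added example (not part of the original proposal, and not drawn from any real RBN data) that computes them in pure Python over a constructed, hypothetical communication graph: a tight faction of four ("a1"–"a4"), a faction of three ("b1"–"b3"), a single "broker" who talks to both, and a low-degree "peripheral" contact. All node names and edges are invented for illustration.

```python
"""Toy SNA: cliques, eigenvector centrality and distance on a constructed graph.

Added example; the graph below is hypothetical (labels only, no real actors).
"""
from collections import deque
from typing import Dict, FrozenSet, List, Set

Graph = Dict[str, Set[str]]

# Constructed edge list (assumption for illustration): "a*" is a 4-clique,
# "b*" a 3-clique, "broker" bridges them, "peripheral" hangs off b3.
EDGES = [
    ("a1", "a2"), ("a1", "a3"), ("a1", "a4"), ("a2", "a3"), ("a2", "a4"), ("a3", "a4"),
    ("b1", "b2"), ("b1", "b3"), ("b2", "b3"),
    ("a1", "broker"), ("a2", "broker"), ("b1", "broker"), ("b2", "broker"),
    ("b3", "peripheral"),
]


def build_graph(edges) -> Graph:
    """Undirected adjacency sets from an edge list."""
    g: Graph = {}
    for u, v in edges:
        g.setdefault(u, set()).add(v)
        g.setdefault(v, set()).add(u)
    return g


def eigenvector_centrality(g: Graph, iterations: int = 500, tol: float = 1e-12) -> Dict[str, float]:
    """Power iteration on the adjacency matrix; scores scaled so the max is 1.0."""
    score = {n: 1.0 for n in g}
    for _ in range(iterations):
        new = {n: sum(score[m] for m in g[n]) for n in g}
        norm = max(new.values())
        new = {n: v / norm for n, v in new.items()}
        delta = max(abs(new[n] - score[n]) for n in g)
        score = new
        if delta < tol:
            break
    return score


def maximal_cliques(g: Graph, min_size: int = 3) -> List[List[str]]:
    """Bron-Kerbosch with pivoting; maximal cliques with at least min_size nodes."""
    found: List[FrozenSet[str]] = []

    def expand(r: Set[str], p: Set[str], x: Set[str]) -> None:
        if not p and not x:
            found.append(frozenset(r))
            return
        pivot = max(p | x, key=lambda n: len(g[n] & p))
        for v in list(p - g[pivot]):
            expand(r | {v}, p & g[v], x & g[v])
            p = p - {v}
            x = x | {v}

    expand(set(), set(g), set())
    return sorted(sorted(c) for c in found if len(c) >= min_size)


def distances_from(g: Graph, source: str) -> Dict[str, int]:
    """Breadth-first shortest-path lengths (hops) from source."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in g[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def cut_vertices(g: Graph) -> List[str]:
    """Nodes whose removal splits the graph (brute force is fine at this scale)."""
    def components(h: Graph) -> int:
        seen: Set[str] = set()
        count = 0
        for start in h:
            if start not in seen:
                count += 1
                seen.update(distances_from(h, start))
        return count

    base = components(g)
    result = [n for n in g
              if components({u: nb - {n} for u, nb in g.items() if u != n}) > base]
    return sorted(result)


def analyse(edges=EDGES) -> dict:
    """Run all three measures and return a summary for inspection or testing."""
    g = build_graph(edges)
    cent = eigenvector_centrality(g)
    return {
        "centrality": cent,
        "top": max(cent, key=cent.get),          # highest eigenvector centrality
        "cliques": maximal_cliques(g),           # candidate factions
        "hops_a3_to_b3": distances_from(g, "a3")["b3"],
        "cut_vertices": cut_vertices(g),         # single points of contact
    }


if __name__ == "__main__":
    summary = analyse()
    for node, value in sorted(summary["centrality"].items(), key=lambda kv: -kv[1]):
        print(f"{node:11s} {value:.3f}")
    print("cliques:", summary["cliques"])
    print("a3 -> b3 hops:", summary["hops_a3_to_b3"])
    print("cut vertices:", summary["cut_vertices"])
```

Two things the toy graph shows that the list above only states: eigenvector centrality ranks the core of the larger faction (a1/a2) above the broker, yet the broker, not the top-ranked node, is the cut vertex whose removal separates the two factions, so "target the leaders" and "cut the groups off from each other" can point at different people; and the broker appears in a maximal clique with each faction, which is exactly the "operating through one another" pattern that distance measures would then quantify (a3 reaches b3 only in four hops, all through the broker).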

What will the SNA help you do (e.g. refocus or narrow field of research, identify interviewees, lead to organizational change?)

The SNA will help governments and policy makers identify the sources of massive data breaches and identity theft occurring internationally, and particularly in the United States, and allow them to better combat and ideally shut down these networks to impede future attacks. If it is shown that the attacks have been state-sponsored or have occurred with state knowledge, it may be possible to encourage the international community to retaliate against the sponsoring state (e.g. Russia).



[1] http://www.economist.com/node/9723768
[2] http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html
[3] http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html

1 comment:

Peter said...

Really well done. This is a project that naturally lends itself to an SNA, and you've identified the key network and attribute data you would need to collect for such an analysis. You also successfully delineate the network measures that would answer your important questions. You would still need an overarching question that encapsulates your questions as they are written, but definitely a well-thought-out project here.