Suspected Andromeda botnet ringleader arrested
- 06 December, 2017 11:21
One of Eastern Europe’s most prolific cyber criminals has been arrested in a joint operation involving Belarus, Germany and the United States that aimed to dismantle a vast computer network used to carry out financial scams, officials have said.
National police in Belarus, working with the US Federal Bureau of Investigation, said they had arrested a citizen of Belarus on suspicion of selling malicious software who they described as administrator of the Andromeda network.
Andromeda is made up of a collection of botnets, or groups of computers that have been infected with viruses to allow hackers to control them remotely without the knowledge of their owners. These networks were in turn leased to other criminals to mount malware or phishing attacks and other online scams.
Swedish-American cyber security firm Recorded Future said they have “a high degree of certainty” that the arrested Belarussian is “Ar3s”, a prominent hacker in the Russian speaking cybercrime underground since 2004, who the firm has identified as the creator of the Andromeda botnet, among other hacking tools.
“Andromeda was one of the oldest malwares on the market,” said Jan Op Gen Oorths a spokesman for Europol, the European Union’s law enforcement agency. It estimated the malicious software infected more than one million computers worldwide every month, on average, dating back to at least 2011.
Although authorities in Belarus declined to name the suspected hacker and Europol and the FBI declined to comment, the firm Recorded Future identified Ar3s as Sergei Yarets, a 33-year-old man living in Rechitsa, near Gomel, the second largest city in Belarus.
Yarets could not be reached by phone or social media.
Yarets is identified on LinkedIn as technical director of OJSC “Televid”, a television broadcaster in southeastern Belarus.
A colleague at the company said Yarets had been arrested but declined to comment further.
A source at a government agency involved in the investigation said that the arrested hacker behind Andromeda was Yarets.
The Belarus Ministry of Internal Affairs in Minsk said officers had seized equipment from the hacker’s offices and he was cooperating with the investigation.
Information about the operation has been gradually released by Europol, the FBI and Belarus’s Investigative Committee over the past two days. No further arrests have been reported.
Cyber crime wholesaler
The shutdown of the Andromeda botnet, announced on 4 December, was engineered by a taskforce coordinated by Europol which included several European law enforcement agencies, the FBI, the German Federal Office for Information Security and agencies from Australia, Belarus, Canada, Montenegro, Singapore and Taiwan.
The police operation, which involved help from Microsoft and ESET, a Slovakian cyber security firm, was significant both for the number of computers infected worldwidew and because Andromeda had been used over a number of years to distribute scores of new viruses.
Belarus authorities said the man they arrested charged other criminals US$500 for each copy of Andromeda he sold to mount online attacks, and US$10 for subsequent software updates.
Microsoft said Andromeda charged US$150 for a keylogger to copy keystrokes to steal user names and passwords. And for US$250, it offered modules to steal data from forms submitted by web browsers, or the capacity to spy on victims using remote control software from German firm Teamviewer.
German authorities, working with Microsoft, had taken control of the bulk of the network, so that information sent from infected computers was rerouted to safe police servers instead, a process known as “sinkholing.”
Information was sent to the sinkhole from more than two million unique internet addresses in the first 48 hours after the operation began on 29 November, Europol said.
Owners of infected computers are unlikely to even know or take action. More than 55 per cent of computers found to be infected in a previous operation a year ago are still infected, Europol said.
(Reporting by Toby Sterling and Eric Auchard; Additional reporting by Andrei Makhovsky in Minsk, Jamillah Knowles in London and Mark Hosenball in Washington; Editing by Keith Weir, Angus MacSwan and Grant McCool)