Cyber True Crime: The Affiliate Part 3
Welcome back to Part 3 of the cyber true crime series The Affiliate. In Parts 1 and 2 we went over how a ransomware gang typically operates, how an organization finds out they have been the target of a NetWalker ransomware attack and how one becomes involved in the criminal organization. In this installment, you’ll learn how an international server works and how the Affiliate used them.
To read Part 1, click here.
To read Part 2, click here.
How to be Anonymous
If someone is trying to commit a crime, one of their top priorities – if not their #1 priority – should be not getting caught. This is why someone would use an international server, as it would look like they were committing illegal activities in another country. Whatever you search on the Internet is done through a server that tracks and logs this history. That’s why if it’s suspected that you’ve committed a crime, the authorities may contact your Internet service provider and seize your electronic devices to check what exactly you’ve been up to.
So, what are the benefits of using an international server? For one thing, they are fairly easy to get. A simple online search provides multiple options for folks who hope to shield their online actions from scrutiny. Two of the top reasons someone would want to use an international server are to protect their anonymity and avoid censorships that may exist where they currently reside. They would be looking for countries that have strong regulations around privacy and feature liberal views towards policies. It would also be a good idea to research the country you hope to use for your international server’s treaties with your country of residence, for example (we’ll return to this one in a little bit).
If the goal is to be invisible on the internet, the Affiliate did a pretty good job at covering his tracks. First, as we covered in Part 2, by communicating to targeted organizations through a Tor Panel, it should have been difficult for authorities to track his Internet activity. The fact that NetWalker members also didn’t use their real names, but used a User ID, made it even more challenging to track their identity. However, the Affiliate made a fatal mistake that helped authorities track him down.
Hiding Behind an International Server
As the FBI became aware of Vachon Desjardins’ criminal activity, surveillance was conducted against the first international server they believed to be in his possession. This server was found to contain “an abundance of hacking tools, including those to preform reconnaissance, elevate privileges and steal information from a computer or network.” The server also contained what is known as a “build” – folders containing customized ransomware packages to be deployed on targeted organizations. Through their investigation, the FBI found that each folder or “build” contained “all the tools necessary to execute a ransomware attack” that could link the Affiliate to the targeted organizations we’ll be analyzing in Part 4. FBI investigators found 12 builds on the first server alone.
However, this wasn’t the only server the Affiliate was using. FBI investigators discovered a second international server through fake email addresses that tied him to the server. It’s through the web history of this server that investigators found NetWalker User ID 128 (or the Affiliate) had registered on the NetWalker forum discussed in Part 2.
Through their investigation, the FBI determined that both international servers 1 and 2 resolved to a telecommunications provider in Poland and are referred to as Poland Server #1 and Poland Server #2 respectfully. And this is where the Affiliate made his first mistake. Because of the Mutual Legal Assistance Treaty that exists between Poland and the United States, the FBI were able to ask for official copies of these servers and Polish officials provided these copies in September of 2020. A Mutual Legal Assistance Treaty is an agreement between two or more countries which states that the countries involved will cooperate, share and exchange information with the mutual goal of justice in mind. Not something you’d want if you were committing cyber crimes and trying to cover your tracks.
Once the FBI had access to Poland Server #1 and Poland Server #2, they conducted a forensic analysis on both servers. It would seem, based on the evidence compiled by the FBI, that the Affiliate had attempted to wipe the contents of Poland Server #1 - unfortunately they forgot to empty the recycle bin. The recycle bin for Poland Server #1 contained data that could link the accused to the attacks conducted against 3 of the 5 targeted organizations we’ll discuss in Part 4.
As the FBI continued their investigation into the NetWalker Tor Panel and NetWalker Blog, they were able to locate a third international server hosting this data in Bulgaria, referred to as the Bulgaria Server. And this is where the Affiliate made another mistake. Bulgaria also has a Mutual Legal Assistance Treaty with the United States, meaning that FBI investigators were able to receive a copy of the Bulgaria Server in September of 2020. They found that the Affiliate used this server to populate the NetWalker Tor Panel and Blog.
The Bulgaria Server became an indispensable resource for uncovering the extent of the Affiliate’s involvement with the NetWalker Tor Panel and Blog. An FBI forensic analyst found that the Bulgaria Server “appears to be the backend server” to both the Tor Panel and Blog. A backend server typically contains “all raw information that is used to run a website,” meaning that the Affiliate likely played an important role in the running of both.
The Bulgaria Server had detailed information relating to the NetWalker Blog, such as when the blog entries were created and close to 500 screenshots of sensitive information that had been stolen from targeted organizations. Through their investigation, the FBI concluded that 302 of those screenshots could be tied to the Affiliate through the metadata of those screenshots, and that he was the author or creator of 73. According to an unsealed FBI document, “metadata can include the date when a file was created, modified, the identity of the user who created, modified, or accessed the file, the location where the file was created and other information.” Unfortunately, not all files contain all possible forms of metadata and it can be deleted either partially or in full.
Stay tuned for Part 4 where we’ll go over the 5 organizations that were targeted by NetWalker Ransomware and how they are tied to the Affiliate.
The More you know
Understanding what motivates criminals, who they are and how they work is a vital part of building a more resilient organization. It helps make cybersecurity more real for everyday people and helps individuals and organizations develop plans to better protect themselves from cyber threats. Please consider sharing this series to help more people understand 21st-century crime and how to protect themselves.