Note that the headline is a question and the article doesn't describe how he was found.
I'd guess that it was as a result of tracing and following the money from information retrieved after the LockBit infrastructure was compromised earlier in the year:
https://www.theguardian.com/technology/2024/feb/20/uk-and-fb...
It's likely that UKUSA intelligence assets in Eastern Europe were able to draw a bead on him as the result of increased attention paid to the region over the last two years, and the fact that he's been really successful at making himself known to Western cybersecurity professionals.
That being said, sanctions and polite extradition requests have to have the Russians laughing at this point. These people are waging warfare against critical infrastructure in the US and its allied nations. It's time we take actions that can be counted on to discourage the technically-gifted in Russia from hacking for their government.
I don't think a drone attack is necessarily the ideal solution but a "civilian" that shuts down a hospital is a terrorist if they did it on their own and an enemy combatant if they got help from their state.
The American Heritage dictionary defines terrorism as:
> The use of violence or the threat of violence, especially against civilians, in the pursuit of political goals.
The FBI has two definitions:
> International terrorism: Violent, criminal acts committed by individuals and/or groups who are inspired by, or associated with, designated foreign terrorist organizations or nations (state-sponsored).
> Domestic terrorism: Violent, criminal acts committed by individuals and/or groups to further ideological goals stemming from domestic influences, such as those of a political, religious, social, racial, or environmental nature.
Where's the pursuit of an ideological goal? These guys are ransomwaring whoever has money and bad security, right? Seems like equal opportunity extortion, rather than terrorism to me.
I don't see how that would make me feel like it was terrorism?
Terrorism isn't just things I don't like. If a group is ransoming whatever IT systems they can, for the purposes of gaining money, it just doesn't feel like terrorism to me. Unless there's some evidence otherwise, it's just extortion.
I don't like extortion, and if I suffered acute harm due to extortion, I'd be more upset, but I still wouldn't try to claim extortion is terrorism.
It's different if the ransomers are demanding that the invasion of Musicland by Bookland be stopped, and targeting infrastructure as a way to get their message out, and using ransoms to help the plight of the Musicians.
> I don't like extortion, and if I suffered acute harm due to extortion, I'd be more upset, but I still wouldn't try to claim extortion is terrorism.
That makes you an outlier.
IANAL, but in a number of jurisdictions under common law (including the United States), when a person is killed - in this example, a patient dying because of EMR corruption/unavailability - in the commission of another crime - extortion - it is considered murder under the felony murder doctrine[0].
Now, again, IANAL and the minds of judges and jurors are fickle, but it seems to me if you could prove a relationship between "Guy in Russia locks a Cerner Millennium or Epic Systems database" and "Patient who was in the hospital died because information in database could not be accessed", you could possibly convict them of murder even though they only wanted money out of it, because you could potentially convince the court that as a hacker, the person in Russia should have known that this would necessarily bring about the risk of patient harm. After all, isn't that what makes the EMR worth encrypting to them?
It's also worth noting that terrorist organizations routinely take people hostage to extract ransoms that then get used to finance their operations. The fact that the terrorist organization in this case is likely to be the Russian SVR is immaterial. They are a government under a ton of sanctions and are looking to replenish funds however they can. Cryptocurrency is incredibly useful if you're looking to evade international sanctions.
Sure, it could be murder, that still doesn't make it terrorism. Extortion leading to murder isn't terrorism. If it's coming at the direction or for the benefit of Russia, perhaps it could be espionage or sabotage, but I still don't think it's terrorism. IMHO, Russia is waging a war of aggression / conquest, quite possibly outside the rules of war and international law, but that doesn't really feel like terrorism either.
Offtopic, I also kind of wonder when it becomes murder for the health systems to not protect their IT, but I'm not trying to deflect; that's a question for some other thread.
I'm not familiar with all the laws against terrorism, but let's go with this one [1]?
It's not international terrorism (1), because it meets clause A, but not B or C.
It's not domestic terrorism (5), because it meets clause A and C, but not B.
Clause B is the same for both:
> B) appear to be intended—
(i) to intimidate or coerce a civilian population;
(ii) to influence the policy of a government by intimidation or coercion; or
(iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping;
Ransomware doesn't appear to be intended to do any of those things to me.
Do you have a reference that says this is terrorism?
The thing is you start out with knowing what this person did and you reason from that if it is ok to kill him.
But if you whack him, what the international public would see is an American missile in a smouldering crater in some civilian suburb. That is an act of war. And not the shadowy kind which is already happening. That forces the Russians to also react in kind (otherwise they look weak).
The Russians would also work hard to spread misinformation about what you did. They would say you got the wrong person, or that you got innocent bystanders. Probably both. They would also say it was an extrajudicial killing where the executive played judge, jury, and executioner in one. And you know what? They would be right.
And even if everyone agrees that you got the right person, and he was a bad one, and there was no collateral damage in your initial attack, it can still lead to innocent deaths. Let me tell you about Ukraine International Airlines Flight 752 [1]. What happened is that the US assassinated Major General Qasem Soleimani. Undeniably a military target. Arguably a bad one. Iran in retaliation lobbed some ballistic missiles at a US base. Due to luck nobody died there. All is well, isn’t it? No, not really. The Iranian air defence following their retaliation was understandably on full alert. Somebody panicked and mistook a civilian airliner for an incoming American cruise missile and shot it down. 176 innocent civilians are now dead. It is a tragedy.
Did the US kill those 176 civilians? No they didn’t. The proximal fault lies with the panicking Iranian air defences. But these are the kind of forces you are playing with when you are talking about drone assassinating randoms.
Framing ransomware attacks on hospitals as a "facet of life" is a deeply ridiculous statement. You can oppose drone strikes without saying absurd things.
Precisely. They're attacking hospitals. If you're operating a systematic campaign to cause misery, injury, or death to civilians in either war or peacetime, that's a crime against humanity[0]. I'd say locking up the data of a hospital, impeding their ability to treat innocent civilians, counts.
What'd we do with people who committed those crimes during WWII in the name of an expansionist, ultra-nationalist regime?
My guess is that many of these attackers work at least in cooperation with the Russian government.
It would certainly serve their strategic interests and would align with the Russian Federation’s status as a mafia state. Use criminals to hack opposing countries’ computers, degrading their society. Then, use a cut of the ransom paid to ease the blow of sanctions. In exchange the government gives you more resources to continue your work and provides cover against international law enforcement efforts to stop you.
If those “civilians” would like to avoid Western reprisals for attacking digital infrastructure (particularly the infrastructure that innocent patients need to receive treatment at hospitals), they should cease immediately. Otherwise I have absolutely no problem with handling them like we did Nazis after WWII: hunting them down wherever they are and punishing them for their crimes.
It seems pretty obviously untenable from a "is a big escalation" perspective, especially with a nuclear power. Like neither practical and probably not moral. But especially not practical given that other similar suppliers are Chinese or Israeli firms.
We have a not-quite ally fighting a war; I'm sure they will take a donation of 10 missiles and one will go off course from a nearby military target [wink wink] and hit this address for us.
If it's the Ukrainian military doing the launching and the targets are KGB/FSB or otherwise aiding the Russian government, that's not a war crime. It's hitting a legitimate military target.
But please feel free to snark on the US military; I know that's cheap karma around here.
No, targeting opposing warfighters (the hackers are certainly such) is not a war crime, even if they attempt to hide among civilian populations. Nor is lying about the specifics of your targeting.
If bombing a hacker's house isn't a war crime, is a Russian missile hitting a mall in LA, because a colonel working in logistics took his kids shopping there also kosher, or..?
I assume the triumphant press release would be something like 'a number of confirmed enemy fighters killed'.
It's always interesting to see warhawks (who have never been the victims of war) do their best to expand the list of who they consider acceptable enemy targets, with no regard to what this means to them, domestically.
> Russian missile hitting a mall in LA, because a colonel working in logistics took his kids shopping there also kosher
No, because it violates "Proportionality". In this definition, even the very anti-war ICRC admits that it is sometimes necessary to kill civilians to achieve military objectives. https://casebook.icrc.org/highlight/targeting-under-internat... - The law they cite is "expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated".
Where you draw the line is to be litigated. Is destroying the entire apartment block to get a single hacker justified? Probably not. A single-residence home, even if his wife and kids are there? If they're an important enough military target, for sure.
It seems pretty obvious that America is playing by the rule of "We have the power, so you're going to do what we say" when it comes to these scenarios. I find it hard to imagine, for example, an assassination on an American official of rank similar to Qasem Soleimani would result in nearly as timid of a response as Iran gave.
> The Act authorizes the president of the United States to use "all means necessary and appropriate to bring about the release of any U.S. or allied personnel being detained or imprisoned by, on behalf of, or at the request of the International Criminal Court".
> This authorization led to the act being colloquially nicknamed "The Hague Invasion Act", as the act allows the president to order U.S. military action, such as an invasion of the Netherlands, where The Hague is located, to protect American officials and military personnel from prosecution or rescue them from custody.
I don't see how your comment contradicts the statement "The US generally will extradite if your justice system isn't corrupt. There are exceptions, but everyone has them."
The fact that there is a US law to prevent US service members specifically from being detained by the ICC specifically, has little bearing on the statement that "The US generally will extradite".
These are the most meaningful exemptions. Sure, it'll extradite petty criminals, but it absolutely won't extradite politically useful[1] criminals, and will absolutely not allow the latter to have a fair trial.
If that's acceptable and civilized behavior, I don't see why you can complain that Russia won't extradite a politically useful[1] criminal.
[1] In the sense that their crimes are furthering the state's geopolitical agenda.
That's a reasonable argument. I think that the response that comes next is "the Russian geopolitical agenda is bad", but that's a separate topic - I think you've convinced me on this point.
I don't understand how a hacker that's targeting US infrastructure would be considered an "opposing warfighter" in the context of the Russia-Ukraine war?
Please go into detail about how this would be implemented, with particular attention to what could go wrong at each stage of the process and what the consequences would be, especially consequences originating from stakeholders who possess nuclear weapons and whose territory you are proposing to exert military force against, and compare the difficulty and expense of implementation in terms of expected value to the magnitude of what might be gained by a successful operation of this kind.
Yes, I mean "you clearly did not think about this and your idea is very, very, very bad."
I seem to have forgotten the part where the US is at war with Russia. Pray tell, what day was it declared? Should I be running for my crazy prepper bunker?
But I'm glad that you mentioned the proxy war that is being fought right now, that's one example of how you can respond to a country's bad behavior without actually starting a war with it. There are many others.
"appeasing brutes like russia has a long history of not working" is a true statement that, in this context, does not do any of the work one would like a true statement to do, but it does do much of the work that one would like a statement to do if one were behaving with malice and dishonesty. It collapses the critique it's replying to into an inaccurate summary ("all of the things you said amount to 'appeasing Russia'") and uses a weighted, emotionally loaded verb to do so ("appeasing"). What this response actually says is "all of the problems that sedev pointed out are irrelevant because Russia is bad," and I am not surprised that you didn't say that out loud because when it's said directly, it's obviously wrong.
There are a large number of options. Doing nothing is not a valid option. Given that Russia and Ukraine are already at war, all attacks are on the table, and so Ukraine should be considering this as a message. (It may not be the best use of Ukraine's limited stock of missiles, but the serious threat that Ukraine is looking into it usefully forces Russia to move their defense to defend against this attack.)
Every time there is an article from krebsonsecurity I wonder what is - if any - Brian Krebs' opsec in real life. I mean, I guess that messing with these kinds of cybercriminals can actually lead to retaliation/vengeance IRL, no?
Click Here podcast - 129. LockbitSupp tells us: UK and US have got the wrong guy
"In an interview, LockbitSupp, head of the Lockbit cybercrime operation, told us that the U.S., U.K. and Australia have the wrong guy — he’s not Dmitry Khoroshev, the 31-year-old Russian national they’ve charged with hacking. What’s more, he says more attacks are coming."
Reading articles by Brian always shows me how much information is "out there". Sure, this is cyber security / dark web we are talking about, but there are companies hoarding gigabytes of data that was released or leaked at some point. In this case sure, that is nice, but it just always makes me wonder about the future and how open and public everything is.
>Financial sanctions levied against Khoroshev by the U.S. Department of the Treasury listed his known email and street address (in Voronezh, in southwest Russia), passport number, and even his tax ID number (hello, Russian tax authorities).
Laughable. The only RU Govt related outcome for him will be recruitment to RU cyber warfare (if he isn't there already) in exchange for keeping his profits.
Now his identity being this public, I don't think he will be able to live a "normal" life anymore. If recruited in exchange for protection, he will need to relocate and get a new identity at a minimum.
What a great opportunity for old school criminals not afraid of using violence to try getting their fair share of the profits.
If by normal you mean constant monitoring by multiple intelligence services and free only at the whim of a dictator who will cash him in whenever it is expedient.
But you are missing the point, if Snowden had 100+M USD in crypto he would be in constant danger of being kidnapped.
That is literally what RU CW do. I'm saying that, like most RU cyber criminals, he will be recruited to act for the state if he isn't already doing so.
Why redirect though? He's causing pain to people who refused friendship with the top bully, that might very well be considered good enough. Some baron in the system might be allowed to take a cut.
The latter might actually be related to the "how?": someone could have leaked something to make the guy require more protection.
Getting doxxed like this means that anyone can beat the ever living private key out of his mouth knowing there are millions of dollars in his wallet. With the current economy, there's probably a great motivation to do this too, especially for the mid level authority.
>only RU Govt related outcome for him will be recruitment to RU cyber warfare
Unless he has some specialized skill or his previous infrastructure is still intact, I figure he'd be just as replaceable as any code monkey in any other industry.
Did I miss it? (The article is dense.) I'm not seeing how the authorities identified him. I see lots of identifying information from disparate sources, which when taken collectively does seem damning. But not how it all got put together, nor any discussion of why now.
I mean the guy offered his own $10m bounty if you could track him down.
I knew back when the Boeing data got out that it was a fatal mistake and he'd be hunted down. It obviously wasn't easy, since the $10m would have been enough incentive for the army of internet super sleuths. I don't care at all about what the bits and pieces are; what I want to know is the HOW, as per the title.
No one knows for sure. There’s no published direct link between the two identities. However, the article identifies years worth of ransom crypto transactions / bank deposits + FBI deep infiltration of LockBit as important advantages.
He messaged Omniscient / "the admin" on a HackForums / another HF clone site, asking about a PII dump with his own personal Gmail being specified, inquiring about GREP help.
When the entire DB leaked, his personal message was the most obvious one.
You all think these people are cyber geniuses, but really, just sufficiently advanced scum bags in socioeconomically-disadvantaged, politically convenient areas to operate these neo-scams.
I went poring through international news while looking for old friends recently, and the utter fear and revulsion the world had against "hackers" 20 years ago is wild to contemplate.
Federal prosecutors were using CFAA against people submitting bug reports against Microsoft products, the news was amplifying things out of control, and the FBI was extraditing foreign citizens over practices that are commonplace to SV business models today.
It's astounding that what amounts to a "hacker mindset" is mere curiosity and reason, and how well it has been stamped out of the general populace.