Attacks/Breaches

7/20/2017 07:00 PM
Russian National Receives 5 Years In Jail For Role In 'Citadel' Attacks

Mark Vartanyan is the second individual to be sent to prison in connection with Citadel.

A US federal court in Atlanta this week sentenced Russian national Mark Vartanyan to five years in prison for his role in developing, improving and distributing Citadel, a malware kit that was used to steal an estimated $500 million from individuals and financial institutions worldwide.

Vartanyan, who also used the moniker "Kolypto," had previously pleaded guilty to computer fraud charges in March 2017 after being extradited to the US from Norway last December.

Federal authorities had charged Vartanyan with developing, improving, maintaining, and distributing Citadel while residing in Ukraine and later in Norway between August 2012 and June 2014. During that period, he uploaded numerous files consisting of Citadel software, components, updates, and patches, all with the intent of improving the malware's functionality.

Vartanyan was arrested in Norway in October 2014. He will receive credit for time spent in custody since then, which means he will be eligible for release in less than three years.

"Mark Vartanyan utilized his technical expertise to enable Citadel into becoming one of the most pernicious malware toolkits of its time," US Attorney John Horn said in a statement announcing the sentence Wednesday. "For that, he will serve significant time in federal prison."

Citadel first surfaced in 2011 and was assembled from the leaked source code of the Zeus banking Trojan. It was initially made available to cybercriminals on an invitation-only basis on multiple Russian-language online forums.

The malware was designed to steal payment card data, personal data, and online banking login credentials. It was typically installed on victim computers via drive-by downloads, though cybercriminals employed multiple other infection methods as well. For instance, the malware's creators bundled it into pirated versions of Windows XP installed on computers sold in multiple countries. In many cases, Citadel blocked infected computers from accessing antimalware sites, making the malware harder to detect and remove.

In all, cybercriminals infected some 11 million systems globally with Citadel and turned them into remotely controlled bots. The malware's victims included organizations such as Citigroup, Bank of America, American Express, and Wells Fargo.

In June 2013, Microsoft announced that the company, along with the FBI and law enforcement authorities from multiple countries, had severely disrupted Citadel operations by shutting down more than 1,400 botnets associated with the malware. At the time, Microsoft noted that cybercriminals were using fraudulently obtained product keys for Windows XP to bundle Citadel into pirated copies of the operating system.

Even after that cooperative operation, though, Citadel continued to be a threat.

In 2014, for instance, security researchers reported seeing the malware being used to attack the password managers that many organizations use to store and secure their online account credentials. The same year, IBM researchers said they had observed a Citadel variant being used to conduct cyberespionage operations against petrochemical companies in the Middle East. In 2016, security vendor Heimdal Security said it had discovered a modified form of the malware being used to attack banks in France.

Vartanyan is the second individual sentenced to jail time for activities connected to Citadel malware.

In September 2015, another Russian national, Dimitry Belorossov, was sentenced to four-and-a-half years in prison for developing, distributing, and installing Citadel on computers worldwide. Belorossov pleaded guilty to operating a Citadel botnet comprising over 7,000 infected systems, including those belonging to multiple US banks, financial institutions, and a federal court in Georgia.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
