Admitted Russian Botnet Herder Receives 4-Year US Sentence

Russian National Maxim Senakh Was Extradited From Finland to Face US Charges

Russian national Maxim Senakh, 41, was sentenced Thursday to serve 46 months in U.S. federal prison after he pleaded guilty to helping run a global botnet campaign tied to millions of dollars in fraud.

Senakh, who's from Velikii Novgorod, Russia, is due to be deported to Russia after serving his sentence.

"Working within a massive criminal enterprise, Maxim Senakh helped create a sophisticated infrastructure that victimized thousands of internet users across the world," said Acting U.S. Attorney Gregory G. Brooker in a statement.

Senakh had pleaded guilty on March 28 to computer fraud and abuse, as well as wire fraud charges, before U.S. District Judge Patrick J. Schlitz in Minnesota federal court.

As part of his plea deal, Senakh admitted to participating in a cybercrime scheme that installed Ebury malware onto systems and harvested login credentials, allowing his gang to steal millions of dollars.

The investigation that collared Senakh was led by the FBI's Minneapolis field office, and the Justice Department thanked police in Finland; Germany's federal police office, the Bundeskriminalamt or BKA; the federal computer emergency response team of Germany, CERT-Bund; and cybersecurity firm ESET for assisting in the case.

Extradition From Finland

Senakh was indicted by a U.S. federal grand jury on Jan. 13, 2015, and arrested seven months later - on August 8 - at the request of U.S. authorities when he attempted to cross the border from Finland into Russia.

Senakh's detention earned a swift rebuke from Moscow, with foreign ministry spokeswoman Maria Zakharova labeling the arrest a "witch hunt." Foreign ministry spokesman Konstantin Dolgov, meanwhile, told Russian state news agency TASS that the detention was another example of "the illegal practice of detaining Russian nationals in other countries, launched by the American authorities."

Finland approved the U.S. extradition request in January 2016. At the time, Senakh's attorney in Finland, Kustaa M. Tamminen, said his client would appeal the judgment with the European Court of Human Rights, and slammed Finnish authorities for subjecting his client to a potentially draconian prison sentence.

"It is surprising that the threat of penalty, which can be in this case more than 100 years of imprisonment for Mr. Senakh in the U.S., hasn't been regarded by the Finnish Ministry of Justice and Supreme Court as an obstacle for extradition; from the Finnish point of view such imprisonment would be very unreasonable," Tamminen told the Wall Street Journal at the time.

Ebury Botnet

As part of his plea agreement, Senakh "admitted that he supported the criminal enterprise by creating accounts with domain registrars which helped build the Ebury botnet infrastructure, and personally profited from traffic generated by the Ebury botnet," the Department of Justice says in a news release.

The botnet infrastructure, or command-and-control network, is used by botnet controllers - aka herders - to control infected systems, send further instructions or malicious code, as well as to exfiltrate stolen data. In the case of Ebury, Senakh admitted that tens of thousands of systems had been infected.

Security researchers say Ebury first appeared in 2012, if not earlier. The Linux, FreeBSD and Solaris-compatible malware "is a sophisticated backdoor used to steal OpenSSH credentials and maintain access to a compromised server," according to an analysis published by Marc-Etienne M.Léveillé, a security researcher at ESET.

As is typical with botnets, attackers didn't just steal victims' credentials for accessing online bank accounts and other services. According to his plea agreement, Senakh said he and his co-conspirators earned millions of dollars in revenue by also using the botnet to send spam, as well as commit click fraud - generating fake page views and clicks. To commit such fraud, gangs may register or work with unscrupulous advertising networks, generating fake clicks and page views that bring in revenue from the advertising networks, paid for by the clients who place advertisements with them.

Linux Foundation Attack

Use of the Ebury malware has also been tied to a case involving a Florida man, Donald Ryan Austin, 28. A four-count indictment returned by a federal grand jury in June 2016 charged him with hacking into servers operated by the Linux Kernel Organization and the Linux Foundation, according to the Department of Justice.

"According to the indictment, Austin used that access to install rootkit and trojan software, as well as to make other changes to the servers," according to the Justice Department. In particular, Austin allegedly used a self-injecting rootkit called Phalanx to install the Ebury Trojan, in an apparent move to gain access to Linux kernel code-development systems and tamper with the code, the Register has reported.

FBI Highlights Deterrence Effect

Meanwhile, U.S. authorities have suggested that Senakh's arrest, extradition and incarceration will deter future cybercriminals. "The sentence handed down today sends a strong message to international cybercriminals who mistakenly believe they can prey on the American people with impunity," said FBI Special Agent in Charge Richard T. Thornton.

But while these types of arrests can waylay the criminals named in specific indictments, there's no evidence to suggest that they have led to a reduction in the number of individuals involved in internet-enabled crime, or a reduction in the losses attributed to such activities (see The Myth of Cybercrime Deterrence).

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
