Meet Cyclosa, the Gang Behind 2013’s Biggest Data Thefts

Last year, security reporter Brian Krebs discovered that a group of attackers managed to compromise multiple companies, steal sensitive customer data and sell the details through an online identity theft store known as SSNDOB. The attackers broke into the networks of a number of major consumer and business data aggregators as well as a software development firm. Krebs revealed that the attackers then put the stolen data up for sale on SSNDOB, allowing their customers to buy personal details belonging to US and UK citizens.

Symantec looked into the attacks conducted by the group behind SSNDOB, who we call the Cyclosa gang. During our investigations, we managed to identify one of the owners of the service who claims in online forums to be Armand Arturovich Ayakimyan, a 24-year-old man from Abkhazia. As we looked further into this case, we learned how he went from being a visitor to a cybercrime forum, looking for information on how to conduct attacks, to operating a major identity theft operation. Not only that, but Symantec also found that the Cyclosa gang breached a number of other firms, including a Georgian government agency, a credit union and a bank.

Who is Armand?
Armand was born on August 27, 1989 in Abkhazia, a disputed territory in the Caucasus that borders Russia and Georgia. Both Abkhazia and a number of other regions nearby were beset with conflicts between 1991 and 1993. One conflict was the War in Abkhazia from 1992 to 1993, a dispute involving Abkhazia and Georgia over the region’s independence. According to our research, Armand moved from the capital of Abkhazia, Sukhumi, to the nearby Russian city of Sochi in early 2010 just before launching SSNDOB.

On one of Armand’s social media profiles, which has since been deleted, he says he is skilled in Web development and IT. He also appears to be a fan of the online role-playing game EVE Online.

Armand appears to have made a few career moves throughout his adult life, including working in a photo studio and becoming a sales manager for a cosmetics firm. He also considered using his technical skills for legitimate work, as he discussed creating an online dating service and a real estate website for properties in Abkhazia. However, neither of these services became a reality. In 2013, Armand appeared to be working at a church in Russia.

Armand’s early cybercrime life
Before 2007, Armand may have been involved in fraud, targeting Australian citizens’ financial details. While Armand appeared to have some abilities to conduct cybercrime, he still needed to learn more to run bigger financial scams.  

In 2007, he registered an account on a cybercrime forum and asked other users for advice on how to steal people’s data through their unsecured WiFi connection. Another user told him to use a search engine to do more research on the matter, suggesting that Armand still had a lot to learn.

Towards the end of that year, Armand had started to sell stolen information, offering “fresh reports” on these forums for US$2.50. He continued to seek advice on a number of attack methods, such as how to hijack chat accounts.

In 2008, he began to explore the use of remote access Trojans to obtain information from compromised computers. He requested encryption services for the popular Pinch Trojan along with a joiner, which would allow him to hide the malware and bundle it with other programs. During this year, Armand began to target US and UK citizens, hoping to make more money in the process.

Partners in crime
At the start of 2009, evidence emerged of Armand’s partnership with three other people who used the handles “Tojava”, “JoTalbot” and “DarkMessiah” on cybercrime forums. There may be other players involved with this organization but these four individuals appear to be the main actors in this group. The four of them carried out numerous acts of cybercrime, such as conducting malware-based search engine optimization and pay-per-click schemes. They also bought and sold hijacked chat accounts, botnet traffic, and personal and financial information. Armand’s relationship with Tojava was vital for the formation of SSNDOB. Tojava was allegedly responsible for introducing Armand to the world of cybercrime and carding. We believe that Tojava created many of SSNDOB’s technical features, such as its search engine and its social security number query scripts.

Around this time, Armand said that he “found” access to a “large FTP site,” giving him a point of entry to several travel agencies’ websites. He asked other forum members for advice on how to make the most of this access. Two months later, Armand advertised the sale of a database of 75,000 to 85,000 expired Russian passports, along with FTP space or accounts and the “rights” to a compromised server. This may have been the Cyclosa gang’s first major breach of a company.

Establishing SSNDOB
Soon after the breach of the travel agencies, Armand and Tojava were seen expressing interest in opening an online identity theft store and seeking tools to check and process card payments. Along with this, the pair continued to update the Cyclosa gang’s attack capabilities, seeking malware that could wipe hard drives thoroughly enough to avoid police detection and looking into getting high volumes of US and UK botnet traffic.

By the end of the year, Armand registered SSNDOB’s first domain using, oddly enough, his real first and last name and his phone number. At the start of 2010, SSNDOB was officially open for business. It sold personal data records from US$0.50 to US$2.50 and offered credit and background checks from US$5 to US$15.

The breaches
To keep their store stocked, the Cyclosa gang had to continue to attack companies for their databases of personal data. Along with the major breaches covered in Krebs’ report, Symantec found that the Cyclosa gang compromised a number of other firms. In May 2012, the Cyclosa gang breached a US-based credit union. A few months later, they compromised a bank based in California, USA, and a Georgian government agency. While the Georgian agency may not have a lot of information pertaining to US and UK citizens, it’s possible that this attack was of personal interest to the Cyclosa gang, considering Armand’s background.

SSNDOB revealed
In March 2013, SSNDOB had a setback, as Krebs first exposed the store in an investigative report. Three days after Krebs released the article, Armand deleted his profile on European social network VK.

Despite this, the Cyclosa gang did not stop their activities. They went on to register a new domain name for SSNDOB and compromised an employee’s computer at a Nigerian financial institution with a presence in the UK. Throughout 2013, the Cyclosa gang stole data from major data brokers, along with a software development company. Considering how the attackers continued to escalate their activities in 2013, this may not be the last we hear of the Cyclosa gang.

The following infographic charts the path Armand took, from a one-man operation to an organized cybercrime gang.

[Infographic: cyclosa_infographic_past_to_present_v2.png]

Symantec protection
Symantec has the following protections in place for the attacks mentioned in this blog:

AV

IPS