
WFC and police investigation

Dear customers, friends and colleagues, we bring to your attention a story that is still to be continued.

The story of the seizure of our servers by the police in the summer of 2013 is very instructive not only for us, but also for all hosters, as well as for those who are interested in the work of hosting companies. Since the police investigation of the case is almost completed, we consider it possible to publish some materials that shed light on the causes and chronology of the incident. We will say at once that what happened was the confluence of several unlikely circumstances. We simply got caught under the steamroller of the campaign conducted by the FBI and Microsoft.

Our company was registered in Canada in 2009 and has operated since that time under Canadian law as a hoster (under the brand cadedic.ru). Like all hosters, we respond to abuse reports, especially serious ones, and follow our security policy. In accordance with Canadian law, we allow the placement of content that does not pose a threat to the functioning of computers and communication networks. Our reaction to abuse such as spam, botnets, spreading viruses and carding coincides with the generally accepted one: we block the offending servers and warn the client that such activities are inadmissible, and in case of repeat offences we deny service and terminate the contract without compensation.

For us, the story began when one of our clients (or, as one version has it, someone who had hacked his account) placed a Citadel botnet control center on our server. The Citadel botnet was created from the start as a specialized criminal system. Citadel consists of agents and a control center. The agent spreads like a virus, is installed on the victim's computer and is self-propagating. Sitting on the victim's computer, the agent logs keyboard and browser activity. When the victim logs in to online banking, the agent saves the access data. The control center connects to the agent from time to time and receives the data, which it stores in a place known only to it. That is, it is pure crime.

In April-May 2013, the criminals used the data stolen from customers and transferred about 300 million dollars from their accounts. The customers of Citigroup and JPMorgan banks suffered. It was a slap in the face of Uncle Sam, and the reaction was immediate. The FBI immediately launched an investigation and on June 5 brought down a network of control centers located in the United States.

On June 8, several people, former citizens of the USSR, were arrested in New York; they are accused of creating and managing this network. The FBI sent a warning letter to the police of all countries asking them to carefully monitor and destroy the Citadel botnet control centers.

On May 13, a git placed a Citadel control center on a virtual server located in our network. After receiving an abuse report from Spamhaus, we deleted it. On the 14th of June, Spamhaus again detected Citadel on our server. Unfortunately, we were in the process of preparing for the move to a new data center and did not respond to this complaint instantly. The brave Canadian policemen from E-Division turned out to be faster, and on June 14, 2013 at 15:30 Vancouver time they had already received the Court Order and turned off ALL of our servers.

Next, we insert excerpts from the search warrant, which our lawyers finally obtained. It is not possible to publish the document in full: it has 32 pages. The document was written by the investigating police officer. It is given without translation.

So, events developed as follows.








As you can see, we could neither foresee nor stop these events. Naturally, all employees of our data center were in shock, and everyone came under suspicion of involvement in crime. The police took fingerprints from the telecommunications closets and interrogated all the people who had ever touched our closets, in effect the entire data center personnel and contractors. At present, all suspicion has been lifted from our colleagues.

All servers were returned by August 2013, and we started to restore the service.

Chronicle of events:
June 14, 2013 - the botnet is placed on the server, the police receive a Court Order;
June 15, 2013 - seizure of all servers, interrogations of data center employees;
June 16, 2013 - interrogation of company owners, Bull Housser brought into the case;
June 17 and 18, 2013 - drafting of petitions, statements, explanations;
June 19, 2013 - a copy of the Court Order is received directly from the court, a statement of non-involvement in criminal activities;
June 20, 2013 - moving to a new place, installing racks, connecting electricity, etc.;
June 22, 2013 - return of switches, billing servers and the first server with VPS clients;
June 29, 2013 - return of 16 servers, mostly dedicated;
July 5, 2013 - 25% of all servers are returned;
July 9, 2013 - 95% of all servers are returned;
July 22, 2013 - all servers are returned, except for two;
August 2, 2013 - the last two servers are returned.

To the credit of the Canadian police, we can say that they acted politely, they treated our property carefully, fulfilled their promises, answered phone calls and e-mail quickly.

Although we are not to blame for what happened, we nevertheless apologized to everyone who suffered from the actions of the Canadian police and said that we were continuing our work as if nothing had happened. All remaining customers were offered bonuses. All project data and backups were returned. We regularly kept our clients informed about the current status of work on restoring the service. Some of the clients who were forced to leave us because of this story appreciated our sincerity, diligence and attitude towards clients, and came back. But most, of course, moved to new hosting providers, and we want to say thanks to all the hosters who accepted our clients and helped them get their projects working again. Still, mutual assistance from industry colleagues, despite the competition for the customer, is a great force.

Further events developed as follows: the first priority was to restore the service and bring capacity back into use. Then we decided not to leave the case without consequences and to get a legal assessment of the actions of the police, acting on behalf of the state of Canada.

It was not easy. It was difficult to find a law firm that would take on a lawsuit against the police in such a delicate matter, one that threatens to reach the highest court of Canada - Royal Bench Court. However, after almost a year of searching and dozens of negotiations, such a firm was found.

It was also difficult to find an expert who would agree to testify against the police in court. This also took a long time. Here we must say some unpleasant words about former compatriots working at Microsoft. We turned to several people hoping for help, especially since they are experts in the field of security. After examining the issue, they ALL in turn said that yes, the police were wrong, but they would not testify in court, citing corporate standards, possible consequences and unwillingness to spoil their comfortable life. We wanted to bring in Kaspersky Lab as experts, as a company highly respected in the West. Unfortunately, our appeals, letters and calls to them remained unanswered. It was very sad to be without support.

In the end, we found a security expert, an Iranian by birth, who is known in his circles and is a reputable botnet researcher. He, as soon as he heard about the essence of the matter, immediately agreed to participate in the case.

So, the lawsuit was prepared, the expert was found, and the amount of the claim was determined.

In early November 2014, we filed the lawsuit with the Vancouver District Court and delivered the claim to the respondents - the Canadian Police Law Department.

At present, the court has registered the application and the Defendants are obliged to answer by mid-January 2015 whether they want a pre-trial hearing and a possible agreement or are ready to begin legal proceedings.

The trial will last a long time, several years: according to the plan it should be completed in 2017 if there are no appeals, or in 2019 if appeals to the High Court are filed. So we stock up on popcorn and wait.

We will publish information on the progress of the trial in this article.

Initially, we planned to join to the claim all the clients who suffered, but due to the peculiarities of Canadian legislation, we cannot do this. However, if our claim succeeds, any such client will be able to file a claim against the Canadian police with reference to our precedent.

Thanks to everyone who read to the end. Success to you in your business.

Posted on October 27, 2017:

Dear colleagues, customers, friends!
On November 30 of this year, the first meeting of the court to consider the claim of our company against the police will be held. All those who suffered as a result of the actions of the police are invited to join the lawsuit. To do this, write us a letter with the subject “I join the lawsuit” and enter your login in our billing directly in the subject line. We will send you detailed instructions on what needs to be done and what data to prepare.

Source: https://habr.com/ru/post/244887/

