Man hailed as hero now a suspect

Marcus Hutchins, praised for slowing spread of WannaCry hack, is accused of creating Kronos virus.

Los Angeles Times - BUSINESS - By Paresh Dave and Richard Winton

A widely celebrated cybersecurity researcher was indicted on charges of developing software that has stolen banking credentials from an untold number of people, prosecutors said Thursday.

Marcus Hutchins, 22, who works for the Los Angeles security firm Kryptos Logic, was praised in May for his role in slowing the spread of ransomware called WannaCry that was locking files on computers around the world.

But federal prosecutors say that Hutchins, at least at one point in his career, had malicious intent. In a July 12 indictment unsealed this week, Hutchins is described as having created, maintained and marketed the Kronos banking Trojan from July 2014 to July 2015.

The program — often distributed through document attachments in phishing emails — monitors consumers’ online browsing and leads them to fraudulent websites designed to look like legitimate banking services. Kronos then harvests usernames, passwords and other information from unsuspecting consumers. Sellers described Kronos as capable of evading antivirus software and snooping on the latest versions of Chrome, Firefox and Internet Explorer.

Hutchins faces six counts related to malware distribution, including conspiracy to commit computer fraud and abuse and endeavoring to intercept electronic communications.

The FBI quietly arrested him Wednesday as the British resident prepared to fly out of Las Vegas, the site of Defcon, one of the computer security industry’s biggest conferences.

Hutchins was scheduled to appear in U.S. District Court in Las Vegas on Friday afternoon.

The allegations from a two-year FBI investigation point to one of the cybersecurity sector’s most distinctive traits: the revolving door between those trying to stop attacks and those launching them.

People often transition between hacking with malicious intent and working as well-meaning investigators. The mischievous work of the past can be an asset to companies and law enforcement agencies looking to get an edge on new waves of criminals. But it also can mar the reputation of the burgeoning industry.

The blurred roles of cybersecurity workers led to a fierce debate on social media Thursday among hackers and researchers. Hutchins’ defenders said law enforcement may have misinterpreted actions Hutchins took to find a way to protect against Kronos. Other industry insiders pointed to a trail of clues on Russian forums potentially implicating Hutchins.

In an interview with the Los Angeles Times in June, Kryptos Logic Chief Executive Salim Neino said he hired Hutchins in 2016 after discovering the surfer and computer hobbyist’s blog. Since 2013, Hutchins has written a couple of times almost every month about new viruses and attacks, though never about Kronos.

Neino called Hutchins’ skill and ethics impressive and put him in charge of a division at the small firm. Kryptos Logic acknowledged a request for comment Thursday but didn’t provide a statement.

Hutchins, who lives in England, was on vacation in May when WannaCry, a self-replicating worm, sped across the Internet, hijacking Windows machines. It locked files and demanded $300 to $600 for their release.

But Hutchins jumped online and by chance, he has said, found a way to effectively throw Kryptos Logic’s servers into the path of the oncoming attack.

The tactic acted like a temporary kill switch, giving computer technicians enough time to inoculate their systems from becoming infected.

Hutchins’ effort led to collaboration with British authorities and others in the cybersecurity research community. Though a prominent blogger, his identity hadn’t been widely known until British tabloids revealed his name during the WannaCry incident.

His actions drew an offer of a year’s worth of free pizza from a British food-delivery service as well as praise and a bounty from the security industry. Hutchins said he would donate his financial reward to charities.

The indictment — handed down by a grand jury in the Eastern District of Wisconsin — redacts the name of a second defendant, who is accused of helping advertise, sell and update the Kronos malware. The undisclosed defendant posted a video explaining how hackers could infect computers with Kronos and also offered to sell the program for $3,000 on hacking forums, according to court documents.

Kronos was first made available online in early 2014, including on AlphaBay, a secret marketplace for buying drugs and other illicit items. Last month, the Justice Department seized AlphaBay, which could be accessed only through a special Internet browser that scrambles traffic.

Hutchins may have been unmasked during the AlphaBay investigation. When federal agents took down the service, they came into possession of its electronic records and may have been able to trace who was behind Kronos’ creation.

In a Twitter post last year, Hutchins pointed to AlphaBay as a place to buy cannabis. After the website’s shutdown, he wrote in a separate tweet, “They took a website offline, who cares?”

Hutchins also had posted on Twitter about Kronos, asking followers June 13, 2014, whether “anyone got” a sample of the program for research purposes.

Three days earlier, the undisclosed defendant conspiring with Hutchins had sold a copy of Kronos for $2,000 worth of digital currency, prosecutors say.

Kronos went on to affect consumers in Canada, Germany, Poland, France and the United Kingdom, among other countries, the Justice Department said.

Orin Kerr, a professor of criminal procedure and computer crime law at George Washington Law School, said prosecutors will be required to show for some of the charges “an intent to further the crime.”

Prosecutors will have to show that Hutchins knew that the software would be used to aid in a crime. The act of selling malware alone in itself isn’t a crime, Kerr said.

Photo caption: MARCUS HUTCHINS was arrested as he prepared to leave Las Vegas. (Frank Augstein / AP)
