Internet registry RIPE NCC turned a blind eye to cybercrime, and Russian police corruption helped the perpetrators get away with it, according to the UK Serious Organised Crime Agency
Amsterdam-based Internet registry organisation RIPE NCC has been singled out for its involvement with notorious criminal network provider Russian Business Network (RBN) by the UK’s Serious Organised Crime Agency.
The registrar took money from the well-known criminal organisation, and subsequently corruption in the Russian police allowed the network’s organisers to escape SOCA’s clutches according to Andy Auld, head of intelligence for the agency’s e-crime department, speaking at the RSA Conference Europe security event this week in London.
RIPE NCC denies any wrong-doing and Auld explained that the registrar wasn’t actually being investigated for its involvement with RBN – but as the registry body had accepted payment from the Russian criminal organisation, it could be seen by some as having been complicit in criminal activities, he said.
“An entity like Russian Business Network – a criminal ISP and recognised as such by just about every media outlet worldwide that covers these things – RBN was registered as local internet registry with RIPE, the European body allocating IP resources to industry,” explained Auld.
The SOCA officer argued that any company that does business with a known cyber-criminal organisation such as RBN could itself be open to accusations of acting illegally.
“RIPE was being paid by RBN for that service, for its IP allocation,” he said. “Essentially what you have – and I make no apologies for saying this is – if you were going to interpret this very harshly RIPE as the IP allocation body was receiving criminal funds and therefore RIPE was involved in money laundering offences,” said Auld.
Serious organised crime – not a cottage industry
RBN’s systems were used to host child pornography and at its peak, according to SOCA, the organisation hosted around one third of all the “pay-per-view” child pornography in the world. The rest of the illegal network was devoted to malware including systems to control botnets.
“What we are tallking about is a purpose-built criminal ISP – built for and used by criminals and a highly profitable organisation at that,” said Auld. “This is organised crime. Don’t be confused with the idea that is a hobby industry or cottage industry, this was a proper organised crime syndicate that just so happened to have an e-crime component to its crimial portfolio.
As well as SOCA, the FBI and Dutch and German law-enforcement groups were involved in the investigation of RBN last year. However as the investigation continued the group behind RBN set up a “disaster recovery plan” to ensure that it could continue operating if its existing systems were shut down. This plan was set in motion in November 2008 but according to SOCA it was able to shut-down the new systems before RBN was able to migrate over to them.
“All we could get there was a disruption, we weren’t able to get a prosecution in Russia,” admitted Auld. “Our biggest concern is where did RBN go? Our information suggests that RBN is back in business but now pursuing a slightly different business model which is bad news.”
Auld added that other registries also had some connection to RBN which could similarly be construed as illegal – although he admitted that SOCA preferred to work with these companies than seek to prosecute them.
“We are not actually treating it [RIPE] that way but if you want to interpret it that way the same would apply to both ARIN [American Registry for Internet Numbers] APNIC [Asia-Pacific registry], AFRINIC [African registry] and so on,” he said.
According to SOCA, it is actively working with internet registry organisations to make sure that they don’t, whether intentionally or unintentionally, end up aiding criminals and harming consumers.
“Where you have got LIRs (Local Internet Registries) set up to run a criminal business- that is criminal actvity being taken by the regional internet registries themselves. “So what we are trying to do is work with them to make internet governance a somewhat less permissive environment for criminals and make it more about protecting consumers and individuals,” added Auld.
RBN looked legitimate, says RIPE NCC
In response to the comments that it could be accused of being involved in criminal activity, Paul Rendek, head of external relations and communications at RIPE NCC said that the organisation has very strict guidelines for dealing with LIRs.
“The RBN was accepted as an LIR based on our checklists,” he said.” Our checklists include the provision of proof that a prospective LIR has the necessary legal documentation, which proves that a business is bona fide.”
Renek maintained that RIPE has had a good relationship with SOCA and other law-enforcement organisations. “We have always cooperated with SOCA, and continue to work very closely with relevant criminal investigation bodies to ensure investigations can be carried out as swiftly and efficiently as possible in order to ensure best practice Internet governance is adhered to and criminal activity is identified and dealt with in the appropriate manner,” he added.
SOCA also attributed some of the blame for failing to prosecute any members of RBN as being down to corruption on the part of police in St.Petersburg who, Auld alleged, appeared to have agreed to protect the criminal gangs behind the network.
“We strongly believe that this organisation had not only the local police but the local judiciary and local government in St. Petersbeg firmly in its pocket that meant when we tried to investigate RBN we met significant hurdles – quite obvious hurdles – when trying to deal with Russian law enforcement to tackle the operation,” said Auld.
Earlier this month, US law enforcement agencies got much better international co-operation in shutting down a phishing ring based in Egypt.