Imagine for a moment that you are the chief financial officer of a small American business.
You are sitting at your desk sometime in 2009. You are doing your job. You are answering emails.
Here's one from the Internal Revenue Service with the subject line “Tax Statement” and a message about underreported income. Don't want to get crosswise with the IRS, you think, and click on a link.
The link leads to nothing. You try again. Still nothing.
Odd, you think. Then you immediately forget about it.
Several weeks or months later, you are sitting at your desk, doing your job, when the phone rings.
It's an agent from the Omaha office of the FBI.
He asks: Did you just authorize a withdrawal of $30,000 into a personal checking account?
No, you say, as your eyes widen and your pulse quickens. Why?
This is how you learn you've been robbed.
And not just robbed, but robbed repeatedly. Robbed so stealthily, so completely, that you didn't even realize the money was missing.
This, roughly, is how dozens of small businesses and nonprofits — even an Iowa Catholic diocese — learned from the Omaha office of the FBI in 2009 and 2010 about a group of Ukrainian hackers, malicious software named Zeus and a plan to steal $70 million seemingly ripped from the pages of a futuristic thriller.
Weysan Dun, the FBI's special agent in charge in Omaha, agreed to share his version of this very real case, dubbed Operation Trident Breach, during his last week in office. The 30-year FBI veteran officially retired from the bureau Friday.
He agreed to talk extensively about Operation Trident Breach for the first time in part because he and the FBI view it as a success.
The investigation began in Omaha and eventually involved 100 agents working out of the Omaha office. It ultimately led to 64 arrests in several countries, although computer security experts believe the cybercrime's masterminds are still free in Ukraine.
And Dun agreed to detail Operation Trident Breach because, quite simply, it frightens him.
Dozens of chief financial officers clicked on fake IRS emails and unwittingly helped a previously unknown group of cybercriminals unleash what is still the biggest heist of its kind in U.S. history.
And here's the truly scary part: Operation Trident Breach is a metaphorical drop in what seems to Dun and other law enforcement officials to be a bottomless bucket.
The computer systems of Nebraska and U.S. companies, both big and small, are attacked daily.
Crime syndicates and foreign governments, chiefly China and Russia, carted off nearly $1 trillion in money, intellectual property and other proprietary information last year, said Gen. Keith Alexander, head of the National Security Agency.
And far too often, Dun believes, we serve as the de facto guide for these thieves, practically escorting them into our bank accounts, giving them the combinations to our safes and politely looking the other way as they walk with the loot out the front door.
“The current state of affairs has to change,” Dun said. “Most people aren't at all aware of how vulnerable they are.”
The phone rang and Justin Kolenbrander, the FBI agent in charge of the Omaha Cyber Crime task force, picked it up.
An employee of a financial company — a man who had previously completed an FBI training program for private industry — was on the other end of the line.
He told Kolenbrander he had noticed a pattern of about four dozen suspicious withdrawals from several banks. Kolenbrander took the tip to Dun, his boss.
“Look into it,” Dun said.
That's how the investigation that came to be known as Operation Trident Breach began in 2009.
Within weeks, Kolenbrander and another Omaha-based FBI agent, James Craig, realized they had a gargantuan fish on the line. It quickly became clear that dozens of small businesses and nonprofits around the country were losing money in the same fashion.
The Omaha agents traced the movement of the money to various spots in the United States and ultimately to Ukraine, though at first it wasn't clear who was on the receiving end.
(A request to speak to Kolenbrander and Craig was denied because, Dun said, parts of the investigation still are open.)
The pattern the agents unraveled went as follows:
Someone in charge of finances at a small business or nonprofit would receive an email, usually purporting to be from the Internal Revenue Service, the Federal Deposit Insurance Corp. or the company's bank.
The criminals chose smaller companies on purpose. Fortune 500 companies tend to have robust defenses against cybercrime.
“They weren't trying to go after Microsoft for a reason,” Dun said.
Dun shared several examples of these fake emails — commonly known as “spear phishing” — and noted how realistic they looked.
Spear phishing can be far more advanced than the IRS scam, said Brian Krebs, a cybercrime expert who has written extensively about Operation Trident Breach.
In a more recent case, four employees at a company simultaneously received and opened emails, complete with an Adobe PDF file attachment, that looked as if they had come from one of the company's clients. The company lost more than $100,000 from the resulting cybertheft.
“These are really hard to defend against, because they aren't tech issues you can solve with software or hardware,” Krebs said. “The hackers learn about a relationship and use that trust. ... They found out where people expect to get emails from and they go in sideways.”
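A mail gateway or SOC can catch the cruder version of this lure mechanically: a message whose display name claims to be the IRS, the FDIC or the company's bank, but whose sending domain belongs to none of them. The following Python is an added illustration, not code from the article or from the FBI; the organization-to-domain map, the sample `From:` headers and the domain names are constructed for the example.

```python
"""Flag e-mails whose display name claims a trusted institution while the
actual sender domain does not belong to that institution.

Added example, not from the article. TRUSTED_SENDERS and SAMPLE_HEADERS are
constructed; the bank's domain is a placeholder."""
import re
from email.utils import parseaddr

# Assumed allowlist: a phrase that may appear in a display name -> the domains
# that institution really sends from. Constructed for this example.
TRUSTED_SENDERS = {
    "irs": {"irs.gov"},
    "internal revenue": {"irs.gov"},
    "fdic": {"fdic.gov"},
    "first national bank": {"fnb.example"},  # placeholder for the company's bank
}


def sender_domain(from_value: str) -> str:
    """Return the lower-cased domain of the address in a From: value, or ''."""
    _, addr = parseaddr(from_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_subdomain_of(domain: str, root: str) -> bool:
    """True for the root domain itself and any of its subdomains."""
    return domain == root or domain.endswith("." + root)


def check_sender(from_value: str) -> dict:
    """Classify a From: value as no_claim, consistent or mismatch.

    A 'claim' is a trusted-institution phrase in the display name, matched on
    word boundaries so that e.g. 'First' does not count as 'IRS'."""
    display, _ = parseaddr(from_value)
    display_l = display.lower()
    domain = sender_domain(from_value)
    claimed = [
        org for org in TRUSTED_SENDERS
        if re.search(r"\b" + re.escape(org) + r"\b", display_l)
    ]
    if not claimed:
        return {"verdict": "no_claim", "domain": domain, "claimed": []}
    for org in claimed:
        if any(is_subdomain_of(domain, root) for root in TRUSTED_SENDERS[org]):
            return {"verdict": "consistent", "domain": domain, "claimed": claimed}
    return {"verdict": "mismatch", "domain": domain, "claimed": claimed}


# Constructed header lines; the second mimics the "Tax Statement" lure.
SAMPLE_HEADERS = [
    'From: "Internal Revenue Service" <notices@irs.gov>',
    'From: "IRS Tax Statement" <irs-notice@tax-refund-center.example>',
    'From: "FDIC Alert" <alerts@fdic.gov>',
    'From: Alice Vendor <alice@vendor.example>',
]


def triage(header_lines):
    """Run check_sender over raw 'From: ...' lines; returns (line, result) pairs."""
    results = []
    for line in header_lines:
        value = line.split(":", 1)[1].strip() if line.lower().startswith("from:") else line
        results.append((line, check_sender(value)))
    return results


if __name__ == "__main__":
    for line, result in triage(SAMPLE_HEADERS):
        print(f"{result['verdict']:<11} {line}")
```

This heuristic only catches the lure that lies about who it is in the display name. It does nothing against the look-alike client e-mail Krebs describes, where the sender is spoofed outright; that case needs SPF, DKIM and DMARC enforcement at the gateway, plus the user training the article goes on to discuss.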
In the pattern that the Omaha FBI agents were following, if an employee clicked on the fake IRS email, malicious software, or malware, would infect the computer. Within minutes, the victim's computer would be controlled by a variant of Zeus, a famed piece of malware first observed by experts in 2007.
Zeus essentially can take over a victim's computer, allowing the criminal to see everything, including banking passwords and other seemingly secure information.
Even worse, it allows the person controlling Zeus to emulate the victim online.
As the FBI watched, the Ukrainian criminals used Zeus to steal dozens of chief financial officers' online identities, withdraw money from their business accounts and place it in personal checking accounts scattered across the United States.
Often the companies learned they had been hacked — and in some cases lost hundreds of thousands of dollars — only when an Omaha FBI agent called and alerted them to the cybertheft.
How do you lose thousands of dollars without realizing it?
Sometimes companies don't balance their books on a daily basis, Krebs said. And sometimes the hackers actually make it appear that companies paid, say, their employees instead of placing money in the checking accounts of complete strangers.
“These guys are good,” he said.
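The defensive counterpart to "balance the books daily" is a reconciliation that does not trust the memo on the bank statement. The Python below is an added example, not part of the article and not anything the FBI or the victims ran; the payee list, account identifiers and statement lines are constructed, and the account-number format is hypothetical. It compares each outgoing transfer against the company's own approved-payee ledger and flags transfers that look like payroll but go to unknown accounts.

```python
"""Daily reconciliation: compare the bank's outgoing transfers against the
company's approved-payee ledger and flag anything unexplained.

Added example, not from the article. Payees, account ids and amounts are
constructed; the 'ACCT-...' format is hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    date: str
    memo: str          # description as it appears on the bank statement
    dest_account: str  # destination account id (constructed format)
    amount: float


# Approved payees as the company itself recorded them (constructed).
APPROVED_PAYEES = {
    "ACCT-PAYROLL-001": "Payroll provider",
    "ACCT-VENDOR-017": "Office supplies vendor",
}

# Constructed statement lines. The last two mimic the pattern in the article:
# transfers labelled like payroll but sent to unknown personal accounts.
BANK_TRANSFERS = [
    Transfer("2009-08-14", "PAYROLL", "ACCT-PAYROLL-001", 18250.00),
    Transfer("2009-08-14", "VENDOR PAYMENT", "ACCT-VENDOR-017", 1275.40),
    Transfer("2009-08-17", "PAYROLL", "ACCT-PERSONAL-4417", 9850.00),
    Transfer("2009-08-17", "PAYROLL", "ACCT-PERSONAL-9021", 9900.00),
]


def reconcile(transfers, approved=APPROVED_PAYEES):
    """Return one alert per transfer whose destination is not an approved payee.

    The memo is deliberately not trusted: a transfer that says PAYROLL but does
    not go to the payroll provider's account gets an extra reason."""
    alerts = []
    for t in transfers:
        if t.dest_account in approved:
            continue
        reasons = ["destination not in approved payee list"]
        if t.memo.upper().startswith("PAYROLL"):
            reasons.append("labelled as payroll but not sent to the payroll provider")
        alerts.append({"transfer": t, "reasons": reasons})
    return alerts


def unexplained_total(alerts):
    """Sum of the flagged amounts, rounded to cents."""
    return round(sum(a["transfer"].amount for a in alerts), 2)


if __name__ == "__main__":
    found = reconcile(BANK_TRANSFERS)
    for a in found:
        t = a["transfer"]
        print(f"{t.date} {t.amount:>10.2f} -> {t.dest_account}: {'; '.join(a['reasons'])}")
    print(f"unexplained today: {unexplained_total(found):.2f}")
```

Run daily, this check surfaces the mule-account transfers the same day they post rather than weeks later when an agent calls. The key design choice is keying on the destination account rather than the memo, since the memo is exactly what the attacker controls.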
FBI agents followed the money trail to a group of Eastern European young adults who previously had entered the United States, usually on forged student visas.
These so-called “money mules” would open checking accounts, wait until the Ukrainian ringleaders (using Zeus) transferred money from the businesses into those accounts and then walk into the banks to make what often appeared to be completely legitimate withdrawals.
They would then wire most of the stolen money to Ukraine or the United Kingdom, sometimes using Western Union, and keep maybe a 10 percent cut for themselves.
The mules often end up being the weak link of big cyberheists such as the one investigated during Operation Trident Breach, Krebs said.
They tend to be young and prone to bouts of stupidity, sometimes flaunting new cars or new clothes.
In one instance, a mule held up a pile of $100 bills, had a friend snap a photo and posted it on her Facebook profile, said Gary Warner, director of research in computer forensics for the University of Alabama-Birmingham, in an NBC report.
Warner was out of the country and unavailable for comment for this story.
The FBI and a number of outside experts, including Warner, tracked the use of the malware. They eventually proved that the hallmarks of this particular type of Zeus were linked to thousands of suspicious withdrawals and led back to one group of Ukrainian hackers.
As the bust neared, more than 100 FBI agents and computer specialists came to Omaha to work out of the office leading the investigation.
In late September 2010, Omaha agents flew to Ukraine, the Netherlands and London, helping to coordinate a massive international effort to arrest dozens of hackers, money launderers and mules in a one-day sweep.
On arrest day, Dun and several other agents helped direct the busts from a war room at Omaha FBI headquarters, located in a dark-windowed, three-story building in the southwest part of the city.
They nabbed 13 people in the United Kingdom, including several who helped to run the conspiracy.
They nabbed several dozen in the United States, mostly money mules; 27 have now been convicted in American courts.
In Ukraine, they nabbed five people — the big fish, detained with the help of an elite Ukrainian military unit.
It was the largest “automated clearinghouse” (ACH) bust in the history of the FBI, and it was started and led by the little-known Omaha office.
Since joining the FBI in 1982, Dun has put violent East Coast drug lords behind bars and investigated high-profile corruption cases in Illinois. But Operation Trident Breach was one of the most important investigations of his three-decade career.
“Seventy million dollars,” he said during a break between packing up boxes in his office recently. “It would be absolutely impossible for a (street) gang to get away with that much money.”
Only one glitch: Krebs said the five Ukrainian masterminds were released after a brief detention. Dun won't discuss the arrests themselves, saying they are part of an ongoing investigation.
“These guys are still operating,” Krebs said. “Still very active. Still very sophisticated. ... If they aren't out in the open, they are definitely unfettered.”
Sometimes when Brian Krebs is on a plane, flying on the way to a consulting job or speaking engagement, he finds himself seated next to a small-business owner.
By the end of the flight he has told the business owner to quit using Windows for financial transactions, because it's the operating system most affected by Zeus.
Or he has persuaded the small-business owner to close his business bank account. Just use a personal one if possible, because it affords consumer protections that a business account won't, if you are hacked.
Or maybe the small-business owner gets off the plane a little shaken and uncertain about ever banking online again.
If Krebs happens to talk to a CEO of a larger company, he suggests a serious daylong seminar on computer security. He also suggests what he calls “regular fire drills” for cyberattacks, where an outside company is brought in to customize a spear phishing or other hypothetical attack on the company.
If an employee clicks on a link that unleashes the hypothetical computer virus, there's more training to be done, Krebs said.
“What if part of an employee's bonus was tied to how they did on these security assessments? People would really care about this stuff then.”
When Dun thinks about Operation Trident Breach and the FBI, his thoughts drift from that success to the 200 or 300 other, similar investigations the agency has open at any given time.
And what of the unknown number of masterminds living somewhere in the world, maybe out of the FBI's grasp, who are inventing even better ways to steal money? Or shut down the power grid of a major American city? Or disrupt our water supply?
“Just because it hasn't happened yet doesn't mean it can't,” Dun said. “The potential threat for terrorists (to use Zeus or other malware) is very real.”
One solution, he thinks, is a segmentation of the Internet, where the equivalent of a gated community is created for the financial sector and other areas deemed to need more security.
But even before that, Dun thinks, we need to collectively have our eyes widen and our pulse quicken at the thought of the drumbeat of financial cybercrime.
On some level, he thinks, we are all the chief financial officer, accidentally allowing thieves into our bank accounts, and unaware that we can't even see that the money is gone.
So do we want to sacrifice security for the ease of online financial transactions? Do we want to accept the risk of cybercrime as the 21st century risk of doing business?
“The offense is so far ahead of the defense here,” Dun said. “We really need to collectively realize this as a society. We need to figure out how to make this work.”