BRYAN SCHRODER
Acting United States Attorney

YVONNE LAMOUREUX
ADAM ALEXANDER
Assistant U.S. Attorneys
Federal Building & U.S. Courthouse
222 West Seventh Avenue, #9
Anchorage, Alaska 99513-7567
Phone: (907) 271-5071
Fax: (907) 271-1500
E-Mail: yvonne.lamoureux@usdoj.gov

ETHAN ARENSON
HAROLD CHUN
Trial Attorneys
Computer Crime and Intellectual Property Section
1301 New York Avenue, NW
Washington, DC 20530
Phone: (202) 514-1026
Fax: (202) 514-6113
E-Mail: ethan.arenson@usdoj.gov
        harold.chun@usdoj.gov

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ALASKA

IN RE APPLICATION OF THE UNITED STATES OF AMERICA FOR AN ORDER AUTHORIZING THE INSTALLATION AND USE OF PEN REGISTERS AND TRAP AND TRACE DEVICES

Case No. 3:17-mj-00136-DMS
FILED UNDER SEAL

APPLICATION

The United States of America, moving by and through its undersigned counsel, respectfully submits under seal this ex parte application for an order pursuant to 18 U.S.C. §§ 3122 and 3123, authorizing the installation and use of pen registers and trap and trace devices ("pen-trap devices") to record, decode, and/or capture dialing, routing, addressing, and signaling information associated with each communication to or from the substitute servers and other infrastructure established by the Government pursuant to the Temporary Restraining Order and Order to Show Cause signed by this Court in the matter of United States v. Peter Yuryevich Levashov ("TRO"). In support of this application, the United States asserts:

1. This is an application,[1] made under 18 U.S.C. § 3122(a)(1), for an order under 18 U.S.C. § 3123 authorizing the installation and use of a pen register and a trap and trace device ("pen-trap device").

2. Such an application must include three elements: (1) "the identity of the attorney for the Government or the State law enforcement or investigative officer making the application"; (2) "the identity of the law enforcement agency conducting the investigation"; and (3) "a certification by the applicant that the information likely to be obtained is relevant to an ongoing criminal investigation being conducted by that agency." 18 U.S.C. § 3122(b).

3. The undersigned applicant is an "attorney for the government" as defined in Rule 1(b)(1) of the Federal Rules of Criminal Procedure.

[1] It is not clear that the Pen Register and Trap and Trace Act's prohibition against the "installation" or "use" of a "pen register" or a "trap and trace device" applies to the unique facts presented to the Court here. See, e.g., Capitol Records Inc. v. Thomas-Rasset, 2009 WL 1664468, at *[pin cite illegible] (D. Minn. 2009) ("the Pen Register Act cannot be intended to prevent individuals who receive electronic communications from recording the IP information sent to them. If it did apply in those cases, then the Internet could not function . . . ."). Nonetheless, the United States is applying for a Pen Register and Trap and Trace Order out of an abundance of caution in order to be certain that its conduct will not violate the Act.

4. The law enforcement agency conducting the investigation is the Federal Bureau of Investigation ("FBI").

5. The applicant hereby certifies that the information likely to be obtained by the requested pen-trap devices is relevant to an ongoing criminal investigation being conducted by the FBI.

6. This Court is a "court of competent jurisdiction" under 18 U.S.C. § 3122(a)(2) because it "has jurisdiction over the offense being investigated." 18 U.S.C. § 3127(2)(A)(i).

ADDITIONAL INFORMATION

7. Other than the three elements described above, federal law does not require that an application for an order authorizing the installation and use of a pen register and a trap and trace device specify any facts. The following additional information is provided to demonstrate that the order requested falls within this Court's authority to authorize the installation and use of a pen register or trap and trace device under 18 U.S.C. § 3123(a)(1).

8. A "pen register" is "a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted." 18 U.S.C. § 3127(3). A "trap and trace device" is "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication." 18 U.S.C. § 3127(4).

9. In the traditional telephone context, pen registers captured the destination phone numbers of outgoing calls, while trap and trace devices captured the phone numbers of incoming calls. Similar principles apply to electronic communications, as described below.

10. The Internet is a global network of computers and other devices. Devices directly connected to the Internet are identified by a unique Internet Protocol ("IP") address. This number is used to route information between devices. Generally, when one device requests information from a second device, the requesting device specifies its own IP address so that the responding device knows where to send its response.

11. On the Internet, data transferred between devices is not sent as a continuous stream, but rather it is split into discrete packets. Generally, a single communication is sent as a series of data packets. When the packets reach their destination, the receiving device reassembles them into the complete communication. Each packet has two parts: a header with routing and control information, and a payload, which generally contains the content of the transmitted communication.

12. The packet header contains non-content dialing, routing, addressing and signaling information, including IP addresses and port numbers. Both the IP address of the requesting device (the source IP address) and the IP address of the receiving device (the destination IP address) are included in specific fields within the packet header, as are source and destination port numbers. On the Internet, IP addresses and port numbers function much like telephone numbers and area codes - often both are necessary to route a communication. Sometimes these port numbers identify the type of service that is connected with a communication, such as email or web-browsing, but often they identify a specific device on a private network. In either case, port numbers are used to route data packets either to a specific device or a specific process running on a device. Thus, in both cases, port numbers are used by computers to route data packets to their final destinations.

13. The headers of data packets also contain other dialing, routing, addressing and signaling information. This information includes the transport protocol used (there are several different protocols that govern how data is transferred over networks); the flow label (for the most recent version of the Internet Protocol suite, called IPv6, the flow label helps control the path and order of transmission of packets); and the packet size.

THE RELEVANT FACTS

14. The United States government, including the FBI, is investigating the use of malicious computer software known as Kelihos to steal user credentials and to force infected computers to join a "botnet" - a network of other compromised computers - and distribute spam messages.
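The following Python is an added illustration, not part of the filing, of the header-only collection described in paragraphs 11 through 13 and of the TRO's condition that no content be collected at the substitute servers: it decodes the IP and TCP/UDP headers of a packet, keeps only the DRAS fields (addresses, ports, protocol, size, IPv6 flow label) and records no payload bytes. The packets, addresses and content are constructed sample data, and the record and function names are this example's own.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17


@dataclass(frozen=True)
class DrasRecord:
    # Header fields only: the dialing, routing, addressing and signaling data.
    ip_version: int
    protocol: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    total_len: int             # packet size as carried in the IP header
    flow_label: Optional[int]  # IPv6 only
    payload_len: int           # number of content bytes discarded, never the bytes


def extract_dras(packet: bytes) -> DrasRecord:
    """Decode IP and TCP/UDP headers; payload bytes are never copied out."""
    version = packet[0] >> 4 if packet else 0
    if version == 4:
        if len(packet) < 20:
            raise ValueError("truncated IPv4 header")
        l4 = (packet[0] & 0x0F) * 4                     # IHL in bytes
        (total_len,) = struct.unpack_from("!H", packet, 2)
        proto, flow = packet[9], None
        src = str(ipaddress.IPv4Address(packet[12:16]))
        dst = str(ipaddress.IPv4Address(packet[16:20]))
    elif version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        (first,) = struct.unpack_from("!I", packet, 0)
        flow = first & 0xFFFFF                          # 20-bit flow label
        hdr_payload_len, proto = struct.unpack_from("!HB", packet, 4)
        total_len, l4 = 40 + hdr_payload_len, 40
        src = str(ipaddress.IPv6Address(packet[8:24]))
        dst = str(ipaddress.IPv6Address(packet[24:40]))
    else:
        raise ValueError("unsupported or empty packet")
    sport, dport, l4_len = None, None, 0
    if proto in (TCP, UDP) and len(packet) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", packet, l4)
        if proto == UDP:
            l4_len = 8
        elif len(packet) >= l4 + 13:
            l4_len = (packet[l4 + 12] >> 4) * 4          # TCP data offset
    # Everything past the transport header is content: keep only its size.
    payload_len = max(len(packet) - l4 - l4_len, 0)
    return DrasRecord(version, proto, src, dst, sport, dport, total_len, flow, payload_len)


# Builders for constructed test packets (not captures): IPv4+TCP and IPv6+UDP.
def build_ipv4_tcp(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp + payload


def build_ipv6_udp(src, dst, sport, dport, flow_label, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!IHBB16s16s", (6 << 28) | (flow_label & 0xFFFFF), len(udp), UDP, 64,
                     ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return ip + udp


# Constructed samples: documentation-range addresses, made-up content.
SAMPLE_V4_PAYLOAD = b"POST /report HTTP/1.1\r\n\r\nbot-status-body"
SAMPLE_V4 = build_ipv4_tcp("198.51.100.23", "203.0.113.10", 51234, 80, SAMPLE_V4_PAYLOAD)
SAMPLE_V6 = build_ipv6_udp("2001:db8::17", "2001:db8:ff::1", 40000, 53, 0xABCDE, b"\x00" * 12)
```

A truncated header raises rather than yielding a partial record, and the returned record carries the payload's length but none of its bytes.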
The investigation concerns possible violations by Peter Yuryevich Levashov, aka Petr Levashov, Peter Severa, Petr Severa, and Sergey Astakhov of, inter alia, 18 U.S.C. §§ 371 (conspiracy to commit fraud and related activity in connection with computers and fraud and related activity in connection with electronic e-mail), 1030 (fraud and related activity in connection with computers), 1037 (fraud and related activity in connection with electronic e-mail), 1343 (wire fraud), and 2511 (illegal wiretapping).

15. The conduct being investigated involves the illegal use of computers infected with malicious software known as Kelihos. To further the investigation, and to implement the disruption plan authorized by the TRO, investigators need to obtain the dialing, routing, addressing, and signaling information of communications sent by the Kelihos malware to the substitute servers and other infrastructure established by the Government pursuant to the TRO. Such evidence will help to establish the number and identity of victim computers and assist with remediation to be undertaken by the private sector.

16. The pen-trap devices sought by this application will record, decode, and/or capture dialing, routing, addressing, and signaling information the Kelihos malware sends to the substitute servers and other infrastructure established by the Government pursuant to the TRO, including the date, time, and duration of the communication.

GOVERNMENT REQUESTS

17. For the reasons stated above, the United States requests that the Court enter an Order authorizing the installation and use of pen-trap devices to record, decode, and/or capture the dialing, routing, addressing, and signaling information described above for each communication sent by the Kelihos malware to the substitute servers and other infrastructure established by the Government pursuant to the TRO, to include the date, time, and duration of the communication. The United States does not request and does not seek to obtain the contents of any communications, as defined in 18 U.S.C. § 2510(8).

18. The United States further requests that the Court authorize the foregoing installation and use for a period of sixty days from the date of the Court's Order, pursuant to 18 U.S.C. § 3123(c)(1).

19. The United States further requests that this application and any resulting Order be sealed until further order of the Court, pursuant to 18 U.S.C. § 3123(d)(1).

20. The United States further requests that the Clerk of the Court provide the Department of Justice with certified copies of this application and Order, and provide copies of this Order to the FBI upon request.

21. The foregoing is based on information provided to me in my official capacity by agents of the FBI. I declare under penalty of perjury that the foregoing is true and correct.

Executed on April 4, 2017.

BRYAN SCHRODER
Acting United States Attorney

By: /s/ Yvonne Lamoureux
YVONNE LAMOUREUX
ADAM ALEXANDER
Assistant U.S. Attorneys
District of Alaska

KENNETH A. BLANCO
Acting Assistant Attorney General

By: /s/ Ethan Arenson
ETHAN ARENSON
HAROLD CHUN
Trial Attorneys
Computer Crime and Intellectual Property Section


IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ALASKA

UNITED STATES OF AMERICA, Plaintiff,

v.

PETER YURYEVICH LEVASHOV, a/k/a "Petr Levashov," "Peter Severa," "Petr Severa," and "Sergey Astakhov," Defendant.

Case No. 3:17-cv-00074-TMB
FILED EX PARTE AND UNDER SEAL
Case 3:17-cv-00074-TMB *SEALED* Document 10 Filed 04/05/17

Plaintiff, the United States of America, has filed a complaint for injunctive relief pursuant to 18 U.S.C. §§ 1345 and 2521, based on the Defendant's violations of 18 U.S.C. §§ 1343 and 2511. The Government has also moved ex parte for a Temporary Restraining Order and an Order to Show Cause Re Preliminary Injunction pursuant to Rule 65(b) of the Federal Rules of Civil Procedure and 18 U.S.C. §§ 1345(a)(1) and 2521.

Having reviewed the papers, declaration, and memorandum filed in support of the Government's Motion for a Temporary Restraining Order and Order to Show Cause Re Preliminary Injunction, the Court hereby makes the following findings of fact and conclusions of law:

1. This Court has jurisdiction over the subject matter of this case and there is good cause to believe that it will have jurisdiction over all parties hereto; the Complaint states a claim upon which relief may be granted against the Defendant under 18 U.S.C. §§ 1345 and 2521.

2. There is good cause to believe that the Defendant has engaged in and is likely to engage in acts or practices that violate 18 U.S.C. §§ 1343 and 2511, and that the Government is, therefore, likely to prevail on the merits of this action.

3. There is good cause to believe that, unless the Defendant is restrained and enjoined by Order of this Court, immediate and irreparable harm will result from Defendant's ongoing violations of 18 U.S.C. §§ 1343 and 2511. The evidence set forth in the Government's Memorandum of Law, and the accompanying declaration, demonstrate that the Government is likely to prevail on its claim that the Defendant has engaged in violations of 18 U.S.C. §§ 1343 and 2511 by:

   a. intentionally infecting hundreds of thousands of computers with malicious software ("malware") designed to steal user credentials from infected computers and to enlist those computers into the Kelihos "botnet" (a network of other infected computers controlled by the Defendant);

   b. using Kelihos malware to propagate spam email messages that promote counterfeit drugs, pump-and-dump stock schemes, fraudulent employment opportunities, and other frauds;

   c. using Kelihos malware to install other malware variants on infected computers, including ransomware and banking Trojans; and

   d. using Kelihos malware to intercept victims' communications, including online credentials, without authorization.

4. There is good cause to believe that if such conduct continues, it will cause irreparable harm to both individuals and businesses in the United States. There is also good cause to believe that the Defendant will continue to engage in such unlawful actions if not immediately restrained from doing so by Order of this Court.

5. Based on the evidence cited in the Government's Memorandum of Law and accompanying declaration and exhibits, the Government is likely to be able to prove that the Defendant is engaged in activities that violate United States law and harm members of the public, and that the Defendant has continued his unlawful conduct despite the clear injury to members of the public.

6. There is good cause to believe that providing the Defendant with advance notice of this action would cause immediate and irreparable damage to this Court's ability to grant effective final relief. Based on the evidence cited in the Government's Memorandum of Law and accompanying declaration, there is good cause to believe that - if the Defendant was to be notified in advance of this action - the Defendant would relocate his servers and/or command and control infrastructure, change the coding of his malware, or otherwise implement measures to blunt or defeat the Government's planned disruption effort.

7. The Government's request for this ex parte relief is not the result of any lack of diligence on the Government's part, but instead is based upon the nature of Defendant's illegal conduct. Therefore, in accordance with Fed. R. Civ. P. 65(b), good cause and the interests of justice require that this Order be granted without prior notice to Defendant, and accordingly, the Government is relieved of the duty to provide the Defendant with prior notice of the Government's Application.

8. The Government has demonstrated good cause to believe that Defendant has directed his illegal activity at individuals and businesses located in the District of Alaska by, among other things, infecting numerous computers in this District with Kelihos, unlawfully intercepting the communications of persons in this District, and by directing fraudulent spam email messages to persons in this District.

9. The Government has demonstrated good cause to believe that to immediately halt the injury caused by the Defendant, the Defendant must be prohibited from infecting computers with Kelihos and from communicating with existing computers infected with Kelihos.

10. The Government has demonstrated good cause to believe that the Defendant has used, and will use in the future, the domain names gorodkoff.com, goloduha.info, and combach.com to commit violations of 18 U.S.C. §§ 1343 and 2511 in connection with the Kelihos malware. There is good cause to believe that to immediately halt the Defendant's illegal activity and to prevent further harm to individuals and businesses in the United States, the gorodkoff.com, goloduha.info, and combach.com domains must be immediately: 1) made inaccessible to the Defendant; and 2) redirected to name-servers identified by the FBI.

11. There is good cause to permit service of documents filed in this case that have been unsealed by this Court, and any unsealed Orders entered by the Court in response thereto, as provided below, given the exigency of the circumstances, the need for prompt relief, and the fact that the Defendant will be in the custody of Spanish law enforcement. The Government will provide notice through each of the following methods, which provide due process, satisfy Fed. R. Civ. P. 4(f)(3), and are reasonably calculated to provide notice to the Defendant:

   a. personal service on the Defendant to be effected by U.S. or Spanish law enforcement or, if personal service is impossible, by certified mail to the Defendant at the Spanish custodial facility;

   b. personal service upon any attorney representing the Defendant in Spain;

   c. via publication on the Internet web sites of the Department of Justice or the Federal Bureau of Investigation.

TEMPORARY RESTRAINING ORDER AND ORDER TO SHOW CAUSE

IT IS THEREFORE ORDERED that the Defendant, his representatives, and persons who are in active concert or participation with him are temporarily restrained and enjoined from using malicious software or code in furtherance of any scheme to commit wire fraud or to engage in unauthorized interception of electronic communications, and in particular, are prohibited from running, controlling, or communicating with software known as Kelihos, on any computer not owned by the Defendant.

IT IS FURTHER ORDERED that the Government shall establish substitute server(s) and other computer infrastructure as specified in the Government's Memorandum of Law that, in conjunction with the relief ordered below, will replace the Defendant's command and control infrastructure for the Kelihos botnet and sever the Defendant's connection to the infected computers in the Kelihos botnet. Pursuant to the Pen Register Trap and Trace Order signed by this Court, the Government is authorized to collect dialing, routing, addressing and signaling ("DRAS") information from the Kelihos-infected computers that connect to the infrastructure created pursuant to this Order. The Government shall ensure that no electronic content or other non-DRAS information is collected when victim computers connect to the infrastructure established pursuant to this Order.

IT IS FURTHER ORDERED that, with respect to the domains gorodkoff.com, goloduha.info, and combach.com, the applicable Domain Registry identified below shall take the following actions:

   .com    VeriSign, Inc.
           12061 Bluemont Way
           Reston, VA 20190

   .info   Afilias USA, Inc.
           Building 3, Suite 105
           300 Welsh Road
           Horsham, PA 19044

   1. Take all reasonable measures to redirect the domains to the substitute servers which will be identified by the FBI;

   2. Take all reasonable measures to propagate the foregoing changes through the Domain Name System as quickly as practicable;

   3. Prevent any further modification to, or transfer of, the domains without the previous authorization of this Court;

   4. Refrain from providing any notice or warning to, or communicating in any way with Defendant or Defendant's representatives and refrain from disclosing this Order until such time as this Order is no longer under seal, except as necessary to execute this Order;

   5. Provide reasonable assistance in implementing the terms of this Order and take no action to frustrate the implementation of this Order.

IT IS FURTHER ORDERED that copies of the Court Filings shall be served by each of the following methods:

   a. personal service on the Defendant to be effected by U.S. or Spanish law enforcement or, if personal service is impossible, by certified mail to the Defendant at the Spanish custodial facility;

   b. personal service upon any attorney representing the Defendant in Spain;

   c. via publication on the Internet web sites of the Department of Justice or the Federal Bureau of Investigation.

IT IS FURTHER ORDERED that pursuant to Federal Rule of Civil Procedure 65(b) the Defendant shall appear before this Court on April 12, 2017 at 2:00 p.m. to show cause, if there is any, why this Court should not enter a Preliminary Injunction, pending final ruling on the Complaint against the Defendant, enjoining him from the conduct temporarily restrained by the preceding provisions of this Order.

IT IS FURTHER ORDERED that the Defendant shall file with the Court and serve on the Government any answering affidavits, pleadings, motions, expert reports or declarations and/or legal memoranda no later than two (2) days prior to the hearing on the Government's request for a preliminary injunction. The Government may file responsive or supplemental pleadings, materials, affidavits, or memoranda with the Court and serve the same on counsel for the Defendant no later than one (1) day prior to the preliminary injunction hearing in this matter. Provided that service shall be performed by personal or overnight delivery, facsimile or electronic mail, and documents shall be delivered so that they shall be received by the other parties no later than 4:00 p.m. (Eastern Time) on the appropriate dates listed in this paragraph.

IT IS FURTHER ORDERED that this Order shall expire on the 12th day of April 2017, at 2:00 p.m. [not to exceed 14 days], subject to the further order of this Court.

Entered this 3rd day of April, 2017 at 2:15 p.m., in Anchorage, Alaska.

TIMOTHY M.