WASHINGTON, March 12 (By Carl Schreck for RIA Novosti) – The online leak of US celebrities’ and government officials’ private financial details—including first lady Michelle Obama’s—has cast a fresh spotlight on .su, the Soviet Union’s old Internet domain suffix that security experts say has become a haven for cybercriminals two decades after the superpower’s collapse.
“It has definitely become a popular domain for cybercriminals, and not just in Russia,” Hemanshu Nigam, a former Justice Department prosecutor who runs the online security advisory firm SSP Blue, told RIA Novosti on Tuesday.
The purportedly stolen information was first posted on a website with a .su suffix Monday and included alleged personal and financial details for 17 US celebrities and politicians as of Tuesday afternoon.
The hackers posted Michelle Obama’s Social Security number, phone numbers, mortgage information and credit card details.
US Secret Service spokesman Brian Leary told RIA Novosti on Tuesday that his agency is investigating how Michelle Obama’s personal information wound up on the website.
Targets also included Vice President Joe Biden, Hollywood star and former California Gov. Arnold Schwarzenegger, socialite and reality television star Kim Kardashian, and former US first lady, senator and Secretary of State Hillary Clinton.
The Justice Department said Monday the US Federal Bureau of Investigation (FBI) is investigating how FBI Director Robert Mueller’s Social Security number, address and credit report were obtained and posted on the site, The Associated Press reported.
And the Los Angeles Police Department (LAPD) is investigating how Los Angeles Police Chief Charlie Beck’s financial information and address ended up on the website.
Cybercriminals began migrating to .su from the Russian domain suffix .ru several years ago because of pressure by US law enforcement authorities on their Russian counterparts to crackdown on Internet crime associated with the domain, Nigam said.
“The .ru domain was being used by criminals pretty ferociously,” he said.
Cybercriminals’ transition from .ru to .su domains was also noted last year by the Swiss security site Abuse.ch, which described the migration as emblematic of the cat-and-mouse game in which criminals seek out new top-level domains (TLDs), the technical term for the part of a web address’ suffix to the right of the period.
“Criminals have already noticed that their domains are getting shut down much faster,” the website wrote. “So they started to look for another [top-level domain] to use for their dirty business and found a TLD that nearly has been forgotten: the TLD .su.”
The .su suffix was originally created in September 1990 during the twilight of the Soviet Union. The country broke apart 14 months later, but the little-used .su was never scrapped.
Many of the sites registered under the .su domain are dedicated to Soviet themes—Stalin.su, for example—and the web suffix was even snapped up by the pro-Kremlin youth group Nashi for its Nashi.su website.
As of Jan. 13, of this year, there were 116,257 websites registered under the .su domain.
The .su domain is “one of a basket” of web address suffixes noted for “nefarious activities,” said Carl Herberger, vice president of security solutions for the Israel-based network security firm Radware’s operations in the Americas.
But many cybercriminals set up shop only temporarily at a given domain name, Herberger said.
“They’re on the move all the time,” he said.
A background search Tuesday on the origin of the site, which RIA Novosti is not identifying to protect the private information of those mentioned on the site, linked it to a California-based Internet provider (IP) address registered to CloudFare, a company that says it works to improve website performance, speed and security.
A CloudFare spokeswoman she was unaware of the site in question and was not at liberty to discuss client information.
She told RIA Novosti, however, that the company’s services are not designed to mask the identity of a sites’ owner, and if a site is found to be in violation of copyright or privacy law, it is company policy to release ownership information.
It is common for cybercriminals to mask their country of origin, so it is unlikely that this week’s purported theft of the celebrities’ and politicians’ financial information actually happened in Russia, cybersecurity expert John Sileo told RIA Novosti.
“They set it up in a country or a domain, making it look like it’s happening there from an [Internet provider] standpoint, because it kind of takes the heat off of where it’s actually happening,” he said.
“Why would you alert the police to the house you’re going to rob?”
Correspondent Sasha Horne contributed to this report.
Updated with a comment from the US Secret Service
