Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Russian hackers raid largest online gaming operation and destroy data in blackma

Russian hackers raid largest online gaming operation and destroy data in blackma

by Nikola Strahija on February 24th, 2003 Three weeks ago, in a stunning raid, Russian hackers seized control of the servers that support one of the Internet's largest online gaming operations, demanding a ransom. It was a real-life, high-tech version of the movie Ocean's Eleven. By the time the ransom was paid, one key server -- the one containing all operational data for 120 Internet gaming sites and a long list of consulting clients -- seemed to be stripped of its data.


At stake were all the operational records of a gambling empire. "We didn't even have the names of customers," says Juan Bonilla, executive vice-president of Grafix Softech F.A. of San Juan, Costa Rica. "We lost everything." To make matters worse, little, if any, of the data had been backed up off-site. Grafix Softech was losing an estimated US$75,000 a day in profits, and the incident left it open to lawsuits from customers whose businesses relied on Grafix Softech's services. What could have been a major disaster became a bump in the corporate road. In an amazing feat of ingenuity, CBL Data Recovery Technologies Inc. of Markham, Ont., managed to recover all the lost data. It was a close call, admits Bill Margeson, president of CBL.

"We got the hard drives late Sunday, Feb. 9. By Tuesday, we were ready to throw in the towel; it looked hopeless," he says. "Then on Wednesday, on a conference call, one of our guys in San Diego had this terrific insight. One of our London guys added to it, and by Friday we were able to get Juan back on a plane to Costa Rica with all the records restored." The trouble started Feb. 5, when all of the sites supported by Grafix Softech suddenly went down. The company's support staff found that Russian hackers had managed to bypass firewalls and other security systems and insert a virus into the five servers Grafix uses for its online operations. Four of them support the sites and one contains all operational data. The virus encrypted all information on the servers. "It was akin to hacking into the Pentagon," Mr. Margeson says. "Grafix had state-of-the-art security. These hackers were ingenious." The hackers demanded a ransom in return for the key to the encryption code. Grafix paid up. Mr. Bonilla flatly refuses to discuss the amount of the ransom. In fact, he will not even confirm that one was demanded. Paying the ransom did not mark the end of the company's problems. On Feb. 6, the hackers supplied a key to undo the encryption. It worked for the four servers supporting Internet operations, but had the opposite effect on the server containing the operational data. Grafix called CBL in Markham.

The encryption key or the way Grafix support staff used it deleted almost all the data from the database server.

"The hackers sort of said 'too bad' and suggested Grafix use an industrial program to restore the data," Mr. Margeson says. "It did not work."

By Sun., Feb. 9, the situation looked bleak. CBL used the Internet to connect remotely with Grafix servers in Costa Rica to inventory the problem, Mr. Margeson says.

"We were able to show that there would not be a quick fix. There were 11 separate problems, some caused by the hackers, some caused by Grafix's own attempts to recover data," he says. "We told Juan to bring the hard drives to Toronto as quickly as he could get here."

Mr. Bonilla packed five 36-gigabyte hard drives and a 54-gigabyte database into his carry-on luggage and flew from San Juan to San Salvador to Havana to Toronto, via the only flights available. By 9:30 p.m. Sunday night, the hard drives and database were in CBL's Markham laboratory and a round-the-clock race for a solution began.

"We had great difficulty right from the start," Mr. Margeson says. "There were great patches of data missing and what was still on the disk was garbled. There was just too much empty space; there was nothing to piece together."

Then, late on Tues., Feb. 11, during a conference call, one of CBL's San Diego staff came up with the answer. Data on SQL servers are contained in 32-kilobyte pages, all of which are numbered in sequence. If CBL could just look for page numbers, it could retrieve all those tiny pages and then reassemble them in order. The fact that the data had been deleted from the drives would not be an impediment: Deleted data can be recovered as long as it has not been overwritten, Mr. Margeson explains. All that changes with deleted data is the path to that data.

The task was akin to taking all the pages from an encyclopedia, throwing them in the air, and then reassembling them and rebinding them in the proper order. CBL wrote a software program that did just that.

"On Monday, we thought we could recover some of the data. On Tuesday, we figured we would be lucky to recover any of it. By late Wednesday we knew we could recover everything," Mr. Margeson says.

The next day, Mr. Bonilla was on his way back to San Juan, recovered data in hand. Grafix was back in business that weekend.

"I am very grateful to CBL," Mr. Bonilla says. "They performed almost a miracle and did it for a reasonable fee." The cost to Grafix was $35,000, charged on a no-cure-no-fee basis.

While CBL is, of course, pleased to earn the money, the real kick was the learning experience, Mr. Margeson says. "We learned new technology big time with this one. This project punched way beyond the limits for us."

- article avilable at http://www.securitynewsportal.com/ -


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »