Nine months after German police raided a Cold War-era bunker and shut down the group operating the cybercriminal service, command-and-control (C2) traffic and other network data continue to attempt to use the Internet address space assigned to the group, according to an analysis published by the SANS Technology Institute on Tuesday.
The analysis, part of a master's thesis, found that many telltale signs of the cybercrime operation continued to trickle in through the Internet. Much of the traffic appears to be related to potential botnet C2 servers, which could have been hosted at the operation but also includes phishing activity, pornographic content, advertising fraud, and potential signs of denial-of-service attack operations.
The analysis shows that automate cybercriminal infrastructure will continue to produce traffic and could provide defenders with information on computers infected with botnet clients and other compromised hosts, says Karim Lalji, a managing security consultant at Canadian telecommunications firm TELUS and author of the report.
"While this isn't anything new, it does astonish me how much activity is still going on almost nine months after the hosting facility was raided by law enforcement," Lalji says. "The servers were literally taken off the property and ripped apart by forensic analysts, yet there's still so much traffic."
The analysis yields interesting insight into the scale of operations of a well-known cybercriminal operation. A significant number of cybercriminal operations that used the CyberBunker services appear to have left behind their automated infrastructure, and that — despite being closed down the prior year — many continue to reach out to the shuttered service.
"One thing we tried to keep in mind is that the networks haven't been 'active' in several months, so while attempts to uncover drug market activity, stolen goods, and illicit content yielded few results, they were very likely there at some point," Lalji says. "The data also had to be sampled due to the sheer size."
The CyberBunker operated in Germany is the second such facility raided by police. In 2013, the first CyberBunker — based in Amsterdam and operated by some of the same people — was shut down by police, following extended distributed denial-of-service attacks against anti-spam coalition SpamHaus.
The facility shut down in 2019, dubbed "CyberBunker 2.0" by the group operating the service, was based on three-acre property in the German town of Traben-Trarbach. In a massive operation, more than 650 federal police officers, including a tactical unit, raided the property in September 2019, reportedly seizing 200 servers, a variety of other technology, and cash. Seven people were arrested, and warrants were issued for another six people. The raid resulted in the shutdown of several dark-market sites, including major sellers of drugs and narcotics.
SANS gained access to the three subnets after the owner of the network sold them a hosting provider, which allowed SANS to capture traffic for analysis.
The analysis filtered out the typical "background noise" that any server connected to the Internet might encounter, including brute-force attacks, vulnerability scans, and searches for open ports. The SANS honeypot system used a network sniffer, instances of Apache web servers and FTP servers, and a firewall.
Lalji warned that only some signs of illegal activity could be captured and that it would be difficult to come to firm conclusions as to what had been hosted on the network.
"Analyzing these requests provides strong indications about network activity but does not necessarily yield conclusive results," Lalji wrote in the report. "Additionally, the adversary group's arrests took place six months before this analysis, increasing the likelihood of a reduction in active illegal traffic in the period leading up to this examination."
One interesting finding, however, is the outsized role that sources in Brazil apparently had as customers of CyberBunker. The analysis showed that Brazil is a top source and destination of packets received by the SANS honeypot. While the volume of network data coming from Brazil put the country at the top of the list, much of the data was produced by a few large sources, Lalji says.
"While there is likely a much bigger variety, a few of the IP top talkers that have geodata associated with Brazilian IPs are associated with DNS," Lalji says.
Other interesting aspects of the analysis include that at least one botnet using the service appeared to hide C2 traffic in Internet Relay Chat traffic passed over the Web (port 80). SANS detected traffic from more than 7,000 unique source addresses. The traffic included as part of the requests almost 2,000 computer names, the report stated.
"This type of traffic pattern is generally too precise to be human-generated," Lalji stated in the analysis. "Based on the behavior of this traffic, it is highly likely to be a result of an IRC botnet, which has traditionally been a popular technique used by adversaries."