
Cloud | News
7/17/2015 11:50 AM
Fahmida Rashid, Contributing Editor

Darkode Shuttered But Cybercrime Still Alive And Well

Major international law enforcement takedown of exclusive criminal hacker forum highlights victory -- and challenges -- of global law enforcement of cybercrime.

Law enforcement authorities may have successfully shut down underground cybercrime forum Darkode and arrested dozens of members around the world, but it remains to be seen what the impact will be on the fight against international cybercrime.

The joint operation announced this week involved officials from the FBI, Europol, and 19 other countries, including Australia, Bosnia and Herzegovina, Brazil, Colombia, Israel, Germany, the United Kingdom, Nigeria, Sweden, Denmark, India, and Romania. The FBI arrested and indicted 12 individuals, while the U.K.'s National Crime Agency arrested 28. The operation, known as Operation Shrouded Horizon, resulted in arrests, searches, and charges against 70 individuals across 20 countries worldwide.

“Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable,” said U.S. Attorney David J. Hickton of the Western District of Pennsylvania on Wednesday, when the indictments were announced.

Darkode was an invitation-only site where criminals could buy and sell stolen data such as personally identifiable information, server credentials, credit card information, and email addresses. Members could also buy, sell, and trade attack tools, information about software and hardware vulnerabilities, botnets, and malware to launch their own attacks.

"It was, in effect, a one-stop, high-volume shopping venue for some of the world's most prolific cyber criminals," the FBI said in its statement announcing the operation.

With between 250 and 300 active members, the forum was considered the most sophisticated English-speaking forum for cybercriminals. Members of the Lizard Squad, a group of pranksters who launched a series of crippling distributed denial-of-service attacks against Microsoft's Xbox 360 and Sony servers last Christmas, were allegedly active on the forum. It appears the two creators of SpyEye, Aleksandr Andreevich Panin of Tver, Russia, and Hamza Bendelladj of Tizi Ouzou, Algeria, advertised the banking Trojan on Darkode. They pleaded guilty and are currently awaiting sentencing, the FBI said.

“Of the roughly 800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world," Hickton said.

Even so, it was not immediately evident what impact the Darkode takedown would have on global cybercrime.

While these operations feel like big victories for law enforcement, they are generally ineffective, says Bogdan Botezatu, a senior e-threat analyst at antivirus company BitDefender. Once a site shuts down, another site reaches out to its customers and fills the void, he says. Cybercrime is not so different from street crime: after a drug dealer is arrested, other dealers move in and pick up the business, he notes. Customers have plenty of other sources for what they need.

"The authorities shut down this board, but everything will be back to normal in 6 months," Botezatu says.

Just because another forum will eventually take Darkode's place doesn't mean the police shouldn't be shutting down these criminal enterprises. Disrupting the supply chain will raise the cost of launching these attacks, says Tim Erlin, director of IT Security and Risk Strategy at Tripwire. "While it certainly doesn’t spell the end of the black market for stolen data and malware, it will make an impact in reducing overall threat for individuals and organizations," he says.

Among the 12 indicted in the US was the site's alleged administrator, a 27-year-old Swede named Johan Anders Gudmunds, whose online handles include Mafi, Crime, and Synthet!c. He was indicted for conspiracy, fraud conspiracy, and money laundering conspiracy, according to the indictment. Gudmunds allegedly operated his own botnet, which at times contained more than 50,000 computers, and used his botnet to steal data on approximately 200 million occasions, the FBI said.

Shutting down Darkode opens a small window of opportunity for law enforcement to pursue those who escaped arrest, since it will take them some time to regroup elsewhere. Botezatu predicts that when the criminals resume operations they will either burrow deeper into the Dark Web or simply move to another one of the many existing forums.

This kind of law enforcement operation requires a tremendous amount of coordination, manpower, and time, Botezatu notes. Investigators spend time monitoring the suspects to gather intelligence before a takedown. The FBI said it was able to infiltrate the forum and interact with the members directly to collect evidence. While each country has different law enforcement entities and task forces, figuring out who to coordinate with and getting all the information to involved parties is a difficult task, he says.

The Darkode takedown just highlights the need for better coordination to speed up these operations, Botezatu says. If the criminal actors don't have the time to reestablish operations because law enforcement is moving quickly and shutting them down, then they don't have the opportunity to utilize sophisticated techniques to evade detection.

Cybercrime is thriving worldwide because there is no universal legal framework to make it easier for law enforcement to work together, Botezatu says. "We trace the attacks back to the operators and we can find the server the attacks originated from, but by the time we get the local police involved to take action, the criminals are long gone," he says.

The fact that the FBI was able to coordinate with authorities in 19 other countries even without an organized process in place shows that this kind of cooperation is still possible, and can be effective.

"Operation Shrouded Horizon is a prime example of why the most effective way to combat cybercrime—which operates globally—is a law enforcement response that also transcends national borders," the FBI said.

