Cops Swarm Global Cybercrime Botnet Infrastructure in 2 Massive Ops

Europol undertook dropper malware botnet takedown while US law enforcement dismantled a sprawling cybercrime botnet for hire.

[Image: a website seized notice. Source: Jeffrey Blackler via Alamy Stock Photo]

Europol and the US Department of Justice are claiming big wins against a large swath of the global cybercrime botnet infrastructure.

Europol coordinated the international effort to neutralize dropper botnet infrastructure for malware strains including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot, the agency said in a statement. The multinational law enforcement operation, which Europol described as the "largest ever operation against botnets," ran from May 27 to May 29 and resulted in the takedown of more than 100 servers suspected of being used to distribute ransomware and other malware. The operation also netted the arrest of four suspects thought to be associated with the botnets.

"The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds," Europol's statement said. "This approach had a global impact on the dropper ecosystem."

Within hours, the Department of Justice shut down the "911 S5" botnet-for-hire operation and arrested its operator. The botnet is suspected of having quietly infiltrated and hijacked more than 19 million IP addresses, which were then rented out to carry out fraud and a wide range of other cybercrime, according to the DoJ statement.

The 911 S5 botnet includes a "client interface" that cybercriminals used to launder money earned by illicit means and illegally move it out of the US, according to the DoJ. In addition, the US estimates that IP addresses linked to 911 S5 were behind 560,000 fraudulent unemployment insurance claims, racking up losses of more than $5.9 billion. The botnet also helped extract millions in payments from US pandemic relief programs, as well as enabling various other scams, the DoJ said.

"Working with our international partners, the FBI conducted a joint, sequenced cyber operation to dismantle the 911 S5 Botnet — likely the world's largest botnet ever," FBI Director Christopher Wray said in a statement on the botnet operation.

Cybersecurity professionals applaud the coordinated and concerted effort to disrupt the fundamental cybercrime infrastructure, but also acknowledge there's still work to be done.

"The recent actions taken against botnets have deep implications for the cybersecurity industry," says Chris Morales, CISO for Netenrich. "These operations disrupt the core infrastructure of cybercrime, targeting networks of compromised devices that are often used for malicious activities, such as DDoS attacks and data theft."

The worst-case scenario after law enforcement crackdowns like these is that the operators reconstitute their networks from the millions of devices that remain infected, according to Toby Lewis, Darktrace's global head of threat analysis.

"Attackers could regain command of a seized domain and swiftly reactivate the compromised devices that have been lying in wait," Lewis says. "Law enforcement must remain vigilant, closely monitoring for any signs of the criminals attempting to establish new command and control servers or resurging botnet activity."

But that worst-case possibility is unlikely to materialize, considering the arrests of the botnet operations' top leadership, says John Bambenek, president at Bambenek Consulting.

"An arrest takes a criminal out of play which, depending on how much of the group was arrested, means those given campaigns aren't coming back," Bambenek says. "Eliminating such a large botnet, assuming they did it in a way that uninstalls the malware and secures the machine, means the criminal ecosystem will have to rebuild significant capacity for malware delivery."

Beyond diminished network capacity, Bugcrowd's founder and chief strategy officer, Casey Ellis, says the takedowns also inflict a psychological cost on the botnet ecosystem.

"The material impact to attackers is that [international law enforcement] just had it laid out to them, very clearly, that there’s a capable, resourced, and persistent threat in play on the defender side," Ellis says.

Tom Gorup, vice president of security services at Edgio, is also encouraged by the collaborative work of law enforcement to disable global botnet operations. But he tempers his enthusiasm with a warning that the fight is far from over for the cybersecurity community.

"The fact that law enforcement was not only able to take down the attacker infrastructure, but also incarcerate individuals involved is tremendous," Gorup explains. "Although this takedown is certain to have a positive impact on the safety of the Internet, our jobs aren't finished yet. Unfortunately, there are many more botnets similar to this."
