The Washington Post

The Cybersecurity 202: International law enforcement took down a leading cybercrime gang

Analysis by
Technology and cybersecurity policy researcher
January 28, 2021 at 7:25 a.m. EST

with Aaron Schaffer

European, U.S., British and Canadian law enforcement teamed up yesterday to take down one of the biggest international cybercrime groups, Europol announced.

The Emotet takedown shows that law enforcement is getting more aggressive against international hackers. But keeping them offline comes with enormous challenges, cybersecurity experts say.

Emotet is one of the world's biggest cybercriminal organizations with affiliates around the world including in Ukraine.

Law enforcement shut down Emotet's "botnet," a network of infected computers used by criminals to scale up their hacking operations, by knocking out all its servers at once, isolating the infections. Computers were then redirected toward law enforcement-controlled infrastructure.  

This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime, Europol said in a news release.

Being able to knock out all the computers at once was key to making sure the network didn't just move to backup services.

"If you are able to knock them all out in a certain way, in a way that they go from about a hundred in number to zero and stay that way, then you have effectively isolated the infections and killed the botnet," James Shank, chief architect of community services at Team Cymru, said in an email.

Team Cymru worked alongside law enforcement to track down the computers at the top of the command and recruited network operators to help with the takedown.

Ukrainian police arrested two hackers involved and are taking measures to arrest others associated with the crimes, Wired reported.

Botnets allow hackers to send malware at scale, supercharging their operations. Emotet's operators sent victims email attachments with infected documents, which, if downloaded, distributed malware allowing hackers to gain access to victims' banking and other financial information. Once a computer is infected, hackers use it to send more malicious emails, creating a network effect.

The Emotet takedown has a wide-reaching impact.

Emotet was involved in roughly 30 percent of all malicious emails by the end of 2019, according to a threat report released by Proofpoint in 2020. In December, Emotet emails reached roughly 100,000 users a day, Check Point reported.

Emotet also sent payloads, or packets of malware, from other notorious hacking operations. Partners included Russia-based operation Trickbot, which is known for an increasingly popular form of malware called ransomware that hackers use to take over the computer systems of organizations like hospitals and schools.

The takedown hobbles Trickbot and those other hacking operations that used Emotet's services.

Killing a botnet for good can be a huge challenge.

Even if law enforcement was able to take out Emotet's network for now, there are ways for the operation to make a comeback, Kimberly Goody, senior manager of cybercrime analysis at FireEye's Mandiant Threat Intelligence says.

That could include building back up its network through new waves of malicious emails and infecting new computers or merging with other hacking operations.

Goody says that key to that answer is who authorities arrested and what their role in the organization was.

“What's important to look for is how important were those individuals to the Emotet operation and if they were important individuals, are there others that have access to the source code?” she says. Because if not that would prevent them from being able to rebuild the botnet as easily.

Arresting hackers is often a difficult task for U.S. law enforcement in these kinds of operations. Many are located in countries unwilling to assist with the arrests, like Russia. 

The Emotet takedown isn't the only recent example of international cooperation against cybercriminals.

The U.S. Justice Department announced yesterday a coordinated effort to disrupt the hacker gang behind NetWalker, a dangerous and popular form of malware.

The FBI arrested one high-profile individual allegedly involved in criminal activity and Bulgarian authorities worked with U.S. authorities to take down online infrastructure supporting the operation. As with the Emotet takedown, it's unclear how long-lasting the impact of the operation will be.

Other recent examples highlight law enforcement challenges.

Experts say it's too early to evaluate how successful law enforcement efforts will be in the long run. But recent history shows that hackers can be quick to rebound from intervention.

U.S. Cyber Command launched efforts to disrupt Trickbot in October, as Ellen Nakashima first reported. The agency hoped to limit threats of ransomware attacks against state or local election offices. 

Microsoft separately launched its own efforts with the same goal in mind that month, but security researchers quickly questioned the plan's effectiveness, Jay Greene reported. A follow-up effort with global partners further hobbled the operation, but the group quickly resurfaced on newly infected devices, as Ellen and Jay reported.

Cybersecurity professionals see the Emotet operation as progress.

“I think this does show a lot of international cooperation,” says Goody, pointing to the combined takedowns and arrests. “I do think in this case it has the potential to have more impact because of that.”

Other cybersecurity professionals agreed.

“Europol’s announcement highlights the importance of global collaboration among countries and law enforcement to take decisive action to disrupt prolific botnets and stop cyber criminals,” CrowdStrike’s senior vice president of intelligence Adam Meyers said.

Meyers added that CrowdStrike Intelligence, which has been tracking Emotet since 2014, has already seen Emotet “substantially impacted” but cautions “it is unsure what future implications of the operations will look like.”

Shank also cautioned against thinking Emotet was dead for good.

“Our day one observations clearly show this activity is a success so far,” he wrote in an email. “Sadly botnets are notoriously resilient and botnet operators are motivated to rebuild their criminal enterprises. Only time will tell if we have seen the end of Emotet.”

Correction: This article was updated to clarify Cyber Command is not a part of the National Security Agency. 

The keys

The United States is looking ‘very urgently’ at the SolarWinds attack and implications, Blinken says on first day as top diplomat.

Newly confirmed Secretary of State Antony Blinken told reporters the SolarWinds attack and its implications were among the recent Russian actions of “deep concern” to American policymakers. Blinken, who made the remarks in his first news briefing with reporters at the State Department, said the hack was among the issues under review by the Biden administration.

“We’re looking very urgently as well at SolarWinds and its various implications,” Blinken said, continuing to keep the heat on Moscow one day after President Biden's call with Russian President Vladimir Putin, which also touched on the cyberattack.

At her Wednesday confirmation hearing to be Biden’s energy secretary, former Michigan governor Jennifer Granholm said the department will have “a person at a very high level that is responsible for making sure that the response to this is coordinated,” while also signaling her openness to hardening the security of the U.S. electrical grid. 

The Energy Department was among the federal agencies hacked during the breach, with its National Nuclear Security Administration and the Federal Energy Regulatory Commission also reportedly believed to have been hit.

The Justice Department says thousands were fooled into casting fake ballots by text message in 2016.

Right-wing social media influencer Douglass Mackey, who went by the name Ricky Vaughn, was charged with conspiring to push election misinformation in the run-up to the 2016 election. His ads appeared to be designed to target minority voters by duping them into voting by text message, which is not a valid form of voting in the U.S. The Justice Department says that more than 4,900 unique phone numbers texted the phone number on or before Election Day. If convicted, Vaughn could face up to 10 years in prison.

Education sector hit especially hard by cyberattacks, a new report says.

The education sector — which is now heavily reliant on online learning — is the hardest hit, identity management software firm Okta said today in a new report. 

“Sectors that are highly distributed right now, such as education, have a large attack surface with fewer financial resources than industries like healthcare, which are highly-regulated and often more tightly contained,” the report says, noting that its ratio of detected threats to authentications is twice as large as in finance and banking, and more than five times as large as in health care and pharmaceuticals. 

The U.S. government has taken notice, with the FBI and Department of Homeland Security issuing an alert last year on attacks on K-12 schools. Just this week, CISA launched a campaign to combat ransomware attacks, with a focus on K-12 schools and organizations responding to the coronavirus pandemic.

But there is some cause for celebration, Okta said, noting that security practices have improved in recent months. The company said fewer of its customers are using weak verification tools, such as SMS and security questions, and more are using its multi-factor authentication tool.

Two senators are reintroducing a bill to boost the National Guard's cyber support role.

The bill, which is being reintroduced by Sens. John Cornyn (R-Tex.) and Maggie Hassan (D-N.H.) would make it easier for the National Guard to help state and local governments improve cybersecurity infrastructure. 

They're hoping that a recent massive hack against the government will add urgency to the legislation.

“We have seen unprecedented cyberattacks throughout the country this past year — most notably the SolarWinds attack, but also cyberattacks on schools, hospitals, and state and local governments amid the COVID-19 pandemic,” Hassan said in a statement. “These attacks can be just as devastating as emergencies that the National Guard already provides assistance with…”

Daybook

  • The House Energy and Commerce Committee holds its formal organizational meeting today at 1 p.m.
  • Army Cyber Command’s leader, Lt. Gen. Stephen G. Fogarty, and other officials speak at Vanguard Canada's C4ISR and Beyond conference today and Friday.

Secure log off