International Operations Target Cybercrime Networks in Asia and Europe

May 22, 2017

An operation targeting cybercrime across Asia has resulted in the identification of nearly 9,000 Command and Control servers and hundreds of compromised websites, including government portals.

The operation, run out of the INTERPOL Global Complex for Innovation, brought together investigators from Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam to share information on specific cybercrime situations in each country. Additional cyber intelligence was also provided by China.

Experts from seven private sector companies – Trend Micro, Kaspersky Lab, Cyber Defense Institute, Booz Allen Hamilton, British Telecom, Fortinet and Palo Alto Networks – also took part in pre-operational meetings in order to develop actionable information packages.

Information provided by the private sector combined with cyber issues flagged by the participating countries enabled specialists from INTERPOL’s Cyber Fusion Centre to produce 23 Cyber Activity Reports. The reports highlighted the various threats and types of criminal activity that had been identified, and outlined the recommended action to be taken by the national authorities.

Analysis identified nearly 270 websites infected with a malware code which exploited a vulnerability in the website design application. Among them were several government websites, which may have contained personal data of their citizens.

A number of phishing website operators were also identified, including one with links to Nigeria, with further investigations into other suspects still ongoing. One criminal based in Indonesia selling phishing kits via the Darknet had posted YouTube videos showing customers how to use the illicit software.

The threats posed by the 8,800 servers found to be active across eight countries included various malware families including those targeting financial institutions, spreading ransomware, launching Distributed Denial of Service (DDoS) attacks and distributing spam. Investigations into the servers are ongoing.

Meanwhile, a joint investigation by Spanish and British law enforcement authorities, coordinated by Europol and its Joint Cybercrime Action Taskforce (J-CAT), has resulted in the dismantling of an international cybercrime group involved in the design, development and selling of sophisticated software tools to render all types of malicious malware infecting thousands of computers worldwide undetectable by security products.

As a result of the investigation, five individuals were arrested (three in Spain and two in the United Kingdom), and various premises searched in Barcelona, the Canary Islands and Liverpool. As a result of the searches in Spain, investigators seized six hard drives, a laptop, two external storage devices, eight Bitcoin mining devices and numerous documents.

The tools developed by the crime group were used worldwide for the distribution of Remote Access Trojans and key loggers – malicious software that takes full control of the victim’s computer stealing private and personal information. The tools were promoted on hacking forums in exchange for payments, usually in Bitcoins.

Investigations revealed that the criminal group has carried out its illicit activities since mid-2013, producing substantial profits.

Kylie Bull began her career in television news at ITN in the UK before moving to print journalism. She has been an editor at IHS Jane's for sixteen years, where she continues today, and was recently the managing editor at Homeland Security Today. Bull has reported on a wide variety of security, geopolitical and counterterrorism subjects and has interviewed world leaders such as Russian President Vladimir Putin and UK Prime Minister Theresa May.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.