Concluding a four year long investigation of various multinational law enforcement agencies including Europol, the FBI and the US Justice Department, international criminal infrastructure platform known as ‘Avalanche' has been dismantled.
The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated £5 million (6 million euros) in damages in concentrated cyber-attacks on online banking systems in Germany alone.
In addition, the monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of euros worldwide, although exact calculations are difficult due to the high number of malware families managed through the platform.
The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seised.
Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seised, sinkholed or blocked.
On the action day, Europol hosted a command post at its headquarters in The Hague. From there, representatives of the involved countries worked together with Europol's European cyber-crime Centre (EC3) and Eurojust officials to ensure the success of such a large-scale operation.
In addition Europol supported the German authorities throughout the entire investigation by assisting with the identification of the suspects and the exchange of information with other law enforcement authorities. Europol's cyber-crime experts produced and delivered analytical products.
Eurojust's Seconded National Expert for cyber-crime assisted by clarifying difficult legal issues that arose during the course of the investigation. Several operational and coordination meetings were also held at both Europol and Eurojust.
Julian King, European Commissioner for the Security Union, said: "Avalanche shows that we can only be successful in combating cyber-crime when we work closely together, across sectors and across borders. Cyber-security and law enforcement authorities need to work hand in hand with the private sector to tackle continuously evolving criminal methods. The EU helps by ensuring that the right legal frameworks are in place to enable such cooperation on a daily basis."
Rob Wainwright, Europol Director, said: “Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cyber-crime. The complex trans-national nature of cyber-investigations requires international cooperation between public and private organisations at an unprecedented level to successfully impact on top-level cyber-criminals. Avalanche has shown that through this cooperation we can collectively make the internet a safer place for our businesses and citizens.”
The criminal groups have been using the Avalanche infrastructure since 2009 for conducting malware, phishing and spam activities. They sent more than one million emails with damaging attachments or links every week to unsuspecting victims.
The investigations commenced in 2012 in Germany, after encryption ransomware infected a substantial number of computer systems, blocking users' access. Millions of private and business computer systems were also infected with malware, enabling the criminals operating the network to harvest bank and email passwords.
With this information, the criminals were able to perform bank transfers from the victims' accounts. The proceeds were then redirected to the criminals through a similar double fast flux infrastructure, which was specifically created to secure the proceeds of the criminal activity.
The loss of some of the network's components was avoided with the help of its sophisticated infrastructure, by redistributing the tasks of disrupted components to still-active computer servers. The Avalanche network was estimated to involve as many as 500,000 infected computers worldwide on a daily basis.
What made the 'Avalanche' infrastructure special was the use of the so-called double fast flux technique. The complex setup of the Avalanche network was popular amongst cyber-criminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action.
Malware campaigns that were distributed through this network include around 20 different malware families such as Goznym, Marcher, Matsnu, Urlzone, Xswkit, and Pandabanker. The money mule schemes operating over Avalanche involved highly organised networks of “mules” that purchased goods with stolen funds, enabling cyber-criminals to launder the money they acquired through the malware attacks or other illegal means.
In preparation for this joint action, the German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analysed over 130 TB of captured data and identified the server structure of the botnet, allowing for the shutdown of thousands of servers and, effectively, the collapse of the entire criminal network.
The successful takedown of this server infrastructure was supported by INTERPOL, the Shadowserver Foundation, Registrar of Last Resort, ICANN and domain registries involved in the takedown phase. INTERPOL has also facilitated the cooperation with domain registries. Several antivirus partners provided support concerning victim remediation.