Published on December 5th, 2016 | by Elpida Tsiaka
‘Avalanche’ network dismantled in international cyber operation
On December 1st, 2016, Europol supported law enforcement authorities from 30 countries in dismantling an international bulletproof criminal server infrastructure. The network was used for malware attacks and money mule recruiting campaigns and caused an estimated EUR 6 million in damages to online banking systems in Germany alone. The overall monetary losses associated with malware attacks performed using the Avalanche network are estimated to be in the hundreds of millions of Euros worldwide.
The global effort to take down this network relied on the close cooperation of prosecutors and investigators with cybersecurity authorities and private partners. As a result, five individuals were arrested, 37 premises were searched, and 39 servers were seized. A further 221 servers were taken offline through abuse notifications sent to their hosting providers. The operation marks the largest-ever use of sinkholing against botnet infrastructure: the botnet's domains are redirected to servers controlled by the investigators, so that infected machines connecting to them can be identified and counted instead of reaching the criminals' control servers. Over 800 000 domains were seized, sinkholed or blocked, and victims of malware infections were identified in over 180 countries, a scale without precedent.
On the action day, Europol hosted a command post at its headquarters in The Hague. From there, representatives of the involved countries worked together with Europol’s European Cybercrime Centre (EC3) and Eurojust officials to ensure the success of such a large-scale operation.
In preparation for this joint action, the German Federal Office for Information Security (BSI) and the Fraunhofer-Institut für Kommunikation, Informationsverarbeitung und Ergonomie (FKIE) analysed over 130 TB of captured data and mapped the server structure of the botnet, allowing for the shutdown of thousands of servers and, effectively, the destruction of the entire network.
The successful dismantlement of the criminal server infrastructure was supported by Interpol, the Shadowserver Foundation, the Registry of Last Resort, ICANN and the domain registries involved in the takedown phase. Swift cooperation was of the essence: the criminal network's central servers changed domain names and moved every 5 minutes, across borders and around the world. This is a fast-flux design, in which the DNS records pointing at the command-and-control servers are rotated at short intervals, so a block or seizure that reaches only a single domain or host is outrun within minutes; only a coordinated, simultaneous action across registries and hosting providers can defeat it.