DDoS Protection , Next-Generation Technologies & Secure Development , Security Operations

Police Reveal Botnet Herders' Disaster Recovery Secrets

Cybercriminals Increasingly Tap Backup Botnets, Bitcoins

Steven Wilson, head of Europol's EC3 (Photo: Mathew Schwartz/ISMG)

Over the past few years, police in Europe and the United States have scored some notable botnet-busting successes, disrupting malicious infrastructure and in some cases also identifying and arresting the "botnet herders" and other cybercriminals involved (see Dorkbot Botnets Get Busted).

See Also: Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

But other cybercrime gangs and fraudsters who rely on botnets and malware to generate illegal profits have been adapting. "What we're seeing is the bad guys are starting to learn from this," said Steven Wilson, head of the European Cybercrime Center at Europol - the EU's law enforcement agency - at a recent cybersecurity conference. "They now have their disaster recovery plans. They're the ones who can be back up and running within a day to two days."

Wilson delivered those remarks in his keynote presentation at the May 10 "International Conference on Big Data in Cyber Security" hosted by Edinburgh Napier University in Scotland. He provided some new insights into law enforcement agencies' cybercrime-related investigative techniques. Wilson has led EC3 since January. Previously, the 30-year veteran of Police Scotland oversaw all cyber and cyber-enabled crime investigations across Scotland.



Steven Wilson, who heads Europol's EC3, discusses cybercrime trends at the May 10 conference.

Criminals' reliance on backup botnets was also described by Andy Settle, head of special investigations at security firm Forcepoint, formerly known as Raytheon Websense, who told the conference that many gangs are "preparing smaller botnets as a resilient infrastructure so that I can lose one, and I still have six to seven of them." Keeping fully functional backup botnets small means they frequently evade detection by security researchers or law enforcement agencies, he added.

Botnet-using criminals, of course, have an economic incentive to utilize disaster recovery best practices to keep their malicious infrastructure humming. Indeed, botnets can generate outsize profits for gangs who steal online banking credentials to commit fraud, infect PCs with ransomware or turn infected "zombie" endpoints into spam, phishing and distributed denial-of-service attack relays.

Wilson said that disrupting botnets via sinkholing - forcibly redirecting infected, "zombie" endpoints to servers controlled by authorities, thus blocking attackers' access to them - can give law enforcement agencies new insights into how the latest botnets are being built and deployed, provided they can master related "big data" challenges.

"In the last two to three years, we've seen significant developments with botnets - 3 million, 4 million, 5 million controlled computers. The amount of data that's coming from the sinkholing that we do to prevent the actual attacks from them, again we've got a massive resource in there to look at," he said. "The important thing for us is to look at this and say, 'How can we actually more effectively analyze that data?' But [it's] volumes beyond the comprehension of what we've ever dealt with before. And for me ... big data analytics is the way to go forward regarding this."

Battling Bitcoin-Using Criminals

Wilson said police have also made strides when it comes to battling criminals who use bitcoins (see Europol Announces DD4BC Arrests). In part, he said, that's been aided by analyzing the blockchain, which is the public record of every bitcoin transaction. While the pseudo-anonymous cryptocurrency system doesn't list users' names, past cases have revealed that law enforcement agencies do have some capabilities - which they have not publicly detailed - to analyze and cross-reference bitcoin transactions and other information to help them better follow the money.

Eamonn Keane, a detective inspector with Police Scotland's cybercrime unit, told conference attendees that it's well known that authorities continue to find new ways to infiltrate dark net forums to bust bitcoin-using criminals. "Are law enforcement in there? Absolutely. That's been charted already with regards to Silk Road, Silk Road 2," he said. "We have a mandate to protect you in the real world; increasingly it's moving into the online environment."

EC3's Wilson said many bitcoin-related arrests have been the result of police working with academics to better analyze blockchain transactions (see Tougher to Use Bitcoin for Crime?). Going forward, he hopes that such analysis will help authorities more rapidly spot signs of criminal cryptocurrency use. "There are opportunities in there to predict what's happening and to actually target offenders from that side of things," he said.

Emerging Cybercrime Trends

Steven Wilson details how Europol's European Cybercrime Center is tracking and disrupting cybercriminals.

Wilson credits many recent cybercrime investigation success stories, in part, to the EU Joint Cybercrime Action Task Force, or J-CAT, which brings together representatives from nine of the EU's biggest member states, as well as representatives from other countries, with a dedicated prosecutor from Eurojust, the EU agency that handles cross-border judicial cooperation relating to criminal matters.

That combination has "has allowed us to actually cut through the bureaucracy, the differences in legislation, to actually tackle cyber criminality," Wilson said.

In 2015, JCAT took on 20 of the top-level police cases - or "jobs" - in Europe and the United States and successfully concluded nine of them with arrests, he said. "I would suggest that these jobs going back probably three or four years ago were ones that I thought actually probably would never be detected, or could have taken four or five years [to detect]," he said.

Europol Gets Expanded Powers

Beyond the launch of EC3 in 2013, European officials have continued to double down on the type of information sharing and cross-border coordination that it provides, especially when battling terrorism, child sexual abuse and exploitation, as well as cyber-enabled crime (see How Do We Catch Cybercrime Kingpins?).

Fight against terrorism: Parliament to vote on updated powers for Europol https://t.co/cBoFH1ITAG #EPlenary pic.twitter.com/70hdoe6OIc — European Parliament (@Europarl_EN) May 10, 2016

On May 11, the European Parliament adopted a new regulation that includes new powers for Europol that are designed to help it more quickly - and easily - tackle cross-border terrorism and organized crime. "The new EU regulation will make it easier for Europol to set up specialized units to respond immediately to emerging terrorist threats and other forms of serious and organized crime," Europol said in a statement.

Europol said the new powers will enable it to function as "the EU's information hub" and better coordinate between law enforcement agencies in Europe and beyond, aided by the European Counter Terrorism Center and the EU Internet Referral Unit.