
How DNSChanger Changed Cybersecurity – Security Intelligence

DNSChanger and the Global Scope of Cybersecurity
In November 2011, the FBI-led Operation Ghost Click raided malicious servers run by the Rove Digital cyber group. This was only after the group had leveraged the DNSChanger Trojan to infect over four million computers and generate over $14 million in illicit profits. At the time, the operation was billed as the biggest cyber criminal takedown in history.
How did DNSChanger infect so many machines before detection? How did authorities work together to stop this attack cold in its tracks? And what lessons did the security community learn from the DNSChanger incident? Let’s find out.
DNSChanger is a DNS hijacking Trojan launched by the Estonian cyber gang Rove Digital. It’s believed the Trojan’s malicious activity began in 2007. The malware works by modifying a computer’s Domain Name System (DNS) settings. Malware authors can then redirect internet users to fraudulent websites.
DNSChanger was distributed as an infected download disguised as a video codec. When visiting a rogue website (the majority were pornographic sites), users were lured to click on a link or popup in order to download the codec to watch a video. Once a victim clicked the malicious link, the DNSChanger Trojan unleashed its payload.
By modifying the infected computer’s DNS configuration, the malware pointed its DNS queries to rogue name servers operated through affiliates of Rove Digital. These rogue name servers primarily supported advertising sold by Rove. Advertisers then paid for the traffic thinking it came through legitimate clicks.
Worldwide, DNSChanger infected over 4 million computers in more than 100 countries. There were about 500,000 infections in the U.S., including computers belonging to individuals, businesses and government agencies such as NASA.
On the day of the takedown, Estonian police arrested Rove Digital ringleader Vladimir Tsastsin and five other actors. Meanwhile, U.S. authorities disabled the command-and-control network, including rogue DNS servers in New York and Chicago.
One problem the authorities faced was that the rogue DNS servers were still providing name resolutions for millions of infected computers. To resolve this issue, the FBI commissioned the Internet Systems Consortium to replace the rogue servers with legitimate DNS servers, thus protecting the users’ internet access from interruption.
Operation Ghost Click was a complex international investigation. Its success relied on strong working relationships between law enforcement, private industry and international partners. The FBI, NASA’s Office of Inspector General, the Estonian Police, nearly a dozen private and public sector partners and many more all banded together to make the operation work. Even Facebook and Google notified users that their Mac or PC computers could be infected.
Since cyber gangs can launch attacks from anywhere, international teamwork has become increasingly necessary to stop attackers. For instance, in January 2021 Europol announced the EMOTET takedown. The operation was the result of a collaborative effort between authorities in the Netherlands, Germany, the US, the UK, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.
EMOTET was one of the most sophisticated and long-lasting cyber crime services ever. It began as a banking Trojan in 2014 and evolved into a reliable attack resource for threat actors worldwide. Via infected email attachments, EMOTET opened the door to computer systems on a global scale. Once its operators had established unauthorized access, they sold that access to other threat groups to execute further malicious activities such as data theft and ransomware.
A coordinated multinational team worked to gain control of the EMOTET infrastructure and disrupt it from the inside. The infected machines were then redirected toward law-enforcement-controlled infrastructure. Ironically, authorities deployed a DNS sinkholing method: DNS requests attempting to reach known malicious or unwanted domains are intercepted and answered with a controlled IP address that points to a sinkhole server defined by the DNS sinkhole administrator. This was a unique and new approach to effectively disrupting the activities of malicious actors.
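To make the sinkholing mechanism concrete, here is an added example (not code from the article, Europol, or any takedown operation) of the core logic of a DNS sinkhole responder: it parses a DNS query from the wire, and if the queried name falls under a blocked domain it answers with a controlled IP that points at the sinkhole server instead of the attacker's address. The block-list entries and the sinkhole address are constructed sample values; queries for other names are left to a real resolver.

```python
"""Minimal DNS sinkhole responder logic in pure Python (added example).

Assumptions (constructed for illustration):
  - BLOCKLIST holds the domains the sinkhole administrator wants to intercept.
  - SINKHOLE_IP is the controlled address that points to the sinkhole server.
"""
import struct
from typing import Optional, Tuple

SINKHOLE_IP = "192.0.2.10"                            # constructed: TEST-NET-1 range
BLOCKLIST = {"malicious.example", "c2.example.net"}   # constructed sample domains

QTYPE_A = 1
QCLASS_IN = 1


def parse_query(packet: bytes) -> Tuple[int, str, int, int, bytes]:
    """Return (txid, qname, qtype, qclass, raw question section) of a single-question DNS message."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("only single-question messages are handled")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid inside a question name
            raise ValueError("unexpected compression pointer in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question type/class")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, qclass, packet[12:pos]


def is_sinkholed(qname: str) -> bool:
    """True if the name or any of its parent domains is on the block-list."""
    parts = qname.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def build_sinkhole_response(query: bytes) -> Optional[bytes]:
    """Answer an A/IN query for a blocked name with the sinkhole IP; None means 'not ours'."""
    txid, qname, qtype, qclass, question = parse_query(query)
    if qtype != QTYPE_A or qclass != QCLASS_IN or not is_sinkholed(qname):
        return None  # a real resolver would forward this upstream untouched
    # Header: same txid, flags 0x8180 (response, RD+RA), 1 question, 1 answer, 0 NS, 0 AR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer: name pointer to offset 12 (0xC00C), type A, class IN, TTL 60s, rdlength 4, IPv4
    rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4) + rdata
    return header + question + answer


def build_query(txid: int, name: str) -> bytes:
    """Construct a standard recursive A/IN query (used here to build test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def answer_ip(response: bytes) -> str:
    """Extract the IPv4 address from the single A answer this responder produces."""
    _, _, _, _, question = parse_query(response)  # question section has the same layout
    ans = response[12 + len(question):]
    _ptr, _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", ans[:12])
    return ".".join(str(b) for b in ans[12:12 + rdlen])


if __name__ == "__main__":
    # Constructed query for a sub-domain of a blocked name: gets the sinkhole address.
    q = build_query(0x1234, "www.malicious.example")
    r = build_sinkhole_response(q)
    print("www.malicious.example ->", answer_ip(r) if r else "forwarded")
    # A name that is not blocked is left for the upstream resolver.
    print("example.org ->", build_sinkhole_response(build_query(1, "example.org")) or "forwarded")
```

To turn this into a running sinkhole, wrap `build_sinkhole_response` in a UDP socket loop on port 53 and forward the `None` cases to a real upstream resolver; the matching on parent domains is what lets one block-list entry cover every host under a malicious zone.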
With the war in Ukraine, the global risks of cyber crime have never been higher. At the top of the agenda are threats to critical infrastructure. However, attacks on hospitals, local governments and companies cause trouble at every level, even threatening to disrupt macroeconomic stability.
For this reason, many political and business leaders are calling for new paradigms to stem the rising tide of attacks. Some strategies include:
While DNSChanger and Operation Ghost Click were historic in their scope, it took years before action was taken against the cyber actors. The result was a physical raid and arrests.
Still, other methods, like the at-a-distance disruption of EMOTET may become more common — that is, hacking the hackers. Also, sanctioning affiliated entities could stem the tide of attacks. During the takedown of Hydra, the world’s largest darknet marketplace, part of the operation included sanctioning over 100 virtual currency addresses used to conduct illicit transactions.
Some steps organizations can take to prevent DNS hijacking include:
New strategies and cultural shifts will be required to face growing international cyber threats. At a minimum, this includes individual responsibility coupled with strong alliances, tactics and policies. Only a united front will keep attackers at bay.
Jonathan Reed is a freelance technology writer. For the last decade, he has written about a wide range of topics including cybersecurity, Industry 4.0, AI/ML…