sign in sign up
<<
Home , Cybercrime

Operation Avalanche A closer look

April 2017 Operation Avalanche: a closer look

Key threats EC3 supported the investigation by facilitat- A German investigation into an OCG called Avalanche ing secure information exchange, providing involved in , and spam activities com- in-depth analysis and advanced digital foren- menced in 2012, after a wave of sic support, and fostering cooperation be- infected a substantial number of systems, tween law enforcement and private partners. blocking users’ access. The investigation exposed the ex- istence of a highly sophisticated technical infrastructure that was used to infect millions of private and business computer systems with malware (e.g. banking Trojans and ransomware), enabling the criminals operating during the following coordination meeting. The op- the network to harvest bank and e-mail passwords. erational and coordination meetings served to plan a global joint action day and to clarify legal issues and With this information, the criminals were able to concepts related to this form of cybercriminality. perform bank transfers from the victims’ accounts. The proceeds were then redirected to the criminals Impact - cure the proceeds of the criminal activity. In addition The Avalanche infrastructure had been used since tothrough launching an infrastructure and managing specifically mass global created malware to seat- 2009, causing an estimated EUR 6 million in dam- tacks, the Avalanche network was used for money ages in concentrated on mule recruiting campaigns. The Avalanche infra- systems in Germany alone. In addition, the monetary structure was set up in a way that was highly resil- losses associated with malware attacks conducted ient against takedowns and law enforcement action over the Avalanche network were estimated to be in the hundreds of millions of euros worldwide, al-

Eurojust(through so-called and ‘double fast-flux’ technology). large number of malware families managed through thethough platform. exact Initially, calculations an action were day difficult was foreseen due to thefor The need for broad international cooperation arose 2015. This action day was postponed to late 2016 in 2015. The German prosecution and law enforce- ment authorities approached and Europol through close cooperation with the US authorities. for support. While at this point in time certain actions to allow for an identification of the perpetrators, against parts of the network had taken place, wide- While initial sovereignty concerns were raised by the ranging cooperation had not been established, nor fact that servers subject to takedown were located in various jurisdictions, discussions among the relevant authorities resolved the matter. Similarly, concerns were Severalhad the perpetratorsoperational beenand identified.coordination meetings, raised that, under various participating countries’ legis- which brought together a large number of Member lation, the seizure of so-called unborn domains was not States and third States, including the USA and Azer- possible. Eurojust’s Seconded National Expert on Cyber- baijan, were held at Europol and Eurojust, with both was able to inform the national authorities that - in this case the problem would not arise, as the status ordination meeting, a level II meeting, attended ex- of the domains in question would change from unborn ceptionallyagencies cooperating by German closely. and US Prior prosecutors to the finaland law co to born by the time the actions took place. His advisory role towards the National Desks and national authori- limited group of countries that would not be present ties continued throughout the investigation. Addition- enforcement officers, was held at Eurojust, with a ally, he provided contact details of judicial authorities in countries outside of Eurojust’s contact network.

Eurojust supported the work of the involved Private sector judicial authorities by mapping out the legal requirements to effectuate the necessary in- terventions, as well as facilitating the draft- partners was initiated to allow for the analysis of over ing and timely execution of letters of request. Cooperation with several non-profit and private sector structure of the , leading to the shutdown of serv- ers130 and TB ofthe captured collapse data of the and entire identification criminal network. of the server

Operation Avalanche: a closer look 1 The partners included the German Fraunhofer-Institut A multi-faceted für Kommunikation, Informationsverarbeitung und Er- Public-private approach to Detect Disrupt partnerships gonomie, the Shadowserver Foundation, Registrar of fighting Last Resort and the Corporation for Assigned It takes a Network to Names and Numbers (ICANN). Other partners, such Defeat a Network as and the Ibero-American Network for In- Stop the Criminality ternational Legal Cooperation (IberRed), also played and Stop the Criminals an important role, particularly in preparation of the Awareness Addressing common joint action day. IberRed served as a liaison to Spanish- raising, cybercrime challenges to cross- prevention, victim Prevent Deter border cyber speaking countries, mainly in South America. mitigation investigations Results

On the action day in November 2016, Europol hosted removing the malware from their and to a command post, in which Eurojust participated and prevent further illegal access. provided immediate support to the judicial authori- ties involved in the action day. At the command post, Lessons learned - gether with representatives of the involved countries To help the involved countries with their investigations, andthe German private prosecutorindustry partners and to ensureofficers the worked success to close cooperation between Eurojust and Europol in or- of such a large-scale operation. This global effort to ganising joint meetings saved both time and money. take down the network involved the crucial support of prosecutors and investigators from 29 countries. This operation showed that only when public and private entities collaborate as a team can a large and sophisticated criminal network be taken down. Cy- bercrime truly is a global phenomenon and requires cooperation between authorities, which is sometimes

networks of practitioners. most efficiently established by tapping into regional A business model lies behind every successful cyber- crime venture. By targeting the business model of the Avalanche network and devising ways of interfering with the perpetrators and the technical infrastructure, as well as identifying and supporting the victims, one of the most sophisticated cybercrime networks of the past years was effectively shut down. The operations premises were searched, and 39 servers were seized. yielded valuable insights into the cybercriminal busi- As a first result, five individuals were arrested, 37 ness model. At the same time, the trust built among 180 countries. In addition, 221 servers were put off- the cooperating public and private entities will prove Victims of malware infections were identified in over providers. Over 800 000 domains associated with the cybercrime. Since the action day, the approach in the criminalline through infrastructure notifications were sinkholed, sent toand the dedicated hosting caseto be has an been invaluable regarded asset as inbest the practice future fightamongst against cy- webpages were created for the public to assist in bercrime investigators and prosecutors.

The lead prosecutor, Mr Frank Lange, said: Having trustworthy and quick international cooperation, beyond the traditional means of legal assistance, was essential to Avalanche’s success. Eurojust and EC3 played an important role in establishing the atmosphere for cooperation between judicial participants and police. The organisation of coordination meetings at Eurojust and operational meetings at Europol, as well as their further support by forwarding information and letters of request to the correct recipients, laid the groundwork for a truly multinational approach. We are really grateful. © ZKI Lüneburg

Operation Avalanche: a closer look 2 Eurojust

, Johan de Wittlaan 9, 2517 JR The Hague, Netherlands Phone:Catalogue +31 70 number 412 5000 - E-mail: [email protected] - Website: www.eurojust.europa.euDoi : QP-01-17-801-EN-N • : 978-92-9490-158-3 • : 10.2812/816706