4 min Security

International ‘Operation Endgame’ deals sensitive blow to cyber criminals

Insight: Security

International ‘Operation Endgame’ deals sensitive blow to cyber criminals

A major international police operation called ‘Operation Endgame’ has disrupted a massive system of botnets. Cybercriminals used these to carry out ransomware attacks on businesses and government services, causing millions of euros worth of damage.

Hundreds of servers were seized, some 2,000 Internet domains confiscated, and 69 million euros worth of cryptovalauta frozen. Four arrests have also been made, although the manhunt for the brains behind the operation continues.

The operation occurred between May 27 and 29 and involved cooperation between investigative agencies in Germany, France, the United Kingdom, Denmark, the Netherlands and the United States. Authorities in Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland and Ukraine also cooperated by performing on-site searches, making arrests, seizing or shutting down servers and questioning suspects. France, Germany and the Netherlands led the operation.

Seizures and arrests

In the Netherlands, police seized 33 servers in one raid. Three people were arrested in Ukraine and one in Armenia. The main suspects are still at large for now, as they are believed to be in Russia or other places where they are more difficult to catch for police in Western Europe or the U.S. However, eight fugitives have been added to Europol’s ‘Most Wanted’ list because of the operation, reports this European police organization on its website. These individuals were already wanted by German authorities.

Europol says the operation has a major impact on the global network of dropper ecosystems, used to infect computers with malware.

Photo: Europol

Cryptocurrency exchanges also taken down

Two criminal cryptocurrency exchanges have also been taken offline. The criminals involved were said to have facilitated these. These markets allow criminals to exchange cryptocurrencies against each other or regular currencies. The suspects behind these exchanges are to stand trial in the US.

Several briefings and coordination rounds were held between the organizations involved in preparing for the operation. When it was time to go into action ‘in the field’, the parties set up a virtual command post to coordinate operations between Armenian, French, Portuguese, and Ukrainian agents. In addition to the investigative agencies, several private security companies, including BitDefender, Computest, Fox-IT, and Northwave, also cooperated.

Police forces purged more than ten thousand infected computer systems of malware. Although infected, these computers had not yet been attacked by criminals.

Tip: Genesis Market: how did it operate and how was it taken down?

Different botnets used

Through a ‘dropper’ ecosystem, the cybercriminals infected millions of computers and made them part of botnets. These botnets were used to install ransomware on the infected devices. Hundreds of millions of dollars were captured through such attacks. This would be a ‘conservative estimate,’ police said. Victims include educational institutions, hospitals, and companies, according to Dutch state broadcaster NOS.

Europol’s website says the botnets involved include IcedID, Smokeloader, SystemBC, Bumblebee, Pikabot, and Trickbot. They all have their own roles in the malware network, although these sometimes overlap. For example, SystemBC facilitates anonymous communication between an infected system and command-and-control servers.

Bumblebee delivers and executes payloads on compromised systems, and Smokeloader acts as a downloader to install additional malware on infected systems. IcedID, also known as BokBot, and Pikabot, are trojans that gain initial access to infected computers, enabling ransomware deployments, remote takeovers, and data theft.

Operation is not yet completed

The operation is not yet completed. According to Europol, interested parties should visit the Operation Endgame website, where future actions will be reported. However, it seems unlikely that the investigative agencies will reveal their next move.

The website seems more like a PR tool, with a countdown timer and the message ‘This is season 1 of Operation Endgame’. The main purpose is probably to deter criminals and reassure citizens that the authorities are on top of things.

Read also: FBI and European authorities neutralize MooBot: spying platform for Russia