Cybersecurity Case Study: Microsoft Digital Crimes Unit.
The Microsoft Digital Crimes Unit is a cybercrime prevention organisation operating on a global scale. In this case study, we explore its practices, its innovations and the takedowns it has helped coordinate over the years. In addition, we take a closer look into the malicious threats they have helped to neutralise and discover the extent of global cybercrime prevention efforts.
MS Digital Crimes Unit Origins
Following the success of Microsoft’s Global Security Strategy and Protections team, MS moved decisively to establish the Digital Crimes Unit in 2008. Comprising skilled legal professionals, investigators and forensic analysts, the Digital Crimes Unit shoulders the responsibility of cybercrime prevention. Led initially by a former federal prosecutor, Richard Boscovich, the DCU has gone on to play a pivotal role. Its work is guided by several key tenets:
An understanding that cybercrime prevention requires collaboration between law enforcement and a host of various industries. This collaboration comes in the form of sharing information, resources and a shared motive to prevent cybercrime on a global scale.
In order to fulfil its mission, the DCU deployed innovative technologies and established new cybercrime protocols and initiatives. The DCU uses the following technologies in its efforts:
- PhotoDNA: a technology that analyses image files and produces a unique signature for each image. PhotoDNA is used in the fight against child abuse and exploitation
- Machine Learning: machine learning algorithms parse patterns from large datasets to identify cyber threats. Moreover, this technology is used to predict future cyber threats that traditional methods may miss
- Forensic Analysis Tools: the tools used to gather evidence of cybercrime and support the prosecution of cyber criminals. Investigators use forensic imaging software, file analysis and network analysis tools to build a case against a suspect
- Malware Analysis Tools: tools for analysing malware samples and eradicating the risk they pose
- Botnet Disruption Tools: designed to disrupt and ultimately neutralise botnets. They can take control of the botnet’s traffic and send it to a server they control, therefore countering its ability to carry out attacks
- Threat Intelligence Platforms (TIP): a centralised platform to organise intelligence, prioritise and act on insights regarding a threat landscape
- Open-source Intelligence (OSINT) Tools: a collection of monitoring tools covering dark web search engines, forums and social media
Legal and Policy Expertise
The DCU’s legal and policy experts combined their efforts to develop strategies and deliver on their objectives. These included policy, cybersecurity advocacy and input into legislative proposals. See the initiatives below:
- Coordinated Malware Eradication: a centralised reporting technology that signals and shares information about malware incidents. This system was developed in concert with law enforcement, industry partners and stakeholders to encourage a multi-disciplined effort to prevent malware infections
- Cyber Threat Intelligence Programs (CTIP): a real-time alarm system to enable a timely response to emerging threats and protect vulnerable end users
- Digital Crimes Academy: a training program for law enforcement and stakeholders involving cybercrime investigation and digital forensics upskilling. Attendees can access resources, master cybersecurity tools, online courses and in-person training
- Cybersecurity Policy and Advocacy: alongside law enforcement and cybersecurity partners, MS drew attention to cybercrime and influenced policy around it
Cybercrime affects every aspect of business and public institutions, and as its sophistication increases it has become an international problem. The Digital Crimes Unit seeks to coordinate its efforts with a wide variety of professionals, on a global scale.
MS has a responsibility to protect and inform its users with regard to cyber criminality. A safer environment translates into a better experience with MS products, and user awareness reduces the damage caused by cyber-attacks.
MS Digital Crimes Unit Takedowns
Over the years, the DCU has been pivotal in neutralising the threat of organised cybercrime groups. Takedowns neutralise botnets and prevent them from doing further harm. As a result, they protect typical end-users, businesses and organisations by limiting financial and personal loss.
Waledac Botnet A.K.A. “Storm Botnet”
Believed to have originated in Eastern Europe, Waledac sent spam and phishing emails targeting recipients’ personal information, i.e. logins and credit card details. In addition, it infected other computers with malware and enabled cybercriminals to access banking information and other highly sensitive data.
The botnet grew at a staggering pace. Having first appeared in 2008, Waledac reportedly infected 70,000-90,000 computers and consequently became a global threat. Law enforcement, industry partners and the Digital Crimes Unit combined their expertise and in 2010 seized control of Waledac. Microsoft executed a strategy called a “sinkhole operation”: it obtained control of the botnet’s domain names and redirected traffic from infected computers to its own servers. As a result, communications from infected computers could be analysed, and the DCU gathered information about the infected machines and the botnet operators.
Rustock Botnet
During its period of activity from 2006-2011, the Rustock botnet was the sender of over 48% of spam emails. Rustock capitalised on link clicks, information access and drive-by downloads to silently infect a computer.
The damages caused were not limited to individual computer users; businesses and organisations were also targeted. It’s estimated that billions of emails were sent daily, resulting in significant revenues for organised crime gangs.
Kelihos Botnet
Like the botnets described above, Kelihos relied on infected or “zombie” computers to spread. After infecting a computer, Kelihos received commands from a command and control server. Kelihos also had a sophisticated layered infrastructure that enabled it to evade detection and takedown attempts: its architecture was peer-to-peer (P2P), so infected computers communicated directly with each other instead of through a traditional centralised server. Importantly, Kelihos had no single point of failure: no single component, function or process could bring the whole system down.
In further evasive tactics, a domain generation algorithm (DGA) generated a large number of random domain names. The Kelihos server constantly fluctuated between domains to avoid detection. In addition, a technique called “fast-flux” would rapidly change the IP address attached to the domain names in use. Despite a failed takedown attempt in April 2011 and a brief resurrection in 2012, there have been no reports of the Kelihos botnet being active since.
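The two evasion techniques just described leave a footprint in DNS data that defenders can look for: a DGA produces long, high-entropy, digit-heavy domain labels, and fast-flux makes one domain resolve to many addresses with short TTLs. The script below is an added example written for this article (it is not DCU or Microsoft code) and runs both heuristics over a small constructed set of passive-DNS records; the thresholds are illustrative assumptions, not tuned values.

```python
import math
from collections import defaultdict

# Constructed passive-DNS records for illustration only: (domain, resolved_ip, ttl_seconds)
SAMPLE_RECORDS = [
    ("mail.example.com", "192.0.2.10", 3600),
    ("mail.example.com", "192.0.2.10", 3600),
    ("mail.example.com", "192.0.2.11", 3600),
    ("cdn.example.net", "198.51.100.5", 300),
    ("cdn.example.net", "198.51.100.6", 300),
    ("xk3qz7wdp1tv.info", "203.0.113.1", 60),
    ("xk3qz7wdp1tv.info", "203.0.113.2", 60),
    ("xk3qz7wdp1tv.info", "203.0.113.3", 45),
    ("xk3qz7wdp1tv.info", "203.0.113.4", 30),
    ("xk3qz7wdp1tv.info", "203.0.113.5", 60),
    ("xk3qz7wdp1tv.info", "203.0.113.6", 60),
    ("updates.example.org", "192.0.2.50", 86400),
]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dga_like(domain: str, min_entropy: float = 3.5, min_digit_ratio: float = 0.2) -> bool:
    """Heuristic: DGA labels tend to be long, high-entropy and digit-heavy (assumed thresholds)."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # registrable label, e.g. "example"
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 10 and (shannon_entropy(label) >= min_entropy
                                 or digits / len(label) >= min_digit_ratio)

def fast_flux_candidates(records, min_ips: int = 5, max_ttl: int = 300):
    """Flag domains that resolve to many distinct IPs and never use a TTL above max_ttl."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ip, ttl in records:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    return sorted(d for d in ips if len(ips[d]) >= min_ips and max(ttls[d]) <= max_ttl)

def triage(records):
    """Return {domain: [reasons]} for every domain that trips either heuristic."""
    flagged = defaultdict(list)
    for d in fast_flux_candidates(records):
        flagged[d].append("fast-flux")
    for d in sorted({r[0] for r in records}):
        if dga_like(d):
            flagged[d].append("dga-like")
    return dict(flagged)

if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_RECORDS).items():
        print(f"{domain}: {', '.join(reasons)}")
```

On real passive-DNS data the same two signals would be tuned against a baseline of known CDN and mail infrastructure, which legitimately rotates addresses, before anything is blocked.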
In January 2012, Russian citizen Andrey Sabelnikov was identified as one of the creators of the botnet. After being released on bail in 2013, Sabelnikov eventually pleaded guilty to a single charge of conspiracy to commit computer fraud and subsequently reached a settlement with Microsoft in exchange for his cooperation in the case.
ZeroAccess Botnet
ZeroAccess used a P2P architecture and exhibited more resilience to takedowns than traditional botnets. It used a custom-built protocol that enabled its bots to communicate and continually update. Each ZeroAccess bot could pass on new instructions, configuration data and new peer addresses, making it difficult to identify the true location of the command and control servers and to decipher its communication.
First discovered in 2011, ZeroAccess was notable for its high level of sophistication, and by 2012 it had become one of the largest botnets in the world. It is estimated to have infected millions of computers and, through its click-fraud operations, stolen millions of dollars. By July 2013, Microsoft, in partnership with law enforcement and industry partners, conducted a takedown of the botnet’s servers and attempted to disrupt its infrastructure. Since the takedown, researchers and cybersecurity professionals have observed a sharp decline in ZeroAccess activity, but variants continue to emerge.
Necurs Botnet
One of the largest and most adaptable botnets in the world, the Necurs botnet was a wholesale distributor of malware, a consistent source of phishing attacks and a harvester of personal information on a massive scale. Necurs has infected an estimated nine million computers worldwide.
While the origin of Necurs is unknown, many believe it was controlled by a Russian cybercriminal gang. The botnet first came to the attention of a group of cybersecurity experts in 2012, who were able to gain insight into its operations and various attack capabilities.
By 2014, Necurs had upgraded its malware delivery platform to include ransomware and banking trojans. Subsequently, in 2017, researchers discovered that Necurs was distributing the prevalent banking trojan Dridex and the Locky and Jaff ransomware.
Finally, in 2020, Microsoft seized control of its domains and IP addresses, not only disrupting the botnet’s infrastructure but also preventing the cybercriminals from launching new iterations of Necurs.
In conclusion, cybercriminal infrastructure, evasion tactics and technological innovation are concerning. However, the impressive cooperation of the DCU and its partners has paved the way for optimism. The global tech industry is taking serious steps to tighten the net on criminality, and its methods are improving every day. Moreover, businesses of all sizes are investing in cybersecurity tools and educating their workforce on cyber threats. The fight against cyber criminality will rage on for the foreseeable future, but tech is rising to meet it.