Media Coverage

Andromeda has been active at least since 2011, and was notorious for infecting computers around the globe to form a botnet. With the help of partners—including the FBI, Microsoft, and others—Europol intercepted the internet traffic between Andromeda-infected computers and the command servers to which the malware was communicating. All that traffic was then “sinkholed” and redirected to servers under the investigators’ control, giving law enforcement a detailed view of the malware’s activities. “Andromeda was also sometimes used to download up to 80 other malware families onto infected victim computers,” according to The Shadowserver Foundation, a group of security experts that also helped dismantle the Andromeda botnet.

The Justice Department announced Monday that it had successfully targeted a man prosecutors called “one of the world’s most notorious criminal spammers,” a Russian hacker known as Peter Yuryevich Levashov, also known as Peter Severa, or “Peter of the North.” Levashov had long run the Kelihos botnet, a global network of infected computers that collectively flooded email inboxes worldwide with spam, stole banking credentials from infected users, and spread malware across the internet.

Last month, KrebsOnSecurity identified U.K. citizen Daniel Kaye as the likely real-life identity behind a hacker responsible for clumsily wielding a powerful botnet built on Mirai, a malware strain that enslaves poorly secured Internet of Things (IoT) devices for use in large-scale online attacks. Today, a German court issued a suspended sentence for Kaye, who now faces cybercrime charges in the United Kingdom.

Grasso described to the crowd how it took the efforts of the FBI, German federal police, Ukrainian law enforcement, U.S. CERT, ShadowServer and other companies to bring down Avalanche.

BLACK HAT USA – Las Vegas – Tom Grasso, unit chief of the FBI’s cyber division, took the Black Hat stage to discuss the processes and partnerships leading up to the massive Avalanche takedown in December 2016.

Responsibility for the Australian Internet Security Initiative (AISI) has shifted been from the Australian Communications and Media Authority to CERT Australia from 1 July. Responsibility for the Australian Internet Security Initiative (AISI) has shifted been from the Australian Communications and Media Authority to CERT Australia from 1 July. The data is drawn from a range of sources, including Microsoft, the Spamhaus Project and the Shadowserver Foundation.

Special report The WannaCrypt ransomware worm, aka WanaCrypt, WannaCry or Wcry, today exploded across 74 countries, infecting hospitals, businesses including Fedex, rail stations, universities, at least one national telco, and more organizations. “IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organisations should get a notification soon,”

From 2009 to 2016, a cybercrime network called Avalanche grew into one of the world’s most sophisticated criminal syndicates. It resembled an international conglomerate, staffed by corporate executives, advertising salespeople and customer service representatives. Our study of Avalanche, and of the groundbreaking law enforcement effort that ultimately took it down in December 2016, gives us a look at how the cybercriminal underground will operate in the future, and how police around the world must cooperate to fight back.

The Kelihos botnet is no more. Or at least that’s what authorities hope happens, after attempting to bring it down three times in the past, but to no avail. This time around, the takedown attempt has more chances of succeeding because authorities arrested Kelihos’ main maintainer, a Russian national known as Pyotr Levashov, or Peter Severa. This time around, US authorities, with help from the Shadowserver Foundation and CrowdStrike, hope this fourth takedown attempt works better.

As part of the operation, security researchers and the FBI teamed up to dismantle the Kelihos botnet itself, targeting three domains used to run the network—gorodkoff.com, goloduha.info, and combach.com—and redirecting traffic from infected computers to new servers controlled by authorities and the ShadowServer Foundation, a volunteer anti-cybercrime group, a process that’s known in cybersecurity circles as “sink-holing.”