Russian cyber crime kingpin sought after worldwide server raids

Businesses urged to take action after a worldwide raid on GameOver Zeus servers

Authorities are seeking a suspected Russian cyber crime kingpin after a worldwide co-ordinated operation of unprecedented scale to shut down botnet command and control servers.

Security industry representatives have praised Operation Tovar, in which multiple countries and organisations worked together, pooling resources and intelligence to attack a common target.

But businesses should take immediate action to defend against the GameOver Zeus Trojan because cyber criminals could restore the botnet within a fortnight, cyber crime fighters have warned.

The botnet has also been distributing CryptoLocker ransomware that locks victims’ computers, offering to restore them if ransom money is paid.

The UK government, US government, Microsoft, Symantec and Trend Micro have posted advice on how to protect business and personal computers, including links to malware removal tools.

Businesses have been advised to test their incident responses and business continuity plans and work with their IT departments to educate employees on the potential threat.

Action against cyber crime

The international action comes just two weeks after a smaller multi-national operation in which the National Cyber Crime Unit (NCCU) co-ordinated the arrest of 17 UK Blackshades malware suspects.

At the time, NCCU deputy director Andy Archibald said the Blackshades operation would be followed by other multi-national operations aimed at disrupting cyber crime operations.

Disruptive action has been pioneered by Microsoft, which is one of several private sector businesses that took part in the operation, and has been tasked with removing the malware from up to a million computers.

The National Crime Agency’s NCCU has indicated that collaboration with private sector companies is one of its key strategies for tapping into the skills and resources vital to international cyber crime fighting.

Russian Evgeniy Bogachev is suspected of being the ringleader behind the botnet distributing data-stealing Trojan GameOver Zeus, also known as GOZeus or P2PZeus.

The US has charged Bogachev with conspiracy, wire, bank and computer fraud, and money laundering, reports the BBC.

Bogachev was last known to be residing in Anapa, Russia, and according to the US Department of Justice, co-operation with Russian authorities has been “productive”.

Update security before GameOver Zeus is reactivated

GameOver Zeus is believed to be responsible for the fraudulent transfer of hundreds of millions of pounds globally.

Estimates put the number of infected computers in the UK at around 15,500. But many more are potentially at risk, security experts have warned.

UK internet service providers (ISPs) are expected to contact customers known to have been affected, either by letter or email, from this week.

“By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them,” said the NCCU’s Archibald.

“Our message is simple: update your operating system, update your security software and use it, and think twice before clicking on links or attachments in unsolicited emails,” he said.

Rik Ferguson, global vice-president of security research at Trend Micro, said victims and potential victims should make use of this window of opportunity, where the criminals have been weakened, to bring their systems fully up to date.

“The ultimate goal of the activity is to prevent infected computers from communicating with one another, significantly weakening the criminal infrastructure.

“While this blow is effective, it is not permanent, and we expect the malicious networks to return to their former strength within a week, if not days,” he said.

Carl Leonard, senior manager at Websense Security Labs, also urged businesses and consumers to take advantage of the short window of opportunity Operation Tovar has afforded them.

“For individuals, now is the time to run threat detection technologies and for businesses to check their threat dashboards for indicators of compromise.

“As we have been tracking this with our real-time systems we have found that the malware authors are dynamic in their use of Zeus and are always looking for new opportunities to build up their malicious bots.

“If your company is infected, you need to do your best to remediate before the bad guys do their best to regain control of their botnet,” he said.

International crime-fighting partners

Archibald warned that those committing cyber crime affecting the UK are often highly skilled and operating from abroad.

“To respond to this threat, the NCA is working closely with law enforcement colleagues all over the world and developing important relationships with the private sector,” he said.

The NCA has been working with international law enforcement partners, including the FBI and Europol, as well as partners from the banking, internet security and ISP sectors.

Archibald said anyone who suspects they have lost money through malware such as GameOver Zeus and CryptoLocker should report it to the police’s Action Fraud centre.
