The UK’s National Crime Agency (NCA) is leading an international collaboration between law enforcement and private sector firms to fight bank theft malware.
The first project of its kind brings together partners including the FBI, Europol, BAE Systems Applied Intelligence, GCHQ, Dell SecureWorks, Kaspersky Lab and the German Federal Police.
The partners are working together to combat the Shylock Trojan by disrupting the infrastructure enabling cyber criminals to use the malware to raid bank accounts.
The disruption action includes seizing computer servers which form the command and control system for the Trojan, and taking control of the domains Shylock uses for communication between infected computers.
Investigators from the NCA, FBI, the Netherlands, Turkey and Italy gathered to co-ordinate action in their respective countries, in concert with counterparts in Germany, Poland and France.
The disruption action is being conducted from the operational centre at the European Cyber Crime Centre (EC3) at Europol in The Hague.
EC3 has provided a unique platform and operational rooms equipped with state-of-the-art technical infrastructure and secure communication means, as well as cyber analysts and cyber experts to assist the operation.
“In this way we have been able to support frontline cyber investigators, co-ordinated by the UK’s NCA, and working with the physical presence of the United States’ FBI and colleagues from Italy, Turkey and the Netherlands, with virtual links to cyber units in Germany, France and Poland,” said Troels Oerting, head of EC3.
Hath not a hacker eyes?
Shylock - so called because its code contains excerpts from William Shakespeare’s Merchant of Venice - has infected at least 30,000 computers running Microsoft Windows worldwide.
The NCA is co-ordinating the operation because intelligence suggests Shylock has targeted the UK more than any other country, although the suspected developers are based elsewhere.
Victims are typically infected by clicking on malicious links that download and install the malware. The malware then accesses funds held in business or personal accounts, and transfers the money to the criminal controllers.
According to the NCA, Windows users who receive automatic updates do not need to take any action, as the updates will ensure infected computers are cleaned automatically.
Windows users who do not get automatic updates or who would like to learn more about how to check their computers and remove infection can visit the Microsoft support site.
Andy Archibald, deputy director of the NCA’s National Cyber Crime Unit (NCCU), said the disruptive phase of the operation is intended to have a significant effect on the Shylock infrastructure.
“This operation demonstrates how we are using partnerships across sectors and across national boundaries to cut cyber crime impacting the UK,” Archibald said.
Private sector collaboration
The NCCU sees a deeper, more defined and developed relationship with private sector businesses as crucial, not only to identify crimes and patterns of criminal activity, but also to tap into specialist skills.
“We need to be able to go to organisations in the private sector and ask to work with people with the skills we need in some of our investigations,” Archibald told Computer Weekly in a recent interview.
“Industry can bring things to the table that we may not be aware of, and we will work with the private sector within the law if the solution to an operation is something the private sector can take the lead on,” he said.
The latest operation follows the first collaborative action involving the NCCU in mid-May that resulted in the arrest of 17 suspected users of Blackshades malware, which is designed to take control of computers and steal information.
The operation tested some of the principles the NCCU has been working on around international co-ordination and collaboration.
Archibald said the operation in May also demonstrated that, despite the well-known challenges to working in multiple jurisdictions, it is possible to share information and co-ordinate action around a common goal.