Goznym Takedown Shows the Anatomy of a Modern Cybercriminal Supply Chain

Credit to Author: Andy Greenberg | Date: Thu, 16 May 2019 15:58:33 +0000

For decades, the security industry has warned that the cybercriminal economy has been developing its own highly specialized, professional supply chain. But only when law enforcement tears the lid off a well-honed hacker operation—as they did today with the global Goznym malware crew—does the full picture of every interlinked step in that globalized crime network come into focus.

On Thursday, police in six countries along with the US Justice Department and Europol announced the takedown of Goznym—linked with Avalanche, an associated cybercrime operation that was largely dismantled in 2016—including the arrest of five of its members across Bulgaria, Georgia, Moldova, and Ukraine. Five more alleged members remain at large in Russia. In total, the operation infected 41,000 computers with fraud-focused malware and attempted to steal $100 million from victims in the US, though it's not clear exactly how much of that theft the group successfully pulled off.

Speaking at a press conference at Europol's headquarters in the Hague, global law enforcement hailed the arrests as an "unprecedented" example of international cooperation. But the indictment also details just how distributed and specialized the tasks of profit-focused hackers have become, composed largely of loosely associated freelancers, each responsible for a single step in the exploitation of victims. "You look at what happened here. What was Goznym? What was Avalanche?" asked Steven Wilson, the head of the European Cybercrime Centre. "This was a supermarket of cybercrime services. You're looking at coders, malware developers, bulletproof hosters, a whole range of cybercrime services."

The indictment lays out that long chain of cybercrime specialists:

Despite law enforcement's description at times of the Goznym operation as a unified crew, most of those defendants seem to have worked as freelancers who offered their services on Russian-language cybercrime forums. "The Goznym network was formed when these individuals were recruited from these online forums and came together to use their specialized skills in furtherance of the conspiracy," FBI special agent Robert Allan Jones said in the press conference. The group appears to have coordinated their activities over online chat.

The globalized nature of that loose network required an equally global sort of cooperation among police and prosecutors across a half-dozen countries, sharing evidence and synchronizing arrests, according to Eurojust official Gabriele Launhardt. "This kind of international cooperation is perhaps unprecedented. This is a sign that judiciary and police can and will always cope with however big a cybercrime organization can be, bringing down its infrastructure," Launhardt said. "To sum up, criminals cooperate across borders, and we will do the same, so no one escapes justice."

Left unspoken in those remarks about global coordination, of course, is that fully half of the defendants in the case have in fact escaped justice—in Russia, one country that doesn't seem to have cooperated at all in the investigation. As global as cybercrime crackdowns have become, the cybercriminals themselves remain more global still. And some hide behind borders where Western law enforcement still can't reach.