Law enforcement and Microsoft come together to bust a major malware attack
An eagle-eyed analyst's attention to detail triggers a milestone operation in Taiwan
It was a day like any other at the Taiwan office of Microsoft’s Digital Crimes Unit (DCU). Points of data from all corners of the internet flashed across a bank of monitors in a routine way. But then, an analyst spotted something unusual that he thought might be a new malware threat.
His suspicions proved right and triggered a landmark cybersecurity operation by law enforcement officers in Taiwan.
The DCU is at the forefront of Microsoft’s global commitment to protect customers and keep the internet safe. It shares multiple types of threat data — some in near real time — with public and private partners around the world.
Just like old-fashioned detectives searching for clues of wrongdoing, the DCU’s ranks of legal experts and analysts watch over our digital world.
They diligently monitor sophisticated intelligence-gathering dashboards and act fast when anything seems awry. It’s a constant 24/7 effort, and it paid off handsomely in Taiwan last August.
Botnet signals
Following DCU Taiwan’s initial observation, the team uncovered an unusual spike in botnet signals, which had increased 100-fold within one month. (A botnet is a network of computers and devices that a cybercriminal has infected with malicious software, or malware. Once a device is infected, the criminals can control it remotely and use it to commit crimes.)
The DCU team delved deeper by mapping more than 400,000 publicly available IPs and narrowed that information down to 90 suspicious IPs. An open data search of those 90 IPs further refined the analysis and revealed something alarming: One particular IP was associated with dozens of activities related to the distribution of malware, phishing emails, ransomware, and DDoS attacks.
To the team’s surprise, these activities correlated to as much as one terabyte (TB) of malicious content being sent out a week.
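The narrowing step described above, as an added example that is not Microsoft's or the DCU's own tooling: the sightings, the thresholds and the weeks-per-month constant are constructed assumptions. It escalates an IP only when both its signal spike and its spread across abuse categories stand out, which is what separates one source worth handing to law enforcement from the many IPs that merely spike.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sightings (not real DCU data). One row per aggregated feed entry:
# (source IP, period "prev"/"curr" month, abuse category, event count, bytes out)
SIGHTINGS = [
    ("203.0.113.7",   "prev", "botnet_c2",  40,   5_000_000_000),
    ("203.0.113.7",   "curr", "botnet_c2",  4000, 900_000_000_000),
    ("203.0.113.7",   "curr", "phishing",   600,  1_200_000_000_000),
    ("203.0.113.7",   "curr", "ransomware", 150,  800_000_000_000),
    ("203.0.113.7",   "curr", "ddos",       900,  1_100_000_000_000),
    ("198.51.100.20", "prev", "botnet_c2",  30,   10_000_000),
    ("198.51.100.20", "curr", "botnet_c2",  36,   12_000_000),
    ("192.0.2.55",    "prev", "phishing",   3,    3_000_000),
    ("192.0.2.55",    "curr", "phishing",   400,  400_000_000),
]

WEEKS_PER_MONTH = 52 / 12  # assumption used to express monthly volume per week

@dataclass
class IpProfile:
    ip: str
    spike: float        # current-month events / previous-month events
    categories: set     # distinct abuse types seen in the current month
    tb_per_week: float  # current-month bytes out, per week, in terabytes

def profile_ips(sightings):
    """Aggregate raw feed rows into one profile per IP."""
    events = defaultdict(lambda: {"prev": 0, "curr": 0})
    cats, out_bytes = defaultdict(set), defaultdict(int)
    for ip, period, category, n_events, n_bytes in sightings:
        events[ip][period] += n_events
        if period == "curr":
            cats[ip].add(category)
            out_bytes[ip] += n_bytes
    profiles = {}
    for ip, e in events.items():
        # An IP with no history counts as an infinite spike, not a division error.
        spike = e["curr"] / e["prev"] if e["prev"] else float("inf")
        profiles[ip] = IpProfile(ip, spike, cats[ip],
                                 out_bytes[ip] / 1e12 / WEEKS_PER_MONTH)
    return profiles

def triage(profiles, spike_threshold=100, min_categories=2):
    """Keep IPs that spiked AND span several abuse categories; rank by breadth."""
    hits = [p for p in profiles.values()
            if p.spike >= spike_threshold and len(p.categories) >= min_categories]
    hits.sort(key=lambda p: (-len(p.categories), -p.spike))
    return [p.ip for p in hits]
```

Lowering min_categories to 1 shows why the correlation step matters: a second IP with a comparable spike but a single abuse type is then pulled in as well.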
Working together
The DCU team alerted and briefed Taiwan’s Ministry of Justice Investigation Bureau (MJIB).
With the intelligence supplied by the DCU, MJIB agents tracked down the illegal VPN IP quickly and efficiently. They discovered that hidden accounts behind the illegal VPN were sending malware attacks from inside an office building in rural northern Taiwan.
Usually, cybercriminals use compromised PCs to launch cyberattacks. But this time, the source was identified as an LED light control console, a seemingly insignificant IoT device. The MJIB quickly shut it down and stopped it from spewing out more malware.
“This case marks a milestone. That’s because we were able to take down the IoT device and secure the breach to a limited range for those compromised computers in Taiwan, which is quite different from our previous global cooperation cases,” says Director Fu-Mei Wu, who leads the MJIB’s Information and Communication Security Division.
“Cyberattacks are getting increasingly serious. Through Microsoft’s efforts to gather intelligence and process data, we can investigate the perpetrators more efficiently, and further take legal action before criminals can get very far. This is a partnership based on mutual trust, and we are thankful that Microsoft is on our side.”
Director Wu and the MJIB have presented the Taiwan DCU team with a thank-you certificate, showing appreciation for their intelligence capabilities and quick response in helping shut down the illegal VPN IP.
Microsoft’s DCU came up with a good lead. The MJIB then sprang into action and leveraged the DCU’s intelligence for a strong finish. The criminal activity was shut down and a stronger partnership was forged between Microsoft and a key Taiwanese law enforcement agency.
New types of cybercrime
A big increase in mobile devices and IoT devices connected to the internet in Taiwan has made the island of 23 million people vulnerable to new types of cybercrime.
The MJIB is busy with cases of computer intrusions and cyberattacks, and the trend has been increasing over the last two years. The attackers behind these cases target the government and the technology industry, trying to steal and leak confidential information and to launch full information warfare campaigns.
The DCU Taiwan team now meets monthly with the MJIB to discuss trends, threats, and Microsoft’s cyber threat intelligence alerts. Both Microsoft’s customers and the general public stand to benefit, and as these partnerships continue to roll out in other countries, Microsoft’s fight to keep the internet a safer place remains more urgent than ever.
Global intelligence-sharing
In March of this year, Microsoft partnered with Computer Emergency Response Teams (CERTs) across 35 countries to disrupt another botnet, taking the additional step of coordinating with Internet Service Providers (ISPs) globally to rid their customers’ computers of the malware that allowed the botnet to operate.
The DCU has taken down 22 botnets since 2010. They have worked with ISPs, domain registries, government CERTs and law enforcement in Taiwan, Mexico, Colombia, India, Japan, France, Spain, Poland, and Romania, among others — doubling down on a commitment for a safer internet, not only for Microsoft’s customers but for citizens of a connected planet.
In addition to the global botnet disruption operations described above, the intelligence-sharing program has proven valuable to local law enforcement agencies in their own cases as well.