Story Labs / News Center

Digital Detectives

by Jennifer Warnick
Inside Microsoft’s new headquarters for the fight against cybercrime.

Originally published on November 14, 2013.

Last year, an army of five million zombie computers began taking marching orders from an Eastern European cybercriminal kingpin.

These computers weren’t in a dank warehouse or an abandoned strip mall, but in homes and offices across 90 countries. The infected PCs belonged to a vast array of unwitting users who detected nothing out of the ordinary. Meanwhile, when its malevolent creators issued the command, the zombie army lurched to life.

The spread of a zombie army

Heat maps showing the intensity of the Citadel botnet by location. All told, Citadel malware was used to steal half a billion dollars from people and businesses.

The zombies recorded keystrokes, capturing login passwords and Social Security numbers, spying on financial information, and logging people’s most sensitive and personal information. In short order, the zombies could report back to their masters that your mother’s maiden name is Jones, you bank at Chase, and that you use a Battlestar Galactica-inspired password for several accounts. Then boom, a thief on the other side of the world is typing “Fr@ckCyl0ns!” to log in to your most important websites, stealing your hard-earned savings, your credit card numbers – perhaps even your identity.

Over the course of 18 months, this botnet (nicknamed Citadel) stole half a billion dollars from students and bankers, grandparents and businesses. This summer, the FBI, bank investigators, technology researchers and Microsoft teamed up to try to stop it.

Cybercrime by the numbers:

  • 50% of online adults: About half of online adults were cybercrime victims in the past year.
  • $500 billion: Cybercrime costs the global economy up to $500 billion annually.
  • 20% of businesses: One in five small and medium businesses have been targeted.

In “separate but coordinated operations,” the coalition managed to shut down nearly 90 percent of Citadel’s zombie computers. Richard McFeely, executive assistant director of the FBI’s Criminal, Cyber, Response, and Services Branch, said the efforts “will further develop our intelligence on international criminal hackers, enabling more actions in the coming months.”

“We wanted to protect our customers,” says Richard Boscovich, assistant general counsel for Microsoft’s Digital Crimes Unit (DCU). “As a result, we’re hopefully identifying or producing evidence that we can provide to national and international law enforcement so they can not only identify these criminals but apprehend them.”

Bosco, as most people call him, is a former lawyer with the U.S. Attorney’s Office in Miami. He came to Microsoft in 2008 as “not a big computer user” and somewhat unsure as to what direction his new job would take. That didn’t last long. Within months, he’d used a novel legal approach to help stop one of the world’s largest spambots (nicknamed Rustock) that was infecting up to 2.5 million computers a day.

In short, Boscovich asked a judge for a temporary restraining order against the spammers, which would require them to show up to a hearing to defend themselves. The spammers, of course, didn’t show, which opened the door for Microsoft to “win by default” and take control of hundreds of domains that spammers were using to infect computers. Working with Internet service providers, Microsoft then informed the infected customers and pushed out tools to help them clean their computers.

“They were basic, common law principles – well, maybe one or two modern laws – used in a totally unique way to address a 21st century problem,” Boscovich says. “That was the fun part. I never envisioned seizing computer servers used as a botnet command and control center by using the Lanham Act’s trademark violations.”

Meanwhile, in the forensics laboratory, Donal Keating – a bearded Irishman, purveyor of snappy one-liners and senior manager of forensics – talks about a recent call from one of Microsoft’s partners, a hardware manufacturer. A shipment of 3,600 of the partner’s laptops had been stolen, and they wondered if Keating could help. Each laptop had a unique activation code, and within ten minutes Keating had produced a map. In the lab he runs it as a sped-up time-lapse, and over the course of a few days the map lights up with where each of the thousands of laptops had come online.

  • Donal Keating uses Microsoft PowerMap to visualize piracy data.
  • Investigators and analysts work in the Cybercrime Center’s malware laboratory.
  • The entrance to Microsoft’s new Cybercrime Center in Redmond, Wash.
  • David Finn walks visitors through the long, case study-filled hallway that leads into the Cybercrime Center.
  • Vishant Patel talks about the center’s ultra-secure evidence rooms and servers.
  • Donal Keating and his fellow Digital Crimes Unit employees work in the Cybercrime Center’s new forensics lab.
  • The entrance to the Cybercrime Center features a fingerprint composed of binary zeroes and ones.

“The ‘aha’ moments are really fun,” Keating says, chuckling at the visitors’ wide eyes and open mouths.

Keating and others on the team say they’ve come to notice a strong relationship between counterfeit or pirated software and instances of malware. So has the FBI.

There are “significant risks posed to our citizens, businesses, and intellectual property by cyber threats and malicious software, which are often enabled by counterfeit and unlicensed software,” the FBI’s McFeely said following the Citadel operation.

However well-intentioned consumers may be, purchasing software from unknown vendors or downloading software from unreliable sources is a good way to become a member of the malware club. Or, as Keating puts it, “a self-selecting member of the posse.”

“If people are buying hokey stuff, or downloading pirated software, I can guarantee eventually they’ll end up with some of this jazz,” Keating says. “As the priest would say, it’s a lifestyle choice.”

Bottom line: Everyone wants the latest and greatest software, but nobody wants their computer to become a bank account-emptying zombie so “make sure you’re getting your stuff through a reputable supply chain,” Keating says.

In his office, Keating pulls out a large binder of his favorite “mug shots” – counterfeit discs and authentication keys. Some of them are obviously fakes (La Familia, the Mexican drug cartel-turned-software-counterfeiters, boldly stamps its initials right next to Microsoft’s name on its pirated copies). Other discs and certificates would fool most experts. Each time the company takes complex steps to make its discs and authentication certificates harder to copy, criminals find a way to counterfeit them.

“There’s a steady drumbeat of this stuff. In some cases, they’re using business intelligence exactly the same way we do,” Keating says. “Microsoft does something, the gangsters do something, Microsoft does something, the gangsters do something. It’s a sophisticated game.”

These ripped-from-the-headlines episodes and many others are highlighted at Microsoft’s new Cybercrime Center, opening today on the company’s Redmond campus. In many ways, the center – and what happens there – is like something straight out of a Hollywood script.

It's a world-class laboratory where a seasoned team of cybercrime investigators engage in a high-stakes game of chess, trying to stay a move or two ahead of the world’s most odious Internet criminals in an effort to make the web a safer place.

David Finn, associate general counsel for Microsoft’s DCU, ushers a group of visitors into the new facility.

The long hallway that leads into the center is appointed with video screens, news clippings and statistics with cybercrime facts and case studies, which act as a sort of Greek chorus to set the stage for what visitors will find inside.

“There are nearly 400 million victims of cybercrime each year. And cybercrime costs consumers $113 billion per year,” Finn says, pointing to a sign that outlines the impact of cybercrime. “We understand that there’s no one single country, business or organization that can tackle cyber security and cybercrime threats alone. That’s why we invest in bringing partners into our center – law enforcement agencies, partners and customers – into this center to work right alongside us.”

It’s a CSI kind of place, clearly equipped for its high-tech mission, but also airy and inviting with its modern glass, chrome, and wood. The Cybercrime Center is home to laboratories; offices and ultra-secure evidence rooms; and cutting-edge software and tools.

“It’s like a functional movie set,” says Finn, a former federal prosecutor in New York City who now leads the DCU team. “But there is real-life cybercrime going on, and these are real-life labs to fight it in a cutting-edge way. This is not a TV show – we have important cases we’re working on right now, right on the other side of the window.”

The center is home to a team of hand-selected experts who were, in their pre-Microsoft lives, federal prosecutors, police officers, technical analysts, bankers, engineers and physicists. They now work to make the Internet a safer place.

Crime + Internet = cybercrime, and this team has investigated (and is investigating) a broad array of digital villainy. Their investigations have brought them to the doorstep of the Russian mafia and a brutally violent Mexican narcotics cartel, as well as all manner of drug dealers, thieves, counterfeiters, pirates and child exploiters from all over the world. It’s easy to draw parallels with TV shows such as CSI, but the similarities with Hollywood come to an end very quickly.
“What we do is where the TV meets the road,” says Brian Williams, a senior investigations manager based in Bangkok, Thailand. Williams was a 16-year veteran with the Royal Canadian Mounted Police when he joined Microsoft 13 years ago.

“Put it this way,” Williams says. “I’ve never solved a case in half an hour. That’s not the real world.”

Microsoft’s efforts to fight cybercrime have evolved and intertwined over the last 15 years, and teams from across the company have increasingly found overlap in their work.

“We started to recognize that our work could really benefit from creating a common workspace – a home not only where teams from across Microsoft could work closely together, but a place where partners and people from law enforcement could come as well,” says Brad Smith, Microsoft’s general counsel and executive vice president of Legal and Corporate Affairs.

Smith was also inspired and impressed by a visit to South Korea’s national cybercrime headquarters.

“I saw what they were doing in Seoul and realized that we have people with broader experience, but we weren’t providing our people with those kind of tools,” Smith says. Upon his return, he set out to change that.

The result, the new Cybercrime Center, is the perfect mixture of people, tools and technology, Smith says. Plus it’s a real-life showcase for what Microsoft’s business intelligence and big data tools can do.

Part of the reason the DCU team’s cases would never fit cleanly into a 30-minute television show, or even a two-hour movie, is that their work is deeply complicated. That said, the team has also had its share of Hollywood endings, including taking down a massive botnet; shining a light on the activities of international pirates, counterfeiters and criminals; and helping to fight child exploitation.

The team develops tools and techniques to track and catch cybercriminals of all stripes, and shares those with law enforcement from around the world. So far, Microsoft has helped take down or otherwise hobble seven botnets with ties to criminal organizations. A team of researchers at Microsoft, in cooperation with Dartmouth College, also developed PhotoDNA, a technology that creates a unique, fingerprint-like signature for digital images which can help in finding copies of an image. PhotoDNA was donated to the National Center for Missing and Exploited Children, and the tool is used by Facebook, Twitter, and other companies to find, report and eliminate thousands of online images of child pornography that would have otherwise gone undetected.

It’s an important partnership for global law enforcement, says Noboru Nakatani, executive director for INTERPOL’s Global Complex for Innovation.

Law enforcement agencies are often “reluctant to use new techniques,” and don’t always maximize current technology, Nakatani says. Criminals, however, are certainly maximizing the benefits of technology in their wrongdoing. With Microsoft’s guidance, police organizations can optimize the latest technology to pursue criminals who are using the same.

“We are looking at the same issues, which are quite global, and we have to coordinate a global response,” Nakatani says. (The new Cybercrime Center) “is a great sign that Microsoft is serious about (fighting) cybercrime, and serious about working with law enforcement.”

As with the take-down of the Citadel botnet, millions of people and businesses as well as the Internet-at-large stand to benefit from the company’s fight against cybercrime.
“I believe that the work at the Cybercrime Center gives the company a great opportunity to do good for the world and do well for ourselves at the same time,” Smith says. “In part, the work of the Cybercrime Center focuses on making the internet a safer place that consumers, businesses, and law enforcement can fully utilize. At the same time, the Microsoft ecosystem of products and services benefits directly from the work that we do, ensuring that customers of Microsoft and users of Windows are protected.”

In the Cybercrime Center’s conference room, Vishant Patel, senior manager of investigations, recaps the Citadel case and pulls up a map to show the spread of the botnet’s zombie army. Patel’s map on the massive multi-touch display is aglow with the locations of malware-infected computers. America is bright, as are Australia and Western Europe.

“Western Europe was by far the highest rate of infection,” Patel says.

On the map, Russia and Ukraine are nearly free of lights; that’s where the malware emerged.

“Most of this is the orchestration of a criminal gang there, and there are no malware attacks there because when they wrote the code for their botnet, they wrote it so it doesn’t run on Ukrainian or Russian language software,” Finn says. “The bad guys knew that would significantly insulate them from law enforcement in their own country. It also illustrates why it’s important to have a global force against cybercrime.”

And now, these veteran cybercrime fighters have a Hollywood-style, superhero-grade headquarters. The Cybercrime Center is a world-class command center for a team at the forefront of global internet security, Smith says.

“We’re defining a new field,” Smith says. “And we’re using our software, our data, our cloud services and our devices to help do that.”

Photos by Daniel Victor, Richard Worsfold, and Benjamin Benschneider / © Microsoft