Pittsburgh FBI Helps Dismantle International Cybercrime Network

The network was dismantled as the result of a joint operation between the FBI in Pittsburgh and the National Cyber-Forensics and Training Alliance.

by Paula Reed Ward, Pittsburgh Post-Gazette / December 6, 2016

(TNS) -- An international cyber crime operation using malware to steal from private computer users all over the world has been dismantled as the result of a joint operation including the FBI in Pittsburgh and the National Cyber-Forensics and Training Alliance.

German state police sought the FBI’s help in July 2015, and today, Soo Song, the acting U.S. attorney for the Western District of Pennsylvania, announced the scope of the investigation, which resulted in the destruction of Avalanche, the computer server infrastructure used by more than a dozen criminal enterprises around the world to anonymously host their malicious software.

Ms. Song estimated that hundreds of millions of dollars around the world have been lost through Avalanche since it began operating in 2009. An international investigation began four years ago.

According to Ms. Song, there were approximately 250,000 infected computers found in 189 countries around the world. About 20,000 of those were in the United States, she said. She identified three victims of the illegal activity in the Western District, including the Allegheny County District Attorney’s Office, which was forced to pay six Bitcoins — digital currency worth at the time about $1,400 — to unlock one of its computers. The machine had been infected by malicious software known as ransomware.

“The Allegheny County District Attorney’s Office was the victim of a recent cyber crime referenced earlier today by the United States Attorney’s Office,” said Mike Manko, a spokesman at the DA’s office, in a statement. “As technology continues to evolve, so does crime, and criminals are going to take advantage of that technology to always find new ways to victimize individuals, businesses and government agencies. As no cases were compromised as a result of this breach, we consider what happened more of a nuisance than anything else.”

Two companies — one in New Castle and one in Carnegie — also had their banking information stolen through malware. They stood to lose hundreds of thousands of dollars each. But alert banking officials halted transfers that were occurring, Ms. Song said. Neither company suffered any actual loss, she said. Ms. Song would not identify them.

The operation included investigators taking control of the servers being used by the Avalanche malware and redirecting the infected computers to an FBI-controlled server, an operation called “sinkholing.” A user’s computer often becomes infected when the person clicks on a link that appears to be legitimate.

Once the malware is in the computer, it uses an Internet domain to relay its information to those controlling it. Investigators were able to take control of about 800,000 domains, blocking more than 675,000 of them, said J. Keith Mularski, an FBI supervisory special agent. The agency then contacts the relevant Internet Service Provider to inform them of the infected computer systems to help remediate the problem, he said.
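The remediation step described above (infected machines beaconing to a sinkhole, then their ISPs being notified) is illustrated here with an added, constructed example; it is not part of the article or any FBI tooling. The log lines, domains, prefixes and abuse contacts are all invented placeholders.

```python
"""Sinkhole-log triage: turn beacons seen at a sinkhole into per-ISP notification lists.

Constructed example: the log lines and the prefix-to-ISP table are invented,
not real Avalanche data.
"""
import ipaddress
from collections import defaultdict

# Constructed sinkhole access log: timestamp, client IP, domain the client asked for.
SINKHOLE_LOG = """\
2016-12-01T03:14:07Z 203.0.113.17 update-check.example-c2.test
2016-12-01T03:14:09Z 203.0.113.17 update-check.example-c2.test
2016-12-01T03:15:41Z 198.51.100.8 cdn-sync.example-c2.test
2016-12-01T03:16:02Z 192.0.2.200 update-check.example-c2.test
2016-12-01T03:16:55Z 198.51.100.9 cdn-sync.example-c2.test
not-a-valid-line
"""

# Constructed mapping of ISP-owned prefixes to (placeholder) abuse contacts.
ISP_PREFIXES = {
    "203.0.113.0/24": "abuse@isp-one.example",
    "198.51.100.0/24": "abuse@isp-two.example",
}

def parse_sinkhole_log(text):
    """Yield (client_ip, domain) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield ipaddress.ip_address(parts[1]), parts[2]
        except ValueError:
            continue

def isp_for(ip, prefixes):
    """Return the abuse contact whose prefix contains ip, or None if unmapped."""
    for cidr, contact in prefixes.items():
        if ip in ipaddress.ip_network(cidr):
            return contact
    return None

def build_notifications(log_text, prefixes=ISP_PREFIXES):
    """Return {contact: sorted unique infected IPs}; unmatched IPs go under 'unmapped'."""
    seen = defaultdict(set)
    for ip, _domain in parse_sinkhole_log(log_text):
        seen[isp_for(ip, prefixes) or "unmapped"].add(str(ip))
    return {contact: sorted(hosts) for contact, hosts in seen.items()}

if __name__ == "__main__":
    for contact, hosts in build_notifications(SINKHOLE_LOG).items():
        print(contact, hosts)
```

Repeated beacons from one host collapse to a single entry, so each ISP receives one line per infected machine rather than one per connection.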

Robert Johnson, the Pittsburgh FBI special agent in charge, said the work was done through collaboration of law enforcement and private industry and involved 40 different Internet registries across the world.

No one has been indicted in the United States for these actions, but five people have been arrested internationally.

“This is just one group that we took down,” Mr. Mularski said. “This is one organization we’ve tackled.”

The National Cyber-Forensics and Training Alliance, based in Pittsburgh’s South Oakland neighborhood, brings public, private and academic experts together to find and eliminate cyberthreats.

©2016 the Pittsburgh Post-Gazette Distributed by Tribune Content Agency, LLC.
