Light Dark
November 14, 2022 By Mike Elgan 3 min read
Risk Management

On the morning of July 9, 2012, the world braced for an “internet doomsday”: a full-scale crash of the global internet.

Except it didn’t happen. And that non-event represented the culmination of a long and successful coordinated action taken between a huge number of organizations, spearheaded by the FBI.

It was one of the most remarkable operations in the history of cyber crime, and it led to lasting changes in how professionals think about and defend against malicious cyberattacks.

Operation Ghost Click

The story began in 2007 when an unethical Estonia-based spam advertising company called Rove Digital started to use a new trojan malware called DNSChanger, which went on to infect more than four million computers in over 100 countries. Some half a million systems were infected in the United States alone. The drive-by malware was falsely presented to users as a codec required to watch videos but was, in fact, the DNSChanger trojan. DNSChanger infected systems at the boot sector level, making it hard to remove.

The malware changed computers’ DNS entries to point to Rove Digital’s own rogue name servers, where advertising was injected onto web pages and personal information was stolen. In some cases, DNSChanger also had the self-defense mechanism of blocking operating systems and anti-virus software from updating.

The perpetrators reportedly got $14 million from their scheme.

What happened next was astonishing. The FBI launched a two-year operation called Operation Ghost Click, coordinating the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, the National High Tech Crime Unit of the Dutch National Police Agency, cybersecurity and technology specialists from Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, the University of Alabama at Birmingham and members of an ad hoc group of subject matter experts known as the DNSChanger Working Group (DCWG).

Preventing “internet doomsday”

After the investigation, on November 8, 2011, six Estonians were arrested, extradited to the United States and charged with participation in an Internet fraud ring. A seventh alleged conspirator, who is Russian, remained at large but was also charged with a wide range of crimes and placed on the FBI’s Cyber Most Wanted list. Their servers were seized and replaced with two new servers.

But the FBI did not remove the DNSChanger malware, which would disrupt the internet access of the many victims. Instead, they headed a widespread initiative, working with ISPs and others, to enable victims to safely remove the malware from their computer systems.

The FBI set up an office for victim assistance, with a hotline to call and a wide range of resources for understanding and remediating the effects of the DNSChanger malware.

Authorities also froze the criminals’ bank accounts and seized hard drives from more than 100 rogue servers in New York and Chicago data centers suspected of being part of the group’s command and control infrastructure.

Estimates suggest that the initiative was successful in an overwhelming number of instances, with just 41,800 systems still affected when the FBI pulled the plug on their servers.

That day, called “Internet Doomsday,” was Monday, July 9, 2012. But due to the combined efforts of Operation Ghost Click, doomsday was averted. No catastrophe took place.

In the end, the entire operation was one of the most successful law enforcement operations in the history of cyber crime.

How Operation Ghost Click changed cybersecurity

The entire operation was a success and changed how law enforcement approaches cyber crimes. Specifically, the operation taught them:

  • The power of law enforcement cooperation. Cyber crime tends to be international. Working with international police, sharing resources and coordinating efforts can prevent some criminals from finding safe havens abroad. Of course, this idea only goes so far, especially when rogue states protect cyber criminals. But to the greatest extent possible, cooperation is key.
  • The power of partnering with cybersecurity specialists at universities and security firms. Law enforcement agencies like the FBI have cybersecurity experts. But by bringing top experts wherever they are, including among the cyber crime victims (NASA, for example, was a major DNSChanger victim, and also partnered in the law enforcement operation), the cyber criminals can be truly outsmarted.
  • The value in creating ad hoc working groups (in this case, the DCWG). It’s a great idea to cobble together expert volunteers to deeply study specific, particularly dangerous malware, then share their findings with law enforcement.
  • Taking a broad view of cyber crime law enforcement. The FBI’s mission is to investigate crimes, not to commission DNS servers or maintain and publicize cybersecurity protection resources. But the entire operation was characterized by creative thinking and unusual actions, such as the decision to take over and replace DNS servers run by the criminals and keep them running until most victims could remove the malware.

A decade ago, the whole Operation Ghost Click, DNSChanger and “internet doomsday” event shocked and fascinated the internet and cybersecurity communities. Today it represents a textbook case on how to investigate, prosecute and, most importantly, protect the public from international cyber crime.

 |  |  |  |  |  |  |  | 
Mike Elgan

More from Risk Management
November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

November 20, 2024

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature