In November 2011, the FBI-led Operation Ghost Click raided malicious servers run by the Rove Digital cyber group. By then, the group had already used the DNSChanger Trojan to infect over four million computers and generate over $14 million in illicit profits. At the time, the operation was billed as the biggest cyber criminal takedown in history.

How did the DNSChanger infect so many machines before detection? How did authorities work together to stop this attack cold in its tracks? And what lessons did the security community learn from the DNSChanger incident? Let’s find out.

What is DNSChanger?

DNSChanger is a DNS hijacking Trojan operated by the Estonian cyber gang Rove Digital. It’s believed the Trojan’s malicious activity began in 2007. The malware works by modifying a computer’s Domain Name System (DNS) settings so that name lookups go to servers the attackers control. Whoever controls those settings can then redirect internet users to fraudulent websites.

DNSChanger was distributed as a malicious download disguised as a video codec. When visiting a rogue website (the majority were pornographic sites), users were lured to click on a link or popup in order to download the codec to watch a video. Once a victim clicked the malicious link, the DNSChanger Trojan unleashed its payload.

After modifying the infected computer’s DNS configuration, the malware pointed it to rogue name servers operated through affiliates of Rove Digital. These rogue name servers primarily supported advertising sold by Rove. Advertisers then paid for the traffic thinking it came through legitimate clicks.

Worldwide, DNSChanger infected over 4 million computers in more than 100 countries. There were about 500,000 infections in the U.S., including computers belonging to individuals, businesses and government agencies such as NASA.

How did the DNSChanger takedown occur?

On the day of the takedown, Estonian police arrested Rove Digital ringleader Vladimir Tsastsin and five other actors. Meanwhile, U.S. authorities disabled the command-and-control network, including rogue DNS servers in New York and Chicago.

One problem the authorities faced was that the rogue DNS servers were still providing name resolutions for millions of infected computers. To resolve this issue, the FBI commissioned the Internet Systems Consortium to replace the rogue servers with legitimate DNS servers, thus protecting the users’ internet access from interruption.

Operation Ghost Click was a complex international investigation. Its success relied on strong working relationships between law enforcement, private industry and international partners. The FBI, NASA’s Office of Inspector General, the Estonian Police, nearly a dozen private and public sector partners and many more all banded together to make the operation work. Even Facebook and Google notified users that their Mac or PC computers could be infected.

Coordinated efforts with a twist

Since cyber gangs can launch attacks from anywhere, international teamwork has become increasingly necessary to stop attackers. For instance, in January 2021 Europol announced the EMOTET takedown. The operation was the result of a collaborative effort between authorities in the Netherlands, Germany, the US, the UK, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

EMOTET was one of the most sophisticated and long-lasting cyber crime services ever. What began as a banking Trojan in 2014 evolved into a reliable attack resource for threat actors worldwide. Via infected email attachments, EMOTET opened the door to computer systems on a global scale. Once the operators had established unauthorized access, they sold that access to other threat groups to execute further malicious activities such as data theft and ransomware.

A coordinated multinational team worked to gain control of the EMOTET infrastructure and disrupt it from the inside. The infected machines were then redirected toward a law-enforcement-controlled infrastructure. Ironically, authorities deployed a DNS sinkholing method, the same defensive technique used to intercept DNS requests for known malicious or unwanted domains. With this method, the sinkhole resolver answers queries for those domains with a controlled IP address, so the infected machine connects to a sinkhole server chosen by the DNS sinkhole administrator instead of to the attackers’ servers. This was a unique and new approach to effectively disrupt the activities of malicious actors.
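The sinkhole behaviour described above, as an added example that is not part of the original article and is not the tooling used in the EMOTET operation. The blocklisted names and the sinkhole address are constructed placeholders (RFC 5737 documentation addresses), not real indicators. The code parses a DNS query in wire format, answers an A query for a blocklisted domain with the sinkhole address, and records which client asked, which is how a sinkhole doubles as a list of infected hosts:

```python
import socket
import struct
from typing import Optional, Tuple

# Constructed blocklist and sinkhole address; placeholders, not real indicators.
BLOCKLIST = {"evil-c2.example", "rogue-ads.example"}
SINKHOLE_IP = "192.0.2.10"  # RFC 5737 documentation address standing in for the sinkhole server
SINKHOLE_TTL = 60           # short TTL so a later policy change is picked up quickly

QTYPE_A = 1
FLAGS_RESPONSE = 0x8180     # QR=1, RD=1, RA=1, RCODE=0 (NOERROR)


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS label format ("a.b" -> b"\\x01a\\x01b\\x00")."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a standard recursive query; used here to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes) -> Tuple[int, str, int, bytes]:
    """Return (txid, qname, qtype, raw question section) from a DNS query."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1  # root label terminator
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, packet[12:pos + 4]


def sinkhole(packet: bytes, client_ip: str) -> Tuple[Optional[bytes], Optional[str]]:
    """Answer a blocklisted A query with the sinkhole address and log the hit.

    Returns (response, log_line). Both are None for domains that are not
    blocklisted; a real deployment forwards those to an upstream resolver.
    """
    txid, qname, qtype, question = parse_query(packet)
    if qname not in BLOCKLIST or qtype != QTYPE_A:
        return None, None
    header = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE, 1, 1, 0, 0)
    # Answer RR: compressed name pointer to offset 12 (the question name), type A, class IN.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, SINKHOLE_TTL, 4)
              + socket.inet_aton(SINKHOLE_IP))
    log_line = f"sinkhole hit: client={client_ip} qname={qname}"
    return header + question + answer, log_line


def answered_address(response: bytes) -> str:
    """Extract the A record address from a single-answer response (for checking)."""
    _txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if ancount != 1:
        raise ValueError("expected exactly one answer")
    pos = 12
    while response[pos] != 0:       # skip the question name
        pos += 1 + response[pos]
    pos += 1 + 4                    # terminator + qtype/qclass
    pos += 2                        # compressed name pointer in the answer
    rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", response[pos:pos + 10])
    pos += 10
    if rtype != QTYPE_A or rdlength != 4:
        raise ValueError("not an A record")
    return socket.inet_ntoa(response[pos:pos + 4])


if __name__ == "__main__":
    # Constructed sample traffic: one infected host asking for a C2 name, one benign query.
    for client, name in [("10.0.0.23", "evil-c2.example"), ("10.0.0.24", "www.example.org")]:
        resp, line = sinkhole(build_query(0x1234, name), client)
        print(line or f"pass-through: client={client} qname={name}",
              "->", answered_address(resp) if resp else "forward upstream")
```

The log line is the part defenders care about most: every hit names a client that tried to reach a blocklisted domain, which is exactly the list of machines that need remediation.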

New global models against cyber crime

With the war in Ukraine, the global risks of cyber crime have never been higher. At the top of the agenda are threats to critical infrastructure. However, attacks on hospitals, local governments and companies cause trouble at every level, even threatening to disrupt macroeconomic stability.

For this reason, many political and business leaders are calling for new paradigms to stem the rising tide of attacks. Some strategies include:

  • More unified diplomatic efforts and agreements to combat cyber crime
  • Continued and increased collaboration to create strong public-private partnerships
  • Strengthening actions of law enforcement and accountability
  • International, multinational efforts to hold rogue nations accountable

Hit them where it hurts

While DNSChanger and Operation Ghost Click were historic in their scope, it took years before action was taken against the cyber actors. The result was a physical raid and arrests.

Still, other methods, like the at-a-distance disruption of EMOTET, may become more common — that is, hacking the hackers. Sanctioning affiliated entities could also stem the tide of attacks. During the takedown of Hydra, the world’s largest darknet marketplace, part of the operation included sanctioning over 100 virtual currency addresses used to conduct illicit transactions.

Protection against DNS hijacking

Some steps organizations can take to prevent DNS hijacking include:

  1. DNS flushing: Regularly clearing your DNS cache removes all cached entries on your local system, including any invalid or poisoned DNS records that could direct you to malicious sites.
  2. nslookup: This is a command-line tool that server administrators and users can run to find out the IP address of a specified hostname. Confirming that a website resolves to its expected address helps detect redirection to fraudulent sites, which is what makes nslookup useful against phishing attacks.
  3. DNS leak test: When you use secure VPNs or privacy services, you may find they are poorly configured and the default DNS servers are still being used. This means anyone monitoring network traffic will be able to log your activity for malicious purposes. Running a DNS leak test confirms that DNS queries stay inside the VPN tunnel along with the rest of your network traffic.
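A DNS changer works by rewriting the resolver configuration, so the quickest check is to audit that configuration against what the organization expects. The following is an added example, not code from the original article or from any tool it names. It parses resolv.conf-style text and classifies each configured nameserver against an approved list and a "known rogue" range; the approved resolvers, the rogue range (an RFC 5737 documentation network) and the sample configuration are all constructed placeholders, and a real watchlist would come from your threat-intelligence feed:

```python
import ipaddress
from typing import Dict, List, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed policy. 198.51.100.0/24 is an RFC 5737 documentation network used
# only as a stand-in for a rogue resolver range from a threat-intel feed.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.10.0.53"), ipaddress.ip_address("10.10.1.53")}
ROGUE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample: one approved resolver plus entries a DNS changer might add.
SAMPLE_RESOLV_CONF = """\
# generated by the network manager
nameserver 10.10.0.53
nameserver 198.51.100.7   # inside the placeholder rogue range
nameserver 8.8.8.8
search corp.example
"""


def parse_resolv_conf(text: str) -> List[Address]:
    """Return the nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry: skip it rather than abort the audit
    return servers


def classify(server: Address) -> str:
    """Label one resolver: approved, known-rogue, or unapproved (internal/external)."""
    if server in APPROVED_RESOLVERS:
        return "approved"
    if any(server in net for net in ROGUE_RANGES):
        return "known-rogue"
    if server.is_loopback or server.is_private:
        return "unapproved-internal"
    return "unapproved-external"


def audit(text: str) -> Dict[str, str]:
    """Map each configured resolver (as a string) to its classification."""
    return {str(s): classify(s) for s in parse_resolv_conf(text)}


def has_findings(text: str) -> bool:
    """True when any configured resolver is not on the approved list."""
    return any(label != "approved" for label in audit(text).values())


def audit_file(path: str = "/etc/resolv.conf") -> Dict[str, str]:
    """Run the audit against a live resolver configuration file."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for server, label in audit(SAMPLE_RESOLV_CONF).items():
        print(f"{server:<16} {label}")
    print("findings:", has_findings(SAMPLE_RESOLV_CONF))
```

On systems that use a local stub such as systemd-resolved, /etc/resolv.conf points at a loopback address and the upstream servers live in the stub's own configuration, so the audit should be run against that configuration as well; the "unapproved-internal" label is there to make that case visible rather than silently pass it.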

Looking forward

New strategies and cultural shifts will be required to face growing international cyber threats. At a minimum, this includes individual responsibility coupled with strong alliances, tactics and policies. Only a united front will keep attackers at bay.
