In November 2011, the FBI-led Operation Ghost Click raided malicious servers run by the Rove Digital cyber group. This was only after the group had leveraged the DNSChanger Trojan to infect over four million computers and generate over $14 million in illicit profits. At the time, the operation was billed as the biggest cyber criminal takedown in history.

How did the DNSChanger infect so many machines before detection? How did authorities work together to stop this attack cold in its tracks? And what lessons did the security community learn from the DNSChanger incident? Let’s find out.

What is DNSChanger?

DNSChanger is a DNS hijacking Trojan launched by the Estonian cyber gang Rove Digital. It’s believed the Trojan’s malicious activity began in 2007. The malware works by modifying a computer’s Domain Name System (DNS) settings. Malware authors can then redirect internet users to fraudulent websites.

DNSChanger was distributed as an infected download disguised as a video codec. When visiting a rogue website (the majority were pornographic sites), users were lured to click on a link or popup to download the codec in order to watch a video. Once a victim clicked the malicious link, the DNSChanger Trojan unleashed its payload.

By modifying the infected computer’s DNS configuration, the malware pointed the victim’s name lookups to rogue name servers operated through affiliates of Rove Digital. These rogue name servers primarily served advertising sold by Rove. Advertisers then paid for the traffic, thinking it came through legitimate clicks.

Worldwide, DNSChanger infected over 4 million computers in more than 100 countries. There were about 500,000 infections in the U.S., including computers belonging to individuals, businesses and government agencies such as NASA.

How Did the DNSChanger Takedown Occur?

On the day of the takedown, Estonian police arrested Rove Digital ringleader Vladimir Tsastsin and five other actors. Meanwhile, U.S. authorities disabled the command-and-control network, including rogue DNS servers in New York and Chicago.

One problem the authorities faced was that the rogue DNS servers were still providing name resolution for millions of infected computers. To resolve this issue, the FBI commissioned the Internet Systems Consortium to replace the rogue servers with legitimate DNS servers, thus protecting the users’ internet access from interruption.

Operation Ghost Click was a complex international investigation. Its success relied on strong working relationships between law enforcement, private industry and international partners. The FBI, NASA’s Office of Inspector General, the Estonian Police, nearly a dozen private and public sector partners and many more all banded together to make the operation work. Even Facebook and Google notified users that their Mac or PC computers could be infected.

Coordinated Efforts With a Twist

Since cyber gangs can launch attacks from anywhere, international teamwork has become increasingly necessary to stop attackers. For instance, in January 2021 Europol announced the EMOTET takedown. The operation was the result of a collaborative effort between authorities in the Netherlands, Germany, the US, the UK, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

EMOTET was one of the most sophisticated and long-lasting cyber crime services ever. It began as a banking Trojan in 2014 and evolved into a reliable attack resource for threat actors worldwide. Via infected email attachments, EMOTET opened the door to computer systems on a global scale. Once its operators had established unauthorized access, they sold that access to other threat groups to carry out further malicious activities such as data theft and ransomware.

A coordinated multinational team worked to gain control of the EMOTET infrastructure and disrupt it from the inside. The infected machines were then redirected toward a law-enforcement-controlled infrastructure. Ironically, authorities deployed a DNS sinkholing method to intercept DNS requests attempting to connect to known malicious or unwanted domains. With this method, a query for such a domain is answered with a controlled IP address that points to a sinkhole server chosen by the DNS sinkhole administrator, so the infected machine never reaches the real command-and-control host. This was a unique and new approach to effectively disrupt the activities of malicious actors.
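The sinkholing described above can be illustrated in code. The following is an added example written for this article, not code from the EMOTET operation or from any law-enforcement tool: a minimal DNS responder that parses a wire-format A query, answers queries for blocklisted domains (and their subdomains) with a sinkhole address while logging which client asked, and passes everything else to a stand-in upstream lookup. The blocklist, the sinkhole address, the upstream table and the client addresses are all constructed for the example; real sinkholes would also handle name compression in incoming queries, other record types and TCP, which this example omits.

```python
import socket
import struct
from datetime import datetime, timezone

# Constructed blocklist of domains the sinkhole operator wants to intercept (hypothetical names).
BLOCKLIST = {"rogue-ads.example", "c2.example"}
# Sinkhole server address (RFC 5737 documentation range, constructed for the example).
SINKHOLE_IP = "192.0.2.10"
# Constructed stand-in for real upstream resolution; a real resolver would forward the query.
UPSTREAM = {"www.example.org": "93.184.216.34"}


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode uncompressed DNS labels starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name, txid=0x1234):
    """Build a standard recursive A/IN query, as a stub resolver on an infected host would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def is_sinkholed(name):
    """True if the name is a blocklisted domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKLIST)


def answer_query(packet, client, log):
    """Answer one query packet. Sinkholed names get SINKHOLE_IP and a log entry."""
    txid = struct.unpack("!H", packet[:2])[0]
    name, offset = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    question = packet[12:offset + 4]
    if is_sinkholed(name):
        ip = SINKHOLE_IP
        # The log is the operational value of a sinkhole: it identifies infected clients.
        log.append({"time": datetime.now(timezone.utc).isoformat(),
                    "client": client, "qname": name})
    else:
        ip = UPSTREAM.get(name)
    if ip is None or qtype != 1:
        # Reply NXDOMAIN (QR, RD, RA set; RCODE=3) for names we cannot answer.
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # one answer
    # Answer name is a compression pointer to the question name at offset 12 (0xC00C).
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def answered_ip(response):
    """Extract the A record from a response built by answer_query, or None on NXDOMAIN."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, offset = decode_name(response, 12)
    offset += 4            # skip QTYPE/QCLASS
    offset += 2 + 2 + 2 + 4 + 2  # pointer, TYPE, CLASS, TTL, RDLENGTH
    return socket.inet_ntoa(response[offset:offset + 4])


if __name__ == "__main__":
    hits = []
    for qname, client in [("www.c2.example", "198.51.100.7"),
                          ("www.example.org", "198.51.100.8")]:
        resp = answer_query(build_query(qname), client, hits)
        print(qname, "->", answered_ip(resp))
    print("sinkhole log:", hits)
```

In a deployment the log entries are what matter: each hit names a client that still carries the infection, which is how a sinkhole turns a takedown into a victim-notification list.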

New Global Models Against Cyber Crime

With the war in Ukraine, the global risks of cyber crime have never been higher. At the top of the agenda are threats to critical infrastructure. However, attacks on hospitals, local governments and companies cause trouble at every level, even threatening to disrupt macroeconomic stability.

For this reason, many political and business leaders are calling for new paradigms to stem the rising tide of attacks. Some strategies include:

  • More unified diplomatic efforts and agreements to combat cyber crime
  • Continued and increased collaboration to create strong public-private partnerships
  • Strengthening actions of law enforcement and accountability
  • International, multinational efforts to hold rogue nations accountable.

Hit Them Where It Hurts

While DNSChanger and Operation Ghost Click were historic in their scope, it took years before action was taken against the cyber actors. The result was a physical raid and arrests.

Still, other methods, like the at-a-distance disruption of EMOTET may become more common — that is, hacking the hackers. Also, sanctioning affiliated entities could stem the tide of attacks. During the takedown of Hydra, the world’s largest darknet marketplace, part of the operation included sanctioning over 100 virtual currency addresses used to conduct illicit transactions.

Protection Against DNS Hijacking

Some steps organizations can take to prevent DNS hijacking include:

  1. DNS flushing: Regularly clearing your DNS cache will remove all entries on your local system. This can delete any invalid or compromised DNS records that could direct you to malicious sites.
  2. nslookup: This is a command-line tool that administrators can use to find the IP address of a given hostname. Comparing the result with the expected address helps confirm a website’s validity and spot phishing redirects.
  3. DNS leak test: When you use secure VPNs or privacy services, you may find they are poorly configured and the default DNS servers are still being used. This means anyone monitoring network traffic can log your activity for malicious purposes. Running a DNS leak test confirms that DNS queries actually travel through the VPN tunnel rather than to an outside resolver.
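The checks in steps 2 and 3, together with the DNSChanger behaviour described earlier (a Trojan silently rewriting the host’s DNS settings), can be automated. The following is an added example written for this article, not a tool from the FBI, ISC or any VPN vendor: it parses a resolver configuration, flags nameservers outside an approved list (the DNSChanger symptom), flags resolvers outside the VPN’s address ranges (the leak test), and cross-checks a hostname’s answer against a trusted resolver in the spirit of nslookup. The configuration text, the approved resolver list, the VPN ranges and the lookup results are all constructed for the example.

```python
import ipaddress

# Constructed allow-list of resolvers the organization expects hosts to use (hypothetical).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Constructed address ranges belonging to the VPN provider's resolvers (hypothetical).
VPN_RESOLVER_NETS = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed /etc/resolv.conf: the second nameserver is a stand-in for a rogue resolver.
SAMPLE_RESOLV_CONF = """\
# constructed example, not a real host's configuration
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.7   # not on the approved list and outside the VPN ranges
options timeout:2
"""

# Constructed lookup results, as if collected with nslookup against two resolvers.
CONFIGURED_ANSWERS = {"bank.example": ["198.51.100.5"]}   # rogue resolver's answer
TRUSTED_ANSWERS = {"bank.example": ["192.0.2.44"]}        # known-good resolver's answer


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("nameserver"):
            parts = line.split()
            if len(parts) >= 2:
                servers.append(parts[1])
    return servers


def audit_resolvers(servers, approved=APPROVED_RESOLVERS):
    """Resolvers not on the approved list: the signature of a DNSChanger-style modification."""
    return [s for s in servers if s not in approved]


def detect_leak(servers, vpn_nets=VPN_RESOLVER_NETS):
    """Resolvers outside the VPN provider's ranges: queries to them bypass the tunnel."""
    leaking = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            leaking.append(s)   # unparsable entry is reported rather than silently skipped
            continue
        if not any(addr in net for net in vpn_nets):
            leaking.append(s)
    return leaking


def compare_resolution(hostname, configured=CONFIGURED_ANSWERS, trusted=TRUSTED_ANSWERS):
    """nslookup-style cross-check: does the configured resolver agree with a trusted one?"""
    a = set(configured.get(hostname, []))
    b = set(trusted.get(hostname, []))
    return {
        "hostname": hostname,
        "configured": sorted(a),
        "trusted": sorted(b),
        # Only report a mismatch when both sides answered; an empty answer is a separate problem.
        "mismatch": bool(a) and bool(b) and a.isdisjoint(b),
    }


def run_checks(resolv_text=SAMPLE_RESOLV_CONF, hostname="bank.example"):
    """Run all three checks and return the findings as one report."""
    servers = parse_resolv_conf(resolv_text)
    return {
        "servers": servers,
        "unapproved": audit_resolvers(servers),
        "leaking": detect_leak(servers),
        "resolution": compare_resolution(hostname),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

A disjoint answer set is used rather than strict equality because large sites legitimately return different A records from different resolvers; an answer set that shares no address with the trusted resolver is the signal worth investigating. Flushing the cache (step 1) is a one-line command outside this script, such as `ipconfig /flushdns` on Windows or `resolvectl flush-caches` on systemd-resolved hosts.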

Looking Forward

New strategies and cultural shifts will be required to face growing international cyber threats. At a minimum, this includes individual responsibility coupled with strong alliances, tactics and policies. Only a united front will keep attackers at bay.
