November 14, 2022 By Mike Elgan 3 min read

On the morning of July 9, 2012, the world braced for an “internet doomsday”: a full-scale crash of the global internet.

Except it didn’t happen. And that non-event represented the culmination of a long and successful coordinated action taken between a huge number of organizations, spearheaded by the FBI.

It was one of the most remarkable operations in the history of cyber crime, and it led to lasting changes in how professionals think about and defend against malicious cyberattacks.

Operation Ghost Click

The story began in 2007 when an unethical Estonia-based spam advertising company called Rove Digital started to use a new trojan malware called DNSChanger, which went on to infect more than four million computers in over 100 countries. Some half a million systems were infected in the United States alone. The drive-by malware was falsely presented to users as a codec required to watch videos but was, in fact, the DNSChanger trojan. DNSChanger infected systems at the boot sector level, making it hard to remove.

The malware changed computers’ DNS entries to point to Rove Digital’s own rogue name servers, where advertising was injected onto web pages and personal information was stolen. In some cases, DNSChanger also had the self-defense mechanism of blocking operating systems and anti-virus software from updating.

The perpetrators reportedly got $14 million from their scheme.

What happened next was astonishing. The FBI launched a two-year operation called Operation Ghost Click, coordinating the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, the National High Tech Crime Unit of the Dutch National Police Agency, cybersecurity and technology specialists from Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, the University of Alabama at Birmingham and members of an ad hoc group of subject matter experts known as the DNSChanger Working Group (DCWG).

Preventing “internet doomsday”

After the investigation, on November 8, 2011, six Estonians were arrested, extradited to the United States and charged with participation in an Internet fraud ring. A seventh alleged conspirator, who is Russian, remained at large but was also charged with a wide range of crimes and placed on the FBI’s Cyber Most Wanted list. Their servers were seized and replaced with two new servers.

But the FBI did not remove the DNSChanger malware, which would disrupt the internet access of the many victims. Instead, they headed a widespread initiative, working with ISPs and others, to enable victims to safely remove the malware from their computer systems.

The FBI set up an office for victim assistance, with a hotline to call and a wide range of resources for understanding and remediating the effects of the DNSChanger malware.

Authorities also froze the criminals’ bank accounts and seized hard drives from more than 100 rogue servers in New York and Chicago data centers suspected of being part of the group’s command and control infrastructure.

Estimates suggest that the initiative was successful in an overwhelming number of instances, with just 41,800 systems still affected when the FBI pulled the plug on their servers.

That day, called “Internet Doomsday,” was Monday, July 9, 2012. But due to the combined efforts of Operation Ghost Click, doomsday was averted. No catastrophe took place.

In the end, the entire operation was one of the most successful law enforcement operations in the history of cyber crime.

How Operation Ghost Click changed cybersecurity

The entire operation was a success and changed how law enforcement approaches cyber crimes. Specifically, the operation taught them:

  • The power of law enforcement cooperation. Cyber crime tends to be international. Working with international police, sharing resources and coordinating efforts can prevent some criminals from finding safe havens abroad. Of course, this idea only goes so far, especially when rogue states protect cyber criminals. But to the greatest extent possible, cooperation is key.
  • The power of partnering with cybersecurity specialists at universities and security firms. Law enforcement agencies like the FBI have cybersecurity experts. But by bringing top experts wherever they are, including among the cyber crime victims (NASA, for example, was a major DNSChanger victim, and also partnered in the law enforcement operation), the cyber criminals can be truly outsmarted.
  • The value in creating ad hoc working groups (in this case, the DCWG). It’s a great idea to cobble together expert volunteers to deeply study specific, particularly dangerous malware, then share their findings with law enforcement.
  • Taking a broad view of cyber crime law enforcement. The FBI’s mission is to investigate crimes, not to commission DNS servers or maintain and publicize cybersecurity protection resources. But the entire operation was characterized by creative thinking and unusual actions, such as the decision to take over and replace DNS servers run by the criminals and keep them running until most victims could remove the malware.

A decade ago, the whole Operation Ghost Click, DNSChanger and “internet doomsday” event shocked and fascinated the internet and cybersecurity communities. Today it represents a textbook case on how to investigate, prosecute and, most importantly, protect the public from international cyber crime.

More from Risk Management

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today