On the morning of July 9, 2012, the world braced for an “internet doomsday”: a full-scale crash of the global internet.

Except it didn’t happen. And that non-event was the culmination of a long and successful coordinated effort by a huge number of organizations, spearheaded by the FBI.

It was one of the most remarkable operations in the history of cyber crime, and it led to lasting changes in how professionals think about and defend against malicious cyberattacks.

Operation Ghost Click

The story began in 2007, when Rove Digital, an Estonia-based company running a fraudulent online advertising business, began distributing a new trojan called DNSChanger. It went on to infect more than four million computers in over 100 countries, roughly half a million of them in the United States. The malware was typically offered to users as a codec supposedly required to watch a video; what they actually installed was the DNSChanger trojan. Some variants installed rootkit components, making the infection hard to remove.

The malware rewrote the infected machine’s DNS settings so that every name lookup went to Rove Digital’s own rogue name servers. Controlling name resolution let the gang send victims wherever it chose: advertising was injected into web pages, clicks and search results were redirected, and personal information was stolen. DNSChanger could also change the DNS settings of home and small-office routers that still used default credentials, so a single infection could hijack an entire network. As a self-defense measure, the rogue resolvers could also prevent operating systems and anti-virus products from reaching their update servers.
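The practical check the DNSChanger Working Group offered victims was to look at which resolvers a machine was configured to use and compare them against the rogue address ranges. The script below is an added example written for this page, not code from the FBI or the DCWG: it parses resolver settings from resolv.conf-style text or from `ipconfig /all` output and flags any address inside the rogue ranges the FBI published for DNSChanger. The sample inputs are constructed, and the range list should be verified against the DCWG’s published list before it is used for anything beyond illustration.

```python
import ipaddress
import re

# Address ranges the FBI published in 2011/2012 as belonging to the DNSChanger
# rogue resolvers, as (first address, last address) pairs. Verify against the
# DCWG's list before relying on this for anything but illustration.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Expand each range into the minimal set of CIDR networks that covers it,
# so membership tests are plain network containment checks.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
]


def is_rogue_resolver(ip: str) -> bool:
    """True if the resolver address falls inside a known rogue range."""
    addr = ipaddress.ip_address(ip)
    # An IPv6 address is never contained in an IPv4 network, so this is safe
    # for both address families.
    return any(addr in net for net in ROGUE_NETWORKS)


def resolvers_from_resolv_conf(text: str) -> list:
    """Extract resolver addresses from /etc/resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass                           # ignore malformed entries
    return servers


_IPCONFIG_DNS = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
_IPCONFIG_CONT = re.compile(r"^\s+(\S+)\s*$")


def resolvers_from_ipconfig(text: str) -> list:
    """Extract resolver addresses from `ipconfig /all` output (Windows).

    Windows lists additional resolvers on indented continuation lines below
    the 'DNS Servers' line, so lines are consumed until one that is not a
    bare indented address.
    """
    found = []
    in_dns_block = False
    for raw in text.splitlines():
        m = _IPCONFIG_DNS.search(raw)
        if m:
            found.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            c = _IPCONFIG_CONT.match(raw)
            if c:
                found.append(c.group(1))
                continue
            in_dns_block = False
    servers = []
    for s in found:
        try:
            servers.append(str(ipaddress.ip_address(s)))
        except ValueError:
            pass                               # skip non-address tokens
    return servers


def audit_resolvers(servers) -> dict:
    """Map each configured resolver to whether it is a known rogue address."""
    return {s: is_rogue_resolver(s) for s in servers}


# Constructed sample inputs (not real captures): one resolver inside a rogue
# range next to a legitimate public resolver, and a Windows block with an
# IPv6 continuation line.
SAMPLE_RESOLV_CONF = """\
# Generated by the resolver setup script
nameserver 85.255.112.36
nameserver 8.8.8.8
search example.internal
"""

SAMPLE_IPCONFIG = """\
   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 93.188.161.50
                                       fe80::1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for label, servers in (
        ("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
        ("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG)),
    ):
        for server, rogue in audit_resolvers(servers).items():
            print(f"{label}: {server} -> {'ROGUE' if rogue else 'ok'}")
```

Because DNSChanger could also rewrite a router’s DNS settings, a clean resolv.conf on the host is not proof of a clean network: the same check should be run against the resolvers the router hands out over DHCP, which is what the DCWG’s web-based check effectively did by observing which resolver actually answered.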

The perpetrators reportedly got $14 million from their scheme.

What happened next was remarkable. The FBI launched a two-year investigation called Operation Ghost Click, bringing together NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, the National High Tech Crime Unit of the Dutch National Police Agency, cybersecurity and technology specialists from the Georgia Institute of Technology, Internet Systems Consortium, Mandiant, the National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro and the University of Alabama at Birmingham, and members of an ad hoc group of subject matter experts known as the DNSChanger Working Group (DCWG).

Preventing “Internet Doomsday”

After the investigation, on November 8, 2011, six Estonians were arrested, extradited to the United States and charged with participation in an Internet fraud ring. A seventh alleged conspirator, a Russian national, remained at large but was also charged with a wide range of crimes and placed on the FBI’s Cyber Most Wanted list. The rogue name servers were seized and, under a court order, replaced with two clean servers operated by the Internet Systems Consortium at the same addresses, so that infected machines kept resolving names.

But the FBI could not simply remove DNSChanger from victims’ machines, and switching the rogue resolvers off would have cut off name resolution, and with it internet access, for every computer still pointed at them. Instead, the FBI headed a widespread initiative, working with ISPs and others, to enable victims to safely remove the malware from their own systems.

The FBI set up an office for victim assistance, with a hotline to call and a wide range of resources for understanding and remediating the effects of the DNSChanger malware.

Authorities also froze the criminals’ bank accounts and seized hard drives from more than 100 rogue servers in New York and Chicago data centers suspected of being part of the group’s command and control infrastructure.

Estimates suggest that the initiative succeeded in the overwhelming majority of cases, with just 41,800 systems still affected when the replacement servers were finally shut down.

That day, called “Internet Doomsday,” was Monday, July 9, 2012. But due to the combined efforts of Operation Ghost Click, doomsday was averted. No catastrophe took place.

In the end, the entire operation was one of the most successful law enforcement operations in the history of cyber crime.

How Operation Ghost Click Changed Cybersecurity

The entire operation was a success and changed how law enforcement approaches cyber crimes. Specifically, the operation taught them:

  • The power of law enforcement cooperation. Cyber crime tends to be international. Working with international police, sharing resources and coordinating efforts can prevent some criminals from finding safe havens abroad. Of course, this idea only goes so far, especially when rogue states protect cyber criminals. But to the greatest extent possible, cooperation is key.
  • The power of partnering with cybersecurity specialists at universities and security firms. Law enforcement agencies like the FBI have their own cybersecurity experts, but bringing in top specialists wherever they are found, including among the victims (NASA, for example, was a major DNSChanger victim and also a partner in the operation), gives investigators a real edge over the criminals.
  • The value in creating ad hoc working groups (in this case, the DCWG). It’s a great idea to cobble together expert volunteers to deeply study specific, particularly dangerous malware, then share their findings with law enforcement.
  • Taking a broad view of cyber crime law enforcement. The FBI’s mission is to investigate crimes, not to commission DNS servers or maintain and publicize cybersecurity protection resources. But the entire operation was characterized by creative thinking and unusual actions, such as the decision to take over and replace DNS servers run by the criminals and keep them running until most victims could remove the malware.

A decade ago, the whole Operation Ghost Click, DNSChanger and “internet doomsday” event shocked and fascinated the internet and cybersecurity communities. Today it represents a textbook case on how to investigate, prosecute and, most importantly, protect the public from international cyber crime.
