On the morning of July 9, 2012, the world braced for an “internet doomsday”: a full-scale crash of the global internet.

Except it didn’t happen. And that non-event represented the culmination of a long and successful coordinated action taken between a huge number of organizations, spearheaded by the FBI.

It was one of the most remarkable operations in the history of cyber crime, and it led to lasting changes in how professionals think about and defend against malicious cyberattacks.

Operation Ghost Click

The story began in 2007 when an unethical Estonia-based spam advertising company called Rove Digital started to use a new trojan malware called DNSChanger, which went on to infect more than four million computers in over 100 countries. Some half a million systems were infected in the United States alone. The trojan was distributed as drive-by malware, presented to users as a codec supposedly required to watch videos. DNSChanger infected systems at the boot sector level, making it hard to remove.

The malware changed computers’ DNS entries to point to Rove Digital’s own rogue name servers, where advertising was injected onto web pages and personal information was stolen. In some cases, DNSChanger also defended itself by blocking operating systems and anti-virus software from updating.
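Because the infection worked by rewriting the resolver settings, the practical check for a victim was to compare the configured DNS servers against the ranges used by the rogue name servers. The script below is an added example of that check, not code from the original article or from the DCWG; it parses resolv.conf-style configuration and flags any resolver that falls inside a list of bad networks. The two networks it uses are constructed placeholders from the documentation address space, standing in for the real rogue ranges that the page does not list.

```python
import ipaddress

# Constructed placeholder ranges standing in for the rogue resolver
# networks that were published at the time; they are NOT the real
# DNSChanger ranges. A defender would substitute the published list.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1, placeholder
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, placeholder
]


def parse_nameservers(resolv_conf: str) -> list:
    """Return the resolver addresses from resolv.conf-style text.

    Comments (# or ;) and non-nameserver directives are skipped, and a
    value that is not a valid IP address is ignored rather than raising.
    """
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "nameserver" or len(parts) < 2:
            continue
        try:
            servers.append(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # malformed address, not a resolver we can evaluate
    return servers


def flag_rogue_resolvers(servers, rogue_ranges=ROGUE_RESOLVER_RANGES) -> list:
    """Return the configured resolvers that sit inside a known-bad network.

    ip_network.__contains__ returns False across address families, so an
    IPv6 resolver is never matched against an IPv4 range by accident.
    """
    return [str(s) for s in servers if any(s in net for net in rogue_ranges)]


# Constructed sample configuration: one resolver inside a placeholder
# rogue range, one IPv6 resolver, one clean IPv4 resolver, plus noise.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolver configuration
nameserver 192.0.2.53      # inside a placeholder rogue range
nameserver 2001:db8::1     ; documentation prefix, not flagged
nameserver 203.0.113.9
search example.invalid
nameserver not-an-address
"""


def audit_sample() -> list:
    """Run the check over the constructed sample and return flagged resolvers."""
    return flag_rogue_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF))


if __name__ == "__main__":
    flagged = audit_sample()
    if flagged:
        print("Resolvers pointing at known-rogue ranges:", ", ".join(flagged))
    else:
        print("No configured resolver falls inside a known-rogue range.")
```

On a live system the same logic applies to whatever the platform stores as its resolver list (the contents of /etc/resolv.conf on Unix-like hosts, or the adapter DNS settings on Windows); the parsing is the only part that changes, and the comparison against the published ranges stays the same.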

The perpetrators reportedly got $14 million from their scheme.

What happened next was astonishing. The FBI launched a two-year operation called Operation Ghost Click, coordinating the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, the National High Tech Crime Unit of the Dutch National Police Agency, cybersecurity and technology specialists from Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, the University of Alabama at Birmingham and members of an ad hoc group of subject matter experts known as the DNSChanger Working Group (DCWG).

Preventing “Internet Doomsday”

After the investigation, on November 8, 2011, six Estonians were arrested, extradited to the United States and charged with participation in an Internet fraud ring. A seventh alleged conspirator, who is Russian, remained at large but was also charged with a wide range of crimes and placed on the FBI’s Cyber Most Wanted list. Their servers were seized and replaced with two new servers.

But the FBI did not simply cut off the rogue servers; with the DNSChanger malware still in place, that would have disrupted the internet access of the many victims. Instead, they headed a widespread initiative, working with ISPs and others, to enable victims to safely remove the malware from their computer systems.

The FBI set up an office for victim assistance, with a hotline to call and a wide range of resources for understanding and remediating the effects of the DNSChanger malware.

Authorities also froze the criminals’ bank accounts and seized hard drives from more than 100 rogue servers in New York and Chicago data centers suspected of being part of the group’s command and control infrastructure.

Estimates suggest that the initiative was successful in the overwhelming majority of cases, with just 41,800 systems still affected when the FBI pulled the plug on the replacement servers.

That day, called “Internet Doomsday,” was Monday, July 9, 2012. But due to the combined efforts of Operation Ghost Click, doomsday was averted. No catastrophe took place.

In the end, the entire operation was one of the most successful law enforcement operations in the history of cyber crime.

How Operation Ghost Click Changed Cybersecurity

The entire operation was a success and changed how law enforcement approaches cyber crimes. Specifically, the operation taught them:

  • The power of law enforcement cooperation. Cyber crime tends to be international. Working with international police, sharing resources and coordinating efforts can prevent some criminals from finding safe havens abroad. Of course, this idea only goes so far, especially when rogue states protect cyber criminals. But to the greatest extent possible, cooperation is key.
  • The power of partnering with cybersecurity specialists at universities and security firms. Law enforcement agencies like the FBI have cybersecurity experts of their own. But by bringing in top experts wherever they are found, including among the cyber crime victims (NASA, for example, was a major DNSChanger victim and also partnered in the law enforcement operation), the cyber criminals can be truly outsmarted.
  • The value in creating ad hoc working groups (in this case, the DCWG). It’s a great idea to cobble together expert volunteers to deeply study specific, particularly dangerous malware, then share their findings with law enforcement.
  • Taking a broad view of cyber crime law enforcement. The FBI’s mission is to investigate crimes, not to commission DNS servers or maintain and publicize cybersecurity protection resources. But the entire operation was characterized by creative thinking and unusual actions, such as the decision to take over and replace DNS servers run by the criminals and keep them running until most victims could remove the malware.

A decade ago, the whole Operation Ghost Click, DNSChanger and “internet doomsday” event shocked and fascinated the internet and cybersecurity communities. Today it represents a textbook case on how to investigate, prosecute and, most importantly, protect the public from international cyber crime.
