In one of the more curious cybercrime announcements of recent times, Interpol’s Asian centre says it has “identified” 8,800 servers used as command & control (C2) for all sorts of bad things including DDoS attacks and distributing ransomware and spam.
You read that correctly. Interpol hasn’t disrupted these servers, merely passed information on their whereabouts and malevolent purpose to police forces in eight countries, including Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam.
The operation isolated the C2 by working back from 270 websites infected with malware, assisted by intelligence and know-how from a number of cybersecurity companies.
Among them were several government websites which may have contained personal data of their citizens.
Individual criminals were also identified in Nigeria and Indonesia, which hints that arrests might be forthcoming.
It sounds like a modest achievement until you remember that Asia is a favoured geography for malware hosting infrastructure (including servers used to attack other parts of the globe) but, historically, underwhelming levels of cross-border co-operation.
If action at national level in the countries affected eventually sees the servers disappear forever, it’s not something to be sniffed at.
The bigger picture is that Interpol’s Global Complex for Innovation (IGCI), opened in Singapore in 2015, is signalling that it’s up and running and able to make a difference – however emblematic.
Cybercrime can be mitigated by technology, of course, but few doubt importance of going after it at the roots, both the servers and the people who run and profit from them.
It’s a massive challenge because these people can base themselves anywhere in the world, and introducing legal hazard into their lives requires the sort of co-operation police forces and governments aren’t used to.
Founded as long ago as 1923 as the International Criminal Police Commission (ICPC), Interpol is turning out to be a useful tool in the battle against cybercrime.
Cybersecurity companies like it because its regional centres act as an independent broker that allows them to put aside commercial considerations. Police forces value it because it means they can have a relationship with one centre instead of possibly dozens of national operations.
But its biggest significance is it gets the private and public sectors to work together, the former with intel and the latter with legal authority.
Recent Interpol cybercrime operations have included disrupting the Avalanche botnet late last year, and the takedown of the Simda botnet two years ago. Between times were the arrests of individuals accused of being behind the infamous DD4BC DDoS extortion racket, and a global operation across Interpol’s divisions to rid the world of the one-million strong Dorkbot botnet.
Only days ago, Europol’s European Cybercrime Centre (EC3) announced it had coordinated an operation between UK and Spanish police that saw the arrest of five people accused of distributing Remote Access Trojans (RATs) and keyloggers.
We should interpret the identification of 8,800 C2 servers as good PR for Interpol but also, to quote Interpol’s chief superintendent Chan, “a blueprint for future operations”.