Dismantling one of the world's most insidious computer viruses required complex and fast-paced tactics that will be the blueprint for U.S. law enforcement's future cyberbattles.
By the time authorities claimed victory over Gameover Zeus last week, they had reverse-engineered how the virus communicated, seized command-and-control servers overseas and engaged in cyber battle with the hackers to keep them from re-establishing contact with their fast evaporating network.
“This was the most sophisticated hacking disruption we have attempted to date,” said Leslie Caldwell, the assistant attorney general in charge of the U.S. Justice Department’s criminal division. “It was a hand-to-hand combat type of situation.”
The takedown of Gameover Zeus illustrates how U.S. law enforcement is adapting to the threat of increasingly sophisticated cyber crime. Slapping handcuffs on a hacker and seizing his or her computers is no longer enough. In this case, the virus -- which the FBI said had been used to siphon more than $100 million from U.S. consumers and businesses over three years -- was designed to survive such disruptions.
FBI officials said confronting such a network would have been difficult, if not impossible, a few years ago because the bureau didn’t have the technical expertise or the manpower to address it.
The operation was successful, in part, FBI officials said, because the bureau has shifted the way it approaches global cyber crime by boosting the number of agents trained in cyber security, deploying them more widely and by working more closely with experts in private industry.
Computer crimes cut “across every responsibility the FBI has,” Director James Comey testified last month before Congress. “The challenge we face with cyber is that it blows away normal concepts of time and space and venue, and requires us to shrink the world just the way the bad guys have.”
Stopping the hacker behind Gameover Zeus wasn’t enough. While federal prosecutors in May charged a 30-year-old Russian programmer named Evgeniy Bogachev in the case, they still had to kill the virus.
FBI agents in Pittsburgh, Omaha and Washington spearheaded the investigation. The bureau was joined by law enforcement officials in Canada, Britain, Ukraine, the Netherlands and Luxembourg in the final assaults on nefarious servers.
Consultants at private companies including CrowdStrike Inc., Dell Corp.’s SecureWorks, Microsoft Corp. (MSFT), McAfee Inc., and Symantec Corp. (SYMC) were joined by specialists from Carnegie Mellon University and Georgia Tech, who provided key technical assistance.
It was “the largest fusion of law enforcement and industry partner cooperation ever undertaken in support of an FBI cyber operation,” Robert Anderson Jr., an executive assistant director at the bureau, said.
A variant of a virus first detected in 2007 that operated in a fairly standard fashion by infecting a computer and then communicating with a server controlled by hackers, Gameover Zeus operated like a hydra. According to federal authorities, it was controlled by a tightly knit group based primarily in Russia and Ukraine.
Once a computer was infected, often after its user clicked on a malicious link or e-mail attachment, it became a “bot” and started communicating with other infected computers as part of a “botnet.” While communicating with each other, the bots also passed along stolen banking information to servers that relayed that data to the hackers.
The hackers committed their cyber burglary by exploiting the security hole bored by Gameover Zeus. When they determined the time was right, the hackers transfered funds from compromised bank accounts -- frequently in excess of $1 million -- through third parties known as “money mules.”
The virus was particularly insidious because it was designed to survive attacks. If authorities separately captured a bunch of bots, relay servers or even the hacker’s main computers, the rest of the system could keep operating until communication was re-established.
The FBI estimated that Gameover Zeus eventually infected as many as 1 million computers, about 250,000 in the U.S., and had access to financial accounts that held about $2 billion.
While Gameover Zeus mostly targeted computers operated by businesses, it was delivering a malware instrument called Cryptolocker that hit individuals, too. The virus encrypted a computer’s files and then demanded a fee, sometimes as much as $700, to release the documents, pictures or other personal information it was holding for ransom.
The operation to defeat it had to be carried out faster than the hackers could react. In court papers, the FBI said the hackers were capable of taking “simple, rapid steps to blunt or defeat the Government’s planned disruption.”
The first part of the operation took place in secret -- in government and private computer labs -- as engineers figured out ways to stop the bots from communicating with each other and then finding a way to block its failsafe mode.
“We reverse engineered the malware,” said Adam Meyers, vice president of intelligence for CrowdStrike, a cyber security firm based in Laguna Niguel, California. “We found a way to prevent the adversary from putting in new commands to that network. Instead of talking to the hackers, they were talking to us.”
After additional testing ensured the technical phase would work, the consultants and U.S. law enforcement officials were ready to start seizing computers and servers in the network.
The first were command and control servers in the Ukrainian cities of Kiev and Donetsk on May 7. Although U.S. agents wanted to hit those servers closer to the start of the main operation on May 29, they decided they didn’t have a choice because the turmoil in Ukraine meant access couldn’t be guaranteed, according to two senior U.S. law enforcement officials who asked for anonymity because they were not permitted to talk about active investigations.
The FBI and consultants next examined the seized computers and learned more about how Gameover Zeus operated, and they tweaked their technical techniques to disrupt the network, the officials said.
Within days, Justice Department prosecutors and federal agents were on the phone with representatives of major Internet service providers and domain registries, alerting them to a pending court order that would require them to block infected computers from communicating with the hackers in Russia.
On May 19, federal prosecutors filed charges against Bogachev. Nine days after that, prosecutors obtained a court order in the U.S. permitting the government to redirect malware communications from the infected computers to its own servers. The order also allowed the government to gather information on what computers had been infected and to pass that information along to companies that could alert the victims.
To ensure Bogachev couldn’t take steps to save his network, the operation was carried out in secret.
Starting on Friday, May 30, law enforcement officials began what they described as fast-paced weekend of coordinated seizures of computers around the globe. They hit servers in Canada, France, Germany, Luxembourg, Ukraine and the U.K. As they took down the servers, the hackers caught on to what was transpiring and unsuccessfully tried to reclaim their bots through new servers and other methods, which the FBI and cyber experts blocked on the fly.
The weekend-long cyber duel freed more than 300,000 computers from the botnet, said Justice Department officials, who added they were working with Russian authorities to arrest and extradite Bogachev. They conceded that he and other hackers could still start over. Even so, the officials said, authorities had delivered a financial blow to the hackers’ enterprise -- severing them from $2 billion just waiting to be stolen.