
There Is a Mysterious New Hacker Group in Ukrainian Cyberspace

Wired: https://www.wired.com/story/red-stinger-russia-ukraine-apt/

FBI Takes Down 13 Cyberattack-for-Hire Services, the Latest Win for the Big Pipes Group Born From the Game Over Zeus Case

When the FBI announced the takedown of 13 cyberattack-for-hire services yesterday, it may have seemed like just another day in law enforcement’s cat-and-mouse game with a criminal industry that has long plagued the internet’s infrastructure, bombarding victims with relentless waves of junk internet traffic to knock them offline. In fact, it was the latest win for a discreet group of detectives that has quietly worked behind the scenes for nearly a decade with the goal of ending that plague for good.

Yesterday’s takedowns, just four months after Operation Power Off, suggest the operations resulting from the group’s work may be accelerating. Richard Clayton, one of the group’s longest-standing members, warns that Big Pipes is still hunting the booters that remain online. “We’re hoping that some of the people who were not taken down in this round get the message that perhaps it’s time they retired,” says Clayton. “If you weren’t seized this time, you might conclude you’ve pushed up your chance of being investigated. You might not want to wait and see what happens.”

Allison Nixon came up with the idea for Big Pipes when she met Peterson, the FBI agent who had worked on the Game Over Zeus case. Nixon suggested to Peterson that they collaborate to take on the growing problem of booter services: At the time—and still today—hackers were wreaking havoc by launching ever-larger DDoS attacks across the internet for nihilistic fun, petty revenge, and profit, increasingly selling their attacks as a service.

In some cases, attackers would use botnets of thousands of malware-infected computers. In others, they’d use “reflection” or “amplification” attacks, abusing servers run by legitimate online services that could be tricked into sending large volumes of traffic to an IP address of the attackers’ choosing. A subscription to a booter service can cost as little as $20, and it’s usually used to knock rivals’ home connections offline. These DDoS techniques have caused serious damage to the internet service providers that had to absorb the floods of traffic. In some cases, DDoS attacks aimed at a single target could take down entire neighborhoods’ internet connections; disrupt emergency services; or, in one particularly gruesome case, break automated systems at a chicken farm, killing thousands of birds.

Malwarebytes attributes five operations between 2020 and the present to the group, which it has dubbed Red Stinger, though the researchers only have insights into two of the campaigns conducted in the past year. The group’s motives and allegiance aren’t yet clear, but the digital campaigns are noteworthy for their persistence, aggressiveness, and lack of ties to other known actors.

The campaign that Malwarebytes calls “Operation Four” was aimed at a member of the Ukrainian military and at other individuals of less obvious intelligence value. During this campaign, attackers compromised victims’ devices to exfiltrate screenshots and documents, and even recorded audio from their microphones. In Operation Five, the group targeted election officials who had run Russian referendums in disputed cities in Ukraine. One target was an adviser to Russia’s Central Election Commission, and another works on transportation—possibly railroad infrastructure—in the region.

“The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns,” Kaspersky researchers wrote.

“It’s happened in the past with different attackers that they infect themselves,” Santos says. “I think they just got lazy because they were undetected since 2020.”
