An international operation to disrupt the Emotet malware infrastructure has been successful. It was coordinated by Europol and Eurojust and involved law enforcement from the US (FBI), UK (NCA), Netherlands, Germany, France, Lithuania and Ukraine.
The operation saw the infrastructure disrupted from the inside as law enforcement gained access to servers. According to Europol: “To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy. It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside.
“The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”
What will be interesting is how long Emotet will be down. Similar claims were made in October when a Microsoft-led group took down TrickBot. It was up and launching a raft of new attacks within six weeks.
What is Emotet?
Emotet started life as a banking trojan in 2014. It has since transitioned and expanded as any successful business does. The word business is apt. What was once a piece of malware focused on capturing login details for banking has become the centre of a cybercrime network.
Emotet's success has come from the services it provides to other cybercriminals. It rents out its infrastructure to allow others to launch ransomware and deliver other malware payloads while, at the same time, continuing to expand and launch its own attacks.
Its ability to build out its botnets has come with other benefits. It has built a vast database of user credentials. That gives it the ability to build user profiles that quickly detect where people are reusing credentials. Alongside that, it has harvested a lot of PII, which allows it to deliver more focused attacks.
In a recent podcast, Matt Lock, Technical Director of Varonis, says that one of the reasons Emotet has been successful is its use of thread hijacking. “One of the techniques we’ve seen that’s been very successful of late is thread hijacking. This is where they’re sending emails that appear to be replies to an email thread that an employee or maybe just a home user has been having with somebody else. It’s very easy to trick somebody into thinking this is perfectly legitimate. This is enabling them to bypass a lot of protection that’s in place at the moment.”
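The thread hijacking described above can be screened for at the mail gateway. The following is an added example, not code from the article or from Varonis, that indexes a legitimate thread by Message-ID and then flags incoming "replies" whose sender never took part in the referenced thread, or that carry a reply-style subject with no In-Reply-To header at all. All addresses and message IDs are constructed; the heuristic will not catch a reply sent from a genuinely compromised mailbox of a real participant.

```python
"""Heuristic screen for reply-thread hijacking (constructed example)."""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample thread: Alice mails Bob, and Bob's real reply follows.
ORIGINAL = ("From: alice@corp.example\nTo: bob@partner.example\n"
            "Subject: Q1 invoice\nMessage-ID: <abc123@corp.example>\n\n"
            "Invoice attached.\n")
LEGIT_REPLY = ("From: bob@partner.example\nTo: alice@corp.example\n"
               "Subject: Re: Q1 invoice\nIn-Reply-To: <abc123@corp.example>\n\n"
               "Thanks, looks good.\n")
# A hijacked reply: correct subject and In-Reply-To, but a stranger as sender.
HIJACKED = ("From: bob.partner@lookalike.example\nTo: alice@corp.example\n"
            "Subject: Re: Q1 invoice\nIn-Reply-To: <abc123@corp.example>\n\n"
            "Please see attached.\n")
# A fake reply: "RE:" subject with no threading header at all.
FAKE_REPLY = ("From: someone@random.example\nTo: alice@corp.example\n"
              "Subject: RE: Q1 invoice\n\nSee attached.\n")


def participants(msg):
    """All addresses on From/To/Cc, lower-cased."""
    hdrs = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}


def index_thread(raw, store):
    """Record who took part in a message we have seen, keyed by Message-ID."""
    msg = message_from_string(raw)
    store.setdefault(msg["Message-ID"].strip(), set()).update(participants(msg))


def classify_reply(raw, store):
    """Return a reason string if the message looks like a hijacked reply, else None."""
    msg = message_from_string(raw)
    senders = [a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a]
    sender = senders[0] if senders else ""
    in_reply_to = (msg.get("In-Reply-To") or "").strip()
    if msg.get("Subject", "").lower().startswith(("re:", "fw:", "fwd:")) and not in_reply_to:
        return "reply-style subject without In-Reply-To header"
    if in_reply_to:
        known = store.get(in_reply_to)
        if known is None:
            return "In-Reply-To references a message we never saw"
        if sender not in known:
            return "sender was not a participant in the referenced thread"
    return None


KNOWN_THREADS = {}
index_thread(ORIGINAL, KNOWN_THREADS)
```

The verdicts are heuristics for triage, not a block list: a legitimate new participant added to a thread will also be flagged and should be reviewed rather than dropped.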
The data that Emotet is gathering is not just for its use but also forms part of its sales to other cybercriminals.
How did the takedown take place?
All we know for sure is that statement from Europol at the top of the page. Somehow, law enforcement agencies gained access to the Emotet network and were able to take control. How exactly they did that is not being revealed.
However, Emotet has been selling off portions of its infrastructure over the last year. At one point Lock says Varonis saw a botnet of 10,000 machines being sold off for an attack against an Iranian bank. Other portions of the network with high-value targets have also been sold off to keep its network manageable.
Is this also about monetising their assets? Quite possibly. Lock said: “They’re actually looking at their estate, and carving it up into categories and chunks of how lucrative they can be. Not necessarily the smaller ones, but actually, the ones that can be quite targeted. It’s got to the point now where these botnets are so vast and so huge.”
It is always possible that part of this operation involved acquiring one of those pieces Emotet was selling off. This would have given the buyer a short window to access other parts of the network as the separation took place.
It could also have been the result of intelligence from other sources. One of these could be someone already arrested who gave up the information for a lighter sentence. Another could be another operation, such as the takedown of TrickBot. It is known that TrickBot had been using part of the Emotet infrastructure. Could it be as simple as administrator credentials left lying around?
The reality is that we are unlikely to know how this happened. Law enforcement agencies will want to keep the mechanism secret to protect other operations.
Can Emotet recover?
This is a big question. When a Microsoft-led operation took down TrickBot, it was up again very quickly. Given that, it is not unreasonable to think that we will see Emotet back in action within a few weeks.
One thing that has become evident with these malware platforms is that they are sophisticated. They are run as an enterprise computing operation. There are backups and even recovery sites in place. It may also be that the owners of Emotet approach those they had sold infrastructure to, so they can buy or lease access to rebuild.
As might be expected, such a high-profile action has resulted in an outpouring of comment from around the tech industry. Some of the comments received include:
Chris Morales, Head of Security Analytics at Vectra, likened this to taking down a datacentre. “Taking down Emotet is the equivalent of taking down an AWS or Azure major datacenter. The immediate impact would be felt, but eventually, organisations leveraging that infrastructure would look to move services elsewhere.”
Cath Goulding, CISO at Nominet, comments: “It is hard to overstate the significance of the achievement announced by Europol today in bringing the Emotet botnet offline. Emotet was used as a springboard for a number of cyber criminal groups and attack techniques. The dismantling of its infrastructure will effectively kill a number of malicious operations, at least for the short term.”
Adolf Streda, Malware Analyst at Avast, said: “The takedown of Emotet is a milestone in the fight against cybercrime. It has been using strong obfuscation methods to avoid being captured by antivirus solutions, and it has been offered by the original threat actors as malware-as-a-service to other cybercriminals. Having such a wide reach and many prevalent families linked to their infrastructure is why seeing it disarmed by the authorities is positive news for the world of cybersecurity.”
Kelvin Murray, Senior Threat Research Analyst at Webroot: “Given the distributed nature of Emotet and the legal impunity that its masters have operated with for years, it is doubtful that this operation will end it entirely. However, it will make this huge criminal enterprise more complicated and expensive to run and help strengthen the cross-border co-operation desperately needed in the fight against cybercrime.”
Enterprise Times: What does this mean?
Chalk up one for law enforcement. For now, they will be celebrating their success even though they know Emotet will be back sooner rather than later. However, as important as this disruption is, of more importance will be the vast quantity of intelligence they will reap from the seized infrastructure.
That intelligence is likely to provide the who, where and when of those who used Emotet’s services. Like other major takedowns, especially dark web marketplaces, it will take time to decipher that intelligence. The various countries will then share that with other countries they believe they can trust. The net result will be other operations over the next year or two related to this operation.