The operation, which concluded June 9, resulted in the arrest of 49 suspected members of the criminal group. Fifty-eight properties were searched, and laptops, hard disks, telephones, tablets, credit cards, cash, SIM cards, memory sticks, forged documents and bank account documents were seized.
The operation was coordinated by Europol’s European Cybercrime Center (EC3) and Eurojust, led by the Italian Polizia di Stato (Postal and Communications Police), the Spanish National Police and the Polish Police Central Bureau of Investigation, and supported by UK law enforcement bodies. Parallel investigations revealed international fraud totaling EUR 6 million, accumulated within a very short time.
The modus operandi used by this criminal group is the so-called man-in-the-middle (in practice a business e-mail compromise: the attackers insert themselves into the e-mail exchange between a company and its customers), and involved repeated computer intrusions against medium and large European companies through hacking (malware) and social engineering techniques.
Once access to companies’ corporate email accounts was secured, the offenders monitored communications to detect payment requests. The company’s customers were then requested by the cybercriminals to send their payments to bank accounts controlled by the criminal group. These payments were immediately cashed out through different means. The suspects, mainly from Nigeria, Cameroon and Spain, transferred the illicit profits outside the European Union through a sophisticated network of money laundering transactions.
To enable swift coordination and communication between the different officers involved in this transnational operation, a coordination center was established at Europol’s headquarters in The Hague. Representatives from law enforcement agencies participating in the bust were present in the coordination center, facilitating international information exchange along with Eurojust. At the same time, Europol specialists provided operational support on the ground in Italy and Spain, through the deployment of Europol mobile offices.
The Joint Cybercrime Action Taskforce, hosted at the European Cybercrime Centre at Europol, played a key role in the coordination of this investigation.
Meanwhile, Kaspersky Lab revealed that a cyber attack on its corporate network also hit high-profile victims in Western countries, the Middle East and Asia.
In early spring 2015, Kaspersky Lab detected a cyber-intrusion affecting several of its internal systems. Following this finding, the company launched an intensive investigation, which led to the discovery of a new malware platform, dubbed "Duqu 2.0", from one of the most skilled, mysterious and powerful threat actors in the APT (advanced persistent threat) world: the group behind the original Duqu.
Kaspersky Lab believes the attackers were confident that the attack could not be discovered. It included several unique, previously unseen features and left almost no traces.
The attack exploited zero-day vulnerabilities and, after elevating privileges to domain administrator, spread the malware through the network using MSI (Windows Installer) packages, which system administrators commonly use to deploy software to remote Windows computers.
The malware resided in memory: the attack left behind no disk files and changed no system settings, making detection extremely difficult. Kaspersky Lab said the philosophy and way of thinking of the “Duqu 2.0” group is a generation ahead of anything seen in the APT world.
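The lateral-movement technique described above (a domain administrator pushing MSI packages to remote hosts) blends in with legitimate software deployment, so a hunt has to look at who installed what, from where, and how. The following is an added example, not Kaspersky Lab's detection logic and not a Duqu 2.0 indicator: it scores process-creation events for msiexec.exe installs that are silent, sourced from a UNC share or a temp directory, launched through a remote-execution parent (WMI, PsExec, WinRM), or run by a privileged account. The events, the privileged-account list and the score weights are all constructed for illustration; in practice the records would come from Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled.

```python
"""Hunt for MSI-based lateral movement in Windows process-creation telemetry.

Added example; the events below are constructed, not real logs.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str      # machine the process started on
    user: str      # DOMAIN\account that launched it
    parent: str    # parent image name
    image: str     # full path of the new process
    cmdline: str   # full command line


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # Benign: a user installing a download interactively.
    ProcessEvent("WS01", "CORP\\alice", "explorer.exe",
                 "C:\\Windows\\System32\\msiexec.exe",
                 'msiexec.exe /i "C:\\Users\\alice\\Downloads\\7z1900-x64.msi"'),
    # Suspicious: service account, silent install from a file share.
    ProcessEvent("SRV02", "CORP\\svc_deploy", "services.exe",
                 "C:\\Windows\\System32\\msiexec.exe",
                 "msiexec.exe /i \\\\fileshare\\deploy\\agent.msi /qn"),
    # Suspicious: domain admin, WMI-spawned, silent install from Temp.
    ProcessEvent("DC01", "CORP\\Administrator", "wmiprvse.exe",
                 "C:\\Windows\\System32\\msiexec.exe",
                 "msiexec.exe /i C:\\Windows\\Temp\\update.msi /quiet /norestart"),
    # Unrelated process; must be ignored.
    ProcessEvent("WS07", "CORP\\bob", "cmd.exe",
                 "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
]

# Assumed list of accounts with domain-wide privileges (would come from AD).
PRIVILEGED_USERS = {"corp\\administrator", "corp\\svc_deploy"}
# Parents that indicate the install was triggered from another host.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe", "wsmprovhost.exe"}

# /i or /package followed by a quoted or unquoted package path.
PACKAGE_RE = re.compile(r'/(?:i|package)\s+("[^"]*"|\S+)', re.IGNORECASE)
# Flags that suppress the installer UI (nobody at the console sees it).
QUIET_RE = re.compile(r'/(?:qn|qb|quiet|passive)\b', re.IGNORECASE)


def package_path(cmdline):
    """Return the MSI package path from an msiexec command line, or None."""
    m = PACKAGE_RE.search(cmdline)
    return m.group(1).strip('"') if m else None


def score_event(ev):
    """Return (score, reasons) for an msiexec install, or None if not one."""
    if not ev.image.lower().endswith("\\msiexec.exe"):
        return None
    pkg = package_path(ev.cmdline)
    if pkg is None:
        return None
    score, reasons = 0, []
    if pkg.startswith("\\\\"):                     # UNC source
        score += 2
        reasons.append("package sourced from network share: " + pkg)
    if "\\temp\\" in pkg.lower():                  # staged in a temp dir
        score += 1
        reasons.append("package staged in a temp directory: " + pkg)
    if QUIET_RE.search(ev.cmdline):                # silent install
        score += 1
        reasons.append("silent install flag present")
    if ev.parent.lower() in REMOTE_EXEC_PARENTS:   # remotely triggered
        score += 2
        reasons.append("spawned by remote-execution parent " + ev.parent)
    if ev.user.lower() in PRIVILEGED_USERS:        # high-privilege account
        score += 1
        reasons.append("run by privileged account " + ev.user)
    return score, reasons


def hunt(events, threshold=3):
    """Return [(host, score, reasons)] for installs at or above threshold."""
    hits = []
    for ev in events:
        result = score_event(ev)
        if result and result[0] >= threshold:
            hits.append((ev.host, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for host, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"{host}: score {score}")
        for r in reasons:
            print("  -", r)
```

On the constructed sample, the interactive install on WS01 scores 0 and is ignored, while SRV02 (score 4) and DC01 (score 5) are flagged. The weights are deliberately simple; the point is that a single attribute (msiexec.exe, or a domain admin) is normal, and it is the combination of privileged account, remote trigger and silent install from a non-standard source that separates an attacker pushing packages from routine administration.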
But Kaspersky Lab wasn’t the only target of this powerful threat actor. Other victims have been found in Western countries, as well as in countries in the Middle East and Asia. Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal.
The threat actor behind Duqu appears to have launched attacks at the venues where the high level talks took place. In addition to the P5+1 events, the Duqu 2.0 group launched a similar attack in relation to the 70th anniversary event of the liberation of Auschwitz-Birkenau. These meetings were attended by many foreign dignitaries and politicians.
Kaspersky Lab performed an initial security audit and analysis of the attack. The audit included source code verification and checking of the corporate infrastructure. The audit is still ongoing and will be completed in a few weeks.
Besides intellectual property theft, no additional indicators of malicious activity were detected. The analysis revealed the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected.
Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.