Taking down Avalanche, a case study in international cooperation

International cooperation across all levels of government and law enforcement along with those agencies working closely with the cybersecurity industry is the only way to bring down cybercrime operations, a senior FBI official said at Black Hat 2017.

Tom Grasso, the FBI's unit chief for its Cyber Division, discussed the need for an even greater international effort to bring down the large, well run and widely dispersed criminal operations that are now active.

Grasso used the recently completed operation that brought down Avalanche, a cloud hosting service that helped spread malware such as GozNym, as an almost perfect example of how such cooperation can impact crime.

Bringing down Avalanche had a bit of everything, Grasso said, including an ending that mirrored Hollywood more closely than real life. It also showed how the FBI, working with other entities around the world, led to the arrest of Gennady Kapkanov by Ukrainian police in December 2016, an event in which Kapkanov fired at police with either an AK-47 or a pistol (both were found at the scene) as they entered his apartment, and was finally arrested as he stood on a ledge outside his third-floor apartment while trying to escape.

However, the main takeaway from this event was not that some cybercriminals can be violent, but that it will take the combined efforts of nation-states, private security firms and local police to actually bring these malicious actors to justice.

“Criminals are very good at collaborating,” Grasso said during his talk, pointing out that these people frequently ask for help in Dark Web forums. “We need to collaborate as good as they do and until we do we will always lose this battle.”

Grasso described to the crowd how it took the efforts of the FBI, German federal police, Ukrainian law enforcement, U.S. CERT, ShadowServer and other companies to bring down Avalanche.

The reason such a broad response is needed, he said, is that cybercriminals are not pimply-faced teens living in their mom's basement but a group of highly organized criminal enterprises that purposefully spread their work around the world to make it harder for the FBI and others to track them, as well as to build in needed redundancies and obfuscation.

Avalanche was a perfect example of such a case. At its peak it affected 830,000 domains spread over 53 top-level domains in 40 countries. The FBI and its international partners put together the case that led to the raid and arrest.

What Grasso did not mention is that Kapkanov was released from custody by a Ukrainian judge, fled the country and cannot be found.

Avalanche was a cloud hosting service run by Kapkanov that was used to spread malware such as the banking trojan GozNym, which was responsible for $50 million in losses in the U.S.