Europol has helped coordinate an international law enforcement take-down of a cyber criminal network that targeted financial institutions and businesses, infecting some 41,000 victim computers with its GozNym malware.
Law enforcement in Bulgaria and Germany, as well as Georgia, Moldova, Ukraine and the United States, were involved in the bust. Five suspects were arrested in Bulgaria, Moldova, Russia and Ukraine. The remaining five defendants are all Russian nationals and remain wanted by the FBI, prosecutors said.
The group targeted predominantly financial institutions and business organisations, stealing an estimated $100 million. A criminal indictment returned by a federal grand jury in Pittsburgh, USA charged ten members of the GozNym criminal network with conspiracy to commit a range of crimes, including money laundering.
GozNym is a hybrid of two earlier malware families. Nymaim is a dropper that gained a foothold on victim systems via exploit kits reached through malicious links or email attachments; Gozi supplied the web injection module, which tampers with banking pages inside the victim's browser (a man-in-the-browser attack) to harvest login credentials and other account details.
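To make the web injection step concrete, the following is an added illustration (not code from the page, from GozNym, or from any sample): it parses a small webinject configuration written in the Zeus-style set_url/data_before/data_inject/data_after syntax that many banking trojan families accept, rewrites a bank login page the way the browser hook would before the page is rendered, and then runs the kind of field-level diff a page-integrity monitor on the defending side could use to spot the extra input. The config, the URL and the HTML form are all constructed for the example; the bank never sees the injected "atm_pin" field because the rewrite happens on the client side after the response leaves the server.

```python
"""Illustrative web-inject rewrite and a simple integrity check.

Zeus-style config syntax (set_url / data_before / data_inject / data_after)
is used here as an assumption for illustration; the config, URL and HTML
below are constructed for this example and are not from any real sample.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed webinject config: on the bank's login page, insert an extra
# "ATM PIN" field directly after the password input. "GP" = apply to GET and POST.
WEBINJECT_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<label>ATM PIN</label><input type="text" name="atm_pin">
data_end
data_after
data_end
"""

# Constructed login form as the bank's server actually sends it.
ORIGINAL_LOGIN_PAGE = """<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<button>Sign in</button>
</form>"""


@dataclass
class Inject:
    url_mask: str          # wildcard pattern matched against the request URL
    flags: str             # G = GET, P = POST (subset of Zeus flags)
    before: str = ""       # anchor text the payload is placed after
    after: str = ""        # optional end anchor; text in between is replaced
    payload: str = ""      # HTML inserted into the page


def parse_webinject(text: str) -> list[Inject]:
    """Parse the set_url / data_* block format into Inject records."""
    injects, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url"):
            parts = line.split()
            current = Inject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in ("data_before", "data_after", "data_inject"):
            section, buf = line, []
        elif line == "data_end" and current is not None:
            value = "\n".join(buf)
            if section == "data_before":
                current.before = value
            elif section == "data_after":
                current.after = value
            elif section == "data_inject":
                current.payload = value
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def apply_injects(url: str, method: str, html: str, injects: list[Inject]) -> str:
    """Rewrite the response body the way a browser hook would, before rendering."""
    for inj in injects:
        if not fnmatch(url, inj.url_mask) or method[:1].upper() not in inj.flags:
            continue
        start = html.find(inj.before)
        if start < 0:
            continue
        start += len(inj.before)
        if inj.after:
            end = html.find(inj.after, start)
            if end < 0:
                continue
            html = html[:start] + inj.payload + html[end:]   # replace between anchors
        else:
            html = html[:start] + inj.payload + html[start:]  # insert after anchor
    return html


def injected_fields(expected_html: str, observed_html: str) -> list[str]:
    """Defender-side check: names of <input> fields present in the page as
    rendered but absent from the page as served (what a DOM-integrity monitor
    or client-side telemetry script would flag)."""
    def names(html: str) -> set[str]:
        return set(re.findall(r'<input[^>]*\bname="([^"]+)"', html))
    return sorted(names(observed_html) - names(expected_html))


if __name__ == "__main__":
    injects = parse_webinject(WEBINJECT_CONFIG)
    tampered = apply_injects("https://bank.example/login?x=1", "GET", ORIGINAL_LOGIN_PAGE, injects)
    print(tampered)
    print("injected fields:", injected_fields(ORIGINAL_LOGIN_PAGE, tampered))
```

The URL mask and method flags matter in practice: the same config leaves pages on other hosts untouched, which is one reason injects are hard to spot from the server side and why defenders rely on client-side page telemetry rather than on what the web server logs.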
An IBM X-Force security report notes that: “On the attack landscape, GozNym was highly active from the get-go, and by summer of 2016, a mere four months after its launch, it was a rising threat in the cybercrime arena. The actors operating GozNym targeted banks in Europe and North America, focusing on businesses and robbing millions in fraudulent wires. They were aggressive and fast to spread the malware to different countries”
The GozNym group was known on online criminal forums, where its members offered their specialised technical skills and services to the highest bidder. The GozNym criminal network has effectively been dismantled: five of its members have been arrested and are facing charges not just in the US, but in several European jurisdictions as well.
Meanwhile another five defendants are on the run and wanted by the FBI.
Europol state that: “The GozNym network was formed when these individuals were recruited from the online forums by the GozNym leader who controlled more than 41,000 victim computers infected with GozNym malware.”
“The leader of the GozNym criminal network, along with his technical assistant, are being prosecuted in Georgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia.”
GozNym Brought Down by the Fall of the Avalanche
The fall of the Avalanche network in 2016 was crucial in the lead-up to the arrests made this week. Avalanche was a criminal hosting infrastructure used by more than 200 cybercriminals, with records showing that it supported at least 20 different malware campaigns.
That network was busted when its administrator in Ukraine was arrested following a Germany-led operation that was tasked with dismantling the criminal network’s servers and infrastructure.
IBM X-Force notes that: “Avalanche just happened to also serve GozNym attacks, and the law enforcement operation designed to dismantle it was not only about domain takedown, it was also about taking down Avalanche’s criminal customers.”
Europol played a critical part in supporting what it called an "unprecedented, international law enforcement operation" that saw police forces and prosecution offices from the US and across Europe come together to shut down this cybercriminal network.
The operation was led by the United States Attorney's Office for the Western District of Pennsylvania and the FBI's Pittsburgh Field Office. In Europe, several agencies were involved in the investigation, including the Public Prosecutor's Office Verden (Germany), the Prosecutor's Office of Georgia, the Prosecutor General's Office of Ukraine and the Office of the General Prosecutor of Bulgaria.