On January 27th, a coordinated global law enforcement operation took down a notorious malware network that is said to have generated billions of dollars in losses by infiltrating thousands of computers around the world and selling access to those computers to other criminal gangs.
The malware network is called EMOTET.
How EMOTET worked is intriguing, and I would urge you to visit the links in this post to get a detailed understanding of what the criminals did.
But the focus of this post is to reinforce the absolute necessity for organizations, public and private, to step up their game in training their personnel to become proficient at screening their electronic communications before opening anything.
The volume of intellectual property and other data stolen since EMOTET first appeared on the scene in 2014 is staggering.
According to the Europol press release:
“EMOTET has been one of the most professional and long-lasting cybercrime services out there. First discovered as a banking Trojan in 2014, the malware evolved into the go-to solution for cybercriminals over the years.
“The EMOTET infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorized access was established, these were sold to other top-level criminal groups to deploy further illicit activities such as data theft and extortion through ransomware.”
HOW DID EMOTET DO IT?
Essentially, it started the way it always starts: through impersonation. The email is crafted to make the recipient believe that the attachment or link comes from a legitimate source.
Once the person opens the link or attachment, the computer is infected with the malware. The infected computer is then used to pass the malware on to other computers it communicates with, and those are absorbed into the malware ‘botnet’ in turn.
I am reminded of the Iranian spear-phishing operation against universities and a few government agencies, reported in 2018:
The New York Times then reported, “The spear-phishing emails purported to be from professors at one university to those at another and contained what appeared to be authentic article links. But once clicked on, the links steered the professors to a malicious Internet domain that led them to believe they’d been logged out of their systems and that asked them to enter their log-in credentials.”
- 31.5 terabytes of academic data and IP stolen
- $3-4 billion: the value of that data and IP, measured by what the affected U.S. universities paid to procure it
- 144 U.S. universities
- 176 universities across 21 foreign countries
- 100,000 professor accounts targeted around the world
- 8,000 professor email accounts compromised in the U.S. alone
- 47 domestic and foreign private sector companies, and
- 5 U.S. government agencies
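The two lures described above share the same tells: a sender who is not who the display name says, replies quietly diverted elsewhere, a link whose visible text shows one site while it actually leads to another, and an attachment type that can carry executable content. The script below is an added example, not code from the original post or from any product it mentions, that screens a raw email for exactly those indicators. The sample message and every domain in it are constructed for illustration, and the list of risky attachment extensions is an assumption of the example.

```python
"""Screen a raw email for the impersonation indicators a trained reader looks for.

Added example: the heuristics, the sample message, and the domains in it are
constructed for illustration and are not taken from the original post.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Assumption of this example: these attachment types can carry executable
# content (macro-capable Office files, scripts, executables, archives).
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".exe", ".zip"}

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
URL_IN_TEXT_RE = re.compile(r"https?://[^\s<]+", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Lower-cased domain of an address, '' if it has no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _host(url: str) -> str:
    """Lower-cased host of a URL, '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def screen_message(raw: bytes) -> List[str]:
    """Return the indicators found in a raw RFC 5322 message.

    An empty list means no heuristic fired, not that the message is safe.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Display-name impersonation: the name shows an address at one domain
    #    while the real sender address is at another.
    claimed = EMAIL_RE.search(from_name)
    if claimed and _domain(claimed.group(0)) != from_dom:
        findings.append(f"display name claims {claimed.group(0)} but sender is {from_addr}")

    # 2. Reply-To diverts answers to a different domain than the one in From.
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} does not match From domain {from_dom}")

    # 3. Links whose visible text is a URL on one host while the href goes elsewhere.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR_RE.findall(html.get_content()):
            shown = URL_IN_TEXT_RE.search(text)
            if shown and _host(shown.group(0)) != _host(href):
                findings.append(f"link shows {_host(shown.group(0))} but goes to {_host(href)}")

    # 4. Attachments of a type that can carry executable content.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rpartition(".")[2] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has risky type {ext}")

    return findings


def build_sample() -> bytes:
    """Constructed lure in the style the post describes; all domains are hypothetical."""
    m = EmailMessage()
    m["From"] = '"Prof. Jane Doe (jane.doe@university.example)" <j.doe@univ-mail-service.example>'
    m["Reply-To"] = "records@collect-invoices.example"
    m["To"] = "colleague@university.example"
    m["Subject"] = "Re: the article we discussed"
    m.set_content("Please see the attached article and the link below.")
    m.add_alternative(
        '<p>The article is here:\n<a href="http://login-portal.example/auth">'
        "http://library.university.example/article/1234</a></p>\n"
        "<p>The full text is attached as a Word document.</p>\n",
        subtype="html",
    )
    m.add_attachment(b"\xd0\xcf\x11\xe0 not a real document", maintype="application",
                     subtype="msword", filename="Article_1234.doc")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in screen_message(build_sample()):
        print("INDICATOR:", finding)
```

A screen like this is a training aid and a triage hint, not a substitute for the behavioral detection the post calls for later: an empty result means none of these heuristics fired, and a sender who changes the look of the lure will change which of them fire.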
HOW SMART WERE THE EMOTET CRIMINALS?
Very smart. They built an automated email system that sent thousands upon thousands of messages a day with authentic-looking pitches to unsuspecting victims.
And even when an organization eventually learned of the intrusion and set up filters to recognize the bogus emails, EMOTET would change the look of its messages and attachments to slip past them, get in, and stay in.
CYBER DETECTION TRAINING
What is the most effective defense against this type of cyber intrusion?
The continuous training of personnel to recognize signs of a potential intrusion is imperative.
In this short video, titled ‘Phishing tricks crooks use to make you open malware email attachments,’ a cybersecurity expert details the problem and explains that, “People are the new perimeter.”
MALWARE DETECTION PROFICIENCY EVALUATION
I would argue that personnel should be evaluated, in part, for their capacity to pick up signs of a potential intrusion and how to respond. If the candidate or employee does not test well, then this should be taken into consideration.
What is the benefit of having an employee that’s a terrific worker, yet does not have the capacity to keep from letting devastating malware through the front door of your organization?
Employees need to become ‘hacker detection profilers.’
If an organization trains its employees to recognize hacker activity indicators, and that training is persistent, the human perimeter is strengthened considerably.
Another cybersecurity expert said in his video titled, ‘EMOTET is Dead,’ “organizations… [should] really focus on behavioral detection as opposed to a signature-based approach which bad guys are so well-schooled at avoiding nowadays.”
We need to keep our eye on what drives the flood of malware intrusions into personal and organizational computers; it is not always cyber wizardry (like the recent SolarWinds supply chain infiltration) but human behavior.
Finally, we applaud the global law enforcement coordination that brought this massive criminal network down: the Netherlands, Germany, France, Lithuania, Canada, the United States, and the United Kingdom. In these global-cyber times, this kind of transnational coordination is critical.
Disclaimer: IPPIBlog.com is offered as a service to the professional IP community. While every effort has been made to check information in this blog, we provide no guarantees or warranties, express or implied, with regard to content provided in IPPIBlog.com. We disclaim any and all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such person and the accuracy and validity of the information provided by them. This blog is provided for general information purposes only and is not intended to provide legal or other professional advice.