Operation Tovar 'inspiring' cybercrime collaboration

Operation Tovar saw the US Department of Justice, the FBI, Europol and the UK's NCA work together to take down the Gameover Zeus and CryptoLocker botnets, a fine example of international cyber-crime policing, according to experts.

The European Cybercrime Centre

The FBI-led Operation Tovar resulted in the arrest of alleged perpetrator Evgeniy Bogachev and saw law enforcement agencies take simultaneous action to take control of the group's peer-to-peer (P2P) command and control servers. 

The criminals were using two distinct versions of malware - the Gameover Zeus Trojan and CryptoLocker ransomware - to infect up to 500,000 PCs worldwide, but that infrastructure is essentially now being controlled by the US Department of Justice (DoJ) within their own secure servers.

The DoJ, Europol and the UK's National Crime Agency were all involved in the project – as well as numerous universities and security vendors (including Dell SecureWorks, F-Secure, McAfee, Microsoft, Sophos and Trend Micro).

Some of those involved with the project celebrated the success at a McAfee event in London late last week, and highlighted Tovar as an 'inspiring' example where various law enforcement agencies work together to bring cyber-criminals to justice.

Paul Gillen, head of operations for the new European Cybercrime Centre, facilitated a lot of the European action on Operation Tovar from EC3 headquarters, and said that it was positive to see so many law enforcement agencies working together under one roof.

“We have to do this in partnership…Tovar is a really good example of getting private, academic and law enforcement together in one room, get one target and everybody pools their ideas. You take the knocks as they come – and there were knocks along the way to where we were [last] weekend (when the take-down happened).”

He added that, logistically, the take-down was 'pretty good'. “Fundamentally, it was a lot easier than we all imagined. Police officers find their level and start working away – if someone has a problem, someone else has the answer. It was quite inspiring.

“To see it go from a stage 18 years ago to today where we have a European Cybercrime Centre funded by the EU where everybody can come there to the operation centre and share intelligence, is brilliant – that's where we should be going. I think we've turned a corner – we're going to be in a better position to work together.”

But he warned: “We won a battle at the weekend but the war will wage on.”

KPMG's partner for information protection Giles Watkins also saluted the collaborative work but said that this work would 'only be as good as what the solutions industry provides'.

In an email to SCMagazineUK.com during the event, Deloitte's director of cyber security practice, Alex Petsopoulous, praised the action.

“This is some of the most proactive action from law enforcement that's been publicly acknowledged. The National Crime Agency (NCA) and American and European law enforcement agencies have forced criminal organisations to re-establish new command and control servers, which will take approximately two weeks. By taking over control of the network, they have essentially stopped further attacks from these networks, but this will only last until the attackers are able to regain control.”

But the panelists at the event were keen to stress that things will not stand still. Gillen said that while the action has disrupted the group's P2P infrastructure, cyber-criminals are likely to set up new infrastructure "within four to six weeks" and once again rely on proxy nodes to hide their identity and location.

Christian-Marc Liflander, policy advisor for the cyber defence section of NATO's Emerging Security Challenges Division, added: “The fact of life looking into the future is that we'll see a paradox – you will become more advanced but also more vulnerable.”

Local action needed

This vulnerability hasn't been helped by some countries that are not yet up to speed on cyber-crime. McAfee's 'Net losses: Estimating the global cost of cybercrime' report highlighted that Argentina and Italy have no or poor reporting of cyber-crime, while the UK's Met Police is also behind in this regard. Mark Jackson, detective superintendent of the Met Police Cyber Crime Unit, even admitted at the first SC Congress London that it had work to do in this area.

Liflander told SCMagazineUK.com that some countries are behind on cyber-crime reporting – most notably Southern European countries – and said that continuous co-operation will be needed for them to get up to speed. “We can't afford to carry any floaters,” he said.