Microsoft defends Citadel action after criticism over sinkholing

News by Dan Raywood

Microsoft has defended itself after criticism was leveraged following its takedown of the Citadel botnet.

Microsoft has defended itself after criticism was leveraged following its takedown of the Citadel botnet.


In early June, Microsoft, the FBI and other companies cut off communication between 1,462 Citadel servers and seized data and evidence from the botnet servers. However the technology giant was criticised for this action by a Switzerland-based researcher, who said that the disruption also ended research being done on the botnet by independent researchers.


They said that 'the problem with cyber crime is that it can't be solved with doing takedowns', and said that it is only possible to solve this issue by implementing legislation related to cyber crime, enforce them by getting bad actors arrested and implementing security by design on different layers,


“As outlined before, Shadowserver will no longer be able to inform network owners about several thousand Citadel infected computers because the Citadel domain names sinkholed by has been seized by Microsoft,” they said.


“According to Microsoft, their goal was to disturb Citadel botnet operations. In my opinion their operation didn't have any big noteworthy impact on Citadel, rather than disturbing research projects of several security researchers and non-profit organisations, including In my opinion, operation b54 was nothing more than a PR campaign by Microsoft.”


The researcher said that talking to other sinkhole operators saw them confirm that several dozen, and for some operators even hundreds of Citadel domain names they had sinkholed, have been seized by Microsoft.


“Calculating the numbers together, I can say that nearly 1,000 domain names out of the 4,000 domain names seized by Microsoft had already been sinkholed by security researchers,” they said.


“In fact these 1,000 domain names did no longer present a threat to internet users, but were actually used to help to make the internet a better place.”


In a statement sent to SC Magazine, Richard Boscovich, assistant general counsel of the Microsoft Digital Crimes Unit, said that the first priority for Microsoft and its partners, including our research partners, in this operation was to help ensure swift victim recovery from this malware.


“However, we are committed to providing essential information from our sinkholes to additional key researchers working to support victim remediation as quickly as possible, and to taking steps to evolve the coordination of such efforts in future operations,” he said.


Asked if he felt that this was a successful effort in disrupting a botnet in view of this criticism, Boscovich said: “We believe this was a very successful disruptive action, and are confident that we were able to sever most of the Citadel botnets we set out to target. This was also an extremely challenging operation, technologically and logistically, and we're extremely pleased with what we're seeing.


“As stated from the outset, the goal of this operation was to protect the public by strategically disrupting Citadel's operation, helping to quickly release victims from the threat, and making it riskier and more costly for the cyber criminals to continue doing business.


“As we have done in prior botnet operations, Microsoft is now able to use the intelligence gained from this operation to partner with organisations around the world to help rescue people's computers from the control of Citadel, helping to reduce the size of the ongoing threat that these botnets pose, and make the Internet safer for consumers and businesses worldwide.”


He went on to say that Microsoft was working closely with key researchers to further protect the public from Citadel, and the security research community is doing important work on monitoring this threat and other malware variants in the wild.


“Microsoft is working to get essential information from our system as quickly as possible to researchers such as Shadowserver to support victim notification, and most importantly, remediation,” he said.


“Microsoft's commitment to trustworthy partnership with the research and enforcement community to help protect the public from cyber threats remains unchanged. We will continue to partner with the security community around the world in our disruptive actions as we strive to help protect our customers and increase the risk and costs for cyber crime to both deter crime and put cyber criminals out of business.”



Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews