Feds in Pittsburgh dismantle Avalanche malware syndicate

Photo: Allegheny County District Attorney Stephen A. Zappala Jr. (Stephanie Strasburg | Tribune-Review)

A vast computer hacking network known as Avalanche allowed criminals to hit victims around the world and in Western Pennsylvania, including an Allegheny County agency and two local businesses, investigators said Monday.

Digital files in the Allegheny County District Attorney's Office were locked by ransomware until county workers paid the attackers six Bitcoins, or about $1,400, to have them unlocked. Federal investigators did not identify any victims, but a spokesman for District Attorney Stephen A. Zappala Jr. confirmed that his office was the agency whose computer was infected with the malware.

“The Allegheny County District Attorney's Office was the victim of a recent cyber crime referenced earlier today by the United States Attorney's Office,” Zappala said in a statement. “As technology continues to evolve, so does crime, and criminals are going to take advantage of that technology to always find new ways to victimize individuals, businesses and government agencies. As no cases were compromised as a result of this breach, we consider what happened more of a nuisance than anything else.”

The Avalanche online crime scheme lived up to its name by leaving a broad swath of destruction, touching 189 countries, infecting 500,000 computers at any moment and sending 1 million fraudulent emails a week, investigators said. More than 830,000 bad internet domains have been disabled. At least 20,000 infected computers were in the United States.

“This is the first time that we have aimed to and achieved the destruction of a criminal cyber infrastructure while disrupting all of the malware systems that relied on it to do harm,” acting U.S. Attorney Soo Song said during a press briefing at the FBI's Pittsburgh field office. “If Avalanche was the bridge that allowed malware to proliferate around the world, through this operation we seized control of the bridge and imploded it.”

Companies in New Castle and Carnegie also were hit when employees were tricked into clicking on an invoice attachment that downloaded malware allowing criminals to discover the victims' banking credentials.

Criminals were able to get a Pittsburgh bank to wire $387,000 to a bank in Bulgaria in the Carnegie case. The attackers attempted seven wire transfers with the New Castle company to steal $243,000.

Officials did not identify any of the victims by name.

“The globalness of this — because it's affecting the whole world — is what makes it very important and very unique,” said J. Keith Mularski, the FBI's supervisory special agent for cyber crime in the Pittsburgh office.

Avalanche was operated by two defendants going by the names Flux and Flux2, who advertised their capabilities on online criminal forums, according to partially redacted federal court documents unsealed Monday.

Prosecutors said in the filings that the defendants were committing wire fraud, bank fraud and other crimes, but no criminal charges have been filed against anyone linked to the fraud.

“For years, sophisticated cyber criminals have used our own technology against us — but as their networks have grown more complex and widespread, criminals increasingly rely on an international infrastructure as well,” Assistant Attorney General Leslie Caldwell said in a statement. “Now a multinational law enforcement coalition has turned the table on the criminals.”

Reporters on Friday were allowed inside the FBI's command center at the National Cyber-Forensics & Training Alliance, a Second Avenue nonprofit, as the operation was taking place. Mularski described the operation by showing on computer screens where infected computers were being discovered, and other FBI investigators stood at the back of the room.

A heat map showing the locations of infected computers lit up over Europe, Japan and urban areas in the United States.

The operation to take down Avalanche followed similar cases out of Pittsburgh in which investigators disrupted the GameOver Zeus malware and the Darkode criminal marketplace. This case involved at least twice as many countries as the previous ones, Mularski said.

“From a coordination standpoint, it's bigger,” he said. “It's a different type of operation where we had to use the civil aspect.”

The investigation of Avalanche started with police officials in Germany, who came to Pittsburgh in July 2015, seeking assistance. It culminated with a takedown that started Wednesday and involved Europol, the European police agency, and investigators and prosecutors in more than 40 countries. Agents from the Pittsburgh field office were in Germany as the operation took place.

The investigation has netted five arrests and led to premises searches at 37 locations, Europol reported. Authorities seized 39 computer servers and knocked 221 servers offline.

Song declined to say where the arrests or searches took place, saying the criminal investigation remains ongoing.

The German investigators sought help from officials in Pittsburgh because of the local “will and expertise” to take on complicated cyber criminal cases, Song said. Federal prosecutors have not indicted anyone in the case but did seek a civil court injunction to allow investigators to take down the network, she added.

The Pittsburgh field office relies “very heavily on industry” for collaboration, said Bob Johnson, special agent in charge of the FBI's Pittsburgh field office. He said the German investigators came to Pittsburgh because of local officials' track records with these cases and because of relationships like the one with the National Cyber-Forensics & Training Alliance, which brings public and private investigators together.

Attackers could rent the Avalanche services to mask their online activity, Mularski said. More than 20 kinds of malware were distributed through Avalanche botnets.

“Avalanche was one of the leading anonymization services,” Mularski said. “By taking that off, we have made the cost of doing business for the criminals much higher.”

Criminal groups have been using Avalanche since 2009, and German police began investigating in 2012 after ransomware was used to lock victims' computer systems, Europol said.

By infecting millions of private and business computers, criminals could discover victims' banking and credit card information, and they could remotely control the machines to launch denial-of-service attacks against other systems, including banks, according to the CERT division of the Software Engineering Institute at Carnegie Mellon University.

Criminals targeted 40 major financial institutions, and they used Avalanche to run money mule schemes in which people transported and laundered stolen money and merchandise, CERT said.

The computer emergency response team posted software that computer users can run to determine whether their equipment has been compromised. The agency also posted information about what victims should do if they find a malware infection.

After it obtained a federal court order, the FBI was able to block infected computers from communicating with the Avalanche controllers. It is not able to remove the malware from victims' computers, Mularski said.

Andrew Conte is a Tribune-Review contributing writer and director of the Center for Media Innovation at Point Park University.
