A joint cyber security task force comprising of personnel from U.S. and European law enforcement agencies has succeeded in taking down the Andromeda botnet that had spread to millions of IoT devices.
The Andromeda botnet had infected two million IoT devices and was using those devices to spread malware to many more devices around the world.
The destruction of the Andromeda botnet is the largest successful operation conducted by law enforcement agencies after a joint operation by the FBI, the Drug Enforcement Agency and the Dutch National Police led to the busting of two of the most popular malware-trading marketplaces on the Dark Web in July this year.
In a press statement, the Europol announced that the operation to destroy Andromeda was conducted by the FBI in close cooperation with the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and several private-sector partners.
What was Andromeda?
Hackers behind the botnet created a network of as many as two million infected computers and tried to use it to distribute other malware families. The malware spread so quickly that enforcement agencies had to track down and block over one million infected machines every month.
The cyber operation behind the Andromeda botnet was so large that researchers and agencies had found its association with as many as 80 malware families before it was finally eliminated.
‘This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale. The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us,’ said Steven Wilson, the Head of Europol’s European Cybercrime Centre.
Europol added that the Andromeda botnet was born after hackers created an international criminal infrastructure known as Avalanche which was subsequently used as a delivery platform to launch many new malware families as well as money mule recruitment campaigns.
Avalanche was finally destroyed exactly a year ago following a four-year joint operation conducted by the Public Prosecutor’s Office Verden and the Luneburg Police in Germany, the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice, the FBI, Europol, Eurojust and global partners.
The operation to eliminate the Andromeda botnet also resulted in sinkholing of 1500 domains of the malicious software, as well as the capturing of approximately 2 million unique Andromeda victim IP addresses from 223 countries. Sinkholing basically mean redirecting traffic between infected computers and a criminal infrastructure to servers controlled by law enforcement authorities.
Commenting on the threat posed by large botnets like Andromeda, Hervé Dhelin, SVP Strategy at EfficientIP, said that businesses must prepare to limit the impact of such malware attacks if they believe they could be a victim and would like to keep their businesses up and running.
‘A flu shot will not completely prevent you from catching the flu, but it will help. Likewise, our DNS server is able to absorb 60 times more (that is 17 million queries per second) than most solutions, including regular firewalls, already in place. These basic solutions are not enough to withstand large-scale attacks like the Mirai and Andromeda malware. Businesses today need more advanced protection,’ he added.