
Symantec Helps Law Enforcement Take Down Cyber Criminals

Here’s how Symantec taps its global intelligence network to share knowledge with law enforcement agencies and help them identify and foil attackers

When it comes to combatting online fraud, data theft, malware and other cyber security threats, no single entity – government or private – has all the answers. With the ongoing escalation in volume, diversity and sophistication of cyber attacks, the need for public and private organizations to partner together to limit the attacks and take out bad actors is more important now than ever.

Symantec understands this need well. While the cyber security firm’s mandate and activities remain focused on protecting its customers’ digital environments and data, Symantec regularly gains unique insight into attackers’ strategies as well as the infrastructure and tools they employ. On numerous occasions over the years, Symantec has shared that knowledge with the FBI and other law enforcement agencies around the world to help them identify and shut down the attackers’ operations.

In one recent case, Symantec and several other cyber security firms provided support to the FBI as it sought to dismantle a cyber crime ring that was running a global ad-fraud botnet. The ring had infected as many as 700,000 consumer and data center computers with two types of malware that, together, created counterfeit websites and generated fraudulent traffic to the advertisements on those sites.


All told, the fake visitors generated click-through ad revenue of more than $35 million, paid by businesses unaware that their ads were never actually viewed by real people. The U.S. Attorney’s Office of the Eastern District of New York outlined the scheme in a November 2018 press release that also announced the dismantlement of the network and the arrest of the scheme’s perpetrators.

Symantec was in a prime position to lend assistance to the investigation because it had tracked one of the main malware botnets – called Kovter – since 2013. The bot started out as a ransomware vehicle before changing its payload to support the ad fraud scheme, explains Vikram Thakur, technical director with Symantec’s Security Technology and Response (STAR) organization.

“We made sure our customers were protected from Kovter and moved on,” Thakur says. “Then, in 2017, the FBI asked if Symantec would be willing to participate in a task force to gather information on how Kovter worked, the infrastructure it was using, and ways to identify it at a larger scale than just our Symantec customer base.”

Over the following year, Symantec provided the FBI with technical advice and participated in in-person conferences with the agency as well as other industry partners to pool their knowledge and devise a game plan. Later, when the Department of Justice was ready to make its arrests and shut down the network, Symantec provided the FBI with a tool that affected users could freely download to remove the botnet from their machines.

Symantec cooperates with several law enforcement organizations, both in the US and around the globe. For example, Symantec has partnered with Europol’s European Cybercrime Centre (EC3) and engaged in a number of international operations, such as the takedowns of the Ramnit and Avalanche botnets, the response to the WannaCry outbreak and the No More Ransom project.

Symantec is in a position to provide assistance to law enforcement entities thanks to its large portfolio of cyber security tools, its global user base, and its extensive in-house expertise. Among its strengths, the company operates six security operations centers (SOCs) around the world, offering managed security services, incident response and other services to institutional users of cyber security products. As part of their operations, the SOCs monitor close to 200 billion logs each day.


When it comes to countering threats – or aiding law enforcement – the SOCs’ operations are tightly integrated with those of the STAR organization. For its part, STAR oversees research and development for all of Symantec’s security technologies, helping the company’s product teams build in protections against any newly identified threats.

As part of its operations, STAR collects and aggregates technical data that the Symantec products generate and uses it to create a “data lake” of cyber security-relevant information – Symantec’s Global Intelligence Network. Using its response centers located around the world, the STAR group monitors malicious code reports from more than 130 million Internet-connected systems, receives data from 240,000 network sensors in more than 200 countries, and tracks more than 25,000 known vulnerabilities.

“From a customer – or law enforcement – view, our SOC and STAR services are inextricably intertwined,” says John Lionato, vice president of global operations at Symantec, a role in which he oversees the global SOCs and their services. “Combined, the two organizations have more than 1,000 engineers, analysts and other ‘cyber warriors’ behind the pointy end of the stick.”

Although it might not be obvious, along with its technical expertise and deep visibility, Symantec’s global footprint also serves as a key strength when it comes to identifying and understanding some threats, Lionato says.

“In the world of the Internet, you would imagine location is irrelevant,” he says. “In real life, being closer to the adversary, both physically and culturally, can make a world of difference.” For example, Lionato explains, when examining malicious code, a native language speaker may be able to spot telltale identifiers or vernacular errors that another investigator might miss.

Symantec understands that helping law enforcement agencies can be a long-term engagement, a partnership that can last years. In one example, Symantec started working with the FBI in 2007 on an investigation into a fraud operation, dubbed “Bayrob,” in which people sent thousands of dollars to a fake website in the belief they were purchasing cars. That case wasn’t wrapped up until late 2016, with the arrest of the three Romanian men behind the scheme. “Our team must have met law enforcement in person at least a dozen times during the course of their investigation,” Thakur says.

“We look at it as our corporate and social responsibility,” he continues. “We’re not just protecting our customers, but the broader community. We’re in this to make life hell for the attackers.”

About the Author

Dwight B. Davis

Journalist

In his 40-year career as a computer industry journalist/analyst, Dwight has written hundreds of articles and research reports about cutting-edge technologies, market trends and vendor strategies. Much of his recent focus has been in the area of cyber security.