International efforts in the fight against global cybercrime: Disrupting cybercriminal operations

by Mark Thomas

12 October 2020

In April 2020, NTT signed an agreement to enter into Microsoft’s Cyber Threat Intelligence Program (CTIP). This is a voluntary, free-of-charge, information-sharing initiative intended to enable sharing limited types of cyberthreat information.

As part of our collaboration, our Global Threat Intelligence Center (GTIC) has been working closely with Microsoft’s Digital Crimes Unit to analyse TrickBot malware, its botnets, and command and control infrastructure with the purpose of taking disruptive actions against this threat. This includes ongoing malware analysis, reverse engineering, rogue infrastructure mapping and detailed network forensic analysis.

Appearing in late 2016, TrickBot is one of the world’s most notorious banking trojans and botnets (a botnet comprises networked systems infected with malicious software, which cybercriminals leverage to gain access to and control computers). The malware is designed to access and steal personally identifiable information, including bank and other online account details. It also attempts to spread across compromised networks, infecting other devices, and may attempt to download additional malicious content such as ransomware, remote access tools or other post-exploitation toolkits. Recently it has been linked to interference in the upcoming US election, with potential ties to nation-state and other cybercriminal syndicates.

A global effort

Cybercrime is a global challenge, and any effective response requires solid coordination between the public and private sector, involving law enforcement agencies across multiple international jurisdictions. This week’s actions to globally disrupt TrickBot took a multi-pronged approach, utilizing both legal and technical means across multiple jurisdictions.

We have been actively tracking TrickBot for a number of years, through ongoing threat intelligence research collaboration between the GTIC, Security Operation Centers (SOCs), and NTT Secure Platform Labs. With access to our global internet backbone traffic along with applied threat intelligence, machine learning and advanced analytics, we are ideally positioned to identify and map botnet infrastructure – extending our reach well beyond that of our clients and partners.

Insight into global internet traffic patterns gives us a unique perspective of botnets and cybercriminal activity

Using our unique telemetry, our analysts were able to discover TrickBot infrastructure communications, uncovering the complex relationships between compromised victim machines and adversary-controlled infrastructure. We have been sharing this threat intelligence as part of this engagement to support coordinated efforts in disrupting cybercriminal operators and their infrastructure.

Delivering integrated threat intelligence

NTT Group Managed Security Service (MSS) clients already benefit from our integrated approach to threat intelligence and botnet infrastructure detection. With our MSS Threat Detection service, our clients experience rapid threat detection and response through our ability to discover the latest cyberthreats affecting their assets delivered from our multiple SOCs across the world.

Modern threats are without boundaries, so our approach to cyber-defense must be borderless too. Collaboration is essential in enhancing our ability to reduce threats by combining forces to fight cybercrime together. This week’s outcome is testament to the critical importance of global cooperation, collaboration and information-sharing. It’s essential in making progress to identify and bring cybercriminals to justice.

Countries across the globe continue to struggle with the continuous onslaught of cybercrime, which impacts citizens, businesses, government and academic institutions. With society’s dependence on technology, the quantity and value of information stored online has only increased. So, too, have efforts to steal and exploit that information. By taking a more proactive stance in fighting cybercrime, we can shift the economics of cybercrime into the defenders’ favour, making it more challenging and costly for adversaries to operate. In doing so, we are making efforts to contribute to society through our business and corporate activities – making the internet, and broader digital ecosystem, a safer place for everyone through our commitment to cybersecurity and ongoing contributions to international risk management initiatives.

Cybercriminals are agile. They will seek to re-platform, re-tool and re-engineer their offensive capabilities as well as supporting infrastructure. In light of recent operations, we’ll continue to enhance our detective technologies, as well as continue to monitor the actions of TrickBot malware developers and their anticipated innovations.

Mark Thomas

Global Head of Threat Intelligence, NTT Ltd.