Tracking down the cybercriminals responsible for one of the largest Internet server hacks in history took collaboration among officials in more than 100 countries, including the FBI, the Dutch National Police Agency, and the Estonian Police and Border Guard Board.
FBI Pittsburgh Supervisory Special Agent Thomas Grasso relied on a much smaller team to warn affected users about the hack. However, that historic public/private collaboration is being held up as a model that could be used to protect the nation's reservoirs, electricity grids and other critical infrastructure.
"The DNS Changer Working Group was a tremendous success, and yes, I believe it can be a model for future industry collaboration in protecting the online infrastructure," said Chris Roosenraad, co-chairman of the Messaging, Malware and Mobile Anti-Abuse Working Group -- a San Francisco-based industry organization.
"An important aspect of the process that needs to be replicated, however, is that the working group was specifically focused. The DNS Changer Working Group was chartered to enable consumers to stay online, notify them of their infection and then give them the tools to clean themselves up. Like the DNS Changer Working Group, future collaboration also needs to be technically focused, finite in scope and fixed in length to be effective."
If you ask Agent Grasso, the collaboration that built the DNS Changer Working Group was a lot easier than one might think.
"It wasn't as challenging as I think some people may think something like that would be," Agent Grasso said. "As it turns out we're really lucky. There are a lot of people out there outside of law enforcement that are in private sector, and their [lives] revolve around keeping the Internet safe, keeping it secure. They want to help with problems like this. They don't want to see millions of people get disconnected from the Internet; they want to find a solution."
As it was, those private and public partners didn't come together until a problem arose in which collaboration was the only solution.
In 2007, FBI officials learned that hackers had found their way into a DNS server -- a server that translates a website's domain name into the numerical IP address of the actual site. The hijacked server, which was linked to more than 4 million Internet users, still sent users to the websites they were looking for, but replaced the legitimate online ads on those sites with the criminals' own. The investigation, dubbed Operation Ghost Click, estimated that the cybercriminals stole at least $14 million through the malware, called DNSChanger, which infected approximately 4 million computers in more than 100 countries.
Once six ringleaders of the conspiracy were arrested in Estonia last November, Agent Grasso and others in the FBI's cybercrime division realized they would have to shut down the compromised server to resolve the issue once and for all. But they knew that if users were suddenly cut off, they would not realize that malware was the cause and would most likely bombard Internet service providers with troubleshooting calls.
So rather than cutting millions off the Internet in one fell swoop, Agent Grasso decided to bring industry stakeholders to the table to help stem the disaster by reaching users directly.
"There are always challenges when you bring different groups together, especially people that have different interests and backgrounds," he said. "But here in Pittsburgh we do a lot of outreach to the private sector from the FBI and we're lucky we have some really good relationships already with a number of different Internet service providers and companies out there. More or less, it was just reaching out to those resources, those contacts we already have, those trusted partners we're used to working with and saying to them, we want you guys to help us with this problem."
After the team came together, the FBI redirected infected computers to safe temporary servers and formed a plan to let users know about the problem without shutting them out of cyberspace immediately. They gave Internet service providers IP addresses for infected users so they could contact them directly and created the DNS Changer Working Group website so users could check for infection themselves. With the help of a media blitz informing the public of the issue, the group reduced the estimated number of infected users in the United States from 500,000 last November to around 65,000 when the temporary servers finally were shut down in July.
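As an added illustration of the kind of self-check the working group's website offered (this code is not from the article or from the working group itself): a small Python routine that parses the resolver entries of a resolv.conf-style file and flags any that fall inside known rogue DNS server ranges. The rogue ranges and the sample files are constructed placeholders, since the real address blocks are not given in the article.

```python
import ipaddress
import re

# Constructed placeholders standing in for the rogue resolver address blocks
# the working group published (assumption: documentation-only ranges are used
# because the real blocks do not appear in the article).
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:bad::/48"),
]


def parse_resolvers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    resolvers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            resolvers.append(match.group(1))
    return resolvers


def flag_rogue_resolvers(resolvers: list[str]) -> list[str]:
    """Return the subset of resolvers that sit inside a rogue range."""
    flagged = []
    for entry in resolvers:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue  # not a literal address; nothing to compare against
        if any(addr in net for net in ROGUE_RESOLVER_RANGES):
            flagged.append(entry)
    return flagged


def check_resolv_conf(resolv_conf: str) -> list[str]:
    """Parse the file and report resolver entries pointing at rogue ranges."""
    return flag_rogue_resolvers(parse_resolvers(resolv_conf))


# Constructed sample: a machine whose primary resolvers were rewritten,
# with the ISP's own (placeholder) resolver left in place as a fallback.
SAMPLE_INFECTED = """# constructed sample resolv.conf
nameserver 192.0.2.10
nameserver 2001:db8:bad::53
nameserver 203.0.113.1   # ISP resolver (placeholder)
search example.net
"""

# Constructed sample: a clean configuration using only the ISP resolvers.
SAMPLE_CLEAN = "nameserver 203.0.113.1\nnameserver 203.0.113.2\n"

if __name__ == "__main__":
    print("infected sample flags:", check_resolv_conf(SAMPLE_INFECTED))
    print("clean sample flags:", check_resolv_conf(SAMPLE_CLEAN))
```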
In October, Agent Grasso received the inaugural J.D. Falk Award from the Messaging, Malware and Mobile Anti-Abuse Working Group for his work. The organization named the award after Falk, a longtime member of the working group, because of his passion for online safety, end-user security and collaboration. The organization's board of directors includes representatives from AT&T, Comcast, Cox Communications, Facebook and PayPal, to name a few.
The fact that he was rewarded for collaboration by a group that includes direct corporate rivals on its board of directors wasn't lost on Agent Grasso. If anything, it reinforced to him that public and private stakeholders are finally understanding how dependent they are upon one another to ensure the safety of a nation.
"It's important for people in the FBI and government to understand they don't hold the keys to fixing all these problems," Agent Grasso said. "We have a certain role that we play, people out in private sector have a role they play. And, really, if we're going to keep the Internet safe and secure it's not going to be something one person does or one organization does. It's going to happen because of collaborations like this."
Deborah M. Todd: email@example.com or 412-263-1652.