WASHINGTON -- The FBI and the Justice Department on Wednesday began dismantling a ring of international computer thieves who stole hundreds of millions of dollars worldwide by infecting over 2.3 million computers with malicious software. It was the biggest such enforcement action U.S. authorities have ever taken against cyber criminals.
FBI officials said investigators were able to execute a digital sting of their own -- taking control of several of the malicious computer servers and sending commands to make them stop transferring pirated data.
Millions of dollars were stolen from U.S. computer users, said the officials, who spoke on condition of anonymity because the investigation is continuing.
The investigators were trying to contain a malware program called Coreflood, which has been around for at least a decade and can record key strokes, allowing cyber criminals to take over unsuspecting computers and steal passwords, banking and credit card information.
Investigators seized five major computer servers that were controlling hundreds of thousands of infected computers, and also seized 29 domain names used by the botnet to communicate with those servers. A botnet is a network of infected computers.
Describing the operation, FBI officials said they essentially broke the link between the cyber thieves and the infected computers. When the malware sent a message back to the Coreflood control sites asking what to do with all the data it had gathered from a computer, investigators responded with their own message: Send nothing. Shut down.
As a result, FBI officials said they are comfortable that a significant portion of the Coreflood botnet has been disabled, but the program is still running on the infected computers.
Officials said they did not notify computer owners that they had been compromised, and no personal information was gathered by U.S. officials during the digital communications.
The malware exploits a vulnerability in computers running Windows operating systems and allows those that are infected to be controlled remotely. And some 1.8 million of the infected computers are in the United States; the remainder in countries around the world.
Thirteen defendants, identified only as John Does, were accused in a civil complaint of engaging in wire fraud, bank fraud and illegal interception of electronic communications. Officials would not say what country the attack came from, but agreed it was consistent with cybercrime activity from Eastern Europe.
The court order authorized the government to respond to signals sent from infected computers in the U.S., a move designed to stop the Coreflood software from running. The purpose is to prevent further harm to hundreds of thousands of unsuspecting users of infected computers.
The thieves engaged in wire transfers from the infected computers to steal $115,000 from a Michigan real estate company; $78,000 from a law firm in South Carolina; $151,000 from an investment company in North Carolina; and $241,000 from a defense contractor in Tennessee.
The exact extent of the financial loss caused by the Coreflood botnet is not known, because of the large number of computers infected and the quantity of data stolen.
Computer users can go to the Microsoft website to learn how to clean the malware from their computers.