It was a day like any other at the Taiwan office of Microsoft’s Digital Crimes Unit (DCU). Data points from all corners of the internet scrolled across a bank of monitors in the routine way. Then an analyst spotted something unusual that he thought might be a new malware threat.

His suspicions proved right and triggered a landmark cybersecurity operation by law enforcement officers in Taiwan.

The DCU is at the forefront of Microsoft’s global commitment to protect customers and keep the internet safe. It shares multiple types of threat data, some of it in near-real time, with public and private partners around the world.

Just like old-fashioned detectives searching for clues of wrongdoing, the DCU’s ranks of legal experts and analysts watch over our digital world.

MJIB headquarters

They diligently monitor sophisticated intelligence-gathering dashboards and act fast when anything seems awry. It’s a constant 24/7 effort, and it paid off handsomely in Taiwan last August.

Botnet signals

Following DCU Taiwan’s initial observation, the team uncovered an unusual spike in botnet signals: a hundredfold increase within one month. (A botnet is a network of computers and devices that a cybercriminal has infected with malicious software, or malware. Once a device is infected, the criminals can control it remotely and use it to commit crimes.)

The DCU team delved deeper by mapping more than 400,000 publicly routable IP addresses and narrowing that set down to 90 suspicious IPs. A search of open data sources on those 90 IPs refined the analysis further and revealed something alarming: one particular IP was associated with dozens of activities related to malware distribution, phishing emails, ransomware, and DDoS attacks.

To the team’s surprise, these activities corresponded to as much as one terabyte (TB) of malicious content being sent out each week.
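The triage described above has two stages: a spike test on per-IP botnet signal counts, and then enrichment of the surviving IPs against open data to see which one is tied to the widest range of abuse. The following Python is an added illustration of that workflow, not the DCU’s own tooling. The sightings, the open-data feed format, the RFC 5737 documentation addresses, and the thresholds (a 100x ratio and a minimum current-month count) are all constructed or assumed for the example.

```python
"""Botnet-signal triage: spike detection, then open-data enrichment.

Added example only. All data below is constructed; the feed layout is a
hypothetical (ip, category, report_id) tuple, not any real threat feed.
"""
from collections import Counter, defaultdict

# Constructed sightings: (source_ip, period, number of botnet beacons seen).
# Addresses are RFC 5737 documentation ranges, so none refers to a real host.
SIGHTINGS = [
    ("192.0.2.10", "baseline", 3),   ("192.0.2.10", "current", 450),
    ("192.0.2.20", "baseline", 40),  ("192.0.2.20", "current", 55),
    ("192.0.2.30", "baseline", 1),   ("192.0.2.30", "current", 120),
    ("198.51.100.5", "current", 9),                   # new talker, low volume
    ("198.51.100.9", "current", 200),                 # new talker, high volume
    ("203.0.113.7", "baseline", 2),  ("203.0.113.7", "current", 80),
]

# Constructed open-data reports: (ip, abuse category, report id).
# Report "r-001" appears twice on purpose to show de-duplication.
OPEN_DATA = [
    ("192.0.2.10", "malware-distribution", "r-001"),
    ("192.0.2.10", "malware-distribution", "r-001"),
    ("192.0.2.10", "malware-distribution", "r-002"),
    ("192.0.2.10", "malware-distribution", "r-003"),
    ("192.0.2.10", "phishing", "r-004"),
    ("192.0.2.10", "phishing", "r-005"),
    ("192.0.2.10", "ransomware", "r-006"),
    ("192.0.2.10", "ddos", "r-007"),
    ("192.0.2.30", "ddos", "r-008"),
    ("192.0.2.30", "ddos", "r-009"),
    ("203.0.113.7", "phishing", "r-010"),   # not flagged, so never enriched
]


def period_totals(sightings):
    """Sum beacon counts per IP per period: {ip: Counter({period: n})}."""
    totals = defaultdict(Counter)
    for ip, period, n in sightings:
        totals[ip][period] += n
    return totals


def spike_ratio(per_period, baseline, current):
    """current/baseline for one IP; an IP with no baseline but current
    traffic is treated as an infinite ratio (a brand-new talker)."""
    base = per_period.get(baseline, 0)
    cur = per_period.get(current, 0)
    if base == 0:
        return float("inf") if cur > 0 else 0.0
    return cur / base


def suspicious_ips(sightings, baseline, current, factor=100, min_current=50):
    """Return {ip: ratio} for IPs whose signal count grew by at least
    `factor` and whose current count clears `min_current` (to avoid
    flagging 1 -> 9 style noise). Thresholds are assumed values."""
    flagged = {}
    for ip, per_period in period_totals(sightings).items():
        if per_period.get(current, 0) < min_current:
            continue
        ratio = spike_ratio(per_period, baseline, current)
        if ratio >= factor:
            flagged[ip] = ratio
    return flagged


def enrich(ips, open_data):
    """Map each candidate IP to {category: number of distinct reports}."""
    hits = {ip: defaultdict(set) for ip in ips}
    for ip, category, report_id in open_data:
        if ip in hits:
            hits[ip][category].add(report_id)
    return {ip: {cat: len(ids) for cat, ids in cats.items()}
            for ip, cats in hits.items()}


def rank_candidates(enriched):
    """Order candidates by breadth (distinct abuse categories), then by the
    total number of distinct reports, most suspicious first."""
    return sorted(enriched.items(),
                  key=lambda kv: (len(kv[1]), sum(kv[1].values())),
                  reverse=True)


def triage(sightings, open_data, baseline, current):
    """Full pipeline: spike test, then open-data enrichment and ranking."""
    flagged = suspicious_ips(sightings, baseline, current)
    return rank_candidates(enrich(flagged, open_data))


if __name__ == "__main__":
    for ip, categories in triage(SIGHTINGS, OPEN_DATA, "baseline", "current"):
        print(f"{ip:14} categories={len(categories)} reports={categories}")
```

Run as a script, the IP that spiked and is tied to all four abuse categories ranks first; the new talker with no open-data history still survives the spike test but ranks last, which is the kind of candidate an analyst would hold for more evidence rather than escalate.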

Working together

The DCU team alerted and briefed Taiwan’s Ministry of Justice Investigation Bureau (MJIB).

With the intelligence supplied by the DCU, MJIB agents tracked down the illegal VPN IP quickly and efficiently. They discovered that hidden accounts behind the illegal VPN were launching malware attacks from inside an office building in rural northern Taiwan.

Usually, cybercriminals use compromised PCs to launch cyberattacks. This time, however, the source was identified as an LED light control console, a seemingly insignificant IoT device. The MJIB quickly shut it down and stopped it from spewing out more malware.

“This case marks a milestone. That’s because we were able to take down the IoT device and secure the breach to a limited range for those compromised computers in Taiwan, which is quite different from our previous global cooperation cases,” says Director Fu-Mei Wu, who leads the MJIB’s Information and Communication Security Division.

“Cyberattacks are getting increasingly serious. Through Microsoft’s efforts to gather intelligence and process data, we can investigate the perpetrators more efficiently, and further take legal action before criminals can get very far. This is a partnership based on mutual trust, and we are thankful that Microsoft is on our side.”
