A reverse hack of criminally controlled servers based in Canada by a team of RCMP engineers helped halt a piece of malicious software that has supported international cyberattacks for years.
Their work, dubbed Project Cipher, was part of a multi-national law-enforcement effort in early 2021 to disable Emotet – malicious software designed to exploit computer networks for money.
No other country was able to hack into any of their servers," says S/Sgt. Peter Hawkins, who leads the RCMP's Cybercrime Investigative Team in Quebec. "
Once we were able to do it, we shared our technique with the other countries."
Emotet has been used in high-profile ransomware cases where computer-network owners – usually large institutions such as private businesses, government departments or universities – were prevented from accessing their own data until a ransom was paid.
A report by the cyber-security company Emsisoft says Canada had 4,257 ransomware attacks in 2020, resulting in reported losses totalling hundreds of millions of dollars.
That's why we spend years trying to track this," says Hawkins. "
By the time it gets to the ransom stage and there's an attack, we are limited in what we can do."
The work that led to Emotet's takedown began in March 2020.
Co-ordinated by Europol and the European Union Agency for Criminal Justice Cooperation, the investigation also included Dutch, German, French, British, American, Lithuanian and Ukrainian law enforcement.
Their collaborative efforts identified more than 200 servers – a computer that collects and sends information across local and international networks – around the world.
Two of those servers, called Tier 2s, were in Montreal, while 13 Tier 1s were elsewhere in Canada. Other servers, known as Tier 3s, were located in Europe.
Together, they had unique roles in a spider-web of viral connectivity: a collection of internet-linked computers piloted by Emotet malware, which lead to the creation of a botnet of infiltrated computers that cyber criminals controlled and instructed to instigate attacks that infected more than 1.7 million computers.
Arriving as attachments in emails from seemingly trusted sources, the malware, if activated, could spread on networks, access private data and steal passwords, while sending that information back to the criminals.
Multiple servers also helped conceal identities and locations, says Hawkins, noting Emotet was responsible for 60 per cent of cyberattacks worldwide.
Jason Greeley, director of cybercrime with Federal Policing Criminal Operations, says neutralizing the malware protects Canadians from small-time scams to large-scale criminal behaviour.
Cybercriminals are organized criminals. These aren't just kids in some dark basement somewhere," he says. "
The profits from this type of malware fund everything from narcotics, to weapons to human trafficking."
Getting to work
By the summer of 2020, the Tactical Operations Section, which operates as part of the RCMP's Technical Operations in National Headquarters, assembled a team of engineers and computer experts to tackle Emotet.
It was the team's job to figure out the servers, understand the encryption and how to circumvent the multiple passwords," says Insp. Nic Gagné, Officer in Charge of the Tactical Operations Section.
He says the technical working group brainstormed for months, eventually developing a specialized technique to infiltrate the malware's infrastructure to gain access to the servers without the criminals' knowledge.
It all involved reverse engineering of malware and developing a tailored solution to gain access to the server's data set," says Francis Papineau, a software engineer with the RCMP's Covert Access and Intercept Team. "
It was pretty tough with multiple levels of encryption. This is the stuff you don't learn about in school."
By November, the team was confident it could infiltrate the servers, and the international operation to disrupt Emotet began on Jan. 26, 2021.
International officials were able to take control of the servers and Emotet to prevent the criminals from spreading the malware. The malware was also tricked into downloading and installing software that prevented the criminals, who controlled the servers, from communicating with infected computers.
The malware was neutralized April 25 when it was prompted to self-erase.
If we took away access to the criminals' tools, the servers, we knew that would have a huge impact on their operation, and it did," says Hawkins.
Greeley adds the RCMP's international partners are very appreciative of the team's work.
The RCMP, the team in Quebec, were able to stand up and display their talents," says Greeley. "
And that did not go unrecognized."
Gagné also credits the talented group of technical personnel and investigators for their work and commitment to the law-enforcement goals of the RCMP.
We have a lot of smart minds and talented people here," says Gagné. "
They could probably be making a lot more in the private sector, but they're here and believe in the important work that needs to be done."