The computer networks were infected with a form of malware that allowed the computers to be accessed and controlled remotely by hackers operating across the globe. The malware also tracked user keystrokes, which allowed hackers access to sensitive information to be used for identity theft, fraud and theft. More than five million people in over 90 countries were affected by the malware, according to estimates in a Microsoft press release.
The so-called Citadel Botnets represent one of the largest botnets in operation, according to Microsoft; despite shutting down 1,000 malicious networks, at least an estimated 400 remain active. Botnets are networks of infected computers which are forced to obey commands sent by hacker-controlled servers. The malware which allows hackers to control the infected networks runs in the computers' background processes, which can make identification of the infection difficult.
The shutdown of the Citadel Botnet networks comes after Microsoft filed a civil complaint against the cyber-crime syndicate and obtained a court order for the aggressive action. Despite the success of the operation, the members and especially the leaders of the organized crime group remain at large and unknown. Microsoft’s complaint names “John Doe No. 1” as the leader of the Citadel crime syndicate. According to Reuters, the only identifiable information is the hacker’s alias: Aquabox.
Investigators suspect that Aquabox operates out of Eastern Europe, but did not provide details. The Citadel malware is designed not to attack institutions in Russia and Ukraine, which suggests the crime group may be operating in that area and wants to avoid local law enforcement attention, Reuters said.
"Crimes used to happen through stickups, but today criminals use mouse clicks,” Greg Garcia, a consultant and former Department of Homeland Security cyber official, told Microsoft. Victims of the malware are often unaware that their system has been infected. The intelligence gathered during the coordinated network shutdown will help Microsoft and Internet Service Providers inform customers if their systems have been compromised, the Microsoft press release said.
