Do threat actors feel like walls are closing in on them? They might well be feeling that way — or maybe they should be feeling that way. From Europol, today:
This week, law enforcement authorities took action against the criminal misuse of VPN services as they targeted the users and infrastructure of VPNLab.net. The VPN provider’s service, which aimed to offer shielded communications and internet access, were being used in support of serious criminal acts such as ransomware deployment and other cybercrime activities.
On 17 January, disruptive actions took place in a coordinated manner in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom. Law enforcement authorities have now seized or disrupted the 15 servers that hosted VPNLab.net’s service, rendering it no longer available. Led by the Central Criminal Office of the Hannover Police Department in Germany, the action took place under the EMPACT security framework objective Cybercrime – Attacks Against Information Systems.
A provider of choice for cybercriminals
VPNLab.net was established in 2008, offering services based on OpenVPN technology and 2048-bit encryption to provide online anonymity for as little as USD 60 per year. The service also provided double VPN, with servers located in many different countries. This made VPNLab.net a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of detection by authorities.
Law enforcement took interest in the provider after multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution. Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware. At the same time, investigators found the service advertised on the dark web itself.
As a result of the investigation, more than one hundred businesses have been identified as at risk of cyberattacks. Law enforcement is working directly with these potential victims to mitigate their exposure.
Closing in on VPN service used for criminal purposes
Commenting on the VPNLab.net takedown, the Head of Europol’s European Cybercrime Centre, Edvardas Šileris, remarked:
The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online. Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches.
Chief of Hanover Police Department Volker Kluwe stated:
One important aspect of this action is also to show that, if service providers support illegal action and do not provide any information on legal requests from law enforcement authorities, that these services are not bulletproof. This Operation shows the result of an effective cooperation of international law enforcement agencies, which makes it possible to shut down a global network and destroy such brands.
Europol’s European Cybercrime Centre (EC3) provided support for the action day through its Analysis Project ‘CYBORG’, which organised more than 60 coordination meetings and 3 in-person workshops, as well as providing analytical and forensic support. The information exchange was facilitated in the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters in The Hague. Eurojust organised a coordination meeting to prepare for the operational actions and provided support to enable cross-border judicial cooperation between all Member States concerned.
The following authorities took part in this operation:
- Germany: Hanover Police Department (Polizeidirektion Hannover) – Central Criminal Office and Verden Public Prosecutor’s Office
- Netherlands: The Dutch National Hi-Tech Crime Unit
- Canada: Royal Canadian Mounted Police, Federal Policing
- Czech Republic: Cyber Crime Section – NOCA (National Organized Crime Agency)
- France: Sous-Direction de la Lutte Contre la Cybercriminalité à la Direction Centrale de la Police Judiciaire (SDLC-DCPJ)
- Hungary: RSSPS National Bureau of Investigation Cybercrime Department
- Latvia: State Police of Latvia (Valsts Policija) – Central Criminal Police Department
- Ukraine: National Police of Ukraine (Національна поліція України) – Cyberpolice Department
- United Kingdom: The National Crime Agency
- United States: Federal Bureau of Investigation
- Europol: European Cybercrime Centre (EC3)
In 2017 the Council of the EU decided to continue the EU Policy Cycle for the 2018 – 2021 period. It aims to tackle the most significant threats posed by organised and serious international crime to the EU. This is achieved by improving and strengthening cooperation between the relevant services of EU Member States, institutions and agencies, as well as non-EU countries and organisations, including the private sector where relevant. Currently, there are ten EMPACT priorities. From 2022, the mechanism becomes permanent under the name EMPACT 2022+.