'CyberBunker' Malicious Activity Continues Months After Police Raid, SANS Technology Institute's Internet Storm Center Research Finds

Analysis of IP address space used by crime organization "CyberBunker" finds hundreds of bots still infected with malware attempting command and control communication.

Bethesda, Md. – SANS Technology Institute, a college known for its cutting-edge cybersecurity research, has been able to show that victims continue to reach out to IP address space used by threat actor “CyberBunker” months after the organization was taken down in a raid.

In the fall of 2019, German police raided a Cold War-era nuclear bunker that was being used by CyberBunker, an organization selling bullet-proof hosting services for various criminal activities. In April 2020, the SANS Technology Institute's (SANS.edu) Internet Storm Center was able to obtain access to the IP address space used by CyberBunker and, over the course of two weeks, collected and analyzed traffic destined for addresses formerly used by CyberBunker. As part of his work for a master's degree in Information Security Engineering with SANS.edu, student Karim Lalji analyzed the traffic and today publishes a new paper.

Through his analysis, Karim Lalji identified several botnets and thousands of hosts infected with malware that continue to reach out to the now-defunct command and control servers that formerly were hosted by CyberBunker. In some cases, it was possible to identify encrypted command and control channels and link them to specific malware families.
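The kind of analysis described above, namely spotting infected hosts that keep calling home to a sinkholed range, rests on the observation that C2 check-ins are periodic while scans and stray web requests are not. The following is an added illustration, not code from the paper or from the Internet Storm Center: it takes flow records (timestamp, source, destination, destination port) captured on a sinkholed range, groups them by endpoint, and flags source/destination pairs whose inter-arrival times are nearly constant. The sample flows, the documentation-range IP addresses, and the thresholds are constructed for the example and are not CyberBunker's.

```python
"""Periodic-beacon detection over flow records captured on a sinkholed address range.

Added example (not code from the SANS.edu paper). All flows below are constructed;
203.0.113.0/24 stands in for the sinkholed range and 192.0.2.x / 198.51.100.x play
the infected or scanning hosts (all are RFC 5737 documentation addresses).
"""
from collections import defaultdict
from statistics import mean, pstdev

BASE = 1_600_000_000  # arbitrary epoch start for the constructed capture


def build_sample_flows():
    """Return constructed (unix_time, src_ip, dst_ip, dst_port) flow records."""
    flows = []
    # Victim A: 300 s check-ins with a few seconds of jitter to a dead C2 on 443.
    for i, jitter in enumerate([0, 2, -1, 3, 0, 1, -2, 2, 1, 0, -1, 2]):
        flows.append((BASE + 300 * i + jitter, "198.51.100.7", "203.0.113.10", 443))
    # Victim B: same C2 endpoint, same 300 s period, different phase.
    for i, jitter in enumerate([1, 0, 2, -2, 1, 0, 3, -1, 0, 1, 2, 0]):
        flows.append((BASE + 17 + 300 * i + jitter, "192.0.2.33", "203.0.113.10", 443))
    # Victim C: a different bot family, exact 60 s period, different C2 endpoint.
    for i in range(10):
        flows.append((BASE + 60 * i, "192.0.2.99", "203.0.113.20", 8080))
    # Scanner: one probe per port, so no endpoint is ever hit twice.
    for port in (21, 22, 23, 80, 443, 3389):
        flows.append((BASE + 100 + port, "198.51.100.200", "203.0.113.5", port))
    # Human-paced web traffic to a defunct site: many hits, irregular spacing.
    for offset in (5, 9, 400, 1300, 1302, 2900):
        flows.append((BASE + offset, "198.51.100.50", "203.0.113.30", 80))
    return flows


def detect_beacons(flows, min_hits=5, max_cv=0.10):
    """Flag (src, dst, dport) tuples whose inter-arrival times are near-constant.

    A tuple is a beacon when it has at least min_hits connections and the
    coefficient of variation (stdev / mean) of the gaps between them is at
    most max_cv. Returns {(src, dst, dport): {"period", "hits", "cv"}}.
    """
    by_endpoint = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_endpoint[(src, dst, dport)].append(ts)

    beacons = {}
    for key, stamps in by_endpoint.items():
        if len(stamps) < min_hits:
            continue  # scanners and one-off requests never get this far
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = {"period": round(avg), "hits": len(stamps), "cv": cv}
    return beacons


def summarize_c2(beacons):
    """Group flagged sources by the C2 endpoint they beacon to.

    Returns {(dst, dport): [src, ...]} with sources sorted, so the number of
    distinct infected hosts per dead C2 server can be read off directly.
    """
    victims = defaultdict(list)
    for (src, dst, dport) in beacons:
        victims[(dst, dport)].append(src)
    return {endpoint: sorted(srcs) for endpoint, srcs in victims.items()}


if __name__ == "__main__":
    found = detect_beacons(build_sample_flows())
    for (src, dst, dport), info in sorted(found.items()):
        print(f"{src} -> {dst}:{dport}  period={info['period']}s hits={info['hits']} cv={info['cv']:.3f}")
    for (dst, dport), srcs in sorted(summarize_c2(found).items()):
        print(f"C2 {dst}:{dport} has {len(srcs)} calling host(s)")
```

On the constructed sample the two 300-second bots are attributed to the same dead C2 endpoint while the port scanner and the irregular web requests are discarded. On a real capture the thresholds need tuning per malware family (some families randomize the sleep interval deliberately, which pushes the coefficient of variation above any fixed cutoff), and the destination port plus any TLS or protocol fingerprint, not the timing alone, is what ties an endpoint to a specific family.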

“Thanks to the great collaboration that made access to the IP address space possible, and Karim’s analysis of the large amounts of data, we gained insight into how a criminal network service provider operates and the breadth of services offered by them,” says Dr. Johannes Ullrich, SANS fellow and Dean of Research at the SANS Technology Institute. “Criminal enterprises today have their own supply chain with network providers like CyberBunker providing critical hosting services that are difficult to terminate.”

The analysis additionally uncovered phishing sites still receiving traffic that attempted to impersonate the Royal Bank of Canada, Apple, and PayPal, among others. An ad network that was potentially used to place malicious ads on websites was found to continue to reach out to the CyberBunker address space to load ads.

“Working on this project was a great experience, as it provided insight into a real-life hostile network,” says Karim Lalji, SANS.edu student and paper author. “Seeing so many compromised hosts continuing to call home several months after the seizure by law enforcement was a real eye opener, and hopefully the findings will help the information security community as a whole.”

The CyberBunker address space covered about 2,300 IP addresses and received about 2 Mbit/sec of inbound traffic. “CyberBunker” was also known as “Zyztm” and “Calibour,” and the individuals responsible are currently awaiting trial in Germany.

Additional Resources

Read the paper, “Real-Time Honeypot Forensic Investigation on a German Organized Crime Network,” by Karim Lalji

Read the Internet Storm Center Diary post, “Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider” by Karim Lalji

About the SANS Technology Institute

The SANS Technology Institute (SANS.edu) is a community of more than 1,000 graduate and undergraduate students who are gaining the cybersecurity skills and knowledge most needed by employers right now. For working professionals, the college offers a Master of Science in Information Security Engineering and job-specific graduate certificate programs in Cybersecurity Engineering, Cyber Defense Operations, Incident Response, Industrial Control Systems Security, and Penetration Testing & Ethical Hacking. Students in the master's degree program conduct cybersecurity research that contributes cutting-edge advancements to the field. The college’s undergraduate certificate in Applied Cybersecurity provides foundational knowledge and skills for students who want to enter the field and career changers seeking to transition into cybersecurity roles. (https://www.sans.edu)

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (https://www.sans.org)