SANS Technology Institute, a college known for its cutting-edge cybersecurity research, has been able to show that victims continue to reach out to IP address space used by threat actor “CyberBunker” months after the organization was taken down in a raid.

In the fall of 2019, German police raided a Cold War-era nuclear bunker that was being used by CyberBunker, an organization selling bullet-proof hosting services for various criminal activities. In April, 2020, The SANS Technology Institute’s (SANS.edu) Internet Storm Center was able to obtain access to the IP address space used by CyberBunker, and over the course of two weeks, collected and analyzed traffic destined for addresses used by CyberBunker. As part of his work for a master’s degree in Information Security Engineering with SANS.edu, student Karim Lalji analyzed the traffic and today publishes a new paper.

Through his analysis, Karim Lalji identified several botnets and thousands of hosts infected with malware that continue to reach out to the now-defunct command and control servers that formerly were hosted by CyberBunker. In some cases, it was possible to identify encrypted command and control channels and link them to specific malware families.

“Thanks to the great collaboration that made access to the IP address space possible, and Karim’s analysis of the large amounts of data, we gained insight into how a criminal network service provider operates and the breath of services offered by them,” says Dr. Johannes Ullrich, SANS fellow and Dean of Research at the SANS Technology Institute. “Criminal enterprises today have their own supply chain with network providers like CyberBunker providing critical hosting services that are difficult to terminate.”

The analysis additionally uncovered phishing sites still receiving traffic that attempted to impersonate the Royal Bank of Canada, Apple, and PayPal, among others. An ad network that was potentially used to place malicious ads on websites was found to continue to reach out to the CyberBunker address space to load ads.

“Working on this project was a great experience, as it provided insight into a real-life hostile network,” says Karim Lalji, SANS.edu student and paper author. “Seeing so many compromised hosts continuing to call home several months after the seizure by law enforcement was a real eye opener, and hopefully the findings will help the information security community as a whole.”

The CyberBunker address space covered about 2,300 IP addresses and received about 2 Mbit/sec inbound traffic. “Cyberbunker” was also known as “Zyztm” and “Calibour,” and the individuals responsible are currently awaiting trial in Germany.

Additional Resources

Read the paper, “Real-Time Honeypot Forensic Investigation on a German Organized Crime Network,” by Karim Lalji

Read the Internet Storm Center Diary post, “Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider” by Karim Lalji