Civilians behind international police probe into Russian cybercriminals
An RCMP sergeant says civilian cybercrime investigators were instrumental in helping the Mounties and international partners deal a blow to cybercriminals trying to infect WordPress websites.
Sgt. Warren Krahenbil, leader of the RCMP’s Federal Cybercrime Investigative Team in Vancouver, outlined Operation Endgame in an interview with Global News on Sunday.
The operation targeted SocGholish malware – linked to the Russian cybercriminal group Evil Corp. Investigators say the group exploited thousands of WordPress sites to gain unauthorized access to computer systems.
“The malware did infect a large number of WordPress websites,” Krahenbil said, “it’s tailored to certain sites, though.”
The Mounties teamed up with counterparts in the Netherlands, the United States and Germany on the joint action, according to a media statement.
A notice from the Dutch police said agencies took down 106 servers and domains worldwide, remediated almost 15,000 websites, cleaned infected WordPress sites and notified the group’s victims.
“One of our civilian experts came up with a way to decode pieces of the SocGholish code and that sort of gave us a ‘springboard’ to work forward and share with the international community,” Krahenbil said.
Owners of WordPress websites are being urged to change their credentials, enable multi-factor authentication, delete any unknown WordPress accounts and keep their site up to date, he said.
To prevent a potential SocGholish malware infection, people are warned never to trust pop-ups that appear in browsers or flashy update notices that urge immediate action.
Anyone who does not use WordPress should still take precautions “like you would every day on the internet,” Krahenbil said. This includes using antivirus software, keeping track of passwords, and using a password manager if possible.
“If you’re not using WordPress, you should be OK,” he said. “But also be aware of what you click on online. Make sure that every link that you follow is the link that you’re going to.”
It’s believed SocGholish was using its malware to obtain both money and intelligence.
“When you’re infected with SocGholish, they have access and then they use that access to download additional malware to control the computer, to search the computer and extract data,” Krahenbil added.
—with files from The Canadian Press