Cyberbunker Germany raided 26.09.2019 (Sven Olaf Kamphuis / Herman Xennt) - Page 2
Comments

  • jsg Member, Resident Benchmarker
    edited September 2019

    @jackb

    Due to my work I happen to have a pretty good idea of what the German "cyber forces", incl. the BKA, are capable of, and frankly, I'm not impressed.
    Two major factors that keep them relatively weak are salary levels in public service and bureaucracy (which is really overwhelming).

    Special forces (GSG9) sounds impressive but is irrelevant wrt IT security.

    The main issue I have with your statements is that one can defend against even first-world nation forces - if one really knows one's trade and if one acts meticulously and diligently.

    Cyberbunker IMO wasn't f_cked because one can't defend against BKA, FBI, etc. They were f_cked because (a) they did not properly do ITsec, and frankly not even OPsec, and (b) because they "bragged" and invited too much attention.

    That said, I don't think that all of them will end up in jail. I think that that operation's real and main goal was to get at and take down some of their clients. "Beating up" Cyberbunker along the way was just a practical necessity. It seems highly likely to me that good lawyers will keep most of CB's crew out of jail, unless of course they themselves were involved in/closely linked to some clients' illegal operations. And their bragging won't be helpful there but risks turning against them.

  • jackb Member, Host Rep
    edited September 2019

    @jsg said:
    Special forces (GSG9) sounds impressive but is irrelevant wrt IT security.

    Sure, but it's a good indicator of how much resource the government was willing to chuck at the investigation. You don't get GSG9 (or any special forces for that matter) without someone high up pulling strings. If they pulled those strings, they'll have pulled other, more relevant strings.

    @jsg said:
    The main issue I have with your statements is that one can defend against even first world nation forces - if one really knows ones trade and if one acts meticulously and diligently.

    One can be diligent, knowledgeable and meticulous and still get caught out. As we both know, security at that level is a cat-and-mouse game. If someone has that sort of attention (and maintains it) in their own jurisdiction and isn't legit, their days are numbered no matter how competent or incompetent.

    @jsg said:
    (b) because they "bragged" and invited to much attention.

    This is the big one. If they'd kept a lower profile, chances are the people running cb3rob would have gotten away with it, and if not, would have had a better shot at plausible deniability when they get their day in court.

  • vimalware Member
    edited September 2019

    GSG9 for a bunch of buttery males?
    I don't buy it.

    The real goal has to be something really interesting. 🍿

  • Interesting. Perhaps this explains why bitcoin took a 20% tumble last week. I wonder how much was confiscated in the raid?

  • that_guy Member
    edited September 2019

    Sorry for splitting this into multiple posts! But Cloudflare was trying to show me a captcha and failed miserably, repeatedly. And this was a way to get around it.

    The press conference didn't reveal much. But I sifted through a dozen news articles and found some more details and background info.
    I feel like a proper modern-day "journalist" - no research of my own, just internet copy & paste :-p
    Please forgive my Germanized English. I was getting tired because it took much longer than expected.
    So I had to flush my perfectionism down the toilet. Also, translating other people's texts gives you much less freedom, I noticed.
    The really juicy parts will probably show up much later, after the trials are over, I guess.
    Here's the summary:

    The defendants and accusations

    At the request of the LZC (DE: Landeszentralstelle Cybercrime, EN: state cybercrime unit), the district
    court of Koblenz issued detention orders against 7 main suspects because of "danger of absconding" and "suppression of evidence". They were found during the raid and put into investigative custody.

    1 NL, male, 59 main suspect
    2 NL, male, 49
    3 NL, male, 33
    4 NL, male, 24
    5 BG, male, ??
    6 DE, male, 23
    7 DE, female, 52

    There are 6 more suspects, but there is no info about them in the news. I guess there are detention orders for them too, but the cops couldn't arrest them yet.

    The main suspect is officially residing in Singapore, but the investigation showed that he actually lived close to the bunker and also in the bunker since 2013, or at least lately. He "had connections to organized crime".

    The accusations:

    suspicion of membership in a criminal organisation
    aiding in serious drug offences
    aiding in counterfeit money offences
    aiding in dealing with stolen data
    aiding in spreading malware
    aiding in spreading child pornography
    aiding in counterfeit document offences
    aiding in cyber attacks
    in a total of hundreds of thousands of cases

    And also hosting at least one of the C&C servers of a Mirai botnet that disabled ~1.2 million routers of customers of Deutsche Telekom on November 27th, 2016.
    Interesting side note:
    The disabled routers were just unintended collateral damage. The perpetrator, a 29-year-old Brit, was a mercenary in a conflict between two Liberian mobile providers.
    He wanted to use the routers for his botnet, but the infection went wrong and disabled (or bricked) them. He was known as "Spiderman" and "Peter Parker", and was sentenced to 20 months' probation by the district court of Cologne.

  • that_guy Member
    edited September 2019

    The site, bunker and DC

    The site is located on a small mountain called "Mont Royal" close to the small town of "Traben-Trarbach" in the state of Rhineland-Palatinate (Rheinland-Pfalz).
    It was used by the German army from 1975 to 2012 for meteorological studies and related things. It housed the "Bundeswehr Amt Fuer Wehrgeophysik", which collected and analysed weather data from around the world for the army. To process the huge amounts of data, the army ran a big data center there.

    Street: Gewerbegebiet Mont-Royal
    Town: Traben-Trarbach
    Post code: 56841
    State: Rheinland-Pfalz

    maps: https://www.google.de/maps/place/Mont+Royal/@49.9645443,7.1197652,673m/data=!3m1!1e3!4m5!3m4!1s0x47be3ad493376f13:0x8d2e9bcd881113ab!8m2!3d49.9672222!4d7.1108333
    https://imgur.com/Adblbl4 (that's the office buildings; the bunker is like 200-300m further north)

    Size of the site: 13000 square meters or 13 hectares, depending on the (illiterate) source
    (I guess it's 13 hectares = 130000 sqm, because 13000 sqm would only be e.g. 100m x 130m).

    Size of the bunker: 5000 sqm, 5 floors

    The buildings on the surface offer ~500 rooms.

    The bunker was built in 1955.

    After the site was closed in 2012, it was bought in 2013 by a Dutch foundation.
    Article about the planned handover to the new owners of the bunker in 2012:
    https://www.peter-bleser.de/neuigkeit/folgenutzung-des-amtes-fuer-geo-informationswesen-in-traben-trarbach-eroertert

    Fun fact: Mr. Langer, the mayor of Traben-Trarbach, worked on the site as a technician of the "Bundeswehr Amt Fuer Wehrgeophysik" back in the day.

  • that_guy Member
    edited September 2019

    The investigation and raid

    The first tip-off came from the local association of municipalities ("Verbandsgemeinde Traben-Trarbach"). When they told the LKA Rheinland-Pfalz (State Office of Criminal Investigations) in 2013 WHO bought the site, the LKA's alarm bells rang, because the main suspect already had a reputation in NL for hosting criminal websites in a bunker DC.

    There were also rumours in town, because the investor was almost never seen. The mayor of Traben-Trarbach visited the site 3 times. Everything looked fine. Just lots of computers, and some free-roaming dogs. But "I had a disquieting gut feeling: you never know what's on those computers... Now we know," he said.

    Investigations officially started in 2015 and were described as very time-consuming and work-intensive. Besides the LKA Rheinland-Pfalz, investigators from Hesse, Bavaria and the Netherlands were helping. (So I guess the officers from Lower Saxony, Luxembourg and Poland (and Sweden?) weren't involved in the investigations, but now need to help with local search warrants and arrests.)

    The President of the LKA Rheinland-Pfalz said that lately his whole special unit for cybercrime
    (LZC, "Landeszentralstelle Cybercrime"), which was extended to over 20 people, worked almost day and night on this case, until they had enough info on the 13 suspects behind Cyberbunker.

    The seizure of Wallstreet Market (which was hosted by Cyberbunker) in April 2019 might also have yielded some helpful intel on Cyberbunker. Maybe someone spilled some beans, maybe the cops found some unencrypted e-mails, SSH keys, invoices, real names etc.? Other drug market busts might have helped too. That's just my personal guess! This wasn't mentioned anywhere!

    The raid itself had been in preparation for several weeks (another article said since May).

    The investigating judge issued a total of 18 search warrants in Germany, Luxembourg, the Netherlands and Poland. One article mentioned that Swedish law enforcement is somehow involved too (but no report of activities in SE yet).

    The raid started at 8 in the morning. At 6 in the evening, the 7 main suspects were arrested at the same time. Six of them in a restaurant in Traben-Trarbach, where undercover LKA officers waited for them. The other person was arrested in Schwalbach, about 130km away, near Frankfurt am Main (which is Germany's hosting hotspot and home of the DE-CIX).
    At the time of the raid, no one was in the bunker.

    At the same time the search warrants in other countries were carried out. But no info about them yet.

    As a whole there were ~650 police officers (of all kinds, e.g. local regular police, LKA, GSG9, maybe BKA? etc.) and one helicopter involved in this case. 440 of them were at the bunker. So I guess the others were from Frankfurt/Schwalbach and the other countries, and investigators who didn't take part in the raid itself?

    About 200 servers, written documents, lots of storage media, mobile phones and a big amount of cash were seized. The total number of servers was estimated at ~2000.

    The technical and tactical challenges were enormous. The area was guarded and fenced in.
    Cracking the security system was complicated (they had to "crack digital signatures").

    And then there is the legal aspect: running a DC that hosts illegal websites is not illegal by itself. It needs to be proven that the people who run the DC knew about the illegal conduct of their customers and encouraged it.

    The analysis of the confiscated data will take months or years, due to the huge amount. It is expected that lots of further investigations will come out of that.

  • that_guy Member
    edited September 2019
  • that_guy said: a mercenary in a conflict between two Liberian mobile providers

    yeah ... I can only imagine how strange a reflection that would be to see staring back at me from the mirror, blurred through however many rails of fine fine superfine cocainum

    "hi mom!"

  • jsg Member, Resident Benchmarker

    One problem I suspect will come up is that, afaik, in most European countries it's very, very difficult if not impossible to sue the state for reimbursement of damage done by its agencies.

    And that's one of the major outcomes I expect. From what I see chances are that one or maybe a couple of the arrested people will be put in court and jailed but others, possibly almost all, will go free. One major reason for that is the way proper courts work; "we know" is not enough, police must be able to prove it and to attribute it (which is very hard in that field).

    Their data center however is belly up now and it will be extremely hard if not impossible to rebuild any colo/hosting business there.

    I expect vengeance acts, and frankly, a part of them will be justified

  • The bottom of the cyberbunker site has "RSS" crossed out as if it's somehow part of the many surveillance programs (facebook, google, twitter, etc). Are there security and privacy implications in RSS I'm unaware of? I thought RSS was just another way of reading your favorite blogs?

  • HostSlick Member, Patron Provider
    edited October 2019

    Cyberbunker will be back soon. They hijacked their domain Zyztm.com back from the German government.

    https://tarnkappe.info/cyberbunker-kommt-zurueck-domain-gekapert/

  • Please keep us updated. This is some seriously interesting story going on.

  • Rhys Member, Host Rep
    edited October 2019

    @HostSlick said:
    Cyberbunker will be back soon. They hijacked their domain Zyztm.com back from the German government.

    https://tarnkappe.info/cyberbunker-kommt-zurueck-domain-gekapert/

    Looks like it's being transited by ex-devcapsule, ex-aulerion @florianb too. A day after the raid the zyztm ASN was added to his AS-SET, and then transiting of the /22 as /24s and /23s started yesterday.

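The observation in the post above (a /22 suddenly showing up as /24s and /23s after an ASN is added to an upstream's AS-SET) is something you can check yourself from a routing-table dump rather than take on trust. The block below is an added example for this page; it is not code from the thread, from Cyberbunker, or from any operator named here. It takes a list of BGP announcements as (prefix, AS path) pairs and reports which more-specifics of a covering prefix are present, how much of the block they add up to, whether their origin differs from the aggregate's, and which AS sits next to the origin (the transit). The table, the function names, the ASNs (RFC 5398 documentation range) and the prefixes (RFC 1918 space) are all constructed for illustration; real input would come from a looking glass, a RIPEstat/RIS dump or a route collector.

```python
"""Find more-specific announcements of a prefix and who is carrying them.

Added example, not part of the LowEndTalk thread and not anyone's
production tooling.  SAMPLE_TABLE is constructed: ASNs are from the
RFC 5398 documentation range and prefixes are RFC 1918 space, so
nothing below refers to a real network.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (prefix, AS path).  The last AS in the path is the origin; the one
# before it is the AS that hands the route to the origin, i.e. transit.
Announcement = Tuple[str, List[int]]

SAMPLE_TABLE: List[Announcement] = [
    ("10.64.0.0/22", [64496, 64497, 64500]),  # aggregate, transited by 64497
    ("10.64.0.0/24", [64496, 64510, 64500]),  # more-specifics via a new transit 64510
    ("10.64.1.0/24", [64496, 64510, 64500]),
    ("10.64.2.0/23", [64496, 64510, 64500]),
    ("10.80.0.0/22", [64496, 64497, 64501]),  # unrelated block, must be ignored
]


def more_specifics(covering: str, table: List[Announcement]) -> List[Tuple[str, int, Optional[int]]]:
    """Return (prefix, origin_asn, transit_asn) for every announcement that is a
    strict sub-prefix of `covering`.  The exact aggregate itself is excluded."""
    net = ipaddress.ip_network(covering)
    found = []
    for prefix, path in table:
        p = ipaddress.ip_network(prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if p.version != net.version or not p.subnet_of(net):
            continue
        if p.prefixlen <= net.prefixlen:
            continue
        origin = path[-1]
        transit = path[-2] if len(path) > 1 else None
        found.append((str(p), origin, transit))
    return sorted(found)


def aggregate_origin(covering: str, table: List[Announcement]) -> Optional[int]:
    """Origin AS of the exact covering prefix, or None if it is not announced."""
    net = ipaddress.ip_network(covering)
    for prefix, path in table:
        if ipaddress.ip_network(prefix) == net:
            return path[-1]
    return None


def coverage(covering: str, table: List[Announcement]) -> float:
    """Fraction of the covering prefix's address space reached by more-specifics.
    Overlapping or adjacent sub-prefixes are collapsed first so nothing is
    double-counted (e.g. two /24s that also sit under an announced /23)."""
    net = ipaddress.ip_network(covering)
    subs = [ipaddress.ip_network(p) for p, _, _ in more_specifics(covering, table)]
    if not subs:
        return 0.0
    reached = sum(n.num_addresses for n in ipaddress.collapse_addresses(subs))
    return reached / net.num_addresses


def check(covering: str, table: List[Announcement]) -> Dict[str, object]:
    """Summarise what a practitioner would want to know at a glance."""
    subs = more_specifics(covering, table)
    agg_origin = aggregate_origin(covering, table)
    sub_origins = {origin for _, origin, _ in subs}
    return {
        "more_specifics": len(subs),
        "coverage": coverage(covering, table),
        "transit_asns": {t for _, _, t in subs if t is not None},
        # Same origin with a new transit (as described in the thread) is one
        # picture; a different origin on the sub-prefixes is a hijack signal.
        "origin_changed": bool(sub_origins) and sub_origins != {agg_origin},
    }


if __name__ == "__main__":
    report = check("10.64.0.0/22", SAMPLE_TABLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed table the report shows three more-specifics that together cover the whole /22, all still originated by the same AS as the aggregate but handed in through a transit the aggregate never used. That combination is exactly the "added to an AS-SET, then transited as /24s and /23s" pattern; had `origin_changed` come back true, the sub-prefixes would be pulling traffic away from the legitimate origin instead, which is the case to escalate.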