Operation Anzac: A Real-Time Defence Against Cyber Threats

Wednesday, 19 February, 2025

In today’s digital age, cybersecurity is no longer just about installing firewalls or performing software updates. It's about protecting livelihoods, securing reputations, and ensuring that businesses can continue functioning smoothly. One key player in this battle against cybercrime is Detective Constable David Holmes from the NEROCU Cyber Crime Unit. His involvement in Operation Anzac demonstrates just how vital swift action and collaboration are in preventing devastating cyberattacks. 

On 2nd October 2024, DC Holmes made a critical discovery while working on the frontlines of cybercrime. A malicious IP address linked to the notorious Phobos ransomware strain was flagged. Phobos, known for its targeted attacks, is a particularly dangerous strain of ransomware that often exploits vulnerabilities like the Microsoft Windows Remote Desktop Protocol (RDP). 

Phobos actors typically gain access to a victim’s network through phishing campaigns, using scanning tools such as Angry IP Scanner to identify weak spots in the system. Once they breach the network, they deploy remote access tools to take control and initiate a ransomware attack, locking systems and demanding hefty payments for decryption. 

This wasn’t just another routine flag; it was a potential game-changer. The threat was serious, and every minute counted. 

The team didn’t waste any time once the malicious IP was identified through open-source intelligence (OSINT) at 3:00 PM. Here’s how the process unfolded: 

3:05 PM: The IP address was cross-checked against the PCA member’s firewall logs, revealing that the malicious IP had accessed the network the day before. This was an alarming discovery, but it also showed that the attack was still in its early stages. 

3:13 PM: DC Holmes and his team immediately alerted the PCA member, providing them with critical Indicators of Compromise (IOCs) specific to the Phobos ransomware strain. These IOCs helped pinpoint exactly how the attack was operating. 

3:23 PM: The PCA member responded promptly. They had already blocked the malicious IP and began reviewing system logs. Upon inspection, they identified the entry point for the attack: the TP-Link Omada controller, a known weak spot for Phobos attacks. 
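The cross-check described in the timeline above, an IoC list matched against firewall logs with the first-seen time compared to the moment the IP was flagged, written out as an added Python example; it is not code from the article or from PCA or NEROCU tooling, and the IP address, log format, hosts and timestamps are constructed placeholders because the article publishes none of them.

```python
import ipaddress
from datetime import datetime
# Placeholder for the flagged Phobos-linked IP (not published by the article): RFC 5737 range, constructed.
PHOBOS_IOCS = {"203.0.113.45"}
FLAGGED_AT = datetime(2024, 10, 2, 15, 0)  # OSINT flag raised at 3:00 PM on 2 Oct 2024

# Constructed firewall log lines in the shape "date time ACTION src dst dst_port".
SAMPLE_FIREWALL_LOG = """\
2024-10-01 14:02:11 ALLOW 198.51.100.7 192.168.1.10 443
2024-10-01 21:47:03 ALLOW 203.0.113.45 192.168.1.20 8043
2024-10-01 21:47:09 ALLOW 203.0.113.45 192.168.1.20 8043
2024-10-02 14:58:41 DENY 203.0.113.45 192.168.1.20 3389
not a log line
"""

def parse_line(line):
    """Parse one log line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        src, dst = ipaddress.ip_address(parts[3]), ipaddress.ip_address(parts[4])
        port = int(parts[5])
    except ValueError:
        return None
    return {"ts": ts, "action": parts[2], "src": src, "dst": dst, "port": port}

def find_ioc_hits(log_text, iocs):
    """Return every parsed log record whose source address is in the IoC set."""
    wanted = {ipaddress.ip_address(i) for i in iocs}
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["src"] in wanted:
            hits.append(rec)
    return hits

def summarise(hits, flagged_at):
    """Condense the hits into what an analyst reports back to the network owner."""
    if not hits:
        return {"hits": 0}
    first = min(h["ts"] for h in hits)
    return {
        "hits": len(hits), "first_seen": first,
        "dwell_before_flag": flagged_at - first,  # how long the contact predates the flag
        "allowed": sum(h["action"] == "ALLOW" for h in hits),  # sessions that got through
        "targets": sorted({(str(h["dst"]), h["port"]) for h in hits}),  # internal hosts/ports touched
    }
```

On the constructed sample the report shows the IoC first reaching an internal host the evening before the flag, which is the "accessed the network the day before" finding the timeline describes.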

Thanks to the swift and coordinated response, the threat was neutralised before it could cause any harm. 

Because of the fast action taken, the PCA member was able to: 

Strengthen their network by updating firewall rules and restricting access.

Conduct a thorough review of syslogs to check for any signs of further compromise.

Restrict access to the network so only VPN-connected clients could gain entry, preventing any unauthorised external access.

In a follow-up email, the PCA member expressed their gratitude: “We have now restricted access to only VPN-connected clients. I have also checked the server for any signs of issues in the logs. None at present. Many thanks for the heads-up.” 

This quick and effective action prevented what could have been a significant disruption to their business. 

One of the key reasons why this response was so successful is the PCA (Police Cyber Alarm) system. PCA acts as a vital bridge between businesses and law enforcement agencies, allowing for the identification and sharing of critical network data. By acting as a Cyber Neighbourhood Watch, PCA allows businesses to work together with law enforcement to stop cybercriminals in their tracks. 

Without PCA, tracking malicious IP activity across millions of data points would be an almost impossible task. By collaborating, businesses and law enforcement can ensure that cybercriminals don’t get the opportunity to strike. 

The results of Operation Anzac speak for themselves. Between 30th September and 14th October 2024, a total of 133 malicious IPs were identified. Of these, 32 were logged on PCA, and 11 were linked to ransomware activity. Four of those IPs were in the NEROCU area, including the one that targeted the PCA member discussed here. 

Two businesses, including the one highlighted in this case, were notified in time to prevent further damage, proving the effectiveness of NEROCU's efforts. 

The results also highlight that businesses are safer, networks are stronger, and the cyber community is more resilient. This success lays the groundwork for future collaboration between agencies like NEROCU, the NCSC, CRCs, and other regional partners to further strengthen cybersecurity efforts. 

The success of Operation Anzac has already paved the way for expanded collaboration in the fight against cybercrime. With the continued support of organisations like NCSC, PCA, and other law enforcement bodies, we are building a more robust cybersecurity infrastructure that businesses can rely on. 

The more businesses that join the PCA network, the stronger our collective ability to detect and prevent threats becomes. The collaboration between NEROCU, law enforcement, and the business community is creating a safer digital environment for everyone. 

Operation Anzac is a shining example of what can be achieved when law enforcement, businesses, and cybersecurity organisations come together to fight cybercrime. Thanks to the quick actions of DC David Holmes and the NEROCU Cyber Crime Unit, a major ransomware attack was stopped in its tracks, saving a business from potential devastation. This success underscores the power of cooperation in securing our digital world. 

As cyber threats continue to grow and evolve, initiatives like PCA and law enforcement agencies like NEROCU will be critical in defending businesses and communities from ever-present digital dangers. By working together, we can build stronger, more resilient systems that allow businesses to thrive in an increasingly complex digital landscape.
