While data centers will often shout about the strict security around their perimeters, and in some cases even point to the presence of armed guards, it's rare that anything close to a conflict occurs.
In the few times there has been any sort of action happening on-site, it’s usually been led by law enforcement and without resistance.
But while data centers are rarely the stuff of action films, they are regularly the source of illegal and nefarious activity, and the move to the cloud is making it much harder for law enforcement to track down and take out the infrastructure of cybercrime.
Data center raids: Rarely Hollywood fodder
While data center raids are fairly common, they are usually quiet affairs with little fuss. A couple of agents or officers with a warrant are more likely than a SWAT team breaking down the door.
“Search warrants, or raids at hosting providers, are really not all that glamorous, to be honest,” says Matt Swenson, division chief of the Cyber Division at the Homeland Security Investigations Cyber Crime Center. “You usually just go into a data center with a search warrant that says, you're legally authorized to search XYZ server, and the provider will find where that's being hosted. We’ll then make a copy of the data and take it with us, and we do that fairly regularly.
“If we're doing a search warrant at a threat actor residence then it's a little different, but that is very rare these days. It's not very Hollywood at all.”
However, while most raids are done quietly, there have been examples of major law enforcement activity at data centers through the years, as well as quieter searches that made the press.
Most notably, the 'CyberBunker' facility in Traben-Trarbach, western Germany, was raided by more than 600 police officers in September 2019. Eight people were convicted in 2021.
Built by the West German military in the 1970s, the site was used by the Bundeswehr’s meteorological division until 2012. A year later, it was sold to Herman-Johan Xennt, who told locals he would build a web hosting business there. Illegal services allegedly hosted at the German facility included Cannabis Road, Fraudsters, Flugsvamp, Flight Vamp 2.0, orangechemicals, and what was then the world's second-largest narcotics marketplace, Wall Street Market.
In a less malicious case, Swedish police raided The Pirate Bay more than once in an effort to take the site down: once in 2006, when some 65 Swedish police officers entered a data center in Stockholm, and again in 2014. During the 2006 raid, servers belonging to a number of other companies, including a Russian opposition news agency and GameSwitch, a British game server host, were also seized. The site is still in operation today. At the time of the 2014 raid, The Pirate Bay reportedly required just 21 virtual machines (VMs) to run, with 182GB of RAM, 94 CPU cores, and 620GB of storage in total.
A similar example was Kim Dotcom of Megaupload. The New Zealand Police arrested Dotcom and three other Megaupload executives at a mansion outside Auckland in 2012. Reports suggest dozens of armed police swooped on the estate in helicopters around 7am on the morning of Dotcom’s birthday party, including several members of New Zealand’s elite counter-terrorist force.
Dotcom remains in New Zealand and continues to operate the successor site Mega. Mathias Ortmann and Bram van der Kolk, who were both arrested during the 2012 raid, recently reached a deal that will see them avoid being extradited to the States in exchange for facing charges in New Zealand.
In 2014, US Drug Enforcement Administration (DEA) and Internal Revenue Service (IRS) agents raided an Albuquerque, New Mexico data center run by a local provider called Big Byte. The DEA also searched the Pagosa Springs resort in Albuquerque, owned by the same family. No arrests were made at the facility, which is still in operation today, and no charges were brought against the owners, though a relative of the owners pleaded guilty to submitting a false federal income tax return.
In 2011, the FBI raided a colocation site in Virginia – reported at the time as possibly CoreSite’s facility in Reston – in search of servers being used to hack into the CIA and other major institutions and corporations. The agency seized servers of Switzerland-based hosting firm DigitalOne.
The same year, Dallas-based Tailor Made Servers was raided in the hope of identifying those behind that month's cyber attacks on PayPal. As part of the same investigation, German police executed a warrant to search a German hosting company's offices.
Most recently, in October 2021, police in South Korea raided an SK Corp data center that had suffered a major fire. Local police confiscated documents relating to the fire, which was caused by a battery, brought down the KakaoTalk messaging service, and disrupted much of the country.
Working with law enforcement to bring cybercrime infrastructure down
Most cloud and colocation providers take little interest in what their customers actually do with the hardware or instances in a provider’s facility, and even providers in major data center markets can be used to host cyber criminal infrastructure.
Last year an Iranian malware campaign attacking targets across the world was found to be hosted from Dutch colocation data centers. Security firm BitDefender found that the command and control (C2) infrastructure of two strains of malware linked to Iranian-attributed Advanced Persistent Threat (APT) actors was being hosted within the Netherlands. The server was operated by American hosting company Monstermeg, which provides services out of Evoswitch’s AMS1 Amsterdam data center in Haarlem, and the malware had been present there since April 2020.
Monstermeg owner Kevin Kopp told Argos the company was not aware that this malware was on the server, despite having two scanners that should have detected this type of malware, but it did cooperate in the investigation and gave Argos access to the information on the server. The company has since stopped working with the tenant that had been using that machine.
“We see stuff hosted at big providers like AWS and DigitalOcean. We see a lot of infrastructure hosted at big Internet service providers like OVHcloud in the UK and France and throughout Europe, and a lot of smaller providers that are being utilized,” explains Swenson. “You name it, these guys will utilize it.”
He says that ‘most of the large companies’ are very cooperative and respond to the vast majority of legal processes. However, the international nature of cybercrime means US law enforcement often has to deal with actors and infrastructure based abroad, which can complicate issues.
“When we're working a case within the United States, and infrastructure is being hosted abroad, we rely on the cooperation of foreign governments to respond to legal process,” says Swenson. “But the process is not fast, particularly abroad, and a lot of times we don't have months to wait.
“If that country doesn't respond or isn't responsive to the US legal process, there's nothing we can really do in order to get a copy of that server. A lot of infrastructure is being hosted in Russia and Belarus, and we just can't get a lot of cooperation. A lot of cyber criminals know that, so they specifically stand up infrastructure in countries that are untouchable by US law enforcement.”
Swenson does note, however, that the FSB will cooperate with the US if it's a child exploitation investigation online.
Difficult, but takedowns do occur
While difficult and time-consuming, major takedowns of illegal infrastructure do happen.
Last year four men pleaded guilty in the US to conspiring to engage in a Racketeer Influenced and Corrupt Organization (RICO) and face 20 years in prison for providing bulletproof hosting services to cybercriminals. According to the DOJ, between 2008 and 2015 the group rented Internet Protocol (IP) addresses, servers, and domains from which cybercriminals conducted attacks, including malware distribution, botnets, and banking trojans.
Malware hosted by the organization included Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit.
Operation Onymous was a concerted effort by agencies including the FBI, Homeland Security, and Europol to take on dark web markets. Through cooperation with police forces in 17 countries, notorious markets including Silk Road 2.0, Cloud 9, and Hydra were taken down.
Artem Vaulin, founder of KickAss Torrents, was arrested after investigators cross-referenced an IP address he used for an iTunes transaction with an IP address used to log into KAT's Facebook page. The FBI also posed as an advertiser and obtained details of a bank account associated with the site.
While most of the world is looking for ways to lengthen the lifecycle of hardware and reuse the likes of servers, little hardware seized in raids survives once the investigation is over.
“If it's used in the commission of a crime it'll be wiped and destroyed,” says Swenson. “Way back when I first started, the early 2000s, we used to wipe a lot of computers and then repurpose them. But we moved away from that. So almost all of it now gets wiped and destroyed.”
He says one reason for this is precautionary: seized hardware may carry particularly resilient malware that could survive a wipe of the drives.
Crypto: dangerous but useful
Cryptomining can be profitable but dangerous for criminals. A shootout at a cryptomining data center in Abkhazia, a separatist territory internationally recognized as part of Georgia, left one man dead during an attempted robbery by armed gunmen.
In February 2021, Spain's national police raided a building that they thought was being used to grow marijuana, only to find out that it was an illegal cryptocurrency mining operation.
“We have seized a lot of equipment being utilized to mine for crypto,” explains Swenson. “A lot of times dark web criminals will have a side business where they are cryptomining. But it's not as common as it was a few years back, I think the hobbyists have kind of been pushed out.”
More common, however, is the use of cryptocurrency to pay for hosting, which also helps obscure the customer's identity should law enforcement investigate.
“We see a lot of movement to the payment of infrastructure via cryptocurrency,” says Swenson. “A lot of the hosting providers are now accepting various forms of cryptocurrency and that can add a layer of anonymity because they no longer have to provide a credit card or a bank account; they can just move it from a wallet that's been completely stood up without any sort of information that can be used for threat actor attribution.
“The hosting providers, they're in it to make money. And I don't necessarily think their number one concern is who's paying the bill. I don't know that they really care all that much because they're usually going to do the bare minimum that they have to do in order to be compliant.”
Cybercrime moves to the cloud
While malware and cybercrime infrastructure continue to live in physical data centers, much of it has been abstracted and virtualized into the cloud. In the same way that legitimate enterprises are looking to the cloud to reduce the amount of on-premises hardware they need to manage, criminals are following that trend.
“[The German facility] is the only ‘illegal data center’ I've personally seen and heard of in the physical sense,” says Andrew Barratt, Principal Consultant of Adversary Ops at penetration testing firm Coalfire.
“And I suspect because it's just really hard to do and go unnoticed; there's loads of just really dull logistical stuff that make it hard to run physically dark operations without making yourself a huge red flag to lots of people very quickly.
“But we've seen that the more sophisticated intruders are heavily leveraging compromised cloud environments where their approach is more about building up virtual data centers that can leverage infrastructure that they don't have to pay for.”
Threat reports from Unit42 suggest Cloaked Ursa, a threat actor group affiliated with the Russian government, used Google Drive cloud storage services as well as Dropbox, a company that transitioned off the cloud back to its own data centers. In 2019 and 2020, RiskIQ (since acquired by Microsoft) reported that Magecart credit card-skimming attacks were repeatedly being launched from poorly-configured Amazon Web Services Simple Storage Service (AWS S3) buckets.
According to Malwarebytes, malware delivered over the cloud increased by 68 percent in 2021. Lumen’s research arm Black Lotus Labs recently published research pointing to more than 12,000 servers running Microsoft Active Directory domain controllers that are regularly abused to amplify distributed denial-of-service (DDoS) attacks.
Such attacks are called ‘living off the land’ attacks and can be harder to spot and stop, as companies often whitelist traffic from legitimate providers such as Google, Amazon, and Microsoft. Access to cloud accounts with credits already in hand, which can be used to procure more compute resources, can be sold for a high price, reports IBM.
Coalfire’s Barratt says it's not uncommon to see cloud accounts hijacked and used to mine cryptocurrency. A 2021 report from Google said: “86 percent of the compromised Google Cloud instances were used to perform cryptocurrency mining, a cloud resource-intensive for-profit activity.”
The NSO Group, which is less a cybercrime group and more a state-sponsored hacking company for hire, was previously hosted out of AWS infrastructure until it was kicked off the platform in the wake of an Amnesty report into its operations.
NSO’s Pegasus spyware is used by numerous governments around the world to spy on media, opposition political figures, activists and NGO workers, diplomats, and others. NSO is also known to use Digital Ocean, Linode, OVHCloud, UpCloud, Neterra, Aruba, Choopa, and CloudSigma.
The difficulty enterprises face managing virtualized, multi-cloud, and increasingly serverless infrastructure is also creating huge opportunities for cybercriminals.
“Most enterprises lack awareness of what's in their environment, or even where their crown jewels sprawl to,” says Joel Fulton, CEO of security startup Lucidum and previously CISO of Splunk. “And the bad guys are building infrastructure now so that it can be transitory.”
This combination of cloud-enabled sprawl and increasingly ephemeral infrastructure is providing a safe haven from which attackers can develop, store, and launch attacks.
“Cyber criminals need a place to store their software and a safe environment to distribute them,” says Fulton. “And those could be cloud, EC2 instances, S3 buckets, for example, that are never well monitored; they'll find universities and non-profits and large enterprises that don't control their sprawl, and they'll squat there in order to assemble the kits, practice their exploits, execute them on unmonitored systems and refine the tool.”
He says criminals are also increasingly using short-lived cloud instances from hijacked legitimate accounts to probe and scan network perimeters and defenses, and then launch attacks.
“The attackers who make use of the cloud do so because it makes them a continuously moving target,” says Fulton. “With autoscaling groups, elastic responsiveness can be 20,000 or more computers, spun up in seconds, and sometimes they last just minutes. And enterprises don't have the ability to know that all 20,000 are theirs or what is on them.
“If, for instance, a ‘legitimate’ server that only exists for three minutes probes you for vulnerabilities, it's fast, nobody can notice it. I would use one of those short-lived instances to collect my tools and pre-position them.”
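Fulton's point is that fleets of autoscaled instances living for minutes make it hard to tell which machines are really yours. The following Python example, added here and not part of the original article or of any vendor's tooling, shows one defender-side check that follows from it: reconcile an instance lifecycle log against the autoscaling groups you know you run and the ownership tags you require, and treat a short lifetime as a signal only when an instance cannot be attributed to either. The records, group names, tag names and the five-minute threshold are all constructed assumptions for the example.

```python
"""Reconcile short-lived cloud instances against a known inventory.

Added example: the records are constructed sample data in the shape of a
simplified instance-lifecycle log, not real EC2 or CloudTrail output. The
known autoscaling groups, required tags and threshold are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class InstanceRecord:
    instance_id: str
    launched: datetime
    terminated: Optional[datetime]          # None if the instance is still running
    asg: Optional[str]                      # autoscaling group name, if any
    tags: Dict[str, str] = field(default_factory=dict)


# Constructed sample lifecycle records (assumed, not captured from a real account).
T0 = datetime(2023, 1, 1, 10, 0)
SAMPLE_RECORDS: List[InstanceRecord] = [
    # Ordinary web capacity: known group, fully tagged, long-lived.
    InstanceRecord("i-0a1", T0, T0 + timedelta(hours=2), "web-frontend",
                   {"Owner": "web-team", "CostCenter": "1001"}),
    # Autoscaled churn: known group, fully tagged, gone after three minutes.
    InstanceRecord("i-0a2", T0, T0 + timedelta(minutes=3), "web-frontend",
                   {"Owner": "web-team", "CostCenter": "1001"}),
    # Three-minute instance with no group and an incomplete tag set.
    InstanceRecord("i-0b3", T0, T0 + timedelta(minutes=3), None,
                   {"Owner": "alice"}),
    # Still running, in a group nobody on the platform team recognises, untagged.
    InstanceRecord("i-0c4", T0, None, "scan-temp", {}),
    # Long-lived manual instance outside any group: attributable but worth a look.
    InstanceRecord("i-0d5", T0 - timedelta(hours=1), T0 + timedelta(hours=1), None,
                   {"Owner": "bob", "CostCenter": "2002"}),
]

KNOWN_ASGS = {"web-frontend", "batch-workers"}    # assumed inventory of groups
REQUIRED_TAGS = ("Owner", "CostCenter")           # assumed tagging policy
SHORT_LIVED = timedelta(minutes=5)                # assumed threshold


def classify(rec: InstanceRecord,
             known_asgs=KNOWN_ASGS,
             required_tags=REQUIRED_TAGS,
             short_lived=SHORT_LIVED) -> List[str]:
    """Return the reasons an instance cannot be accounted for (empty if it can)."""
    findings: List[str] = []
    if rec.asg not in known_asgs:
        findings.append("not a member of any known autoscaling group")
    missing = [t for t in required_tags if t not in rec.tags]
    if missing:
        findings.append("missing required tags: " + ", ".join(missing))
    # A short lifetime is normal for autoscaled capacity, so it only counts
    # once the instance has already failed attribution on the checks above.
    if findings and rec.terminated is not None:
        lifetime = rec.terminated - rec.launched
        if lifetime < short_lived:
            findings.append(f"short-lived: ran for {int(lifetime.total_seconds())} seconds")
    return findings


def find_unattributed(records: List[InstanceRecord]) -> Dict[str, List[str]]:
    """Map instance id to findings for every instance that fails reconciliation."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        findings = classify(rec)
        if findings:
            result[rec.instance_id] = findings
    return result


def highest_priority(records: List[InstanceRecord]) -> List[str]:
    """Ids of unattributed instances that were also short-lived, i.e. the
    'three-minute probe' pattern described in the text."""
    return sorted(iid for iid, f in find_unattributed(records).items()
                  if any(x.startswith("short-lived") for x in f))


if __name__ == "__main__":
    for iid, findings in find_unattributed(SAMPLE_RECORDS).items():
        print(iid)
        for f in findings:
            print("   -", f)
    print("review first:", highest_priority(SAMPLE_RECORDS))
```

Run against the constructed records, the fully tagged three-minute instance in a known group (i-0a2) is not reported at all, while the untagged, groupless three-minute instance (i-0b3) is the one surfaced for review first; in a real deployment the records would come from the provider's instance-state-change events and the known-group set from the same source of truth the platform team uses to deploy.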
That move to the cloud has changed how law enforcement approaches investigations, and has produced a massive shift in the types of devices seized during raids.
“I started as a digital forensic analyst in the mid-2000s and there was no cloud back then. Everything was stored locally, and we would see a lot of external drives and stuff like that,” says Swenson. Nowadays it's almost the opposite, and a very minimal amount of data is being stored locally.
“Where we used to go in and seize a bunch of computer towers, now it's a lot of iPads, Chromebooks, and phones that are then connecting to the cloud, and they're not storing anything locally.”
That change has made investigations far more difficult for law enforcement from a legal perspective, as cloud-hosted data often falls outside the scope of a warrant.
“[The cloud] has made things more problematic for us from a legal perspective: If I have a search warrant for a house and computers in a residence, I don't necessarily have the authority to grab the data from a cloud provider because it doesn't exist at the actual physical residence. I either write a separate warrant for cloud storage or add it to a warrant if we're going into a residence. It's just a matter of figuring out where that's being hosted and then adding additional legal process into what we do.”