
United States Computer Emergency Response Team, CTIS Botnet Operations , No Date. Unclassified.


National Security Archive

May 28, 2026

A 2016 US‑CERT memo reveals how the government began coordinating botnet takedowns with law‑enforcement and industry, laying groundwork for today’s cyber‑threat sharing ecosystem.

Source: United States Computer Emergency Response Team, CTIS Botnet Operations, No Date. Unclassified.
Date: Jan 27, 2016
Archive: Public Intelligence
Collection: Cyber Vault: Delegation of Authority, Oct 25, 2017


Editorial Analysis

Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.

Counter‑Botnet Coordination in the Mid‑2010s

The US‑CERT slide deck titled “CTIS Botnet Operations” is unclassified but marked FOR OFFICIAL USE ONLY and TLP AMBER; it is a snapshot of the inter‑agency, public‑private workflow that emerged after the 2013–2015 surge of financially motivated malware. The archive dates it January 27, 2016 (the deck itself is undated). It records a routine internal request for additional threat information, the enclaves the program covers, a tally of collaboration activity tied to two botnets, Brobot and Dridex, and a summary of the CryptoWall 3 ransomware campaign. It was produced by the Cyber Threat Information Sharing (CTIS) branch of US‑CERT (the United States Computer Emergency Readiness Team), the Department of Homeland Security component tasked with aggregating and disseminating cyber‑incident data across federal, state, local, tribal, territorial and private networks.

The immediate catalyst for output like this was the rapid expansion of crypto‑ransomware families such as CryptoWall, coupled with the commoditization of banking trojans. By late 2015 Dridex was a large‑scale credential‑theft operation; the deck itself records 1,076 victim notifications and detections across ten countries. US‑CERT's internal brief reflects a shift from ad‑hoc alerts to a formalized “operational umbrella” that could feed indicators to law‑enforcement, sector Information Sharing and Analysis Centers (ISACs), and the EINSTEIN sensors that monitor federal civilian networks.

The Actors and Their Signals

The brief lists a handful of institutional actors: the CTIS branch, the National Cybersecurity and Communications Integration Center (NCCIC), law‑enforcement partners, and commercial organizations. Its product names, “Joint Activity Report” and “Joint Information Bulletin,” signal a deliberate move toward coordinated response rather than passive reporting. The Traffic Light Protocol (TLP) matrix in the backup slides underscores the sensitivity of the material; the deck as a whole is marked TLP AMBER, meaning recipients may pass it only to people in their own organization who need it to act. This procedural detail shows how the government balanced transparency with operational security, a tension that defined much of the post‑Snowden cyber‑policy environment.

The botnet profiles themselves are terse but telling. Brobot is described as a DDoS platform aimed at online and mobile banking services, while Dridex is noted for HTML injection, macro‑based credential theft, and secondary use for spam and DDoS. The document quantifies Dridex's global reach (37% of detections in the United States, with Japan at 22% and Germany at 20%), illustrating how a single malware family becomes a trans‑national threat vector. The CryptoWall 3 snapshot adds another layer: 49 campaigns, 4,546 samples, 1,213 first‑tier C2 URLs behind five second‑tier nodes in St. Petersburg, nearly 407,000 infection attempts, and a damage estimate of $325 million. One caveat for the technically minded: the slide's “unbreakable AES 256 encryption key” is shorthand. The cipher is ordinary AES‑256; files are unrecoverable because the operators hold the key, not because of any novel cryptography. By cataloguing these metrics, the memo provides a data‑driven justification for allocating scarce cyber‑defense resources.

What the Record Reveals Beyond the Numbers

Reading between the lines, the brief hints at a growing reliance on private‑sector intelligence and on direct outreach. The “1076 victim notification distributed” entry for Dridex, and the 1,252 infected victims notified under “US‑CERT Actions” (the slide does not say for which botnet), show US‑CERT not only sharing technical indicators but also contacting affected organizations, work often associated with industry groups. The “Provided IP addresses to foreign parties” line points to cross‑border notification as well. The single EINSTEIN 2 signature is telling in a different way: E2 is the signature‑based intrusion detection tier of the National Cybersecurity Protection System, so one signature buys visibility into matching traffic at participating agencies, not blocking. On this evidence, mitigation rested on notification and law‑enforcement action rather than on federal network controls.

The document's structure, with separate sections on “Botnets of Interest,” “Past Botnet Collaboration Activities,” and “US‑CERT Actions,” follows the familiar intelligence cycle of characterizing a threat, collaborating on indicators, and acting on them, the same loop that cyber‑threat‑intelligence programs now formalize. In this sense, the memo is both a product and a prototype of the intelligence‑sharing architecture that underpins U.S. cyber‑defense today.

Legacy and Contemporary Relevance

Although the CTIS brief is unclassified, its content remains instructive for today's policymakers. The botnet ecosystem has evolved (ransomware‑as‑a‑service and supply‑chain attacks dominate), but the fundamental challenges of cross‑sector coordination, indicator‑level sharing, and balancing openness with operational secrecy persist. The TLP framework, once a niche protocol, is now standard practice in both government and industry exchange platforms, though the version reproduced in the deck is the older wording: TLP 2.0, published by FIRST in 2022, renamed WHITE to CLEAR and added AMBER+STRICT, so anything that ingests legacy markings has to accept both vocabularies.
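The sharing rules on the deck's TLP backup slide translate directly into a release gate, which is how a threat‑intelligence platform enforces them before an indicator bulletin goes out. The following Python is an added example written for this analysis; it is not code from US‑CERT or from the brief. The Audience categories, the function names and the four‑indicator batch are constructed for illustration (addresses come from documentation ranges), and the CLEAR and AMBER+STRICT aliases reflect TLP 2.0 rather than anything in the deck.

```python
"""TLP release gate for indicator dissemination (added example).

Encodes the four sharing rules from the brief's TLP backup slide and applies
them to a batch of indicators before release to a given audience.
"""
import re
from enum import IntEnum


class Tlp(IntEnum):
    """Colours ordered from most to least restrictive."""
    RED = 0
    AMBER = 1
    GREEN = 2
    WHITE = 3


class Audience(IntEnum):
    """Prospective recipient's relationship to the source, closest to widest.
    (Constructed categories, not terms from the brief.)"""
    ORIGINAL_EXCHANGE = 0       # party to the meeting/exchange where it was disclosed
    OWN_ORG_NEED_TO_KNOW = 1    # colleague in the recipient's own organization
    SECTOR_PEER = 2             # partner organization in the same sector, non-public channel
    PUBLIC = 3                  # publicly accessible channel


# Widest audience each colour permits, per the slide's "How may it be shared?" column.
_WIDEST = {
    Tlp.RED: Audience.ORIGINAL_EXCHANGE,
    Tlp.AMBER: Audience.OWN_ORG_NEED_TO_KNOW,
    Tlp.GREEN: Audience.SECTOR_PEER,
    Tlp.WHITE: Audience.PUBLIC,
}

# TLP 2.0 (FIRST, 2022) renamed WHITE to CLEAR and added AMBER+STRICT, whose
# "own organization only" rule coincides with the TLP 1.x AMBER wording above.
_ALIASES = {"CLEAR": "WHITE", "AMBER+STRICT": "AMBER"}

# Accepts "TLP:RED", "TLP: RED" and the deck's own "UNCLASSIFIED//TLP AMBER".
_MARKING_RE = re.compile(r"\bTLP\s*:?\s*([A-Z]+(?:\+STRICT)?)", re.IGNORECASE)


def parse_tlp(marking: str) -> Tlp:
    """Extract the TLP colour from a marking line; ValueError if none or unknown."""
    m = _MARKING_RE.search(marking)
    if not m:
        raise ValueError(f"no TLP marking in {marking!r}")
    colour = m.group(1).upper()
    colour = _ALIASES.get(colour, colour)
    if colour not in Tlp.__members__:
        raise ValueError(f"unknown TLP colour {colour!r}")
    return Tlp[colour]


def may_share(tlp: Tlp, audience: Audience) -> bool:
    """True if the colour permits disclosure to this audience."""
    return audience <= _WIDEST[tlp]


def may_relabel(original: Tlp, proposed: Tlp) -> bool:
    """Recipients may tighten a marking; only the source may relax it."""
    return proposed <= original


def release(indicators, audience: Audience):
    """Split a batch into (releasable, withheld) for the audience.
    Each indicator is a dict with at least 'value' and 'marking'."""
    releasable, withheld = [], []
    for ind in indicators:
        if may_share(parse_tlp(ind["marking"]), audience):
            releasable.append(ind)
        else:
            withheld.append(ind)
    return releasable, withheld


# Constructed sample batch: RFC 5737 documentation addresses and .example names,
# not indicators from the brief.
SAMPLE_INDICATORS = [
    {"value": "192.0.2.10", "type": "ipv4", "marking": "UNCLASSIFIED//TLP AMBER"},
    {"value": "198.51.100.7", "type": "ipv4", "marking": "TLP:RED"},
    {"value": "lure.example", "type": "domain", "marking": "TLP: GREEN"},
    {"value": "c2.example.net", "type": "domain", "marking": "TLP:CLEAR"},
]

if __name__ == "__main__":
    for aud in Audience:
        ok, held = release(SAMPLE_INDICATORS, aud)
        print(f"{aud.name:<21} release {len(ok)}  withhold {len(held)}")
```

Run as a script, each audience tier prints how many of the four sample indicators it may receive. The deck's own marking stops at own‑organization need‑to‑know, so a sector peer sees only the GREEN and CLEAR entries, and `may_relabel` captures the rule that a recipient can never widen a marking it did not originate.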

Finally, the memo marks a turning point: the U.S. government's acknowledgment that combating financially motivated cybercrime requires a joint operational posture, not merely a defensive one. That realization fed into the 2018 creation of the Cybersecurity and Infrastructure Security Agency (CISA), which absorbed US‑CERT's functions. Examining this 2016 snapshot shows the early scaffolding of the collaborative ecosystem that continues to shape how the United States confronts botnets, ransomware, and the broader threat landscape.


Page 1

UNCLASSIFIED//FOR OFFICIAL USE ONLY

US-CERT CYBER THREAT INFORMATION SHARING BRANCH

CTIS Botnet Operations

Overall Classification: UNCLASSIFIED//TLP AMBER

US-CERT UNITED STATES COMPUTER EMERGENCY READINESS TEAM


Page 2

CTIS Counter-Botnet Operational Umbrella

Botnet CNE Operations targeting:
  • Federal, State, Local, Tribal and Territories enclaves
  • Commercial enclaves
  • ISACs

Page 3

CTIS Botnet Operations

CTIS receives internal request for additional threat information
  • Activity Report
  • Information Bulletin

Collaboration Botnet Operations
  • Law Enforcement
  • Commercial organizations

Collaboration Products
  • Joint Activity Report
  • Joint Information Bulletin
Page 4


Botnets of Interest

Brobot

  • Brobot conducts Distributed Denial of Service (DDoS) attacks targeting online and mobile banking services.

Dridex

  • DRIDEX is an online banking malware that steals credential information through HTML injections. Leverages Microsoft Macros. Can be employed to send spam or participate in DDoS attacks.


Page 5


Past Botnet Collaboration Activities

Brobot

  • JAR-15-20151
  • 2K+ indicators reported between CTIS US-CERT and Law Enforcement

Dridex

  • 1076 victim notification distributed


Page 6


BroBot Hosts Locations

[Map: Brobot Hosts - October 2015]

Page 7


Top 10 Countries Targeted by Dridex

  • USA 37%
  • Japan 22%
  • Germany 20%
  • UK 5%
  • Canada 3%
  • Austria 3%
  • Poland 3%
  • Australia 3%
  • France 2%
  • Switzerland 2%

Figure 2. Top ten countries by number of Dridex detections in 2015

Page 8


CryptoWall v.3 Summary

  • First seen in early 2014; infecting machines by January 2015.
  • It uses an unbreakable AES 256 encryption key.
  • Targets 312 file extensions (where previous versions only targeted 146).
  • Propagated through phishing campaigns (67.3%) and exploit kits (30.7%); commonly the Angler exploit kit.
  • Version 4 now out in the wild.


Page 9


CryptoWall 3 Snapshot

  • 49 unique campaigns in 2015.
  • Campaigns “crypt107” and “crypy13” most active.
  • 4,546 malware samples discovered.
  • 1,213 unique first-tier Command and Control (C2) URLs.
  • Five (5) unique second-tier C2 nodes; all located in St. Petersburg, Russia.
  • Nearly 406,887 attempted infections observed.
  • Accounts for $325 million in damages; victim numbers continue to increase.


Page 10


US-CERT Actions

  • NCCIC worked with Law Enforcement on abuse notification list.
  • Provided IP addresses to foreign parties.
  • Deployed one (1) EINSTEIN 2 (E2) signature.
  • All known 1,252 infected victims were notified.

Page 11

BACKUP

Page 12

TLP | TRAFFIC LIGHT PROTOCOL

Columns: When should it be used? | Color | How may it be shared?

TLP: RED
  When should it be used? Sources may use TLP: RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
  How may it be shared? Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.

TLP: AMBER
  When should it be used? Sources may use TLP: AMBER when information requires support to be effectively acted upon, but carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
  How may it be shared? Recipients may only share TLP: AMBER information with members of their own organization who need to know, and only as widely as necessary to act on that information.

TLP: GREEN
  When should it be used? Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
  How may it be shared? Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

TLP: WHITE
  When should it be used? Sources may use TLP: WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
  How may it be shared? TLP: WHITE information may be distributed without restriction, subject to copyright controls.


Page 13


US-CERT Services for Federal Agencies

The United States Computer Emergency Readiness Team strives for a safer, stronger Internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cybersecurity information with trusted partners around the world. The national CERT offers a variety of services – such as malware analysis, development of machine readable indicators and actionable mitigation approaches, and programs to facilitate information sharing – at no cost to federal agencies.

Analytical Tools & Services

Network & Einstein Analytics: Support the protection of federal civilian agency networks. US-CERT is responsible for monitoring Einstein, a key component of the National Cybersecurity Protection System: an integrated intrusion detection, analysis, information sharing, and intrusion-prevention system. Capabilities will continue to expand at voluntary participating federal agencies. To pursue services, call 888-282-0870 or e-mail the SOC@us-cert.gov.

Incident Reporting Notifications: US-CERT has updated its incident notification guidelines to introduce Threat Vectors and Impact Classifications to replace the old incident categorization taxonomy. These changes align with the release of NIST Special Publication 800-61 Revision 2, "Computer Security Incident Handling Guide" and aim to produce higher quality data based on incidents with a confirmed impact. Please report incidents to https://www.us-cert.gov/.

Additional Support Services: US-CERT enables public and private sector partners to identify threats and develop effective security responses.

  • Incident Management: Within the Federal Government, a cyber incident is defined as a violation of computer security policies, acceptable use policies, or standard computer security practices. To notify US-CERT of an incident, visit: https://www.us-cert.gov/forms/report or e-mail SOC@us-cert.gov.
  • Incident Response: US-CERT maintains onsite and remote assistance capabilities to provide rapid operational support to respond to and mitigate cyber intrusions and risks.
  • Digital Media and Code Analysis: The Advanced Malware Analysis Center allows forensic capabilities for US-CERT to exchange and analyze data related to malware threats targeting the U.S. government's network space. To submit malware artifacts for analysis, visit http://malware.us-cert.gov/ or e-mail Virus.Submit@us-cert.gov.

Information Sharing

Interagency Coordination: US-CERT facilitates collaboration for detecting and mitigating threats to the dot-gov domain through several interagency working groups and operational tempo calls.

  • Joint Agency Cyber Knowledge Exchange: JACKE provides monthly in-person meetings among technical experts from across government security operations centers. The meetings enable detailed discussion of current threats and response strategies.
  • Federal SOC Calls: US-CERT leads operational coordination calls to discuss trends observed at a tactical level. To participate in the calls, contact notification@us-cert.gov.
  • US-CERT Portal: US-CERT maintains a secure, web-based collaborative portal to exchange sensitive, cyber-related information and specific technical details regarding incidents on a peer-to-peer level. Membership is open to Federal employees and contractors supporting U.S. government agencies.

US-CERT Publications: Provide subscribers with free, timely information on vulnerabilities, their potential impact, and mitigation to secure computer systems.

  • STIX/TAXII: International in scope and free for public use, STIX and TAXII are community-driven technical specifications designed to enable automated information sharing for cybersecurity situational awareness, real-time network defense, and sophisticated threat analysis.
  • Indicator Information: US-CERT creates time-sensitive indicator information about current anomalous and/or malicious cyber activity and disseminates actionable information through Indicator Bulletins and Analysis Reports.
  • Subscriptions: The National Cyber Awareness System, US-CERT mailing lists, and other feeds offer a variety of information for users.
  • NVD (National Vulnerability Database): US-CERT manages the U.S. Government's repository of standards-based vulnerability management data.

Cyber Information Sharing and Collaboration Program (CISCP): Provides a systematic approach to cyber information sharing with CI owners and operators. To learn more about the CISCP, contact the US-CERT Operations Center at soc@us-cert.gov.

Information Protection

TLP (Traffic Light Protocol): Provides a set of designations to ensure sensitive information is shared with the correct audience. For full detail on TLP, please visit https://www.us-cert.gov/tlp

Contact US-CERT

US-CERT Security Operations Center 703-235-8856 / 888-282-0870 / SOC@us-cert.gov Federal Customer Service: federal@us-cert.


Page 14

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu

Keywords

declassified, National Security Archive, Cyber Vault: Delegation of Authority Oct 25 2017
