NCSC neutralizes fewer cyber crime campaigns for first time in six years

The UK’s National Cyber Security Centre (NCSC) announced today that the total number of cyber crime takedowns has fallen for the first time in six years.

According to its annual Active Cyber Defence (ACD) report, it shut down 1.8 million malicious campaigns and 2.4 million malicious URLs throughout 2022, representing a 33% and 22.5% fall on 2021’s figures respectively.

The NCSC started publishing its ACD reports in 2017 and until 2023, every year had led to an increasing number of takedowns.

Much of the reduction came from a drop in takedowns of extortion mail servers. Its figures for 2022 stood at 528,000, down from 2021’s 1,867,439,  and cryptocurrency investment scams which dropped to 459,278 from 610,621 the previous year.

The cyber security arm of GCHQ didn’t offer a concrete explanation regarding why the number of takedowns had fallen, and the campaign-by-campaign breakdown of the takedown data showed mixed conclusions. 

Some attacks dropped in frequency, like extortion mail servers, but others soared, like the takedowns of malware-associated URLs.

Both malware infrastructure URLs and web-inject malware URLs were in the top ten list of  campaign types that were taken down this year.

The former rose to 18,337 takedowns in 2022, up from 5,270 in 2021, and the latter rose to 6,287 from 1,466 the previous year.

One of the possible explanations for the drop in takedowns could be due to apparent low uptimes of the campaigns.

Mail servers have a median availability of 25.5 hours, according to the report, and cryptocurrency investment scams stand at one hour. In comparison, the next top five attack types have a combined median of 56.29 hours. 

The figures suggest that the longer an attack is available, the more time there is for a takedown to occur.

The report also noted a drop in attacks hosted from the UK to the tune of 25%.

While phishing attacks remained at the top of the list, the number of attacks fell markedly, from 113,457 in 2021 to 77,471 in 2022 and a reduction from ten to seven hours of median availability.

Brute force attacks also formed part of the report and, despite the ACD only starting the use of honeypots in August 2022, 40,890 takedowns were recorded. 

SSH was the protocol that led to most takedowns - more than 32,000 were reported from August 2022 to December 2022 - followed by RDP, WordPress, and Exchange some way behind.

Other services covered in the NCSC report include the suspicious email reporting service, which permits members of the public to report suspicious emails and web sites. According to the report, malicious URLs were removed from the internet in an average of six hours. 

What is the NCSC’s Takedown service?

The ACD’s Takedown service finds malicious sites and removes them before significant harm can be done. 

It is focussed on what it deems would cause the most harm to UK interests and also targets all malicious activity hosted in the UK.

It was initially developed with just UK government organizations in mind, but has broadened to cover a wider range of users over the years.

In 2020 it commenced takedowns against cryptocurrency investment scams, takedowns of which peaked in January 2021 before following a consistent downward trend into December 2022.