It Takes a Network
After more than four years of investigation, a global investigations team of 57 agents commenced an operation to take an international criminal infrastructure platform known as Avalanche offline at the end of November 2016.
Launched in 2009, the Avalanche network was used to facilitate malware, phishing, and spam activities. Criminals used the network to send more than 1 million emails with damaging attachments or links each week to victims in 189 different countries, according to Europol.
“The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns,” a Europol press release said. “It has caused an estimated €6 million in damages in concentrated cyberattacks on online banking systems in Germany alone.”
German authorities began investigating the Avalanche network in 2012 after ransomware spread by the network infected several computer systems, and millions of private and business computer systems were infected with malware that allowed criminals using the network to obtain bank and email passwords.
“With this information, the criminals were able to perform bank transfers from the victims’ accounts,” Europol said. “The proceeds were then redirected to the criminals through a similar double fast flux infrastructure (an evasion technique used by botnets), which was specifically created to secure the proceeds of the criminal activity.”
German authorities investigating the network found that Avalanche was using as many as 500,000 infected computers worldwide. After analyzing 130 terabytes of data, they were able to identify Avalanche’s server structure. Working with the U.S. Attorney’s Office for the Western District of Pennsylvania, the U.S. Department of Justice, the FBI, Europol, and Eurojust, the Verden Public Prosecutor’s Office and the Lüneburg Police arrested five individuals, conducted 37 searches, seized 39 servers, and took 221 additional servers offline via abuse notifications.
“Avalanche shows that we can only be successful in combating cybercrime when we work closely together, across sectors and across borders,” said Julian King, European Union commissioner for the Security Union, in a statement. “Cybersecurity and law enforcement authorities need to work hand-in-hand with the private sector to tackle continuously evolving criminal methods.”
International law enforcement cooperation on investigations has always been important, but it has become critical as more crimes are taking place in cyberspace—beyond national borders.
“Criminals have figured out that borders mean absolutely zero, yet for countries and law enforcement agencies, sovereignty is important—our authorities generally remain within our borders,” says Richard Downing, U.S. Department of Justice (DOJ) Criminal Division acting assistant attorney general.
And that leads to complications when victims of a crime are in one country, the offender is in another country, and evidence of the crime is in yet another country.
“Of course, nowadays, it’s more likely to be that you have victims in 20 countries, offenders in 20 countries, and the evidence in 20 other countries,” Downing adds. “Criminals understand this problem for us, and they exploit it.”
To find out how law enforcement is addressing this problem, Downing led a panel discussion with law enforcement officials at the 2017 RSA Conference in San Francisco to share how agencies are working together to combat cybercrime.
INFORMATION SHARING
Law enforcement agencies use various avenues to legally share information with other nations, including treaties, conventions, and investigative teams.
One type of agreement is called a Mutual Legal Assistance Treaty (MLAT), which allows law enforcement to exchange evidence and information in criminal cases and related matters. In the United States, MLATs are negotiated by the U.S. Department of State in cooperation with the DOJ to help facilitate cooperation during investigations. The United States has MLATs with the European Union, as well as with numerous other nations around the world.
These treaties are often referred to as an “18th century tool for a 21st century law enforcement,” says John Lynch, DOJ Criminal Division Computer Crime and Intellectual Property section chief. “But over the last 30 years, we’ve innovated in the sense that we’ve gone from this very slow court process to mutual legal assistance treaties.”
And building off those MLATs is the Convention on Cybercrime, which was completed in 2001 and went into effect in 2004. Sometimes referred to as the Budapest Convention on Cybercrime, it was the first international treaty that sought to address Internet and computer crime by harmonizing national laws, enhancing investigative techniques, and increasing international cooperation.
The Council of Europe drafted the original convention, but Canada, Japan, South Africa, and the United States also played a role in its creation. Since going into effect in 2004, 52 nations have ratified the convention. Russia, Brazil, and India are among the nations that have not joined.
The convention “provided innovation in that it recognized that cooperation had to occur quickly, and so it recognized an [evidence] preservation scheme,” Lynch adds.
This preservation scheme was implemented via the Group of Eight (G8)—France, Germany, Italy, the United Kingdom, Japan, the United States, Canada, and Russia—through the 24/7 Network made up of prosecutors and police officers who work to quickly preserve evidence for cybercrime investigations.
For instance, they often make requests to Internet service providers to freeze data so it can be obtained for an investigation. The government authorities then use existing MLATs to obtain the data and begin their investigation.
And as cybercrime has evolved and increased during the past decade, countries have started using joint investigative teams—what Lynch calls a hybrid of MLATs and police-to-police cooperation.
These teams “usually consist of some sort of agreement to essentially conduct an investigation together, and then establish rules of the road for how information is going to be exchanged and how it’s going to be treated by each of the departments,” he says. “Europe, in particular, has taken the lead because of the need for close cooperation among those countries.”
This type of process is key for cybercrime investigations, Lynch says, because the most efficient way to tackle the threat is by running a joint investigation where police-to-police cooperation, real-time sharing, and MLATs combine to authenticate evidence as it’s recovered.
An example of this is the takedown of the Avalanche network. Steve Wilson, head of business for the European Cybercrime Centre (EC3), was involved in the investigation into Avalanche and said it worked because it used the joint investigative team method.
“We brought together large groups of investigative officers from across the world, all under one roof so they could share evidence and problems, and get things done together,” Wilson says. The EC3 brought together 57 officers—40 on day shift and 17 on night shift—as well as industry partners to help locate Avalanche’s server structure and identify those involved.
“We were dealing with probably one of the most complex cybercrime gangs we had ever seen,” Wilson says, adding that Avalanche had infiltrated 880,000 devices and 200 servers around the globe—37 of which were eventually seized by law enforcement.
Coordinating the investigation into Avalanche was a “huge challenge for us,” Wilson says, and it required using the MLATs Europe had with the DOJ and other nations to conduct the investigation, share information, and ultimately decide on how to prosecute the individuals involved.
“We arrested five key individuals who were running this network; and if any of you have an idea that cybercrime is committed by…teenagers behind computers, when we searched the house of one of the main individuals involved in this, he began shooting at the police with an AK-47,” Wilson says. “Cybercrime is now every bit as bad as serious organized crime. And investigating these international networks actually takes a network, so that’s how we’re starting to tackle this.”
PRIORITIZING CASES
Another issue facing law enforcement investigating cybercrime is coordination among different agencies on what crimes are being investigated—so agencies aren’t stepping on each other’s toes or potentially tipping criminals off.
One way the FBI is staying informed about other investigations is by communicating regularly with Europol, and within the Bureau itself, about what cases are being worked on, says Steven Kelly, FBI International Cyber Crime Coordination Cell (IC4) unit chief.
“The best way we can help is when we’re getting investigators together, we’re getting requests for information from them, and then we’re seeing what it is that folks are asking about, we’re reporting on that, and helping enrich that feedback,” he explains. “That helps us to know what people are working on and interested in.”
The IC4 has also tried to prioritize cases to ensure that it’s focusing on the top-level schemes and actors. “Because there’s so much crime, if we take an uncoordinated approach—a country and agency are working on this, and we’re working on that—and all these investigations are taking two, three, four, or five years, we’re never going to have an impact on the crime problem,” Kelly says.
To prioritize cases, IC4 works with Europol and Interpol to develop a project plan for cases and initiatives it wants to prioritize for the next year. It then reviews and refreshes that plan every six months, most recently in April 2017.
“That’s a very useful process for getting on the same page and deciding what’s the important thing you want to focus on so we can actually focus on it and drive progress,” Kelly adds.
The FBI also depends heavily on the private sector to help inform the Bureau about what it should be investigating.
One initiative that keeps this dialogue open is the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, Pennsylvania. The NCFTA is a nonprofit founded in 2002 that focuses on identifying, mitigating, and neutralizing cybercrime threats around the globe.
“The NCFTA operates by conducting real time information sharing and analysis with subject matter experts in the public, private, and academic sectors,” according to its website. “Through these partnerships, the NCFTA proactively identifies cyber threats in order to help partners take preventative measures to mitigate those threats.”
To do this, the NCFTA provides forums for partners, staff who specialize in their respective initiatives, meetings and events for targeted cyber initiatives, intelligence feeds, monthly initiative calls on trends, and assessments and reports based on NCFTA intelligence.
The NCFTA is a “great platform for banks and tech firms to come together and share information, and help tip law enforcement off as to what’s important,” Kelly adds. “And if we have questions on our investigation, we can ask them.”
This model has been so effective, Kelly says, that the NCFTA is expanding its offices into two new locations: one in Newark, New Jersey, to focus on the financial sector; and one in Los Angeles, California, to focus on the technology and entertainment industries.
EC3 is also getting involved in the NCFTA after Wilson signed a memorandum of understanding with the center while at the RSA Conference in February. EC3 is making this move, Wilson says, because it mirrors similar efforts to partner with the private sector in Europe.
“We’ve got advisory groups from industry, Internet service providers, and the security industry and financial services,” he says. “We meet three times a year in relation to the problems they see…and very much in the last year we’ve recognized that law enforcement has been guilty of telling industry what they should be reporting and what they should do.”
In an effort to change that, EC3 has tried to be more open and encourage industry to bring its top two or three main problems to see how they overlap with law enforcement. “It’s really surprising how many common problems we have,” Wilson says.
Since adopting this approach, EC3 has introduced a European threat assessment that allows law enforcement to focus on the key priorities for the industry in each European country. It has also helped foster better relationships with the private sector, on whose assistance Wilson says Europol depends.
“We will never have staff at the top level that industry has,” Wilson explains. “We depend on that assistance, and what I’m seeing increasingly is the willingness of industry to work with us pro bono to do something—to put something good back into it.”
This dynamic is similar in the United States, according to Lynch, who says that the DOJ has found it can cooperate with the private sector to accomplish things neither law enforcement nor industry could do on its own, whether because one side lacks the legal authority or because it lacks expertise in a particular area of cyber.
“We have figured out ways so that we’re sitting together, we’re sharing information using established protocols, and can effectively take down a botnet or a criminal organization while respecting privacy and adhering to the national laws and the constitution of the United States,” Lynch says.
NEW CHALLENGES
While law enforcement and industry have been cooperating in some areas, a new challenge stemming from a court case involving Microsoft might prohibit future collaboration.
The case (Microsoft v. United States, U.S. Court of Appeals for the Second Circuit, No. 14-2985, 2017) was brought when Microsoft challenged a search warrant issued by a court in New York City for information that was in Microsoft’s possession but stored in a data center in Ireland.
Microsoft acknowledged that it could access the information from inside the United States, but said that because the information was stored outside of the country, the U.S. Electronic Communications Privacy Act and the U.S. Stored Communications Act did not require it to provide the information to law enforcement.
Instead, Microsoft argued, the U.S. government should use its MLAT with the Irish government to request the information.
The DOJ sued Microsoft, and a U.S. district court sided with the government. Microsoft appealed the decision, however, and the U.S. appeals court agreed with Microsoft in a ruling issued in July 2016.
The U.S. Second Circuit Court of Appeals explained that the Stored Communications Act “does not authorize courts to issue and enforce against U.S.-based service providers warrants for the seizure of customer email content that is stored exclusively on foreign servers.”
Lynch says that the DOJ is still weighing its options about whether to appeal the Second Circuit’s ruling, but in the meantime the decision will have some effect on the U.S. government’s ability to get access to information for investigations.
“On the one hand, not everyone stores their data the same way Microsoft does,” Lynch explains. “For example, Google stores its information all over the world—it sometimes splits it up and puts it into databases so it doesn’t even assemble the data until there’s a request. And in those cases, Google has made the choice that the information is only available in the United States.”
Google’s approach has also caused problems for international law enforcement wanting access to information the company has in its servers.
“Because for information located outside the United States, there’s essentially no law that can reach the data—the United States can’t reach it because of the Microsoft decision,” Lynch adds. “Foreign law enforcement can’t reach it because there’s no one in that country who has authority to access the data.”
The DOJ has also challenged Google’s position, and a district court in Philadelphia sided with the government requiring Google to turn over data to law enforcement, but the matter is far from settled.
“There’s going to be ongoing litigation in this area, and it continues to be a very difficult issue for law enforcement,” according to Lynch. “We’re trying to grapple with it, because it is a problem when we can’t get the data under any regime. It can stymie an investigation altogether.”
Another major challenge for law enforcement is the perception that there are no consequences to committing cybercrime—few people appear to be charged, arrested, and then convicted of cybercrimes. This is a problem because “we’re not going to develop and build a deterrence model for cybercrime if we can’t get our hands on these people,” Kelly says.
As of February 2017, there were 123 individuals who had been charged with U.S. cybercrimes but have not been arrested, Kelly says.
“It’s a lot of people who have not been brought to justice because they are all over the world,” he explains. “They are in places we can’t get them—maybe there’s not an extradition treaty, and that’s a problem. If we’re spending a couple of years to make a case, bring it to a grand jury, get it charged, and then we can’t get the guy or gal, then that’s a problem. We’re not going to deter cybercrime if people continue to act with impunity and in safe havens.”
A recent example of this was the DOJ’s charges against two Russian spies and two criminal hackers in connection with the 2014 Yahoo data breach. One of the hackers, Karim Akehmet Tokbergenov, 22, was a Canadian national and was arrested. The other three individuals—Dmitry Aleksandrovich Dokuchaev, Igor Anatolyevich Sushchin, and Alexsey Alexseyevich Belan—remain at large because Russia does not have an extradition agreement with the United States.
To address this problem, the FBI is looking at how it keeps track of cases where an individual has been charged with a cybercrime but has not been arrested. If it’s a priority apprehension, such as for a major crime, then the FBI will look at its options to possibly arrest the individuals while they are on vacation or traveling to a country that does have an extradition treaty with the United States.
And while Russia doesn’t have an extradition treaty with the United States and often refuses to extradite its own nationals, it has been known to cooperate with law enforcement for certain types of crimes, such as child exploitation charges.
“This is the one area where countries drop their individual stances,” Wilson says. “Police forces drop their egos and agree that the only thing to do is work together. I’ve seen some countries we’ve spoken about here who will not cooperate on extradition, but they will take immediate action against people who are passing out child pornography.”
Wilson says that law enforcement should use cases and moments of collaboration like this to open a dialogue about how they can work together to extradite individuals facing cybercrime charges.
“We need to keep these channels open to see if these countries will take on some of these investigations, because if we can’t have these people—if there’s no consequence to commit cybercrime—they’ll just continue to commit time and time again,” Wilson adds.
And for cases where dialogue isn’t effective, Wilson says that the European Union is looking at the possibility of using diplomatic responses and sanctions to pressure nations into cooperating.
The EU already has an agreement that if there is a terrorist attack on a member state, all of the members will stand together in response—whether it’s issuing a statement of condemnation or taking military action.
“There’s a process coming underway right now in the EU to look at the practicalities of this in relation to cyber—to actually put a consequence back to a country that either condones or actively decides to push people to commit this type of crime,” Wilson says.
The United States has taken a similar approach. Former President Barack Obama issued an executive order that allows the president to place sanctions on a nation and other actors in response to cyberattacks.
“At the end of last year, we actually implemented [the order] against a couple of actors who had been charged in the United States with ransomware schemes, botnets, and involvement in some major data breaches,” Lynch says.