The Dridex and Simda botnets. The JPMorgan Chase hackers. Darknode.
Although cybercrime is nothing new, this year produced international coordination on digital criminal investigations like no year prior. Law enforcement agencies around the world, including Europol and the FBI, came together to take down multiple big-name botnets, arrest people suspected of committing cybercrimes and then extradited them abroad to face trial.
Citing the enormous amount of media attention given to cybercrime and the variety of law enforcement activities in tracking down suspected criminals, Jeff Brannigan, special agent with U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI), called this year a “significant” one in terms of the history of cyberlaw enforcement, cybersecurity generally, and cyberlegislation.
“This year offered a lot of landmarks on how we need to address these [cyber] threats going forward,” Brannigan (left) says. “Not just in the government, but in the private sector and on personal levels. Organizations of all sizes and types are more aware now than ever before of threats that exist out there on the internet.”
It’s easy to see why more people are aware. Data breaches at the Office of Personnel Management (OPM) impacted millions of federal workers. Millions of U.S. citizens had their data compromised in the data breach at Anthem health care. Millions more have had credit card information stolen from retailer databases. Data breaches are weekly news stories. With this increased frequency comes an increased demand for law enforcement to take action by tracking down suspected criminals and bringing them to justice.
And with that comes unique challenges. “Finding an individual actor online is perhaps more challenging in a lot of respects than finding someone in the physical world,” Brannigan says.
Primarily, cyberattackers can target law enforcement from anywhere in the world. Hackers have no geographic limits and can easily “travel away from the scene of a crime,” as Brannigan puts it, which is why international coordination is essential. Plus, additional anonymity protection provided by encryption and other footprint-covering services don’t exactly make law enforcement’s job an easy one.
With that in mind, the U.S. government and its agencies rely on training to keep agents operating at the same pace as cybercriminals or, ideally, ahead of them. “The techniques that we use are constantly evolving to match those of the criminals,” Brannigan says. “Technologies we employ are crucial to ensure we are pursuing the right actors who are doing these activities.”
Not only the government but private sector companies as well have been hesitant to attribute attacks to specific people or groups. The OPM data breaches, for instance, were said to be the work of China, but the Obama administration never retaliated against the country. The attacks on Sony, on the other hand, which crippled the company and cost it millions of dollars in damages, was ultimately blamed on North Korea. President Obama issued economic sanctions against the country shortly after, definitively attributing the attack.
There have been greater successes with regard to pursuing individual attackers who operate dark web marketplaces or conduct bigger scam operations. Ross Ulbricht, the operator behind the Silk Road marketplace, was sentenced to life in prison earlier this year, for example, after a long investigation by federal authorities. Ulbricht was arrested at a San Francisco public library branch after authorities staged a domestic violence dispute that allowed them to grab Ulbricht’s computer while it was open to Silk Road operational web pages. An agent on the case said if Ulbricht had closed his computer, it would have automatically encrypted all his data.
Later in the year, when an unaffiliated Silk Road 2.0 marketplace sprung up, the FBI worked with multiple international agencies to take it down. During that investigation, an agent went undercover to infiltrate the support staff running the site, which provided access to the most essential site operators. This coordination ultimately led to the arrest of the site’s supposed administrator, Blake Benthall.
Oftentimes, alleged suspects don’t even know they are being hunted. It would seem unusual for Ulbricht to use his laptop in a public space, let alone access his illegal underground marketplace, if he knew law enforcement was watching. In other cases, suspects knowingly put themselves at risk by traveling from country to country.
“In some cases, people don’t know they’re under investigation,” says John Lynch, chief of Computer Crime and Intellectual Property Section at the U.S. Department of Justice (DOJ). “We can obtain indictments under seal or file a complaint under seal and that means law enforcement is only permitted to disclose the facts of the complaint or arrest warrant to a limited group of people.”
In other cases, wanted criminals might just feel like pushing their luck. “They might think they’ll slip under the radar or they might have a business reason, whether legitimate or non-legitimate, to be in another country,” Lynch says.
Extradition agreements clearly are essential to any successful investigation. Some of these agreements date back more than a century. Where there are no agreements, cybercrime can flourish, which is why most wanted people remain at large – including the supposed creator of the Gameover Zeus botnet, Evgeny Mikhailovich. Russia and Ukraine have not agreed to extradite citizens to the U.S. for prosecution. Both countries also remain hotbeds of criminal activity.
To work around obstacles, sometimes, U.S. officials will conduct an investigation on their own and then, when ready, send an extradition request to multiple countries. Within that request is ample information for an official to decide whether an arrest would fit individual treaty standards. Lynch has seen this coordination rise in recent years.
“We have good bilateral relationships with a lot countries in Western Europe and around the globe,” he says. “They want to have a good partnership with us, and we want one with them. We realize we’re all going to be responsible for helping one another because on the internet, these communications might require two or three or more countries to take on a case. A dozen countries can help with a takedown.”
While the case of Silk Road’s Ulbricht demonstrates effective cybercrime strategies, part of this year’s successes can be attributed to the technologies infused in all activities now, including more nefarious businesses.
“It’s hard to find a criminal investigation on the federal or local level that doesn’t have some nexus to technology or the internet,” Brannigan says. That hasn’t always been the case, he adds. “It’s really only been in the last 10 years.”
Further, as the Internet of Things brings more devices online, and as people move more and more of their daily activities to internet-connected services, it’s a near guarantee that cybercrime will only continue to proliferate. Good thing there is growing cooperation between international law enforcement agencies.