
ISPI DOSSIER July 16, 2018

CYBERCRIME AS A THREAT TO INTERNATIONAL SECURITY

CYBERCRIME AND INTERNATIONAL RELATIONS

Luigi Martino

Scuola Superiore Sant'Anna di Pisa

Estimates about the impact of cybercrime on national economies and worldwide vary significantly, but they all come down to the same conclusion: online predatory crimes are a significant threat to the global economy. The public sector, banks and financial institutions, providers of public utilities, media outlets, big corporations as well as small and medium enterprises and individual internet users are all targets of malicious cyber activities. As explained by Samantha Nicole van der Meulen, Senior Strategic Analyst at Europol, criminals use underground forums and criminal online marketplaces in the darknet for the global trafficking of narcotics and to sell weapons, child pornography, pirated copyrighted content and computer exploitation kits (software that comes with license schemes, update services and 24/7 support lines, so that even users with very limited knowledge of computer science or hacking can use it). Moreover, as Corrado Giustozzi, member of the Permanent Stakeholders’ Group at the European Union Agency for Cybersecurity (ENISA), explains in his contribution to this Dossier, the darknet hosts a booming crime-as-a-service industry, where highly sophisticated technical skills can be monetized and criminal capabilities assembled by leveraging huge economies of scale, thus increasing the overall level of the threat posed by cybercrime. There is also a widespread, growing and worrisome promiscuity between legal and illegal markets, where the former hires criminal services from the latter in order to acquire sensitive information and gain a competitive advantage in the real economy.

This threat landscape is not likely to end soon: the cost of cybercrime will instead most likely increase in the next years just like it did in the last decades, along with the development of more sophisticated attack capabilities and the digital transformation of our economies and societies, which will bring an expansion of the available “surface of attack”. The bridging of the digital divide at the global level, the development of Artificial Intelligence and of the Internet of Things will only intensify these trends. In many cases, the victims of cybercrime are the ones to blame: “fool me once, shame on you; fool me twice, shame on me”, the proverb says. Cybercriminals often leverage well-known technical vulnerabilities, which basic cyber-hygiene would avoid, and profit from the naiveté we have online. Incidentally, this is also the reason why it is hard to acquire a comprehensive estimate of the impact of cybercrime worldwide: victims often fail to notify the breach to the competent authorities and to their clients, fearing a reputational loss (or monetary sanctions, where in place) after the confirmation that yes, the defenses were in fact not as solid as they should have been. However, it is also true that internet and computer crimes may be very sophisticated, and that they are particularly difficult to punish given the governance gap that characterizes cyberspace: cybercrime repression requires international coordination in a context of ambiguity regarding the actors, the motivations and the ultimate scope of the attack. Since cybercrime groups operate across borders, states cannot fight them alone, and criminals often take advantage of the inherent struggle in attributing a cyber attack, in pursuing international investigations, and in bringing criminals to justice for a crime perpetrated in a foreign country.

The good news is that international cooperation to counter cybercrime is the one area where cyber diplomacy is actually producing good (although not sufficient) results. The Council of Europe’s Convention on Cybercrime of 2001 (the “Budapest Convention”), signed by more than 60 countries, is the first international treaty seeking to address Internet and computer crime by requiring the establishment of national points of contact, the harmonization of national legislation, the alignment of investigative techniques and stronger international cooperation. Notwithstanding all the efforts of the international community, the Convention stands today as the only multilateral treaty imposing obligations on states in the way they address malicious activities in cyberspace. Recognizing the importance of the Convention, we have invited Alexander Seger, Head of the Cybercrime Division of the Council of Europe, to give us an assessment of the most notable results achieved so far thanks to the agreement, and to illustrate a possible way forward to build on these accomplishments.

As explained in detail by our analyst Samuele Dominioni in his article, multilateral efforts to enhance international cooperation against transnational cybercrime go far beyond the Budapest Convention. On the one hand, this reflects the seriousness of cybercrime’s economic burden, for which states are expected, at the domestic level, to elaborate an adequate response, which of course entails international cooperation. On the other hand, if the international community has reached such a high level of cooperation in this field, this is also because cybercrime is considered primarily a matter of “public order” that needs to be dealt with through a traditional “law enforcement” approach. In this sense, international cooperation does not restrain but actually reinforces national sovereignty: law enforcement and judicial international cooperation are the low-hanging fruit of international cooperation in cybersecurity. At least on paper: examples of poor or non-existent international collaboration to track down transnational cyber criminals, and cases where states protected individuals suspected of serious internet and computer crimes against actual extradition requests, are more and more common. In most cases, the isolated hacker conducting sophisticated cyber robberies is only science fiction, as cybercrime is in fact a labor-intensive endeavor that requires a savvy combination of different technical skills. By and large, cybercrime is better understood as a transnational organized crime, against which international cooperation was established a long time ago. Transnational organized crime spreads corruption, drains tax revenues from the coffers of the state while forcing governments to dedicate resources to border control and law enforcement, and it poses a direct challenge to the authority of the state. At the international level, transnational organized crime empowers destabilizing non-state actors, imposes a financial burden on the world economy, and it corrodes international norms and stability. President Clinton, in his address to the United Nations General Assembly on its 50th anniversary, noted that the forces of international crime “jeopardize the global trend toward peace and freedom, undermine fragile democracies, sap the strength from developing countries and threaten our efforts to build a safer, more prosperous world.” The UN Convention against Transnational Organized Crime of 2000 is a good example of the efforts of the international community to coordinate responses against this threat. The Budapest Convention and all other streams of international cooperation against cybercrime respond to the same logic.

But cyberspace, as we have seen, is the “domain of ambiguity”, and cybercrime’s damage is much larger than the loss of trust it causes among Internet users and the costs it imposes on the world economy, and it requires an attention that goes beyond the law enforcement perspective. Cybercrime, as we will show in this fourth ISPI Dossier on cybersecurity, is in fact a phenomenon that directly affects national and international security on a scale that exceeds in many ways that of traditional organized crime.

In the first place, cybercrime is an extraordinarily profitable and a relatively “safe” industry, with a sophisticated business model, as Giorgio Mosca, Director of Strategy and Technology in the Security and Information Systems Division of Leonardo, explains in his article. A massive amount of human and financial resources is therefore invested in the research and development of new, more sophisticated hacking tools and techniques, which in turn significantly contribute to the proliferation of the international cyber arms race. Thanks to their ability to innovate, in the cat-and-mouse race between criminals and public authorities, the former are able to run at least as fast as the latter. As Francesca Bosco and Michael Becker, of the United Nations Interregional Crime and Justice Research Institute (UNICRI) and the University of Maryland, explain in their article, these sophisticated weapons in the cybercrime market are readily available to the best bidders, and therefore there is the concrete risk that, sooner or later, these weapons will be acquired by terrorists. In fact, the development of cyber weapons might directly or indirectly impact the functioning of national critical infrastructures even in the context of criminal campaigns, as the WannaCry ransomware campaign did, impairing UK health services.

Particularly troublesome is also the fact that, given the difficulty in ascertaining the authors, scope and motivation of online criminal campaigns, and considering the difficulty in restraining the attacks to specific target networks, states might perceive a criminal campaign as a state’s, or a state-sponsored, attack on their critical infrastructures. This would of course entail the right to put in place countermeasures or even the use of force, with the risk of fueling an escalation in the cyber or in the conventional domain. Besides, states have a customary international law obligation not to allow malicious activities from ICT assets in their territory, and even if the state victim of an attack does not hold another State directly responsible for the cyber campaign, it could nonetheless expect cooperation in order to stop or mitigate the attack: this might lead to misunderstandings or, worse, to an international crisis, in case a state is not willing or able to comply with the victim’s demands.

Finally, as Alexander Klimburg explains in his excellent book The Darkening Web and in the article he wrote for this Dossier, the most serious threat that cybercrime poses to international security comes from the fact that states might want to use the attack capabilities developed by cybercrime in order to advance their goals in the international arena. Cybercrime develops hacking tools and techniques that may directly advance states’ operational capabilities in the course of intelligence and military campaigns, or may be used to “cover” tailored computer network operations with much larger and “noisier” campaigns. Cybercrime also offers the unique advantage of providing the state with plausible deniability: in the domain of ambiguity, this is a priceless operational advantage. In this sense, cybercrime organizations represent a proxy and a multiplier of states’ cyber power. This explains why some state actors allow a certain degree of freedom to the cyber underground involved in criminal activities, especially if it operates against foreign targets and is available to play as a proxy in case of need. Paradoxically, a state’s power in the global cyber arena depends, in some ways, also on its implicit and voluntary tolerance of cybercriminals operating within its borders.

Since we will most likely have to live with cybercrime in the years to come, it would be useful to consider the threat it poses in a more comprehensive way than just as a law enforcement matter, putting at the center of attention its impact on the stability of international relations. Transnational organized cybercrime is a very relevant actor in cyberspace: an understanding of how it affects international security is essential in order to mitigate the risk of future misunderstandings and escalations among States in the context of criminal online campaigns. If, at the strategic level, we are drifting toward a militarization of cyberspace, it is important to leverage all available political-diplomatic skills and tools in order to identify and impose an undisputed principle of states’ international responsibility, and a clear threshold of unacceptable behavior in cyberspace. It is not only a question of law and order, but also a matter of war and peace.

TRANSNATIONAL ORGANIZED CRIME AND VIOLENT EXTREMIST ORGANISATIONS: WHICH LINKS?

Francesca Bosco, UNICRI

Michael Becker, University of Maryland

ITALIAN INSTITUTE FOR INTERNATIONAL POLITICAL STUDIES

COMMENTARY

July 16, 2018

Francesca BOSCO, Program Officer at UNICRI, the United Nations Interregional Crime and Justice Research Institute.

Michael BECKER has a M.A. in Criminology and Criminal Justice from the University of Maryland, where he is pursuing a PhD focusing on radicalization and violent extremism.

It is often said that the cell phone in your pocket today has thousands of times more computational power than the entirety of the United States National Aeronautics and Space Agency (NASA) when they first put two astronauts on the moon in 1969. Combined with the proliferation of the Internet and the rapid expansion of information and communication technologies (ICTs) in the past twenty years, the global community has become intertwined in sophisticated ways across a wide variety of domains. This newly developed hyperconnectivity has resulted in massive changes to the economy, social spaces, and industries, bringing otherwise disparate and distinct groups together at blisteringly fast speeds. Through email, the use of public and private forums, and the creation of instant messaging applications, these connections have radically redefined the significance of geospatial distance and the time needed to establish and develop communication with like-minded others that are hundreds, if not thousands, of miles away. In just one 2018 “internet minute”, 187 million emails are sent, 3.7 million Google search queries are initiated, and over 973,000 logins on Facebook take place.

Unfortunately, there also exist a variety of malicious actors who use these technologies and this interconnectedness for ill. Such actors, from those (individuals and groups) seeking to engage in transnational criminal ventures for profit, to others aiming to bring about political, social, or religious change through violence and coercion, have been observed engaging directly with these technologies. This has even extended to reports that these organizations are capitalizing on the disruptive influence and specific techniques used by their contemporaries, and potentially collaborating in transnational criminal endeavours.

This use of cyber environments for criminal means runs counter to a variety of core values held by the United Nations (UN), which has recognized and expressed grave concern over the connection between Transnational Organized Crime (TOC) and terrorist organizations, both in the General Assembly and the Security Council. Bearing in mind the United Nations 2030 Sustainable Development Goals (SDGs), ensuring the security of integral technologies and preventing their misuse by malicious actors is an important task. As a result, state, regional, and multinational organizations have responded accordingly to bring about these changes.

Taking a step back, it is important to take stock of the character and the role of organized crime and terrorist organizations – and specifically, how they use ICTs independently and collaboratively. TOC is a broad and often complex phenomenon – defined colloquially as the profit-motivated criminal activities with international implications (planning, execution, or profit generation) by organized criminal groups. These groups engage in behaviours from drug and human trafficking, to the trade of firearms, and notably, cybercrime. In recent years, the scope of TOC has expanded to an estimated annual cost of US$870 in 2017. Groups involved in TOC utilize the internet for a variety of profit-generating activities, namely illicit sales and the theft of credit card and other personal identifying information for the purposes of identity theft and fraud. Underground forums provide cyber-criminals with a hub for networking, creating an organized set of criminal relationships from an otherwise disparate population. Beyond providing a space for criminal networking, illicit businesses on dark web services and other environments host a variety of hidden services and marketplaces that sell the tools of the trade for criminals to rent or buy, so as to launch cyberattacks. Traditional organized criminal groups may supplement their income, or augment their capabilities, by buying or renting hacking tools or by employing hackers (either on individual contracts or through a more comprehensive integration) to be co-opted in more conventional TOC activities such as trafficking.

Violent extremist organizations, on the other hand, tend to use the internet for high-speed operational communication, information gathering, planning and preparation of attacks, training, and recruitment of prospective members, with fund-raising being an ancillary goal in most cases. This is not to say that these are the only uses of the internet for these organizations. The United Nations Security Council (UNSC), and others in the international security sphere, have raised concern over the use of the internet as a means of engaging in “cyberterrorism”. They specifically focused on the use of computer systems to attack critical infrastructure (e.g. energy, communications, food and agriculture, defence) in concurrence with, instead of, or in the wake of a conventional attack.

While there have been few cyber attacks on critical infrastructure worldwide that we know of – with even fewer potentially being attributable to violent extremist organizations – the potential future threat that such attacks pose has been magnified by the collaboration between violent extremist organizations and TOC groups. In response to this threat, UNSC Resolution 2195 (2014), Threats to international peace and security, called upon states to better understand and address the nexus between organized crime and terrorism as a threat to security and development. As a result, the United Nations Interregional Crime and Justice Research Institute (UNICRI) has done just that, assessing the role of TOC as it relates to terrorism and violent extremism. Based upon a study carried out alongside partners at the Thailand Institute of Justice, UNICRI found that in some cases there were overwhelming similarities between TOC groups and terrorist organizations (including the adoption of common tactics). Corroborating this, a panel of experts assembled to address this task through a United Nations Office on Drugs and Crime (UNODC) initiative suggested that this overlap may take the form of coexistence, cooperation, and even convergence – and can produce mutual cooperation in the form of the transfer of technology, intellectual property, and manufacturing techniques. Not alone in the call to review this nexus of TOC and terrorism, findings from the UN are echoed in reports from the European Union’s Counter-Terrorism Monitoring, Reporting and Support Mechanism (CT-MORSE). Highlighting the reciprocal benefits of disruptive actions perpetrated by both TOC groups and terrorist organizations, CT-MORSE suggests that ongoing symbiotic relationships are a clear problem for global stability moving forward. Despite some divergence in overall structure and goals, extending this nexus to the cyber realm has been a solution toward the common needs of these organizations, consistent with their desire to exploit cyber assets and the security of communication and transactions provided by the Dark Web.

Based upon this ongoing work, a number of questions and best practices emerge. First, it is important to ask how violent extremist organizations have continued to make use of the internet in seeking to advance their goals in the present day. Further, it is imperative to examine the nature of these relationships and the development of proprietary cyber assets online generally, as well as on the Dark Web. Just as governments have developed skills and technologies across defence, strategic communication, and security sectors in combating TOC and terrorism, so too are terrorists and TOC groups able to innovate and acquire skills in this area. While recent reports have suggested a limited overall offensive impact by extremist organizations with respect to hacking and cybercrime, clear steps have been demonstrated in seeking the means to expand a “cyber arsenal”, and underground markets can serve as a training ground (e.g. tutorials for making bombs, firing missiles remotely, crossing borders illegally etc.). Naturally, this raises concerns surrounding the convergence of activities and the possibility of collaboration between violent extremist groups and TOC groups, who are often characterized as having distinct operational and strategic capacities and motivations. In light of recent revelations of Bitcoin allegedly used in funding operations of terrorist organizations, it is also important to ask how distributed ledgers like the Blockchain may be monitored for the purposes of disrupting the funding of terrorism and TOC alike. While the intersection of these groups and tactics in online fundraising (extremists) and the commercialization of illicit commodities (TOC) is a particularly hot topic as of late, it does not exist in a vacuum. Other forms of collaboration – such as arms trafficking and human smuggling – have been, and continue to be, a source of concern requiring a more robust understanding.

Based upon the UN and CT-MORSE findings, when possible, the nature of relationships between violent extremists and TOC groups should be assessed before crafting a specific solution. In cases where common conditions for the emergence of such a relationship exist, preventative measures ought to be taken, whereas in the presence of ongoing relationships a more tailored approach to disentangling should be pursued. As this specifically relates to the cyber realm, collaboration with state and regional policing and security forces can inform these decisions and may give insight into the relationships between the respective organizations, cyber assets, and the strategic goals of their use.

DARKWEB AND CYBERCRIME

Nicole Van Der Meulen

Europol

The views expressed are the author’s and do not necessarily reflect those of her affiliated organisation


COMMENTARY

July 16, 2018

Nicole S. VAN DER MEULEN has been working in the field of cybersecurity for over a decade. She is currently a Senior Strategic Analyst at the European Cybercrime Centre (EC3) at Europol.

The story reads like a work of fiction, a thriller that could have been carefully crafted by a bestselling author and that could evolve into an award-winning series. For nearly one month in 2017, the Dutch police ran Hansa – one of the largest darknet marketplaces – impersonating its administrators in an attempt to gather as much intelligence on buyers and sellers as they could, prior to taking the market offline as a means to disrupt the criminal infrastructure. Welcome to crime fighting in the twenty-first century!

BACKGROUND

The arrival of digital technologies and the more general digitalisation of contemporary society have introduced both challenges as well as opportunities for law enforcement. Much of the focus is on the challenges, since crime fighting has become plagued by, amongst others, a loss of (access to) data as well as a loss of location. A perpetrator can commit a crime anywhere and at any time, leaving behind a trail of victims in different jurisdictions. These challenges have required law enforcement to reconsider means of investigations as well as means of intervention with respect to criminal operations. This reconsideration can, as demonstrated by the example above, lead to innovative ways of disrupting criminal operations.

Despite the existence and popularity of the concepts of the Deep Web and the Darknet during the mid-1990s, the topics only gained broader public attention after the arrest of Ross William Ulbricht, also known as “Dread Pirate Roberts.” Law enforcement carried out his arrest in October 2013, after having taken down the Silk Road market. This action therefore brought the Darkweb out of its shadow and into the public spotlight, simultaneously and inadvertently also enhancing its popularity. Overall, Sui et al. (2015) describe how, “the emergence of the Deep Web in general and Darknet in particular offers a new economic, social, and political ecosystem that was designed to exist – and usually operates – beyond the reach of law, regulation, and government oversight.” As a result, the approach by law enforcement must be innovative in order to be effective.

FROM TAKEDOWN TO TAKEOVER

One of the main challenges with taking down a marketplace is the potential lack of impact on actually disrupting the criminal infrastructure. This is generally known as the whack-a-mole effect, since where one marketplace is taken down another appears in a different place, and users simply migrate to their new ‘home.’ As a result, the coordinated takedown of Hansa and AlphaBay aimed to go beyond the usual strategy by taking over one of the two marketplaces to gather intelligence and to plant a seed of distrust among users. After law enforcement authorities took down AlphaBay, many users migrated to the Hansa market which allowed the authorities to gather even more insight into the users – both vendors and buyers – of the market.

WHAT IS NEXT?

In many ways, the takedown of AlphaBay and Hansa was a step in the more general evolution of the approach taken against Darkweb marketplaces and activities. Developments with respect to the Darkweb call for this evolution as law enforcement across the globe is confronted by a number of similar challenges, which makes coordination and cooperation essential. This coordination and cooperation is not just about going beyond national boundaries, but must also include a comprehensive approach with respect to different crimes, since the Darkweb cuts across a number of areas – from drugs to firearms and from human trafficking to terrorism. The Darkweb has made many illicit goods and services supremely accessible and allows both buyers and vendors to comfortably wear the cloth of anonymity.

Yet, criminals remain resilient. As described by a CSIS blogpost, “…the temporary interruption of market infrastructure does not deter new players from entering these markets. Improving law enforcement’s capacity to understand dark web market dynamics will allow law enforcement entities to develop new areas of expertise, make better use of limited resources, and deter illicit activity online.” This understanding requires research, as part of a coordinated approach, through intelligence gathering and observation.

MOVING FORWARD THROUGH THE INTRODUCTION OF A DEDICATED TEAM

One of Europol’s initiatives with respect to fighting crime on the Darkweb is to create a coordinated law enforcement approach. This coordinated approach includes the participation of law enforcement agencies from across EU Member States, operational third parties as well as other partners, such as Eurojust.

dedicated Dark Web Team in 2018 to work together with EU partners and law enforcement globally to reduce the size of this underground illegal economy. This comprehensive approach will deliver a complete and coordinated approach.

What does this mean? This means there is a focus on sharing information, on providing operational support and expertise in different crime areas. Furthermore, such an approach includes the development of tools, tactics, and techniques to conduct dark web investigations and identify top threats and targets. Such investigations and identification shall hopefully also provide the insight into the dynamics of the different players on the darkweb and subsequently contribute to effective ways of intervention.

The team also aims to enhance joint technical and investigative actions, organise training and capacity-building initiatives, together with prevention and awareness-raising campaigns – a 360° strategy against criminality on the darkweb. The dangers on the darkweb are plentiful. A shared commitment across the global community and a coordinated approach by law enforcement agencies are essential going forward.


1. For more info see here (PDF)

2. For a more detailed account of the story, please see here

ENHANCED COOPERATION ON CYBERCRIME: A CASE FOR A PROTOCOL TO THE BUDAPEST CONVENTION

Alexander Seger

Council of Europe

THE CHALLENGE

Cybercrime – offences against and by means of computer systems – is a fundamental threat to core values of societies.

The large-scale theft of personal data, computer intrusions, bullying, harassment and other forms of cyber violence, or sexual violence against children online, are attacks against human rights. Hate speech, xenophobia and racism may contribute to radicalisation leading to violent extremism. Attacks against computers used in elections and election campaigns – such as compromising voter databases, tampering with voting machines, denial of service attacks on voting day, the theft of data during election campaigns and related information operations – are attacks against democracy. Daily attacks against critical information infrastructure affect national security and economic and other national interests as well as international peace and stability.

Moreover, evidence in relation to fraud, corruption, murder, rape, terrorism, the sexual abuse of children and, in fact, any type of crime may take the form of electronic evidence stored on servers “somewhere in the cloud”. Securing such evidence is necessary to ensure the rule of law and protect society and individuals. But accessing such evidence also has implications for human rights and the rule of law. Threats are likely to increase with the Internet of Everything, the use of artificial intelligence for scanning of vulnerabilities and automating targeted attacks, and within a tense international context where cyberattacks and information operations – hybrid warfare – are means to pursue political interests.

If only a minuscule share of offenders is brought to justice and if governments may fail in their obligation to protect the rights of individuals and society against crime, public trust in the rule of law and democratic systems will further erode.

In short, cybercrime and the challenges of electronic evidence affect everything; they are matters of human rights, democracy and the rule of law, of national interests and of national and international security. 

THE RESPONSE OF THE BUDAPEST CONVENTION ON CYBERCRIME

The Budapest Convention on Cybercrime of the Council of Europe is a binding international treaty that provides a framework to States regarding (a) the criminalisation of conduct (that is, offences against and by means of computers), (b) procedural powers for criminal justice authorities to secure electronic evidence in relation to any crime and subject to rule of law safeguards, and (c) international cooperation on cybercrime and electronic evidence. Opened for signature in Budapest in 2001, this treaty has become the global standard in this field. By the end of June 2018, 60 States had become Parties (the latest being Argentina, Cabo Verde, Morocco and the Philippines) and a further 11 States had signed it or been invited to accede. In addition to these 71 States, another seventy or so had used it as a guideline for domestic legislation. More than 160 States had cooperated with the Council of Europe in capacity building activities on the basis of the Budapest Convention, and many of them are likely to join this treaty sooner or later.

The Convention is backed up by the Cybercrime Convention Committee, which (a) assesses implementation by the Parties, (b) develops Guidance Notes on how existing provisions of the treaty can be applied to phenomena that were not relevant (or were less so) in 2001 (such as botnets, denial of service attacks, identity theft and others), and (c) negotiates additions to the Budapest Convention. Finally, a dedicated Cybercrime Programme Office was set up in 2014 in Bucharest, Romania, for worldwide capacity building to help States implement the Budapest Convention and apply it in practice.

In short, with regard to cybercrime as a matter of criminal justice, a functioning agreement is in place, with increasing membership and use in actual law enforcement operations.

This is remarkable given the conflicting interests, and thus the difficulties, in reaching international agreement on all things cyberspace. The Convention was negotiated some twenty years ago, that is, at a time when cybercrime was sufficiently important to warrant an international treaty, but information and communication technologies were not yet so crucial that other (national) interests stood in the way of agreement.

Towards a Protocol to the Budapest Convention

Additional solutions are nevertheless required to address the problem of electronic evidence. Securing e-evidence for criminal justice purposes is particularly challenging in the context of cloud computing, where data is distributed over multiple services, providers, locations and jurisdictions. With the powers of law enforcement limited by territorial boundaries and mutual legal assistance often not feasible, the investigation and prosecution of cybercrime risks becoming ineffective.

In June 2017, the Parties to the Budapest Convention therefore decided to prepare an additional protocol on enhanced international cooperation and access to evidence in the cloud. Negotiations are foreseen to last until the end of 2019. Options under consideration, such as direct cooperation by law enforcement with a service provider in another jurisdiction or extending a search to a computer located in another jurisdiction, will need to be reconciled with concerns over national sovereignty, data protection rules and other human rights and rule of law safeguards.

And coherence needs to be ensured between this future protocol, proposals on e-evidence currently under discussion within the European Union and the CLOUD Act adopted by the Congress of the United States in March 2018.

PROTECTING THE RULE OF LAW AND UNINTENDED CONSEQUENCES

Obviously, the complex challenges of cybercrime and cybersecurity require a multi-faceted set of tools and solutions. Criminal justice is one of them. Protecting and defending systems, setting up incident response mechanisms and educating users already means that the largest share of the hundreds of millions of daily attacks is denied.

National security and intelligence bodies may have prevented numerous terrorist and other attacks, although there are concerns about mass surveillance and the bulk collection of data, and that the activities of such bodies comprise measures beyond national security requirements, such as espionage, political control and the pursuit of other national interests.

With cyberspace considered the “fifth domain of warfare”, considerable resources are allocated by States to defensive and offensive military capabilities and information operations, with the obvious risk of a further militarisation of cyberspace.

Criminal justice obviously offers a higher level of protection of the rights of individuals than national security or defence solutions. 

However, the very need to protect the rights of individuals and to meet data protection and other rule of law requirements may very well lead to a dilemma: if criminal justice authorities are no longer able to investigate cybercrime and secure electronic evidence in an effective manner, competencies and resources may further shift to national security and intelligence bodies without the same level of safeguards.

Current trends suggest that while the powers of law enforcement to investigate cybercrime and secure electronic evidence become more restricted (in particular following the Snowden revelations in June 2013 and reports on mass surveillance and bulk interceptions), greater margins continue to be granted to national security and intelligence bodies.

For example:

• There are good reasons to bring public WHOIS databases in line with data protection requirements. But the recent failure to adopt, on time, a system permitting access to domain registrant data for legitimate reasons of public interest – such as public safety – while meeting data protection requirements means that, as from May 2018, law enforcement authorities will often no longer be able to identify the owners of criminal domains and thus to investigate and prosecute cybercrime. Incidentally, within the same week that a German court decided that a registrar was no longer required to collect registrant data for WHOIS purposes, another court in Germany decided that the German external intelligence service BND is entitled to extract data flowing through one of the world’s largest Internet exchanges, DE-CIX, in Frankfurt.

• Law enforcement access to traffic data should be subject to safeguards, but it is arguable whether information on a dynamic IP address, needed solely for the identification of a subscriber, indeed qualifies as traffic data rather than subscriber information and thus requires a higher threshold for obtaining such data (see the arguments in Benedik v. Slovenia before the European Court of Human Rights).

• General data retention requirements are problematic, as the data retained “may allow very precise conclusions to be drawn concerning the private lives” of individuals, as stated by the Court of Justice of the European Union in December 2016. However, removal of data retention requirements also means that crucial electronic evidence is often no longer available for criminal investigations. The result may well be an expansion of targeted interception of communications or mass surveillance by national security and intelligence bodies.

Clearly, law enforcement powers that interfere with the rights of individuals must only be exercised as prescribed by law and to the extent strictly necessary and proportionate. 

However, increasing restrictions on the effectiveness of criminal justice authorities may have the unintended consequence of favouring a further shift of powers to national security and intelligence bodies that are subject to lesser restrictions and can operate within broader margins.

CONCLUSION

Governments have the obligation to protect individuals against crime, including through criminal law, as stated by the European Court of Human Rights in K.U. v. Finland ten years ago.

Solutions for more effective criminal justice access to electronic evidence – such as those foreseen under the future Protocol to the Budapest Convention – are essential. Criminal justice authorities need to have the powers to secure such evidence in specific criminal investigations, also as technologies evolve. Data protection, civil society and industry organisations should contribute to ensuring that solutions are both effective and meet human rights and rule of law requirements at the same time.

CYBERCRIMINALS AS EXTENSIONS OF STATE POWER?

Alexander Klimburg

GCSC Initiative and Secretariat

At the end of 2016, the outgoing Obama administration issued several decisions and executive orders as part of countermeasures designed to punish Russia for its interference in the US Presidential election.[1] Following up on its experience with similar measures against Chinese and Iranian cyber experts, the US government published a list of “specially designated persons” (SDNs) who were placed under direct sanctions. Of the six individuals whose names were published, four were very senior Russian intelligence officials. The other two were not officials, but private citizens – known cybercriminals, whose aliases included “Slavik” and “Magg”. “Magg” was at the time of indictment 30 years old, and already had the dubious honor of being named side by side with the Chief of the Russian military intelligence organization (GRU).[2] This public declaration officialized what had long been apparent in practice: that states can and do consider some cybercriminals as extensions of state power. This should hardly come as a surprise: one of the very first serious cyber-espionage attacks on the United States was carried out in 1986 by a German cybercriminal working on behalf of the KGB.[3] Even back then, the interest of governments in using a cybercrime proxy was clearly three-fold: firstly, it was thought to provide a certain level of plausible deniability if discovered; secondly, it provided instant access to a high-grade skill set and assets that could prove difficult and expensive to build up internally; and thirdly, it complicated matters in general for the defenders by raising the “noise-to-signal” ratio – encouraging lots of low-grade cyber-attacks to distract from the more serious state-executed operations.


Twenty-two years later, these advantages remain, with some differences. After experiencing a high in 2007/2008, the “plausible deniability” advantage of cybercrime has shifted. Russian cybercrime was acknowledged to have played a decisive role in the 2007 and 2008 cyberattacks on Estonia and Georgia, respectively, sometimes in conjunction with other proxies, such as the Putin-affiliated Nashi youth group. However, the Western response to these attacks (and similar ones) has been from the start to point fingers at the Russian government directly, negating any direct benefit over time. Furthermore, the actions of the US government against China first (the 2014 indictment of the so-called “PLA Five”[4] for intellectual property theft) and then Iran (in 2016) clearly showed that non-state proxies would still be considered to fall under a state’s effective control, and therefore under the state’s responsibility. Indeed, the March 2018 amendment of the Iranian cyber-related sanctions lists a number of individuals and their organizations, and their purported role in supporting attacks against the United States.[5] The ability to hide behind the plausible deniability of proxy groups is therefore decreasing, and will continue to do so.

However, the other two advantages certainly remain. The capacity of some cybercriminal groups easily matches or exceeds that of some states. Not only do cybercriminals produce and maintain botnets – what I have called the Swiss Army knife of cyber-conflict – but they also provide a host of other services, from secure hosting facilities to money laundering and even “weapons development”. The latter category mostly relies on the discovery of zero-day exploits and putting them into malware code, a process that can be fairly labor intensive. In 2015, a researcher at the company FireEye stated that there were “entire villages dedicated to malware in Russia and China” – very sophisticated, very organized, very well-funded.[6] As I have pointed out in my book The Darkening Web[7], there are numerous other examples of possible collusion between governments and cybercrime gangs – and often enough the rationale is simply practicality: while some malware might not be good enough for the hardest of cyber-targets, it is good enough for most other types of targets. Besides, even supposedly “hard” targets – like the US government Office of Personnel Management, which in 2015 was breached, with over 5 million applications for government clearances lost[8] – are not always really hard targets to begin with. For governments, therefore, cybercrime can be a really cheap way to exert substantial cyber power – or, as the Estonian researcher Rain Ottis put it in 2012, “If you want cheap cyber power, you need to tolerate a level of cybercrime.” This is especially pertinent if all the downsides of cybercrime accrue to your adversaries abroad, and not to you.

This leads us to the third advantage for governments in cooperating with cybercriminals: raising the noise-to-signal ratio by facilitating lots of little cyber-attacks, and therefore distracting from the bigger picture or more serious attacks. An outside observer may think that cybercrime might actually pose a disadvantage to serious cyber spooks: by “spooking” their targets they might, after all, encourage them to adopt a higher defensive posture, and therefore make it more difficult for the heavy-hitting state cyber teams to infiltrate. However, as many cyberattacks, all the way back to the legendary 1998-2000 Russian campaign known as Moonlight Maze, have shown us, this just is not the case. On the operational level, cyber defence does not scale well: even if there are various “defensive levels” that can be activated and resource levels that can be mobilized, the best time to launch a cyberattack is still when another cyberattack is already ongoing, for other defenses will simply be lacking. For cyber defenders everywhere there is a limit to how many hours there are in the day, and in that case you go for the quick and easier wins rather than trying to untangle some of the much more complicated (and very possibly non-malicious) indicators that you have. Simply put, cyberdefense is always a bit like the Dutch boy putting his finger in the dike: there is always going to be a prioritization going on. Serious and highly capable cyber intrusions are therefore often executed in the “noise” of more visible cybercrime attacks.

It is however not too late to turn this equation around. In fact, the very visibility of cybercrime and the ease with which it can penetrate most targets should be able to encourage some of the most sorely needed basic protective measures that are still not common across the private sector, and sometimes even government. This includes enforcing “cyber hygiene” across all organizations to take care of the basics, while at the same time enforcing product standards and service level agreements within the private sector to make sure that monster holes in products and services do not remain that easy to exploit for an attacker. And finally, it means that both the insurance industry and legislation should make it much more painful to fail at basic cyber defense.

There is some hope of this happening. In part, this is because some governments which previously enjoyed “cheap cyberpower” are now experiencing a substantial rise in cybercrime – China is only one such example. Data protection – previously seen as something of concern only to a few fanatics – is now rapidly becoming an issue for the average citizen as well. Furthermore, there are also clear signs that standards could become a substantial trade issue: enforcing basic standards of protection (for instance in the Internet of Things galaxy) could have a dramatic effect on the manufacturing and trading of these devices, with significant economic impact. Indeed, cybercrime could actually finally help accomplish what has sometimes been seen as a lost cause: getting basic cyberdefense right. If that happens, then indeed we could finally say that cybercrime does work – for everyone.

1. For an unclassified first assessment of this, see the DNI report: Office of the Director of National Intelligence. Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic Process and Cyber Incident Attribution. 06.01.2017. Available at: https://www.dni.gov/files/documents/ICA_2017_01.pdf (Last visited: 14.06.2018).

2. U.S. Department of the Treasury. Issuance of Amended Executive Order 13694; Cyber-Related Sanctions Designations. 29.12.2016. Available at: https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20161229.aspx (Last visited: 14.06.2018).

3. See the story on the Cuckoo’s Egg episode in The Darkening Web: Klimburg, Alexander. The Darkening Web (New York: The Penguin Press, 2017), p. 161.

4. Department of Justice. U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage. 19.05.2014. Available at: https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor (Last visited: 14.06.2018).

5. See for instance: U.S. Department of the Treasury. Treasury Sanctions Iranian Cyber Actors for Malicious Cyber-Enabled Activities Targeting Hundreds of Universities. 23.03.2018. Available at: https://home.treasury.gov/news/press-releases/sm0332 (Last visited: 14.06.2018).

6. Miller, Roger LeRoy. Cengage Advantage Books: Business Law: Text & Cases – An Accelerated Course. (Cengage Learning, 2015).

7. Klimburg, Alexander. The Darkening Web (New York: The Penguin Press, 2017).

8. Larter, David, and Tilghman, Andrew. “Military clearance OPM data breach ‘absolute calamity’”. Navy Times, June 17, 2015. Available at: https://www.navytimes.com/news/your-navy/2015/06/17/military-clearance-opm-data-breach-absolute-calamity/ (Last visited: 14.06.2018).

RESEARCH AND IMPAIRMENT: CYBERCRIMINALS AS STIRRERS OF NEW MALICIOUS CYBER CAPABILITIES

Giorgio Mosca

Leonardo and Confindustria Digitale

We may not agree on how and why technology has become the driving force behind human development. Many could even deny its supremacy over philosophy, economics, mathematics or psychology, but no one can deny that the impact of technology is plainly evident, particularly if we consider the exponential development of ICT in the last 50 years. In fact, if we follow the viewpoint smartly expressed by the Italian philosopher and Oxford professor Luciano Floridi in his book The Fourth Revolution, we must say that one particular and very wide set of technologies, labeled ICT (Information and Communication Technologies), has been the foremost enabler of human development, since it is only through the capability to record and transmit knowledge to future generations that humanity has been able to assert its dominance in the world [1]. In his book, Floridi leads us on a path describing the evolution of humanity from ‘history’, where society has the capability to record and transmit information, to “hyper-history”, where society depends on its capability to process and use information, concluding that all modern civilizations in developed countries are hyper-historical societies and adding a very important corollary, i.e. that only hyper-historical societies can be harmed by cyberattacks and, therefore, by cybercrime.

Activities aimed at obtaining undeserved benefits or utilities through the application of violent and/or illegal methods, a.k.a. crimes, have always been part of the history of humanity. Though many crimes have a personal or social nature, the majority are performed by structured groups – what we call organized crime – and have some sort of economic rationale, aiming at extracting “value” from victims. When the management of economic and business operations started relying on digital technologies – rather than analog ones – criminal environments, which operate under the motto “follow the money”, opened new avenues to pursue their aims in cyberspace. They adapted to the rapid change that has taken over the field, creating the ad hoc technological solutions required to achieve criminal objectives. The most evident example of this behavior took place in 2017, when cyber-threat researchers observed a very particular situation. After a steep rise in ransomware attacks and some very significant events related to this class of malware (“WannaCry” made the front pages of newspapers for several days in all major countries), the end of 2017 saw the sudden emergence of new criminal activities with the creation of botnets [2] whose goal is not, as often happened in the past, to launch DDoS [3] or other types of attacks, but to create “coin-mining networks”. While cybercriminals in recent years opted for ransomware as the major source of returns, the increased value of cryptocurrencies (Bitcoin, Monero, etc.) has in fact prompted them to start creating brand new money instead of stealing it. Symantec’s Internet Security Threat Report (ISTR) [4] describes an increase of 34,000% in coin-mining activity from January to December 2017, with millions of infected computers and hundreds of thousands of dollars in cryptocurrency [5] generated. While coin-mining is not, in fact, stealing money directly from the victims of the attack, it is nonetheless a costly and disruptive activity: infected machines will slow down on regular tasks because they are busy running coin-mining software, and will suffer increased energy consumption and component wear since they constantly run at full capacity to execute the illegal code. Coin mining is also an easier type of attack to distribute and can infect any machine (the basic version can run in any browser), thus being able to leverage a much wider base than other types of malware and creating more widespread effects and damage.
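The two symptoms just described, a machine held at full capacity and a process that must keep talking to an external coordinator, are what a defender can look for on a host. The script below is an added example written for this dossier, not code from the author, from Leonardo or from the Symantec report cited above: it scores constructed per-process telemetry with those two indicators (sustained CPU load and a connection to a pool-like endpoint). The pool port list and hostname tokens are assumptions for illustration, not an authoritative indicator set, and a browser renderer process that trips both indicators stands in for the in-browser variant the text mentions.

```python
"""Host-side triage heuristic for illicit coin mining (cryptojacking).

Added example, not part of the original dossier. It turns the two symptoms
described in the text, sustained full-capacity CPU use and a persistent
connection to an external coordinator, into a scoring function over
constructed process telemetry. Pool ports and domain tokens are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed indicator set: ports often used by Stratum-style mining pools and
# tokens that tend to appear in pool hostnames. Treat as hints, not proof.
SUSPECT_POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444}
SUSPECT_DOMAIN_TOKENS = ("pool", "xmr", "monero", "mine")


@dataclass
class ProcessSample:
    pid: int
    name: str
    cpu_percent: List[float]                       # one reading per interval
    connections: List[Tuple[str, int]] = field(default_factory=list)


def sustained_cpu(readings, threshold=85.0, min_fraction=0.9):
    """True when the process sits near full capacity for most of the window.

    A compiler or backup job also spikes, so the fraction of hot samples,
    not a single peak, is what separates a miner from bursty legitimate work.
    """
    if not readings:
        return False
    hot = sum(1 for r in readings if r >= threshold)
    return hot / len(readings) >= min_fraction


def pool_like(connections):
    """Return the connections that look like a mining-pool endpoint."""
    return [
        (host, port) for host, port in connections
        if port in SUSPECT_POOL_PORTS
        or any(tok in host.lower() for tok in SUSPECT_DOMAIN_TOKENS)
    ]


def triage(samples, threshold=85.0):
    """Return (pid, name, verdict, reasons) for every process worth a look.

    Both indicators together give "likely miner"; one alone gives "review",
    because a legitimate long-running job can trip a single indicator.
    """
    findings = []
    for s in samples:
        reasons = []
        if sustained_cpu(s.cpu_percent, threshold):
            reasons.append("sustained high CPU")
        pools = pool_like(s.connections)
        if pools:
            reasons.append("pool-like endpoint " + ", ".join(f"{h}:{p}" for h, p in pools))
        if len(reasons) == 2:
            findings.append((s.pid, s.name, "likely miner", reasons))
        elif reasons:
            findings.append((s.pid, s.name, "review", reasons))
    return findings


# Constructed telemetry (not real hosts): eight CPU samples per process and
# the remote endpoints each process held open during the window.
SAMPLES = [
    ProcessSample(101, "gcc", [97, 98, 95, 99, 96, 12, 0, 0]),               # bursty build job
    ProcessSample(202, "kworkerd", [99] * 8, [("203.0.113.10", 4444)]),      # miner posing as a kernel thread
    ProcessSample(303, "chrome-renderer", [96, 94, 97, 98, 95, 99, 97, 96],
                  [("cdn.example-pool.net", 443)]),                           # in-browser miner
    ProcessSample(404, "sshd", [1, 0, 2, 0, 1, 0, 0, 1], [("203.0.113.5", 22)]),
    ProcessSample(505, "backup-agent", [90] * 8, [("backup.example.org", 443)]),  # busy but benign
]

if __name__ == "__main__":
    for pid, name, verdict, reasons in triage(SAMPLES):
        print(f"{pid:>4} {name:<16} {verdict:<13} {'; '.join(reasons)}")
```

Run against the constructed samples, the disguised miner and the browser renderer come back as "likely miner", the busy backup agent only as "review", and the compiler (hot for part of the window, then idle) and sshd are not reported at all. The point of the two-indicator rule is exactly that: CPU load alone would flag every build server, and a pool-like connection alone is a weak signal, but the pair matches the full-capacity-plus-coordinator pattern the text describes.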

This example shows that few things stimulate human ingenuity – though, in this case, criminal ingenuity – as much as the possibility of obtaining quick gains. Therefore many ideas for developing malware or illicitly using vulnerabilities originate in the cybercrime domain. Unfortunately, developments in cyberspace very rarely remain confined to one area, since it is so easy to copy and use good (or bad) ideas and code. For example, last year untargeted ransomware (“untargeted” because the cybercrime goal is, obviously, to obtain the widest possible reach for its money-making activities) was used as a decoy to cover other types of attacks, as in the case of Petya/NotPetya. This was ransomware code based on the same exploit used by WannaCry, but the encryption key used to cipher the disk was unrecoverable, making it a disk wiper, and the vector used for dissemination was the most widely used Ukrainian tax and accounting software, making it a targeted attack.

“Cybercrime” obviously allows for some degree of plausible deniability that can be useful to muddy the cyber waters when actors prefer to bury actions under layers of doubt. To continue with the same example, following in the footsteps of Petya/NotPetya, a new ransomware (dubbed BadRabbit) was recently spread through a dissemination vector targeting only Russian computers. Many thought that compromising the supply chain of the Russian version of a very popular piece of software was, in fact, an act of retaliation. However, BadRabbit was a full-fledged ransomware, allowing payment and recovery of the encryption key. Hence, even though the software caused high disruption, the hypothesis that its spread was an act of retaliation was thinly supported by evidence.

The examples above clearly show that:

• there is a high degree of overlap between techniques used by criminals and other malicious actors;

• there is a certain degree of uncertainty / overlap between the two groups, partly because state actors and targeted attack groups (both more interested in espionage or sabotage than in straight money raising) like to muddy the waters regarding this issue;

• there is a clear indication that crime is a collateral activity for many cyber actors and contributes not only to building technical innovations, but also new “business models”.

If we focus a little on what we could call “criminal cyber business models” the innovation in this field is again significant for many different reasons.

At the beginning of the Internet era, crime quickly discovered the value of e-commerce and started applying this approach to the cyber world. The general public in fact discovered the dark web when news was published about the e-commerce activities ongoing in that domain, where it was, and still is, possible to find drugs, weapons, contraband, forgeries, stolen goods, chemicals and other illicit materials. “Silk Road” was probably the first dark web site whose name reached public opinion. The second step in the criminal innovation of business models was to start selling not illicit goods but illicit software, making it possible for almost anyone to find different types of malware – at different prices according to their uniqueness and value – applicable to any criminal scheme, from small to large. As an example, SpyEye, a large financial fraud (estimated to exceed $1 billion in the US alone) discovered and prosecuted by the US DoJ in 2013, was based on a malware toolkit developed by a Russian computer scientist, sold on a Russian dark web site and bought by an Algerian who used it to create a botnet collecting financial data (access to accounts, credit cards, etc.) from more than 50 million computers. The third step was the shift to a service-based model, delivering “Crime-as-a-Service” platforms and software, allowing criminals to manage their operations in a cloud-like approach, mimicking the “sharing economy” in which the service provider does not need to own the assets required to carry on its business. According to dark web sources, for instance, the cost of hiring a botnet to deliver 1 hour of DDoS attack amounts to less than $20.

The last step (until now, at least) has been to start selling not the malware, but the outcomes of the malware, i.e. financial data, credit card numbers, credentials to many types of accounts, up to full stolen identities. This market is flourishing, and it is frightening to discover that credentials to log into bank accounts are priced at a percentage of the value of the account itself, or that credit card data can be bought starting from $0.50 up to $100 according to the country, type, level and amount of details available for each card.

Once again, cyberspace demonstrates its pervasiveness. It is truly the mirror of the physical world in which we all live, and we cannot consider it strange that all the types of human behavior that we find in the real world have their cyber counterpart. The good news is that, from a technical viewpoint, the approach to fighting cybercrime is very similar to the approach to fighting any other malicious activity in cyberspace: vulnerabilities and attack vectors are shared across different groups, and when security providers stay abreast of technical evolutions in malware, they can protect their clients from different kinds of actors. Obviously, awareness, training and the “human factor” play, as usual in the cyber context, a significant role in protecting assets and data.

From the viewpoint of security agencies, instead, the situation is much more complicated. Cybercrime is a truly global phenomenon (see, for example, the above-mentioned SpyEye botnet). Therefore, discovering and prosecuting criminals requires a long time, undercover activities and cooperation among different states and agencies: this is not easily obtained and, in some cases, could also be “softly” discouraged because of contamination and plausible deniability, as discussed above.

To conclude, implementing cyber security and creating cyber awareness are the two most important priorities to protect against cybercriminals: they offer the best chance of being rapidly effective against threats that are often untargeted and less sophisticated than targeted attacks or APTs [6]. If these are the priorities, the collaboration between the public and private sector and the role of security providers such as Leonardo in delivering cybersecurity tools, services and training must be, once again, considered particularly relevant in the global fight against cybercrime.

1. Luciano Floridi, “The Fourth Revolution, How the Infosphere is Reshaping the World”, Oxford Press, 2014 (“La Quarta Rivoluzione, Come l’infosfera sta trasformando il mondo”, Cortina, 2017).

2. “Botnets” are networks of infected computers performing some tasks for the malicious organization controlling the infection.

3. “DDoS – Distributed Denial of Service” is an attack aimed at disrupting the capability of a digital asset to perform its main task by saturating its networking and/or computing capabilities through a flood of legitimate requests.

4. Internet Security Threat Report, n. 23, April 2018, Symantec Corporation.

5. Generally the “Monero” cryptocurrency has been targeted since it is easier to mine than Bitcoin and it is fully anonymous. The value of Monero in 2017 rose from $12 in January to $321 in December.

6. An Advanced Persistent Threat (APT) is a sophisticated form of attack capable of infecting an organization’s networks and computers for a long period of time, slowly collecting data, performing a progressive expansion across the network itself and slowly exfiltrating data or staying quiescent until a massive exfiltration or other action is required.

CYBERCRIME AS A SERVICE

Corrado Giustozzi

PSG, Enisa

Crime has existed since the beginning of human society, and cybercrime has existed since the beginning of the digital society. However, as noted by the European Commission in the introduction to the Cybersecurity Strategy of the European Union [1]: “Recent years have seen that while the digital world brings enormous benefits, it is also vulnerable. […] The EU economy is already affected by cybercrime activities against the private sector and individuals. Cybercriminals are using ever more sophisticated methods for intruding into information systems, stealing critical data or holding companies to ransom.”

In effect, nowadays the major threat agents are no longer improvised amateurs or wannabe hackers, as they were in the past, but structured, motivated and competent organizations, which are well funded and provided with significant resources because they mostly belong to transnational organized criminal cartels. And what is worse is that professional cybercriminals have started to sell tools and services to less-organized individuals or gangs, thus enabling them to carry out sophisticated criminal actions in cyberspace as well.

CYBERCRIME: NO LONGER A BUSINESS PER SE

Cybercrime is now a consolidated business, based on a well-run and efficient supply chain. It starts with the development of technical components for the attack (usually contracted to specialized experts), goes through the monetization of illegal profits (often via virtual currencies), and ends with the laundering of dirty money (commonly outsourced to traditional crime organizations).

The most striking result of this progressive industrialization of cybercrime is perhaps the creation of an entire portfolio of “professional services” which are offered by sector organizations to those who, not being regular criminals, nevertheless seek some specialized collaboration which could help them quickly put in place some lucrative but illegal activity. This ‘customerization’ of cybercrime is known as “Crime-as-a-Service”, a term that covers a broad and well-structured offering ranging from the development of custom malware (including such things as “ransomware-in-a-kit”) to the massive deployment of attack vectors through “satisfaction guaranteed” spam campaigns based on millions of real and reliable email addresses; and again, from the handling of huge Distributed Denial of Service attacks down to the illegal mining of bitcoins using botnets made up of hundreds of thousands of unaware end-user computers or compromised computing infrastructures in the cloud.

Evidence of such hidden activities can be found in recent data from several threat monitoring sources, all of which report steady growth either in the number of botnets or in the number of Command and Control (C&C) servers, the management centers from which botmasters issue commands and program the activities to be performed by the compromised computers that make up the botnets. This is a clear indication that these kinds of cybercrime-enabling infrastructures are built not only for direct use by criminal organizations but also to be rented out, so to speak, to "third parties".

NEW TERRITORIES ON THE CYBERCRIME LANDSCAPE: IOT AND CLOUD

It is also interesting to note that the fastest growing botnets are now those related to cloud services and "Internet of Things" (IoT) devices. The latter in particular are the ideal victims of this threat, as they are more vulnerable and therefore easier to compromise than traditional servers; despite being equipped with relatively scarce computing resources, IoT devices are so numerous that they constitute a powerful army in the hands of bad guys. Evidence of this is the fact that recently recorded DDoS attacks, originating from compromised small devices such as surveillance cameras or home ADSL routers, are more massive than those that were common until some time ago, both in duration (even several days) and in bandwidth.

This increase in offensive power is also due to the use of "attack amplification" techniques never seen before. These were developed because traditional techniques (for example, those based on the NTP protocol) are proving less and less applicable, owing to the progressive spread of protocols and systems not affected by the vulnerabilities that allowed malicious users to obtain the amplification effect.

Other recent data emerging from specialized reports show an increase in the number of compromises related to cloud services: both Amazon Web Services and Google Cloud Platform have been victims, usually through the use of fraudulent accounts. The computing power illegally gathered by criminals in the cloud is sometimes used to run botnets or launch DDoS attacks, but more often to perform specific tasks that require large processing capacity, such as cracking complex passwords and/or massive password lists obtained from leaks, or mining Bitcoin. By now it is no longer profitable to mine Bitcoin at home, since the energy cost required is likely to exceed the expected gain. It is therefore very common to find massive hidden mining operations that run entirely on the shoulders of computing systems "kindly" made available to illegal organizations by unaware users, who then unwittingly bear the related costs.

ATTACK TOOLKITS AND NEW VICTIMS

It is worth noting that in the recent past, sophisticated "attack toolkits" have appeared on the market, specifically developed to target new, and more profitable, classes of victims. Last year, several operators in the power generation and oil & gas sectors were hit by a specialized malware designed to attack the most common industrial control systems. More recently, a few healthcare organizations were threatened by a new malware specifically designed to target medical diagnostic systems.

The healthcare sector has become one of the favorite targets of cybercriminals: attacks on companies and medical facilities are constantly increasing, and the sector is completely unprepared to face them. The reason for this escalation of the threat is twofold: compared to other sectors, healthcare has much more to lose and is inherently much more vulnerable, which makes it the perfect victim.

This in turn depends essentially on two factors. On the one hand, the ICT infrastructure of healthcare organizations is often not state of the art, and sometimes even obsolete; this is especially true of electro-medical and diagnostic systems such as RIS-PACS, which are often still based on operating systems that are no longer supported (such as Windows XP). On the other hand, there is a growing tendency, driven by obvious needs, to interconnect systems that in the past were essentially stand-alone: this exposes to external threats many critical systems that should not be easily reachable by intruders or malware, and which are neither inherently secure nor even well protected against intrusion and attack.

The result is that more and more criminal organizations are targeting the healthcare sector, either for extortion (usually based on ransomware or DDoS attacks) or to steal patients' clinical data. And more and more often those attacks are conducted by several organizations cooperating, some of which simply sell specialized, state-of-the-art cybercrime services or products to the others.

THE (CHEAP) PRICES OF CYBERCRIME SERVICES

It is also remarkable to discover that growing competition among resellers of cybercrime goods has recently led to a substantial decrease in the prices of services and products in this special kind of black market, which is usually hosted on the so-called Dark Web.

For one, the cost of a massive Denial-of-Service attack has dropped from the $80-$100 per hour
