Law Enforcement & Investigations, Vienna 27-29.03.2019
TRANSCRIPT
Council of Europe approach on cybercrime
"Protecting you and your rights in cyberspace"
• Common standards: Budapest Convention on Cybercrime and related standards
• Capacity building: C-PROC technical cooperation programs
• Follow up and assessments: Cybercrime Convention Committee (T-CY)
LEA & INVESTIGATIONS
Are governments able to meet their obligation to protect individuals and their rights in cyberspace?
Council of Europe approach on cybercrime
Rule of law in cyberspace
• Cybercrime: offences against confidentiality, integrity and availability of computer data and systems; offences by means of computers; electronic evidence
• Cybersecurity: security, confidence and trust in IC&T
• Human rights and rule of law; human development and democratic governance
"Protecting you and your rights in cyberspace"
• National legislation based on common standards: Budapest Convention on Cybercrime and related standards
• National specialized bodies: investigation; prosecution; specialized training
• International cooperation
• Public-private cooperation
• Public policies: prevention; education
ROMANIA's approach on cybercrime
CYBER SECURITY THREATS (CYBERINT bulletin):
• Some activities traditionally associated with a class of actors are carried out by other entities that usually have other motivations;
• The use of open source tools makes the attribution of illegal activity to a certain actor very difficult;
• Cyber threats generated by entities with a strategic motivation continue to be among the most important threats to Romania's cyber security, targeting mostly critical national IT&C infrastructure;
• The most important objective of these actors remains strategic data exfiltration, carried out through attacks known as Advanced Persistent Threats (APT);
• Modus operandi: social engineering, spear-phishing, the use of C&C servers in multiple layers, or vulnerability scanning.
CYBERCRIME TRENDS:
• Ransomware attacks, mainly by self-propagating malware. They do not target a certain victim profile, therefore the area of propagation might be unlimited (art. 5 and art. 6 BCC);
• Social engineering tactics used for committing fraud (phishing, spear-phishing, vishing, smishing); man-in-the-middle and man-in-the-browser techniques used mostly for hijacking money transfers (art. 7-8 BCC);
• Use of the Cobalt Strike platform for attacks against the banking system; specialization and excellent coordination of the offenders; hijacking of computer system control (art. 2-4, art. 6 and art. 8 BCC);
• Cryptocurrency mining and crypto-jacking (art. 2 and art. 6 BCC);
• Deep insert skimming and associated crimes (art. 2 and art. 6 BCC);
• Use of cryptocurrencies for appropriation of the benefits obtained through crimes.
JACKPOTTING
A bank in Romania receives on XX.XX.XXX, on one of its official email addresses, messages apparently coming from an email address pertaining to the domain europa.eu, with the subject "Challenges for European banks", signed:
"General public enquiries. For information about the ECB's activities, please contact us by e-mail or phone from Monday to Friday between 8:30 and 17:30 CET.
[email protected] +49 69 1344 1300"
Attachment: rules for European banks.doc
Once the attachment is opened:
• a temporary file is generated on the target system: ~$e rules for European banks.doc;
• the Cobalt Strike application starts to run in the volatile memory of the target system;
• other temporary files are created in Windows;
• a connection is opened to a C&C server, allowing the perpetrators to run different commands on the target system in order to obtain information about the network and its users;
• credentials are exfiltrated, followed by a set of commands with the purpose of modifying privileges.
As a consequence:
• within 90 min. 20 computers had been infected, among which 2 systems, C026N11 and C026ATM3, belonging to the bank's ATM network;
• new files were downloaded and installed with different functions, among which: overriding critical files such as Master Boot Records or legitimate predefined commands;
• remote connection to ATMs;
• commands run to dispense money from the infected ATMs (31).
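An added detection example (not part of the presentation or DIICOT's material) for the chain just described: per host, a document open followed within minutes by an outbound connection to an address outside the allow-list, then several hosts calling the same external address within the 90-minute spread window, with the ATM-network hosts singled out. The ATM host names come from the case; the workstation names, the addresses, the timestamps and the allow-list are constructed assumptions.

```python
from datetime import datetime, timedelta

ATM_HOSTS = {"C026N11", "C026ATM3"}  # ATM-network hosts named in the case
KNOWN_GOOD = {"10.0.0.5:443"}        # constructed allow-list of internal services

# Constructed sample telemetry (time, host, event, detail); not real bank logs.
SAMPLE_EVENTS = [
    ("16:02", "WS-017", "doc_open", "rules for European banks.doc"),
    ("16:02", "WS-017", "file_create", "~$e rules for European banks.doc"),
    ("16:03", "WS-017", "net_connect", "203.0.113.45:443"),
    ("16:10", "WS-017", "net_connect", "10.0.0.5:443"),
    ("16:25", "WS-031", "net_connect", "203.0.113.45:443"),
    ("16:40", "WS-044", "net_connect", "203.0.113.45:443"),
    ("17:05", "C026N11", "net_connect", "203.0.113.45:443"),
    ("17:20", "C026ATM3", "net_connect", "203.0.113.45:443"),
    ("18:30", "WS-009", "net_connect", "198.51.100.7:443"),
]

def _t(s):
    return datetime.strptime(s, "%H:%M")

def patient_zero(events, max_gap=timedelta(minutes=10)):
    """Hosts where an Office document open is followed within max_gap by an outbound connection off the allow-list."""
    opens, hits = {}, set()
    for ts, host, kind, detail in events:
        if kind == "doc_open":
            opens[host] = _t(ts)
        elif kind == "net_connect" and detail not in KNOWN_GOOD and host in opens:
            if _t(ts) - opens[host] <= max_gap:
                hits.add(host)
    return hits

def beacon_clusters(events, window=timedelta(minutes=90), min_hosts=4):
    """{address: sorted hosts} for off-allow-list addresses contacted by >= min_hosts distinct hosts within window."""
    by_addr = {}
    for ts, host, kind, detail in events:
        if kind == "net_connect" and detail not in KNOWN_GOOD:
            by_addr.setdefault(detail, []).append((_t(ts), host))
    clusters = {}
    for addr, conns in by_addr.items():
        conns.sort()  # sliding window over connection times, earliest first
        for i, (start, _) in enumerate(conns):
            hosts = {h for t, h in conns[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                clusters[addr] = sorted(hosts)
                break
    return clusters

def atm_exposure(clusters):
    """ATM-network hosts inside any cluster: the foothold used for remote dispensing in the case."""
    return sorted(h for hosts in clusters.values() for h in hosts if h in ATM_HOSTS)
```

The thresholds (10 minutes, 90 minutes, 4 hosts) are assumptions chosen to match the timeline in the case; a real deployment would tune them against the bank's baseline.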
CASH-OUT: on the same day, between 17:38-19:44 and 21:50-00:29, on 31 ATMs in 9 cities: 3.818.000 lei (830.000 Euro)
1 perpetrator identified during the cash-out operation (around 17.300 EURO delivered)
Evidence used:
• Computer search (bank's computers; perpetrator's mobile terminals)
• Call records
• Images
• Malware analysis and expert opinion
INDICTMENT
Art. 367 CP - organized crime group
Art. 249 CP - computer fraud (art. 8 of CCC)
CONVICTION: 4 years and 10 months imprisonment
The investigation continues against approx. 60 other persons who haven't been identified yet.
Article 360 CP - illegal access to a computer system (art. 2 of CCC)
Article 362 CP - computer data interference, alteration of computer data (art. 4 of CCC)
Article 363 CP - serious hindering of a computer system (art. 5 of CCC)
Article 249 CP - computer fraud (art. 8 of CCC)
CHALLENGES
• High level of specialization and organization of the OCGs (good knowledge in planning and synchronization);
• Encryption; anonymity; evidence gathering within an international context;
• Information/intelligence/cooperation between the public and private sector; reporting system;
• Insufficient/inefficient protection measures and awareness programs/education in the private and public sector;
• Large number of vulnerable IT systems.
LESSONS LEARNT
Critical:
o Reporting and responding time;
o Possibilities for immediate cooperation and intelligence gathering;
o Procedural powers for evidence gathering;
o Existing legislation that criminalizes different types of attacks.
Advantages offered by: existing specialized units; knowledge and tools to investigate & prosecute.
Thank you!
Ioana Albani, Deputy chief prosecutor
Directorate for Investigating Organized Crime and Terrorism
www.diicot.ro