
Catching hackers the old-school way

Last Updated : 16 May 2017, 18:37 IST


Bank robbers wear masks and escape in vans with stolen licence plates. Kidnappers compose ransom letters from newsprint to elude handwriting experts. Burglars target houses with the upstairs window ajar. Cybercriminals do much the same. They hide behind software that obscures their identity and leads investigators to look in countries far from their actual hideouts. They kidnap data and hold it hostage. And they target the most vulnerable companies and people whose information is poorly protected.

Cybercrimes, like the global ransomware attack that began on Friday and has affected lakhs of computers in more than 150 countries, are in a way an updated version of ancient criminal methods. And in the global search for the criminals that continued on Sunday, investigators are following much the same process that detectives in the physical world have used for decades: secure the crime scene, collect forensic evidence and try to trace the clues back to the perpetrator.

But for all of their similarities to traditional crimes, cyberattacks have major digital twists that can make them much harder to solve and can greatly magnify the damage done.

The latest attack has claimed at least 2,00,000 victims worldwide, according to an estimate on Sunday by Europol, Europe’s police agency, and new variants of the malware are emerging, leading security experts to warn that the fallout could spread as people return to work. Such a large, complex and global crime outbreak means any hope of a successful investigation will require close teamwork among international law enforcement agencies — like the FBI, Scotland Yard and security officials in China and Russia — often wary of sharing information with one another.

“With cybercrime, you can operate globally without ever having to leave your home,” said Brian Lord, a former deputy director for intelligence and cyberoperations at the Government Communications Headquarters, Britain’s equivalent of the National Security Agency. “Catching who did this is going to be very hard, and will require a level of international cooperation from law enforcement that does not come naturally.”

The only institutional arrangement for international cooperation on cybercrime is the so-called Budapest Convention, whose membership is largely restricted to Western democracies, said Nigel Inkster, a former assistant chief of Britain’s secret intelligence service, MI6.

Authoritarian states such as Russia and China have refused to sign on to the agreement because it permits the digital equivalent of hot pursuit: A police force investigating a cybercrime can access networks in other jurisdictions without first seeking permission. “Any investigation of the recent ransomware attack will have to be done by a coalition of the willing,” Inkster said.

As with a physical crime scene, the first step with any cyberinvestigation is to make sure the criminal is no longer hiding out, about to pounce again.

“Before we get into who did it, we try to figure out if the bad guys still have access,” said Theresa Payton, a former chief information officer of the White House and founder of Fortalice, a cybersecurity firm. “Are they still hiding? Are they going to come back tomorrow? Is the door that let them in still ajar? Can they inflict more pain?”

“And if so, where are they?” she added. “How do we cordon them off to mitigate further damages?”

Instead of searching the closets of a property that has been broken into, investigators will examine the affected server, online software caches and emails to identify any malware that might not have been activated yet.

In the case of the ransomware that was unleashed on Friday and is known as WannaCry, Wcry or Wanna Decryptor, it was quickly determined that updating Windows software with the latest security patch was enough to inoculate computers that had not been infected. Then the forensic work begins, with agents looking for digital fingerprints.

Because of the highly technical nature of these investigations, private data security teams can be expected to help in the search. That includes working directly with law enforcement to uncover clues left behind by the attackers, as well as tracking the virus and its effects separately to protect their corporate clients.


Infected link

In the WannaCry case, the phishing emails sent by the criminals with the infected link are a key piece of evidence. Patricia Lewis, the international security research director at Chatham House in London, likened the text of the email to a physical letter and its metadata to the envelope it arrives in.

“An envelope has lots of information on it: the stamp with the time and place it was sent from, the handwriting or printer type, a sender’s address, maybe a fingerprint or DNA from saliva on the seal,” Lewis said. Criminals are aware their emails contain revealing clues, and they try to cover their tracks. “People use cloakers, which hide your identity, making you look as if you are someone and somewhere else,” she said.

Like tracing the licence plates of a stolen car back to the wrong person, this can lead investigators astray. “But a good detective can track them,” Lewis said. “They always leave digital breadcrumbs that can be followed.” Investigators in the latest attack are looking for clues in the ransom notes written in more than 20 languages. Some suggested that the assailants might have connections to China because the Mandarin version of the text was better written than its English equivalent.

Once equipped with enough identifying data to start narrowing down suspects, investigators will go undercover to listen to the chatter on technology boards where cybercriminals are known to spend time. “It’s like using an undercover operative purporting to be part of a criminal gang, except it’s online,” Inkster said. “Half the dark web are cyberagents these days,” Lewis joked. “They’re tripping over each other.”

Published 16 May 2017, 17:42 IST
