Mike Hulett, head of operations at Britain’s National Cyber Crime Unit, delivered a speech on UK-focused cybercrime at the Security and Counter Terror Expo in London, which Government Europa attended.
In March, Government Europa attended the Security and Counter Terror Expo in London, UK, where Mike Hulett, head of operations at Britain’s National Cyber Crime Unit, delivered a presentation on some of the biggest cybercrime threats facing the UK and who and what they are affecting.
He began by highlighting the scale of the challenge experienced by the law enforcement personnel involved in investigating, and hopefully solving, cybercrime. He explained that while traditional crime inevitably leaves a trail of evidence that can be followed with relative ease, crime that takes place in cyberspace is much harder to investigate and therefore solve.
He used the example of the Hatton Garden safety deposit box robbery which saw a gang of burglars drill through a hole in the wall to steal diamonds estimated to be worth millions of pounds. The career criminals responsible were, he said, “armed robbers of some repute; they had known each other since they were kids; they met in the same pub; they drank at the same table every week and they met up and talked about their plans and what they were going to do with the money.”
And, of course, they had to be physically present at the scene of the crime. Because of the amount of CCTV in the Hatton Garden district of London, a consequence of the nature of many of the businesses there, the officers investigating the robbery were later able to see them conducting reconnaissance of the premises they burgled.
“The point I am making,” he said, “is that while there is a huge amount of money to be made in crimes like this, they leave a large number of investigative trails for us in law enforcement to follow. And follow them we did and they were caught fairly quickly.
“This is not, however, the organised crime picture that we are seeing from a cyber perspective.”
Indeed, he argued that increasingly criminals are finding that there is no need to take the kind of risk that the Hatton Garden gang took, when they can make even more money with relative safety “just by using a keyboard and a dongle, rather than a big drill to drill through a wall.”
The prevalence of cybercrime in the UK
Hulett then informed his audience of just how prevalent cybercrime is becoming in the UK. He explained that in 2017 “about half of all recorded crime in the UK involved cyber in some way,” while some 68% of large UK businesses have also identified a cyber security breach or attack in the last 12 months.
He continued: “This is a threat, and it is there for everybody and in some way. From a victim perspective, we need to get over some of the sensitivities and realise we need to work together to have a lasting effect.”
Perhaps even more concerning was the fact that Hulett revealed that many police chiefs and police and crime commissioners around the UK “actually refuse to believe that they have a cybercrime problem.”
Turning his attention to the different kinds of cybercrimes that have been witnessed in the UK, he said that while the trends do not change dramatically year on year, there are nevertheless different types and different frequencies emerging. For instance, he explained that those attacks which are designed to steal financial data are becoming of increasing concern, while DDoS (Distributed Denial of Service) attacks – such as those which hit Dyn and GitHub – are becoming increasingly powerful (the attack on GitHub, Hulett said, saw traffic of 1.3 terabytes per second).
Ransomware, he continued, is currently by far the most prevalent type of cybercrime, and this is no longer restricted to people being locked out of systems or the encryption of files. “We are also seeing some quite subtle attacks as well,” Hulett said, and these have included criminals gaining entry to their target’s system and changing words on contracts or files so as to make clauses in contracts either redundant or inverted.
The theft of data is also of growing concern. “Data is valuable,” Hulett said. “That is the key message,” and yet the average person is typically not overly cautious when it comes to protecting it – Hulett here used the example of the number of people in his audience who would have logged on to the conference’s free WiFi today, which potentially made them more vulnerable to the type of cyberattack designed to steal their personal data.
There are also attacks which, Hulett explained, masquerade as ransomware but are actually designed to simply destroy and wipe systems with no attempt to actually make money.
While there are inherent complexities to cybercrimes, they can, according to Hulett, essentially be boiled down to relatively few different ways through which individuals or businesses can be attacked, “the first and most prevalent of which is people.”
“People,” he said, “are our biggest asset… but sometimes they are also our biggest weakness. Most malware either relies on people physically doing something or not physically doing something,” and, he added, most people are connected to the internet with one or more devices and are therefore vulnerable to attack.
Indeed, he also explained that people can often be the way in which criminals access a business’s systems: “We all like to work remotely and we all want to access company systems from our phones and tablets etc. They get lost, they get stolen, they get easily compromised. If I am a criminal, why am I going to compromise the £100,000 firewall at your company when I can compromise your £100 phone in the pub? We can make it easy for criminals, sometimes.”
What is law enforcement’s role in cybersecurity?
Hulett then returned to law enforcement’s role in cybersecurity, and here, he said, there are perhaps three main things that they can do. First, he said, the UK is seen by criminals as a high reward environment, and so law enforcement is now looking to make it less profitable for criminals.
“We also want to raise the risk,” he continued. “Again, there is a perception that you are unlikely to be caught when you commit a cybercrime and if you do, then will you get the sentence that your crime deserves? Probably not.”
Finally, he said, law enforcement is also trying to raise the cost: “Cybercrime, whichever way you look at it, is cheap; it is a very cheap weapon for criminals and a cheap weapon in the truest sense as well for other actors who might seek to do things… the idea that cybercrime is really sophisticated and you need a whole bunch of infrastructure behind you is not true; and so we need to make it harder.”
Nation state actors and cybercrime
Is it possible to differentiate between nation state activity and criminals? Hulett asked the question rhetorically and, he said, from a tactical perspective it is really very difficult to tell. “Yes,” he said, “we have to marry up intelligence and so on, but what we would see a nation state doing on someone’s system and what we see a pretty good cyber criminal doing on someone’s system is pretty much the same. Unless you have that surrounding intelligence, and unless you are joined up with all the partners that we are indeed joined up with, it is difficult for us to tell whether we are dealing with a criminal or a nation state actor.”
The Dark Web
According to the European Monitoring Centre for Drugs and Drug Addiction, over the last decade, virtual markets have been changing the dynamics of how drugs are bought and sold.
Dimitris Avramopoulos, European Commissioner for Migration, Home Affairs and Citizenship, has said: ‘Almost any kind of illegal drug can be bought today on the internet and delivered by mail, with no face-to-face contact between buyer and dealer. The illicit market is evolving, and so should our efforts to eliminate it. We should stop the abuse of the internet by those wanting to turn it into a drug market. Technology is offering fresh opportunities for law enforcement to tackle online drug markets and reduce threats to public health. Let us seize these opportunities to attack the problem head-on and reduce drug supply online’.
The so-called ‘dark web’ – the part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable – is, Europol says, one manifestation of the increasingly complex nature of transnational organised crime in the EU when it comes to illicit trade.
The organisation argues in a new report that ‘darknet markets’ – also known as cryptomarkets – ‘provide a largely anonymous platform for trading in illicit goods and services. Drugs are estimated to account for around two thirds of darknet market activity. Almost any type of drug is accessible to buyers with basic technical understanding within a few clicks, including new psychoactive substances. This development poses a significant threat to the health and security of citizens and communities across the EU.’
Europol director Rob Wainwright has also called the internet, and especially the darknet, the “new field of action” of organised criminals in the European Union.
As part of its response to the threats posed by activity on the dark web, the EU has outlined details of a new consortium dedicated to preventing illegal activities tied to virtual currencies and the dark web.
This group, called ‘Titanium’ (Tools for the Investigation of Transactions in Underground Markets), consists of 15 members from seven European countries that will develop technical solutions for investigating and mitigating these types of illicit activities.
Ross King, a senior scientist at the AIT Austrian Institute of Technology and co-ordinator of the Titanium project, which is backed by European law enforcement agencies and Interpol, said: “Criminal and terrorist activities related to virtual currencies and darknet markets evolve quickly and vary in technical sophistication, resilience and intended targets.”
“The consortium will analyse legal and ethical requirements and define guidelines for storing and processing data, information, and knowledge involved in criminal investigations without compromising citizen privacy,” King concluded in the European Commission’s announcement of the new consortium.
This is further complicated by the very nature of cybercrime and the physical distance that the internet allows. Hulett returned here to the Hatton Garden burglars: this group of criminals knew one another and met regularly. In cyberspace, however, this is not necessary and, in many cases, the criminals who work together are located in different countries or continents and may never have met in person, meaning that the investigative challenge from a cybercrime perspective is that much harder.
The cyberattack against the NHS
Hulett also used his presentation to discuss the cyber-attack on the NHS last year. This, he said, was an attack which, perhaps for the first time, caught the public consciousness. He explained: “Previously, cybercrime was seen as something of a victimless crime; if you were a victim then you probably managed to get your money back (at least most of the time),” but this attack, for the first time, demonstrated real-world consequences – people were unable to have the operations and procedures they needed, for instance.
Yet, according to Hulett, those responsible for the attack had targeted the NHS by accident; nevertheless, the subsequent law enforcement investigation was extremely complex. Hulett showed his audience a map of the various NHS trusts which were hit by the attack, explaining that they were all crime scenes from a law enforcement perspective. “They are all victims that need a victim response,” he said. “They are all sites that have forensic artefacts to be retrieved. And how we co-ordinate that and bring it all together is incredibly difficult.” This co-ordination is made even more difficult by the fact that there is an international scale to the investigation, with sites in numerous countries all being potential crime scenes.
As such, it is important for the different actors involved in the investigation to ensure that they are all chasing the same target, he said, adding that the UK and the USA have taken something of a lead in this investigation – which, at the time of writing, is still ongoing.
Bringing his presentation to an end, Hulett focused on a positive sign amidst the many attacks that the UK has seen: the fact that cybercrime is no longer being seen by organisations as being something restricted to the realms of the IT department. It is, he said, “a boardroom issue; it is a PR issue, an HR issue, a finance issue; it is an issue for the CEO but increasingly CEOs themselves are people who are being personally targeted.”
And this final sentiment is perhaps one which needs to be extrapolated beyond the business sphere and into the private one: we are all potential victims, and we all have a role to play in protecting ourselves – and therefore, by extension, other people and the infrastructure with which we interact – from those who exploit cyberspace for criminal ends.