Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Nation-State and Crime Groups Keep Blending, Europol Warns

More Advanced Attack Tools Easier to Access, Europol's Steven Wilson Warns
Nation-State and Crime Groups Keep Blending, Europol Warns
Steven Wilson, head of Europol's EC3, speaks on March 27 in Edinburgh, Scotland. (Photo: Mathew Schwartz)

Distinguishing nation-state attacks from organized crime continues to grow more difficult because some attackers wear both hats, a Europol official reports. Further complicating the picture: Young attackers enjoy access to ever-more sophisticated and inexpensive tools and services.

See Also: Live Webinar | Digital Doppelgängers: The Dual Faces of Deepfake Technology

"The problem we see now is that ... you can be nation-state by day, organized crime by night. You have a mandate to operate as long as you don't do anything in your own country," said Steven Wilson, head of Europol's European Cybercrime Center, speaking Wednesday at the fifth annual ScotSecure cybersecurity conference in Edinburgh, Scotland.

Europol's EC3 works to help EU member states and other partners stop cybercrime, albeit in a supporting role, by gathering and providing intelligence as well as providing real-time operational support.

"We're not the European FBI; we're not allowed to go and kick in doors," Wilson said. He joined Europol in 2016 after serving for 30 years with Police Scotland, working in roles that ranged from major investigations and counterterrorism to covert policing.

Law Enforcement Intelligence

Europol includes representatives from law enforcement bodies inside all 28 EU member states, as well as international partners, including the FBI. Of course, many of them do have cause to kick down doors in the course of their investigations.

Meanwhile, cybercrime tools and tactics continue to change at a rapid pace. Wilson said that every four years, his Europol counterterrorism and organized crime colleagues release a major new report on the trends they see, while his group publishes an annual report: EC3's Internet Organized Crime Assessment (see: Cybercrime: 15 Top Threats and Trends).

Beyond the hoodie: Europol's latest threat report rounds up the biggest online threats

Take online scams: "Nigerian prince" and 419 scams once dominated. Increasingly, however, Europol sees these groups evolving to use more advanced phishing attacks, including business email compromises, to steal not just hundreds or thousands of dollars but sometimes much more.

"What we're starting to see is the high-end spear phishing," Wilson said (see: French Cinema Chain Fires Dutch Executives Over 'CEO Fraud').

At Europol, three operations teams at EC3 respectively collect cyber intelligence, track major cyberattacks - such as WannaCry, NotPetya, and attacks on the banking system targeting users of the SWIFT interbank messaging system - as well as online child sexual abuse. Wilson said the latter is arguably his group's most important work.

A new team at EC3 also looks at threats and challenges associated with the dark web, such as suppliers of fentanyl and child-abuse material, which he said "is endemic across the web."

Europol also helps coordinate investigations and disrupt everything from darknet marketplaces to money mule operations. "We were heavily involved in the takedowns of the AlphaBay and Hansa markets," Wilson said, noting that Europol is also looking for cases "where we can destabilize this huge threat to the population."

At the same time, Europol is trying to help member states respond more quickly to cybersecurity crises. For example, it has published a new protocol to help coordinate the response to major cyberattacks (see: EU Seeks Better Coordination to Battle Next Big Cyberattack).

Cybercrime: Faster, Cheaper

But the state of attack tools is such that individual attackers can increasingly destabilize businesses as well as a nation's critical infrastructure.

"Ultimately a large portion of cybercrime relates to financial benefit," said Stephen Wilson, speaking at the ScotSecure conference in Edinburgh on March 27. "They need to cash out at some point."

For example, Wilson noted that last year, the banking system in the Netherlands - where he and Europol are based - was disrupted by distributed denial-of-service attacks. Dutch banks ABN Amro, ING and Rabobank were targeted.

Some commentators suggested, without any evidence, that the attacks had been launched by Russia after press reports surfaced that Dutch intelligence had been the first to warn its U.S. counterparts that the Democratic National Committee had been hacked by Russia's Cozy Bear hacking team in 2015 (see: Steele Dossier Case: Expert Traces Spear-Phishing of DNC).

But was Russia involved? "No, it was an 18-year old teenager from Leiden," Wilson said, referring to Dutch authorities having arrested a suspect in the southern Dutch city in January 2018. "Five years ago, that would have been a nation-state attack."

Target: Ringleaders

Europol is helping to coordinate cases and more actively bring them to fruition, with Wilson saying many now get closed within a year. Identifying and detaining ringleaders also remains a major goal, as happened via the AlphaBay and Hansa disruptions.

"Unless we can take these guys at the top level, they will continue to act with utter impunity," Wilson said.

Europol has also continued to focus on disrupting money mule operations (see: Don't Be a Money Mule for the Holidays).

"Ultimately, a large portion of cybercrime relates to financial benefit," Wilson said. "They need to cash out at some point."

During Europol's European Money Mule Action IV campaign, which ran last September to November, Wilson said police in Europe made 168 arrests and identified 140 money mule organizers as well as 1,504 money mules.

Europol says many money mule operations rely on snaring end users via "work at home" and other schemes, and that many participants likely don't understand how they've been caught up in these activities (see: Cybercrime Gangs Advertise Fresh Jobs, Hacking Services).

No More Ransom Project

In February, No More Ransom released a free decryptor to unlock files infected with GandCrab, up to version 5.1.

The No More Ransom project that Europol helped launched in July 2016 continues to provide ransomware victims with free crypto-locked file decoders. Wilson said of the impetus: "We discovered that we were recovering keys from particular cases," while at the same time security firms were discovering weaknesses in ransomware crypto that they could use to build working decryptors.

No More Ransom now has 136 partners and a website that offers content in 36 languages. To access the decryptors, victims only have to upload two files - to see if they can be recognized and if a working decoder is available.

One recent success story involves GandCrab ransomware: "16,000 people in the past two and a half months have gotten their files back," Wilson said (see: The Art of the Steal: Why Criminals Love Cyber Extortion).

Brexit Uncertainty

Amidst the backdrop of Brexit uncertainty, Wilson declined to comment on Britain's planned departure from the EU.

"As a police officer I need to remain quite neutral on that one," he said in response to an audience question. "But security should be non-negotiable. ... I would hope that the security argument falls out of everything that's going on right now."

If the U.K. exits the EU without a deal, in theory, it will immediately lose access to Europol, European arrest warrants and a host of other law enforcement tools (see: No-Deal Brexit Threatens British Crime Fighting).

But Wilson said that even in a worst-case scenario, there are multiple ways of working with Europol. "You don't need to be a member state" to collaborate, he said, referring to the U.S., Australia, Canada and others who have law enforcement liaisons stationed at Europol headquarters in The Hague, Netherlands.

On the flip side, however, he said that criminals love to prey on uncertainty, of which there is an ample amount in circulation due to the Brexit debate.

"Anytime you've got people looking somewhere else, it's a potential opportunity for attacks to come," he said. "You have a perfect situation now to come at something from the opposite end."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.