UK-led cyber crime taskforce proving its worth, says top EU cyber cop

One month into a six-month pilot, a UK-led international cyber crime taskforce looks set to become permanent

Just one month into a six-month pilot, a UK-led international cyber crime taskforce looks set to become permanent, according to Troels Oerting, head of Europol’s European Cybercrime Centre (EC3).

EC3 is hosting the Joint Cybercrime Action Taskforce (J-CAT) set up in September 2014 to co-ordinate international investigations with partners, targeting key cyber crime threats and top targets.

Initiated by EC3, the EU Cybercrime Taskforce, the FBI and the National Crime Agency (NCA), the J-CAT is made up of cyber liaison officers from EU states, non-EU law enforcement partners and EC3.

Oerting said the unit, which is led by deputy director of the UK’s National Cyber Crime Unit (NCCU) Andy Archibald, is due for its first evaluation at the end of February 2015.

“There are already indications it will be extended for at least another six months, but I think it is likely to become permanent as it keeps acquiring cases and we are trying to get European Union (EU) funding for it,” he said.

Operation Imperium

In just one month, the unit notched up its first success by co-ordinating Operation Imperium, which resulted in 31 arrests and 42 house searches by Spanish and Bulgarian police, supported by EC3.

The raids took place mainly in Malaga, Spain and the three Bulgarian cities of Sofia, Burgas, and Silistra.

The operation was aimed at taking down an organised crime network suspected of a variety of crimes, including large-scale automated-teller-machine (ATM) skimming, electronic payment fraud and forgery of documents.

Eight criminal labs, including two very complex modern production sites for skimming equipment and counterfeit documents in Sofia and Malaga, were discovered and dismantled.

More than 1,000 devices – including micro-camera bars, card readers, magnetic-strip readers and writers, computers, phones and flash drives, as well as plastic cards ready to be encoded – were seized.

The cyber crime gang was using 3D printing equipment to produce fake plastic card slot bezels ready to be installed on bank ATMs and manipulated point-of-sale (POS) terminals.

“This was probably the most advanced print shop I have ever seen, including 3D-printing equipment,” Oerting told Computer Weekly.

Police officers also confiscated dozens of forged payment cards with records of PIN numbers, ready to be used at other ATMs.

Mobile offices set up by EC3 enabled direct access to Europol's databases for the cross-checking, analysis and exchange of intelligence in real time.

The cyber criminals were harvesting financial data from ATMs or compromised POS terminals in Italy, France, Spain, Germany and Turkey that was used to create fake payment cards.

The fake cards could then be used to withdraw large amounts of cash from ATMs outside the EU, in countries like Peru and the Philippines.

The case illustrates the cross-jurisdictional nature of cyber crime that typically adds a layer of complexity for law enforcement, particularly when non-European or allied states are involved.

“We are using J-CAT to highlight obstacles we encounter,” said Oerting.

“Even in the EU difficulties are caused by differences between member states in what is required for law enforcement officers to acquire an internet protocol (IP) address, for example.

“In some countries a police officer can do this, while in other countries police officers have to go to a prosecutor to obtain a warrant from a judge, which can lose valuable time,” he said.

Cyber criminals operating outside the EU

The biggest challenge, however, is when cyber criminals are operating from outside the EU.

“We are trying to solve this by engaging with several states outside the EU to enable joint investigations and, so far, we have been able to achieve results,” said Oerting.

“We will continue to pursue this and I hope we will be able to report the success on four test cases soon, and they will be the catalyst for more joint cases in future.”

Oerting again underlined the importance of sharing information, not only with other authorities but also with private companies.

In this regard, J-CAT also has a role to play. The unit is currently working on an encryption system that is designed to facilitate the exchange of data.

“J-CAT is working on encrypting data sets in such a way that they can be compared to see if there are any matches,” said Oerting.

The aim is to reduce concerns about privacy, because all the data will be encrypted, and to reduce the volume of data exchanged.

“Only if there is a match between the data sets – say of an IP address or particular kind of malware linked to a case, for example – will we put in an official request for that data, which we can then use,” explained Oerting.

This means law enforcement will not have access to the full data set of collaborators, but only to specific information that relates to ongoing cases.
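The article does not say how J-CAT's system works, so the following is an added illustration and not J-CAT's or Europol's design: one well-known way to compare blinded data sets for matches is Diffie-Hellman-style private set intersection, where each side blinds its indicators with a secret exponent and only doubly blinded values are compared. The names `Party`, `to_group` and `run_exchange` and the sample indicators are constructed for this example.

```python
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit safe prime, so Q = (P - 1) // 2 is prime too.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2

def to_group(item):
    """Hash an indicator into the order-Q subgroup of squares mod P."""
    wide = b"".join(hashlib.sha512(bytes([i]) + item.encode()).digest() for i in range(5))
    return pow(int.from_bytes(wide, "big") % P, 2, P)

class Party:
    def __init__(self, indicators):
        self.items = sorted(set(indicators))
        self.key = secrets.randbelow(Q - 1) + 1  # secret exponent, never shared

    def blind_own(self):
        """Own indicators raised to the secret exponent, in self.items order."""
        return [pow(to_group(x), self.key, P) for x in self.items]

    def blind_again(self, blinded):
        """Apply the secret exponent to values the peer already blinded."""
        return [pow(v, self.key, P) for v in blinded]

def run_exchange(requester, holder):
    """Return the requester's indicators that the holder also has."""
    a_once = requester.blind_own()                # sent requester -> holder
    a_twice = holder.blind_again(a_once)          # returned in the same order
    b_once = sorted(holder.blind_own())           # sent holder -> requester, order hidden
    b_twice = set(requester.blind_again(b_once))  # computed locally by the requester
    return [x for x, v in zip(requester.items, a_twice) if v in b_twice]

if __name__ == "__main__":
    # Constructed sample indicators (documentation IP ranges, placeholder malware label).
    police = Party(["192.0.2.44", "198.51.100.7", "malware:constructed-sample-a"])
    company = Party(["203.0.113.9", "198.51.100.7", "malware:constructed-sample-a", "192.0.2.200"])
    print(run_exchange(police, company))
```

Only the two shared indicators are revealed to the requester; the holder's other entries stay blinded under an exponent the requester never sees. Because values such as IPv4 addresses are low-entropy, a deployment of this scheme would also need to limit how many items a requester may submit.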

“This is the philosophy behind the project, but it is still very much a work in progress, so it is difficult to say at this stage exactly how it will work,” Oerting said.

“J-CAT will continue to work on this because we know there are private companies that would be willing to exchange cyber attack information with us on this basis,” he added.

This approach means there will be no exchanges of bulk data, nor any disclosures of personal or proprietary information that is not directly relevant to a criminal investigation.

“It is a myth law enforcement agencies want to know everything about everyone – we are only interested in targeted information about criminal suspects that we can use,” said Oerting.

The system is expected to be up and running by March 2015 to facilitate a stream of highly targeted information to J-CAT to support international anti-cyber crime operations.
