J-CAT chairman Jaap van Oss on cross-border collaboration and the challenges facing international efforts to combat cybercrime
Last month, a 36-year old man was arrested in connection with the theft of €10 million worth of IOTA cryptocurrency from dozens of victims worldwide.
The cross-border operation involved Germany’s Hessen State Police plus the UK’s National Crime Agency and South East Regional Organised Crime Unit – a successful collaboration that was facilitated by Europol’s Joint Cybercrime Action Taskforce (J-CAT).
J-CAT was established by Europol in 2014 to coordinate international law enforcement efforts against cybercriminals whose activities readily transcend geographic borders.
Its 18 cyber liaison officers come from 16 J-CAT member countries – including EU Member States Austria, France, Germany, Italy, the Netherlands, Romania, Poland, Spain, and Sweden plus non-EU partners Australia, Canada, Colombia, Norway, Switzerland, the UK and the US – as well as the representatives from Europol’s European Cybercrime Centre (EC3).
A few weeks after J-CAT’s annual board meeting in Rome, The Daily Swig spoke to the taskforce’s chairman, Jaap van Oss, about the agency’s raison d'être, operational and strategic objectives, navigating geopolitical barriers to cross-border cooperation, and the most alarming cybercrime trends right now.
What does J-CAT bring to the international fight against cybercrime?
Jaap van Oss: J-CAT is unique in having investigators from a range of countries throughout the world with a cyber background working together on a daily basis on cross-border cybercrime cases.
Cybercrimes are truly international, [they don’t stay within national] borders. In order to be quick and react correctly to the threat, you need to have a group like this in place.
The majority of the larger cybercrime cases are being coordinated through or supported by J-CAT.
Can you point to a successful outcome that demonstrates J-CAT’s value as a facilitator of international law enforcement collaboration?
JvO: A good example is the recent Operation Cepheus to take down a RAT [Remote Access Trojan] service, which allowed buyers to spy on other computers.
This case was initiated by the Australian police and coordinated through J-CAT.
These RATs are sold throughout the world via the internet, [but] are hosted centrally. This particular service was used across 124 countries, so you need an international body or group to coordinate the international law enforcement action to take down the server, apprehend the criminals running it, and to address its users one way or another.
If an investigation involves countries with which the West has challenging relations, can J-CAT foster any kind of useful cooperation or intel sharing?
JvO: We try to establish contact on an operational level about information exchange needed to identify criminal activity or cybercriminals in different countries.In that case, we might try to establish an information position, for example, on Russian-speaking criminals in Russia. Or if [for instance] we have a hunch that money is being laundered through China, we will try and get a hold there.
But we can only do so much. Sometimes we have to be patient and, although we know who the perpetrators are, [accept that we] cannot arrest them.
On the other hand, a lot of the infrastructure used in malware or ransomware cases is hosted in different countries. For example, it is not unknown that Russian cybercriminals will still host their machines in Europe or elsewhere in the western hemisphere.
In that case we cannot apprehend the criminals, but we can take down their infrastructure, which has a disruptive effect on their criminal activity.
J-CAT membership consists of cybercrime experts from 18 law enforcement agencies
What other barriers to cross-border cooperation do you typically encounter?
JvO: The formal international exchange of evidence and information is can be very slow, but I think that goes for every crime area.Where we are different from [other agencies] is being an established operational path to rapidly respond to international cyber threats.
Countries within J-CAT, supported by the rest of Europe, can exchange intelligence quite rapidly, so on that level we are filling a gap very successfully. Information flow on cross-border cybercrime is our bread and butter.
How does Europol work with western intelligence agencies in combating state-sponsored threat actors?
JvO: There is a natural divide between the police and the intelligence and security agencies. Our objective is more [focused on] criminal cases and apprehending the cybercriminals.
But occasionally, certain large cyber-attacks – for example the NotPetya and Wannacry cases – need more than just the police perspective, and the information will be triaged across the different agencies involved.
Might the UK’s departure from the EU affect its involvement in any way? If so, how?
JvO: We do not know exactly but we do, for sure, hope that the UK will stay in J-CAT.
The UK plays an important role as a relatively big country in the international combat against cybercrime and is involved most of the time. So logically there is a seat reserved for the UK in the J-CAT.
We are working on a strategic level to create awareness about J-CAT and our next roadshow is in the UK.
For now, it is still business as usual. There will be some hindrances, but they will be solved eventually.
The Joint Cybercrime Action Taskforce is based out of Europol’s headquarters in The Hague
What are the most notable cybercrime trends you’re seeing right now?
JvO: Ransomware is still one of the biggest threats. For years they have been [mostly] targeting individuals, but now you see ransomware is also targeting industrial plants and large corporations where it has a really devastating effect.
We’re also seeing more business email compromise or payment process compromise attacks, as we call them.
These fraudulent transactions, the damages are very high in value. J-CAT recently decided to put more effort into these kinds of cases.
In the old days you had one piece of malware delivered by a comprehensive infrastructure, but now you see different tiers of interlinked malware and large infrastructures being rented out and being used for banking malware, DDoS attacks, and ransomware. And the attacks for which the infrastructure is used are becoming more sophisticated and targeted.
Those infrastructures are becoming quite robust and professional, which means the effort to take them down is growing also.
What are J-CAT’s priorities for 2020 and beyond?
JvO: The more strategic one is to continue with the roadshow. We had five last year and we will have five this year in the UK, Spain, Colombia, Poland, and Canada.
Why is this important? Because we can reach beyond the national level and reach cyber units on a regional and local as well as on a national level.
Last year’s Operation Power Off is a very good example [of the benefits], as the server was in the Netherlands but many countries were involved, and whereas the server was taken down by the national unit, in many cases the criminals that used that DDoS platform were regionally and locally investigated.
The international coordination was done by the J-CAT and the intelligence packages for the different countries involved were distributed through Europol.
Ransomware and DDoS will continue to [be prime focuses] and we will put more effort into payment process compromise. We’re also doing more and more in the area of cyber currencies: on the one hand where theft of [virtual currencies] is concerned, on the other as an investigative method to follow the money.
Another focus is child sexual exploitation. Previously we had the occasional case that went very well, but we will up our efforts in that area.
In many large operations we gain a lot of knowledge from private industry [with which] we have agreed to strengthen cooperation – both to improve our information position, but also because they have specific knowledge of the cybercriminal modus operandi.
What cybercrime trends do you see emerging or worsening in the coming years?
JvO: Cybercrime and cybercriminal operations will become more complex and professionalized.
I foresee in the coming year that ransomware will still be the bigger part of our work. We will see a growing amount of payment process compromise cases because they deliver money [to the criminals].
Our challenge will be to work longer and harder in certain cases. The working methodology is going to become more complex. We will have to put more effort on dismantling the increasingly complex cybercriminal infrastructure and in identifying the organized cybercriminal organizations behind it.
It’s not only the information exchange; it’s also dealing with the growing amount of data.
You can be a very savvy cyber detective, but you probably also need data scientists to help you analyse the material.
YOU MIGHT ALSO LIKE Europol tests emergency response to attacks on critical infrastructure