Editor’s Note: GIJN is running a series drawn from our forthcoming Reporter’s Guide to Investigating Organized Crime, which will debut in full on November 1 at the Global Investigative Journalism Conference. This section, which focuses on investigating cybercrime and the dark web, was written by Kate Fazzini, a technology reporter who covers cybersecurity for the American cable TV network CNBC.
Cybercrime is any criminal activity perpetrated in a digital realm. While we often think of cybercrime as defined by “hacking,” which in this context refers to unauthorized entry into a digital environment, there are many other types of crimes, including physical crimes, that extend into this world.
Everything from trafficking in child pornography, to a bank insider changing a customer’s ATM information and withdrawing illicit funds, to the theft of source code, falls into the category of “cyber” crimes. Cybercrime, when perpetrated successfully, often reveals the exploitation of legal privacy violations – for instance, when a company has improperly encrypted personal information and that data is stolen, this would constitute a violation of consumer privacy by the company, and a cybercrime by the individuals who stole the data.
Financial losses because of cybercrime are simultaneously astronomical and very difficult to predict or calculate. Billionaire investor Warren Buffett has, in the past, commented that he pushes his businesses to avoid the cyber insurance market because there is not enough data to predict how much money could be lost. This hard-to-define risk contrasts sharply with our understanding of other types of monetary losses from natural disasters, like hurricanes or floods, or other criminal activity, like bank robberies or physical sabotage. Rough estimates from various sources — including McAfee, Cybersecurity Ventures, the SANS Institute, and the FBI — point to damages from cybercrime to government and business in the trillions of dollars.
Despite this marked and rapid shift to the forefront of our security agenda, the cybersecurity underworld is structured surprisingly like the corporate world. Criminal “start-ups” of small gangs loosely connected by geography or interest can flourish, steal tools from one another, compete, and collaborate, all with an agility and ambition comparable to those in Silicon Valley. Larger underworld players seek to unite criminal interests across Asia, Europe, Africa, and the Americas, using centralized leadership, criminal recruiters who behave like human resource executives, and even surreal versions of customer service help desks where victims call in to learn how to establish a Bitcoin wallet for raking in ransom payments.
Much of this illicit activity originates or takes place on what’s been called the “dark web,” a hidden layer of the web typically only accessible via the Tor browser. On any given day, you can “apply” for jobs on the dark web as an in-country ransomware bot operator, a money-laundering Uber driver who cleans ill-gotten cyber gains with fake rides, or a money mule who uses a fake debit card to fraudulently empty cash from ATM machines.
- Academic researchers: A number of university-based centers monitor and track online attacks, and may provide useful leads on specific cases. Carnegie Mellon is the most famous of these in the United States and also serves as home of the US Computer Emergency Response Team (CERT), which is responsible for issuing critical vulnerability alerts. Cambridge University in the UK has a cybercrime center as well.
- Cybersecurity companies: Firms like McAfee, CrowdStrike, Carbon Black, FireEye, and the big cloud services providers Amazon, Microsoft, and Google have many dedicated forensic teams that monitor the latest attacks. It is much easier to engage one of these companies to discuss the types of attacks they are seeing. Note, however, that they are vendors and have a commercial interest in these topics. This doesn’t mean that they are not experts, but keep in mind that there may be conflicts of interest skewing their objectivity. This is why it is always important to reach out to cybersecurity staffers at companies that have been attacked, even on background, to round out your understanding of what happened. These sources may be far more difficult to cultivate, but lend a critical perspective to your reporting.
- Government officials: In the US alone, at least 20 federal departments and agencies have staff devoted to cybercrime. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is possibly the most press-friendly, with an active remit to engage the public. The FBI’s cybercrime division produces valuable and impartial statistics that can help round out articles with factual, unbiased information about cyber attacks and their cost. The US Secret Service and US Department of Treasury are other sources to consider. Similar government agencies in countries around the world should also be able to help. In the UK, it’s the National Cyber Security Centre, which has a press team that works with journalists. Europol has its own European Cybercrime Centre. Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) recently announced that it was establishing a dedicated bureau to deal with cybercrime. The UN has a cybercrime program as part of its Office on Drugs and Crime.
- Victims: Victims of cybercrime may not be people, but could instead be a variety of institutions, factions, governments, social media platforms, etc. It is critical to engage with them to discuss their experience in any cyberattack. All reports of a cyberattack should include an attempt to reach the victim and/or an explanation of why he, she, or the entity declined to comment. Keep in mind that first impressions about the scale and damage from a cyberattack can be misleading. In my experience, it is frequently the case that an incident that may seem bad at the outset may not be particularly harmful to the corporation at all, while others that initially seem innocuous are extremely damaging.
Tips & Tools
Because many cybercrime attacks end up in US courtrooms — whether as criminal proceedings or civil lawsuits — one of the most valuable resources in cybersecurity journalism is the US legal database, PACER (fees apply, based on searches and documents), an acronym standing for Public Access to Court Electronic Records. Reading legal filings, particularly indictments of domestic or foreign cybercriminals, can provide a well-rounded view of cyberattacks and also highlight the limits of existing legal frameworks in prosecuting them. Reporters should also familiarize themselves with the Shodan search engine, through which laypeople can look for connected devices that are open to the internet.
Government agencies and cybersecurity companies, particularly the latter, can be valuable partners in unmasking online criminals or forensically examining a crime. Journalists should take care to monitor these relationships for other business ties or conflicts of interest, however, so they are not merely receiving a self-serving narrative from the research. Cybersecurity companies are often happy to cooperate with journalists or other public service projects because they provide good publicity – so care should also be taken to disclose the role of the company in any of your reportage.
The story was not published in a newspaper but produced by a cybersecurity research firm called Trustwave. This 2017 research paper, however, clearly demonstrates how breaking down and communicating each part of a cybercriminal conspiracy can help people better understand this complex world. (Downloadable copies are available upon request only from Trustwave.)
This was a story I produced for CNBC about the massive data breach of one of the US’s largest consumer credit bureaus. I was able to convince a security analyst – someone working at a “low-level” but in a hands-on and critical role – to describe the frustrations of searching for the enormous amount of data stolen in the Equifax breach. While the breach has been attributed to China, the stolen data has never been found on the dark web or anywhere else, a somewhat unusual circumstance as hacked data of this nature is typically sold in some fashion later. This story has been cited by legislators in US Congressional hearings on Equifax and other breaches.
This is a classic Wall Street Journal feature story about the regrets of a government employee who helped create the “letter, number, and symbol” password requirements that we all know — and loathe. This story was incredibly important in linking the cybersecurity problem from an end-user’s perspective – how we all hate coming up with endless password combinations – with the bigger picture scenario of how little we understand about cybersecurity generally.
An exhaustive investigation that looked beyond the origins of a single hack, this New Yorker story profiled what is among the largest cybercriminal entities in the world: North Korea’s state-sponsored hacking army. Despite its deceptively banal name, that country’s Reconnaissance General Bureau (RGB) is a “hydra-headed” beast that conducts everything from ransomware attacks to bank heists to thefts of cryptocurrency. It is broadly assumed to be behind one of the most audacious hacks in history — the 2014 Sony Pictures attack. One United Nations report on the organization’s illicit activities puts its global take at $2 billion, much of which is funneled into the North Korean army’s weapons program. And the New Yorker takes readers behind the scenes into how the RGB recruits and ultimately carries out its cybercrime operations around the world.
The main differences between traditional crime and cybercrime lie in three key areas: how perpetrators of cybercrime compare to more traditional criminals, how the victims of cybercrime are defined, and the emerging issues most critical to cybercrime versus traditional crime.
In traditional crime — whether we’re talking about traffic violations or murder — perpetrators generally live close to the scene of the crime. National laws vary when it comes to getting access to accused cybercriminals, but when possible, it is good ethical practice for journalists to get the criminal’s side of the story, no matter how insignificant the case. In the US, where people are innocent until proven guilty, journalists who make no attempt to reach out to the accused are committing malpractice. Even a “no comment” or “Mr. Smith could not be reached after multiple attempts” or “an attorney for Ms. Miller declined to comment” will suffice.
If there is no named suspect, such as in the case of gang-related violence or racial crime, reporters must gather information about a perpetrator from the police and the community in which the crime occurred.
In cybercrime coverage, though, these opportunities rarely come up. Indeed, many of these expectations are turned around. The “accused” may be a cybercrime group that brags about the crime online, or it may be an individual. The crime may be waged by a foreign government under the auspices of a proxy criminal group or individual. The crime may be perpetrated by a spy for one of those governments within an organization, or it may have been launched by a teenager from a basement in Helsinki.
Recorded Future — an industry publication by a cybersecurity company of the same name — recently highlighted a case where 106 members of the Italian mafia were arrested in connection with a series of cybercrime activities, including SIM card swapping and Business Email Compromise (BEC) schemes. SIM card swapping involves using fraudulent SIM cards to impersonate a person’s phone in order to dual-authenticate a bank account login and perpetrate wire fraud; while BEC also involves convincing victims to wire funds fraudulently via email. The crimes are often interconnected and used to perpetrate billions in business and personal losses every year, according to the FBI.
However, the nature of cybercriminal investigations means we are unlikely to know immediately after the attack any information about the attacker. It may take weeks, months, or sometimes years to identify even the country from which the attack originated. This presents several challenges for a journalist covering the crime. When faced with the ambiguity of the perpetrator, journalists should be mindful of the following tips:
- Cyber investigations are very far from an exact science. Claims by investigators or experts that a certain perpetrator may have been involved — whether a nation-state, a “hacker” group, or an individual — are often wrong, especially immediately after the incident. These claims should be treated warily.
- Cybercriminals use many layers to mask their identities, especially during sophisticated attacks. Initial information about a suspected criminal hacker should be treated as a possible diversion. Reporters should take care to inform their audience about the expected length of time the investigation may take.
This makes sourcing from the criminal side of the cyber equation intensely difficult. I have found, however, that it is far easier to get someone who has committed a cybercrime to talk with you, explain their point of view, and how the commission of the crime looked from their point of view, than to find a victim willing to talk. Which takes us to our next problem.
Because the identity of a cybercrime perpetrator may not be clear at first, journalists often quickly shift their focus to the victim — often an unsympathetic corporation or a government agency, both of which can be prone to public outcry because of a real or perceived lapse in their protection of private citizen/consumer data.
Yet it is important for a journalist to remember that these entities are victims, and they employ people who may be affected by the crime. Individual technology and security employees of a company that has been attacked can spend months remediating an attack, especially in the case of persistent malware or ransomware. Tech employees of victim companies have reported struggles with post-traumatic stress disorder (PTSD). Others sleep in their offices for days at a time and face vicious harassment from clients or colleagues who blame them personally for the attack.
It is true, some companies are negligent about security, and some make poor choices about where to spend their money and who to hire for key security or technology roles. Yes, some government organizations and nonprofits are cumbersome in their management approach and rely upon outdated technology. Others are quite up-to-date and practice responsible management but make a single error that an attacker can exploit.
Yet, journalists still too often blur the lines between victim and perpetrator in ways that would not be acceptable in traditional crime reporting. Rather, understanding the victim, and why they were targeted can help us understand the crime. Scrutiny of a victim’s vulnerabilities is part of this process, but it should not obscure the fact that another entity committed the crime.
Reporting on cybercrime, then, requires a nuanced perspective. While the identity of the criminal or criminals may not be readily apparent, there is still a criminal element involved. Gaining intelligence about the person or entity or country involved in the attack should be an ongoing responsibility of a cybercrime journalist, just as it is for law enforcement and other investigators.
This is where solid sourcing is most important. To understand how a breach happened, reporters should try their best to get facts, even on background, from people who are closest to the breach and who can interpret what the breach means and what the response means. These sources are very hard to cultivate. Convincing an employee to possibly violate an employment agreement to speak on background is difficult; convincing a veteran security employee — who has, in all likelihood, sought to not get tangled up with journalists over confidential information — is even harder.
But reporters should endeavor to establish the circle of individuals closest to the breach, and reach out. If the only experts available to comment are from the outside, with no direct knowledge of the incident, reporters should have a strong preference for choosing cybersecurity practitioners — as opposed to theorists or academics who have not been in the trenches recently. Practitioners, in this case, are workers who have been in hands-on cybersecurity roles of some type within the past 12 months.
Another way cybersecurity reporting differs from traditional crime reporting is in the relative importance of the outside world to how a certain crime is perceived.
Reporters approaching a story on cybersecurity will need to gain an understanding of all the national and international players within the story itself, to give readers a well-rounded understanding of the subject matter.
A good example: In writing a recent white paper about a ransomware incident in a Texas town, incident stakeholders included Texas A&M University (including volunteers), local FBI offices, the Secret Service (due to the involvement of wire fraud), the Department of Homeland Security, and a cyber incident response company based in Washington, DC. Because the company was in the oil and gas industry and owned by Saudi Arabia, it also sent investigators. The Saudi team discovered a flaw in a certain process engineering software based in France, prompting the EU to begin investigating, alongside the French government’s National Cybersecurity Agency. As a result, this apparently isolated hack in the US Southwest triggered national security concerns both for the US and Saudi Arabia, any country or company using this French software, as well as a test for the EU’s attempt at more robust enforcement.
My last tip is that cultivating sources within global stakeholders is vital to the issue of cybersecurity. One story that I still regret not covering better involved the differences between the hacking of US presidential candidate Hillary Clinton’s 2016 run and that of the current French president, Emmanuel Macron, whose campaign came a year later. While we know much about the Russian infiltration of the former campaign, we never got the full story of how the Russians were unable to effectively harm the campaign of Macron, who won the French presidency.
Much of that has to do with the intriguing and innovative techniques used by Macron’s head of cybersecurity to anticipate Russian disinformation and respond to it proactively. This included planting false information in emails that Macron’s campaign knew were being hacked, thus giving them the ability to easily negate the entire operation publicly. If I had been able to cultivate deeper relationships within the French government and the campaign, I would have been able to create a more well-rounded story about mistakes made by the US in election security that need not be repeated. Perhaps one of you reading will write it instead.
Kate Fazzini is a technology reporter who covers cybersecurity for CNBC and is the author of the 2019 book “Kingdom of Lies: Unnerving Adventures in the World of Cybercrime.” She has a master’s degree in cybersecurity strategy from George Washington University and is an adjunct professor in the applied intelligence program at Georgetown University.