High-Profile Cyberattack Investigations: London’s Met Police Share Takeaways

Raymond Black | Metropolitan Police

About the Speaker

• 1990 to 1996 – Uniformed officer working in various locations across South London
• 1996 to 2000 – Detective working in various locations across South London
• 2000 to 2006 – Territorial Support Group (riot police); 2002 to 2003 – worked in private-sector management in Durban, South Africa, for a transport and construction company
• 2006 to 2014 – Operation Trident (proactive firearms and gangs unit); 2012 to 2013 – employed by the European Union investigating government corruption in Guatemala
• 2014 to present – Cyber crime investigator, Specialist Cyber Crime Unit
• Other deployments in various roles in Jamaica, The Netherlands, Poland and the United States

2 #ISMGSummits ROCU Map

1. North East (NERSOU)
2. Yorkshire & Humber (ODYSSEY)
3. North West (TITAN)
4. Southern Wales (TARIAN)
5. West Midlands
6. East Midlands (EMSOU)
7. Eastern (ERSOU)
8. South West (ZEPHYR)
9. London
10. South East (SEROCU)
National coordination across the Regional Organised Crime Units (ROCUs)

3 Remit of MPCCU (Metropolitan Police Cyber Crime Unit)

To deal with the most serious offences of:
• Cyber-crime facilitated by the use and control of malicious software (malware).
• Cyber-crime facilitated by the use of online techniques.
• Computer and network intrusions (dependent upon motives and objectives).
• Denial of service attacks and website defacement (dependent upon motives and objectives).
• The online trade in financial, personal and other data obtained through cyber-crime.
• The intentional and dishonest online provision of services, tools etc. to facilitate cyber-crime.

4 Threshold of MPCCU

A case is taken on where one or more of the following applies:
• Life is put at risk.
• Targeting or impacting public safety, emergency services or other public systems and services.
• Threatening the solvency or continued existence of the targeted organisation.
• Criminality affects at least two police force areas (cross-border).
• Minimum financial loss or gain of over £100,000 (subject to ongoing review).
• The unit's specialist skills, knowledge and resources are necessary for an effective investigation (the "too difficult" tray).
• There is a significant opportunity to investigate a new or emerging criminal technique.

5 A few stats with regards to the UK

• An estimated 3.6 million cases of cyber fraud and 2 million computer misuse offences, making these the UK's most common offences.
• The total number of all other recorded crimes stands at 6.5 million.
• The gap between police-recorded and actual instances of fraud and cybercrime represents current under-reporting of around 90%.
• Bank account fraud (phishing) was the most common type.
• Cost to the UK economy of almost £11bn in the past year, equating to approximately £210 per person aged over 16 living in the UK.
• The unreported figure is believed to be much higher.
• It is estimated that UK banks have managed to stop £6 in every £10 targeted by criminals.

6 London cyber crime stats

• 20% of all national fraud victims reside within London, which equates to about 41,000 individuals.
• The Metropolitan Police Service receives 35% of all cyber crime disseminations that are suitable for investigation.
• Reported figures for London represent a year-on-year average increase of 123% in this crime type.
• Due to this increase in demand, Op Falcon was launched in October 2014. Falcon's remit is to investigate all fraud and cyber-crime disseminations as well as all cyber-dependent crimes (from these, the MPCCU investigate only the most serious crime types, as per the remit above).
• The original model for Falcon was designed for 12,000 disseminations for investigation per year, a figure surpassed in the first 5 months of Falcon's launch.
• The number of investigations currently stands at about 27,000 per year.
• MPCCU consists of only 26 detectives.
• Op Falcon consists of only 155 detectives.

7 Op Festiva – Disclaimer

• Timing – first such presentation to this type of audience regarding this particular investigation.
• I cannot tell you everything.
• Everything that I will show is available online and can be found through open-source searching.

8 OP FESTIVA – A case study

James J Fox Ltd, a London-based specialist retailer of imported handmade cigars. On 11 September 2015 www.jjfox.co.uk was the subject of an intrusion via SQL injection: malicious SQL was injected through a website vulnerability, resulting in customers' personal data and addresses being obtained.
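The attack pattern behind this intrusion, as an added example (not code from the original presentation and not James J Fox's application): a product lookup that splices the `id` query parameter into SQL text lets a UNION payload pull rows from an unrelated customer table, which is exactly how personal data and addresses leave a retail site. The table names, rows, the `product_lookup_*` functions and the payload are constructed for illustration; the parameterised version beside the vulnerable one is the fix.

```python
"""Vulnerable vs parameterised product lookup against an in-memory SQLite database.

Added example: the schema and rows below are constructed and are not James J Fox data.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data of the kind a small retailer's site holds."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, address TEXT);
        INSERT INTO products VALUES (1, 'Cohiba Siglo VI', 45.0), (2, 'Partagas D4', 22.5);
        INSERT INTO customers VALUES
            (1, 'alice@example.net', '1 Example Row, London'),
            (2, 'bob@example.net', '2 Sample Street, Leeds');
        """
    )
    return conn


def product_lookup_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """The bug: the query-string parameter is pasted straight into the SQL text,
    so whatever the attacker puts in ?id= becomes part of the statement."""
    sql = f"SELECT name, price FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def product_lookup_fixed(conn: sqlite3.Connection, product_id: str) -> list:
    """The fix: validate the type, then bind the value as a parameter. The driver
    sends it separately from the statement, so it can never change the query's shape."""
    try:
        pid = int(product_id)
    except ValueError:
        return []
    return conn.execute("SELECT name, price FROM products WHERE id = ?", (pid,)).fetchall()


# A UNION-based payload of the kind used to pull customer rows out through a product page.
# The first SELECT matches no product; the UNION appends every customer's email and address.
UNION_PAYLOAD = "0 UNION SELECT email, address FROM customers"


def demo() -> tuple:
    """Returns (rows leaked by the vulnerable lookup, rows returned by the fixed lookup)."""
    conn = build_db()
    leaked = product_lookup_vulnerable(conn, UNION_PAYLOAD)
    safe = product_lookup_fixed(conn, UNION_PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked_rows, safe_rows = demo()
    print("vulnerable lookup leaked:", leaked_rows)
    print("parameterised lookup returned:", safe_rows)
```

The same payload reaches both functions through the same parameter; only the second refuses to treat it as SQL. Note that the fix is not the `int()` cast alone (a text search box has no integer to cast) but the `?` placeholder, which is what stops a value from becoming code.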

9 James J Fox

The company was unaware it had suffered a data breach until it received a number of emails from [email protected] and [email protected], initially demanding payment of 20 bitcoins (£3,103 at the time; about £18,208 or CAD $30,121 at current rates) to 16C39YF8gAz7T6WaTZ1wJ8snigJnUgjS2, or all customer data would be leaked online. A deadline of 72 hours was set.

10 James J Fox

• On 16 September another email was received from [email protected], titled “Last chance”:
• ‘the price went up …7500. Your business name will be ruined - how much have you lost already from no website. 7500 to the BTC wallet last chance. Or you out of luck and time’

11 James J Fox

• 21 September – another email from [email protected]:
• ‘Hi XXXXX, I’ve noticed that your site is back up and once again: I’m able to gain access to it. You should really just come to terms that you need to work with me on a deal. Please don’t make me ruin stuff once again.’

12 James J Fox

• 21 September (same day) – another email from [email protected]:
• ‘Offline again. where is our money? Your website is no more. Must we ruin your customers also?’

13 James J Fox

• 22 October – a post was put onto pastebin.com saying:
• ‘To: Customers of www.jjfox.co.uk, your data is being leaked. Each day 2k (2000) customer details will be added to the page. If 2.5 bitcoins are paid to 197qcfpNbFozv9duGg1Fso3NJdha41RdZi and emailing [email protected] with the transaction ID you can be removed from the list’.

14 OP FESTIVA – Talk Talk

• TalkTalk Plc, one of the UK’s largest communication and internet service providers.
• 19 October 2015 – a significant increase in GET requests carrying SQL injection payloads against 3 web pages that had exploitable SQL injection vulnerabilities.
• 21 October 2015 – established that they had been the subject of an intrusion and data breach.
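The detection opportunity in that timeline, as an added example rather than TalkTalk's tooling or logs: a burst of GET requests whose query strings carry SQL metacharacters against a handful of pages is visible in ordinary web-server access logs, two days before anyone noticed the breach. The log lines, paths, IP addresses and the `threshold` value below are constructed; the indicator regex is a small illustrative set, and the last sample line carries a legitimate apostrophe in a search term to make the point that per-minute volume against one page, not a single match, is what separates a probe from noise.

```python
"""Spotting a burst of SQL-injection probes in web-server access logs.

Added example with constructed Apache-style log lines; not TalkTalk's logs or detections.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx combined-log prefix: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Deliberately narrow, high-signal indicators: a single quote, a SQL comment, UNION ... SELECT,
# a numeric tautology, or the sleep/benchmark functions used for blind injection.
SQLI_RE = re.compile(
    r"('|--|/\*|\bunion\b[\s/*]+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|\bbenchmark\s*\()",
    re.IGNORECASE,
)


def is_sqli_probe(target: str) -> bool:
    """True if the decoded query string of a request target contains an injection indicator."""
    query = urlsplit(target).query
    decoded = unquote_plus(unquote_plus(query))  # two passes catch double encoding such as %2527
    return bool(SQLI_RE.search(decoded))


def sqli_probes_per_minute(lines) -> Counter:
    """Map (path, 'YYYY-MM-DD HH:MM') -> number of GET requests whose query string looks like SQLi."""
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        if not is_sqli_probe(m.group("target")):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        path = urlsplit(m.group("target")).path
        counts[(path, ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return counts


def flag_bursts(counts: Counter, threshold: int = 3) -> list:
    """Paths that received more than `threshold` SQLi-looking GETs within any single minute.
    The threshold is a constructed tuning value; set it from the page's own baseline."""
    return sorted({path for (path, _minute), n in counts.items() if n > threshold})


# Constructed sample: normal traffic, then a burst of probes against one page, then a benign
# apostrophe in a search term that a single-match rule would wrongly flag.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Oct/2015:14:02:11 +0100] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [19/Oct/2015:14:02:13 +0100] "GET /products.php?id=42 HTTP/1.1" 200 2044
198.51.100.9 - - [19/Oct/2015:14:03:01 +0100] "GET /products.php?id=42' HTTP/1.1" 500 312
198.51.100.9 - - [19/Oct/2015:14:03:02 +0100] "GET /products.php?id=42%20AND%201=1-- HTTP/1.1" 200 2044
198.51.100.9 - - [19/Oct/2015:14:03:02 +0100] "GET /products.php?id=42%20OR%201=1 HTTP/1.1" 200 9182
198.51.100.9 - - [19/Oct/2015:14:03:04 +0100] "GET /products.php?id=-1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 2101
198.51.100.9 - - [19/Oct/2015:14:03:05 +0100] "GET /products.php?id=42%2527 HTTP/1.1" 500 312
198.51.100.9 - - [19/Oct/2015:14:03:09 +0100] "POST /login.php HTTP/1.1" 302 0
192.0.2.77 - - [19/Oct/2015:14:04:00 +0100] "GET /search.php?q=it's%20a%20test HTTP/1.1" 200 1500
"""

if __name__ == "__main__":
    per_minute = sqli_probes_per_minute(SAMPLE_LOG.splitlines())
    for (path, minute), n in sorted(per_minute.items()):
        print(f"{minute}  {path}  {n} probe(s)")
    print("pages under SQLi probing:", flag_bursts(per_minute))
```

On real logs, pass an iterator over the file to `sqli_probes_per_minute` and alert on `flag_bursts`; the 500 responses interleaved with 200s in the sample are the other tell, since an error page on a quote followed by a larger-than-usual 200 on a tautology is what a successful probe looks like from the server side. Detection only buys time: the page still needs parameterised queries.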

15 Talk Talk

• 21 October 2015 – 11 demand emails sent to Talk Talk staff, including the CEO, from [email protected], signed off ‘0xff’. Demand made for 465 bitcoins (£81,677 at the time; about £2,014,625 at current rates) to be paid into 197qcfpNbFozv9duGg1Fso3NJdha41RdZi, the same wallet used in the James J Fox pastebin post, or all customer data would be leaked online.
• ‘A few days ago I managed to compromise your entire (talktalk.com)’s 64 databases. I have extracted almost all of the data and your sysadmin walled me after most of the damage had been done’.

16 Talk Talk

• ‘Hi again, Downtime sucks right? Imagine if the data gets leaked it’ll cost more than what I’m asking for =)’
• ‘At the end of day, your advisers are going to do what they are paid to do - advise against it, but if you want all these loses go away, just send that payment which is almost nothing in comparison to what will be lost. The fate of your company is in your hands now.’

17 OP FESTIVA – Linking the two cases

• Same email addresses and bitcoin wallets.
• Sample sets of both companies' customer data were posted onto pastebin.com.
• Both sets of customer data were offered for sale on a website named dbs4sale.org and also on AlphaBay, a dark web marketplace.

18 Sigaint.org

• Currently offline.
• Law-enforcement unfriendly.
• Darknet email service available over the Tor network; they pride themselves on providing email without revealing your location or identity.
• They believe in freedom of speech, and any request from law enforcement would be answered by an email saying that the data requested is impossible to retrieve.
• They have never provided user data.
• They quote: “Snowden showed us that if we give them an inch, they take a mile. The last shred of trust with law enforcement has been destroyed”.

19 Openmailbox.org

• Server is located in France.
• They promise to respect your privacy.
• They claim to be totally independent of all the large service companies on the web.
• Privacy is their priority and they’ll do everything they can to ensure the security of the data.
• Paid-for version, payable in bitcoin.

20 Suspect 1

• Part pleaded guilty with regards to Talk Talk
• Still under investigation for a number of other offences
• Aged 15

21 Suspect 2

• Aged 16

22 Suspect 3

• Pleaded guilty, awaits sentencing
• Aged 20

23 Suspect 4

• Has already pleaded guilty at a youth court to hacking offences against Talk Talk
• Aged 16

24 Suspect 5

• Pleaded guilty to Talk Talk offences and awaits trial on another matter
• Aged 18

25 In Summary

• These 5 suspects are all known to each other online and are the main offenders against Talk Talk with regards to the SQL scanning, exploiting the vulnerability and the data breach. One of the suspects was identified as being responsible for both extortions.
• All devices were found to contain Talk Talk customer data and, in some instances, the vulnerability that was exploited.
• Several other UK suspects were identified and arrested as having received the Talk Talk data.
• There are still suspects believed to be located in the US and Canada.
• Another suspect has been identified and located in The Netherlands and is covered later in this presentation.
• Evidence of multiple server usage, one of which was used to store the Talk Talk data immediately after the breach.

26 In Summary

• They were all initially released on police bail, and most continued to offend whilst on bail.
• Skype was the favoured method of communication between them.
• Devices were found to contain evidence of multiple offending against other companies on a global scale.
• One suspect suffers from severe autism, which presented interviewing officers with significant problems.
• Talk Talk has estimated that it suffered a £77m loss as a direct result of this offending (not including share value) and lost 101,000 customers.
• The Information Commissioner's Office (ICO) is the UK regulator responsible for the enforcement of data protection and freedom of information law. It investigated the Talk Talk data breach and found a number of failings by the company. In October 2016 it imposed a then-record fine of £400,000 for security failings that allowed a cyber attacker to obtain customer data.

27 Additional offending

• Quickly identified some of the suspects as members of a hacking group known as Team Hans, which was admitted during interview. Intelligence also suggests they are closely associated with the hacking group known as Lizard Squad.
• Forensic examination of devices revealed cyber offending on a colossal global scale, including: company/customer databases, hacked databases, extortion/blackmail, ransomware, possessing and supplying articles for use in fraud, DDoS, threats to life/assault, repeat offending, suicide inducement, targeting vulnerable individuals, money laundering.
• 500+ companies identified as having been subject to some form of cyber criminality.
• 100,000s of individuals targeted.
• I believe that only a small percentage of the offending has been identified by law enforcement.
• Evidence obtained of multiple server usage, admitted during interviews.
• Evidence obtained of usage of .

28 Ashley Madison

Start point is a page file recovered from a device, containing the following extortion email:

‘Unfortunately your data was leaked in the recent hacking of Ashley Madison and I now have your information. I have also used your user profile to find your Facebook page, using this I can now message all of your friends and family members. If you would like to prevent me from sharing this dirt info with all of your friends and family members (and perhaps even your employers too?) then you need to send 5 bitcoin to the following BTC address. Bitcoin Address: 1AEJiZFnELwRZVjmVSvDSwUaXNZy4X9bQN. You may be wondering why should you and what will prevent other people from doing the same, in short you now know to change your privacy settings in Facebook so no one can view your friends/family list. So go ahead and update that now (I have a copy if you don’t pay) to stop any future emails like this. You can buy bitcoin using online exchanges easily. If the bitcoin is not paid within 3 days of 25 Sep 2015 then my system will automatically message all of your friends and family members. The bitcoin address is unique to you. Consider how expensive a divorce lawyer is. If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends. What will your friends and family think about you? Sincerely’

29 Ashley Madison

Précis of another:

‘We know your schedules. We know where you all live and spend your time. We also know how to kill any one of you without being caught. Now, don’t panic. This isn’t personal. You did nothing to deserve this. You were just one of a handful of families unfortunate enough to draw our attention. However, nobody has to die. Allow us to explain…………….. You are finished. Breath easy and live your life in peace knowing you will never have to deal with us again’

30 Ashley Madison cont.

• A significant number of bitcoin addresses recovered from devices were also linked to numerous other Ashley Madison victims, located in Canada, the US, the UK and the Czech Republic.
• Skype chat logs revealed numerous chats regarding Ashley Madison customers.
• Précis: ‘We need help with smtp and spamming. we need to send at least 35k per minute. we are trying to send extortion letters to ashley madison users our net profit will be much more than 20k. can we do this illegally with ur software? we have hacked smtp's. we aren't promoting a product. we are blackmailing users and extorting them. scam scheme much fraud.’
• ‘I'm trying to send 74.4m emails. Can you help me with this? Yes, to confirm 74 million emails.’
• The Openmailbox server in France contains an email sent to 3,000 Ashley Madison users, threatening to leak information unless a bitcoin payment is made.
• Many of the same emails (or similar content) were sent to UK victims, often with the same bitcoin addresses.
• Admitted downloading the Ashley Madison data, although no trace was found on the device; probably held on a shared server.

31 Ransomware

• File named coinvault, with numerous log files of Dutch websites.
• Dutch investigation.
• CoinVault ransomware.
• Source code and log files.
• Analysis revealed it in executable format.

33 Ransomware

• Wallet 17kkmDx8eSwj2JTTULb3HkJhCmexfysExz has been paid 225.93369176 BTC.
• Today's rate = £950,600

34 The Antichrist

• Identified during the Talk Talk investigation as an associate.
• Took approximately 8 months to establish his real identity.
• Aged 19.
• Search warrant executed at his home address in The Netherlands last year.
• Prolific cyber criminal.
• The search recovered not only his laptop, open and connected, but also his server, located within his premises.
• This find caused significant distress amongst fellow cyber criminals.
• Links to the hacking group Lizard Squad.

35 The Antichrist cont.

• Talk Talk customer data is present on his server.
• There are 80+ virtual machines present on his laptop and 8 on his server.
• There are numerous references to the Lizard Squad hacking group and online usernames of members.
• There are numerous hacking tools present, including SQLMap, GoldenEye.py, DNSRecon.py, b1nary.py, Palkia/Dialga and root.c.
• 130+ website databases have so far been recovered, which are likely to be the result of hacking.
• There are a further 327 SQL databases from various sources (likely to be compromised data).
• There is an additional folder containing 83 text files of compromised data and a database of stresser users (a stresser is a service used for DDoS attacks).
• There are databases of cracked passwords.
• Within the server there are further files containing databases, doxes, backup files, botnet files, scripts and related malware.
• There is evidence of many further deleted databases which may have been moved elsewhere.
• Credit card details (likely to be compromised data).
• There is a dox folder containing personal data relating to thousands of individuals, including celebrities.
• Facebook accounts with username and password.
• There are at least 6 different forms of malware present.

36 The Antichrist cont.

• Did not have that set up in The Netherlands.
• Over 6 TB of data in total, mainly text files.
• Hacked suicide website.

37 Why forensic examinations take so long…

• 1 TB of data is equal to roughly 75 million pages of A4 text. If you worked a 40-hour week with weekends off, reading a page every second, it would take you 10.42 years to complete the task.
• Or, if printed, the stack would be 100 Shards in height.
• The CN Tower is 1,815 feet; the Shard is 1,017 feet.

38 The Challenges

• Remember – these are kids.
• Methods of interviewing.
• Sheer volume of work.
• Multiple jurisdictions – data availability in the UK compared to overseas.
• Computer Misuse Act 1990.
• Can be confusing for the jury, judges and lawyers.
• How to deal with suspects in other countries.
• Although a group, not organised in the true sense of the word.

39 The Challenges

• New language: fullz, retard, script kid, black hats, white hats, grey hats, doxing, botnet, ships, navy, farming.

40 To conclude

• Is this a police problem or a social problem?

• The way forward

• Protect yourself – (haveibeenpwned.com)
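A concrete way to act on that advice, as an added example that is not part of the original slide deck: the Pwned Passwords range API from haveibeenpwned.com lets you check whether a password appears in known breach corpora without sending the password, or even its full hash, to the service. The code assumes the documented endpoint shape (`GET https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>`, response lines of `SUFFIX:COUNT`) and runs against a constructed response body so it works offline; the suffixes and counts in that body are made up, except that the genuine SHA-1 suffix of the string `password` is included so the match can be verified.

```python
"""Checking a password against Pwned Passwords via the k-anonymity range API.

Added example, not from the original presentation. Only the first five hex characters of
the SHA-1 are ever sent; the server returns every suffix sharing that prefix and the match
is done locally, so the service never learns which password (if any) was being checked.
"""
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix sent to the
    service and the 35-char suffix that is matched locally against the response."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password: str) -> str:
    """The URL that would be fetched: prefix only, so the request reveals nothing usable."""
    prefix, _ = sha1_prefix_suffix(password)
    return RANGE_URL + prefix


def count_in_range(password: str, response_text: str) -> int:
    """How many times the password appears in the corpus according to a range response,
    or 0 if its suffix is absent. Tolerates padded entries with a count of 0 and blank lines."""
    _, suffix = sha1_prefix_suffix(password)
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def verdict(password: str, response_text: str) -> str:
    n = count_in_range(password, response_text)
    return f"seen {n} times in breach data; do not use" if n else "not found in this range"


# Constructed stand-in for the body returned for prefix 5BAA6 (SHA-1("password") begins 5BAA6).
# Counts and the other two suffixes are made up; the first suffix is the real one for "password".
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:0
"""

if __name__ == "__main__":
    print("request:", range_request_url("password"))
    print("password:", verdict("password", CONSTRUCTED_RANGE_5BAA6))
    print("correct horse battery staple:", verdict("correct horse battery staple", CONSTRUCTED_RANGE_5BAA6))
```

To run it live, fetch `range_request_url(pw)` with any HTTP client (adding the `Add-Padding: true` header makes every response a similar size, which is why the parser accepts zero-count lines) and pass the body to `count_in_range`. The same prefix trick is what lets a password manager or a signup form warn a user without ever transmitting the secret.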

41 “When people built the internet, they forgot about the bad guys.” “It didn’t occur to us that there were criminals.”

Eric Schmidt

42 Questions – Thank you for attending!

Submit your feedback via the ISMG Events app.