SINGAPORE - “You have 52 hours to identify a blackmailer demanding a 10,000 bitcoin ransom.”
This was the task set in the INTERPOL Digital Security Challenge, the first of its kind, and a race against time for participants to solve a complex cybercrime scenario and gather enough evidence for a successful prosecution.
The 64 contestants from 26 countries were divided into eight teams each comprising a mixture of expertise including cybercrime investigators and digital forensic experts. Teams were awarded points for each successful step of the enquiry they completed – with bonus points for speed – but penalized for any hints or advice requested.
Throughout the four-day (21 – 24 March) challenge, specialists from the private sector and academia also gave presentations and hands-on training sessions on the relevant digital forensics and cyber investigation topics.
The teams also had to gather legally admissible evidence which was then presented to a mock court where they were assessed on both the investigative steps taken and their final prosecution report.
Madan Oberoi, Director of Innovation and Outreach at the INTERPOL Global Complex for Innovation (IGCI) which hosted the event, said the challenge recreated some of the issues dealt with in the field.
“Cybercrime investigations are becoming more and more complex and this challenge replicated some of the twists and turns which investigators face every day,” said Mr Oberoi.
“What was equally as important was the involvement of the private sector in this exercise. Its input in providing both hardware and software along with training and demonstrations clearly showed how essential it is for cooperation between law enforcement and industry to ensure officers have the skills and tools to tackle these crimes.
“There is a continuous need for experts from both the public and private sectors to come together to exchange expertise and best practice in combating cybercrime, and this challenge provided the ideal platform to achieve this,” concluded Mr Oberoi.
The event was organized in close collaboration with the private sector including Cellebrite, Cyber Defense Institute, Magnet Forensics, MSAB, NEC Corporation and Trend Micro and with support from University College Dublin and the Institute for Infocomm Research.
“Trend Micro has always been committed to public-private partnerships to fight a common adversary, those that would use digital technology to do harm,” said Eva Chen, Trend Micro’s Chief Executive Officer.
“This challenge further prepared the participants to effectively combat cybercrime, and we are proud to have supported this exceptional initiative,” added Ms Chen.
“The Digital Security Challenge was a very practical demonstration of INTERPOL’s commitment to improve the cybersecurity skills of investigators throughout the world, and NEC is pleased to have helped develop and participate in this forward-looking exercise,” said Hiroyuki Nagano, General Manager of NEC Corporation’s National Security Solutions Divisions.
Kenji Hironaka, Cyber Defense Institute President added, “Cyber Defense Institute are proud to have provided forensic contents and technical support ahead of and throughout this event, which has been a great success at every level.”
The INTERPOL Digital Cybercrime Challenge
The investigation began after ‘Cracker10000’ published a page from a blueprint stolen from the fictional Petro oil refinery company on the ‘Webspace’ social media platform, and threatened to post other sensitive information unless a 10,000 bitcoin ransom demand was met.
Petro requested police assistance to identify the source of the leak, which marked the beginning of the challenge hosted at the IGCI. The teams had to gather information from a range of sources, including ‘real life’ interviews with Petro staff and forensic examinations of computers and mobile phones.
To conduct their investigation, each team was provided with PCs and laptops which had been pre-loaded with a range of software tools from private sector partners involved in the challenge.
Narrowing down the suspects
After pinpointing the fileserver from which the blueprints had been stolen, the teams narrowed the 1,243 employees down to three potential suspects who had accessed the information during the relevant time period, and then analysed their computers.
It emerged that a phishing email had been sent to Petro the previous year, resulting in multiple terminals being infected with malware. On further examination, the teams found a suspicious process running from the recycle bin on one of the suspects’ computers.
Once it was confirmed that this suspect had been on a plane with no wi-fi access when the ransom demand was posted, the teams were able to eliminate him from the investigation. Soon afterwards, however, Webspace provided the source IP address from which the blackmail demand had been posted, and it was traced back to Petro.
It was discovered that, shortly before the blueprint was accessed, the malware had been used to take over an account belonging to a Petro IT systems administrator, and that account had then been used to log in remotely to the original suspect’s computer, from which the blueprint was stolen.
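As an added illustration (not code from the challenge, from INTERPOL or from any of the partners named above), the Python below runs the three triage checks this section describes over constructed sample data: filtering fileserver access records to the users who touched the stolen file in the relevant window, flagging any process whose image runs from a recycle-bin directory, and listing the network or RDP logons that hit a suspect's workstation in the hour before the access. The log formats, hostnames, account names, paths and timestamps are all invented for the example; the Windows logon-type numbers (2 interactive, 3 network, 10 RemoteInteractive) are the real ones.

```python
"""Triage checks of the kind the challenge narrative describes, run over
constructed sample data (not from the challenge):

  1. who accessed the stolen file on the fileserver in the relevant window,
  2. which running process has its image under a recycle-bin directory,
  3. which network/RDP logons hit a suspect's workstation just before the access.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


# Constructed fileserver access log: time,user,source host,UNC path.
ACCESS_LOG = r"""
2017-03-20T08:55:12Z,alice,WS-0412,\\fs01\eng\refinery\blueprint_p17.dwg
2017-03-20T09:03:40Z,bob,WS-0098,\\fs01\eng\refinery\blueprint_p17.dwg
2017-03-20T09:20:05Z,carol,WS-0311,\\fs01\hr\payroll.xlsx
2017-03-20T11:47:59Z,dave,WS-0210,\\FS01\ENG\refinery\Blueprint_P17.dwg
2017-03-21T14:02:33Z,erin,WS-0555,\\fs01\eng\refinery\blueprint_p17.dwg
"""
TARGET_FILE = r"\\fs01\eng\refinery\blueprint_p17.dwg"
WINDOW_START = parse_ts("2017-03-20T08:30:00Z")
WINDOW_END = parse_ts("2017-03-20T12:00:00Z")

# Constructed process listing: (host, pid, image path).
PROCESS_LIST = [
    ("WS-0098", 1204, r"C:\Windows\System32\svchost.exe"),
    ("WS-0098", 3388, r"C:\$Recycle.Bin\S-1-5-21-1004-500\$RX9K2P1.exe"),
    ("WS-0210", 2040, r"C:\Program Files\Office\WINWORD.EXE"),
    ("WS-0412", 991, r"C:\Users\alice\AppData\Local\Temp\updater.exe"),
]

# Constructed logon events: (time, account, source host, target host, logon type).
# Windows logon type 2 = interactive (local), 3 = network, 10 = RemoteInteractive (RDP).
LOGON_EVENTS = [
    ("2017-03-20T08:40:10Z", "svc_sysadmin", "WS-0098", "WS-0412", 10),
    ("2017-03-20T08:51:02Z", "alice", "WS-0412", "WS-0412", 2),
    ("2017-03-19T22:15:00Z", "svc_sysadmin", "ADMIN-01", "WS-0412", 3),
]

# Directory names (lower-cased) that mark a recycle bin on Windows and Unix-like systems.
RECYCLE_DIRS = {"$recycle.bin", "recycler", "recycled", ".trash"}


def parse_access_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, path = line.split(",", 3)
        records.append({"time": parse_ts(ts), "user": user, "host": host, "path": path})
    return records


def accesses_in_window(records, path, start, end):
    """Access records for `path` within [start, end]. UNC paths on Windows
    shares are case-insensitive, so the comparison is done lower-cased."""
    return [r for r in records
            if r["path"].lower() == path.lower() and start <= r["time"] <= end]


def running_from_recycle_bin(proclist):
    """Flag processes whose image lives under a recycle-bin directory: a
    hidden, rarely browsed folder and therefore a classic place to park malware."""
    flagged = []
    for host, pid, image in proclist:
        parts = image.replace("/", "\\").lower().split("\\")
        if any(p in RECYCLE_DIRS for p in parts):
            flagged.append((host, pid, image))
    return flagged


def remote_logons_before(events, target_host, before, lookback):
    """Network (3) or RDP (10) logons to target_host within `lookback` before
    `before`, oldest first. Local interactive logons (2) are left out."""
    out = []
    for ts, account, src, dst, ltype in events:
        t = parse_ts(ts)
        if dst == target_host and ltype in (3, 10) and before - lookback <= t <= before:
            out.append((ts, account, src, ltype))
    return sorted(out)


def triage():
    records = parse_access_log(ACCESS_LOG)
    hits = accesses_in_window(records, TARGET_FILE, WINDOW_START, WINDOW_END)
    suspects = sorted({r["user"] for r in hits})
    # For each suspect access, who reached that workstation remotely in the hour before?
    remote = {}
    for r in hits:
        logons = remote_logons_before(LOGON_EVENTS, r["host"], r["time"], timedelta(hours=1))
        if logons:
            remote[r["host"]] = logons
    return {
        "suspects": suspects,
        "recycle_bin_procs": running_from_recycle_bin(PROCESS_LIST),
        "remote_logons": remote,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On this constructed data the first check leaves three users (the two other accesses fall outside the window or concern a different file), the second flags one executable under $Recycle.Bin, and the third shows an administrator account opening an RDP session to a suspect's workstation fifteen minutes before that workstation read the file, which is the pattern the narrative above describes. In a real case each list is a lead to corroborate, not a conclusion: the logon source host in particular may itself be compromised.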
Identifying the blackmailer
After seizing the administrator’s mobile phone, the teams used digital forensics to extract data which revealed that he had been in contact with a malware developer via a chat app before exchanging files through the Tor network.
The blueprint stolen by the malware developer was among the files the administrator received, and at the time the ransom demand was made he was online on the company’s network: the blackmailer had been identified.