Dutch-Russian Cyber Criminal Offence Example Reveals How The Constabulary Taps The Internet

(Updated: August 26, 2017)

About how signals intelligence agencies, similar NSA in addition to GCHQ, are intercepting communications, nosotros learned a lot from the Snowden revelations in addition to the German linguistic communication parliamentary inquiry, but also from novel legislation inward France, the Netherlands in addition to the United Kingdom.

Much less is known nearly the practise of tapping past times law enforcement, similar for instance the FBI in addition to constabulary forces. Now, a instance from the Netherlands provides some interesting insights inward how Dutch constabulary intercepts mesh communications - inward a way that comes remarkably to a greater extent than or less the volume collection past times intelligence agencies.

- Cooperation amongst the Russians - Intercepting at Leaseweb -

- Some questions - The terminate of ZeuS -

Office of the Team High Tech Crime (THTC) of the Dutch constabulary inward Driebergen
(photo: NRC/Merlin Daleman)

Cooperation amongst the Russians

On Saturday, May 27, the Dutch paper De Volkskrant came amongst a surprising story nearly the cooperation betwixt the Team High Tech Crime (THTC) of the Dutch constabulary in addition to officials from the Russian federal safety service FSB, which is the principal successor to the notorious KGB.

Since 2009, regular meetings are held inward the Netherlands, inward which also officials from the FBI participate. The aim is to cooperate inward tracking downwards in addition to eventually arresting cyber criminals. The Volkskrant's forepart page written report is accompanied past times an extensive background story, which contains some to a greater extent than worrying details, but is alone available inward Dutch.

The cooperation amongst the Russians dates dorsum to September 2007, when the caput of THTC attended a conference inward the Russian urban nub of Khabarovsk, at which CIA, FBI, Mossad, BND in addition to other agencies were present. The caput of THTC was able to create a connexion to the FSB in addition to their deputy caput of the Center for Information Security (TsIB), Sergei Mikhailov, became the liaison for the Dutch constabulary in addition to would regularly catch the Netherlands.

Meetings inward Driebergen

Initially, the meetings amongst the Russians were held inward the Dutch hamlet of Driebergen, where the Team High Tech Crime has its offices. The Dutch safety service AIVD was obviously non real fond of this, hence every catch of for instance Mikhailov had to live on reported, in addition to since 2012, every constabulary officeholder who had contact amongst someone from the FSB was briefed past times the AIVD earlier in addition to after every meeting.

The FSB, much similar the FBI, isn't only responsible for law enforcement, but is also Russia's subway scheme service for domestic security. This made AIVD worried that FSB officers could exercise their visits to the Netherlands for spying - although strictly spoken, collecting unusual intelligence is the job of some other Russian agency, the SVR.

The constabulary chemical compound inward Driebergen started every bit highway patrol station, but nowadays houses some of the most sensitive units of the Dutch police, including the national criminal investigation branch in addition to the Unit Landelijke Interceptie (or Lawful Interception, ULI; nowadays: Interceptie & Sensing, I&S), which was created inward 2005 every bit the fundamental facility for mesh tapping, every bit good every bit for call tapping on behalf of all the smaller constabulary districts.*

The constabulary chemical compound inward the hamlet of Driebergen
(photo via Flickr)

Security incident

There was at to the lowest degree 1 safety incident inward Driebergen: De Volkskrant describes that during a coming together amongst FBI in addition to FSB, a Russian official came to a fellow member of the Dutch constabulary team, pointed at someone from the FBI in addition to said "he is copying your data". An investigator went looking in addition to saw that indeed the American had a pollex drive inward a constabulary laptop in addition to was copying Dutch information. Whether this had whatever consequences was non reported.

In 2014, the cooperation amongst Russian Federation came nether pressure: inward July, at that spot was the Russian annexation of the Crimea in addition to shortly aftwerwards, flight MH17 was shot down, killing 193 Dutch citizens. The criminal investigation of this instance also takes house inward Driebergen, hence the constabulary decided to movement to meetings amongst FSB officials from Driebergen to constabulary stations inward Amsterdam in addition to Rotterdam.

Intercepting at Leaseweb

The start instance inward which Dutch constabulary in addition to Russian FSB cooperated started inward 2008, when Russian criminals used the ZeuS trojan Equus caballus malware to spoof the login enshroud of banks inward lodge to capture user credentials, in addition to bag the coin from banking concern accounts without a trace.

Often these criminals used servers of the Dutch hosting companionship Leaseweb, which offers relatively anonymous in addition to inexpensive services every bit good every bit high-speed connections, every bit it is to a greater extent than or less the large Amsterdam mesh telephone commutation AMS-IX. To communicate amongst eachother, the criminals used the messenger service ICQ, which is nonetheless pop inward Russian Federation in addition to Eastern Europe, but doesn't exercise encryption.

To grab the criminals behind the ZeuS malware, the Dutch constabulary squad develop functioning Roerdomp (the Dutch cite for the Eurasian bittern) in addition to inward Oct 2008, they asked other countries for the ICQ numbers of known cyber criminals. Within three months, authorities from the US, Germany, Britain, the Ukraine in addition to Russian Federation provided a full of 436 ICQ numbers. In Jan 2009, the populace prosecutor in addition to an examining gauge approved the interception of communications associated amongst these numbers.

ICQ logo in addition to interface

DPI filtering

To acquire these ICQ communications, the constabulary had decided to intercept all ICQ traffic from Russian Federation that went through the Leaseweb servers. For that operate they bought equipment for deep-packet inspection (DPI) worth 600.000,- euro.

DPI devices are able to examine the packets that construct upwards mesh traffic in addition to filter them according to predefined criteria, unremarkably to foreclose viruses in addition to spam, but inward this instance for intercepting communications.

High-end DPI equipment, from manufacturers similar Narus (now component subdivision of Symantec) in addition to Verint, tin also reported that inward the construct novel Equinix AM4 information middle inward Amsterdam (with over 120.000 servers, connected to 150 networks), there's a highly secure department which is used past times the Dutch authorities - could that live on intended for intercepting the servers that (foreign) companies are hosting there?

Leaseweb headquarters inward Amsterdam
(click to enlarge)

Some questions

The description of the tapping functioning past times De Volkskrant raises some questions. Government filtering systems having access to all the mesh traffic of a companionship is the way that (signals) intelligence agencies are conducting volume collection, non the way that law enforcement is supposed to produce targeted interception.

In western countries, the constabulary is mostly alone allowed to tap communications associated amongst individually identified suspects or specific communication identifiers, similar telephone numbers in addition to e-mail addresses. In the ZeuS case, it was in all likelihood argued that it was targeted interception because at that spot were 436 specific identifiers: the ICQ numbers of known cyber criminals.

Foreign selectors

First, this instance right away reminds of the selector matter that came to calorie-free through the German linguistic communication parliamentary research into the cooperation betwixt NSA in addition to BND. For years, NSA provided the Germans amongst millions of mesh identifiers, which they entered into their satellite collection system, without beingness able to reckon to whom these identifiers belonged.

> See for more: German BND didn't aid much nearly unusual NSA selectors

Could that receive got happened to the Dutch constabulary too? Were they able to verify that each 1 of the 436 ICQ numbers was used past times a cyber criminal, or did they only trusted the unusual potency that provided them?

For this sort of international cooperation, it's ofttimes inevitable that y'all receive got to trust your unusual partners, but hence y'all should also endeavour to construct for certain that the information collection is every bit careful in addition to targeted every bit possible.

Dutch mesh tapping

One way to assure that is through technical means. For call tapping this is relatively easy, because call switches receive got built-in tapping capabilities based upon international standards. For mesh tapping this is dissimilar in addition to external devices receive got to live on used to selection out the communications of interest.

In the Netherlands, the interception of mesh information uses the Secret Services Act comes into force, such non-public communication providers produce receive got to tolerate interception on behalf of AIVD in addition to MIVD, but they don't demand to receive got pre-installed tapping equipment.

This agency that inward both cases, fifty-fifty for targeted interception, the authorities volition command the sniffer equipment for filtering upwards to a company's entire traffic - something that digital rights groups similar the ACLU already consider to live on unlawful "bulk surveillance."

Oversight

Another enquiry is how to construct for certain that the constabulary doesn't misuse it's ability when for instance a hosting provider voluntarily provides access to their entire traffic. Maybe the constabulary has internal protocols for that, but patch interception conducted past times the subway scheme services is champaign of study to independent oversight, constabulary tapping is not.

It's considered that inward criminal cases, a gauge volition eventually create upwards one's hear whether for certain constabulary methods are lawful or not, but Secret Services Act volition also let them to behave untargeted cable interception. That agency that they may non alone filter out communications that are associated amongst already known identifiers, but also (temporarily) shop all the metadata in addition to a lot of content inward lodge to search for information that belong to yet unknown targets.

In the populace debate nearly the novel law, at that spot was a lot of speculation nearly how the novel untargeted cable access volition live on implemented, but the interception at Leaseweb, every bit described past times De Volkskrant, gives a real concrete instance of what tin live on expected.

National sentinel middle of the Royal Marechaussee inward Driebergen
amongst a large night grayness Philips PNVX crypto telephone
(photo: AmberAlert.nl)

The terminate of ZeuS

After collecting the messages associated amongst the 436 ICQ numbers in addition to afterward analysing them, it came out that 1 especial ICQ publish acted every bit the leader of the cyber offense network. In 1 of the intercepted conversations this soul fifty-fifty admitted to live on the designer of the ZeuS malware.

The constabulary gave him the codename "Umbro", but he himself used aliasses similar Lucky12345, Monstr, Slavik, IOO, Pollingsoon, in addition to Nu11. De Volkskrant storey doesn't tell how the constabulary institute out the existent identity of "Umbro" in addition to it was alone inward 2014, nether the international law enforcement Operation Tovar, that he was identified every bit Evgeniy Mikhailovich Bogachev, born Oct 28, 1983.

Already inward 2013, investigators noticed that the ZeuS virus wasn't only used for stealing coin anymore, but also for finding out real specific information nearly authorities officials of Russia's neighbours. Dutch constabulary in addition to the FBI became convinced that "Umbro" (Bogachev) had started working for Russian intelligence too.

To live on or non to live on arrested

The latter seems to live on 1 of the reasons that, after the hack of the Democratic National Committee (DNC) inward 2016, the the States authorities lay Bogachev on a listing of sanctioned individuals. Besides that, his malware was also responsible for stealing over 100 1000000 USD from American organizations. However, Bogachev is nonetheless at large, in all likelihood because he is useful for Russian intelligence operations.

For the Dutch constabulary squad at that spot was some other unpleasant surprise: Sergei Mikhailov, the FSB officeholder who had move such a familiar human face upwards for them, was of a abrupt arrested inward Dec 2016 - according to Russian press reports because he in addition to Kaspersky skillful Ruslan Stojanov had leaked information to the States intelligence.

Nobody knows whether this is truthful or where Mikhailov is now, but the cooperation betwixt Dutch constabulary in addition to the Russian FSB continues.

Update:
In August 2017, Russian media reported that Sergei Mikhailov in addition to his deputy Dmitry Dokuchaev were charged amongst treason after they were institute to receive got helped the CIA grab 2 notorious Russian hackers: Roman Seleznev, who was arrested inward 2014 on the Maldives, in addition to Yevgeniy Nikulin, who was arrested inward the Czechia inward 2016.