In the age of the Internet, crime has truly gone global. Explore how DHS’ digital detectives track down cyber criminals, no matter where in the world they hide.
The Sunflower that Saved
A little girl, no more than 11-years old, stares out the window as the vehicle she’s in speeds down the highway. Still in her pajamas, she turns and smiles at another passenger, who snaps a picture. This could be any family photo that one might see on Facebook, Instagram, or another such site, were it not accompanied by a caption polling viewers to submit their suggestions on how to best rape her—and get away with it.
The photo, along with a cache of others with same girl accompanied by an unknown older male, were posted to a chat board known to be frequented by pedophiles in November 2011. There, it was discovered by Danish law enforcement officials. Denmark is a member of the Virtual Global Taskforce, an international alliance of law enforcement agencies who work together to detect online sexual abuse and rescue victims. Fearing the male in the photos intended to abuse the girl any day now, Danish authorities sent the troubling material to U.S. Immigration and Customs Enforcement's (ICE) Homeland Security Investigations (HSI), the founding member of the task force.
With the clock ticking to identify, find, and rescue the girl before she could be harmed; HSI’s Cyber Crimes Center put their best man—an agent known as Cole—from the Victim Identification Program on the case.
Occupying a small lab in a nondescript office block in Fairfax, Virginia, the Victim Identification Unit has an outsized role in changing lives. In a room lit only by computer monitors, HSI agents spend countless hours using the most advanced digital forensics tools available to examine photo evidence for clues. Since nowadays most child pornography is traded online, the only evidence available is often stills of the material itself. Abusers tend to take care to keep their faces out of frame, earning them the nickname “John or Jane Doe” and making it more difficult to locate and rescue victims. For this reason, there is no pixel left unturned. Even the tiniest of peculiarities in the periphery of a photo can be the key to tracking down the predator and rescuing the victim.
In this case, the peculiarity that led Cole and the other agents down right path was in the photo of the girl in the moving vehicle. Through the window, investigators noticed the blur of a road sign the truck was passing. On it, a distinctive yellow sunflower-like shape with some numbers superimposed onto it, the only one still clear enough to be legible was a “2”.
Investigators discovered that the sign was a road sign unique to the State of Kansas—where the sunflower is the state flower. The suspect must live somewhere along a state highway, but which one? The first digit of the highway number—the “2”—was visible, but the rest were too blurred to make out. Even with the sophisticated imaging technology available at HSI’s Cyber Crimes Center, agents could not clear up the other numbers. Agent Cole made the only decision left available to him: get to Kansas and find the stretch of highway that matched the photo.
Driving in pairs, ICE HSI agents drove the full length of every state highway in Kansas that began with a “2”, looking for the exact spot where the photo was taken. The tedious undertaking took days. It had now been 13 since the Danes tipped ICE off to the plot. The agents were getting worried that each passing day could be the day the suspect decided make good on the advice he was getting from the raucous creeps on the chat board. Then at last, right as the highway he was on was about to merge with another, the sign appeared.
The moment it caught his eye, the Special Agent stopped the car and jumped out. He crossed the multi-lane highway on foot—nearly getting hit by another car in doing so—but he had to confirm that this was indeed the place. Standing at the foot of the sign and holding up the photo in question, there could be no question that this was it. Everything, even the hay bales, were placed exactly as the photo promised they would be.
The agents quickly contacted the local sheriff. They showed him the other photos from the series hoping to trigger something. Sifting through, he recognized the backyard swimming pool in one of them. Mercifully, finally, they had a fix on the girl’s location—hopefully, it wasn’t already too late.
That same morning, ICE HSI agents in conjunction with local law enforcement organized a raid of the house whose backyard contained the pool. There, they found the girl—still wearing the same pajamas.
They apprehended her abuser, who turned out to be a minor himself—he was only 16. He plead guilty and was sentenced to serve 48 months in a juvenile facility. The girl, meanwhile, is safe and living with her family in the small Kansas town.
“Operation Sunflower”, as it became known, was the first case ICE’s Victim Identification Unit undertook as part of Operation Predator, which in 2014 alone was responsible for making possible the arrests of more than 2,300 child predators and the rescues of more than 1,000 victims.
DHS Components and Offices Involved
From Broadway ATMs to Bergdorf's
Hordes of people sporting backpacks in New York City are not an uncommon sight, especially along Broadway in Manhattan’s theatre district. “Probably just tourists,” you’d think to yourself. But on December 22, 2012, eight of those backpacks weren’t filled with selfie sticks and snacks, but with stacks of cash--$400,000 in total.
This merry bunch of backpackers—eight in all—were in reality a malicious band of bank robbers. They were armed not with guns and hostages, but with specially-encoded bank cards with no withdrawal limits. Taking a leisurely stroll down Broadway, they stopped at 140 different ATM machines along the way and—using the modified cards—completely emptied each ATM they encountered. These individuals completed a staggering 750 fraudulent transactions, stuffing the $400,000 spat out by the machines into their bags—all in just 2 hours 25 minutes.
But this crew wasn’t the only one operating that day. There were numerous others, planted in 20 countries around the world, doing the exact same thing simultaneously. In all, 4,500 fraudulent ATM transactions took place globally within those same 2 hours 25 minutes, resulting in $5 million in losses.
As they did so, shadowy figures wired in to the now not-so-secure networks of the financial institutions being robbed, watched the heists progress in real time. These were the arbiters of the plot, the backpackers merely the pawns.
How did this happen?
This sort of scheme is known in dark web circles as an “Unlimited Operation”. Here’s how it works:
- First, a sophisticated cyber crime organization hacks into the computer system of a credit card processor, and acquires the account and PIN information for prepaid debit card accounts.
- Next, the hackers manipulate the account’s security features, dramatically increasing the account balance and eliminating withdrawal limits. This turns the once ordinary debit card into a carte blanche.
- The compromised account information is then distributed to a trusted global network of cells (known as “cashers”), who encode the account data on magnetic stripe cards, such as an ordinary gift card.
- Then, at a preordained date and time, the hacker releases the PIN numbers to the network of cashers and the cashing begins, continuing until the hacker shuts down the operation.
- As the cashers empty ATMs around the world, the hacker remains inside the financial institution’s network, monitoring their progress and ensuring he gets his fair cut.
- After the cards are shut down, cashers go about laundering their proceeds into portable assets such as luxury cars and expensive watches. The hackers receive their cut via digital currency, wire transfers, or personal delivery.
- These cyber-attacks rely on highly sophisticated hackers working in close concert with organized criminal cells on the ground. By using prepaid debit card accounts, the scheme can steal money without depleting the bank accounts of real individuals, which would raise alarms much quicker.
It took only 5 compromised accounts to result in over $5 million in losses. Now, a second heist was planned. For this one, 12 new accounts were compromised—this one was going to be much, much bigger.
The second heist began the afternoon of February 19, 2013 and went into the early morning hours of February 20. In just 10 hours, the New York cell managed to withdraw in excess of $2.8 million from 2,904 ATM machines. Globally, the operation took place in 24 countries, where 36,000 ATM transactions took place resulting in a $40 million haul.
Immediately after the transactions were concluded, MasterCard—whose accounts were being targeted—contacted the U.S. Secret Service. Since 1865, the U.S. Secret Service has taken a lead role in mitigating threats from financial crime. As technology has involved, so has the scope of Secret Service’s work in this area. It now includes emerging financial, electronic and cyber-crimes.
As this coordinated cyber-attack scheme involved multiple financial network intrusions around the world, Secret Service used its advanced cyber forensics capabilities and network of field offices around the world to catch the suspects. Using ATM machine surveillance footage, Secret Service’s New York Field Office determined the New York cell was a group of coworkers from Yonkers.
Between March and April 2013, Secret Service in conjunction with U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI) arrested seven of the eight members of the New York cell for their role in the $45 million cyber crime campaign. The eighth—their ring leader—fled the country before being caught, but was found murdered at his home in the Dominican Republic sometime later. In addition, ICE HSI continues to seize property purchased from the proceeds from these heists.
New technologies have eliminated traditional borders and provide new opportunities for criminals to threaten the world’s financial systems. Those same technologies enable the U.S. Secret Service to seek out and stamp out these threats with ever greater speed.
DHS Components and Offices Involved
Cyber-Firefighters Shine in the Darkness
On December 23rd, 2015 the cold, Ukrainian night was aglow with winter lights and decorations. As families closed their eyes to fall asleep and have darkness envelop them, darkness began to spread around western Ukraine; the lights went out. 225, 000 people in western Ukraine suddenly lost all electric power and had no idea as to why.
All at once, 103 cities were "completely blacked out," and parts of 186 cities were left partially in the dark. During this blackout, many of those affected were unable to report their outage. Mystery added weight to the darkness, as call centers at Prykarpattya Oblenergo and another energy provider, Kyivoblenergo, were blocked from receiving calls from customers. The call centers were inundated with thousands of calls all at once from a cryptic source.
Prykarpattya Oblenergo was forced to send out response teams across western Ukraine to manually switch on all of the power generators which had inexplicably switched off. As the Prykarpattya engineers tried to turn the power back on, they discovered that a virus had erased the computers that the engineers use to monitor equipment during such outages. This left the engineers with no way to turn the lights back on through technical means. The engineers were forced to go “old-school” and travel to each station individually. After a few hours, the engineers reached all of the power stations that service the cities, manually flipped on the switches, and there was light again in western Ukraine. With stories of the turmoil of the crisis in eastern Ukraine reaching the ears of those in the west daily, it was only natural to assume the worst; thoughts like these were not too far off.
Thousands of miles away, a phone rang. An Incident Response Team, the NPPD equivalent of a quick reaction force, prepared to be deployed to assist the Ukrainian government and the power companies in their investigations. Incident Response Teams from the National Cybersecurity and Communications Integration Center (NCCIC)/Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the U.S. Computer Emergency Readiness Team (US-CERT), all of whom are a part of NPPD, stacked up and deployed to Ukraine to assist in the investigation as part of a U.S. inter-agency team.
Incidents like these, while rare, are a perfect example of the work that NPPD carries out in order to keep cyber systems free and defended from hackers. The Department of Homeland Security’s National Protection and Programs Directorate (NPPD) is tasked, among other things, with protecting the United States’ critical infrastructure, like power grids, from cyber-attacks like this.
America is made up of networks and systems, from communicating and traveling to banking and shopping. Like the highways that move us from place to place, electrical grids and the internet are made up of infrastructure; critically important to people and businesses across the world, these infrastructures have earned the moniker “critical infrastructure.” Not unlike how the infrastructure that transports people from place to place is vulnerable to attacks, the infrastructure that moves information is also at risk from terrorist and cyber-attacks or even natural disasters, like hurricanes or floods. NPPD analysts work 24 hours a day, seven days a week, to monitor these critical infrastructures in order to defend against attacks, with their Incident Response Teams being their equivalent of cyber firefighters.
An Incident Response Team, a team of four to six designated experts in the field of cybersecurity, is always packed with the critical equipment needed for any perceivable task, ready to depart at a moment’s notice to fix any cyber crisis. The Incident Response Teams, also casually called “Fly Away Teams” are similar to deployable firefighters- but for computer and information systems. They are not always fighting fires or cyber hacks; other times they’re doing the cybersecurity equivalent of talking to kids, testing smoke alarms, and other proactive activities to prevent fires. NPPD and their various teams and subdivisions travel out to different agencies and private businesses to discuss best practices, plan strategies, and teach them to identify potential distribution vectors for malware in order to protect against it and learn how to notice it. If only Prykarpattya Oblenergo followed the lead of another Ukrainian power company, who completed an industry recognized malware search which detected and removed a very specific malware before anything bad had happened. The malware was called BlackEnergy and is well known in the cyber-security realm.
Cybercriminals have been exploiting the BlackEnergy since at least 2007 through various, edited versions. The attack scenario is a simple one. The target, such as a power company or a corporation, receives a phishing email that contains an attachment with a malicious document, for instance a Word document. Once opened, the target ends up infected with BlackEnergy- showing how one small, inadvertent click on something that looks harmless can cause massive software vulnerabilities.
Prykarpattya Oblenergo was the first electricity failure caused by a computer hack according to the U.S. Department of Homeland Security. It would be ignorant to believe that a hack that shuts down a major power grid could only happen in a country like Ukraine. BlackEnergy has been found to be the culprit in a hack to target NATO and, must worrying for those of us here in the United States, even found on systems used by the United States government and on other critical infrastructure. Luckily, the experts at NPPD and Homeland Security were able to discover the intrusion before the malware had a chance to damage, modify, or otherwise disrupt any of the industrial systems or critical infrastructure in the United States, speaking to the success and importance of those that work at NPPD.
NPPD is a lot like television’s Dr. Gregory House, but focused instead on computer viruses rather than those of the body…and hopefully a lot nicer. They are not concerned about who did the hack; they instead seek out the technical issues and focus on how best to formulate a plan to fix the issue for those who come to them for help. In the past, DHS has warned that BlackEnergy has infected various industrial control systems that make up a substantial portion of the critical infrastructure. With the American energy grid becoming increasingly more automated, any American energy company that falls victim to the same kind of attack as the one in Ukraine would be much more hard pressed to quickly turn back on their power grids by hand.
The above situation speaks to the importance of the Department of Homeland Security’s National Protection and Programs Directorate. From diagnostician like computer analysts, to the firefighter like members of the Fly Away teams, NPPD is uniquely positioned and prepared to protect the United States from attacks on our critical infrastructure.
The investigation has not officially named a culprit in the BlackEnergy cyber-attacks. While the attacks shut down power grids and darkened many people’s night lights, it shone a light on the vulnerabilities of critical infrastructures around the world and in our own country. We wouldn’t feel safe driving on a bridge that had no protection, so why shouldn’t we protect our information highway?