A huge state-of-the-art building at 18 Napier Road in Singapore is nestled among the greenery of the local flora and tropical climate, almost like a spaceship. As written on the building developers’ website, the curved form of the Interpol building responds to the need to set the bulk of the building away from Napier Road, and allows for excellent solar orientation. The final look is also the result of the initial requirement not to cut down a single tree in the area during construction. Singaporeans are serious about protecting the environment.
It may have an eye-catching, futuristic look on the outside, but the inside of the IGCI building looks calm, and perhaps a bit boring: square shapes, white walls with minimum details. The only bright spots are the carefully preserved city jungles peering at you from the outside through bulletproof windows. Minimalistic, strict, official – this is the IGCI from the inside.
After a quick security check we’re in, approached by a serious agent in a suit with a Bluetooth headset on his ear, who asks that we not film him and offers a tour of how cybercrimes will be investigated in the near future.
Cyber Fusion Center
First stop: the Cyber Fusion Center, a spacious round room equipped with huge screens on the walls in front of a dozen workstations. The screens display the latest information on cyberthreats from all over the world. If the outside of the IGCI building reminds you of an alien spaceship, the Cyber Fusion Center is its cabin. As one of INTERPOL’s partners, Kaspersky Lab provides statistics on the latest malware outbreaks. That information, along with information from other partners, is combined in this room, giving its inhabitants a clear overview of the threat landscape.
As Paul Ward, Head of the Cyber Fusion Center, explains, the purpose of the CFC is to bring all the right people who can help address cyberthreats into one place. Law enforcement specialists and security industry experts work together to close the gap that previously existed in the investigation of cybercrimes. Even when security vendors were quick to share technical data about cyberthreats with law enforcement agencies, the agencies sometimes didn’t have enough resources, time, or expertise to act on all the reports fast enough. This is not the case in the Cyber Fusion Center. Thanks to the back-to-back working format, employees in the CFC can pick up threat intelligence from industry vendors and transform it into actionable intelligence that law enforcement agencies in different countries can use immediately to disrupt and investigate cybercrime.
A great example of how the Cyber Fusion Center will work is the recent Simda botnet disruption operation. Not all the fateful decisions were made right in this room; however, the overall operation was organized and brought to life by active participants of the Cyber Fusion Center and IGCI. The investigation was initially started by Microsoft and expanded to involve a larger circle of participants, including TrendMicro, the Cyber Defense Institute, officers from the Dutch National High Tech Crime Unit (NHTCU), the FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K”, supported by the INTERPOL National Central Bureau in Moscow. Thanks to fast and coordinated communication between the participants, the operation was a success: 14 C&C servers were seized in the Netherlands, the U.S., Luxembourg, Poland, and Russia. Preliminary analysis of some of the sinkholed server logs revealed a list of 190 countries affected by the Simda botnet.
All of the important communications during this operation went through IGCI participants, and the operation itself showed how collaborative work organized with the help of INTERPOL can efficiently disrupt massive distributed malicious networks like Simda. This kind of operation is why the Cyber Fusion Center was developed.
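The "preliminary analysis of sinkholed server logs" mentioned above is, in practice, a matter of parsing check-in requests, discarding noise such as crawlers, deduplicating infected hosts and attributing each one to a country. The following is an added example of that kind of aggregation, not code from INTERPOL, Kaspersky Lab or the Simda operation. The log lines, the prefix-to-country table (standing in for a GeoIP database), the beacon path `/index.php?ver=1` and the country codes XA/XB/XC are all constructed for illustration and use reserved documentation address ranges; no real Simda indicators are used.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sinkhole log lines (not real Simda data): timestamp, source IP,
# HTTP method, request path, protocol. One line is deliberately malformed.
SINKHOLE_LOG = """\
2015-04-09T10:01:02Z 203.0.113.17 GET /index.php?ver=1 HTTP/1.1
2015-04-09T10:01:03Z 203.0.113.17 GET /index.php?ver=1 HTTP/1.1
2015-04-09T10:02:11Z 198.51.100.5 GET /index.php?ver=1 HTTP/1.1
2015-04-09T10:02:40Z 192.0.2.44 GET /index.php?ver=1 HTTP/1.1
2015-04-09T10:03:01Z 192.0.2.45 GET /robots.txt HTTP/1.1
2015-04-09T10:03:05Z garbage line that does not parse
"""

# Constructed prefix-to-country table standing in for a GeoIP database.
# XA/XB/XC are user-assigned ISO 3166 codes, i.e. placeholders.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "XA"),
    (ipaddress.ip_network("198.51.100.0/24"), "XB"),
    (ipaddress.ip_network("192.0.2.0/24"), "XC"),
]

# Constructed beacon path: only requests for it count as bot check-ins.
BOT_PATH = "/index.php?ver=1"

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, ip, path) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, _method, path, _proto = m.groups()
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None  # second field is not an IP address
    return ts, ip, path


def country_of(ip):
    """Longest-prefix lookup is unnecessary here: the table has disjoint prefixes."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"  # not covered by the (constructed) table


def summarize(log_text):
    """Aggregate unique infected hosts per country from sinkhole log text."""
    victims_by_country = defaultdict(set)
    parsed = skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        parsed += 1
        _ts, ip, path = rec
        if path != BOT_PATH:
            continue  # crawlers, scanners and curious browsers are not victims
        victims_by_country[country_of(ip)].add(ip)
    return {
        "parsed": parsed,
        "skipped": skipped,
        "unique_bots": sum(len(s) for s in victims_by_country.values()),
        "countries": sorted(victims_by_country),
        "per_country": {cc: len(s) for cc, s in sorted(victims_by_country.items())},
    }


if __name__ == "__main__":
    report = summarize(SINKHOLE_LOG)
    print(f"{report['unique_bots']} unique bots in {len(report['countries'])} countries")
    for cc, n in report["per_country"].items():
        print(f"  {cc}: {n}")
```

Counting unique source addresses rather than raw requests matters because a bot typically beacons many times; counting requests would inflate the victim figure, while NAT will still make the unique-address count an undercount. Filtering on the beacon path keeps search-engine crawlers and researchers' scanners out of the victim list.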
Next stop: Research and Innovation Department.
Research and Innovation Department
The IGCI Research and Innovation Department is a rather small room with several PCs and a bunch of research and testing equipment connected to widescreen TVs. Physical space is not a crucial requirement for the operations of this department.
On the desks, a dozen Raspberry Pi computers are connected to each other by wires and cords. As Christian Karam, Cyber Threat Researcher at INTERPOL, explains, this is a demo installation that fully simulates a Tor-based network with a demo cryptocurrency system built on top of it. As Vitaly Kamluk, Kaspersky Lab’s Principal Security Researcher working on secondment at INTERPOL, who helped develop the training systems, notes, both simulations are not just simplified dummies but real working systems, built on the same technologies that are used in the Tor network, Bitcoin, and other cryptocurrencies working in the wild.
The whole testing system’s purpose is to educate policemen on how the so-called Dark web and cryptocurrency systems work. In fact, knowing what those systems are made of is a crucial requirement for all policemen, not only for those who investigate cybercrimes. It is no secret that, more and more often, “ordinary” criminals are using the anonymity benefits that the Tor network and cryptocurrencies bring in order to hide their illegal activity from third-party observers. The recent Silk Road narcotics store case was only one major example of wide-scale criminal use of modern Internet technology. Given the complexity of finding criminal suspects and collecting evidence in cyberspace, and especially in the deep cyberspace, criminals won’t stop using such technologies. This situation highlights the importance of the professional training on these technologies that is held in the Research and Innovation Department.
The Dark web and cryptocurrency simulator is not the only project developed in IGCI Research and Innovation. Another example of the daily activities held here is the recent research on Blockchain technology, in which INTERPOL specialists – in conjunction with Vitaly Kamluk from Kaspersky Lab and other researchers – proved that certain particularities of the Blockchain technology that powers most modern cryptocurrency systems, including Bitcoin, allow the storage of a malicious payload. Since the Blockchain is distributed by nature, the only one able to remove such a payload is the one who placed it there. The main goal of the research was to draw the security community’s attention to the problem and to prevent malicious use of the technology in the future. No doubt, preventing a crime is as important as efficiently investigating one, and this is why the Research and Innovation Department at IGCI is important. But if a crime has already been committed, those working in the IGCI Digital Forensics Lab are on it.
Digital Forensics Laboratory
Collecting digital evidence is the responsibility of the Digital Forensics Laboratory. This Lab is full of equipment dedicated to the analysis of hard drives, mobile phones, and other devices. A special installation for mobile device analysis is equipped with a Faraday cage shield, which blocks the radio signal that a suspect could otherwise use to trigger a remote wipe and destroy evidence.
This Lab actively participated in the so-called “Operation Strikeback” case. In the spring of 2014, the law enforcement agencies of 5 countries arrested 58 suspects who were allegedly involved in “sextortion”, or sexual blackmail, against tens of victims around the world. In exchange for not disclosing stolen nude pictures of their victims, the criminals demanded a ransom ranging from USD 500 to 15,000. During the operation, 250 pieces of electronic evidence were seized and analyzed with the help of specialists in the Digital Forensics Laboratory.
So far, Operation Strikeback is the biggest publicly visible contribution made by the Digital Forensics Lab; however, the Lab is involved in a lot of less visible but very important work. In particular, it serves as a training facility for policemen from all over the world, and it is a malware research facility.
For more than half the year, the Lab is also equipped with professional malware research workstations. Sponsored by Kaspersky Lab and installed and tuned by Vitaly Kamluk himself, these special workstations are used to analyze malicious software spotted in the course of cybercrime investigations. Each workplace has two separate workstations: one is a “regular” machine with specialized malware analysis software installed; the other is special. It is isolated from the Lab’s network and used for one purpose only: to run malware and observe its behaviour under real-life conditions. As Kamluk explains, this is the only way to make sure malware demonstrates its natural behavior on a full scale. Sandboxing, where the environment is emulated with virtual machines, is not always reliable, since malware can detect the virtual environment and halt its activity.
More and more crimes are being committed with the help of digital tools, including software built and used for malicious purposes. That’s why having malware research capacity is very important for a place like the Digital Forensics Lab at IGCI.
And with that, the tour ends. Clearly, not all the interesting places in IGCI were shown to guests: multiple intriguing doors locked with hi-tech biometric locks can be seen while traveling from one stop to another. However, what has been shown is enough to understand that, as with many other things, Singapore is far ahead of the rest of the world when it comes to best practices in cybercrime investigation. IGCI is all about efficient and modern ways to fight crime on a global level. And Singapore, often called a city of the future, is the perfect place to start making the world cyber-safe.