Encrochat – the evolution of Cybercrime

Author: Gary Hibberd

Date: 3rd July 2020

On the morning of 2nd July 2020, it was revealed that UK law enforcement agencies had performed a major ‘sting’ operation that resulted in the arrest of more than 700 suspected criminals, involved in drugs, guns and other criminal activities.

The suspects are thought to be major players in the criminal underworld, but today 746 of them are sat behind bars, the Police have seized over £54 million in cash, dozens of guns, and over 2 tonnes of drugs(with an estimated street value of £28 million). Today the world is a slightly safer place.

What’s the Cyber connection?

You might be wondering what this has to do with a Cybersecurity blog? Well, of course just like your business, you have scaled your operation to use the latest in technology, and perhaps you’ve also considered the risks and security of your operations too.

Maybe you’ve considered the use of security tools that will ensure safe communication. If you have, then most likely you’ve considered the use of encryption in emails but stopped short of anything else.

What we need to remember is that criminals are people, just like you and me. Of course, they have a different moral code and highly questionable code of conduct, but if we think of them as some other species, we run the risk of forgetting that they act just like other humans do.

Like any sector, Criminal gangs need to know who they can trust, and they need to know they can communicate securely. Their motives are partly driven by greed, the need to be trusted by their ‘clients’, and the need to keep ahead of the law.

What emerged yesterday was a story that has illustrated that there is no such thing as ‘good technology’ and ‘bad technology’. It’s simply how they are used.

Enter the world of Encrochat

If you’ve never heard of this device before, it’s not surprising, as few people have.  Therefore allow me to introduce you to what is reported to be the most secure mobile phone on the planet.  You won’t find a fancy camera, and you won’t find the latest games upon it, but the list of features are no less impressive;

– Guaranteed Anonymity – No way to associate the SIM/device to a customer

– End-to-End Encryption – All communication is encryption

– Fully Encrypted platform – No way to access the information without authorisation

– Panic Wipe – From a locked screen a user can enter a PIN to wipe all content immediately

– Password Wipe – After a set number of password attempts the device will auto-wipe

– Brute-Force Protection – FIPS 140-2 Certified to prevent brute force attacks

It is little wonder that this device became so popular with those who would rather keep their activities away from prying eyes. But does all of this come at a super high cost? No. You can purchase this for less than £1,600.

But while the device itself is secure, and it reports end-to-end encryption, it transpires that the NCA was able to plant a device on servers owned by Encrochat. This allowed them and other law enforcement agencies to intercept messages, download, and decode them.

Cybersecurity is not a technology problem

So how did this happen? Of course, what law enforcement has achieved is highly technical, but how were they able to get the ‘technical device’ installed on servers in Encrochat? And The answer to that question, I believe, rests outside of the technology and brings us back to a point I find myself repeatedly making; Security isn’t a technology issue. It’s a business risk.

Exact details of how they were able to carry out the sting will (quite rightly) be a closely guarded secret. But there is little doubt that this will have been a joint operation, across multiple agencies, including the National Crime Agency (NCA), Europol (perhaps Interpol), and the National Cyber Security Center (NCSC). From the legal side of the fence, we would call this attack an APT; Advanced Persistent Threat, which means that there are multiple skills and capabilities being used against us.

But how did they manage to crack a device that claims to be the most secure device on the planet?

Again, I can only speculate, but it’s fair to say that the Criminals on this occasion did what a lot of people do; They put too much trust in technology. Did they perform adequate background checks on their new recruits? Did they conduct any form of training and awareness around security? Did they train them not to click on infected links (yes, law enforcement do use phishing attacks against known criminals).

What about Encrochat? How good was their physical security at their premises? Did they train their staff NOT to insert USB drives that they found on the street?! One can only guess.

Technology gave the criminals a false-sense of security, as they believed their conversations were free from prying eyes and ears.  But of course, it only takes one of these devices to be placed into the hands of someone who is under the control of law enforcement, and that includes servers at the host company. At that point, all the security features in the world can’t help you.

Evolution of Cybercrime

In truth, there is now only two forms of Cybercrime; Cyber-enabled crime and Cyber-dependent crime.

Cyber-dependent crime are the ones we most associate with technology and include; Hacking, ransomware, malware, DDoS attacks, logic bombs, phishing attacks, social engineering, identity theft

But Cyber-enabled crime is no less damaging, as it includes; Fraud, theft, IP Theft, money laundering, drug trafficking, human trafficking, blackmail, ransom, burglary, bullying, stalking and sexual abuse.

This is why it is thought that Cybercrime will generate at least $1.5 trillion this year. It is big business and has been a growing concern for some time.

 Back in 2017, Dr Michael McGuire, spoke at the RSA Conference and stated that;

“The emergence of a complex and multi-layered cybercrime economy has [also] begun to suggest a fundamental shift in the very nature of the crime itself. In this context, overt acts of crime become less central features of the criminal ecosystem when compared to the services and platforms that feed off and support crime – which become increasingly low-investment, high-yield and low-risk operations.”

Conclusion

While some may seek to vilify Encrochat for creating a device that is used broadly by criminals, I would simply remind you that criminals have used cars for a very long time to rob banks, shops, and houses.

Technology is neither good nor bad. It just exists.  What a user decides to do with technology is an entirely different thing.

One thing is for sure; There is no such thing as 100% secure. The 746 criminals now languishing in prison now know this. They relied too heavily on the technology to keep them out of reach of their adversary (law enforcement).

As business owners and leaders, it’s important that you don’t make the same mistake. Don’t rely on technology to save your operation.  Focus on screening processes of people. Focus on training them and understanding how they’re using technology and Data.

Technology can only help you so much. To stand any chance of being truly secure, you need to rely on people supporting you, and knowing that your third-parties (your suppliers) are focusing on security too.

Finally; While I offer a sincere thank you to to all law enforcement agencies involved in the fight against crime, cyber-enabled or cyber-dependent. We must all recognise that we’re in this fight together.

But for today; It’s Good Guys 1 – Bad Guys Nil.