Matt Zbrog
Sitting alongside government corruption and narcotics trafficking, cybercrime is one of the most costly illegal activities in the world. A 2014 report by the Center for Strategic and International Studies (CSIS) estimated the global cost of cybercrime to the global economy as approximately $445 billion per year. A follow-up study in 2018 put the number closer to $600 billion—amounting to almost a full 1 percent of global GDP.
Cybercrime is a category of crime practically as vast as the internet itself. Broadly defined, it is any crime that involves a computer and a network; the computer can be either the tool used to commit the crime or its specific target. Underneath this large umbrella, subcategories of cybercrime can include fraud, extortion, theft, copyright infringement, narcotics trafficking, and espionage.
The FBI’s Cyber Most Wanted includes members of Chinese, Russian, and Iranian intelligence services. It also features a man who stole digital copies of Game of Thrones scripts ahead of production and held them for ransom. There are people on the list who have hacked into hydroelectric dams, government agencies, and private companies. One person sold fake cars on eBay, while others sold bank and credit card information.
Compared to the standard most wanted list, the world of cybercrime proves how terrifyingly easy it is to affect huge numbers of people from a single computer. Conversely, it takes a small army to combat a single instance of cybercrime. That’s part of the reason that the FBI, along with other law enforcement agencies across the world, has increased its focus on cybercrime. The stakes are alarmingly high.
The most widespread cybercrime on record is the WannaCry ransomware attack. In what Europol called a case of unprecedented scale for cybercrime, the WannaCry virus infected some 200,000 computers across 150 countries. This went beyond simple inconvenience. The National Health Service in England and Scotland found its hospitals and medical devices affected, leading them to divert ambulances and turn away non-critical emergencies. Manufacturing giants like Nissan and Renault had to temporarily halt production at several of their sites. Numerous other banks, corporations, and governments were affected.
The WannaCry attack was launched on May 12, 2017, exploiting unsupported and non-updated versions of Microsoft Windows. When the WannaCry virus was executed on a machine, the malware first checked an unregistered domain name. If, as intended, that domain name was not found, then the virus would encrypt all of the infected device’s data, and spread itself both laterally across shared networks and randomly across the internet. The final payload of the virus would then demand a cryptocurrency payment from the owner of the now-encrypted data: $300 in bitcoin within three days or $600 within seven days.
Security experts were quick to alert the public not to pay the ransom—firstly, because there had been no reports of a successful retrieval of one’s files, and, secondly, because a high payout to the perpetrators would only encourage further attacks in the future. As a result, actual ransom payments were quite low. But the cost of cybercrime at this scale isn’t just measured in dollars. If a kill switch had not been discovered, or if the attack had been specifically targeted at critical infrastructure (e.g., nuclear power plants, electric grids, dams, air traffic and train networks), the damage could have been cataclysmic.
Researcher Marcus Hutchins found the way to stop WannaCry’s spread without even really knowing it at first. While running his initial sample analysis of the virus, he noticed it pinging an unregistered domain, so he registered it. This wasn’t, in his words, just a whim. It was best practice. In the course of his job, he’d registered thousands of suspicious domains every year as a way to track and stop cybercrime botnets. But after this routine step, his sample analyses failed to run the WannaCry virus to completion. By registering the pinged domain name and creating a “DNS sinkhole,” he’d also uncovered a kill switch. Realizing what he’d stumbled upon, Hutchins and his colleagues worked quickly to reinforce and defend their sinkhole, spread the word, and halt the most widespread cybercrime attack in history.
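The two pieces of the story above, the domain check that the sample performs and the sinkhole that turns every such check into a beacon from an infected host, are easy to model. The following is an added example written for this article, not code from the article, from Hutchins, or from any WannaCry sample; the check domain, the sinkhole address, and the query-log lines are all constructed placeholders.

```python
"""Toy model of a DNS kill switch as an analyst observes it in a sandbox,
plus the defender's view of a sinkhole: a parser over constructed sinkhole
query logs that reports which hosts beaconed, hour by hour.
Added example; domain names, IPs and log lines are invented."""
import re
from collections import defaultdict
from datetime import datetime

# Placeholder for the check domain (the real one is not reproduced here).
CHECK_DOMAIN = "killswitch-check.example"


def sample_proceeds(resolve, domain=CHECK_DOMAIN):
    """Model of the observed behaviour: the sample only continues when the
    lookup of its check domain fails (resolver returns None for NXDOMAIN)."""
    return resolve(domain) is None


def unregistered_resolver(_domain):
    """Resolver for the world before the domain was registered: NXDOMAIN."""
    return None


def sinkhole_resolver_for(sinkhole_ip):
    """Resolver for the world after registration: the check domain now
    answers with the sinkhole's address, so the sample halts."""
    def resolve(domain):
        return sinkhole_ip if domain == CHECK_DOMAIN else None
    return resolve


# Constructed sinkhole query log, one query per line:
# "<ISO-8601 UTC timestamp> <client ip> <qtype> <qname>"
SINKHOLE_LOG = """\
2017-05-12T15:58:01Z 203.0.113.7 A killswitch-check.example
2017-05-12T15:58:09Z 198.51.100.23 A killswitch-check.example
2017-05-12T15:58:40Z 203.0.113.7 A killswitch-check.example
2017-05-12T16:02:11Z 192.0.2.77 A killswitch-check.example
2017-05-12T16:02:13Z 192.0.2.77 A www.example.org
2017-05-12T16:15:55Z 198.51.100.23 AAAA killswitch-check.example
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA)\s+(\S+)$")


def infected_hosts_by_hour(log_text, domain=CHECK_DOMAIN):
    """Return {hour: sorted unique client IPs} for queries of the sinkholed
    domain. Each query is a host that ran the sample and hit the kill
    switch; other names that happen to reach the resolver are ignored."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        ts, client, _qtype, qname = m.groups()
        if qname.lower().rstrip(".") != domain:
            continue
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%d %H:00")
        buckets[hour].add(client)
    return {hour: sorted(ips) for hour, ips in sorted(buckets.items())}


def total_infected_hosts(log_text, domain=CHECK_DOMAIN):
    """Count of distinct hosts seen beaconing across the whole log."""
    seen = set()
    for ips in infected_hosts_by_hour(log_text, domain).values():
        seen.update(ips)
    return len(seen)


if __name__ == "__main__":
    print("before registration, sample proceeds:",
          sample_proceeds(unregistered_resolver))
    print("after sinkholing, sample proceeds:",
          sample_proceeds(sinkhole_resolver_for("198.51.100.1")))
    for hour, ips in infected_hosts_by_hour(SINKHOLE_LOG).items():
        print(hour, ips)
    print("distinct beaconing hosts:", total_infected_hosts(SINKHOLE_LOG))
```

The point of the log parser is the one the article makes about reinforcing the sinkhole: once the domain answers, the query stream is live telemetry about the infected population, which is why the sinkhole had to stay up and reachable.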
Learning where the attack originated and from whom turned out to be more complex than stopping the virus itself. Within five days of the attack, a Google security researcher discovered the WannaCry code to be nearly identical to the code used in earlier malware attacks against Sony Pictures and Bangladesh Bank—attacks which were both attributed to the Lazarus Group, a North Korean cybercrime outfit. This wasn’t a smoking gun; it could have been the result of one group reusing another’s code or an attempt at false-flag deception. But it was, at the least, a lead.
Forensic investigations of the linguistics used in WannaCry suggested that the creators were most likely fluent in Chinese and proficient in English, as the text displayed in those languages appeared to be written by humans as opposed to translated through machine software. Further analysis found that the computer which created the text of the WannaCry ransomware had the Korean alphabet installed (detected through a rich text format tag), while further metadata in the language files showed that the host computer had its clock set to UTC+09:00 (the time zone in Korea). The circumstantial evidence was piling up.
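The "rich text format tag" clue above is the kind of artifact a forensic examiner pulls out of a document's markup rather than its visible text. The following is an added example, not from the article or the investigation it describes: it scans a constructed RTF fragment for the `\deflang`, `\lang` and `\fcharset` control words and maps their numeric values to language and character-set names using the standard Windows identifiers (LCID 1042 is Korean, 2052 Simplified Chinese, 1033 US English; charset 129 is Hangul). The sample document and its text are invented.

```python
"""Extract language indicators from RTF markup. Added example; the RTF
sample is constructed, the identifier tables are the standard Windows
LCID and charset values (a small subset)."""
import re
from collections import Counter

# Windows language identifiers used by \lang and \deflang (subset)
LCID_NAMES = {
    1033: "English (United States)",
    1042: "Korean",
    2052: "Chinese (Simplified, PRC)",
    1028: "Chinese (Traditional, Taiwan)",
    1049: "Russian",
}

# Windows charset identifiers used by \fcharset in the font table (subset)
CHARSET_NAMES = {
    0: "ANSI",
    129: "Hangul (Korean)",
    134: "GB2312 (Simplified Chinese)",
    136: "Big5 (Traditional Chinese)",
    204: "Cyrillic",
}

# Constructed sample: default language English, a Korean-charset font in the
# font table, and one run of text tagged with the Korean LCID.
SAMPLE_RTF = r"""{\rtf1\ansi\ansicpg1252\deff0\deflang1033
{\fonttbl{\f0\fnil\fcharset0 Arial;}{\f1\fnil\fcharset129 Batang;}}
\pard\f0\lang1033 Constructed ransom-note text.\par
\pard\f1\lang1042 \u54620?\u44544?\par
}"""

# "\lang" must follow a backslash directly, so "\deflang1033" does not
# double-count as a \lang tag; "\langfe" is not matched because the
# control word must be followed immediately by digits.
DEFLANG_RE = re.compile(r"\\deflang(\d+)")
LANG_RE = re.compile(r"\\lang(\d+)")
CHARSET_RE = re.compile(r"\\fcharset(\d+)")


def extract_language_indicators(rtf):
    """Return the raw numeric indicators found in the markup."""
    deflang = DEFLANG_RE.search(rtf)
    return {
        "default_lang": int(deflang.group(1)) if deflang else None,
        "lang_ids": Counter(int(x) for x in LANG_RE.findall(rtf)),
        "charsets": Counter(int(x) for x in CHARSET_RE.findall(rtf)),
    }


def describe(indicators):
    """Human-readable summary; unknown ids are kept, not dropped."""
    def lcid(n):
        return LCID_NAMES.get(n, f"unknown LCID {n}")

    def charset(n):
        return CHARSET_NAMES.get(n, f"unknown charset {n}")

    lines = []
    if indicators["default_lang"] is not None:
        lines.append(f"default language: {lcid(indicators['default_lang'])}")
    for n, count in sorted(indicators["lang_ids"].items()):
        lines.append(f"\\lang{n} x{count}: {lcid(n)}")
    for n, count in sorted(indicators["charsets"].items()):
        lines.append(f"\\fcharset{n} x{count}: {charset(n)}")
    return lines


def non_default_languages(indicators):
    """Languages tagged in the body that differ from the document default;
    these are the ones worth a second look, since the author's system had
    to have them installed to emit the tags."""
    default = indicators["default_lang"]
    return sorted(LCID_NAMES.get(n, f"unknown LCID {n}")
                  for n in indicators["lang_ids"] if n != default)


if __name__ == "__main__":
    found = extract_language_indicators(SAMPLE_RTF)
    for line in describe(found):
        print(line)
    print("non-default languages:", non_default_languages(found))
```

A tag like this is circumstantial on its own, as the article stresses; its value comes from being corroborated by other independent artifacts, such as the clock offset recorded elsewhere in the files.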
The question of who perpetrated the WannaCry attack, and how, didn’t reach the criminal courts until September 2018, when, as part of a parallel investigation into an earlier cyberattack against Sony Pictures, the US Department of Justice issued a criminal complaint against Park Jin-Hyok, listing his crimes as conspiracy and conspiracy to commit wire fraud.
In that 179-page affidavit, FBI Special Agent Nathan Shields, who had previously worked for 11 years as a software engineer at NASA’s Johnson Space Center, laid out a case that connected Park Jin-Hyok to North Korean hacking rings responsible for several cyberattacks—including WannaCry. It took over 100 search warrants for approximately 1,000 different email and social media accounts to untangle this one physical connection and involved the cooperation of numerous international law enforcement agencies and private sector security firms.
Fighting cybercrime is a team effort. Broadly speaking, it can be broken down into three areas: detection, defense, and prosecution. But the three areas overlap, and all require international cooperation and interdisciplinary collaboration.
The FBI’s Cyber Division aims to bring together all these working parts, incorporating a Cyber Action Team for corporate investigations, an Internet Crime Complaint Center for the general public, and a National Cyber Forensics & Training Alliance for forensic professionals. And the Cyber Division works together with the National Cyber Investigative Joint Task Force (NCIJTF), which in turn liaises with the CIA, DOD, DHS, and NSA. And the collaboration doesn’t merely apply to government: large cybercrime investigations often rely upon cooperation with private sector security firms.
Whether working for the public or private sector, defending the victims of cybercrime requires a forensics professional to think like a cyber criminal. This includes having a detailed knowledge of software coding, hardware vulnerabilities, network dynamics, and contemporary modes of communication. And, as the WannaCry case proves, it necessitates a mix of quick thinking, detail orientation, and methodical processing.
To trace the perpetrators of cybercrime, forensics professionals have to be obsessively detail-oriented and naturally collaborative. The connected world is more complicated than a human body and the autopsy of a single cybercrime may require the work of hundreds of coordinated professionals. But every crime leaves a trace—even if those traces have been masked, manipulated, or temporarily deleted. Digital fingerprints are left in IP addresses, dummy email accounts, social media servers, and cryptocurrency wallets. Critical clues may exist in an innocuous line of code that suggests an originating time zone or peculiar language pack. There are countless stones to overturn.
In the past, the mantra of many white-collar crime investigators was to follow the money. That mantra still holds true. But in this new world of cybercrime, today’s forensic professionals understand that it’s often more important, and more effective, to follow the data.
Colorado Technical University (BS)
Colorado Technical University offers a bachelor’s degree in criminology with a concentration in cybercrime and security. The curriculum takes criminology fundamentals about law enforcement and the court system and combines them with cutting-edge cybercrime topics. In addition to taking interdisciplinary courses and breadth subjects, students will gain an understanding of cybercrime-specific areas like network vulnerability, risk management, and cybersecurity.
Courses include topics such as the laws of evidence; cybersecurity and policy; criminal procedure; Unix fundamentals; principles of network security; computer forensics; and understanding critical infrastructures. The program consists of 182 credits and may be completed entirely online.
University of South Florida (MS)
The master of science in cybercrime program at the University of South Florida provides students with an in-depth understanding of both criminology theory and investigative practice as they relate to cybercrime. The program covers the behavioral aspects of cybercrime, the methodologies of cybercrime investigations, and the applications of digital forensics in cybercrime. Courses include topics such as profiling cybercrime; digital forensic criminal investigation; cyber victimization; and digital evidence recognition and collection. The program consists of 30 credits and may be completed entirely online.
Utica College (Certificate)
Utica College is designated as a National Center of Academic Excellence in Cyber Defense Education (CAE-CD) by the NSA and DHS, and its certificate program in cybercrime and fraud investigation gives students a working understanding of the tools and techniques used in digital forensics.
Courses include topics such as cyber technologies for criminal justice; cybercrime investigations and forensics; payment systems and fraud; and fraud prevention and detection technologies. Once completed, certificate credits may be transferred seamlessly into one of Utica’s bachelor’s degree programs in cybersecurity or financial crime investigation. The certificate program consists of 18 credits and may be completed entirely online.
Scott C. Algeier sits on the advisory board of Colorado Technical University’s securities studies program. In addition to advising on the cybercrime curriculum at CTU, he’s the founder, president, and CEO of Conrad, a homeland security consulting firm that specializes in cybersecurity, information sharing, and critical infrastructure protection issues. His work has led to the development of some of the most significant cybersecurity policies in the nation: the National Cyber Incident Response Plan, the Comprehensive National Cyber Initiative, and the National Infrastructure Protection Plan, among others.
Algeier is also an executive director at the Industry Consortium for the Advancement of Security on the Internet (ICASI), which seeks to analyze, prevent, and resolve global security challenges. Outside of his professional roles, he has made mentoring a priority: first at Mach 37, an accelerator for information security startups, and then at Manifest, an incubator for cybersecurity entrepreneurs in Austin, Texas.
Dr. LeGrande Gardner is an instructor in the criminology department at the University of South Florida, where he also serves as director of the cybercrime MS degree program and oversees the graduate certificate program in digital forensics. Prior to academia, he spent 26 years in law enforcement, including as a special agent for the FBI, where he worked on the cybercrime unit. Currently, his teaching and research interests revolve around tech-related organized crime, digital forensics, and cybercrime.
Dr. Gardner has won multiple awards for excellence in teaching, but it hasn’t stopped him from remaining a perpetual student. Through personally-driven professional development, he’s become a Certified Forensic Computer Examiner (CFCE), a Certified Electronic Evidence Collection Specialist (CEECS), and a Certified E-Discovery Specialist (CEDS). Gardner is also a member of several professional associations, including the High Tech Crime Investigation Association (HTCIA), the Consortium of Digital Forensic Specialists (CDFS), and the International Association of Computer Investigative Specialists (IACIS).
Joseph Giordano is the director of cybersecurity programs at Utica College, where he also serves as a professor of practice. He received his BS from Utica College and his MS from Syracuse University. Before joining academia, he spent 25 years at the Air Force Research Laboratory, working in database security, cyber operations, cyberwarfare, and information assurance. His research has led to two dozen publications on digital forensics, cybercrime, and network security.
Since his retirement from the Air Force, Giordano has worked as a technical director of a cyber information management, processing, and exploitation group at ITT. More recently, he founded his own cybersecurity consulting firm, Anjolen. Giordano is a member of the Armed Forces Communications and Electronics Association, the Association of Certified Fraud Examiners, and the Operations Security Professionals Society.
Matt Zbrog
Matt Zbrog is a writer and researcher from Southern California. Since 2018, he’s written extensively about the increasing digitization of investigations, the growing importance of forensic science, and emerging areas of investigative practice like open source intelligence (OSINT) and blockchain forensics. His writing and research are focused on learning from those who know the subject best, including leaders and subject matter specialists from the Association of Certified Fraud Examiners (ACFE) and the American Academy of Forensic Science (AAFS). As part of the Big Employers in Forensics series, Matt has conducted detailed interviews with forensic experts at the ATF, DEA, FBI, and NCIS.