Investigator says differing names for hacker groups, hackers studying investigative methods hinders law enforcement

Competing agencies and districts are another hurdle for prosecutions, an investigator said in a recent speech.
(Image credit: Flavio Coelho, Getty Images)

Malicious hacking groups pay close attention to public documents related to criminal prosecutions, and the lack of standardized names for those groups hampers U.S. federal law enforcement, an investigator said in a recent speech.

The investigator, who could not be named under the conditions of the speech, said those are just two of many problems facing investigators pursuing cybercriminals in a justice system that was set up long ago and never designed to account for the complexities created by hackers — who operate across the world and attack targets around the globe.

One particular problem the subject raised was that hacking groups make use of the Public Access to Court Electronic Records (PACER) system.

“Threat actors absolutely love PACER. Most threat actors have a PACER account,” the investigator said. “They’re studying affidavits. They’re studying how” investigations are opened and conducted.

Additionally, there’s no automated process for deconflicting cases opened in multiple locations tackling overlapping groups, the investigator noted.

“It’s not easy. It’s really hard,” they said. “Guess what makes it even harder? Fragmented naming landscapes.”

The investigator didn’t fault different cybersecurity companies that create their own cybercriminal group names for wanting to market their lexicon. But the inability of law enforcement to lean on one common standard — for group names, indicators of compromise and tactics, techniques and procedures — is a problem, they said.

And there are disincentives for law enforcement agencies and agents from different districts to work together. “Everyone wants to get theirs,” they said. “Everyone wants their stats, because that’s what they’re judged on.”

Of the 80 federal law enforcement agencies, 40 have a role in cybercrime investigations, they said. The FBI’s National Cyber Investigative Joint Task Force is meant to help with this kind of deconfliction, but it doesn’t work as well as it could because the people selected to work on it are detailed from their agencies rather than assigned, which leads to those detailees still largely just trying to fight for their agency rather than work together. EUROPOL has fewer such conflicts because of assignments, the investigator said.

The investigator said it would be beneficial if personnel were able to work anywhere in the country when they’re working cases that impact their areas of responsibility. For example, an agent in Chicago should be able to work a case on a victim in Idaho given that the crime occurred over the network that everyone is using.

“The bad guys are virtual,” the investigator noted.
