Italy & Romania Take Down €20m Cyber Fraud Ring

The Italian National Postal and Communication Police Unit (Polizia Postale e delle Comunicazioni) and the Romanian National Police (Poliția Română), supported by Europol and Eurojust, dismantled an organised criminal group involved in financial fraud, cybercrime and money laundering.

On 7 July, Italian and Romanian law enforcement authorities carried out 12 house searches and arrested 12 individuals (8 in Italy and 4 in Romania). The operation led to the seizures of personal computers, credit cards, properties, vehicles and other assets with an overall estimated value of over €1.5 million.

The criminal organisation was using a wide network of money mules in Italy, created to launder criminal proceeds from a variety of cybercrime activities. The criminal group was involved in financial frauds and cyber scams such as rental fraud (fraud through the advertisement of non-existent properties to rent) and CEO fraud (impersonating a company official to trigger large transfers to bogus accounts). With these frauds, the criminals were deceiving victims across Europe into making wire transfers to Italian bank accounts, owned by the money mules. It is estimated that the criminal group has generated up to €20 million losses per year for victims across Europe.

Europol supported the operation by facilitating information exchange and providing analytical support. During the two action days, Europol deployed an expert to Italy to cross-check in real time operational information against Europol’s databases and provide leads to the investigators in the field.

Eurojust facilitated the coordination of the operation and the cooperation between the judicial authorities involved in the case.

Dismantling of an encrypted network sends shockwaves through organised crime groups across Europe

At a joint press conference French and Dutch law enforcement and judicial authorities, Europol and Eurojust presented the impressive results of a joint investigation team to dismantle EncroChat, an encrypted phone network widely used by criminal networks.

Over the last months, the joint investigation made it possible to intercept, share and analyse millions of messages that were exchanged between criminals to plan serious crimes. For an important part, these messages were read by law enforcement in real time, over the shoulder of the unsuspecting senders.

The information has already been relevant in a large number of ongoing criminal investigations, resulting in the disruption of criminal activities including violent attacks, corruption, attempted murders and large-scale drug transports. Certain messages indicated plans to commit imminent violent crimes and triggered immediate action. The information will be further analysed as a source of unique insight, giving access to unprecedented volumes of new evidence to profoundly tackle organised criminal networks.

In recent years, European countries have been increasingly affected by organised crime groups who are pervasive and highly adaptive, posing one of the most pressing security challenges faced by law enforcement and judicial authorities. In this regard, the abuse of the encrypted communication technologies is a key facilitator of their criminal activities.

Since 2017, the French Gendarmerie and judicial authorities have been investigating phones that used the secured communication tool EncroChat, after discovering that the phones were regularly found in operations against organised crime groups and that the company was operating from servers in France. Eventually, it was possible to put a technical device in place to go beyond the encryption technique and have access to the users' correspondence.

In early 2020, EncroChat was one of the largest providers of encrypted digital communication with a very high share of users presumably engaged in criminal activity. User hotspots were particularly present in source and destination countries for cocaine and cannabis trade, as well as in money laundering centres.

Given the widespread use of the encrypted telephone solution by EncroChat among international criminal networks around the world, French authorities decided to open a case at Eurojust, the EU Agency for Criminal Justice Cooperation, towards the Netherlands in 2019. Further developments in the investigations led to organising the processing of the data, which was captured on the basis of the provisions of French law and with judicial authorisation, through the frameworks for international judicial and law enforcement cooperation.

The data was in first instance shared with the Netherlands. Eurojust facilitated the creation of a joint investigation team (JIT) between the two countries and with the participation of Europol, the European Union Agency for Law Enforcement Cooperation, in April 2020.

Europol has been actively involved in the investigations led by France and the Netherlands since 2018, relating to the provision and use of encrypted communication services by organised crime groups. Through its role as an information hub and its extensive analytical and technical support system, Europol was able to create and provide a unique and global insight on the scale and functioning of organised crime, as a result of this investigation. This will help law enforcement to combat organised crime in the future more successfully. Europol’s support from the early stages of this JIT included: promoting and arranging international cooperation, providing extensive analytical and financial support, technical expertise and a secured platform for the exchange of information between the countries involved. A large dedicated team at Europol investigated in real time millions of messages and data that it received from the JIT partners during the investigation, cross-checked and analysed the data, and provided and coordinated with the JIT partners the information exchange to concerned countries.

A large number of suspects have also been arrested in several countries which were not participating in the JIT but particularly affected by the illegal use of these phones by individuals active in organised crime, including in the UK, Sweden and Norway. Many of these investigations were connected with international drug trafficking and violent criminal activities.

At the same time, numerous operational meetings for the daily coordination between the law enforcement entities of the JIT partners and other countries took place at Europol, partly during COVID-19.

Eurojust intensively facilitated the judicial cooperation, during the extensive use of European judicial cooperation instruments such as European Investigation Orders. Throughout the investigation, the JIT members organised five coordination meetings at Eurojust to bring all involved parties together in a secure environment, identify parallel or linked investigations, decide on the most suitable framework for cooperation and solve potential conflicts of jurisdiction.

In France, where the operation takes place under the code name "Emma 95", the Gendarmerie has set-up a Taskforce since March 2020. With more than 60 officers, the Gendarmerie leads the investigations targeting the EncroChat encrypted telephone solution under the supervision of the magistrates of the JIRS of Lille. The Taskforce has been monitoring the communications of thousands of criminals, leading to the opening of a wide range of incidental proceedings. France does not wish to communicate further on these on-going investigations nor on the results obtained. The considerable resources deployed demonstrate the importance of these investigations and the importance attached to their success in France.

In the Netherlands, where the operation went under the code name “Lemont”, hundreds of investigators have, with authorisation of the examining magistrate, followed the communications of thousands of criminals day and night since the operation began to unravel and act on the intercepted data stream. The criminal investigation has been led by prosecutors from the Dutch National Public Prosecution Service and the information has been made available to about a hundred ongoing criminal investigations. The investigation has so far led to the arrest of 60 suspects, the seizure of drugs (more than 10 000 kilo cocaine, 70 kilo heroin, 12 000 kilo cannabis, 1 500 kilo crystal meth and 160 000 liter of a substance used to produce synthetic drugs), the dismantling of 19 synthetic drugs labs, the seizure of dozens of (automatic) fire weapons, expensive watches and 25 cars, including vehicles with hidden compartments, and almost EUR 20 million in cash. The expectation is that information will be made available in more than 300 investigations. In a number of cases, more arrests are very likely to follow in the coming period.

The interception of EncroChat messages came to an end on 13 June 2020, when the company realised that a public authority had penetrated the platform. EncroChat then sent a warning to all its users with the advice to immediately throw away the phones.

While the activities on EncroChat have been stopped, this complex operation shows the global scope of serious and organised crime and the connectivity of criminal networks who use advanced technologies to cooperate on a national and international level. The effects of the operation will continue to echo in criminal circles for many years to come, as the information has been provided to hundreds of ongoing investigations and, at the same time, is triggering a very large number of new criminal investigations of organised crime across the European continent and beyond.

The EU Cybersecurity Act’s first anniversary: one step closer to a cyber secure Europe

On 27 June 2020, the European Union Agency for Cybersecurity (ENISA) celebrated the first anniversary of the EU Cybersecurity Act (CSA) and its strengthened role towards securing Europe’s information society. The CSA gave the Agency a permanent mandate, a new list of tasks and increased resources, and also established the EU cybersecurity certification framework.

The Agency now plays a key role in setting up the framework and builds on its past work towards achieving a high common level of cybersecurity across the European Union by actively supporting Member States, EU institutions, industry, academia and citizens. Regarding the framework, the Agency is close to completing the first cybersecurity certification scheme and is making rapid progress towards a second one, on cloud services.

The mandate has also expanded the Agency’s role in supporting capacity-building and preparedness capabilities, as well as operational cooperation - areas that continue to be put to the test during the COVID-19 pandemic. ENISA acted quickly at the onset of the pandemic by preparing awareness campaigns, sets of tools and publications offering in-depth guidance on cyber safety for organisations, businesses and citizens, all publically available on the webpage COVID19.

Under its expanded role in policy development and implementation, ENISA has thrived, especially in the area of emerging technologies. For 5G security, ENISA has been involved in each phase and continues to support the European Commission and Member States as a common toolbox is being implemented. Last year, the Agency also supported the EU Member States with developing an EU-wide joint risk assessment regarding the 5G roll out, and delivered a 5G threat landscape report, which analyses threats at a more technical level. On Artificial Intelligence, the Agency has set up a 15-member ad-hoc working group on Cybersecurity for AI that will further advance European expertise on AI threats and solutions.

In addition, ENISA has welcomed the newly mandated tasks around research and innovation by creating the EU cybersecurity skills framework and fostering collaboration amongst the four cybersecurity pilot projects of the European Cybersecurity Competence Network.

EU grants €38 million for protection of critical infrastructure against cyber threats

The Commission announced today that it is committing more than €38 million, through Horizon 2020, the EU's research and innovation programme, to support several innovative projects in the field of protection of critical infrastructure against cyber and physical threats and making cities smarter and safer.

Mariya Gabriel, Commissioner for Innovation, Research, Culture, Education and Youth, said, "Over the past years we have offered our support to research and innovation actions in the area of cybersecurity that contribute to better protecting key infrastructure and the people living in European smart cities. I am pleased that today we are able to offer yet another significant amount of funding through Horizon 2020 towards security, privacy and threat mitigating solutions.”

Thierry Breton, Commissioner for Internal Market, added, "Securing network and information systems and enhancing cyber resilience are key for shaping Europe's digital future. As we are faced with a diverse array of cybersecurity threats, the EU is taking concrete measures to protect critical infrastructures, cities and citizens. More investments at EU and national level in innovative cybersecurity technologies and solutions are of paramount importance to strengthen EU's resilience to cyberattacks.

Three projects (SAFETY4RAILS, 7SHIELD and ENSURESEC) will work to improve prevention, detection, response and mitigation of cyber and physical threatsfor metro and railway networks, ground space infrastructure and satellites, as well as e-commerce and delivery services. Two additional projects (IMPETUS and S4ALLCITIES) aim at enhancing the resilience of cities' infrastructures and services and protecting citizens in case of security incidents in public spaces.

The projects are expected to start between June and October 2020 and will run for two years. The Research Executive Agency will manage the five selected projects and has finalised the preparation and signature of grant agreements with the beneficiaries.

The EU's financial contribution is provided in the form of grants that can be up to 100% of the project’s total budget. All projects were selected for funding under a competitive call for proposals Protecting the infrastructure of Europe and the people in the European smart cities, under the Societal Challenge 7 ‘Secure societies’ launched on 14 March 2019.

The support is part of the EU's commitment to build a strong cybersecurity culture and enhanced capabilities to resist and respond effectively to potential cyber threats and attacks.

Mass Care/Emergency Assistance Pandemic Planning Considerations Guide

FEMA announces an advisory document to examine the unique considerations when developing mass care and emergency assistance plans associated with a pandemic scenario. The processes discussed can be implemented by the jurisdiction without federal assistance or when federal assistance is requested and available. In this document, “jurisdiction” refers to local, state, tribe or territory, insular area and federal governments.

Further details and to download the document visit www.fema.gov/media-library/assets/documents/188597

FEMA offers Business Emergency Operations Center Quick Start Guidance

A Business Emergency Operations Center (BEOC) can provide a consistent integration point for private and public coordination for sustained response and recovery operations throughout the COVID-19 pandemic, with no requirement for physical contact. This quick start guidance provides foundational concepts for establishing a BEOC to support their response and recovery operations for COVID-19.

Business Emergency Operations Center Quick Start Guidance can be downloaded at https://www.fema.gov/media-library/assets/documents/188573

Spotlight on incident reporting of telecom security and trust services

ENISA, the EU Agency for Cybersecurity, released a new version of CIRAS, a tool for statistical analysis of cybersecurity incidents. Two new sets of EU data on cybersecurity incident were made available:

Telecom security incidents reported for the year 2019
Trust services security incidents for 2016-2019

The online visual tool, accessible to the public, now gives access to 8 years of telecom security incidents, and 4 years of trust services incident reports: a total of 1100 cybersecurity incidents. The new visual tool allows for analysis of multiannual trends.

Mandatory cybersecurity incident reporting is a corner stone of cybersecurity legislation in the EU. Cybersecurity incident reporting gives the national authorities in Europe vital information about the root causes and overall impact of major incidents. Every year national authorities send summaries of these major cybersecurity incidents to ENISA for aggregation and analysis at EU level. ENISA publishes statistics in yearly reports and gives access to aggregated and anonymised data in the online visual tool, to increase transparency about cybersecurity incidents. This online visual tool allows for custom analysis of trends and patterns. For example, the user is able to select a specific time-period or specific root cause categories and get custom statistics about detailed causes and assets affected. ENISA also maintains a private repository for the national authorities.

Background and legal base:

ENISA has been supporting the EU telecom security authorities with the implementation of EU wide telecom breach reporting, under Article 13a of the Framework directive since 2010.

Under this framework, ENISA develops procedures, templates, tooling and analysis and publishes an annual report with aggregated statistics about the telecom security incidents with significant impact since 2012.

ENISA has been supporting supervisory bodies in the EU with cybersecurity breach reporting for trust services under Article 19 of the eIDAS regulation since 2016. Besides, ENISA also started to support the NIS cooperation group with the cybersecurity incident reporting along the provisions of the NIS Directive.

ENISA will be publishing the detailed annual reports in the coming weeks.

Root causes of telecom security incidents

Over the last 4 years, the most common root cause of telecom security incidents is system failures (412 out of 637 incidents). The second most common root cause is human errors with nearly a fifth of total incidents (19%, 119 incidents in total). Natural phenomena are the third root cause with 11% while only 4% of the incidents are categorized as malicious actions.

Root cause categories of trust services security incidents

Over the 4 years of trust services security incident reporting, the most common root cause is System failures (60%). Around a fifth of the reported incidents were due to human errors and a fifth of the incidents were flagged as malicious actions. Natural phenomena are not a common root cause in this sector. This sector operates differently than the telecom one. With large-scale aboveground infrastructure for the mobile networks, the telecom sector is more vulnerable to natural phenomena.

FBI and CISA Warn Against Chinese Targeting of COVID-19 Research Organisations

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a Public Service Announcement today warning organizations researching COVID-19 of likely targeting and network compromise by the People’s Republic of China (PRC). Healthcare, pharmaceutical and research sectors working on COVID-19 response should all be aware they are the prime targets of this activity and take the necessary steps to protect their systems.

China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19. This announcement is intended to raise awareness for research institutions and the American public and provide resources and guidance for those who may be targeted.

The FBI requests organizations who suspect suspicious activity contact their local FBI field office. CISA is asking for all organizations supporting the COVID-19 response to partner with the agency in order to help protect these critical response efforts.

Additional technical details regarding the threat will be released in the coming days. CISA and the United Kingdom’s National Cyber Security Agency released a similar alert earlier this month warning of malicious actors targeting COVID-19 response organizations using a tactic of password spraying.