Israel cyber week: A tale of persistence

News by Tony Morbin

Fraud con 2.0 - Insights into a cyber-crime investigation - and how GDPR can inadvertently make tracking down criminals more difficult.

In an amusingly told, but ultimately worrying, presentation, Mirko Manske, first detective chief inspector from the German Federal Criminal Police Office, detailed how he - and a cast of what seemed like thousands - tracked down and ultimately incarcerated the cyber-criminal who caused telecom services to crash for 1.2 million Deutsche Telekom users.

The actual crash was not the intended outcome of the hacker, who was creating botnets - but his instruction stream URL was too long due to a problem at the Telekom provider, and the combination caused the system to keep re-trying and ultimately crash.

Under GDPR the search would have fallen at an early hurdle, as it was trawling hoarded old records that enabled Manske to discover an old email from when the hacker was less careful. This identified him as BestBuy, and further research found that he had another email as Spiderman, which in turn led to And using the domain search service of 'Who is' - now not allowed under GDPR - a billing address for Daniel Kaye based in Tel Aviv was found, and subsequently a Facebook posting with a photo of the offender with his fiancee.

Manske reported how German law enforcement was unable to get any help from Facebook, because the offender was outside of German jurisdiction. In fact, he observed that Facebook, Google and other US global players tend to make it very, very, very, very complicated for non-US law enforcement to do their job.

However, Manske persisted. German law enforcement had kept tabs on a CAV service (counter-anti-virus, used by hackers to test their malware to check that it is not already known by the AV companies), and these criminal services keep all their records. Using its access to the backend of this CAV service, they found that BestBuy was a customer on the service, so now they had an IP address and malware. Having previously tracked the hacker moving from Tel Aviv to the UK, they now found that he had moved to Cyprus.

A problem was defining the exact law broken, as the hacker had not sought to bring down the Telekom service, but connectivity was lost because of a flaw in the system giving an unintended result.

To find victims, Manske sought a wiretap on all DT backbone customers. He acquired a valid ruling from the German courts to search for those currently, or in the last seven days, connecting to the specified IP in any control domains. DT did not want to cooperate, but was given the option to provide the details or have the police go in and try to find them - acknowledging that it might take eight months or so before they might find they were unable to do it.

As a result DT provided a lot of data, but it showed that only 16 victims remained, including himself and a friend plus 14 researchers including the Chaos Computer Club.

With no victim to make a case, Manske then sought to take over the botnet. First, it was necessary to take over the initial control domains. As AS is run by Newstar, where Manske knew the owner, it was suggested that to transfer ownership he should get a warrant against a German entity. This was done, though it was actually a warrant against a closed German company, but it still allowed the domain to transfer ownership under German law.

Shadowserver - described as a non-profit which helps the good guys, and is trying to save the internet - is strong in the domain hosting world and stepped in to help. It gave the warrant its support, and persuaded others to transfer domain names voluntarily.

No individual wanted to put a target on their back as the new owner, so to combat Spiderman, the site was registered to Clark Kent for the remaining covert phase of the operation, later moving to Superman.

Shadowserver started sinkholing the botnet but there were now no victims. 

So a new approach was taken, issuing a warrant for computer sabotage for attacking critical infrastructure. The courts agreed, which effectively made Germans' household access to the internet part of critical infrastructure.

Kaye was arrested at Luton Airport while travelling to London in February 2017. His fiancee emptied their suitcase at the airport, repacked her own belongings and went on to Cyprus - where law enforcement had already raided their house.

Kaye got 20 months in July 2017 and, having spent five months in detention, stepped out of court and was released. However, despite complicated health issues, he was re-arrested under an international arrest warrant in the UK, where he is now awaiting trial for extorting UK banks. And when he is eventually released, he will then face the US courts for attacking their critical infrastructure.

Manske listed his lessons learned, but among the key points was the need for persistence by law enforcement - and the need to cooperate with others, including extending trust to people who can't always tell you how they know what they know.
