
Police don’t have suspects in TU/e hack in their sights yet
An inside look at the police team investigating the hack
Ever since hackers tried to penetrate TU/e’s system, the Cybercrime Team of the East Brabant Police Unit has been working tirelessly to solve the case. For now, the team hasn’t identified any suspects, but the investigation is far from over. Cursor stopped by to see how it’s going.
At the headquarters of the Cybercrime Team of the East Brabant Police Unit, we find team leader Anouk Bonekamp. With regard to the ongoing investigation into the hacking attack on TU/e, she can disclose that no suspects have been identified yet. However, the team is still receiving a lot of data that is being analyzed in order to follow the trail to the perpetrators as far as they can. Information from TU/e is also being further analyzed. “That’s a lot of data to get through in order to find traces of the perpetrators.”
Hack
On the night of January 12, the hackers were spotted in the university’s network, upon which TU/e immediately called in the police. Bonekamp: “That same night, a crisis response team was set up at TU/e and we came to the campus with a police car, because when the connection is still active, the police may be able to do something.”
Bonekamp is pleased that TU/e immediately called 911. Her team has long been committed to improving relationships with companies and institutions in the region, because it’s actually not all that common for the police to be called in. “Of course, we’re taking a direct look at someone’s operations, at the victim’s network. That can be a tense affair for victims. That’s why building mutual trust is so important. It’s great that TU/e gave us access right away.”
In the act
The hackers were caught in the act. “This was possible because of an alert in the system that was handled very well by the TU/e security guards,” Bonekamp clarifies. After a cat-and-mouse game of blocking the hackers’ access to the entire network, cybersecurity firm Fox-IT recommended shutting down the network, which TU/e’s Central Crisis Team did that same Sunday. As a result, education was down for a week. “A brave but wise decision,” Bonekamp calls it.
The police are also investigating the DDoS attack on the SURF network that took place around the same time. This overloaded not only the TU/e network, but also those of some other educational institutions and hospitals in the country. Bonekamp reports that no link was found between the hack and the DDoS attack. The team considers it a separate incident.
New investigation
The police investigation is continuing. The team has requested more server data for further analysis for digital fingerprints. Bonekamp: “We aren’t at the controls ourselves, but depend on the data we get, from the victims or in this case from a number of servers. We’re waiting to get that data right now.”
Still, it’s uncertain whether this new mountain of data will lead to a suspect, Bonekamp emphasizes. “Cybercrime is different from traditional crime, such as a burglary. There are no camera images, there’s no getaway car, and the connection is often blocked by a VPN so the perpetrator disguises themselves, so to speak.” This – and the many other ways of being digitally invisible – means that in a lot of cases, the police aren’t able to track down a suspect and/or identify them.
That’s not to say criminals never make mistakes. “Those mistakes are so interesting to us, because they sometimes lead to personal data, with which we can trace their identity.” Although Bonekamp has occasionally experienced a suspect using their private Hotmail or Gmail account to purchase cybercrime tools, that’s the exception rather than the rule. “You actually constantly have to assume that the information you find is wrong. And you have to wonder if it’s the right person. Often you’re dealing with a victim whose data has been abused, not the perpetrator.”
Cybercrime as a service
Shortly after the hack, it was revealed that the hackers had gotten in through the Windows domain by using stolen login credentials from an employee and a student. Bonekamp wasn’t surprised when she was told. “It makes sense that something like this can happen. Those credentials can be found everywhere, for example on the dark web or in Telegram groups. They’re sold in ‘combo lists’, which contain email addresses and passwords. There’s a whole trade in them.”
Such combo lists are easy to find online, and you don’t even have to go onto the dark web to do so. The police team recently shut down the website Heartsender, a web shop for ready-made cybercrime packages. The team came across the website when they found phishing software on the laptop of a Dutch suspect.
“Criminals first log in with an account and then they search by product, a ransomware tool for example. It’s cybercrime as a service. If you’re even the slightest bit skilled at making yourself invisible, you can do it.”
Give it a try
The Cybercrime Team handles about twenty cases a year, including two to three major investigations. There are different positions within the team, including investigators, digital and financial specialists, and coordinators who are involved in a case from beginning to end. The team sees all kinds of things, from stolen company data to cases of stalking and online fraud.
Bonekamp doesn’t only see serious criminals at the station, far from it. She pulls out her phone and shows an article about a survey. Almost half of the ICT students in secondary vocational education do something with cybercrime. These are young people who are attracted to cybercrime because of its anonymity and low threshold, or lured into it by online influencers who, for example, convince them to buy a phishing tool. “Just to give it a try,” says the team leader.
Have you ever committed a cybercrime?
Have you ever been involved with cybercrime, just to try it out or for other reasons? Have you ever purchased one of those online tools, hacked a password, or tried to penetrate a network? If you’re open to talking about it anonymously, please send an email to w.klop@tue.nl or a WhatsApp message to +31 (0)638852539.