How the UK's National Crime Agency Fights Cybercrime With Hacking of Its Own

Over the past few months, more details about UK law enforcement's closely-guarded use of "equipment interference"—the government's broad term for hacking—have come to light. This is due to a series of evidence submissions for a proposed (and controversial) surveillance law, the Investigatory Powers Bill, which would usher in new authorisations for how police can use malware or exploits to take over computers.

New examples of how the National Crime Agency—essentially the UK's version of the FBI—actively uses hacking powers to combat cybercrime have been revealed in a piece of written evidence submitted by officials from the NCA, HM Revenue & Customs, and the National Police Chiefs Council, dated this month.

The evidence gives four examples of how UK law enforcement have used equipment interference, including two relating to NCA cybercrime investigations. "The NCA used targeted equipment interference techniques against an advanced cyber-crime group and those laundering the proceeds of their criminality," one details.

These criminals, the evidence continues, used malware to steal money from victims and allegedly made hundreds of thousands of pounds per attack. The group also used "encrypted means of communication to avoid detection," the evidence claims. Encryption is one of the main reasons UK law enforcement have given for using hacking capabilities.

"An equipment interference technique was deployed to capture the key strokes of members of the criminal network," the document continues, although it does not elaborate on how this key-logging ability was delivered to targets—whether this was done through physical access to a device, or remotely.

Regardless, "The deployment of this equipment interference technique provided insights into the activities of the individuals, thereby informing the investigative strategy," the evidence reads.

An NCA spokesperson told Motherboard in an email that, "The examples that were used in the written evidence relate to investigations that are still ongoing, therefore we are unable to provide you with any further information I'm afraid."

The evidence submission also includes a diagram—a scale of sorts—for the range of capabilities that fall under equipment interference. This starts with physical access and examination of a device, through to using login credentials to access an account, then the physical or remote deployment of equipment interference "tools," right up to "remote exploitation of a device."

The other cybercrime example given in the evidence pertains to an investigation into a group that installed malware onto victims' devices to steal banking details. Here, the agency deployed "advanced" hacking techniques, which "enabled the NCA to view/identify stolen data."

"By sharing this information with partners and engaging with relevant third party organizations, the NCA was able to mitigate the threat and protect potential victims," the document reads.

In both examples, no specific criminal groups are named, but in October 2015, the NCA announced it had disrupted the Dridex malware campaign, along with help from private cybersecurity company Trend Micro.

The information included in these examples may seem like small pickings, but in the UK, law enforcement's use of hacking powers has traditionally been much more opaque than in, say, the US, where the FBI's purchase and deployment of malware has been more widely reported.

Some campaigners feel like the snippets of information released are not enough though.

"The record must be set straight by the police. How long have they been hacking? How often? Who oversaw the practice? A full accounting is now needed," Eric King, an independent surveillance expert and activist told Motherboard in an email.