Announced in June 2022, the Cybercrime Atlas is an initiative from the World Economic Forum (WEF) to map activities of cybercriminals and create a database that can be used by law enforcement across the world to disrupt the cyber-criminal ecosystem.
Cybercrime Atlas officially launched in February 2023 in a partnership between WEF and Banco Santander, Fortinet, Microsoft, and PayPal. Cybercrime Atlas was conceptualised by WEF’s Partnership against Cybercrime, which includes more than 40 public and private organisations.
How the Cybercrime Atlas is being developed
The first iteration had “really smart” analysts from organisations throughout the globe brought together to come up with a normalised taxonomy from where samples would be selected.
From this, 13 major known threat actors were the initial focus. Using open-source intelligence the analysts looked at things like the bad guy's name, the address that they're known to live at, their bank account details, their crypto wallet details, their social media footprint, known bulletproof hosting, and other malicious services that they're using.
“The idea was we collect all the information that we knew we could find from open source on these guys, normalise it, vet it, and then put it into a repository,” Glenn Maiden, director of threat intelligence operations at FortiGuard Labs ANZ, tells CSO. All the information collected is investigated to find the single source of truth, cull out the noise and have human verified intelligence.
The aim is to build a comprehensive picture of the cybercrime landscape covering criminal operations, shared infrastructure, and networks. The result, the involved parties expect, will be that the links between the information gathered about threat actors will help the security industry more effectively disrupt the cybercriminal ecosystem.
For this initial iteration, actionable intelligence has been collected from 13 criminal groups across the main attack landscape — ransomware, business email compromise, malware, and card fraud.
“The insights generated will help promote opportunities for greater cooperation between the private sector and law enforcement to address cybercrime,” Jeremy Jurgens, managing director for the World Economic Forum, said in a statement.
These will eventually be shared with global law enforcement groups such as Interpol and FBI, but it will also help the analysts and vendors involved — those who lent their best analysts — to find commonalities in the attackers’ actions and ways. “We've actually found linkages between organised crime gangs and even nation state entities, they're all operating together,” Maiden says.
Build an open-source cybercrime repository
In February 2023 was when the project was deemed ready to begin to move from the prototype phase to minimum viable product. Or, in other words, from ad hoc systems and repositories to having dedicated project managers, finding the most appropriate, robust system to build the database, and working out the business logic.
“There's going to be some people that are contributors, there's going to be some people that are consumers, there's going to be some people that are both,” Maiden says. This will require the build of rules around clusters, with “need to know” clusters for those that might want to collaborate on a particular crime or case.
Information being used to build this repository is based on information that is available widely which means no issues with different countries’ laws on data. That also means once they have an open-source repository there won’t be any security or proprietary constraints and sharing. When it is ready it will be able to be shared with local law enforcement participant agencies.
Future possibilities for the Cybercrime Atlas
Unfortunately, this won’t be something that commercial organisations across the world are likely to benefit from directly. Companies that have been supporting the project by sending their best analysts to help in the creation of the data base will have access to it, but this is a tool created for law enforcement.
When the database is ready and has been in use, local law enforcement in different countries that have their own non-public intelligence could potentially use it to cross refence those two data sets and augment their own source intelligence.
The Cybercrime Atlas is still being developed and not mature enough to consider larger questions such as what happens when threat actors start seeing them as a threat and start producing convincing false information to lead the investigations somewhere else.
But “a lot of money” has been put into this and there is likely to be a lot of interest from law enforcement agencies across the world.
Maiden shares that Fortinet is looking at other opportunities with the community that was created and other opportunities to disrupt. This could be “us looking at potentially a legal or policy change in a certain jurisdiction where these bad guys are, running some of their operations or infrastructure -- looking at some of these broader implications based on that initial, platform and community.”
How a worldwide unified cybercrime database can help bring down attackers
Despite details of major attacks being usually kept under lock and key, collaboration among cybersecurity professionals has always existed. Having the support of an independent organisation such as the World Economic Forum could help not only bringing a worldwide community together, but it may also bring an extra level of trust.
It is unlikely that all nations will benefit from it, at least not while state sponsored attacks are a threat and nations where attackers may be based chose to not cooperate with other countries.
One recent example of this is that when trying to work with Russia, Five Eyes member Australia revealed it had yet to get a response from Russia regarding the cyberattack on private health insurance provider Medibank.
In November 2022, the Australian Federal Police (AFP) revealed that those responsible for the Medibank data breach were in Russia. Following a Five Eyes law enforcement meeting in Melbourne, Australia, AFP Commissioner Reece Kershaw shared in an interview with Nine’s 60 Minutes that Australia is still waiting to receive intelligence back from Russia.
“We have shared our viewpoint on who we think some of these individuals and groups are. Given the fact that we shared some very detailed, specific intelligence, we’d like to see a result come back and we are still waiting on that front.”