Since 2001, the Federal Judicial Police has maintained a specialised section dedicated to serious online crime. The FCCU focuses on investigating attacks on critical infrastructure, organised international ICT crime and other cyber threats. “We work closely with the federal prosecutor and policy makers. And for ‘alpha cases’, where cyber criminals are testing a new modus operandi, we look into which investigation method is most appropriate,” Caroline Frère explains.
In addition to the federal investigators, each judicial district has a Regional Computer Crime Unit (RCCU), which is also part of the Federal Police. “These colleagues focus mainly on hacking and ransomware at companies, in close cooperation with the local public prosecutors. We work hand-in-hand with the regional investigators. In principle, the investigation starts after a complaint is made to the local police. It is investigated by the RCCU; if it concerns a more widespread phenomenon, the FCCU will coordinate the investigation.”
One major achievement has been the creation of a Quick Reaction Force (QRF) in 2019: a pool of regional and federal experts who can be deployed on an ad hoc basis. “In cases such as the wave of attacks on hospitals including CHWAPI and Vivalia, the RCCUs may not have sufficient personnel to investigate quickly enough. Then, the QRF can provide support on the ground in terms of analytical capacity, technical expertise and coordination.”
Collecting traces and data is crucial
Frère notes that companies often hesitate to file a complaint: “Understandably, this is not their first reflex. People are mainly concerned with getting their activities up and running again, and recovering as much data as possible. Some fear our actions will delay the reboot. But this is not the case: we do not seize servers and we work closely with incident response companies. Our goal is to collect the right traces, so that we have the data needed for further investigations. This is also very relevant for policy makers: what is not mentioned in the statistics, does not exist!”
To ensure that the right information is collected for each report, the Federal Police has developed the CyberAid tool for the first-line police services. “Whether someone makes a report at the front desk of a police station or an officer documents a complaint during an intervention, we now have a structured method. We provide a manual and flowchart, as well as a form for the victims indicating what elements they need to collect to enable the investigation.”
Because cyber crime is a significant cross-border phenomenon, the FCCU is in close contact with Europol and the Joint Cybercrime Action Taskforce (J-CAT), an international platform for exchanging information with countries inside and outside the EU. “We bring our intelligence to the table and receive relevant information from other countries, such as ransomware trends or impending attacks,” Frère explains. “We also participate in joint investigations. Last year, for example, Operation Magnus led to two data theft programmes being taken offline. A collaboration between the Belgian Federal Police, the Dutch police and the US FBI, it offers further proof that we are indeed achieving successes in the fight against organised cyber crime.”