“It’s a race,” says Alexandre Dulaunoy of the cat-and-mouse relationship between criminals and cybersecurity specialists. Photo: Shutterstock

CIRCL is a Luxembourg initiative that produces open-source tools used worldwide for the detection of cyberthreats. Delano spoke to team leader Alexandre Dulaunoy about darknets, ransomware and pursuing threat actors.

Our world is going digital. And that includes criminals.

According to a 2021 Europol report, over $400m was paid to ransomware attackers in 2020, a 300% increase from the year before. Ransomware works by freezing assets on your computer until a certain sum--a ransom--is paid.

Technology that emulates voices and images is also on the rise: besides other illegal activities, threat actors can use fake videos to impersonate trustworthy figures and ask potential victims for money or information.

In order to discuss and coordinate attacks, threat actors rely on the dark web--a catchall term for overlay networks that use specific software or configurations to connect to the internet, meaning that users can conduct business anonymously or untraceably. Popular dark web platforms, known as darknets, include Tor and I2P.

Not all activity on darknets is illegal or nefarious. Legitimate uses include military communications or investigative journalists exchanging information with their endangered informants.

Still, Alexandre Dulaunoy, head of Luxembourg’s Computer Security Incident Response Team (CIRCL), estimates that about 70% of Tor is used for “grey area” dealings.

Monitoring threat actors

Dulaunoy explained to Delano what kind of work the CIRCL is doing to scan and monitor darknets. For starters, they have developed an open-source tool called the AIL Project, which is composed of modules that filter through unstructured data. “This tool has been evolving over time to follow the trends of what kind of information is shared by attackers,” he says.

Ransomware crews are chief among those monitored by the CIRCL, but Dulaunoy and his team seek out phishing schemes and other cybercriminals too. For example, they check cost correlations: if two websites that sell login credentials use the same Bitcoin addresses for payments, then it’s likely the same group. From that correlation, you can better build a picture of what the group is, where it is, what it’s capable of, etc.
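The payment-address correlation described above, written out as an added example (this is not CIRCL's or the AIL Project's code): sites observed using the same payment address are merged into one group, and the merge is transitive, so a site that shares an address with a second site, which in turn shares a different address with a third, lands in the same group. Site names and addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed observations an analyst might extract from scraped listings:
# (site, payment address). Names and addresses are placeholders, not real.
OBSERVATIONS = [
    ("creds-shop-a.example", "ADDR_1"),
    ("creds-shop-a.example", "ADDR_2"),
    ("creds-shop-b.example", "ADDR_2"),   # shares ADDR_2 with shop-a
    ("creds-shop-b.example", "ADDR_3"),
    ("creds-shop-c.example", "ADDR_3"),   # shares ADDR_3 with shop-b only
    ("unrelated-shop.example", "ADDR_9"),
]

def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def _union(parent, a, b):
    parent[_find(parent, a)] = _find(parent, b)

def sites_by_address(observations):
    """Pivot: which sites were seen using each address."""
    index = defaultdict(set)
    for site, addr in observations:
        index[addr].add(site)
    return index

def shared_addresses(observations, site_a, site_b):
    """Addresses seen on both sites (the direct evidence for a link)."""
    index = sites_by_address(observations)
    return {addr for addr, sites in index.items() if {site_a, site_b} <= sites}

def cluster_sites(observations):
    """Group sites that share at least one payment address, transitively.
    Returns a sorted list of sorted site-name lists, one per likely operator."""
    parent = {site: site for site, _ in observations}
    for sites in sites_by_address(observations).values():
        first, *rest = sorted(sites)
        for other in rest:
            _union(parent, first, other)
    groups = defaultdict(list)
    for site in parent:
        groups[_find(parent, site)].append(site)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for group in cluster_sites(OBSERVATIONS):
        print("likely same operator:", group)
```

A shared address is a lead, not proof: a payment processor or escrow service reused by unrelated sellers produces the same overlap, so each cluster still needs corroboration from other indicators.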

Forums are another area rife with criminal activity. “Forums are a marketplace for a lot of organisations,” says Dulaunoy. “Some [of these organisations] are obviously grey… and some are really, really dark.”

Gaining access to forums is the hardest part. “Obviously, the threat actors are doing everything possible to avoid being monitored,” says Dulaunoy. The CIRCL uses techniques like puppet accounts to try to get access, while the forum operators have their own defences.

“It’s no secret that it’s a race,” says Dulaunoy of the competition between criminals and those seeking to detect them. “People are creating new software, new tools. These innovations are percolating everywhere, to both the attackers and to the defenders.”

For Dulaunoy, however, it’s a problem that the defenders are bogged down by regulation. “Attackers can easily innovate without taking care of regulation. They don’t care about being regulated. They’re attackers. But if you look at the defender aspect… they have a package of regulations [to comply with] that is not really helping them defend.”

Luxembourg is punching above its weight class

“Luxembourg is producing open-source software that is used by many organisations worldwide,” says Dulaunoy. Besides the AIL Project there is also MISP, a threat intelligence and sharing platform. In January, NATO began using this platform to communicate with Ukraine about cyberthreats.

Dulaunoy spoke at the 2022 Information Security Education Day, hosted by the University of Luxembourg, on 20 May.