Lahav-433 in the Cybercrime Era

The cyber unit of the Israel Police tackles the most complex cases in this realm. "People should regard us as the Israeli FBI," says a senior police officer. Exclusive report in anticipation of the Cybertech Global conference in Tel Aviv

The offices of Lahav 433. Photo: Israel Police's official website

The National Cyber Unit of the Israel Police operates under the Lahav-433 unit and handles the country's most complex cybercrime cases. Heading the unit is Chief Superintendent Avi Maiberg, a seasoned Lahav-433 investigation officer. 
 
"To understand the uniqueness of the Lahav-433 unit, one should regard us as the Israeli FBI," say Yaniv Azani, Head of Technology and the unit's deputy chief, and Shira Bella, a technological officer of the unit. The unit operates out of its base in Lod, in the building housing Lahav-433, and is accessible through a long corridor of investigation offices branching into multiple interrogation rooms. A door at the end of the corridor leads into the unit HQ.
 
Lahav-433’s building resembles an average office building accommodating high-tech companies: offices extending off a main corridor, a modern boardroom and computer screens on every desk. The unit is divided into three main areas of activity: investigations, intelligence and technology. It has a dedicated legal counsel specializing in technology. In addition to the cyber unit, a sister unit, designated Unit 105, was established to prevent violence against minors on the Internet. All investigations are assigned to the unit pursuant to the approval of the head of Lahav-433, and all three areas of activity handle each case cooperatively. The unit is relatively small and intimate, and everyone is involved in everything. "We channel our resources according to the operational need," explains Azani.
 
One of the cases the cyber unit has cracked recently, through a cooperative effort with all other Lahav-433 sub-units, involved the "420" criminal organization – the operators of the "Telegrass" network. This criminal organization utilized the Telegram messaging app and state-of-the-art technological infrastructures to sell narcotics in Israel and around the world. Other operations of the unit that have been publicized include the capture, two years ago, of the hacker from Ashkelon and the Leumi Card hacking. "Obviously, we cannot reveal all of our methods of operation, but our capabilities with regard to technology, intelligence and investigation, are integrated and cover all of the relevant target areas – the dark web, social media, instant messaging apps, internet forums and any other platform utilized by criminals," explains Azani.

The Course of an Investigation

How do the police conduct a cyber investigation? The source of the complaint may be any civilian reporting to a police station and complaining of a suspected criminal activity in cyberspace or "the on-line realm," as the official jargon of the Israel Police calls it. Such activities may include a hack into a mobile phone, suspected monitoring, a ransom attack, money theft (e.g. a Business E-Mail Compromise/BEC attack), extortion, fraud, etc. Complaints may also arrive from overseas sources.
 
The Israel Police is a signatory to the Budapest Convention on Cybercrime, and maintains extensive international cooperative alliances with various countries and Interpol. Another source could be a nation-wide phenomenon. The national cyber response center operating as part of the cyber unit routinely monitors all cybercrime activity reported in Israel. For example, if the unit notices a concentration of complaint cases from different locations around the country all sharing a common denominator, it may launch an investigation. Once again, the cyber unit only deals with complex cases. Numerous cyber investigations are conducted by the respective central investigation divisions at the relevant police districts.
 
Once the unit has received a case for investigation, the intelligence, investigation and technology elements confer to consolidate a course of action. In some cases, the investigation turns out to be fairly simple, as the crime had already been committed and the suspect was apprehended. In such cases, the unit will promptly collect forensic evidence from the relevant computer and communication resources so as to serve an indictment. In other cases, the investigation may take months or even more, similar to the nature of the complex investigations the Lahav-433 Unit normally conducts. In these situations, the process of handling the case normally begins with the collection of intelligence and evidence, and only when a sufficient infrastructure has been consolidated will the unit serve an indictment. "In the Telegrass case, for example, it took us months to assemble the complete charting and realize we were facing a criminal organization. Eventually, we succeeded in defining it as such in accordance with Israeli legislation. It takes painstaking work by all of the unit's organs," Azani explains.
 
The challenges do not end once a course of action has been decided upon. As the investigation takes place in the virtual realm, the objectives sometimes disappear from view. If the objective changes hardware, uses a VPN (Virtual Private Network) or conceals itself using various methods, the police must find creative ways to ensure the continuity of the intelligence and evidence collection effort. The transition of web browsers, instant messaging apps and social media to end-to-end encryption does not make the work of the law enforcement agencies any easier. "Encryption, decentralized currency, VPN services, et al, are tools available to any civilian, which present a technological challenge to the police," states Azani, without revealing too much.
 
"If that is not enough, the police operates within a legal framework unlike most other Israeli security agencies involved in cyber. The implication of this fact is that sometimes you have an almost complete picture of who committed the crime and how, but you still lack evidence-grade information to complete the picture so as to enable arraignment. Many legal issues are still in process vis-à-vis the technological world while still challenging the legal world, including the legal counsel, the attorney general, the prosecution and even the judges.
 
"For the cyber unit, these constraints mean that you are sometimes forced to fight crime with your hands tied behind your back, but still we succeed. Some of the credit for that success should be attributed to the close legal supervision by our legal counsel, who monitors each investigation from the very first day, as well as to the cyber department at the state prosecution office, which supports us on a regular basis," stresses Azani. At the end of the process, most of the investigations conducted by the unit evolve into indictments. A small percentage is discontinued for lack of evidence, while other investigations are delayed pending complementary intelligence or investigative efforts.

An Essential Tool: Cooperative Alliances

The war against cybercrime began many years ago with the computer offense section established by the Police, and gained significant momentum about five years ago, with the establishment of the cyber unit. At the same time, the traditional law enforcement concept still has to adapt itself to the virtual realm. "One of the primary difficulties is the nature of the on-line realm and the absence of territorial boundaries," Azani explains.
 
"Nearly every law enforcement organ, in Israel or around the world, is basically defined by territory: a country, a region, a city and so forth. In cyberspace, on the other hand, there are no boundaries. If a civilian files a complaint with the northern district, but the hacker operates within the jurisdiction of the southern district, and there are other victims all over the country as well as in other countries, who should lead the investigative process? The same problem exists between different countries. Admittedly, international cooperation has been very productive, but if Israel submits an order with a request for information from a vendor in another country, the result will depend on the local legislation and regulation in that country, on international agreements and even on diplomatic relations.
 
"Cybercrime is not confined by territorial boundaries. The attacker can hack into a legitimate infrastructure in one country, contaminate it and attack an objective in another country through it. The same applies within Israel. Criminal activity in Israel and overseas made the transition to cyberspace long ago, in the form of employing hackers, IT specialists, communication experts and other professionals. They develop the tool set they need to make the transition to cybercrime," says Azani.
 
Another aspect of the activity of the police is the need for cooperative alliances. The cyber unit of the Israel Police is just one of many similar organizations in Israel. The Israeli security agencies, the National Cyber Authority, sister enforcement agencies and the prosecution are some of the other organizations dealing with cyber in Israel. On the face of it, each one has a different portion of the pie. In reality, however, the pieces of the pie sometimes overlap. The uniqueness of the police is the fact that it conducts the enforcement effort vis-à-vis the criminal axis.
 
"Almost every investigation in the cyber world is conducted as a cooperative effort with multiple organizations in Israel or overseas. In some situations, cases will be handed over from one organization to another: for example, if the case had started as a criminal case and subsequently evolved into a terrorist case, or vice versa. In some situations, the case may have started as a cyber investigation and subsequently evolved into an investigation by the National Economic Crime Unit. These are but a few examples," notes the officer.
 
The war against cybercrime undoubtedly involves some unique constraints that stem from the fact that down the road, the investigation portfolio should end up in a court of law. In most cases, defense counsel will attempt to spot loopholes in the indictment and in the evidence collection process that led to the indictment, and the people of the cyber unit will do everything to ensure that the evidence of the case is solid and unassailable. This reality imposes some unique constraints on the people of the unit, which other security agencies do not face. These constraints require that the people of the cyber unit be creative and resourceful, within the confines of the law.
 
"One of our challenges for 2020 is the need to revise the existing legislative framework and regulation so that they match the technological developments and enable the police to improve its effectiveness in the war against cybercrime. The people at the Ministry of Justice understand that the legislative framework should adapt itself to the changes in technology. Criminal organizations in Israel are already active in cyberspace, along with criminal organizations from overseas that sometimes use Israeli infrastructures, which creates some of the legal complexity," concludes Azani.
 
