Several people are hacking: Feds turn to civilian Slack groups for help during coronavirus

Internet crime has skyrocketed in recent months, leading governments to turn to cybersecurity professionals for help.

Source: (re)zip
By Kevin Collier

Craig Jones, who directs cybercrime operations for Interpol from Singapore, already had phone numbers and email addresses for fraud fighters around the world. But when he joined an exclusive Slack group designed as a hub for civilian cybersecurity professionals who wanted to stop coronavirus scams, it was like finding a small army of analysts whose expertise he could tap into at any time.

"As a program manager, I'll look at the limited resources I have, where can I make the most impact to protect the community effectively, and then reduce that impact," said Jones, who now helps manage the group, the COVID-19 Cyber Threat Coalition, a Slack group of about 3,000 cybersecurity professionals.

"They start with all this expertise," Jones said. "They're all drawing on that same mission."

The Cyber Threat Coalition is one of two Slack groups — the CTI League is the other — created in recent weeks by civilian cybersecurity professionals who wanted to put their heads together to try to stem the rising tide of cybercrime that has flooded the internet during the coronavirus pandemic.

Both groups vet every new member, but they have still swelled to thousands of users worldwide. And notably, each quickly drew an influx of government agents, leading to an unprecedented situation in which technology employees regularly find themselves chatting in internet chat rooms with cyber cops around the world, all identified by their real names and agencies.

That has allowed for the kind of real-time collaboration rarely seen in cybersecurity.

"Normally, if you wanted to reach these people, you'd have to know the right kind of numbers to call and you'd have to have the right processes to go through," said Marc Rogers, one of the CTI League's four founders. "The big difference is they're all here and they're face to face. So if I want to talk to somebody in a specific agency or a specific law enforcement group, I just call out to them. Whoever represents them is there."

The problem the chats set out to address is a big one. Whether it's by exploiting people's eagerness for information about the coronavirus, leading them to fall for scams they normally wouldn't fall for, or by taking advantage of people around the world who are learning to work from home, internet crime has skyrocketed in recent months.

The FBI, which normally gets around a thousand complaints a day at its Internet Crime Complaint Center, has been getting three to four times that number, Tonya Ugoretz, deputy assistant director of the FBI's Cyber Division, said in a recent talk. Google said it has been seeing 18 million coronavirus-themed phishing emails a day.

The U.S. alone has at least a dozen agencies in one or both groups — the FBI, the Secret Service, the Department of Homeland Security, the National Guard and New York City's Cyber Command all have presences, the agencies confirmed. For some agents, it's a marked departure from the tight bureaucracy of federal law enforcement.

"This particular partnership is a unique one for the Secret Service," Ryan Heethuis, an investigative analyst for the agency, said in an email.

"Utilizing Slack channels is an effective platform for identifying cyber leads," he said. "The Secret Service has been able to shift some of its focus on validating these existing leads and responding to them. The platform provides law enforcement access to cyber experts, who become our silent partners."

Although there's overlap, the groups aren't identical. The Cyber Threat Coalition's main focus is honing one main product: a block list of domain names that appear to be traps set by hackers or scammers. The list receives small updates every few minutes and major ones every three hours, along with a corresponding weekly threat advisory. Groups like the domain hosting company Namecheap and ICANN, the nonprofit that matches most of the internet's domain names with IP addresses — numeric designations that identify their location on the internet — use the list as a guidepost.

"Our main focus hasn't been on alerting law enforcement, although we've had a bunch of folks from law enforcement step up and get involved," said Joshua Saxe, whose day job is working as the chief scientist at the cybersecurity company Sophos, who came up with the idea for the Cyber Threat Coalition. "The FBI has been using the block list as a leads source that they then go follow up on."

The CTI League, on the other hand, focuses more on protecting health care targets from hackers, including by helping identify vulnerabilities in hospital networks before criminals can exploit them and offering volunteer services if they are attacked. According to an assessment the group released last week, about 10 percent of its 1,400 employees work for a government, and the group has helped to "lawfully take down 2,833 cybercriminal assets on the internet."

While it took a pandemic to bring the groups together, they may signal a future for fighting cybercrime.

"It kind of creates a safe space where we all sit side by side and have a routine whereby we can share information and act more quickly on what each are seeing," Rogers said. "And I really think that's the model for the future."