This opportunity was cancelled

The buyer cancelled this opportunity, for example because they no longer have the budget. They may publish an updated version later.
National Crime Agency

Malware Attribution Team

6 Incomplete applications

2 SME, 4 large

9 Completed applications

2 SME, 7 large

Important dates

Thursday 10 January 2019
Deadline for asking questions
Thursday 17 January 2019 at 11:59pm GMT
Closing date for applications
Thursday 24 January 2019 at 11:59pm GMT


Summary of the work
Provide malware analysis, attribution analysts and malware datasets to interrogate for this performing attribution of criminal actors to malware families Provide knowledge transfer by co-locating with NCA.
Latest start date
Monday 4 March 2019
Expected contract length
24 months
Organisation the work is for
National Crime Agency
Budget range
Not to exceed £1,000,000 over two years

About the work

Why the work is being done
With an ever increasing number of malware strains, the ability, at pace and at scale, to link these to on-going campaigns, malware families and criminals/ organised crime groups is a key deliverable for the NCA.

We are looking to further uplift the effort to deliver a sustainable and in house capability.

We are therefore seeking new knowledge, skills and data to support this mission and ensure that our response is both proactive and predictive.
Problem to be solved
NCA has access to unique operational data from recent investigations gathered during proactive intelligence developments. This is only part of the overall picture and would benefit from being analysed in conjunction with other data sets.

This could include knowledge of criminal infrastructure and hosting and large volumes of current and historic malware samples and datasets to query against. NCA currently has a malware laboratory which, while helpful, will not on its own allow us to achieve the required outcomes.

It is expected this work will develop links to existing malware strains and new lines of enquiry.
Who the users are and what they need to do
The proposal will require staff from within NCCU to work alongside those brought in to deliver the outcomes. These staff will include those from the intelligence teams, operational teams, technical and forensic teams
Early market engagement
Any work that’s already been done
A capability already exists, however the desire is to take this to the next level and continue to evolve our tools, techniques and tradecraft
Existing team
The existing team is spread across a number of business areas, the aspiration with this piece of work is to develop a joined up approach to put focus on this problem
Current phase

Work setup

Address where the work will take place
The NCA, Spring Gardens, Tinworth Street, Vauxhall, London.
Working arrangements
The intention of this bid is that it provides the NCA with truly transformational capabilities – it is anticipated that over the course of the two years the upskilling and mentoring, will empower NCA to continue to evolve this capability.

This project will provide an in-house team made up of embedded industry expertise and NCCU officers to link, map and attribute malware to malware families to criminal actors and associated real world identities using NCA and partner intelligence and any additional data made available through this contract.
Security clearance
The ability to hold or achieve DV clearance. Some work can be conducted with an SC

Additional information

Additional terms and conditions
All foreground IP will remain property of the Crown. Background IP should be clearly identified before used in this engagement

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience of cybercrime landscape and knowledge of campaigns and malware families
  • Specific experience of malware analysis of complex malware families with a view to attribute the malware to a real world persona
  • Demonstrable experience of creation of processes and systems to process malware data at scale
  • Excellent analytical skills – ideal operated-in cybercrime environment, use experience of analysis, inference building, development of hypothesis to attribute to real world identities to make recommendations and drive decision making
  • Ability to collect malware and perform static and dynamic code analysis
  • Demonstrable experience of linking malware families based on both technical and tradecraft techniques used.
  • Experience in developing capability utilising mixed skill sets, developing and transferring knowledge to government customers
  • Ability to create tools and techniques to automate and drive insights quickly.
  • Demonstrable knowledge of working with law enforcement and wider government
Nice-to-have skills and experience
  • Access to historic malware data
  • Knowledge of Amazon Web Services for capability development
  • Access to specialist niche datasets of interest
  • Access to historic malware data

How suppliers will be evaluated

How many suppliers to evaluate
Proposal criteria
  • An overview of the supplier’s organisation
  • The supplier’s understanding of the task and key challenges in undertaking it, specifically the:
  • Technical challenges, including speed of processing and analytics approaches
  • Team mobilisation approach and composition including SFIA grades, roles and skills
  • Supplier’s ability to operate at OFFICIAL SENSITIVE
  • Approach to aligning with the NCCU culture and ways of working
  • Proposal for multi site working
  • Relevant Track Record
  • Total price presented on a monthly basis, by individual and with expenses clearly identified where relevant
Cultural fit criteria
  • The team is looking to partner with organisations that can support the aims and culture of the NCCU. Please describe the following areas:
  • Share knowledge and skills
  • Collaborative approach
  • Demonstrate integrity and support
  • Subject matter expertise
  • Work with flexibility
Payment approach
Capped time and materials
Assessment methods
  • Written proposal
  • Work history
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. please can you provide a secure email address and/or point of contact.
At this stage we would expect the need for a secure email address or contact. If successful further questions can be asked at the next stage of the procurement process.
2. Is this possible to deliver this service through a combination of co-locating and remote working with NCA?
Yes this would be possible, however we would assess on a case by case basis depending on value for money and the likely loss of knowledge transfer to NCA teams.
3. Is there a requirement for access to additional intelligence sources for this requirement outside existing sources?
Yes – the tender is for anything to enable this piece of activity. Obviously as law enforcement are primary objective is on pursue of cyber criminals therefore data that enables attribution to actors is of great interest. Equally the NCA would wish to understand what these intelligence sources were and whether they could be obtained under UK legalisation instead of having to pay for the information separately.
4. How many desks would be available for our staff on client site/s?
4 initially, although this number could increase if project offered significant value. Equally there may be oppurtunities to work between our OFF-SEN enviroments and our secure enclave
5. Is the stated contract value inclusive or exclusive of VAT?
6. What is meant by ‘multi-site working’? Would that be contractors at multiple NCA sites or NCA staff working at contractor facilities?
This was meant to provide options for contractors to work off of client premises
7. Is there currently any client infrastructure hosted in AWS or is this aspirational?
Yes - not specifically for this project but we host a number of applications and services within AWS which we run ourselves.
8. Does the client have access to existing commercial datasets already, or are they willing to fund access to commercial datasets if we recommend them once work begins?
We do but these are mostly threat intelligence feeds. These could be better exploited. Proposals for exploiting would be of interest.

We would be willing to fund additional datasets although this tender was supposed to include people, technology and data. We would assess on a case by case basis but it would not be acceptable for a proposal to be lacking sufficent depth that it was essential for the additional datasets to be purchased.
9. Would software licenses and hardware be provided for contractor staff
Within reason - e.g. we would purchase desktops and small licenses such as disassembler/ debugger licenses. As above the tender is about people, technology and data - therefore responses should not require the NCA to purchase everything seperately.
10. Can you please clarify what you mean by "access to historic malware data"?
This is to include access to malware samples covering a period significant period of time to enable data science and analysis
11. Your request details a requirement for malware analysis support, and references capability transformation as a priority. Please can you delineate between the request for a transformation partner focused on the improvement, development and implementation of NCA capabilities including process and technology who is knowledgeable and experienced in the field of malware analysis, as opposed to the provision of time and materials malware analysis to fulfil the NCAs analysis requirement for the duration of the engagement.
The project is currently at vision stage, there is a background on prior work and experience. The compeition is to provide technology, people and data to make the vision a reality. This is what is meant by transformation. This work will include some design work but will focus on the need to build capability.
12. Dependant on the answer to the first question, does the NCA expect the bid to be focused on the provision of suitably experienced staff with access to their own technology and data to underpin the delivery of a time and materials service, or is the intent that NCA would also like to license direct access to technology from the provider.
This would be assessed on a case by case basis, however the NCA wish to build enduring capability. We may consider licensing access to the providers data but this would need to be considered.
13. Please can you detail the requirements for automated malware analysis vs manual reverse engineering? Can you provide an estimate on how many samples you’d require analysing on any given day?
We believe attribution is about looking at historical malware samples understanding similarities and that overlaying this knowledge with intelligence analysis to aid attribution to assist the NCA in pursuing cyber criminals in the real world.
14. Does the NCA want specific named individuals for the duration of the bid, or would a combination of named individuals and ad-hoc access to a broad spectrum of broader analyst expertise (including linguists etc.) be acceptable?
We are more interested in expertise so would like the ability and flexibility to change indivduals depending on required skill. However from a mentoring and upskilling perspective we need some consistency to aid knowledge transfer and day to day working
15. Please can you detail your expectation of co-location versus remote working and potential use of overseas resources and capabilities (for non-cleared analysis requirements)?
We recognise that skills and expertise exist outside of the UK. We would develop a security aspects letter to inform what is acceptable when working with overseas partners (for instance it would be unlikely to be acceptable to transfer samples outside of the UK where this would present national security issues). We are willing to accomodate remote working, although would expect significant on site presence. We would assess bids on a case by case basis.
16. Please can you detail any specific technical capabilities which you require, including any specific certifications or qualifications?
Where developing on AWS we would prefer AWS certfication. We don’t have other requirements around people with malware/ intel backgrounds, although we would like to see the level of experience
17. Please can you detail if the requirements also include infrastructure analysis and or tracking, specifically researching TTPs and IOCs including IP addresses, domain names and C2 servers.
Yes - We believe this is a very important way to attribute. Infrastructure presents significant law enforcement oppurtunities for intel and operations work
18. Please can you detail your malware priorities, specifically criminal, and or advanced persistent threats, such as nation state based actors.
Please review the NCA National Strategic Assessment and our website for the types of activites we are involved in. We are focused on organised crime groups, although recent our recent publications have stated the closeness of hostile state actors and OCGs. It is right to assume we are interested in many of those things