Cybersecurity experts urged countries to put politics aside and work together to tackle hackers, and to turn the tables on cyber-predators by hunting them down, at an international conference in Moscow this week organised by Skolkovo resident company Group-IB.
Ilya Sachkov, CEO and co-founder of Group-IB, a resident company of Skolkovo's IT cluster. Photo: Group-IB.
Ilya Sachkov, CEO and co-founder of Group-IB, which organised the two-day CyberCrimeCon/18 conference in central Moscow on October 9-10, said that in order to combat cybercrime, it is vital to understand the motivation of individual criminal groups.
“Having put aside all politics, as it has no place in information security, what we would like to give you at this conference is knowledge of criminal groups, their tactics, who they are, and why they do what they do,” Sachkov told the packed hall at the opening of the event.
For the sixth year in a row, the Moscow-based company presented its annual Hi-Tech Crime Trends report at the conference, which looks in detail at the methods of current threats to information security. Three major global cyber threats to banks right now are Cobalt and MoneyTaker (gangs of Russian-speaking hackers) and Lazarus, which is believed to be acting in the interests of the North Korean government, said Sachkov.
“They have completely different tactics, technologies and aims within their organisations,” he said, advising companies to “know their enemy.”
“There are no circumstances in which we can separate the issue of cybersecurity from the people involved in computer crime,” he said, urging the development of the profession of threat-hunting: following the links between hackers and their infrastructure in order to stop crimes from happening in the first place.
“For some reason, many people don’t consider this knowledge to be important,” said Sachkov.
“It isn’t taught in universities, and there’s very little exchange of information between states and private companies. And right now, because of the political situation, people have stopped trusting one another and this information is not accessible.”
Raymond Cao, digital crime officer in Interpol's cybercrime directorate, based in Singapore. Photo: Group-IB.
Raymond Cao, digital crime officer in the cybercrime directorate of Interpol, agreed that countries and organisations have to share information in order to be effective, arguing that no one can see the full picture alone.
“Due to the borderless nature of cybercrime, it provides a perfect environment for cybercriminals to conceal their physical identities,” said Cao, who is based in Singapore.
“Therefore, if [Interpol] member countries are not coordinated properly, they will only visualise the part under their jurisdiction.”
Latest trends
One of the most sinister trends seen last year was the emergence of side-channel attacks, which exploit vulnerabilities in hardware, rather than software , meaning it is very difficult, if not impossible, to fix them using software patches.
“There’s a trend that’s not being talked about much yet, and that’s how backdoors to systems are being developed at the level of hardware: the firmware that runs before the operating system, for example,” Dmitry Volkov, CTO and co-founder of Group-IB, told Sk.ru in an interview ahead of the conference. No antivirus software can help when the problem is located at the level of the hardware, he warned.
“The combination of the side channel attack that allows [the hacker] to perform a lot of actions on the operating system opens up new possibilities for advanced hackers to infect devices in such a way that it is not obvious, and so that it’s also extremely difficult to fix the problem: if your device is compromised in this way, then reinstalling the operating system or throwing away the hard drive will not solve the problem,” said Volkov.
“It doesn’t matter where you are, as soon as you connect the device to the internet, the criminal will have full control.”
Another trend during the last two years has been attacks on cryptocurrency exchanges. A total of 14 cryptocurrency exchanges have been robbed, suffering a total loss of $882 million, according to Group-IB. Cryptojacking (hidden mining) has also become widespread. Group-IB experts predict that the biggest miners may be targeted not only by cybercriminals, but also by state-sponsored groups. Given the necessary preparations, they can gain control over 51 percent of the network mining power, gaining control of cryptocurrency. Five successful “51% attacks” were registered in the first half of 2018 with direct financial losses ranging from $0.55 million to $18 million, according to Group-IB.
Dmitry Volkov, CTO and co-founder of Group-IB, outlined major trends in cybercrime. Photo: Group-IB.
Web phishing is on the rise both in Russia and internationally, while after several years of growth, the market of Android trojans in Russia has stopped growing, the company said. The number of daily thefts using Android trojans in Russia has dropped almost threefold, and the average amount stolen has also decreased from $164 (11,000 rubles) last year to $104 (7,000 rubles) this year, says Group-IB.
The focus of innovations and research on the creation of complex malware, as well as organisation of multi-layered targeted attacks, has now shifted from financially motivated cybercriminals to state-sponsored threat actors, warns Group-IB.
“Their actions are aimed at achieving long-term presence in the critical infrastructure’s networks with the purpose of sabotage and espionage targeting companies in the power, nuclear, commercial, water, aviation, and other sectors,” the company said in a statement ahead of the crime trends report’s release.
The top three countries of origin of the most active state-sponsored hacker groups are China, North Korea and Iran, while Asia Pacific was the target of most attacks carried out by hackers from multiple countries in the second half of 2017 and first half of 2018, according to Group-IB. The company said a new trend in espionage was hacking home and personal devices belonging to state officials.
Public-private partnerships
Summing up the challenges faced by countries and companies across the world, Interpol’s Cao quoted the ancient Chinese military master Sun Tzu: “Foreknowledge cannot be gotten from ghosts and spirits, cannot be had by analogy, cannot be found out by calculation. It must be obtained from people, people who know the conditions of the enemy.”
In the context of information security, those people are cybercrime investigators, digital forensic examiners and cybersecurity experts who work together in the physical world, said Cao.
Information from private companies such as Group-IB is crucial to bring cybercriminals to justice, said the Interpol digital crime officer.
“We have cutting-edge systems and the best intelligence officers, but we can’t rely only on member countries for data, so we have agreements with private companies,” he said. The international police organisation has public-private partnership information-sharing agreements with companies including Cisco, BT, Kaspersky Lab, Banco de Brasil, Palo Alto Networks and of course Group-IB to get more live data to conduct better analysis, said Cao. Some of those partners train Interpol investigators in very specific areas such as reverse engineering in specific countries, he said.
“We believe these PPPs are the best option for us to fight against cybercrime,” he said, adding that cybercrime experts also have a technical advantage that can be used to investigate other types of crime.
“They can use their knowledge to assist ordinary criminal investigators to detect traditional crimes involving cyber elements, such as money laundering cases involving bitcoin,” he said.
Group-IB’s Hi-Tech Crime Trends 2018 report is available free of charge on the company’s website in both Russian and English.