Ilya Sachkov is the CEO of Russian cybersecurity firm Group-IB. He looks and acts every bit the software intellectual stereotype - gentlemanly, suave and unflappable, even as he dishes out a shocker in the middle of an interview with The Hindu. He pulls out his laptop, boots up the security tool developed by his firm and displays the screen to this writer: what you see is data on a recent breach by hackers of login credentials of a user in the Ministry of External Affairs in a domain owned by the Government of India!
Group-IB, which Mr. Sachkov started 14 years ago, had recently contributed to the prosecution in its 120th case involving cybercrime. The last was the toughest – where the criminals got 20 years in prison for financial fraud against victims across 60 countries. Excerpts:
There seems to be a surfeit of cybercrime cases now? Why?
Organised cybercrime is mostly done for money. Banking frauds are common here. When hackers attack corporate accounts, they might also affect critical infrastructure, true. But if you look at the intent for the hacking, the main reason is money. The ratio of hacking for money, versus hacking for anything else (i.e. political information or cyber-terrorism etc.) is 99:1. When these tools, used to hack for financial gains, are put to use in cyber espionage, that is a dangerous thing. The same tools and viruses work well in both scenarios. That is why it is important for someone like us to chase after culprits of both kinds, as the methods are the same. Methods used originally by organised crime groups were redeveloped and used by North Korea special forces for cyber espionage. The trail in the case of the $81 million heist at the Bank of Bangladesh clearly leads back to North Korea, our own investigation tells us.
What is your speciality?
Our primary expertise and business has been in digital crime investigation and digital forensic investigation. We are the biggest forensic lab in Eastern Europe, both ‘classic digital’ and ‘malware forensic’. We protect huge levels of infrastructure at an ISP level in several countries, with botnets and the like. We offer threat intelligence services.
We are part of 1,000 hacker forums globally. Most are private, and it’s not easy to be part of such forums. We are also responsible for protecting Russian domains such as .ru, .rf, .su, etc. How do you protect someone if you don’t know the cyber criminal? So, infrastructure and human intelligence skills are key. We currently have 200 people in our team; eyeing 300 next year. Our clients are IT firms, BFSI sector units, government agencies and companies with famous brands as brand protection is a core area of us.
You have a joint venture with state-owned arm Rostec. An unlikely combination?
We are a start-up and Rostec is a large state-owned corporation with diversified businesses under its umbrella. Through Rostec, we get to be part of huge projects. From their side, they need high-level technology. Hence the JV. We use technology to protect critical infrastructure and intend to export this technology to different countries. Working with, for example, a huge government agency in another country takes 3 years, just to lay out the basic preparation. We prefer to move faster. Rostec helps us in this.
What’s missing in the protection of critical infrastructure, globally?
All countries need cybercrime law. Though the safety of critical infrastructure is critical, hackers predominantly focus on money. We all get the feeling that critical infrastructure is protected; but that is because not too many people attack this. If they do, we will have a problem with critical infrastructure. Those responsible for protecting such infrastructure feel things are all right, while that is not really the case. It is like a single boxer feeling good about his skills – you need two parties to do this.
Do you sell in India?
We are in the process of setting up sales infrastructure in India. We are setting up a base in Dubai which will also cover India. We are looking for channel partners, or integrators, In India, Rostec would be interested in offering protection in governance, military installations or infrastructure etc..
We see huge potential in banks, financial services, insurance firms in India, while Rostec sees potential in protection of Indian military and government assets. The security market in India is starting to boom. We also aim to offer managed security services provider on subscription basis and not just sale of products.
You showed us an example of a breach. How does this work?
In tracking data theft, it is important to track network communication, without any installations and to do this remotely. We track these and then contact our customers if there is a breach.
Hackers use phishing websites and malicious software to obtain account details. They usually hunt for login details from internal corporate systems or external client services such as online banking. Malicious programs upload stolen data to C&C servers controlled by attackers. Such servers are central data collection points. We monitor compromised data by analysing network protocols used by malware for communication with its C&C server.
To perform such monitoring Group-IB uses specialised sensors deployed in various network segments. The sensors are designed to identify C&C servers and scan malware communications with this server for compromised data. Due to joint investigative activity with law enforcement agencies and cooperation with hosting providers, Group-IB obtains copies of hackers’ servers that often contain large amounts of compromised data.
In the case of phishing attacks, intercepted data logs can be temporarily or permanently stored locally or forwarded to hackers’ email addresses. Group-IB specialists monitor phishing resources and collect configuration files of these websites to identify the methods used by hackers to store logs with stolen data and then locate it in order to identify all compromised users.
What is the most difficult case you have worked on?
The most difficult criminal cases we have dealt with are Carberp, Anunak and Cron . Anunak was a Russian cybercriminal group that attacked financial institutions and stole up to $ 25 million in just over a year in 2014. Cron infected up to 3,500 mobile devices daily, totaling about 1 million devices.
Ransomware WannaCry is good education for enterprise users. In 2017, you should have backups. Without that, don’t use the Net or a computer. It is good that media gave it so much importance. Technically, Wannacry is not very exciting for us. But the increase in awareness was perfect for us. Everyone was talking about cybersecurity. If the same methods are adopted by cyberterrorists, consequences may be worse.
Which countries would you rate high on cybersecurity?
Japan and Germany are among the first to protect their systems. It’s part of their culture, I think. Customers elsewhere start to think about information security after an incident occurs. It is understandable. Usually, people start thinking about good health after bad health hits them.
(The writer was in Russia at the invitation of Rostec)
