Cybersecurity warriors from all over the world are congregating in Moscow this week for CyberCrimeCon/18, a two-day conference organised by Skolkovo resident cybersecurity company Group-IB

 Group-IB solves about 80 percent of high-profile investigations into hi-tech crime in Russia. Photo: Group-IB.

Dmitry Volkov, co-founder and CTO of Group-IB, will present the company’s findings and forecasts on hi-tech trends, alongside speakers ranging from representatives of Interpol and the Dutch and German police to Siemens and Cisco Systems. Ahead of the conference on October 9-10, Volkov gave a sneak preview of some of those findings.

"One of the trends we identified is that the hackers' focus is now shifting from software vulnerabilities to those detected at the firmware level and this is something that's not being talked about much yet," says Volkov, who heads Group-IB’s Threat Intelligence department.

While there are effective means of battling malicious programmes that affect operating systems and other software, no anti-virus programme can help when the problem is located at the level of the firmware (software that is permanently embedded on a hardware device), he warns. Moreover, it’s much harder to detect when the firmware is infected. 

Group-IB plans to share its findings on this trend at the conference, and in its accompanying annual report, Hi-Tech Crime Trends 2018, in the hope that other companies will heed their warning and start working on new methods for detecting the risk.

Volkov will also talk about attacks on critical infrastructure — a trend he predicted at last year’s conference. An attack known as Triton hit a still unidentified industrial plant at the end of last year, tampering with its safety systems.

“In Russia, no successful attacks on critical infrastructure have been recorded,” he says. “Unfortunately, that doesn’t mean that there haven’t been any.”

Group-IB CTO Dmitry Volkov co-founded the cybersecurity company back in 2003 while still at university. Photo: Group-IB.

Financial niche

Volkov will also address changes and trends in the company’s key area of expertise: the finance sector. The Skolkovo resident regularly makes the headlines for its role in solving high-profile cybercrime cases, including those involving Cobalt, which has attacked banks across the world, and the infamous North Korean group Lazarus. Group-IB is responsible for solving about 80 percent of all high-profile investigations into hi-tech crime in Russia, so it does not sound like an exaggeration when Volkov says the Russian company, which he and CEO Ilya Sachkov founded back in 2003 as students at Moscow’s prestigious Bauman Moscow State Technical University, knows more about threats to the financial sector than anyone else.

“There are two reasons for this: the first is that a great many threats come from the Russian-speaking segment: Russia, Ukraine, Kazakhstan, Belarus, etc,” he says. 

“Russian-speaking hackers have seized the financial niche. We’re based here, we speak the same language as them and are on the same forums as them, and we know a lot about them. 

“Secondly, very often hackers involved in financial fraud test their system in Russia before applying it elsewhere, so we know about it before others, which allows us to work proactively and bring that data to companies so that they can prepare and take the necessary measures. That’s an advantage that being based in Russia gives us,” says Volkov.

Group-IB, which currently employs about 300 people, has solved over 1,000 cases involving every kind of computer crime, from Trojan viruses being distributed via the Google Play Store to targeted attacks on financial institutions. Volkov’s Threat Intelligence department has compiled more than 100,000 hacker profiles and monitors about 110 criminal groups. The company’s regular stream of press releases about its involvement in catching a hacking gang is only the tip of the iceberg: it also works on a lot of cases that it can’t talk about.

“Every successful investigation is a source of knowledge for the next,” says Volkov. 

“If we reveal all of them, the people carrying out the attacks could start deleting certain traces of their activity, changing their location, replacing their pseudonyms, might stop using certain tools or contacting certain people, and that would really damage the investigation, so all the PR activity surrounding our investigations is agreed with the interested parties: either private or public companies. We have plenty of investigations we haven’t made public.”

Group-IB's CERT (Computer Emergency Response Team) monitors suspicious activities 24/7. Photo: Group-IB.

One of the company’s recent successes was in exposing attacks by a gang dubbed Silence. For various reasons, not all of which it can disclose in order not to reveal Group-IB’s working methods, the cyber detectives believe those responsible for the attacks are white hats — cybersecurity specialists, probably penetration testers or reverse engineers — who have gone over to the dark side: something Volkov describes as “an anomaly that we are seeing probably for the first time.”

During one of the Silence group’s attacks, they even targeted Group-IB. 

“They sent a letter to the address of our CERT [Computer Emergency Response Team, which monitors suspicious activities and responds to security incidences]. That was just really stupid,” laughs Volkov. 

“Our CERT is totally unique in Russia, it was the first private one in the country and is operated 24/7 by really experienced people, so the attack led to nothing, except it gave us one more new example of their programme, we saw how the hackers use infrastructure, and of course it prompted us to dig even deeper,” he said.

Prevention better than cure

Group-IB does not stop at investigating cybercrime, but is dedicated to helping companies prevent it altogether. Using data gathered over years of investigating hacker activity, cybersecurity trends and recent attacks, the company has developed its own Threat Intelligence System that makes it possible to detect threats, leaks and cyber attacks, receive notifications of planned attacks and prepare for them in advance. And while the company may be known for its expertise regarding Russian-speaking hackers, its technology is universal.

“Our speciality is global threats, not only Russian ones,” says Volkov. 

“The issue of security should rest with the service provider … Right now, everyone is trying to put the responsibility on end users, and that’s very bad” - Dmitry Volkov, co-founder and CTO of Group-IB.

“These are products designed for protection, and the methods are universal.”

 Monitoring hacker forums to collect data, for example, may involve different languages, “but we can already monitor most of the languages that are of interest to us. We have covered what happens on underground resources in Russia, Brazil, China, Thailand and Turkey. If we need to add another language or place, it’s a matter of a week or two. If something of interest comes up we can react quickly,” says Volkov.

Group-IB’s threat-hunting activities — collecting data on hacking groups — is already carried out on a global scale, according to Volkov. 

“Each group has its habits, its templates. And when you know what they do, have access to all their IP addresses, domain names, registration data, history of IP addresses, combined with knowing how they operate, you can index the infrastructure they will use for future attacks,” he explains. 

Group-IB’s solutions include its Secure Bank product, which the company launched for international markets last month. The product, designed to detect threats invisible to traditional transactional anti-fraud systems and prevent client-side fraud and attacks across sessions, platforms, and devices, was developed with the help of a grant from the Skolkovo Foundation. The module, which is built into the popular Sberbank Online and Sberbank Business banking platforms, among others, can detect fraudsters by analysing factors such as the user’s mouse movements, speed of use and keystroke dynamics to establish whether it is a legitimate user or fraudster who is logged in. 

Security before politics

As a Russian cybersecurity company, Group-IB’s global position at a time when accusations of Russian hacking attacks are rarely out of the headlines for long is not always straightforward, but the company is already present in 60 markets around the world and is continuing its international expansion. The company is officially partnered with Interpol and Europol, and Volkov himself is a member of both a Europol advisory group on internet security and a UN intergovernmental expert group on global cybercrime. 

“Our clients are big, global businesses who are aware of the risks and understand that they need expertise not only from global vendors, but also from niche players, and here politics doesn’t mean anything,” says Volkov. He said that any lack of trust in Russia tends to be encountered at an individual rather than company level, and generally disappears once Group-IB demonstrates that it can protect the company, often competing successfully for contracts with several vendors from different regions.

With increased public attention to information security, many people worry about being hacked themselves, and are anxious to learn what they can do to prevent it. While there is plenty of advice out there on basic cyber hygiene, Volkov is adamant that the responsibility does not lie with ordinary users.

“The issue of security should rest with the service provider. If you use email or banking services, it isn’t you who should have to worry about the security of your account … Right now, everyone is trying to put the responsibility on end users, and that’s very bad,” he says.

“People, as consumers of various services that they often pay for, shouldn’t have to think about information security: they shouldn’t have to be security experts.”

After all, that’s the job of Group-IB.

CyberCrimeCon/18 takes place on October 9-10 at 47 Ulitsa Pokrovka, Moscow. Simultaneous interpretation in English will be available. A full programme is available on its website.