“You can’t fight when you are alone in the ring”

Ilya Sachkov, the General Director of the Russian company Group-IB, working in the field of information security. It looks and behaves like a true intellectual in the field of programming: shiny manners, courtesy, equanimity — even when reports shocking information in the midst of an interview for The Hindu. He gets a laptop, downloads the safety program developed by his company, and shows the screen to the author, and there is a… information about the last successful attack by hackers and stealing their user credentials from the Ministry of foreign Affairs on a domain owned by the government of India.

Group-IB, based the Lord of the Sachkov 14 years ago, recently participated in the prosecution of cyber criminals, and it was the 120th case of Commission of cybercrime, which it did. The last crime was the most serious criminals were sentenced to 20 years for fraud, which affected people in 60 countries.


The Hindu: it Seems that there is now a sharp increase in the number of cybercrimes. Why?

Ilya Sachkov:
Organized cybercrime mainly aims at getting money. Here widespread fraud in the banking sector. When hackers attack corporate accounts, they can also affect critical infrastructure. However, if you understand the purpose of hacking is to get the money. The ratio of cases of hacking for the sake of obtaining money to the amount of break-ins committed for other purposes (access to political information or cyber-terrorism) is 99 to one. When the tools that are used for hacking for profit, start to apply to cyber espionage is dangerous. In both scenarios, the same tools and viruses are effective. That’s why it’s important to someone like we were being pursued by those and other criminals, because they have the same methods of “work”. Methods that were originally used by organized criminal groups, have been “recycled” and used by special forces of North Korea for cyber-espionage. Trace in case of theft of 81 million dollars from the Bank Bangladesh goes clearly to North Korea, this is the data of our study.

— What is your specialization?

— First and foremost, our experience and business generally related to investigation of crimes in the digital environment and computer forensics. We are the largest forensics laboratory in Eastern Europe, are engaged in a “classic” digital technologies and the investigation of applications ON the computer. We protect the infrastructure of a very high level — at the level of ISPs in some countries, using botnets, etc. in addition, we offer services kiberrazvedki.

We participate in thousands of hacker forums around the world. Most of them have closed, and getting there is not easy. We also provide protection of the Russian domenovy,.rf.su, etc.

— How do you ensure someone’s protection, if you do not know of a cybercriminal?

— Critical infrastructure and intelligence employees. Currently our team consists of 200 people; we are considering the possibility of expanding up to 300 employees next year. Our clients are IT companies, companies providing banking, financial services and insurance (BFSI), and government agencies and famous brands, as their defense is the main area of our work.

— You have a joint venture with state Corporation rostec. This is an unlikely combination?

We are a startup, and rostec, a major state Corporation with diversified business “under one roof”. By Rostec we become involved in very large projects. In turn, they need technology. Therefore a joint venture was created. We use technology to protect critical infrastructure and intend to export these technologies to different countries. For example, to start working with very large government Agency in another country needs three years is only the basic preparatory phase. We prefer to move faster. And rostec helps us in this.

— What essential elements are not enough to protect critical infrastructure around the world?

— All countries need laws on cybercrime. Although the security of critical infrastructure is extremely important, hackers mainly target the money. We all think that this infrastructure is protected; but this is because it is not too often attacked. If such attacks occur, we have problems with this infrastructure. Those who are responsible for its protection, it seems that everything is fine, while in fact it is not. You can give an example: when a boxer alone in the ring, he is confident in his skills, however, in order to verify this, we need another fighter.

— Do you have sales in India?

— We are establishing the infrastructure sales in India. We create a base in Dubai, which will also cover India. We are looking for trade partners or integrators in India, and rostec may be interested in how to offer services for the protection of the government, military or infrastructure, etc.

We see huge potential in banks, financial and insurance companies of India, and rostec sees potential in the protection of the Indian military and government assets. The Indian market for security is beginning to grow rapidly. We also intend to offer services provider in the field of information security management on a subscription basis and not just to sell products.

You showed us an example of hacking. How does it work?

— When tracking data theft it is important to monitor network communication without any settings and do it remotely. We monitor all this and then contact the clients, if found hacking.

To obtain data on accounts hackers use phishing sites and malware. Usually they’re after the registration data stored in the internal systems or external client companies services such as Internet banking. Malware upload stolen data on command and control servers (C&C), controlled by hackers. These servers are the Central data collection points. We monitor the compromised data, analyzing the network protocols, which uses malware to communicate with the command server.

For this monitoring Group-IB uses special sensors located in different network segments. The sensors detect the command and control servers and scan the malicious software contacts this server compromised data. Thanks to joint investigations with law enforcement agencies and cooperation with the providers of the hosting Group-IB receives copies of hacker servers, which often contain large amounts of compromised data.

In the case of phishing attacks the intercepted log data can temporarily or permanently be stored locally or forwarded by email hackers. The company’s specialists keep track of phishing resources and collect configuration files of such sites to determine the methods used by hackers to log the stolen data, and then localize them with the aim of identifying all compromised users.

— What was the most challenging in your practice?

— The most difficult crimes in which we were engaged, were associated with CA, Anunak and Cron. Anunak was the Russian group of cybercriminals that attacked financial institutions and in 2014 just over a year stole nearly $ 25 million. Cron infected to 3.5 thousand mobile devices a day, and all of it affected about one million users of such devices.

Extortionist WannaCry is a good lesson for companies. In 2017 you should have a backup. Without this don’t even use the Internet on the computer. Well, the media has given it such great importance. From a technical point of view Wannacry is not something special to us. Raising awareness is very pleased us. Everyone was talking about cyber security. If the same methods will take advantage of cyberterrorists, the consequences can be much worse.

— By your estimates, in some countries, cybersecurity is at a high level?

— Japan and Germany occupy the first place to protect their systems. I think it’s part of their culture. Users from other countries are beginning to think about information security after the incident happens. It can be understood. Usually people start thinking about health when it fails.