Information Security System As a Political Ping-Pong

We continue a series of materials about CyberCrimeCon 2018 conference on cybersecurity. This event gathered more than 2000 visitors. It was organized by Group-IB - the official partner of Interpol and Europol. For 15 years of work more than 1000 criminal cases ended with successful conclusion for criminals in the USA, Russia, the countries of Asia and the Middle East, and also the European Union.

The main target of hackers on 2017 became cryptocurrency exchanges. Group-IB experts, who are investigating the hacking of the largest crypto-exchanges, consider phishing emails to be one of the main hacking tools of the last two years. As an example, the researchers mentioned the case of the Chinese crypto exchange Binance, when the attackers had sent phishing emails to some traders, and then completely seized the trades in 2 minutes. They launched numerous iterations of purchases of the little-known in that days cryptocurrency MyCoin and its rate increased by 143% just in half an hour.

There is also the type of dangerous cyber attack called 51% Attack (we wrote about it earlier), which allows attackers to completely stop trading or disrupt the trading system, and also to reject transactions of other participants. But most importantly — it can make the funds re-debiting. The 5 of such attacks were detected at the beginning of 2018.

And, of course, there were the well-known cases of targeted hacking attacks on the crypto exchanges discussed. These attacks caused a damage in more than $882 million in 2017 and 2018. 14 cryptocurrency exchanges were attacked during that period, mostly by North Korean hackers from the Lazarus group. It is well known that the victims were mainly exchanges from South Korea and Japan.

According to Group-IB forecasts, it is likely that the groups Silence, MoneyTaker and Cobalt will start attacking crypto-exchanges following the Lazarus group. And they will choose target phishing as the main tool for the attack.

We talked to the CEO of Group-IB Ilya SACHKOV to find out about the reasons that lead to the possibility of attacks on the crypto-exchanges.

BNT: Now there is a lot of talk about the fact that crypto exchanges are not sufficiently protected and do not heed the recommendations of regulators. What is the main reason — the human factor or the security tools?

IS: The factors can be different and there are three main of them. The first is a high speed of this business, where people don’t always think about details, not having time to foresee everything. In other cases, a significant role is played by the high motivation of criminals: despite the fact that the exchange did everything correctly, hackers turned out to be professionals, who spent a lot of resources to make the attack successful. The third type of cases where the exchange does not pay attention to the security at all. This also happens, because these people don’t think about the risks and believe that they will be simply bypassed of the danger.

There are open criminal cases where in our investigations of the attacks on the crypto exchanges the criminals aren't detained yet. So if we say that we are engaged in some cases it will be like a hint, and in terms of operational-investigative measures it will be an out the law action. Therefore, until the arrest, we can not announce the names. But I can tell you that 3 of the top 10 break-ins are investigated by us.

BNT: What can you say about falsification of hacking when the exchange initiates an attack on itself?

IS: I know one case where the break-in was falsified. I can recommend in such cases for investors and exchange users to request an independent investigation that will show the likelihood of tampering.

BNT: What is the time frame for the disclosure of cybercrime? For example, in case that was shown by the police of the Netherlands in the CyberCrimeCon 2018 the investigation took 6 months before the hackers were caught.

IS: The investigation of cybercrime is a long process. But the first steps need to be carried out immediately: the correct collection of logs, evidence base, the transaction tracking. In addition, each exchange must have an incident response plan in case of funds withdrawal. Also in some jurisdictions it is worth considering the risk insurance process. If the exchange does not have an incident response plan, then a huge number of wrong actions will be taken in the first hours and even minutes after the hacking. Firstly, it is necessary to check the existence of such a plan, and secondly, to make all the events to be correctly logged and duplicated. All these actions are needed to make the investigation possible in principle. Because in one case that we have worked at, the lack of data impeded the investigation.

Cybercrime is rapidly evolving, and the unique threat landscape for each region or country is constantly changing. This suggests that generic tools for targeted attacks detecting cannot be found. In addition, the advanced attackers try to use the widespread methods and tools to male the penetration tests much more difficult. Therefore, researchers of cyber threats are always ready for discovering and experiments, building up their databases

BNT: What legislation system defines the punishment for a criminal, for example, in the contradictory international investigations?

IS: I consider the question of the legal framework for the consideration of cybercrime at the international level to be open today. It is very important for humanity, I am not afraid of such a lofty word, to synchronize the legislation in this field as quickly as possible. Because some countries believe that cybercrime should be regulated by the law of the country where the attacker is from, and the others think it should be controlled by the legislative system of the country where the target is located.

Besides, there is a concept of a crime completion, as the attack can take its start in one country, the infrastructure can be in another, the money can be withdrawn through the third place, and cashed in the fourth. Now synchronization of the legislation system is presented rather poorly. In my opinion, it should be taken some effort by the UN. But, unfortunately, this is not happening. None of the politicians can agree with each other.

Everything can end in a classic story way for the humanity: there can be an attack on a critical infrastructure object in any country, which will lead to human victims, and possibly to environmental violations of nature. And only after that politicians may understand that it is necessary to accelerate the process of legislation synchronization.

BNT: Have you ever investigated such kind of cybercrimes that involved several countries at the same time? What is the main difficulty of these cases?

IS: This year, our company participated in the investigation of the case, which considered the territory of three countries - Russia, USA and Ukraine. The investigation ended with the judgement of the criminal on the territory of Ukraine. However, it took about 2 years of very complicated legal synchronization work, which clearly does not benefit the economy of any of these countries.

The politicians should understand that cybercrime is the most likely crime that can ever happen. Because when there is 1 apartment robbery in the EU that happens every 1.5 minutes, there are more than 3 thousand attacks that lead to much more huge financial consequences during this time.

BNT: Are there any steps or prerequisites now to create a single international institute or commission to investigate the cybercrimes in your opinion?

IS: There are no such prerequisites. They will appear if, as I said, a large number of people die. The governments begin to negotiate when the mass loss of lives happen and they realize that there is no other way. Please pay attention to these facts: the League of Nations was created after World War I, the UN was established after World War II, Treaty on the Non-Proliferation of Nuclear Weapons was signed after the Caribbean Crisis, and the Biological Weapons Convention (BWC) - after a gas leak in Siberia in the Soviet Union period of Russian history, and Russia began to comply with the requirements because people began to die.

Unfortunately, apparently, there is something should to "kick in" or “explode”, causing a huge mass resonance, to make people start negotiation after that. Now I see a large number of politicians, who are so far from technology, that they are very much misunderstanding what the technology actually is and use information security as some kind of political ping-pong.

BNT: How can cyber attacks lead to a lethal outcome, that will cause the mass resonance you are talking about?

IS: For example, you can take a hydroelectric power plant and increase the speed of the turbines. Or you can open a dam to flood the city with water. That can be interesting to terrorists, or simply mad people, maniacs. Unfortunately, they exist in our society.

According to the Group-IB report, 2018 was marked by a new type of attack, which can completely change the level of cyber threats. In January, it became known about such malware as Meltdown and Spektr. According to the CTO of GIB Dmitry VOLKOV, “This is a hardware vulnerability, that can not be corrected by software. Moreover, they affect all lines of existing processors. And to identify them on a real machine is very difficult.”In order to eliminate this vulnerability, it is necessary to disable some technological components of the affected multi-core processors.

“And no security solutions that could objectively manage with that attacks, of course, have not existed at the time of detection yet. The industry had not been ready,” — said Dmitry VOLKOV

BNT: Does it make sense to localize the cybercrime by country and what is the impact of global policy on international investigations?

IS: Politics is a significant hindrance. Don’t think that cybercrime is settled by the countries, because it is cross-border now. Most investigations require the close cooperation of law enforcement agencies of different levels and countries in order to combine the actions in different territories and at the same time to carry out the correct operational investigative measures. This does not happen, primarily because of political differences between countries, which are, naturally, used by criminals.

The top 3 countries which are the sources of the most active pro-government hacker groups are China, North Korea and Iran. Asia-Pacific in the last 2 years has become the most actively attacked region: only for the last year the activity of 21 different groups was registered, that is more than the total number of attacks on the United States and Europe

BNT: What can you say about the blockchain technology, which is now considered by many people to become a panacea in solving of various problems, can it solve the global cybersecurity issues?

IS: There is an approach that is too early to talk about, but it can really solve the large part of political problems in the information security space. This applies primarily to the exchange of cyber threats data. There is a work on that approach that is going on now and we are involved in that process, but still it is too early to make announcements. Perhaps there will be some self-regulation of technology companies, which will unify the detecting threats process, so that everyone can use this system. We can not say yet how it will be implemented but it will work on the blockchain.