Speaking on the sidelines of the 8th Moscow International Forum “Open Innovations”, Ilya Sachkov, CEO and founder of Group-IB, an international company specialising in preventing cyberattacks, has revealed how the field is developing in Russia, what possible threats banks face, and who stands behind them, as well as how to protect oneself from falling victim to scammers.
Sputnik: One of the main themes in recent years is the issue of cybersecurity, particularly user data protection. What do you think is hindering the development of the cybersecurity market in the country and abroad? How can you protect yourself from such leaks and attacks?
Ilya Sachkov: The reasons for all breaches are pretty commonplace: it is either an external hack of a system that was not well protected or an internal leak via an insider – in other words, a dishonest employee who sells a service database for personal gain or revenge. I recently saw data from the Central Bank of Russia: over half a year we found 13,000 ads about the purchase and sale of personal data, but only 1,500 of them concerned financial institutions' databases.
At the same time, one must clearly understand that the scope of data breaches is sometimes greatly exaggerated, and the leaks themselves are “probes” or a combination of outdated data collected from various sources. A set of such data does not allow a scammer to steal money from an account or payment card, but it can be used for vishing (voice phishing – ed. note Sputnik) and social engineering techniques.
To combat cybercrime, you need to focus on studying how cybercriminals work, what weaknesses in defence they use, what threats are relevant for a particular organisation, and why exactly those.
Today, the defence paradigm itself has changed: hunting for attackers, for threats – this is what really helps to protect yourself, not a marketing leaflet. How does it work? Our systems “remember” the attacker's infrastructure used in any incident, with a retrospective going back decades, and automatically monitor it, recording all the changes, which makes it possible to understand whether something is being prepared now and when the attack will be delivered. This is how the early cyberattack prevention system works.
Sputnik: According to your estimates, what damage did hacker attacks cause to Russian companies in 2019, and what figures do you expect in the future?
Ilya Sachkov: I can say this year cybercriminals on average stole from Russian companies and citizens a little more than 1 million roubles a day.
Sputnik: According to your information, what is the average damage to Russian banks? How fast is the number of frauds in banking transactions growing in Russia?
Ilya Sachkov: According to our data, there are currently five hacker groups that pose a real threat to banks – Cobalt, Silence, MoneyTaker, Lazarus, and SilentCards (Africa). They are capable of hacking a bank, getting to isolated financial systems and getting money out. What is curious, though, is that three out of the five groups (Cobalt, Silence, and MoneyTaker) are Russian-speaking; however, over the past year, Cobalt and Silence have begun to attack banks mainly outside of Russia.
We see that the number of targeted attacks on banks in Russia is decreasing – the damage from them over the year (the second half of 2018 and the first half of 2019) has decreased roughly 13-fold and amounted to about 100 million roubles – and the hacker groups' exodus from the “RU domain” continues. For example, starting with targets in Russia, Silence gradually shifted its focus to the CIS and then entered the international market. Group-IB analysts have found Silence attacks in more than 30 countries in Europe, Asia, and the CIS for the current year.
The major threat to a bank's clients remains vishing, phishing, and social engineering. A recent report by the Central Bank confirms this: 97% of thefts from individuals and 39% from accounts of legal entities in 2018 were committed through social engineering.
According to our estimates, more than 80% of monetary theft occurred using social engineering methods – this means that malware was either not used at all or only “took part” in one of the theft's stages. The most common types of internet fraud were: vishing (in just three months over the summer, the Central Bank sent information about more than 2,500 suspicious numbers to telecom operators), phishing emails, and web phishing.
Sputnik: The arsenal of cybercriminals is constantly being updated. What new methods of stealing money have you noticed?
Ilya Sachkov: A new criminal scheme involves an attempt to force bank clients to install a remote access programme on a smartphone and steal money. The average monthly amount of damage through this type of fraud for a large bank can be from 6 to 10 million roubles.
The Secure Bank system on average records more than 1,000 attempts per month to withdraw funds from individuals' accounts using a scheme with a programme for remote access.
Sputnik: How much has the number of attacks on Russian companies and banks from abroad increased? Which countries are behind these attacks?
Ilya Sachkov: The most dangerous are the pro-government hackers of developed countries, since their activity is less noticeable while they have a more sophisticated arsenal for conducting attacks.
In general, our forecast for last year came true. The number of targeted cyberattacks for espionage, sabotage or direct financial gain has grown significantly. The so-called “digital weapons” or cyber weapons that can stop production processes and disable the networks of critical infrastructure and large commercial enterprises are actively being used. This is a serious problem.
The arsenal of pro-government hackers is now periodically published in the public domain, and anyone can download it all, configure it for themselves and start using it. I expect that the number of cyberattacks will increase and it will be more and more difficult to attribute these attacks.
Sputnik: What is the average amount of money a month or a year stolen from Russians?
Ilya Sachkov: I can cite a new figure from our report: using phishing and Android Trojans, which are still relevant, criminals daily stole on average 800,000 roubles from Russians over the past year (for the second half of 2018 and the first half of 2019).
Sputnik: Group-IB also helps companies and authorities investigate cybercrime. In April this year, vote-rigging was discovered on the show “Voice. Children”. A new stage of the project will start soon and voting will now take place only via SMS messages. Will your company cooperate with the project regarding cybersecurity, check both stages of voting and identify possible attacks? Are you planning to introduce a special protection system for the project?
Ilya Sachkov: The final report was published on 11 June. The company's experts confirmed the conclusions about vote-rigging and also revealed some anomalies that accompanied the voting. In less than a month, we completed all the procedures associated with the independent investigation initiated by Channel One Russia. On the same day, the management of Channel One publicly thanked us for our work and promised to take all the recommendations into account in the future.
If Channel One in the new seasons decides to bring us in to audit the security of the voting system or other work on cybersecurity, we will tackle the problem again.
Sputnik: Could you share the basic principles of how to protect yourself from scammers and cyberattacks? How can you protect your data on the net and your funds on a bank card?
Ilya Sachkov: Most of us live in a world of illusory security. We live in the most peaceful time in the history of mankind. The chances of becoming a victim of genocide, large-scale hostilities, or even a trivial armed attack on the street are minimal compared to past eras.
And yet there are no fewer criminals. It is just that real danger no longer awaits us in the form of a knife in a back alley, but on the internet. While one apartment is being robbed, 3,000 different computer attacks are recorded at the same time. Today, cybercrime is the most likely crime in the world. The fact that people and businesses do not take this problem seriously is one of the major vulnerabilities.
Therefore, one of the main recommendations that I give users is to learn as much as possible about information security and digital hygiene. There are some general guidelines.
Leave as little personal information about yourself on the internet as possible. For example, do not reveal which bank you are a client of or which banking services you use, and do not upload photos and scans of your documents and bank cards to social networks.
To prevent fraudsters from re-issuing your SIM card and re-linking your internet banking to it, write to your mobile network operator's office with a letter restricting replacement of the SIM card without your personal participation (for example, by proxy). Also find out what your bank will do if your SIM card is re-issued.
Do not follow suspicious links, so that your smartphone or computer does not get infected with a banking Trojan. Do not download banking applications from unreliable sources – use only official bank applications from the App Store and Google Play.
Use complex passwords – different for all devices and web resources. Change them once a quarter.
Use a separate bank card for online purchases. Do not leave your card details on suspicious resources – this could be phishing.
Even if a conversation with someone who introduced themselves as a bank representative looks super-realistic, never give out your CVV, code word or code from an SMS, either by phone or in a chat with a bank representative. As soon as you hear this request, it means a swindler is on the line. Calmly end the conversation and tell your bank what number the call came from.