Sergey Nikitin, Group-IB - about the future of cybercrime and ways to combat it

Sergey Nikitin - Leading expert on cybersecurity, Deputy Head of the Laboratory

computer forensics and researchGroup-IB malicious code. The company collaborates with the Russian Interior Ministry in investigating cybercrimes. According to Nikitin, 80% of the resonant cases in the field of information security were opened with the participation of the Group-IB laboratory.

Private IT expertise is indispensable

- Cybercrime is already punishable by applicable laws. Why do private companies do what the police should do?

- There are two aspects. The first is criminal articles and laws that determine operational-search activities. Only the police can do it. It is impossible to take this function from them. But when we talk about cybercrime, the main source of evidence is digital evidence. Separately, they are not yet registered; they fall under the definition of "others." The main evidence, and often the only one, is the expert’s opinion on some hard drive, mobile phone, that is, on their contents. It is at the stage of the qualitative collection, analysis and provision of evidence in the format of conclusions that private companies can join. Then everything is transferred to law enforcement officers who have the right to make requests, including those containing some kind of secret. For example, request billing, correspondence, withdrawals, or provider data.

Cybercrime is regulated by the Criminal Code of the Russian Federation. Chapter 28 “Crimes in the field of computer information” in this edition includes 4 articles:

  • Article 272. Illegal access to computer security.

Under this article, you can get a fine, forced labor or imprisonment for a period of 2 to 7 years.

  • Article 273. Creation, use and distribution of malicious computer programs.

Depending on the severity of the consequences, the real term under article 273 will be from 4 to 7 years in prison.

  • Article 274. Violation of the rules for the operation of means of storage, processing or transmission of computer information and information and telecommunication networks.

For copying, damage or destruction of protected information, you can get a fine of up to 500,000 rubles and imprisonment for a period of 2 to 5 years.

  • Section 274.1. Unlawful impact on the critical information infrastructure of the Russian Federation.

Under article 277.1 of the Criminal Code, you can go to prison for up to 10 years, depending on the severity of the harm done.

Law enforcement officers cannot take all workmainly because such crimes are very complex. There are not very many technical specialists, well trained and highly motivated. This is due to the size of wages and loads. Therefore, in complex resonant affairs, a private company can not do.

Sergey Nikitin

- How closely does Group-IB interact with the police during investigations? Are there any fees for examination and participation?

- It's not always the same. The investigation has a certain budget for expertise when they have to turn to independent experts. It happens that we conducted an investigation for a client, and then our report was transmitted to law enforcement agencies. The investigator checks to see if there is any reason to trust our report. According to him, they can appoint a forensic computer examination.

- What interesting investigations from practice can you name?

- There were a lot of them. All criminal hacker groups that worked on remote banking services continue to work. Previously, they stole money through client banks from individuals. Now they steal money through mobile banks. 80% of high-profile cases of such thefts took place with our participation. We were attracted by the victims, the investigation was attracted for examination.

In 2016, the Ministry of Internal Affairs detained 16 participantsthe criminal group of hackers CRON, Group-IB helped the law enforcement investigation. Fraudsters infected smartphones with malware - a banking trojan. This application, after installing on a smartphone, automatically transferred user money to hacker accounts. Victims installed the trojan on the device, following the links from SMS messages like “Your photos are published here”. Another way is to disguise the virus as a mobile application for banks. The total damage from the actions of the CRON group reaches 50 million rubles.

Carberp cybercriminals kidnapped more$ 250 million from the bank accounts of Russians in 2010-2011. Fraudsters hacked sites and popular services, and then installed programs for hidden remote access. After that, some Carberp participants transferred funds from users' remote banking clients, while others cashed them. Also, hackers were engaged in DDoS attacks.

A joint investigation of Group-IB and the Ministry of Internal Affairs made it possible to hold all eight members of the criminal group accountable.

- Back in 2011, US Secretary of State Hillary Clinton stated about the success of government hackers in the fight against Iran. Are you not afraid to go to some state in your investigations and repeat the fate, for example, of Snowden?

- Government hacker groups exist,it's not a secret. But the chance to reveal them in the investigation is not very large. Such groups work mainly in foreign countries. Perhaps this should be feared by some employees of existing law enforcement agencies. If this is done by an independent international consulting firm that provides an independent report, and if someone leaves traces, it is more likely to indicate a low quality of their work. They themselves are to blame. Therefore, there should not be any concerns or problems with this. To worry about this is not worth it.

Edward Snowden - Former CIA and NSA technical officer. In 2013, he shared with The Guardian and The Washington Post newspapers the secret information of the US National Security Agency. Snowden motivated his action with the principles of justice, as the information concerned, inter alia, issues of monitoring personal correspondence of citizens.

Paper only protection

- How much lack of personnel is felt now, and where to get them? Is it possible for a young specialist who has just graduated from the university to entrust the protection of the enterprise?

- The question is complicated. Specialists are sorely lacking. University graduates are not ready to investigate real incidents and threats. I myself graduated from Moscow Engineering Physics Institute, Faculty of Information Security. Universities prepare academically competently, but the information there is outdated. Today, information changes every six months. No university in the world can change an approved university program so quickly. This is normal. The specialists we hire are always on the spot. A year and a half worker must be trained.

Sergey Nikitin

In Russia, 2,044 crimes were registeredin the field of computer security for the period January-September 2019, follows from the report of the Ministry of Internal Affairs "The state of crime in Russia." These are illegal actions under the articles of Chapter 28 of the Criminal Code of the Russian Federation. The growth in the number of crimes compared to last year amounted to 11.4%. As of the date of publication of the report, 1,416 of them were not disclosed.

The greatest increase in cybercrimeKaliningrad region. Here, the number of crimes in this area has increased one and a half times during the reporting period. In the Yamal-Nenets Autonomous Okrug, the growth of cybercrime is the smallest - 3.8% compared to the previous year.

If we are talking about protecting companies, things are worse. Many organizations are protected only on paper. People report that they are protected, and then incidents happen, they steal money.

To understand what is happening in the industry, fromwhat threats need to be protected, there is a separate service. You can see how everything works. Providers of such services provide data on what threats are, how they are implemented, how they are spread, and what indicators to look for. In companies where nothing happens, people relax and lose their vigilance.

Digital hygiene

- What are the features of information security in terms of technology?

- The essence of fraud is based on the same principles as in the XIX century. Pyramids from the 90s, zombie gypsies, street scammers use the same methods.

If we talk about the theft of money, now populartelephone scams. Ten years ago, a man often called, saying: your son shot down someone, you need to urgently bring money. A fraudster hurries people with the words "urgently, it is necessary."

Sergey Nikitin

This scenario is valid now. Receptions only evolve a little. They call from the bank: the money has been debited from the account, tell the card details to the robot. Of course, you can’t say anything.

Fear, speed, escalationthey still work, and IT is just a new tool in their service. Crime has moved online. The apartment thief does not seem to be IT. But they, too, are looking for apartments on social networks.

- How to protect yourself?

- This is also a problem. Schools do not teach digital hygiene. And modern children were born in the era of the Internet. No one explains that a person from birth needs to think about his digital profile, control all accounts, mails, social networks. The man posted a photo of an incredible party at the age of 14, and then at 24 he was not hired. Nothing can be completely removed.

Digital hygiene is not only about this. If someone sends an email with an attachment, you need to be wary and not open. It is necessary to update the operating system on the computer and phone. You are convinced to open something and become infected with a virus. Therefore, digital hygiene is comprehensive, it must be respected by people so as not to get into trouble.

- How much can you trust antiviruses? Do I need an antivirus from an antivirus?

- In terms of protection for 2019, the antivirusnecessary, but not enough. Unfortunately, the antivirus responds to the past threat. In order for a virus to appear in the anti-virus database, it must first begin to infect. Given the number of viruses, and this may be hundreds of thousands per day, the effectiveness of antiviruses is greatly reduced. They collect a lot of data. In most cases, users themselves agree that almost any file from the computer should be sent to the anti-virus cloud servers and analyzed. And they even tick off that they are ready to share everything. Even if you do not put such checkmarks, still a huge amount of information is collected and sent. This is stated in the license agreements. Antivirus for antivirus - a little absurd. It all depends on what you fear more and what kind of threat. If you are afraid of data leakage more than viruses, do not use it at all.

- Will there come a time when cybercrime will be finally defeated or, conversely, it will only become more sophisticated?

- Neither one nor the other. They find new remedies for new methods of deception and infection. This will continue indefinitely. In the future, one can predict the growth of cybercriminals. This is due to the fact that IT is increasingly penetrating our lives. You can easily compare the volume of non-cash payments 10 years ago and now. Cybercrime is growing with this figure. Victory of one of the parties I do not see.