The World’s Most Elite Cybercrime Fighting Unit
“This is our world now… the world of the electron and the switch, the beauty of the baud.” Those words are from The Hacker Manifesto, an essay that was published in Phrack magazine and read by anyone who grew up in the world of Hacking, Phreaking, Virii, Anarchy, and Cracking – also known under the acronym HPVAC. In those days, hacking was a romantic trade where the most trouble you might find yourself in was being stuffed into a locker at school for reasons unrelated to hacking. Today, hacking has become far more sophisticated and has split into two main areas: ethical hacking and not-so-ethical hacking, the latter of which has become a serious problem.
One country in the world that’s often associated with hacking is Russia, a place we recently decided to visit in search of tech startups with great stories. Tech or otherwise, Moscow is full of great stories to tell – powerful crotch rockets racing in the streets at night while the police turn a blind eye, the Forbeses (filthy rich men) who hunt the tiolki (filthy young girls), the largest and most opulent food court in Europe at the newly opened Depo, and Russia’s Silicon Valley, the Skolkovo Innovation Center. And of course, lots of hacking stuff.
When high-profile breaches and cyberattacks take place, the world’s most elite cybercrime fighting unit gets called in to investigate. It’s a Singapore-based cybersecurity firm named Group-IB. With an office in Moscow, they’re responsible for investigating some of the world’s most notorious hacking groups and preventing cyberattacks from happening.
Founded in 2003, Singapore-based company Group-IB has been successfully investigating cybercrime and preventing cyberattacks around the world for the past 16 years with an undisclosed amount of funding. The firm’s founder and fearless leader, Ilya Sachkov, was an 18-year-old prodigy who started the firm after learning about how lawless hackers were running rampant around the globe. Today, his firm has more than 300 employees operating in more than 60 countries around the globe and is recognized by Gartner as a global leader in threat intelligence. Recently, Group-IB announced that they will invest more than $30 million in Southeast Asia, a market with loads of potential. That’s because Southeast Asia is where all the action is. In just one year, 21 state-sponsored groups were detected in the area, more than in the United States and Europe combined.
Group-IB sells Products (70% of revenues) and Services (30% of revenues). In order to understand just how powerful their product suite is, we first need to look at the roots of the company – what their Head of R&D, Aleksandr Lazarenko, calls their “detective DNA.” You see, Group-IB doesn’t just sit around waiting for hackers to cause havoc, they’ve turned the tables and have become the hunters. It’s the cloak-and-daggers sort of stuff you just don’t get to read about that often, and it’s key to understanding what makes Group-IB so good at what they do.
The “Services” offerings from Group-IB fall into three broad areas: Prevention, Response, and Investigation. We’re going to focus on that last category, Investigation. That’s where the company started – investigating cybercrime – and today they’re arguably the most elite cybercrime fighting unit in the world with every single member of the team having passed a lie detector test to prevent espionage by the world’s most dangerous hackers. Over the years, Group-IB has led more than 1,000 successful investigations leading to more than $300 million being returned to their clients.
In 2017, Group-IB partnered with the INTERPOL to begin profiling hacker groups and hunting them down across the globe. The walls of their office are adorned with pictures of their founder, Ilya Sachkov, meeting with the Head of INTERPOL, Europol and other prominent figures who acknowledge the firm for being best in class.
Hacking has changed a lot since the days of demon dialing and beige boxing. It’s a multi-million-dollar industry now with its own ecosystem of product vendors and software tool developers – all fueled by the anonymity of cryptocurrency and the massive profits that can be realized by masters of the craft. According to Group-IB experts, more than 90% of all cybercrimes in the world now involve money theft. Think about the sort of fees one might be able to command when successfully investigating a multi-million-dollar bank heist and managing to get the money returned. It’s a lucrative business for Group-IB, and it also results in some remarkable stories that sound like they’re straight out of a crime novel. We’re going to talk about a few of them today.
A number of years back, we sent some of our MBAs into the Democratic People’s Republic of Korea (DPRK) looking for interesting startups and we came back empty-handed. What we observed was a country that’s misrepresented by Western media and – with all due respect – beyond backwards when it comes to technological advancements. That’s what we thought anyways. Turns out that the North Koreans have formidable capabilities when it comes to cyberthreats. According to Group-IB, some of these hackers might be holed up in the infamous Ryugyong Hotel seen below. The IP addresses identified in Group-IB’s investigation refer to this area.
Somewhere in this 105-story monstrosity are members of a North Korean hacker group known as “Lazarus” who failed to raise funding during their Silicon Valley road trip and consequently decided to bootstrap themselves by conducting sophisticated bank robberies. (One of those things we may have just made up.) According to several public media reports, in February 2016, Lazarus hackers attempted to steal $1 billion from the Central Bank of Bangladesh by exploiting weaknesses in the bank’s security to infiltrate its system and gain access to computers with access to the SWIFT network. One of the hackers – who pulled a Peter Pan off the 105th floor hours later – fat-fingered something on the transfers and only $81 million was stolen before the bank caught on. Group-IB did its own research on Lazarus featuring the analysis of the gang operations and issued an in-depth report outlining multiple layers of Lazarus infrastructure, thorough analysis of hacker’s tools, and evidence leading to North Korean IP addresses.
Group-IB’s CTO, co-founder and head of Threat Intelligence, Dmitry Volkov, who led the research on Lazarus, said:
Lazarus is one of the most dangerous cybercriminal groups in the world. They carry our both financially-motivated and espionage attacks attempting to steal money and crypto along with state secrets. The group is very well organized and equipped with tools and tactics that are hard to detect. Lazarus has subdivisions responsible for their own goals and targets. We strongly recommend the banks and other organizations to learn more about targeted attacks’ tactics and techniques, increase corporate cybersecurity awareness, and always use up-to-date and relevant Threat Intelligence.
Initially, the North Koreans disguised themselves as Russians, though Group-IB experts note that the “Russian commands” received from the server were not typical of a Russian native speaker. These sophisticated masquerade techniques originally misled some researchers who conducted malware operational analysis. According to Group-IB, in order to identify their targets, Lazarus used watering hole attacks which focused on users coming from particular locations of interest of which can be seen below:
The methods used to disguise the origins of the attack were extremely formidable including three layers of servers with SSL encryption that was also used to secure all communications as well. For those of you who speak nerd, there’s an incredibly interesting blog post and accompanying report (available on demand) with loads of technical details around the investigation. For those of you who may be visiting the DPRK anytime soon, keep an eye out for this guy who is now wanted by the FBI.
Thanks to the digital forensics work and threat research activities of Group-IB, more companies can better prepare for the gang’s attacks by learning about their tactics, techniques, procedures, and indicators of compromise.
The Sound of Silence
Historically, stealing money from ATMs involved physically removing the ATM using heavy machinery or putting a “skimmer” over the slot where you insert your card (check this video of a skimmer in Vienna). Today, the techniques are far more sophisticated. Last year, the U.S. Secret Service issued a warning about ATM jackpotting attacks being conducted on U.S. soil. An article by BleepingComputer details the attacks as follows:
A Diebold Nixdorf security alert dated October 2017 says crooks are gaining physical access to the ATM’s backside, where they gain access to its internals, replace the ATM’s hard drive with a tainted one, and then use an industrial endoscope to press a reset button deep inside the ATM. The malicious hard-drive they insert in the ATM contains a copy of the ATM’s original operating system, along with the Ploutus ATM malware —known for its simple “press F3 for cash” mode of operation.
Who has time for all that? Hacker groups like Cobalt and Silence are now using “touchless jackpotting” which involves injecting malware into the ATMs remotely after which cash is withdrawn by “money mules” — the lower echelon of the criminal hierarchy – who charge about 50% of the take for their services. It’s a natural evolution for hacker groups that mimic the successful attempts of other groups and become increasingly sophisticated over time as they learn from their mistakes and develop better tools.
Mr. Lazarenko talked about how these operations reflect the sophistication of corporate org charts where everyone is kept at arm’s length such that it becomes very difficult to identify the key players. Masked men armed with cell phones and burlap sacks walk up to ATMs – not too long after the ATM has been freshly stocked with cash – and after speaking on the phone and typing in some codes on the ATM keypad, the cash comes spraying out. Here’s a look at some Ukrainian money mules in action just this past May in Bangladesh where a total of $3 million, according to the local media reports, was taken in a heist organized by Silence:
In June of 2016, the first touchless jackpotting attack by Cobalt took place at a large Russian bank. The day after, Group-IB experts came to the bank’s central office and began searching for the source of the attack, immediately recognizing that they faced a new approach to targeted attacks on banks. While the leader of Cobalt was arrested last year in Spain by Europol, the group is still very active. We visited the 24/7 Computer Emergency Response Team (CERT-GIB) at Group-IB and the team leader showed us how Cobalt had been caught with their fingers in the cookie jar that very day by sending malicious emails in an attempt to target different organizations.
Large-scale hacking attempts like those conducted by Lazarus can be prevented using up-to-date threat intelligence and Advanced Persistent Threat (APT) detection and hunting solutions but if you don’t have a simple corporate application policy that keeps all systems on the network updated with the latest fixes patches and updates – at the barest of minimums – you’re asking for it.
As a result of spending the last 16 years battling cybercriminals, Group-IB has been acknowledged by Gartner as one of the world’s leading threat intelligence providers. It’s that accumulated threat intelligence that now powers their powerful suite of products that allow them to warn banks, financial organizations and companies from other various sectors ahead of time when attacks are being planned by the world’s most elite hackers. It’s a hell of a way to cold-call a prospective client, and those who choose not to listen pay the price when the hackers attack. In our next article on Group-IB, we’re going to dig into their sophisticated suite of products that are used by some of the world’s largest companies – across all industries – to keep the world’s most dangerous hackers at bay.