Group-IB: Threat Intelligence for Cybersecurity

December 10, 2019. 7 mins read

One of the oldest cities in Russia is Samara, a city of just over one million people, which makes it the ninth biggest in the country. It also happens to be a center for Russian aerospace and aviation, which means there is a lot of technical talent around, and some of it can't find work and ends up turning to the dark side: hacking. Samara is one of the world's leading centers for carding, the old-school fraud of buying goods with someone else's stolen card data. The money a successful hacker can make dwarfs any entry-level corporate salary, and for many it's an offer that's difficult to refuse.

In a recent article, we dove headfirst into the fascinating work of Group-IB, an elite group of cybercrime experts that has been hunting down, and helping to prosecute, some of the world's most notorious hacker groups. Along the way the firm has amassed a great deal of information about the hacking underworld, and that information is valuable for thwarting future attacks. This area of cybersecurity is known as “threat intelligence,” and it's the backbone of Group-IB's suite of products.

About Group-IB

If you're not familiar with Group-IB, read our past article on The World's Most Elite Cybercrime Fighting Unit. Since 2003, the company has been amassing intelligence about what happens in the underworld of criminal hacking. We sat down with Aleksandr Lazarenko, Head of R&D at Group-IB, to talk about how threat intelligence helps prevent attacks that can cost billions of dollars. Our first question was: what is threat intelligence?

Broadly speaking, threat intelligence is information about the actors, tools, infrastructure and behavior behind malicious activity, collected in a form that defenders can act on. Group-IB started out as a firm that investigated cybercrime and provided digital forensics services, and over time it accumulated very useful data, including a database that profiles over 100,000 threat actors around the world. Its Computer Emergency Response Team (CERT-GIB) handles a wide range of complex targeted attacks: intrusions that use sophisticated techniques to bypass protection systems, malware infections, phishing campaigns and network break-ins. Because CERT-GIB works around the clock, the company regularly gains first-hand knowledge of the techniques and behavior of the most advanced attackers in the wild, not just file hashes and signatures. That knowledge fuels the company's cybercrime prevention and monitoring systems.

Threat intelligence big data – Source: Group-IB

In its early years Group-IB mainly provided services, in particular cyber investigations and digital forensics, including dynamic malware analysis, and that work let it build up a collection of threat intelligence on the attackers. By 2010, during incident response engagements around the world, the company's experts were increasingly finding infected workstations that had antivirus software installed and running, which the attackers had simply bypassed. It became apparent that big international companies were spending a lot of money on solutions that could not protect their infrastructure: the technologies they relied on were ineffective against the attack vectors and tools cybercriminals were actually using. That is why the company decided to turn its knowledge into products that let companies protect themselves against the threats relevant to them, taking into account their industry and geographical location.

Let’s look at some of those products starting with threat intelligence and detection.

Threat Intelligence & Detection

Proactive Threat Detection

Companies looking for threat intelligence services are usually concerned that something bad is already happening in their organization. Wouldn't it make more sense for the experts to spot attacks while they are still being prepared, or at least as they are taking place? That's what Group-IB does. They can identify who is attacking your firm and other firms in your industry. The tools, tactics and procedures (TTPs) those attackers use can indicate which of your staff have already been targeted or compromised, and Group-IB can even find out what is being said about your company in underground hacker chat rooms. Mr. Lazarenko told us about reaching out to a very large bank with information on a pending attack, only to be ignored. Days later, the same bank was asking Group-IB for help, because it had indeed been hacked.

In order to actively monitor threats at scale, Group-IB turns to automation.

Automated Threat Intelligence

If you do not know your enemies, how can you fight them? With that question in mind, in 2010-2011 the company turned its knowledge of adversaries into its flagship product, Group-IB Threat Intelligence, a system built to track the nature of different cyber threats and how they evolve. To keep customers a few steps ahead of cybercriminals and stop attacks at an early stage, Group-IB built an ecosystem for researching threat actors' techniques in depth, exposing adversary infrastructure while an attack is still being prepared, attributing threats to known actors and identifying new ones.

The system is constantly enriched with the company's proprietary data from many sources: incident response and cyber investigations, technical indicators from Group-IB's own sensors installed around the world, honeypots, spam traps, phishing collection points, compromised-data checkers, and information gathered from dark web forums and card shops with Group-IB's own monitoring and analysis tools, as well as open-source threat data.

Collecting threat intelligence proactively lets Group-IB help thwart attacks before they happen. The same automated monitoring can also be turned on a different kind of theft: piracy.

Anti-Piracy and Brand Protection

Global digital piracy costs the US film and TV industry an estimated $29.2 billion a year, with 230,000 jobs lost as a result. Then there's sound recording piracy, which costs the U.S. economy $12.5 billion in total output and 71,060 jobs. If you sell digital products, you ought to have eyes on the places where pirates distribute their warez. That's where Group-IB can help: its team monitors over 3 million places where pirated content is trafficked, 24/7, and eliminates 20,000 violations per day.

What Group-IB monitors – Credit: Group-IB

Group-IB says it takes on average 30 minutes to identify the first pirated copy that appears on the Internet, and 80% of links are removed within a week. As with Spanish startup Red Points, the majority of these removals don't require legal action. Game of Thrones junkies will be bummed to hear that Group-IB was responsible for blocking more than 43,000 links to pirated copies of GoT Season 8 on pirate websites, forums and social media.

Blocking links of pirated Game of Thrones copies – Source: Group-IB

Most violators comply with the takedown demands of a company that has successfully prosecuted dozens of violators and collaborates with international law enforcement agencies such as Interpol and Europol.

Secure Bank

As noted in our previous article on Group-IB, its experts say that more than 90% of all cybercrimes in the world now involve money theft. Hackers gravitate to where the money is, so a big part of Group-IB's security offering is about keeping more than 100 million banking customers secure by monitoring 16 million online banking sessions every day.

This is another example of Group-IB's non-standard approach to a routine problem. Most banks use transactional fraud-prevention systems, which score individual payments and are effective at stopping bad transactions. But that, apparently, is not enough: a fraudulent payment made from a hijacked session can look perfectly normal on its own. Group-IB stands out for its adaptive logic that correlates how users behave on their devices as they interact with their bank through various channels.

The solution, Secure Bank, is a full stack of anti-fraud technologies that monitors user behavior in real time. The technique, a form of behavioral biometrics we've called “bio-chronometrics” before, tracks things like mouse movements, keystrokes, typing cadence and the delays between actions to judge whether it is really you behind the keyboard. That behavioral signal is enriched with Group-IB Threat Intelligence data on threat actors, malware, malicious IPs and compromised credentials. The combination lets the bank notice immediately if a different person, or a bot, suddenly starts interacting with the keyboard in the middle of an online banking session.
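To make the keystroke side of that idea concrete, here is an added example, written for this article and not Group-IB's code or a description of how Secure Bank works internally. It is in JavaScript because that is what a page-side snippet collects with. It builds a per-user timing profile (dwell and flight times) from sessions the bank already trusts, then scans a live session in small windows and reports the first window that either drifts from the profile (another person typing) or is too regular to be human (a script), including a bot tuned to match the user's average speed. Every keystroke stream, timing pattern and threshold below is constructed for the demo.

```javascript
// Keystroke-dynamics check for an online-banking session (added example, not Group-IB code).
// Input: {key, type: 'down'|'up', t} events with t in ms, the shape keydown/keyup listeners give.
const MAX_GAP_MS = 2000; // pauses longer than this (reading, thinking) carry no identity signal

// Per-keystroke samples: dwell = hold time (keyup - keydown), flight = gap since the previous
// key's release. The first keystroke has no flight and keystrokes after a long pause are
// dropped, so the features stay aligned. Rollover measures flight from the latest release.
function extractTimings(events) {
  const samples = [];
  const held = new Map(); // key -> {t, idx, flight} while the key is down
  let lastUp = null;
  let idx = -1;
  for (const ev of events) {
    if (ev.type === 'down') {
      idx += 1;
      held.set(ev.key, { t: ev.t, idx, flight: lastUp === null ? null : ev.t - lastUp });
    } else if (ev.type === 'up' && held.has(ev.key)) {
      const d = held.get(ev.key);
      held.delete(ev.key);
      lastUp = ev.t;
      if (d.flight !== null && d.flight <= MAX_GAP_MS) {
        samples.push({ idx: d.idx, dwell: ev.t - d.t, flight: d.flight });
      }
    }
  }
  return samples;
}

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;
const stddev = (xs) => { const m = mean(xs); return Math.sqrt(mean(xs.map((x) => (x - m) ** 2))); };

// Enrollment: pool samples from sessions the bank already trusts (e.g. ones that followed
// strong authentication) into a per-user profile of means and spreads.
function enroll(trustedSessions) {
  const samples = trustedSessions.flatMap(extractTimings);
  const profile = {};
  for (const f of ['dwell', 'flight']) {
    const v = samples.map((s) => s[f]);
    profile[f] = { mean: mean(v), sd: stddev(v) };
  }
  return profile;
}

// Two independent tests on one window: drift (window mean dwell/flight more than zLimit
// standard errors from the enrolled mean: another human) and regularity (flight times more
// uniform than any human manages: a script, even one tuned to the user's average timing).
function scoreWindow(profile, win, { zLimit = 3, minCv = 0.05 } = {}) {
  const reasons = [];
  for (const f of ['dwell', 'flight']) {
    const v = win.map((s) => s[f]);
    const se = Math.max(profile[f].sd, 1) / Math.sqrt(v.length); // 1 ms floor: no divide-by-zero
    const z = Math.abs(mean(v) - profile[f].mean) / se;
    if (z > zLimit) reasons.push(`${f} drift (z=${z.toFixed(1)})`);
  }
  const flight = win.map((s) => s.flight);
  const cv = stddev(flight) / Math.max(Math.abs(mean(flight)), 1);
  if (cv < minCv) reasons.push(`machine-like regularity (cv=${cv.toFixed(3)})`);
  return reasons;
}

// Scan a live session in windows of `size` samples; report the first anomalous window
// (keystroke index plus reasons) or null if the whole session looks like the enrolled user.
function firstAnomaly(profile, liveEvents, size = 8, opts = {}) {
  const samples = extractTimings(liveEvents);
  for (let start = 0; start + size <= samples.length; start += size) {
    const win = samples.slice(start, start + size);
    const reasons = scoreWindow(profile, win, opts);
    if (reasons.length > 0) return { atKeystroke: win[0].idx, reasons };
  }
  return null;
}

// Constructed keystroke streams: dwell/flight patterns are cycled per key so the data is
// reproducible. Real data would come from keydown/keyup listeners on the page.
function makeSession(text, dwellPattern, flightPattern, t0 = 0) {
  const events = [];
  let t = t0;
  for (let i = 0; i < text.length; i++) {
    const d = dwellPattern[i % dwellPattern.length];
    events.push({ key: text[i], type: 'down', t }, { key: text[i], type: 'up', t: t + d });
    t += d + flightPattern[i % flightPattern.length];
  }
  return { events, end: t };
}

const GENUINE = 'transfer 850 to landlord account';
const profile = enroll([
  makeSession(GENUINE, [80, 100, 120], [150, 200, 250]).events,
  makeSession('check balance and card limit', [90, 95, 115], [170, 190, 240]).events,
]);
// Live sessions: the user with day-to-day jitter; the user, then someone else taking over
// mid-session; a script that matches the user's average timing with zero jitter.
const same = makeSession(GENUINE, [85, 105, 115], [160, 210, 240]).events;
const head = makeSession(GENUINE, [85, 105, 115], [160, 210, 240]);
const hijacked = head.events.concat(
  makeSession('send 4900 to new payee', [60, 65, 70], [350, 450, 400], head.end).events);
const bot = makeSession(GENUINE, [100], [200]).events;

const demo = () => ({
  same: firstAnomaly(profile, same), hijacked: firstAnomaly(profile, hijacked), bot: firstAnomaly(profile, bot),
});
console.log(JSON.stringify(demo(), null, 2));
```

Running it flags nothing for the genuine session, flags the hijacked session at the first full window after the takeover with dwell and flight drift, and flags the bot purely on regularity even though its average speed matches the user. Two caveats a practitioner would add: the timings are captured in the browser, an environment the page itself says attackers manipulate with web injects, so the scoring and the thresholds belong on the server and the result should be one input to a risk decision (step-up authentication, not a hard block), and the thresholds here are illustrative; production systems tune them per user on real data and use richer features such as per-key-pair timings and mouse dynamics.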

Aside from checking that users are who they say they are, Secure Bank offers other services: identifying malware activity on PCs and mobile devices, detecting social-engineering and cross-channel attacks, spotting legitimate remote-access software on a user's device (often a sign that a fraudster is remotely “assisting” the victim), watching for suspicious transactions that may be related to money laundering, and helping protect against web injects.

Secure Portal

Group-IB offers data security and fraud protection for websites, e-commerce and paid subscription services under its “Secure Portal” offering, which can be tailored by industry. From helping to recognize false insurance claims to protecting your soon-to-be-worthless crypto assets, Group-IB uses its threat intelligence to identify industry-specific threats and fraud.

Threat intelligence solutions customized by industry – Credit: Group-IB

The solution is delivered as a module: a JavaScript snippet on your web pages or an SDK in your mobile app. Indicators and context of fraudulent activity detected by Secure Portal are sent in real time to analysts at Group-IB, who can take immediate action against whatever attack you are experiencing.


Hacking used to be a romantic trade that attracted bright people who wanted to showcase their talents and build a reputation among other hackers. Most weren't interested in financial gain, but that changed. Now another transition is under way: the focus of innovation and research in complex malware and multi-layered targeted attacks has shifted from financially motivated cybercriminals to state-sponsored threat actors.

According to Group-IB's annual “Hi-Tech Crime Trends 2019/2020” report, presented not long ago in Singapore, 38 different state-sponsored threat actors were active over H2 2018-H1 2019, including seven new ones.

“2019 has become the year of covert military operations in cyberspace. Conflicts between states have taken on new forms, and cyber activities play a leading role in this destructive dialogue. Groups acting in the national interest fly under the radar for many years. Only a few such incidents have become known, but most indicate that the critical infrastructure of many countries has already been compromised. This means that a peaceful existence is no longer possible while being out of touch with cybersecurity,” says Dmitry Volkov, Group-IB’s CTO.

You should always be wary of people who have nothing to lose, and the same holds true for talent in places like Samara with nowhere to go. Being a successful hacker now comes with more than just prestige. That's why threat hunting and intelligence companies like Group-IB are taking the fight back to the source.



  1. Very interesting insight of Russian Knowledge and Expertise in Cyber Security which will be helpful to all major organizations.