Cybercrime and punishment; Cyberwar and peace

Dmitry Volkov, Co-Founder, CTO and Head of Threat Intelligence

As the pandemic hit in 2020, most corporations opted to work remotely, increasing the IT workload by a large margin. Cybersecurity firms have been busy as threat actors took advantage of the global pandemic and became more creative, developing increasingly elaborate schemes to achieve their goals. Cyberattacks hit businesses almost every day, and cybercrime has increased every year as more and more people try to profit from vulnerable business systems.

According to a few key findings from Group-IB’s High Tech Crime Report 2020-2021, there were over 500 successful ransomware attacks in more than 45 countries globally, leading to total financial damages of over US$1 billion. Out of this, Asia accounted for more than 7% of the total reported ransomware incidents.

Group-IB is a provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. The company has 17 years of experience in cybercrime investigations worldwide and 65,000 hours of incident response under its belt, along with a partnership with Interpol and Europol.

Over the past year, Group-IB saw a spike in the number of cyberattacks originating from state-sponsored threat actors and criminals using spyware, ransomware, and backdoors to exploit anxiety around COVID-19. The number of enterprise networks hacked by infecting the computers of remote workers with malware jumped. The likes of Lazada and the New Zealand Stock Exchange have suffered breaches, and now cyberattackers are targeting the cold supply chain needed to deliver COVID-19 vaccines around the world.

We talk to Dmitry Volkov, Co-Founder, CTO and Head of Threat Intelligence, and Vitalii Trifonov, Deputy Head of Group-IB Digital Forensic Lab in APAC who share their insights on the cybersecurity landscape, functioning amid a pandemic and shifting their headquarters from Russia to Singapore.

What made you move from Russia to Singapore? How has that affected your business?

Singapore has historically been Group-IB’s stronghold business-wise. It is one of Asia’s biggest commercial, financial and cybersecurity hubs. The Singaporean government invests heavily in cyber awareness programs, cyber education and understands that cybersecurity is a cornerstone of economic stability and national security. 

Vitalii Trifonov, Deputy Head of Group-IB Digital Forensic Lab in APAC

The country has created an ecosystem that favors high-tech companies and eradicated the downsides of bureaucracy that slow business down. Singapore offers an atmosphere of political neutrality, which is extremely important when you are chasing the bad guys worldwide. We have all we need here to manage our global threat hunting ecosystem. Ever since we established our global HQ in Singapore, the share of Southeast Asia revenues has been growing exponentially.

What is the cybersecurity landscape as well as the entrepreneurship landscape like in Russia? And how did Russia manage to become such a powerhouse in the security sector?

From the cybersecurity standpoint, Russia really stands out for several reasons. There are so many good developers and engineers with outstanding educational background, but they are low paid. In Singapore, it’s hard to imagine an IT specialist with a graduate degree who is paid less than $500 a month — while it’s a decent salary in many Russian cities.

This is part of the reason why many hacker groups originate from Russia and other post-Soviet states. The region usually serves as a testing ground for their methods and tools, which they then export to the rest of the world, including Asia-Pacific, within a one- or two-year gap. This inevitably pushes the Russian cybersecurity industry to develop effective solutions capable of withstanding the most sophisticated threats, which then spread globally with a short time delay.

How do you see the current state of geopolitics affecting the cyberthreat landscape – and has it affected your own operations? Is there a threat of cyberwarfare or are we already in a state of international cyberwar?

Cybercrime has no borders. Threat actors take advantage of the division and tensions between countries to carry out their malicious activities. Hackers often live in countries that have no extradition treaty with the jurisdiction where the crime is being committed which makes the arrest almost impossible. 

We are seeing a dangerous trend whereby international cybercrime is evolving into international terrorism. This is especially so with hacker groups sponsored by nations under international sanctions, such as Lazarus from North Korea. The details of one of their most recent cyber sabotage operations, against a nuclear power plant in India, were described in Group-IB’s latest annual threat report.

We are on the verge of a cyberwar.

Countries will eventually have to bury political divides to counter cybercrime together, cooperating on cyber threat intelligence data exchange, the fight against cyber terrorism and the attribution of threat actors. Otherwise, it could end not so well.

How has COVID affected the state of cybersecurity in Asia-Pacific – do you see new patterns emerging?

COVID-19 has changed the landscape completely, both offline and online, particularly in cyber. Private companies and government organisations have been building security perimeters and monitoring their integrity for years. During the pandemic, millions of people were forced to work from home using their personal computers and routers, with VPN access to their corporate networks in the best-case scenario, which itself can be a great security risk when misconfigured.

We are seeing a dramatic increase in the attacks through employees connecting from home. The increased workload on the IT staff resulted in many preventive measures such as installing fresh updates being postponed. Due to the transition to remote work, well-coordinated development processes, including secure development, have been disrupted. We forecast an increase in the number of vulnerabilities in software versions released during the pandemic.

What are your top recommendations for APAC enterprises who want to guard against cyberattacks while also moving to extended work from home policies?

The sooner organisations move from a network perimeter security policy to a zero-trust policy, the more damage can be prevented. There are no more walls and castles. Every server has to be updated; every event must be recorded, analysed, and correlated as part of threat hunting activities. Without relevant data on cybercriminals and visibility into their operations, it is impossible to build an effective defence strategy. You cannot be sure that hackers are not inside your networks right now. You must hunt for threats constantly. In order to hunt for something properly, you need to know what and who to look for, for which threat intelligence and attribution data can be very helpful.

What is the most interesting forensic operation you have undertaken, could you briefly describe the scenario and the successful op?

One recent incident comes to mind. The IR engagement I’m referring to happened during the circuit breaker, at the height of the pandemic panic, when most of Singapore came to a standstill. During this incident response, we had to be in the affected organisation physically. Fortunately, the Ministry of Manpower granted Group-IB essential service provider status. As such, I ended up on empty city streets rushing towards the data centre wearing an N95 respirator.

We got to the place and soon realised that the company had been attacked through a non-updated VPN server that was maintained by a third-party IT vendor, and all files on the server had been encrypted. During the attack, the hackers left an additional backdoor for the future, escalated their privileges to domain administrator, and installed a program for remote control. Such actions can only be detected through a proper incident response.

The story had a happy ending. Fortunately, the files were eventually restored, the servers were updated, and the attackers’ changes were rolled back.
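The three post-exploitation steps in that account (a backdoor account left behind, privileges escalated to domain administrator, and a remote-control program installed) each leave Windows event records that an analyst can correlate. The following is an added example, not Group-IB’s tooling or code from the engagement: it runs detection logic over a handful of constructed Windows Security/System event records (hypothetical hostnames and account names) and ties account creation (EventID 4720), addition to a privileged group (4728/4732) and new-service installation (7045) together into one finding.

```python
"""Correlate constructed Windows event records to surface the attacker actions
described above: backdoor account -> Domain Admins -> remote-control service.
Added example; sample events are constructed, not real logs."""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Service binaries outside these prefixes are treated as untrusted (assumption).
TRUSTED_PATH_PREFIXES = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")

# Constructed sample events. Field names mirror the Windows log semantics:
# 4720 account created, 4728/4732 member added to a group, 7045 service installed.
SAMPLE_EVENTS = [
    {"ts": "2020-04-10T01:12:04Z", "id": 4624, "host": "VPN-GW01", "subject": "svc_vpn",
     "target": "", "detail": "LogonType=3 from 203.0.113.25"},
    {"ts": "2020-04-10T01:15:40Z", "id": 4720, "host": "DC01", "subject": "svc_vpn",
     "target": "support_tmp"},
    {"ts": "2020-04-10T01:16:02Z", "id": 4728, "host": "DC01", "subject": "svc_vpn",
     "target": "support_tmp", "group": "Domain Admins"},
    {"ts": "2020-04-10T01:31:55Z", "id": 7045, "host": "FS01", "subject": "support_tmp",
     "target": "RemoteAdminSvc", "image_path": "C:\\ProgramData\\ra.exe"},
    # Benign noise: a normal onboarding and a vendor agent installed from a trusted path.
    {"ts": "2020-04-10T08:02:11Z", "id": 4720, "host": "DC01", "subject": "itadmin",
     "target": "new.hire"},
    {"ts": "2020-04-10T08:05:30Z", "id": 7045, "host": "WS17", "subject": "itadmin",
     "target": "VendorAgent", "image_path": "C:\\Program Files\\Vendor\\agent.exe"},
]


def find_escalated_accounts(events):
    """Accounts that were created (4720) and later added to a privileged group."""
    created_at = {e["target"]: e["ts"] for e in events if e["id"] == 4720}
    escalated = set()
    for e in events:
        if e["id"] not in (4728, 4732) or e.get("group") not in PRIVILEGED_GROUPS:
            continue
        if e["target"] in created_at and e["ts"] >= created_at[e["target"]]:
            escalated.add(e["target"])
    return escalated


def find_suspicious_services(events, suspect_accounts):
    """New services (7045) installed by a suspect account or from an untrusted path."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        path = e.get("image_path", "")
        if e["subject"] in suspect_accounts or not path.startswith(TRUSTED_PATH_PREFIXES):
            hits.append((e["host"], e["target"], path))
    return hits


def timeline(events, accounts):
    """Chronological (ts, host, id) for every event touching the suspect accounts."""
    touching = [e for e in events if e["subject"] in accounts or e["target"] in accounts]
    return [(e["ts"], e["host"], e["id"]) for e in sorted(touching, key=lambda e: e["ts"])]


def correlate(events):
    """Return the combined finding: backdoor accounts, persistence, and their timeline."""
    accounts = find_escalated_accounts(events)
    return {
        "backdoor_accounts": sorted(accounts),
        "persistence": find_suspicious_services(events, accounts),
        "timeline": timeline(events, accounts),
    }


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The correlation deliberately keys on the sequence (creation, then privileged group membership, then a service from the same account) rather than on any single event, because each of those events occurs legitimately on its own; the 4624 record from the VPN gateway is kept only to anchor the timeline to the entry point.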

What are your long-term predictions for cybersecurity – will breaches accelerate and are enterprises doomed to a lifetime of uncertainty and constant fear of data breaches and ransomware?

I hate to be a pessimist, but over the years in cybersecurity, if there is one thing I have learned about forecasts, it’s that it only gets worse. In addition, it is not always the evolution of current trends, such as the symbiosis of ransomware operators and the cybercriminals who compromise corporate networks, that triggered the 2020 ransomware plague. It could be something worse. The growing complexity of IT networks increases the attack surface every year. This means more opportunities and attack vectors for threat actors.

We witnessed the first human death indirectly caused by a ransomware attack, which targeted a German hospital in 2020. Cyberattacks will inevitably have a higher real-world impact, resulting in physical destruction and casualties. That is a long-term forecast. In the future, we will have to start counting the number of human casualties in incident response reports, and we will all remember how great life was back in the days when we only had to estimate the size of the stolen database.