Profession: cyberdetective

Vesta Matveyeva is an information security expert at Group-IB, which Business Insider UK named one of the 7 most influential organizations in the global cybersecurity industry. Over 6 years she carried out dozens of forensic examinations, the technical analysis of incidents in the role of a forensic specialist, after which she moved to the investigation department and solved several cases.

Vesta came to Innopolis University at the invitation of the teachers and students of the master's program in secure systems and networks development, as part of the CyberCrime and Forensics course. She gave a lecture on how cybercrime is globalizing, what tactics and tools are used to attack financial and industrial organizations, and what methods are used to fight cybercriminals.


Job


At Group-IB you can't just work from 10 to 19. We have a global goal: the fight against crime. We help businesses, the state and other victims of cyber attacks find those who are behind the crime and bring the attackers to the dock. Working with such incidents every day, we have learned to understand how attackers think and which methods, tactics and tools are used for hacking. This experience, together with knowledge, determines the quality of the response to an information security incident and the scale of the consequences of an attack. That is why my colleagues and I spend a lot of time at work: learning, reading, studying, exploring.

If I compare the computer forensics laboratory, where I worked before, with the investigation department, where I moved, the working day in forensics is less standardized. Experts there work with incidents in real time: they quickly go to the scene, restore the chronology of the attack and look for compromised data. You cannot drop everything and go home just because working hours are over. The same applies during investigative measures, for example when we take part in a search and examine information from drives, images and servers from a technical point of view. There everything is seen through to the end: if the work takes a day, we work a day; if it takes several days, then several days. But the rest of the time, when no hypothetical bank needs rescuing, we work as usual, like everyone else.

After working in forensics for 6 years, I wanted to try myself in investigations. The work here has its own specifics: computer crimes are not investigated quickly. But here too, of course, we stay late when we need to help the injured party promptly. For example, parents or law enforcement agencies turn to us when a child has run away from home, to analyze their activity in social networks and forums in order to understand whom they have been communicating with, who may know about the escape and where they intend to go. Another example is powerful DDoS attacks on e-commerce. An hour of downtime for such a site can cost the company hundreds of thousands or millions of rubles, so we need to quickly establish the sources of the attack and block it.

But each investigation is unique: starting from the technical side, when we try to understand which services were used and identify the tools in order to assess the attacker's technical level, and ending with leads based on IP addresses, phone numbers and e-mail, analysis of social networks, forums and announcements on public and hidden resources on the darknet. There is no template for solving a case. It is always the study of a large number of sources. For example, in malware incidents you need to understand how it works, where it connects to, who registered those servers, and who infected the devices and how.

However, the basic approaches in our work do not change; what changes is the tools and what we examine. Even data in operating systems varies from version to version: structure, format, approaches. Where everyone used to use ICQ, whose correspondence was stored in clear form and could be accessed during the examination of a disk, now many instant messengers use encryption. This greatly complicates obtaining so-called digital evidence.

Crimes


"Hacker" is a collective image. When speaking about crimes, this term is used for simplicity of vocabulary, but in fact it is the name for all professionals who know how to bypass computer security systems. The most serious criminals in this area are divided into several categories:


In 2010, the Equation Group infected computers in Iran to prevent the production of nuclear weapons. It was the first known case of an industrial attack, when attackers gained access to Siemens equipment and influenced the technological process. Energetic Bear and Black Energy are two other groups that attack industrial facilities. The latter created the Industroyer tool, which allows controlling the protocols over which the equipment communicates and sending commands to it. Their achievement is the blackout in Ukraine, when in some regions of the country electricity was cut off for 75 minutes.

The largest theft in whose investigation I participated as a technical specialist was 700 million rubles. First, the money goes to pay all parts of the criminal group: the providing and supporting services and the infrastructure. The key members of the group spend the rest on organizing their own security and on luxury items: cars, yachts, apartments. The leader of the group is always aware of the risks of what he does and knows that a search can come to him at any moment, so I think he never feels completely safe.

In searches and in the detention of a suspect, surprise is important. Hackers are technically well-versed, and if you do not catch them off guard they manage to activate data protection on their devices (for example, encryption), which is difficult to circumvent, or destroy the data entirely.

Usually the detention takes place early, before the person has had time to leave home: at 6-7 am, or when we are sure that he has woken up and turned on the computer, which depends on the specifics of his work. If the search is carried out at a company, the operational group arrives when the office opens. Detention methods depend on the imagination of the law enforcement agencies: it is easy to work in business centers, where it is enough to show that you are with the police and need a certain company. Detaining an individual is a more complicated procedure, because the suspect must be prompted to open the door, for example by introducing oneself as a courier. Once in my practice, law enforcement officers entered the attacker's apartment from the roof on ropes, breaking the windows.

Investigations


There are attackers who work thoroughly on the technical implementation of thefts. They take into account how they will be looked for and how the attack mechanism works, changing their methods of penetration. Such complex cases are very interesting to us specialists, and in my practice there have been two such cases.

The first case occurred at a bank from which money was stolen. At first glance a common thing: gaining access to the automated workstation of a client of the Bank of Russia. This scheme has been used by several groups since 2013. But despite our understanding of the whole scheme of the crime, there was one difference in it. On one of the computers on the network the hackers launched a worm that worked exclusively in RAM; now it is fashionable to call this fileless (a "bodiless" program). In this way the attackers gained access to every computer in all branches of the organization. In other words, they set up a controlled botnet inside the bank. So as long as at least one infected computer is turned on, it will infect the company's machines again and again.

[Figure: a fragment of the worm as transmitted in network traffic at the moment of infection]

A logical question arose: how to clean the network? Having tried technical methods, we realized that the best solution in this situation was to turn off all computers at once in all branches of the bank, to which the bank agreed. This way we cleared the RAM, and there was no worm in the autostart. It was a unique event in scale. In a normal situation we would never be allowed to shut down all of a company's servers at once.

The second example, which I consider one of the most interesting in my work, is the Cobalt group, the most aggressive and successful hacker group of recent years. It began operating in Russia in 2016, attacking banks and financial institutions around the world. According to Europol, over the whole time of its activity it was able to withdraw 1 billion euros from the accounts of its victims. In their work they used Cobalt Strike, a completely legal penetration testing tool. Having gained access to computers, they could control even those machines that were not connected to the Internet. It was not like the actions of the other criminal groups we had encountered. Members of the Cobalt group constantly changed the locations of their attacks and tested new tools, and for almost 2 years remained elusive to security specialists and law enforcement agencies. The leader of the group was arrested only this spring in Alicante, Spain. He is now awaiting trial.

[Figure: injected payload code providing VNC access]

An investigation is a long process. The longest cases are usually associated with large criminal groups that carry out targeted attacks and steal money through Internet banking or the mobile applications of financial organizations. They pay great attention to hiding their identity: they use chains of several servers to access resources, they use encryption, and they constantly rewrite their attack programs in order to bypass antivirus software and perimeter protection systems. Such people are not found from a single incident. Only in a few cases is material collected that can be worked with, and even then the search takes a long time. It takes half a year (and sometimes more) to understand who is behind the crime, and usually more than a year is still needed to gather evidence for detention and search.

But it also happens the other way around. The fastest investigation lasted only one day. We were informed that attackers had gained access to the bank's servers. We arrived on site and spent several hours figuring it out until we realized that one of the departments had ordered a penetration test that the others did not know about. Such tests are done to evaluate the protection of the company's infrastructure. Usually management knows about them and checks how the team handles the situation.

Sometimes at work we run into a wall, but in my experience there is a door in it. Such cases do not let go: you come home and in your free time you look for a way out of the situation and think about how to unravel the matter.

In my experience there was an examination in which it was necessary to prove that the attacker was indeed involved in the incident, because the mere presence of a malicious program on the computer is not enough to initiate a criminal case. The defense of suspects uses this, building its position on the principle that the program was not running on the computer or that the suspect did not connect to it during the incident. In this case, the logs of the program providing remote access were stored in encrypted form on the victim's computer for some time, then sent to the attacker's server and deleted.

It took me a few days to figure out how to solve the problem: restore the program's operation logs from the free area of the file system before encryption (fragments of RAM). I was lucky that the moment of the incident had not been overwritten. This allowed me to prove that during the embezzlement of the money the attacker was connected to the computer in parallel with the victim.
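The recovery described above, carving plaintext log remnants out of the free area of a disk and using them to show that a remote session overlapped the theft, is the kind of work a forensic analyst scripts. The following is an added example and not code from the article, from Group-IB or from any real remote-access product: the log line format, the IP addresses, the incident window and the "disk image" are all constructed here. It scans only the region the analyst has established as unallocated (so a hit cannot come from a live file), rebuilds CONNECT/DISCONNECT pairs into sessions, tolerates a torn line and a missing DISCONNECT, and reports which peers were connected during a given window.

```python
"""
Carve remote-access log lines from the unallocated area of a raw disk image,
then check whether a remote session overlapped the incident window.

Added example (not code from the article or from Group-IB). The log format,
the addresses and the image below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Hypothetical log format used by the constructed sample:
#   "YYYY-MM-DD HH:MM:SS CONNECT|DISCONNECT <peer IPv4>"
LOG_LINE = re.compile(
    rb"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (CONNECT|DISCONNECT) (\d{1,3}(?:\.\d{1,3}){3})"
)

UNALLOCATED_START = 1024  # constructed: everything from this offset is free space


def build_sample_image() -> bytes:
    """Constructed 3 KiB 'raw image': allocated file data followed by free space
    that still holds remnants of a deleted remote-access log."""
    allocated = (b"PLAINFILE" * 100).ljust(UNALLOCATED_START, b"\x00")
    intact = (b"2018-03-14 10:02:17 CONNECT 203.0.113.45\n"
              b"2018-03-14 10:41:03 DISCONNECT 203.0.113.45\n")
    overwritten = b"\x00" * 64 + b"\xff\xfe garbage \x00"
    torn_head = b"2018-03-14 13:"                     # cut off by a later write: ignored
    torn_tail = b"15 22:30:00 CONNECT 198.51.100.7\n"  # timestamp lost: ignored
    free = intact + overwritten + torn_head + b"\x00" * 10 + torn_tail
    return allocated + free.ljust(2048, b"\x00")


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "CONNECT" or "DISCONNECT"
    peer: str
    offset: int    # byte offset in the image, kept for the report


def carve_events(image: bytes, unallocated_start: int = UNALLOCATED_START) -> List[Event]:
    """Scan only the free area: a match there cannot come from a live file.
    Only complete lines (full timestamp, kind and address) are accepted."""
    events = []
    for m in LOG_LINE.finditer(image, unallocated_start):
        ts = datetime.strptime(m.group(1).decode("ascii"), "%Y-%m-%d %H:%M:%S")
        events.append(Event(ts, m.group(2).decode("ascii"),
                            m.group(3).decode("ascii"), m.start()))
    return sorted(events, key=lambda e: (e.ts, e.offset))


Session = Tuple[str, datetime, Optional[datetime]]  # peer, start, end (None = never closed)


def pair_sessions(events: List[Event]) -> List[Session]:
    """Pair each CONNECT with the next DISCONNECT from the same peer."""
    open_by_peer = {}
    sessions = []
    for e in events:
        if e.kind == "CONNECT":
            open_by_peer[e.peer] = e.ts
        elif e.peer in open_by_peer:
            sessions.append((e.peer, open_by_peer.pop(e.peer), e.ts))
    # A CONNECT whose DISCONNECT was overwritten is still evidence of a session
    sessions.extend((peer, start, None) for peer, start in open_by_peer.items())
    return sessions


def peers_active_during(image: bytes, window_start: str, window_end: str,
                        unallocated_start: int = UNALLOCATED_START) -> List[str]:
    """Peers whose carved session overlaps [window_start, window_end] (ISO 8601)."""
    ws = datetime.fromisoformat(window_start)
    we = datetime.fromisoformat(window_end)
    active = []
    for peer, start, end in pair_sessions(carve_events(image, unallocated_start)):
        if start <= we and (end is None or end >= ws):
            active.append(peer)
    return active


if __name__ == "__main__":
    img = build_sample_image()
    for e in carve_events(img):
        print(f"offset {e.offset:5d}: {e.ts} {e.kind} {e.peer}")
    # constructed theft window
    print("active during the theft window:",
          peers_active_during(img, "2018-03-14T10:15:00", "2018-03-14T10:20:00"))
```

On a real image the unallocated region is not a fixed offset: the analyst first extracts the free blocks with a file-system-aware tool (for example `blkls` from The Sleuth Kit, whose data structures the Carrier book covers) and then carves the result. Keeping the byte offset of every hit matters for evidentiary purposes, because each carved line must be traceable back to a location on the original drive.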

Punishment


In hacker groups roles are clearly distributed and fragmented, so no single person carries out a cybercrime from start to finish. Only the leader of the group knows the whole scheme of the crime. He hires assistants for specific tasks: set up a server, write and distribute a program, protect the malware against antiviruses. Such people may be ordinary boys who are interested in information technology, sometimes not even aware that they are participating in a criminal group.

As a rule, an anonymous person contacts someone and offers money for a certain job, along the lines of: "Can you set up a server? - I can." Most likely the organizer will not tell the performer why this server is needed.

It is another matter when a person develops a program that intercepts data. He knows it can be used for fraudulent purposes. Sometimes such programs are bought from a third party and the author is not told how the fraudsters use it: to intercept the password of a VKontakte account or bank card data. The same goes for a person who "crypts" a program against antivirus detection: he must be aware that such programs are not created for legal purposes. A person distributing such a program can already be prosecuted under Article 273 of the Criminal Code of the Russian Federation.

Russian legislation on the criminal prosecution of people who have committed cybercrimes requires further work. Previously, such offenses most often received suspended sentences, even if the hackers stole significant amounts of money. This neither frightened people nor motivated them to give up what they were doing. Since 2014 the situation has improved, after the Carberp members were sentenced to real prison terms.

Career


To get a job in computer forensics a person must have a technical background. I graduated from MEPhI, the faculty of Information Security, at a time when forensics was not yet taught in Russia. We were taught programming languages, the basics of system administration and perimeter protection. We studied how malware works and how to overcome the protective mechanisms of operating systems.

A person with technical experience who understands how operating systems work, how a network is built, and how data is transmitted, stolen and protected will have enough knowledge to apply for a job in computer forensics, provided that he delves into the specifics of the area. There are examples in our company of people who came without a technical education; it was harder for them, because they had to master the basics first.

For those interested in forensics, I recommend reading File System Forensic Analysis (Brian Carrier), a fundamental book on how file systems work, which is important for the field. Network Forensics (Sherri Davidoff) and The Art of Memory Forensics (Michael Hale Ligh) are two more books every self-respecting forensic specialist should study. For the examination of mobile devices I recommend Practical Mobile Forensics (Oleg Skulkin).

To understand what is happening in forensics, you need to read articles and blogs about successful cases and personal experience. But one should not expect the Internet to share the secrets of catching hackers: in criminal cases the information is not made public. How people analyze data can be found on international and Russian resources: the SANS Institute blog (they also run a forensics course, publish books and write articles), Forensic Focus and Habr.

But the most interesting thing in my work is solving a "riddle": inventing non-standard approaches and thinking outside the box in order to find a gap in the intruders' tricks.

Source: https://habr.com/ru/post/412743/
