Vesta Matveeva: fighting cybercrime is a moral choice

Meet: Vesta Matveeva, information security expert at Group-IB.

Specialization: investigation of cybercrime.

What is known: Vesta regularly takes part not only in investigations, but also in the detention, interrogation and searches of members of hacker groups. For 6 years she conducted dozens of forensic examinations (technical analysis of incidents in the role of a forensic expert), after which she moved to the Group-IB Investigation Department, where she has successfully solved several cases and continues to work in this direction.


Background to this material: Vesta came to Innopolis University at the invitation of the teachers and students of the master's program Developing Secure Systems and Networks, as part of the CyberCrime and Forensics course (cybercrime and computer forensics). She gave a lecture on how cybercrime is globalizing, what tactics and tools are used to attack financial and industrial organizations, and what methods are used to search for the intruders. The Innopolis public relations department met with Vesta and asked her many questions. The most interesting answers are included in this material in the form of quotes.

My work is not just a choice in favor of an employer; it is rather a moral choice that corresponds to my life values and lifestyle. We face a global goal: we fight cybercrime, helping businesses and individual users who have become victims of cyber attacks to find those behind them and bring the attackers to the dock. We deal with such incidents every day; we know how an attacker thinks, what methods he uses, what tactics he chooses and what tools he uses for hacking. The scale of the consequences of an attack depends on the quality of our work. My colleagues and I spend a lot of time at work: we research, study, learn, read and share experience.

Continuous self-study, improvement of tools and keeping knowledge current: this is the only right way to be able to confront criminals and investigate even the most complex computer crimes.

Forensics is a sprint, and investigations are a marathon. Specialists of the Group-IB Computer Forensics Lab respond to information security incidents as they happen in real time: they often have to go quickly to the scene, restore the chronology of the attack and look for compromised data. Often the working day is irregular: during an incident you cannot drop everything and go home just because working hours are over. Attackers have no work schedule or days off, and inaction on our part can be fatal for the affected company. The scheme of work within operational-search measures is similar, for example when we take part in a search and examine information from drives, images and servers from a technical point of view. Everything is brought to completion: if we need to work a day, we work a day; if several days, then several. But the rest of the time, when there is no need to “save” a hypothetical bank, we examine data, perform examinations and work as usual, like all normal people. Well, or almost.

Having worked in the Group-IB computer forensics lab for 6 years, I wanted to try myself in investigations. This work has another specificity: more analytics and a bigger task. The purpose of an investigation is to identify the criminal group behind the attack and its infrastructure. Because of the possibility of anonymity on the Internet, computer crimes are not investigated quickly. It happens that we are delayed when it is necessary to help the injured party promptly. For example, a child has run away from home, and parents or law enforcement agencies ask us to analyze his activity on social networks and forums in order to understand whom he communicated with, who may know about the escape and where he may be at the moment. Another example: a powerful DDoS attack on some resource associated with e-commerce. An hour of downtime of such a site can cost the company hundreds of thousands, and sometimes millions, of rubles. We are required to quickly establish the sources of the attack and block it.

An investigation is a long process. The longest cases are usually associated with large criminal groups that engage in targeted attacks and theft of money through Internet banking or the mobile applications of financial organizations. They pay great attention to hiding their identity: they use several chains of servers to access resources, use encryption, and constantly rewrite their attack programs. Such people are not found from a single incident. Only in a few cases is material collected that can be worked with, but even then the search takes a long time. Understanding who is behind a crime usually takes about six months (sometimes longer), and a long time (usually years) is necessary to gather an evidence base for detention and search.

[Image: The detention of members of the Cron hacker criminal group, the result of joint work of the Ministry of Internal Affairs and Group-IB.]

The fastest investigation lasted one day. We were informed that attackers had gained access to the bank's servers. We went to the site and spent a few hours figuring it out until we realized that a penetration test was being conducted at the bank. Such tests are done to evaluate the protection of the company's infrastructure. Usually management knows about them and checks how the team handles the situation. After that it was not difficult to understand that it was this audit that had caused them to turn to us.

Each investigation is unique. It ranges from technical aspects, when we try to understand the services used and identify the tools in order to assess the attacker's technical level, to hooks such as IP addresses, phone numbers, e-mail, and analysis of social networks, forums and advertisements on public and hidden hacker resources on the darknet. There is no template by which to open a case. It is always analysis of a large number of information sources. For example, in incidents involving malware, you need to understand how it works, where it connects to, who registered those servers, and who distributed the program and how (infected the devices).

The basic approaches in our work do not change, but the tools and what we examine are changing. The same data in operating systems varies from version to version: structure, format, approaches. For example, where everyone used to use ICQ, whose correspondence was stored in clear text and could be accessed during examination of the disk, now many instant messengers use encryption. This greatly complicates obtaining so-called “digital evidence”.

Sometimes at work we hit a wall, but in my experience there is a door in it. There are requests whose solution is not obvious because of their technical features. Such cases do not let you go: you come home and in your free time you look for a way out of the situation and think about how to unravel the matter.

In my experience there was an examination in which it was necessary to prove that the attacker was indeed involved in the incident, because the mere presence of a malicious program on a computer is not enough to initiate a criminal case. The defense of suspects uses this, building a position on the principle that the program did not run on the computer or that the suspect did not connect to it during the incident. In this case, the logs of the program providing remote access were stored for some time on the victim's computer in encrypted form, and then sent to the attacker's server and deleted.
It took me a few days to figure out how to solve the problem: restore the program's operation logs, as they were before encryption, from the free area of the file system (fragments of RAM). I was lucky that the moment of the incident had not been overwritten. This allowed me to prove that at the time the money was embezzled, the attacker was connected to the computer in parallel with the victim.
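The technique described above, carving plaintext log remnants out of unallocated space and lining them up against the moment of the transfer, as an added example that is not part of the interview and not Group-IB's tooling. The log format, the remote address (203.0.113.45, a documentation range) and the bytes standing in for unallocated clusters are all constructed for illustration; a real remote-access tool will have its own layout and the regular expression would be written from a known-good sample of its log.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Hypothetical plaintext log line of a remote-access tool (an assumption for this
# example; the interview does not name the tool or its log layout).
LOG_RE = re.compile(
    rb"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    rb"(SESSION_START|SESSION_END) "
    rb"remote=(\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed stand-in for unallocated clusters: unrelated filler bytes with a few
# intact plaintext log lines, written out of order, and one torn line whose tail
# was overwritten and therefore cannot be recovered.
_FILLER = bytes(range(256)) * 8

CONSTRUCTED_UNALLOCATED_SPACE = b"".join([
    _FILLER,
    b"2017-03-14 10:41:37 SESSION_END remote=203.0.113.45\n",    # END lies before its START on disk
    _FILLER,
    b"2017-03-12 09:1",                                         # torn record: must not be reported
    _FILLER,
    b"2017-03-14 10:02:11 SESSION_START remote=203.0.113.45\n",
    _FILLER,
    b"2017-03-13 22:20:48 SESSION_END remote=203.0.113.45\n",
    _FILLER,
    b"2017-03-13 22:15:03 SESSION_START remote=203.0.113.45\n",
    _FILLER,
])


def parse_ts(text: str) -> datetime:
    """Parse the log's timestamp format into a datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def carve_log_records(image: bytes) -> List[Dict]:
    """Scan raw bytes for intact log lines and return them in chronological order.

    Each record keeps its byte offset so that a finding can be cited back to the image;
    torn lines that no longer match the full pattern are simply not recovered.
    """
    records = []
    for m in LOG_RE.finditer(image):
        records.append({
            "offset": m.start(),
            "time": parse_ts(m.group(1).decode("ascii")),
            "event": m.group(2).decode("ascii"),
            "remote": m.group(3).decode("ascii"),
        })
    records.sort(key=lambda r: (r["time"], r["offset"]))
    return records


def sessions_from_records(records: List[Dict]) -> List[Tuple[str, datetime, Optional[datetime]]]:
    """Pair START/END events per remote address into (remote, start, end) sessions.

    A START without a matching END (the END was overwritten or never logged) yields
    end=None and is treated as still open rather than silently dropped.
    """
    open_sessions: Dict[str, datetime] = {}
    sessions: List[Tuple[str, datetime, Optional[datetime]]] = []
    for r in records:
        if r["event"] == "SESSION_START":
            open_sessions[r["remote"]] = r["time"]
        elif r["event"] == "SESSION_END" and r["remote"] in open_sessions:
            sessions.append((r["remote"], open_sessions.pop(r["remote"]), r["time"]))
    for remote, start in open_sessions.items():
        sessions.append((remote, start, None))
    return sessions


def sessions_active_at(sessions, moment: datetime):
    """Return the sessions that were open at the given moment (e.g. the time of the transfer)."""
    return [s for s in sessions if s[1] <= moment and (s[2] is None or moment <= s[2])]


if __name__ == "__main__":
    recs = carve_log_records(CONSTRUCTED_UNALLOCATED_SPACE)
    for r in recs:
        print(f"offset={r['offset']:6d} {r['time']} {r['event']} {r['remote']}")
    transfer_time = parse_ts("2017-03-14 10:30:00")  # constructed time of the disputed transfer
    for remote, start, end in sessions_active_at(sessions_from_records(recs), transfer_time):
        print(f"remote session from {remote} was open at {transfer_time}: {start} -> {end}")
```

The offsets are kept on purpose: in a report, each recovered line is cited by where it was found in the image, and the fact that records are sorted by timestamp rather than disk position is what turns scattered fragments into a timeline.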

“Hacker” is a collective image. Speaking of crimes, this term is used for simplicity, but in fact it is the name for all professionals who know how to bypass computer security systems. The most serious criminals in this area are divided into several categories:

Financially motivated hackers. Their goal is money. They steal Internet banking access details or payment card data, or attack the servers of organizations where payment transactions are carried out;

Pro-state hackers. These people conduct surveillance in industrial and financial organizations; they often go unnoticed and steal documentation, correspondence, secrets and technologies. It is believed that states stand behind such groups: Lazarus Group, Equation Group, Black Energy, Fancy Bear. There are cases when such groups conducted surveillance at energy enterprises, trying to gain access to equipment control.

In 2010, the Equation Group infected computers in Iran to prevent the production of nuclear weapons. It was the first known case of an industrial attack, when attackers gained access to Siemens equipment and influenced the technological process. Energetic Bear and Black Energy are two other groups working in the field of attacks on industrial facilities. The latter created the Industroyer tool, which allows controlling the protocols by which the equipment communicates and sending commands to it. Their loud “achievement” is the blackout in Ukraine, when in some regions of the country they cut off electricity for 75 minutes.

The largest theft from a Russian bank in whose investigation I participated as a technical specialist was 700 million rubles. First, the money goes to pay all parts of the criminal group and to the provision and support of services and infrastructure. The rest the key group members spend on ensuring their safety and sometimes on luxury items: cars, yachts, apartments. The leader of the group is always aware of the risks of what he does; he knows that they can come to him with a search at any moment, so I think he does not have a feeling of complete security.

The challenges are interesting. There are intruders who work carefully on the technical implementation of thefts. They take into account how they will be looked for and how the attack mechanism works, changing their methods of penetration. Such cases are very interesting to specialists.

One case occurred in a bank from which money was stolen. At first glance it was the usual story: gaining access to the AWS CBR (the automated workstation of a Bank of Russia client). This scheme has been used by several groups since 2013. The peculiarity of this case was that the attackers had access to every computer within the organization, including branches. To do this, they launched a computer worm on a single computer on the network, which worked exclusively in the computer's RAM, what is now fashionable to call fileless (a bodiless program). In other words, they set up a controlled botnet inside the bank. As long as at least one infected computer is turned on, it will infect the company's machines again and again.

There was a logical question: how to clean the network? Having tried technical methods, we realized that the best solution in this situation was to turn off all computers at once in all branches of the bank, to which the bank agreed. Thus we cleared the RAM, and there was no worm in autostart. It was a unique event in scale. In a normal situation, we would never have been able to turn off all the company's servers at once.

[Image: A fragment of the worm as transmitted in network traffic at the moment of infection]

All hackers make mistakes. You just need to wait for that moment. The case of the Cobalt group, the most aggressive and successful hacker group of recent years, I consider one of the most interesting during my work. It began operating in Russia in 2016, attacking banks and financial institutions around the world and stealing huge amounts of money. According to Europol, over the whole time of its operation it managed to withdraw about 1 billion euros from the accounts of its victims. Cobalt is an example of targeted attacks. In their work they used a completely legal penetration testing tool, Cobalt Strike. An interesting feature of the payload that the attackers deployed when they gained access to a computer in an organization was the ability to control computers on the network, even those not connected to the Internet. It was not like the actions of the other criminal groups we had encountered. Cobalt constantly changed the locations of their attacks and tested new tools, and for almost 2 years they eluded cyber forensic experts and law enforcement. The Cobalt leader was arrested this spring in the Spanish city of Alicante. Now he is awaiting trial.

[Image: Injected payload code providing VNC access]

In searches and in the detention of a suspect, surprise is important. Hackers are often technically well-versed, and if you do not catch them by surprise, they manage to activate data protection on their devices (for example, encryption), which can be difficult to circumvent, or, conversely, try to destroy data. Usually the detention happens early, before the person has had time to leave home, at 6-7 am, or, on the contrary, when he has definitely woken up and turned on the computer, depending on the specifics of his work. If the search is carried out at a company, the operative group arrives when the office opens. Detention methods depend on the law enforcement agencies: in business centers, officers sometimes only need to show a service ID in order to be let in to a certain company. Detaining an individual is a more complicated procedure, because the suspect must be made to open the door, for example by introducing oneself as a courier. In some cases, to avoid the destruction of data, they enter the apartment more radically: from the roof on cables, breaking the windows.

Only the leader of a hacker group knows the whole scheme of the upcoming crime. In hacker groups, roles are clearly distributed and fragmented, so no single person conducts a cybercrime from start to finish. The leader of the group hires performers of certain tasks: set up a server, write and distribute a program, protect malicious software from antiviruses. Such people may be ordinary boys who are interested in information technology and are sometimes not even aware that they are participating in a criminal group.

As a rule, an anonymous person contacts someone and offers money for certain work on the principle: “Can you set up a server? Yes, I can.” Most likely, the organizer will not tell the performer what this server is for.

It is another matter when a person develops a program that intercepts data and knows that it can be used for fraudulent purposes. Sometimes such programs are bought from a third party and the author is not told how fraudsters use it: to intercept the password for a VKontakte account or bank card data. The same story applies to a person who “crypts” a program against antivirus: he must be aware that such programs are not created for legal purposes. A person distributing a malicious program can already be prosecuted under Article 273 of the Criminal Code of the Russian Federation.

In Russia, legislation on the criminal prosecution of people who have committed cybercrimes needs further work. Previously, such offenses most often received suspended sentences, even if the hackers stole significant amounts of money. This did not frighten people or motivate them to give up what they were doing. Since 2014 the situation has improved, after the members of the Carberp group were sentenced to real prison terms.

A career in cybercrime or computer crime investigation is a self-taught career. In order to get a job in computer forensics, a person must have a technical background. I graduated from MEPhI, the faculty of Information Security, when forensic science was not yet taught in Russia. We were taught the basics of system administration, perimeter protection, security tools and their principles of operation. We also studied programming languages, how malware works, and how to overcome the protective mechanisms of operating systems.

A person with technical experience, who understands how operating systems work, how a network is built, and how data is transmitted, stolen and protected, will have enough knowledge to apply for a job in computer forensics, provided that he delves into the specifics of the area. There are examples in our company of people who came without a technical education; it was more difficult for them, because they had to master basic knowledge first.

For those interested in forensics, I advise reading File System Forensic Analysis (Brian Carrier), a basic book on the operation of file systems, which is important for the field. Network Forensics (Sherri Davidoff) and The Art of Memory Forensics (Michael Hale Ligh) are two more books that every self-respecting forensic scientist must study in order to participate in the investigation of modern cybercrime. For the examination of mobile devices I can advise Practical Mobile Forensics (Oleg Skulkin).

Resources mentioned: SANS Institute, ForensicFocus.


Source: https://habr.com/ru/post/412895/
