I could be one of the best villains of the cyber world – cybercrime fighter
Technology is turning the criminals of today into computer geeks, with cybercrime becoming easier to commit. How dangerous can digital crime get? We ask Ilya Sachkov, cybercrime fighter and head of the cybersecurity firm Group-IB.
Sophie Shevardnadze: Ilya Sachkov, cybercrime fighter, head of the cybersecurity firm Group-IB, welcome to the show. It’s great to have you with us.
Ilya Sachkov: Thank you, Sophie.
SS: Crime, like everything else in our lives, is slowly moving into the cyber realm. You’ve been fighting it for years already. How big is cybercrime globally, can you compare it to illicit drug trade or arms trade? Is it still a small-scale scene or is it huge like that?
IS: Simple numbers: in 2015 the amount of cybercrime money was a trillion dollars. And if we look at the classic crime like drug dealing it’s just billions. So it’s already a huge difference in terms of money.
SS: So cybercrime is actually bigger than arms trade and drug trade?
IS: Yes, it’s bigger than arms and drugs.
SS: Is virtually everyone at risk of a cybercrime right now? Is there such a thing as a petty cybercrime - aimed at average Joes - and there’s the big-scale industrial crime?
IS: There are people who can tell you: “I’m not an aim for cybercriminals, why would they need me?!” But if you have any device, if you have a plastic card you are in the risk zone because there are two simple things that cybercriminals can do to you: steal your money and steal your information. Also they can destroy your reputation, for example, if you have some confidential information on your device. So everyone is in the risk zone, first of all, because of the smartphones. Children and all other people use smartphones, they don’t really understand the rules of cybersecurity, and, of course, they are victims.
SS: Yeah, but agree with me that there’s a difference if you hack into the National Bank of America and empty its accounts of billions and trillions of dollars, and then you hack into an account of a person who has ten dollars on his account... And which crime are you most interested in - big-scale or small-scale?
IS: All of them. There are different specialisations of cybercriminal groups. Some of them do little things once a year but very big-scale in terms of money. And there are groups which are interested in a lot of little cybercriminal actions against ordinary people, for example, carding, phishing and many others. So we are interested in destroying the group legally. The idea is that we work against cybercriminal groups and it doesn’t matter what kind of cybercrime they do.
SS: So you’re not only someone who protects from cybercrime, you also investigate, find cybercriminals and hand them over to the police. Why such perseverance, shouldn’t this work be left to the governments? Are you a vigilante or a model of how cybersecurity will work in the future?
IS: First of all, I personally hate cybercriminals and criminals in general. I’m an engineer and I use my brain to do things that I like. As for the governments, if you meet a cybercrime in your life, if you call the police will they help you or not? Actually, not. You need someone fast who will collect digital evidence very fast, will use some good engineering tools and then will go to the police and will help to prosecute someone. So it’s not something that the government can do right now. And usually it’s a combination of private companies and the government. I don’t believe that in any country the government can solve all the issues about the cybercrime.
SS: I heard you say that organised crime is venturing into the cyber world. How does that work? I mean, is the realm of cybercrime already integrated into global mafia business, into cartels?
IS: I think, cartels understood that cybercrime is a safer thing for many reasons: it’s easy to buy some script tools; people don’t understand what cybercrime is right now; and it can be cross-border, so it’s very safe. That’s why classic cartels, for example, people from organised crime groups in Russia who in the 90s invested in the drug dealing or money laundering schemes, they all invest in cybercrime now. It’s safer, the money is bigger, and there are many talented people who could do technical work. So that’s why.
SS: Have you ever found a cybercriminal network and realised it’s connected to organised crime, with real weapons - and what do you do in that situation?
IS: I think, in the last ten years they all have been connected to organised crime.
SS: And have you actually found that?
IS: Of course, at the stage of investigation we work with the law enforcement, and there could be searches in flats, and in every case someone from the ex-law enforcement officers or some very good lawyer connected to organised crime appears close to you, and you realise: these are guys who do technical work and they are connected to people who do very bad things. So in any case, if we speak about a huge hacker group, without the protection… For example, a very simple and popular crime right now is internet banking theft. So if you have an internet account you can lose your money. So the hacker’s aim is to inject a virus into your device. It’s a technical thing, it could be easy or difficult. But after that the hacker needs to transfer the money to another account for a cash-out. This is the specialisation of organised crime - money laundering and other schemes.
SS: If you go after criminals in cyberspace, does that ever translate into your real life? Have you ever encountered a criminal in front of your porch, saying: “What’s up?!”?
IS: We had two cases of real danger. One of them involved someone showing up in our office with a real weapon, and another one involved someone destroying the car of one of our employees. In terms of investigation this is a very stupid action because it helped to trace them. And in terms of law enforcement, if someone does something like that in a combination with a cybercrime, it’s easy to prosecute them because people in courts are more aggressive to those committing a real crime.
SS: So is this like a warning to the cybercriminals: if you don’t want to be caught don’t get physical in the real world?
IS: Yes. And it’s bad for the law system, but we have many cases when we understand that we couldn’t use the law system to prosecute someone, and we try to find something in the physical world, like, illegal business operations, tax violations, or in some cases we found child pornography and many other bad things.
SS: Talking about different laws and how it helps or doesn’t help the cybercrime, before that, I know that you are very in demand not only in Russia, but also abroad because you know how Russian hackers work. Are they all the rage right now, are Russian hackers number one in the cybercrime world?
IS: I think, the proper word would be “Russian-speaking” because “Russian” doesn’t mean “Russian citizen” here. Russian-speaking hackers are number one right now.
SS: They could also be Belarusian or Ukrainian…
IS: There are many reasons for that. According to the Europol statistics 15 out of 20 viruses, sophisticated viruses, came from the Russian-speaking segment. All trojans for smartphones with Android operating system came from Russian-speaking hackers. There are many reasons for that. But the first reason is that after the Soviet Union collapsed many talented people with good education couldn’t find a good job, they needed money to feed families, that’s why they chose to do something grey. Many people don’t really believe that they do something bad. They think it’s like a game. That’s why the first hackers in the world came from post-Soviet countries. After that, hacking for Russian-speaking countries is like champagne for France.
SS: What are the differences between cybercriminals of different nationalities? Can you give me examples, do they all have a different style, how does it manifest itself?
IS: Some of them are creators who develop new schemes of cybercrime: new viruses, new types of victims. For example, Russian-speaking hackers are creators. And others, like, Chinese or U.S. hackers, they usually use what creators have created, and in some cases they do it better than creators. So there are creators and those who use what’s already been created.
SS: So there are two types of cybercriminals?
IS: I think, yes.
SS: That’s not very diverse.
IS: There are many technical professions, but generally there are many groups that are international right now. We know a lot of groups of Russian, U.S. and Chinese hackers.
SS: The American hackers?
IS: Yes, of course. Like criminals - do you know any nation without criminals? So, of course, there are many...
SS: No, I don’t. But I mean, there are stereotypes, like, Latin Americans are all about drugs, Africans are about diamonds and arms… Do they have stereotypes in the cybercrime world?
IS: No, there are a lot of nations within the United States, and Americans too - we know a lot of good hackers from them, white hackers and black hackers. White hackers are good, they work for cybersecurity companies, and black hackers commit crimes. For example, there’s a huge conference Black Hat in the United States. And if you look at the programme of the conference, there are many U.S. names in it.
SS: So the perception of cybercrime, of hackers, is still somewhat romanticised, we see them as geeks, little geniuses, or anti-system warriors, is it really like that? I mean, you’ve said yourself, people who left the Soviet Union were super smart, they couldn’t find jobs here in Soviet Union to provide for their families...
IS: Twenty years ago there were many people like these, geeks and anti-system warriors, people who were just interested in technical issues. But right now, if someone steals money from your internet bank account, is there a connection with some anti-system action? I think, no, it’s just a crime because they would like to steal money. Few of them are still geeks, creators, but usually they are in the bad circle of connections, someone bad uses their brains. Most of them are just the new generation of the criminals.
SS: You know your way in the digital world - you know how to build a defence, you know how to hack, you know all the things that hackers do… You, guys, are kind of similar…
IS: Technically yes. But there’s a huge difference in our brain and soul. For us there are two ways of hacking: for white things, to protect people, to help people, and for bad things, when you do something that affects people from the black side. As for my team, it’s very hard to find people with white brains. But there’s a huge difference between us. I don’t think that someone from our team can do something bad. Technically...
SS: See, I always wondered where’s this fine line? You know, they say, there’s one step between love and hate, and you can be working in police and then go rogue. I’m sure, that happens in your world too. The temptations and the money in hacking and cybercrime are probably bigger than in investigating, no? I would imagine.
SS: So you were never tempted to cross that line? I don’t know, maybe you’re super morally stable, but does that happen? Do people from your side cross the borderline?
IS: I know companies which do not invest in internal security. And we know a lot of cases when people from cybersecurity companies started to do something bad after two or three years. That’s why we use a lot of things that people do not support: lie detectors, biological lie detectors, scoring systems, we talk with parents, we talk with teachers to decrease the level of risks. I agree that there’s a possibility that someone in our team in some situation can cross the line. That’s why I need to do a lot of control things. That’s why in this uneasy geopolitical situation we still have clients from very unfriendly countries, like, the United States, because they know that we do everything we can to protect our clients from this situation.
SS: What do you mean by “unfriendly countries” in terms of cyberspace? What does that mean?
IS: You know that one Russian cybersecurity company was listed in the sanctions list. Kaspersky Lab lost the U.S. and European markets because some countries are afraid of Russian cybersecurity companies. For us, engineers, this is an unfriendly act.
SS: Ok, back to crossing the line, have you personally ever thought “damn, I’d be so good at cybercrime, I could be so much better than these guys”?
IS: Well, sometimes I think if I could be a Moriarty of the cyber world I would be one of the best. But I would never, I’d prefer to die than do something bad with my brain.
SS: I admire you for such a strong stance! Are governments keeping pace with cybercrime? Do you feel like they’re on top of all these super advanced cybercriminals now? I mean, the FBI surely has its own team to crack cybercrime, but are they on top of things?
IS: Every country has something like the FBI has - a digital crimes unit. But it’s a huge HR problem for the government. To fight with cybercriminals on the government level you need very talented people who would like to work for the government with all old-style rules, like working in office, dress code, travel limitations (for example, in Russia, those who work for police or special forces can lose the ability to travel outside of Russia). Why should a young and talented professional choose to work for a government? That’s why governments do a lot of things to fight cybercriminals, but the main problem for them is that they cannot find talented people.
SS: Do you feel like you have the upper hand in this field? Can private companies like yours take over the cybersecurity field?
IS: I think, in any kind of business private companies are now faster than the government. In space, in the internet, in cybersecurity, in car development business, in science private companies can create a proper environment for talented people, and they would be faster than any government. The government has power, law and lobby and other things, but without talented people it’s nothing, it’s zero.
SS: So you have said that there are signals that can be detected before cybercrime is committed - can you predict where and when the next attack is going to be?
IS: We started building cybersecurity tools in the second wave of our company’s history. Our first ten years were only investigation business. So we know how hackers hack into companies. And the paradox of our business is that our clients for investigation in the first ten years were very big companies with different cybersecurity issues, and they detected crimes on the final stage when someone is already in your network. And thanks to our investigation knowledge we found out that there are many preparation steps. You can write special algorithms, set up some honeypots in the internet and collect this data, a lot of big data, and you can understand that this is preparation for the phishing site, for example, and you can detect it on the first step, not on the last. For any crime, popular and dangerous crimes, we have such algorithms to predict them at the stage of preparation.
SS: Most of us don’t fully comprehend the real threat from cybercriminals because, yes, we talk about this, you’re here explaining to me how this all works, but it’s still in parallel reality until your bank account is empty one day. We all know, for instance, that if you leave your things unattended they will get stolen. When will we realise and fully understand the extent and the danger of cybercrime?
IS: Our generation usually believes in this when we meet cybercrime.
SS: So every one of us has to encounter cybercrime in our lives in order to believe it?
IS: Or a friend of ours, our families or business.
SS: It doesn’t work like that with real crime: you don’t need to be killed, or someone in your family doesn’t need to be killed to believe cybercrime?
IS: That’s because cybercrime is something new for the society. Cybercrime only exists for twenty years, and killing and robbery have been in our society for hundreds and thousands of years. For example, with the last year’s free waves of ransomware attacks like Bad Rabbit, WannaCry there were so many companies that lost information in networks for weeks. But this is a very simple thing and a lot of researchers wrote so many articles on ransomware: how simple it is, that there’s a very high probability of them happening etc. The companies only believe it when they meet ransomware in their network. If governments, like in the United States, run educational programmes for children not about information technologies but about cybercrime and personal cyber protection the new generation will be more aware of this.
SS: Thank you very much for this interview, for this wonderful insight into the world of cybercrime. We wish you all the best of luck with all your future endeavors. That’s it. We were talking to Ilya Sachkov, cybercrime fighter and head of the cybersecurity firm Group-IB, discussing what these evil cyber geniuses are like, threats they pose to us and what is being done to rein them in.