2024/09/20 14:37:38

Cybercrime and cyber conflicts: Russia

Main article: Crime in Russia

State policy in the field of international cybersecurity

Main article: Russia's policy in the field of international cybersecurity

Russian IT Security Organizations

Key information technology security organizations in Russia are:

Interagency Team to Fight Cybercrime

On September 10, 2020, it became known about the creation by the Prosecutor General's Office of the Russian Federation of an interdepartmental working group to combat cybercrime. In addition to prosecutors, it included representatives of the Ministry of Foreign Affairs, the Ministry of Internal Affairs, the FSB, the Investigative Committee and the Ministry of Justice of Russia. Read more here.

Cyber wars

Russia is forced to take measures to deter other countries in cyberspace and thus becomes involved in cyber wars. Its key opponents in this area are traditionally the United States and Britain:

On February 25, 2022, information appeared that the Ukrainian Ministry of Defense had turned to hackers for help in the confrontation with Russia. The messages sent by the Ukrainian military invite recipients to take part in the cyber war, on the side of Ukraine:

Cyber military of the Russian Federation

Main article: Cyber military of the Russian Federation

Security of critical information infrastructure of the Russian Federation

Main article: Security of critical information infrastructure of the Russian Federation

Number of cyber attacks

Main article: The number of cyber attacks in Russia and in the world

System for detecting, preventing and eliminating the consequences of computer attacks

Main article: State system for detecting, preventing and eliminating the consequences of computer attacks

Number of cybercrimes

Main article: The number of cybercrimes in Russia

Hackers in Russia

Main article: Russian hackers

What hackers in Russia are like and how their fates unfold.

2024

Russians' smartphones are being mass-infected by a virus that simulates bank notifications and locks the screen

On September 30, 2024, it became known that the smartphones of Russians were being massively infected with a virus that simulates push notifications from banks. After infiltrating a mobile device, this Trojan locks the screen and then shows fake debit messages. The ultimate goal of the malware's creators is to steal the victim's money.

According to the Izvestia newspaper, the cybercriminals use a mixed attack scheme that combines malware distribution and social engineering. At the first stage, a Trojan is planted on the smartphone: for example, phishing messages with a link to a malicious site may be sent. After the victim follows such a link, the virus gets onto the mobile device. An infected device appears to take on a life of its own: various applications open spontaneously, the screen scrolls by itself, and so on. In addition, push messages begin to appear, allegedly about money being debited from accounts at those banks whose applications are installed on the smartphone.

Smartphones of Russians are infected with a virus that simulates bank notifications and blocks the screen

Then the attack enters the second phase. Fraudsters call the victim on behalf of the security service of the credit institution, report a hack and offer to quickly transfer money to a "safe account." A gullible user can fall for the bait of intruders and follow their instructions. According to the Association for the Development of Financial Literacy (ARFG), the malware attacks Android devices that are not protected by antivirus.

"The scheme works regardless of how much money is in the account: push messages come in small amounts, but people are afraid that the system has been hacked and fraudsters will withdraw everything that is in the account if they are not stopped," the ARFG said.

Experts emphasize that the virus only simulates push messages from banks. In fact, no write-offs occur.[1]

The FSB detained a gang that extorted 900 thousand rubles from an IT specialist who refused to develop software for stealing money

On September 20, 2024, it became known that FSB officers in the Tyumen, Sverdlovsk and Chelyabinsk regions, as a result of joint operational-search measures, had detained a gang of extortionists who were trying to obtain 900 thousand rubles from an IT specialist who had refused to develop software for stealing money. A criminal case was initiated under sub-items "a" and "d" of part 2 of Art. 163 of the Criminal Code of the Russian Federation (extortion committed by a group of persons by prior conspiracy, on a large scale).

According to the Kommersant newspaper, citing information received from the FSB directorate for the Tyumen region, the attackers demanded that the victim develop special software to steal money from citizens' bank accounts. The IT specialist refused, after which the criminals began to extort money from him, threatening his life and health.

FSB detained a gang that extorted 900 thousand rubles from an IT specialist who refused to develop a computer virus to steal money

The suspects were reportedly detained in Moscow and in the Sverdlovsk and Chelyabinsk regions. One of them turned out to be stateless, and two are citizens of Russia. As of September 2024, the investigation is taking measures to identify other episodes of illegal activity. The attackers face up to seven years' imprisonment and a fine of 500 thousand rubles.[2]

Certification center operating in 60 regions of the Russian Federation stopped the issuance of electronic signatures due to a cyber attack

The Zosda certification center, operating in 60 regions of Russia, has suspended the issuance of electronic signatures due to a large-scale cyber attack. The attack targeted the center's Internet resources, as a result of which the company's sites were unavailable. The certification center announced this in September 2024 on its official social network pages. The incident led to a temporary suspension of the issuance of electronic signature key certificates, which affected many users, including legal entities and individual entrepreneurs. Read more here.

Hackers stepped up attacks on industry, telecom and IT companies in Russia

The 4Rays company, a member of the Solar Group, published data on August 29 from its investigations of cyber incidents in the first half of 2024. The report[3] was prepared by the incident investigation department and therefore covers only those cases in which the company was asked to investigate a computer attack. The number of requests for investigation increased by 60% over the year. The report mainly discusses the activity of hacker groups; the damage caused to Russian companies is not disclosed.

According to the published data, over the past six months there have been serious changes in the activity of hacker groups attacking targets in Russia. Whereas in the first half of 2023 85% of investigated attacks were directed against state resources, the share of state victims has now fallen to 31%, while attacks on industrial enterprises (to 22%) and on telecom and IT developers (by 10%) have grown sharply. The public sector nevertheless remains the most frequent target.

Comparison of Industry Structure of Customers 4Rays Incident Investigation

"This happens, first of all, because we began to investigate more," Gennady Sazonov, engineer of the Solar 4Rays incident investigation group, explained at the presentation of the report. "For the 1st quarter of 2024, the number of investigated incidents is already approaching the number of all investigated incidents for the whole of 2023. We have more customers, and more customers who come to us from different industries. Our reach is expanding. Over the past two years, pro-Ukrainian groups have been hacking more and more different companies; the attacks are both targeted and massive."

At the same time, the share of attacks on companies in the financial sector decreased from 5% to 3%, which is unusual. The financial sector, however, is distinguished by stricter information security requirements and an already established protection system, up to and including its own industry response center, FinCERT. Industrial companies, telecoms and IT developers, although they have financial resources attractive to hackers, pay much less attention to information security. TelCERT is only now being created, and PromCERT and ITCERT exist only as proposals; there is a suggestion to bring IT enterprises under the umbrella of TelCERT, which is being set up under the leadership of the Ministry of Digital Development.

4Rays experts also note that the composition of the attackers has changed. Whereas in the first half of 2023 more than a third of all attackers (35%) were hacktivist hooligans, in the first half of 2024 they disappeared entirely. At the same time, the share of mercenaries grew sharply, from 10% in 2023 to 44% in 2024.

By 4Rays' definition, the difference between hooligans and mercenaries is that the former use common attack tools and rarely monetize an attack, while the latter develop exclusive attack tools and are paid for results. In effect, this means that hooligans and hacktivists have retrained as cyber mercenaries who act not for ideological reasons but for money.

The shares of mass infections (from 5% to 12%) and cyber fraudsters (from 25% to 28%) also increased. Against this background, pro-government groups (that is, special services and cyber military units) have become less visible: their share fell over the year from 25% to 16%. Most likely this is due to the increased activity and effectiveness of the cyber mercenaries.

Comparison of the structure of attacking Russian enterprises

The statistics on methods of penetration into corporate systems have also changed. Whereas in the first half of 2023 more than half (54%) of attacks involved vulnerabilities in web applications, in 2024 the share of this penetration method fell to 43%, while the share of attacks using compromised credentials rose sharply from 15% to the same 43%. At the same time, phishing attacks, in which hackers trick users into clicking malicious links or launching malicious files, fell sharply from 31% to 7%.

Distribution by attack methods used, which were investigated by experts 4Rays

As Gennady Sazonov explained in answer to a TAdviser question, this is because different groups of attackers prefer the hacking techniques characteristic of them. In particular, Eastern European (read Ukrainian) groups prefer to use stolen credentials, while Asian ones resort to phishing. In his presentation Gennady Sazonov gave examples of several Eastern European groups: Lifting Zmiy, Shedding Zmiy, Moonshine Trickster, Morbid Trickster and Fairy Trickster. Only one Asian group was named: Obstinate Mogwai.

Overall, it can be assumed that the main hacker activity in Russia is associated with Eastern European groups that have switched from hacktivism to making money, not from financial institutions but by terrorizing industrial companies, telecoms and IT developers in Russia.

Chinese hackers attack Russian public sector

In early August 2024, it became known that Chinese cybercriminal groups are attacking dozens of computer systems used in Russian government agencies and IT organizations. The malicious campaign, called EastWind, is aimed primarily at stealing official information.

Kaspersky Lab reports the detection of complex targeted attacks on Russian structures. Analysis showed that for the initial infection of the victim's system, the attackers send emails with attached archives containing malicious shortcuts disguised as documents. Opening a shortcut triggers the installation of a Trojan that communicates with the cybercriminals via the Dropbox cloud storage.

Chinese hackers attack Russia's public sector

One of the tools used in the campaign is an updated version of the CloudSorcerer backdoor. The attackers improved this software by adding the ability to use the Russian social network LiveJournal as the initial command-and-control server, which provides additional masking.

In addition to CloudSorcerer, malicious modules used by the Chinese-speaking cyber groups APT27 and APT31 are implanted on the computers. These have extensive functionality: they allow the attackers to steal files, monitor on-screen activity and record keystrokes on infected devices.

"During the detected attacks, malware was used by two groups that speak the same language, Chinese. This is a sign that these groups are working together, actively sharing knowledge and tools for attacks. As practice shows, such interaction allows advanced attackers to work more efficiently," Kaspersky Lab notes.[4]
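The infection chain described above (a mailed archive whose members are Windows shortcuts dressed up as documents) is the part a defender can check mechanically at the mail gateway. The Python below is an added example written for this page, not Kaspersky Lab's code and not anything from the EastWind report: it opens a ZIP attachment in memory, flags members whose name ends in .lnk (especially document-like double extensions such as .docx.lnk), and flags members whose bytes begin with the MS-SHLLINK header regardless of their name. The archive format (ZIP), the member names and the sample contents are constructed for the demonstration; the report does not say which archive format or file names the campaign used.

```python
import io
import zipfile
from dataclasses import dataclass

# MS-SHLLINK: every shell link starts with HeaderSize 0x4C (little-endian) followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Extension lists are an editor's assumption of a reasonable gateway policy, not from the report.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt"}
SHORTCUT_EXTS = {"lnk"}


@dataclass
class Finding:
    member: str
    reason: str


def _exts(member: str) -> list[str]:
    """Lower-cased extension chain of a member name: 'Report.docx.lnk' -> ['docx', 'lnk']."""
    base = member.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_archive(data: bytes) -> list[Finding]:
    """Return one Finding per member that looks like a shortcut posing as a document."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _exts(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            has_lnk_header = head == LNK_MAGIC
            if last in SHORTCUT_EXTS:
                # Name says shortcut; a document-like inner extension is the classic disguise.
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                    reason = f"shortcut with document-like double extension (.{exts[-2]}.{last})"
                else:
                    reason = "shortcut file inside a mailed archive"
                if has_lnk_header:
                    reason += "; header confirms Windows shell link"
                findings.append(Finding(info.filename, reason))
            elif has_lnk_header:
                # Name says document (or nothing), bytes say shell link: renamed shortcut.
                findings.append(Finding(info.filename,
                                        f"Windows shell link header but extension .{last or '(none)'}"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test data (not from any real campaign): one benign document,
    one shortcut with a document-like double extension, one shortcut renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Agenda.docx", b"PK\x03\x04 placeholder office payload")
        zf.writestr("Report_2024.docx.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("scan/Invoice.pdf", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        print(f"{f.member}: {f.reason}")
```

The header check matters more than the name check: a shortcut renamed to .pdf still executes as a shortcut once Explorer reads its header, so a gateway rule keyed only on the extension misses it. On the constructed archive the function reports the double-extension member and the renamed member and stays silent on the real document.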

Russian federal network of auto services Fit Service lost 108 million rubles due to cyber attack

At the end of July 2024, it became known that the Russian federal network of Fit Service car services was subjected to a massive cyber attack. The damage from the actions of the attackers is estimated at more than 100 million rubles. Read more here

Hackers attacked the public sector and companies in Russia through hacked elevator systems

On July 8, 2024, it became known about a large-scale cyber attack on the public sector and companies in Russia, carried out through hacked elevator control systems. The hacker group Lifting Zmiy from Eastern Europe exploited vulnerabilities in SCADA system controllers to penetrate the IT infrastructure of various organizations. Read more here.

Hackers hacked the IT company "Smart Office," which implements 1C products

On May 29, 2024, it became known about a large-scale hacker attack on the Russian IT company Smart Office, specializing in server maintenance and the implementation of 1C software products. Cybercriminals hacked the company's information systems from May 24 to May 25, 2024, as a result of which numerous Smart Office customers had serious problems accessing 1C software products and working as usual. Read more here.

The presence of enemy state hackers in the networks of Russian companies was noticed

In May 2024, the information security company Solar announced the identification of the pro-state hacker group Shedding Zmiy, which attacked dozens of Russian organizations. Read more here.

RedKassa ticket service hacked: Hackers posted an invitation to Kobzon's concert on the website

At the end of April 2024, the RedKassa ticket service was hacked. Hackers involved in the cyber attack posted an invitation to the concert of Joseph Kobzon, who died back in 2018, on the website. Read more here.

All IT systems of the Agrocomplex named after N.I. Tkachev were subjected to a cyber attack. Hackers encrypted data and demand 0.5 billion rubles

On April 10, 2024, it became known that the Agrocomplex named after N. I. Tkachev, one of the largest agricultural enterprises in Russia, was subjected to a massive hacker attack. Attackers hacked into the enterprise's IT infrastructure by introducing ransomware into it. For restoring access to encrypted information, cybercriminals demand a ransom of 500 million rubles. Read more here.

Russian state and financial companies are attacked by a new cyber group Lazy Koala

In early April 2024, the information security company Positive Technologies announced the identification of a new hacker group called Lazy Koala, which attacks state and financial companies, as well as medical and educational institutions. Read more here.

"Cyber detectives" from India attacked a Russian oil and gas company

Perspective Monitoring released a report in late March called Slumdog Millionaires[5] revealing details of its investigation into one spam attack. The company's experts found that their customers began receiving emails with a malicious attachment in early 2024. According to Perspective Monitoring, the attack affected the infrastructure of a large Russian oil and gas company. Each of the emails contained the cloudsecure[.]live domain which, as the investigation established, is associated with the Indian cyber group CyberRoot.

"Basically, the attacks of this group were directed against individuals," explained Anna Khromova, system analyst at Perspective Monitoring. "They tried to find out some confidential information about them in order to further gain access to the infrastructure of the company itself."

The investigation found that CyberRoot operators posed as journalists, business leaders and media personalities to gain the trust of their victims. They studied the social network profiles of the victim's subscribers, friends and family members in order to create credible fake accounts, which they then used to extract the information needed for the attack.

The Perspective Monitoring report says that the group's main tool is phishing aimed at stealing the credentials of the victim company's executives with the help of malware. The attack culminates in spyware installed on the mobile devices of the company's management, which covertly records events on the phone and sends them to the developer's command server. The data collected with such tools is then also used to penetrate the infrastructure of the company those executives manage.

Attribution of CyberRoot communication by IP and domain structure to Appin infrastructure

However, while studying the CyberRoot infrastructure, the researchers discovered that it is part of a broader international attack infrastructure associated with the Indian spyware developer Appin. Besides the companies already named, the sphere of influence of the Indian spyware developers also includes organizations such as Rebsec, BellTrox and DarkBasin.

Appin came to public attention in November 2023, when SentinelOne, together with Reuters, published detailed reviews[6] of the activities of the company and its subsidiaries. According to the international researchers, Appin was founded in 2003 and developed spyware for private detectives from the USA, Great Britain, Switzerland and other countries. The company's toolkit, called My Commando, made it possible to hack the mail, desktops and mobile devices of victims for further exploitation. However, on December 22, 2023, both reports (the technical one from SentinelOne and the political one from Reuters) were withdrawn from publication at the request of Appin's lawyers.

Information about the Appin group had in fact first been published back in 2011, after its infrastructure was hacked by the hacker group Tigers of Indian Cyber. Its representatives claimed that Appin used students from its own training courses to create phishing pages.

History of the development of the Appin cyber group

After this public disclosure, the group announced the termination of its activities in 2012. In fact, however, this was the start of active renaming of companies and the creation of various subsidiaries within the group. Rebsec was created in 2012, and CyberRoot and BellTrox in 2013. Appin Software Security itself was renamed Approachinfinite Computer and Security Consulting Grp in 2014 and Adaptive Control Security Global Corp. in 2015. Appin Technology Pvt became Mobile Order Management private limited in 2015 and Sunkissed Organic Farms a year later.

2023

FSB cybersecurity center records changes in attacker behavior in 2023

On February 7, 2024, Alexei Ivanov, Deputy Director of the National Coordination Center for Computer Incidents (NCCCI), spoke about trends in cybersecurity in Russia over the past year.

The main factors determining the situation have not changed. First of all, there is the geopolitical situation, in which an unprecedented cyber campaign has been launched against Russia, he said. At the same time, digitalization continues at full pace in the country, and in some cases systems are introduced that have vulnerabilities from an information security standpoint. As a rule, this is because information security is not sufficiently worked out at the design stage of such systems. Dependence on foreign solutions and technologies also remains, which gives the adversary additional opportunities to carry out computer attacks. The attackers' industry is developing: new tools appear, mechanisms for cooperation are being refined, and the division of labor between various groups is deepening.

Although the main factors remain the same, there are changes in the adversary's goals. First of all, there is a noticeable decrease in the number of computer attacks aimed at creating and disseminating news reports designed to have a destructive impact on Russian society, Alexei Ivanov said.

"Without a doubt, the enemy continues to use computer attacks to promote certain information campaigns, but now we already regard this as a bonus after he gets the result for his main goals," said the deputy director of the NCCCI.

Attackers' actions on target resources have become more thoughtful

The NCCCI also observes that there are now quite effective mechanisms for organizing the interaction of various groups and individual attackers. Some search for vulnerabilities in the information resources of the Russian segment of the Internet; a second group uses the results of that scanning to carry out initial penetration; a third extracts information from the perimeter; and a fourth, based on that information, plans and carries out attacks against significant target systems of organizations.

Whatever those who obtained the information did not use for attacks themselves is posted on various sites for others to use.

The adversary's actions on target resources have also changed, says Alexei Ivanov. Whereas earlier, after gaining access to an information system, the attackers tried to announce themselves as quickly as possible by showing evidence of their access, their actions are now more deliberate: the adversary carries out additional reconnaissance of the information systems, learns their architecture, identifies key elements and attempts to spread within these systems as covertly as possible, or looks for ways to attack systems connected to them.

The NCCCI notes the extraction of information of all kinds as the main direction of the adversary's activity. It is not only data that can be directly monetized, or whose publication produces an effect, that is collected. Interest is shown in almost everything, but above all in official information and correspondence. Network architecture data, device configurations, resources, accounts and even event logs are also of interest.

Cybercriminals show the greatest interest in official information, correspondence, information

Another feature of the attackers noted by the NCCCI is their focus on causing real damage. After the data has been exfiltrated, the adversary seeks to destroy significant elements of the infrastructure, using either encryption or outright destruction.

"Unfortunately, such a comprehensive impact on the part of cybercriminals in some cases led to the irretrievable loss of data by their owners," said Alexei Ivanov.

As the NCCCI predicted at the end of 2022, throughout 2023 the number of publications about data leaks grew. Such claims are not always reliable, and sometimes their authors compile open data or previously leaked data, but even allowing for this, the amount of data leaked in 2023 is "colossal."

A change in the nature of DDoS attacks is also related to leaks: the number of active participants and the number of attacks themselves are decreasing, and a DDoS attack is now used to conceal the main goal, data theft.

Another trend of late 2023 noted by the NCCCI is the increase in the number of attacks through contractors, that is, through supply chains. This penetration vector is among the top three, alongside phishing mailings and exploitation of vulnerabilities, but it is the most dangerous, notes Alexei Ivanov: an attacker deliberately looks for companies that hold a large number of contracts to build and operate ICT infrastructure in the public sector and at critical information infrastructure (KII) facilities. Each attack on such a contractor is followed by 10 to 15 incidents in significant organizations, with serious damage.

Such attacks succeed because the contractor often takes no effective measures to protect its own infrastructure and thereby makes the attacker's job easier.

"This problem is systemic, poses a threat to the security of the state, and we, for our part, consider it possible to inform the organizations that hired the relevant integrators to provide services that they had incidents. But, of course, we count on the conscientiousness of these companies. Now it is not uncommon for them to conceal information about incidents on their side so that this does not damage their reputation," says the deputy director of the NCCCI.

In 2023, at the request of the NCCCI, the activity of about 38 thousand malicious resources was terminated, including the delegation of more than 27 thousand domain names being revoked. More than 900 new participants joined the State system for detecting, preventing and eliminating the consequences of computer attacks over the year.

The number of cyber attacks on the IT infrastructure of Russian Railways in 2 years has grown 20 times

The number of cyber attacks on the IT infrastructure of Russian Railways in January-November 2023 exceeded 600 thousand, 20 times more than in 2021. These figures were cited by Dmitry Skachkov, Director of the Digital Development Department of the Ministry of Transport, at a roundtable on the security of critical information infrastructure facilities in transport organized by the Federation Council Committee on Constitutional Legislation and State Building. Read more here.

The dark side of digitalization. How fraudsters can legally receive data to enrich leaked databases

In November 2023, a service was discovered on the dark web for checking data on phone subscribers via the Fast Payment System (SBP) [1]. A list of phone numbers is fed to the service, and the checker returns for each number the subscriber's first name and patronymic and the list of banks in which that number is registered with the SBP. This allows the leaked databases that are published and sold on the black market to be enriched. The SBP is not the only system through which attackers seek to enrich leaked information, and as more such systems are digitalized, there will be more of them. Read more here.

The most powerful hacker attack fell on the Russian public sector

In the summer of 2023, a powerful hacker attack hit the public sector. Kaspersky Lab reported on it on October 24, 2023.

According to the Russian antivirus company's experts, the attackers used phishing emails to steal data from organizations with a new backdoor. It ran a malicious NSIS (.nsi) script which, using several modules, tried to steal data from the infected device.

"Phishing emails are one of the popular ways for attackers to penetrate the infrastructure. Attackers, as in this case, seek to use plausible legends and legitimate documents and use increasingly complex tactics to hide their activities. Thus, the execution of malicious code using a .nsi script complicates the analysis of malicious activity," said Timofey Yezhov, an expert on cybersecurity at Kaspersky Lab.

As Kaspersky Lab explained, after launch the malware checks Internet access by trying to connect to legitimate web resources (foreign media). It then checks the infected device for software and tools that could detect its presence, such as sandboxes or virtual environments; if at least one is found, the backdoor stops its activity. Once all checks pass, the malware connects to the attackers' server and loads modules that steal clipboard contents, take screenshots, and find user documents with popular extensions (for example .doc, .docx, .pdf, .xls, .xlsx). All data is transferred to the command server.

In mid-August 2023, a second wave of mailings was discovered. The researchers reported that the attackers had made some changes to their tooling, but the infection chain and the loader script remained unchanged. It is unclear whether any organization was affected by these two waves of mailings.[7]

Hackers attack Russian companies with leaked virus source codes

Attackers are attacking Russian companies using leaked ransomware source code. This was announced on September 6, 2023 by the information security company Bi.Zone.

According to the experts, the source code of the Babuk, Conti and LockBit ransomware has appeared in the public domain. According to Bi.Zone's cyber intelligence, three criminal groups are actively using it today: Battle Wolf, Twelve Wolf and Shadow Wolf.

Hackers attack Russian companies with leaked source codes

The hacker group Twelve Wolf, for instance, appeared in April 2023 and has carried out at least four successful attacks. In its Telegram channel, the group reported an attack on one of the largest federal executive bodies of the Russian Federation which, according to the group, led to the leak of confidential information.

"Today, the source codes of malware published on the Web are very popular among cybercriminals. Open access to such tools lowers the threshold for entering cybercrime, making attacks much cheaper and easier to organize. Even those countries and industries that previously did not fall under the attacks of the original criminal groups are now in the crosshairs," said Oleg Skulkin, head of the Bi.Zone cyber intelligence department.

As noted in a Bi.Zone study published in early September 2023, since the beginning of 2022 splits have occurred within many criminal groups. At the same time, under the influence of geopolitical events, attention to attackers from law enforcement agencies and researchers has increased. Hacks of the infrastructure used by criminals have become more frequent, and groups publish their competitors' data online, along with information about the methods they use and their attack tooling, for example builders that allow malware to be generated.

Interior Ministry wants access to "traffic decryption"

In mid-August 2023, it became known that the Ministry of Internal Affairs of Russia had developed amendments to the law on operational-search activities. The agency proposes to expand the list of measures for documenting crimes committed using information technology.

According to the Vedomosti newspaper, the Ministry of Internal Affairs intends to add to the list of operational-search activities the examination of information contained in the technological systems used to transmit it, including on the Internet. This is meant to expand operational capabilities both in documenting criminal activity and in solving crimes already committed. In effect, this means decrypting traffic.

The Ministry of Internal Affairs proposes to expand the list of measures to document crimes using information technologies

The document of the Ministry of Internal Affairs, published on the website of draft regulatory legal acts, says that in 2022 more than 522 thousand crimes committed using information and telecommunication technologies were detected in Russia. This accounts for approximately 22% of the total number of wrongful acts. However, 71% of criminal cases brought on the facts of such crimes are suspended, since the person to be brought in as an accused has not been established. It is assumed that the new initiative will improve the statistics on the detection of such crimes.

The Ministry of Internal Affairs says that criminal acts using bank cards, the Internet, mobile communications and computer equipment are widespread in Russia. Moreover, attackers often use special means to hide their activities, for example, VPN or spoofing phone numbers.

The problem in documenting such crimes, as the authors of the initiative say, is the lack of tools that allow you to quickly, including in real time, investigate disparate computer data. These include text and video materials, as well as technical information such as the time and place of connection to IT systems, equipment, network address, etc.

Therefore, the Ministry of Internal Affairs considers it necessary to supplement the list of operational-search measures with a new type, which will make it possible to quickly examine data "in the form of electrical signals", regardless of the means of their storage and processing, in order to establish traces of a crime and record them as evidence in criminal cases.[8]

Reuters: IT systems of Russian missile developer NPO Mechanical Engineering hacked by hackers from North Korea

On August 7, 2023, it became known that hackers from North Korea had hacked into the IT systems of the Russian company NPO Mechanical Engineering. This enterprise develops, produces and modernizes high-precision strategic and tactical aviation weapon systems of the air-to-surface and air-to-air classes, unified naval weapon systems, domestic rocket and space technology and electronic equipment. Read more here.

Rostov hacker sentenced to two years in prison for attacks on the websites of banks, fuel and energy complex and telecom companies

On July 4, 2023, the Zheleznodorozhny District Court of Rostov-on-Don sentenced Russian Ivan Bayandin to two years in prison for hacker attacks on the critical information infrastructure of the Russian Federation (KII). Read more here.

Russian Railways website and application not working for three days due to hacker attack

On July 3, 2023, failures began to occur in the work of the official website and mobile application of Russian Railways. The company confirmed the problems, saying that the computer infrastructure was subjected to a hacker attack. Read more here.

The Russian satellite operator Dozor-Teleport was attacked by hackers. There are failures in its work

At the end of June 2023, the Russian satellite operator Dozor-Teleport was attacked by hackers. There are failures in its work. Read more here.

Putin allowed to confiscate property from hackers

Russian President Vladimir Putin signed a law providing for the confiscation of money and property obtained as a result of cybercrime. The document was published on the portal of legal acts on June 13, 2023.

In accordance with the document, funds received as a result of illegal activities are subject to confiscation. Confiscation is also provided for if the crime entailed major damage, or was committed out of mercenary interest, by a group of persons, or using an official position.

Russian President Vladimir Putin

The adopted law supplements the Criminal Code of the Russian Federation with a provision expanding the list of crimes in connection with which property can be confiscated. These crimes now include the creation, use and distribution of malicious computer programs; unlawful impact on the critical information infrastructure of the Russian Federation; and violation of the rules for operating means of storing, processing or transmitting protected computer information or information and telecommunication networks and terminal equipment, or of the rules for accessing information and telecommunication networks, where this led to the destruction, blocking, modification or copying of computer information and entailed grave consequences or created a threat of their occurrence.

In addition, confiscation is provided for unlawful access to computer information if the crime entailed major damage, or was committed out of mercenary interest, by a group of persons by prior conspiracy, by an organized group, or by a person using his official position. Seizure of property and money also applies where the crime committed had serious consequences or created a threat of their occurrence.

The law begins to apply from the day of publication.

Federal Law Amending Article 104 of the Criminal Code of the Russian Federation

A fraudulent scheme with decryption of audio recordings appeared in Russia

Swindlers began to deceive Russians under the pretext of making money on decoding audio files. Kaspersky Lab warned about a new type of Internet fraud in early June 2023.

The attackers created several resources at once with an identical design and contacts for communication, but different names. They offer "to do work that a computer cannot do - to recognize audio files and receive money for it." We are talking about recordings of public speeches, seminars, court hearings, interviews, lectures. Users are lured by promises of high income, career growth and a convenient schedule: tasks can be completed at any time of the day, and all a person needs is access to the Internet and knowledge of the Russian language.

To attract potential victims, the attackers post information on the site about how much platform users earn per day, allegedly about 3-4 thousand rubles on average. One of the sites stated that in four months of the service's operation almost 5 thousand people had registered and been paid a total of more than $200 thousand. The payment for a specific task is also given in foreign currency. This may be a sign that the fraudsters use the scheme not only in Russia, relying on automatic translation and changing individual elements of the sites' content.

The victim needs to register on the portal in order to supposedly start earning money on transcription. After that, the person gains access to the platform, where there are instructions and answers to popular questions. After registration, the user is indeed offered several audio recordings to transcribe and asked to send the text for verification. But when the person wants to withdraw the earnings, the service asks them to verify the account and pay 500 rubles. The person then receives no money.[9]

Adopted a law on the confiscation of property from cybercriminals

At the end of May 2023, the State Duma adopted in the third (final) reading amendments to the Criminal Code of the Russian Federation that will allow the confiscation of cybercriminals' property.

As reported on the website of the State Duma, the changes are made to Article 104.1 of the Criminal Code of the Russian Federation. In accordance with the amendments, property obtained as a result of unlawful access "to computer information protected by law will be seized if this act entailed the destruction, blocking, modification or copying of computer information, caused major damage or was committed out of mercenary interest... or created a threat of their occurrence."

The State Duma adopted amendments to the Criminal Code of the Russian Federation, which will allow the confiscation of property of cybercriminals

Also, according to the adopted document, confiscation will apply for "the creation, use and distribution of malicious computer programs; violation of the rules for the operation of means of storing, processing or transmitting protected computer information or of information and telecommunication networks and terminal equipment, as well as of the rules for accessing information and telecommunication networks, resulting in the destruction, blocking, modification or copying of computer information, if it entailed grave consequences or created a threat of their occurrence."

According to the co-author of the initiative, Chairman of the Committee on Security and Anti-Corruption Vasily Piskarev, the introduction of confiscation of property acquired by hackers will serve to restore justice and allow these funds to be used to compensate for damage to victims.

The parliamentarian previously noted that recently there has been an active penetration of crime into information technology and telecommunications, as well as an increase in fraud in the credit and financial sector. The number of victims of it, especially among the elderly, is growing.[10]

Sneaking Leprechaun hackers attacked 30 IT companies from Russia and Belarus in a year for ransom

The hacker group Sneaking Leprechaun attacked about 30 IT companies from Russia and Belarus in a year in order to obtain a ransom. In May 2023, RIA Novosti was told about this in the digital risk management company Bi.Zone. Read more here.

Half of fraudulent real estate transactions are made in Russia using Internet technologies

Half of fraudulent real estate transactions in Russia are carried out using digital technologies. Such data were cited in March 2023 by Nadezhda Korkka, managing partner of Metrium.

"In the field of real estate, the share of online fraud is slightly smaller, since there are still many face-to-face schemes, for example, the sale of housing under forged documents and transactions that deliberately infringe on the interests of incapacitated persons," she told Kommersant.

One of the most popular types of online fraud involves fake sites, namely fake pages for booking an appointment with a notary. Users land on them when looking for the address of the nearest notary office. As experts note, the fictitious sites look like one-off pages and contain information about real notaries. The fraudsters' task in this scheme is to persuade users to upload copies of their passports and documents confirming ownership of housing to the site.

Fraudsters can also gain access to documents through an account on the Public services portal by stealing the victim's electronic signature. Using it, they sell someone else's real estate, appropriating money.

In addition, fake realtors place ads on marketplaces in which they present themselves as employees of reputable real estate agencies and offer their professional services. To mislead people, they use the real addresses of well-known companies in the text but leave a personal phone number for contact. Clients who contact them, for example, for help renting out an apartment, are asked by the swindlers to make an advance payment for the upcoming work.

False sellers have a similar scheme. They ask customers to transfer the deposit through a "booking service from the site." Thus, they gain access to a bank card.[11]

How hackers hack into TV and radio channels in Russia

On the morning of February 28, 2023, the broadcast of a number of Russian TV channels and radio stations was interrupted by a fake message about an air raid alert and a request to proceed to shelters. Industry experts told Kommersant FM how hackers break into TV and radio channels.

According to Pavel Myasoyedov, director and partner of IT-Reserve, a broadcast consists of a certain number of recordings that the radio station's software pulls from storage. There are communication channels between the different elements of the software, and these individual channels may not be sufficiently protected. Attackers find so-called backdoors and use them at the right time, he said.

Hackers find backdoors and use them at the right time

"As for the latest incidents, they are primarily related to the fact that for many years the software of radio stations, and their traffic in general, was not subjected to any attacks. We know that television channels were periodically hacked over the previous decades, but this did not happen to radio," Myasoyedov said.

Attackers can gain access to radio station servers remotely via an Internet connection, but the human factor also plays a role, says cybersecurity specialist Sergei Vakulin. He suggested that the hackers replaced the file that was supposed to go on air.

The Ministry of Emergency Situations said that the servers of TV channels and radio stations had been hacked, which led to false information about an air raid alert being broadcast in some constituent entities of Russia.

Alexey Lukatsky, Internet security consultant at Positive Technologies, noted that regional media do not always have enough resources to protect against cyber attacks. To prevent such hacks, the radio station's IT staff or external specialists hired by the editorial office need to monitor the computer network around the clock and, from certain signs, detect intrusion into the network and the replacement of some files with others.[12]

Hackers hacked the IT infrastructure of the Russian manufacturer of trade automation equipment "Atol"

Hackers hacked into the IT infrastructure of the Russian trade automation equipment manufacturer Atol. This happened on January 31, 2023. Read more here.

2022

Group-IB announced an attack by Chinese hackers on Russian IT companies

On February 13, 2023, the Russian information security company Group-IB announced an attack by Chinese hackers on the Russian IT sector and described the scheme the attackers use. More here.

Telegram channels of Russians began to "steal" in a new way. Scheme

At the end of December 2022, it became known about the new scheme of "hijacking" Telegram accounts in Russia. It's about using fake contests. Read more here.

The Ministry of Digital Development warned of a massive "theft" of accounts in Telegram

In mid-December 2022, the Ministry of Digital Development warned of a massive "theft" of Telegram accounts and described the scheme used by scammers. Read more here.

Russian hackers XakNet announced the hacking of the Ministry of Finance of Ukraine

The hacker group XakNet announced an operation to hack the Ministry of Finance of Ukraine. The work was carried out for several months, Russian hackers reported on November 22, 2022 in their Telegram channel. Read more here.

Chernyshenko: The number of cyber attacks on Russia in 2022 increased by 80%

In 2022, the number of cyber attacks on Russia increased by 80%, Deputy Prime Minister Dmitry Chernyshenko said at a meeting with Russian President Vladimir Putin. According to the deputy chairman of the government, the main goal of the hackers was the public sector, the Kremlin press service said on October 24, 2022.

According to Chernyshenko, Russian specialists repelled more than 25 thousand cyber attacks on state resources and 1,200 on critical infrastructure. The Deputy Prime Minister added that the cyber forces of all unfriendly countries are fighting against Russia and this struggle will continue.

Dmitry Chernyshenko

"But it is very important that, on your instructions, cyber headquarters have been organized in all executive authorities and in all critical infrastructure. We continue to defend effectively," he said, addressing the president.

Chernyshenko noted that several information systems have already been created in Russia that will determine the future of the country's digitalization. One of them is a single biometric system, thanks to which all citizens' data will be in a secure Russian cloud and stored in a vector form, which complicates the hacking attempt.

For the second half of 2021 and the first half of 2022, almost half (46.6%) of Russian departments faced cyber attacks, and in 15% of them the attacks were multiple, follows from a study by the RANEPA Center for Training Leaders and Teams of Digital Transformation, which was carried out in May - June 2022.

Based on world statistics for the first half of 2022, public sector organizations were subjected to the largest number of attacks among all organizations (17%), says Fyodor Chunizhekov, an analyst at the Positive Technologies research group. Throughout 2021, with the exception of the fourth quarter, according to Positive Technologies, government agencies also led in the number of attacks.[13]

Muscovite received 6 years in prison for stealing 93 million rubles from banks as part of a hacker group

In October 2022, Muscovite Artem Mazurenko was sentenced to six years in prison on charges of part 2 of Art. 210 (participation in a criminal community) and part 4 of Art. 159.6 of the Criminal Code of the Russian Federation (fraud in the field of computer information committed by an organized group on an especially large scale). Read more here.

Detention of Anatoly Spirin for fakes about businessmen for ransom

Employees of the Ministry of Internal Affairs of Russia detained the owners and administrators of Telegram channels engaged in the publication of false information about high-ranking individuals and entrepreneurs, and then demanded money for their removal. This was reported in the department on October 4, 2022. Read more here.

Hackers are 4 times more likely to offer employees in Russia money for hacking systems in companies

In the first half of 2022, compared with the same period of 2021, hackers were four times more likely to offer employees in Russia money for hacking their companies' systems, Kommersant wrote on August 8, 2022, citing data from Phishman.

We are talking, for example, about services such as launching malicious code in the organization's system, which will allow remote access to it. If earlier such proposals were placed exclusively on the darknet, then from the spring of 2022 they began to appear in specialized Telegram channels, according to Phishman. The number of such offers, according to the company, at some point exceeded 200.

The number of offers to employees of Russian organizations to open access to internal data to attackers or launch malicious code is growing on the network

According to the head of Phishman Alexei Gorelkin, the cost of searching for a person's passport data by phone number in the database can vary from 2,000 to 7,000 rubles, and mobile tracking - from 80,000 rubles.

Pavel Kovalenko, director of the Informzaschita Fraud Prevention Center, confirmed the growth in demand for insiders in Russian companies and organizations. According to him, a significant increase in the number of such offers occurred in the spring of 2022, and this applies not only to the darknet but also to the public sphere. Against this background, the specific purpose of an attack plays a lesser role, since mass character comes to the fore. It is noted that the qualifications and savvy of insiders in IT companies have become less important.

Experts interviewed by the publication found it difficult to estimate the number of responses to such proposals. They explained this by the fact that coordination of actions takes place already in closed resources and chats.

Dmitry Gorbunov, partner of Rustam Kurmaev and Partners, says that by August 2022, the law is still quite soft on persons who commit illegal actions with databases, despite the fact that in recent years the damage from such actions is growing exponentially.[14]

The number of attacks on Russian mobile applications increased by 200%

In January-June 2022, the number of cyber attacks on the API of mobile applications in Russia increased by 200% compared to the same period in 2021. This was reported to Kommersant in Informzaschita at the end of July 2022.

According to RTK-Solar, which the newspaper also cites, the number of attacks on applications in the second quarter of 2022 (that is, after the start of the Russian military special operation in Ukraine) increased four to five times compared to the first quarter of 2022.

The number of cyber attacks on Russian mobile applications increased by 200%

According to Shamil Chich, an expert at the Informzaschita Center for Monitoring and Countering Computer Attacks, the increase in the number of attacks is primarily due to the removal of the applications of sanctioned Russian companies from Google Play and the App Store. They can be downloaded from the website of the company or bank, but a file built in haste may be infected with a virus. In addition, most companies build their web versions and applications on the same interface. This saves resources for development, testing and support, but threatens data security.

An attack on an application is the easiest way for an attacker to penetrate the perimeter of an organization and gain access to infrastructure, explains Daniil Chernov, director of the solar appScreen Center at RTK-Solar. Malicious interventions include stealing data or suspending service, creating fake accounts and credit card fraud. According to RTK-Solar, 90% of Russian applications were under threat, and the attack trend itself will intensify, including because organizations are not ready to use specialized means of protecting mobile applications.

Requests for analysis of mobile applications are rare compared with testing of web applications, said Alexey Chuprinin, head of Application Security at Softline. In addition, specialized API protection tools are a relatively new class of solutions, and not all companies use them.[15]

Hackers have changed tactics in Russia. They attack database servers

On July 20, 2022, it became known about the changed tactics of hacker attacks in Russia. Cybercriminals focused on attacking database servers - their share in the total number of leaks was 68%.

This was reported by Kommersant with reference to the DLBI darknet intelligence and monitoring service. The founder of the service, Ashot Hovhannisyan, explained that hackers gain access to servers by infecting the workstations of IT specialists with malware that steals passwords and session cookies, and by searching for and exploiting vulnerabilities in remote access systems as well as in content management systems (CMS) themselves.

Hackers changed tactics in Russia and began to attack database servers

Group-IB confirms the trend, specifying that in 2022 the number of unprotected databases in Russia increased by 37%, to 7.4 thousand. The reason was insufficient attention to security by developers, administrators and database architects, the presence of vulnerabilities in the products and solutions used, and incorrect configuration, explains Fyodor Chunizhekov, an analyst at the Positive Technologies research group.

"Often, database servers have a default security configuration, which can lead to data compromise," he added.

It is noted that in 2021, hacks most often occurred through vulnerabilities in content management systems (CMS) and self-written systems, open cloud storage and access to the administrative console. A significant part of the leaks was also attributable to insiders.

According to DLBI experts, as of July 2022, stolen data is used to enrich other databases and for phishing. The scale and number of hacker attacks in 2022 will only grow, according to Informzaschita. The tendency to hack databases, both physical and cloud, will continue, according to experts, due to the growth in demand and in the price of stolen databases on shadow resources.[16]

Building materials manufacturer Knauf is attacked by hackers. Delivery of goods delayed

On June 29, 2022, Knauf's computer network was attacked by hackers. The relevant information appeared on the official website of the Russian representative office of the German manufacturer of building materials. Read more here.

Russian-speaking hackers from Killnet paralyzed the work of several Lithuanian government agencies

Hackers from the Killnet group, who warned the Lithuanian authorities about the upcoming large-scale cyber attacks due to blocking the railway transit of goods through the country to the Kaliningrad region, kept their promise and attacked Lithuanian state structures. This became known on June 27, 2022. Read more here.

The website of the Ministry of Construction of Russia was hacked. Hackers blackmail employees with data disclosure

On June 5, 2022, the website of the Ministry of Construction, Housing and Communal Services of Russia was hacked. As a result of a hacker attack, a message appeared on the main page of the department's resource that it was hacked by the team DumpForums.com. Read more here.

Cybersecurity headquarters created in 99% of regions

In 99% of the regions, cybersecurity headquarters have been created. This became known on June 1, 2022.

"The program to create headquarters to ensure cybersecurity has already been implemented by 99% of subjects and 85% of authorities. 76 out of 85 headquarters have been created and are functioning in full, eight are at the approval stage," the press service of the Ministry of Digital Development said.

The department noted that many regions showed significant activity and presented their own proposals to improve the effectiveness of this work. In addition, in the near future the tasks of the operational headquarters will be supplemented with measures to implement the Presidential Decree of May 1 "On Additional Measures to Ensure the Information Security of the Russian Federation".[17][18]

Russian hackers suspected of spying on Austria and Estonia

On May 24, 2022, it became known that attackers had tried to attack the Baltic Defense College in Estonia, the Austrian Economic Chamber and the NATO JDAL e-learning platform. The Baltic Defense College was created by Estonia, Latvia and Lithuania; this educational institution provides military education and holds conferences for high-ranking officers from NATO countries and allies, as well as other EU countries, including Ukraine. The Austrian Economic Chamber is involved in the decisions and administrative procedures of the Austrian government. According to a report by Sekoia, which specializes in cyber security, the nature of the attacks indicates the hackers' interest in the Eastern European defense sector and in topics related to economic sanctions against the Russian Federation.

Turla (also known as Uroborus, Snake and Venomous Bear) is a Russian-language cyber espionage group. In the past, attackers organized attacks on foreign ministries and defense organizations.

According to the researchers, in the latest spy campaign, hackers did not use malware, but limited themselves exclusively to intelligence.

This spring, spyware from Turla was discovered by Lab52 specialists. The malware could record audio and track the victim's location.[19]

China initiated a cycle of hacker attacks on Russian authorities

On May 4, 2022, it became known that China had gone against Russia and initiated a cycle of hacker attacks on Russian authorities, analysts at Google's Threat Analysis Group (TAG) report. According to their report, the Curious Gorge group attacks more actively than others.

Hackers from this group repeatedly attack government, military, logistics and production organizations in Russia. The Google TAG report was published on May 3, 2022, and it separately indicated that Chinese hackers from Curious Gorge last showed themselves at the end of April 2022, attacking the networks of several Russian defense contractors and manufacturers, the Russian Ministry of Foreign Affairs and a Russian logistics company whose name is not given in the report.

What exactly encourages hackers to attack Russian objects remained unknown at the time of publication of the material. The goals of the Curious Gorge group are also various companies in Ukraine and Central Asia.

According to Google TAG, the Chinese authorities may be behind Curious Gorge. It is credited with strong links to the People's Liberation Army Strategic Support Force of China (PLA MTR). This is a separate branch of the armed forces within the PLA, and the cyber sphere is part of the MTR's area of activity.

The Chinese threat to Russian networks at the beginning of May 2022 is not only Curious Gorge. At the end of April 2022, the Bronze President group chose Russia as its target.

In the reports of various companies specializing in cyber security, this group appears under several names, including Mustang Panda, TA416 and RedDelta. The first mention of its activities appeared in 2018, and traces of its crimes were most often found in Asian countries.

"This suggests that the attackers received updated tasks that reflect the changing intelligence-gathering requirements of the People's Republic of China," the researchers say.

Secureworks experts suggest that Russia's entry into the field of view of Bronze President may indicate "an attempt by China to inject modern malware into the computer systems of Russian officials." They discovered and analyzed a malicious executable file distributed by the group, Blagoveshchensk - Blagoveshchensk - Blagoveshchensk Border Detachment.exe, which was disguised as a PDF file and encrypted. Inside it was a loader for the PlugX malware.

Blagoveshchensk is a city that lies near the border with China. It houses parts of the Russian army.

When launched, the file displays a decoy document, written for some reason in English, describing the situation with refugees and EU sanctions. While the user who launched the file reads the document, the PlugX malware is downloaded in the background from the command and control server. PlugX is a remote access Trojan used to steal files, execute remote commands, install backdoors and deploy additional malware. It is one of Bronze President's tools; the hackers also use Cobalt Strike, China Chopper, RCSession and ORat.
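A defender-side check for the masquerade described above, written as an added example (not code from the original report or from Secureworks): it flags files whose content begins with a Windows PE header while the name claims a document, or whose name hides a document extension in front of .exe. The sample file names and byte strings are constructed for the example.

```python
"""Detector for executables disguised as documents.

Added example (not code from the original report or from any vendor named
on the page): flags files whose name suggests a document but whose content
starts with a Windows PE header, or whose name hides a document extension
in front of ".exe". The sample files below are constructed byte strings
with hypothetical names, not real malware.
"""
from typing import Dict, List, Tuple

PE_MAGIC = b"MZ"       # first two bytes of every Windows executable
PDF_MAGIC = b"%PDF-"   # first bytes of a PDF file

# Extensions a decoy typically borrows to look harmless.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


def sniff_format(data: bytes) -> str:
    """Classify content by its leading bytes: 'pe', 'pdf' or 'unknown'."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def split_extensions(filename: str) -> List[str]:
    """Return every dotted suffix, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify(filename: str, data: bytes) -> Tuple[str, List[str]]:
    """Return ('clean' | 'suspicious', reasons) for one name/content pair."""
    reasons: List[str] = []
    exts = split_extensions(filename)
    last = exts[-1] if exts else ""
    fmt = sniff_format(data)

    if fmt == "pe" and last in DOCUMENT_EXTENSIONS:
        # Content is an executable but the visible name claims a document.
        reasons.append("executable content behind a document extension")
    elif last == ".exe" and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        # 'report.pdf.exe' reads as 'report.pdf' when Explorer hides extensions.
        reasons.append("document extension hidden in front of .exe")
    elif last == ".pdf" and fmt != "pdf":
        # Claims PDF but does not carry a PDF header at all.
        reasons.append("claims PDF but header is not %PDF-")

    return ("suspicious" if reasons else "clean", reasons)


def scan(files: Dict[str, bytes]) -> List[Tuple[str, List[str]]]:
    """Run classify() over a name->content map; return only flagged entries."""
    flagged = []
    for name, data in files.items():
        verdict, reasons = classify(name, data)
        if verdict == "suspicious":
            flagged.append((name, reasons))
    return flagged


# Constructed samples (hypothetical names, truncated headers only).
SAMPLE_FILES: Dict[str, bytes] = {
    "refugee_report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",      # genuine PDF
    "Border Detachment.pdf": b"MZ\x90\x00\x03\x00\x00\x00",       # PE behind .pdf
    "Border Detachment.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",   # double extension
    "sanctions_overview.pdf": b"\x00\x00\x00\x00",                # no PDF header
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",                   # honest executable
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_FILES):
        print(f"{name}: {'; '.join(reasons)}")
```

The check reads only the first bytes of each file, so it runs cheaply over a mail quarantine or download directory; it deliberately does not try to tell a benign PE from PlugX, only to surface the mismatch between name and content.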

China is one of the countries in the world that have not officially joined the anti-Russian sanctions imposed due to a special operation in Ukraine. At the same time, the PRC does not side with Russia and demonstrates neutrality in this matter. The attacks of hackers from Bronze President and Curious Gorge on Russian networks are another major confirmation that China may have its own interest in confronting Russia and the rest of the world[20].

Russian hackers launched a large-scale targeted phishing campaign

On May 3, 2022, it became known that Russian hackers had launched a large-scale targeted phishing campaign.

The APT29 group attacks diplomats and government organizations. Read more here.

Russian hackers suspected of cyber attacks on German renewable power companies

Three German renewable energy companies have been hacked after countries' refusal of Russian oil. This became known on April 27, 2022. More here.

Departmental website of the Ministry of Emergency Situations was subjected to a hacker attack

On April 20, 2022, it became known that unknown persons had hacked the website of MCHS Media, the departmental media outlet of the Ministry of Emergency Situations of Russia. This was reported on the outlet's page of the same name on the VKontakte social network. More here.

Hackers hacked the website of the Russian Emergencies Ministry and the heads of the ministry in the regions

On March 16, 2022, it became known about the official hacking of the website of the Ministry of Civil Defense, Emergencies and Disaster Management (EMERCOM of Russia). As a result of a cyber attack by unknown hackers, the Internet resource of not only the federal department, but also all its regional headquarters, became unavailable. Read more here.

Chinese authorities: 87% of cyber attacks in the world are directed against Russia

87% of cyber attacks registered by the State Monitoring Center Internet PEOPLE'S REPUBLIC OF CHINA (CNCERT/CC, responsible in the Celestial Empire for detecting and preventing cyber threats) are directed against. Russia The Chinese authorities released such data on March 11, 2022.

According to the Chinese state news agency Xinhua, citing CNCERT/CC data, the attacks are carried out mainly from the United States. More than 10 of them were recorded in New York State alone, with traffic intensity peaking at about 36 Gbps. In addition, the sites are attacked by hackers from Germany, Holland and other Western countries.

"CNCERT/CC monitoring showed that since the end of February [2022], China's Internet has constantly faced cyber attacks from abroad... Foreign organizations, through attacks, established control over computers on the territory of the PRC and then carried out cyber attacks on Russia, Ukraine and Belarus," the publication says.[21]

The State Center for Internet Monitoring noted that the regulator is taking the maximum possible measures to prevent cyber attacks.

At the end of February 2022, Roskomnadzor said that "a hybrid war is being waged against Russia, which includes elements of information confrontation, as well as regular cyber attacks." Under these conditions, the duty services of the Public Communications Network Monitoring and Management Center (CMU SSOP) "have been put on high alert, interacting with the National Coordination Center for Computer Incidents to counter attacks on critical information infrastructure," the regulator reported.

On March 3, 2021, Rostelecom Vice President for Information Security Igor Lyapunov reported that the number of hacker attacks on the websites of Russian authorities had recently increased sharply.

Russian Foreign Ministry confirms cyber attack on ministry employees

On January 18, 2022, it became known about cyber attacks on employees of the Russian Ministry of Foreign Affairs. According to the American information security companies Cluster25 (part of DuskRise) and Black Lotus Labs (part of Lumen Technologies), the North Korean hacker group Konni is allegedly behind these attacks. Read more here.

2021

Cyber attacks on Russians have halved in 7 years

In 2020, 29.1% of Russian residents aged 15 to 74 who use the Internet faced cyber threats, compared with 56.8% in 2013. This data is contained in a report by the Institute for Statistical Research and Economics of Knowledge of the Higher School of Economics, whose authors refer to Rosstat statistics. The study was published in 2021.

While hacker attacks on individuals are declining, attacks on business continue to grow from year to year. According to Positive Technologies experts, the number of cyber incidents in 2020 increased by 51% compared to 2019. 86% of all attacks were directed at organizations, and most attackers were interested in government and medical institutions as well as industrial companies, according to the Positive Technologies study.

According to a report by the Institute for Statistical Research and Economics of Knowledge at the Higher School of Economics, in 2020, 75.7% of Russian Internet users had antivirus software on their computers, while in 2013 this share was higher - 84.7%. The share of people using anti-spam filters decreased from 82.7% to 73.2%, and the share of users of parental controls or filtering Internet content increased from 14.6% to 16.2%.

In 2020, 3.3% of Russians did not use the Internet for information security reasons, compared with 1.5% in 2015. The share of those who do not go online because they are unwilling to disclose their personal data increased from 1.1% to 3%.

According to experts, 2020 was a challenge for hackers as well, who had to adapt to new realities and invent new attack methods. Cyber threats were dominated by ransomware attacking schools, hospitals and private companies. There were also mass hijackings of social network accounts.

The full report is here.

A large-scale cyber attack against the public sector has been registered in Russia

On September 22, 2021, it became known about a large-scale cyber attack on state institutions and departments of Russia and neighboring countries. This was reported by Cyjax, a British company specializing in information security.

As Kommersant writes with reference to the Cyjax study, the phishing attack was organized, in particular, against the Russian Academy of Sciences (RAS), the Mail.ru Group postal service, and government agencies of more than a dozen countries, including Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Turkey, Turkmenistan, Ukraine, Uzbekistan and China.


Mail.ru Group said it monitors the emergence of phishing sites and fraudulent emails in order to "respond in a timely manner to such incidents, including those listed in the report." The company added that its mail service runs an automatic anti-spam system that adapts to new spam scenarios, including phishing.

Experts reported the existence of 15 sites that imitate e-mail login portals for employees of the Ministries of Foreign Affairs, Finance or Energy of various countries.

For the attack, the attackers used a site disguised as a corporate e-mail service. The scheme works like this: employees are notified that a new portal has appeared on which they need to register. The hackers then obtain their logins and passwords, as well as access to the victims' correspondence. As a result, the attackers are able to send infected files to the partners of the company or agency.

According to Cyjax, the purpose of the attack is to collect logins and passwords to access the mailboxes of civil servants. Given the lack of immediate financial benefits from the attack and the focus on the Russian Federation and neighboring countries, a certain pro-state group may be behind it, Cyjax believes.

According to Alexei Novikov, director of the Positive Technologies security expert center, hackers can use the access they gain to continue the attack by sending letters with a malicious attachment to the company's partners.[22]

Ministry of Digital Development: 50% of cyber attacks on online elections came from the United States

On September 20, 2021, the Ministry of Digital Development named the countries from where the cyber attacks on electronic voting systems in Russia were carried out. About half of the IP addresses used by hackers were in the United States. Read more here.

US ambassador summoned to Russian Foreign Ministry due to interference in Russian elections

On September 11, 2021, it became known that the Russian Ministry of Foreign Affairs had summoned US Ambassador to Moscow John Sullivan to discuss the interference of American IT companies in the State Duma elections.

Foreign Ministry spokesman Sergei Ryabkov told John Sullivan, summoned by the Russian Foreign Ministry on September 10, about the inadmissibility of interference in Russian affairs. Ryabkov also told the diplomat about the presence of evidence of violation of the laws of the Russian Federation by American digital giants before the elections to the State Duma. That evidence is overwhelming, he said.

According to the US State Department, their ambassador discussed issues of bilateral relations at the Russian Foreign Ministry on Friday, namely, he participated in a conversation about support for "the desire of US President Joe Biden for stable and predictable relations with Russia."[23]

Chinese government hackers attacked the Russian public sector

Chinese government hackers attacked Russian companies. This became known on August 3, 2021.

Traces of attacks by the hacker group APT31, which is known for numerous attacks on state structures of different countries, have been recorded. The group attacked Russian companies for the first time. According to Positive Technologies, in the first half of 2021 the APT31 group, in addition to its actions in Russia, conducted about ten malicious mailings in Mongolia, the USA, Canada and Belarus.

The hacker group APT31, also known as Hurricane Panda and Zirconium, has been operating since the 2010s. Its members attack mainly the public sector, spying on potential victims and collecting confidential information. Microsoft previously indicated that APT31 operates from China, and in mid-July the British government linked the group's activities to the Chinese Ministry of State Security.

According to Positive Technologies experts, since the spring of 2021 APT31 has begun to expand the geography of its attacks and to use a different way of hacking and infecting devices. According to the company, the hackers send phishing emails containing a link to a fake domain, inst.rsnet-devel[.]com, which completely imitates the domain of certain government agencies. When the link is opened, a so-called dropper (a remote access Trojan) gets onto the user's computer; it creates a malicious library on the infected device and installs a special application. The application then launches one of the functions of the dropped malicious library, and control of the computer passes into the hands of the attacker.

Daniil Koloskov, senior specialist in the information security threat research department of Positive Technologies, warns that the malware developers try to make the malicious library as close as possible to the original one: the names of the function sets of the infected library partially coincide with the official one. Another trick was that in some attacks the dropper carried a real, valid digital signature, so many security tools perceived it as a program from a certified manufacturer. Positive Technologies experts believe that the signature was most likely stolen, which indicates that the group is well prepared.

Denis Kuvshinov, head of the information security threats research department at Positive Technologies, predicts that in the near future APT31 will use other tools in attacks, including on Russia, which can be detected by matching code or network infrastructure. Positive Technologies specialists have already reported the attack they recorded to the State System for Detecting, Preventing and Eliminating the Consequences of Computer Attacks. The company does not expect a decrease in the number of APT31 cyber attacks in the near future, so it advises commercial and other organizations to load indicators into their security tools that will help detect such malware in time.[24]

FSB of Russia agreed with the US authorities on the joint identification of cybercriminals

On June 15, 2021, it became known that Russia would work with the USA on identifying ransomware hackers within the framework of the agreement between the presidents of the two countries. This was announced by FSB Director Alexander Bortnikov.

"We carry out actions within the framework of those agreements that were reached between our presidents. So we will work together; we hope for reciprocity," said Bortnikov. "We do not exclude that terrorists may carry out cyber attacks on critical information infrastructure facilities. In this regard, we see a particular danger in the difficulty of timely establishing the true source of an attack and the possibility of provoking acute interstate conflicts."

The head of the FSB of Russia believes that only the consolidated efforts of all security services across cyberspace, with timely mutual information sharing and coordinated work, can effectively and quickly identify a possible terrorist act. Therefore, the FSB hopes for support of its initiative from the leading powers and their specialized services.[25]

Sobyanin called Ukraine the source of most cyber attacks on Moscow

At the end of April 2021, Moscow Mayor Sergei Sobyanin announced a surge in cyber attacks in the capital and noted that most of them come from Ukraine (see Cybercrime and cyber conflicts: Ukraine).

"Today, Internet crime is not even concentrated with us, but along the border. And today most of the attacks come from the territory of Ukraine, and not from Moscow to Muscovites... These are new challenges, and we must fight them differently," he said at a session of the HSE and Sberbank discussion club.

It is worth noting that Ukraine repeatedly accuses Russia of hacker attacks. In January 2021, the Foreign Intelligence Service of Ukraine (SVRU) published a bulletin called "White Paper," in which it described the "mechanisms of Russian information influence," one of which is work in social networks. According to the service, a characteristic feature here is the infiltration of bots into local chats and comments under articles in order to sow discord and undermine confidence in existing institutions.


According to the mayor of the capital, the number of cybercrimes over the year increased by 40%. Internet crime is growing "simply in arithmetic progression," Sobyanin stressed.

"And here, of course, everything needs to be rebuilt: law enforcement, the Criminal Code, and criminal procedure, and in general the understanding of all these things. They are also not abstract," said the mayor of Moscow.

He also added that against the background of growing Internet crime, a decrease in other, even more dangerous crimes can be observed. For example, with the help of the city's photo and video surveillance system for locating cars, car theft has decreased.

According to the Ministry of Internal Affairs, in January 2021, the share of crimes in the field of high technologies from the total number increased to 25%, while a year ago it was 17.7%. Most of such crimes were detected in Moscow, as well as in the Murmansk region, Chuvashia, Khanty-Mansiysk and Yamalo-Nenets autonomous districts.[26]

A surge in hacker attacks on Russian research institutes

In mid-April 2021, it became known about a surge in hacker attacks on Russian research institutes (NII). First of all, foreign hackers are interested in institutions that are engaged in military and aviation development, as well as the creation of vaccines against the coronavirus COVID-19, according to Group-IB, a company specializing in information security.

Doctor Web confirmed this trend to Kommersant. According to Igor Zdobnov, head of the Doctor Web virus laboratory, targeted attacks are difficult to detect, since they concern only one company, whereas "blind" attacks hit a large number of subjects. Behind the cyber attacks on research institutes are hackers sponsored by state authorities for the purpose of espionage, the expert is sure.


Igor Zalevsky, head of the Rostelecom-Solar cyber incident investigation department, points to the possibility of using information stolen from research institutes for political purposes, and sees this as the reason for the interest of state-backed hackers in research institutes. The work of a research institute involves unique information from various industries: schemes, product drawings, closed studies that are intellectual property, the expert lists. Such data may be of interest for monetization or simply for sale on the black market, he added.

Sometimes hackers use several viruses at once. For example, on the network of one client, Group-IB specialists identified six types of such programs, including in the accounting department and on employees' workstations and mobile devices. At the same time, attackers usually do not launch the malware into a research institute's network straight away; they first use auxiliary modules and trojans that evade detection, said Denis Legezo, senior cyber security expert at Kaspersky Lab.[27]

Fraudsters in the Russian Federation began to use personal data collected by Telegram bots to blackmail users

In early March 2021, it became known that fraudsters in Russia had begun to use personal data collected by Telegram bots to blackmail users. Read more here.

2020

Group-IB: Domain Theft Scheme in Russia

On November 19, 2020, Group-IB, a company specializing in cyber security, announced a scheme that hackers are using to steal legitimate domains in Russia. These domains are subsequently used for phishing attacks. Read more here.

90% of the IT systems of Russian government agencies can be hacked even by inexperienced cyber hooligans

About 90% of the IT systems of government agencies in Russia can be hacked not only by highly qualified hackers but also by inexperienced cyber hooligans. This conclusion is contained in a study prepared by Rostelecom-Solar based on the analysis of data on 40 state organizations and authorities at the federal and regional level.

According to Vladimir Dryukov, director of the Solar JSOC cyber attack monitoring and response center at Rostelecom-Solar, cyber hooligans aim at simple monetization: they encrypt servers and computers, mine cryptocurrency covertly, and build botnets from the captured resources to run DDoS attacks or phishing mailings. More experienced specialists try to gain long-term control over the infrastructure or access to confidential data for the purpose of cyber espionage, he said.


Experts note a low level of "cyber hygiene" in government agencies. More than half of such institutions use an unprotected connection (most often the http protocol, in which transmitted data is not encrypted and can be intercepted).

More than 70% of organizations are exposed to classic web vulnerabilities that attackers use as an entry point into the victim's infrastructure: for example, SQL injection, which allows an attacker to break into the site's database and make changes, or XSS, which allows an attacker to embed his own script into a page of the victim site.

In addition, more than 60% of government organizations have vulnerabilities in various components (Apache web servers, the Apache Tomcat application server, the WordPress content management system, the PHP programming language) and even in the operating system itself (the Shellshock series of vulnerabilities, considered among the most dangerous).[28]
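To make the two web flaws named above concrete, here is an added example (not from the Rostelecom-Solar study) that places a vulnerable SQL lookup and HTML rendering next to their hardened forms; the users table and its rows are constructed sample data.

```python
"""Vulnerable and hardened variants of the two web flaws named above:
SQL injection in a login lookup and XSS in page rendering."""
import html
import sqlite3

# Constructed sample data: a small in-memory users table standing in for a
# site's database (hypothetical schema, not from the page).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("ivanov", "clerk"), ("petrova", "admin"), ("sidorov", "clerk")],
    )
    return conn


def find_user_vulnerable(conn, login: str) -> list[tuple]:
    """String concatenation lets the input rewrite the WHERE clause."""
    query = "SELECT login, role FROM users WHERE login = '" + login + "'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn, login: str) -> list[tuple]:
    """A bound parameter is always treated as data, never as SQL syntax."""
    return conn.execute(
        "SELECT login, role FROM users WHERE login = ?", (login,)
    ).fetchall()


def render_greeting_vulnerable(display_name: str) -> str:
    """Untrusted text is written straight into HTML: any <script> survives."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_hardened(display_name: str) -> str:
    """html.escape turns <, >, &, and quotes into entities so the browser
    shows the text instead of executing it."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo() -> dict:
    """Run both flaws against the same inputs and report what each returns."""
    conn = make_db()
    # The textbook tautology input: the vulnerable query returns every row,
    # the parameterised one finds no user with that literal login.
    payload = "' OR '1'='1"
    result = {
        "vuln_rows": len(find_user_vulnerable(conn, payload)),
        "safe_rows": len(find_user_hardened(conn, payload)),
        "safe_normal": find_user_hardened(conn, "petrova"),
    }
    marker = "<script>alert(1)</script>"
    result["xss_vuln_has_tag"] = "<script>" in render_greeting_vulnerable(marker)
    result["xss_safe_has_tag"] = "<script>" in render_greeting_hardened(marker)
    result["xss_safe_html"] = render_greeting_hardened(marker)
    return result
```
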

From which countries and in what ways hackers attack Russians. 2020 statistics

In the first half of 2020, the number of cyber attacks on organizations in Russia was higher than the global average, Check Point analysis showed. On average, there were 570 attacks per company per week in Russia, compared with 474 worldwide, the company said.

The most common threat was the Emotet botnet, which sends its potential victims spam containing attachments or links leading to malicious Office files. According to Check Point, 6% of Russian organizations were affected by it. The most commonly exploited vulnerability class was remote code execution, through which 64% of organizations were attacked.

In June 2020, the most active malware in addition to Emotet in Russia were:

  • RigEK (5%) - contains exploits for Internet Explorer, Flash, Java and Silverlight. The infection begins with a redirection to a landing page containing JavaScript, which then searches for vulnerable plugins and delivers an exploit.
  • XMRig (5%) - an open-source cryptominer first discovered in May 2017, used to mine the Monero cryptocurrency.
  • Agent Tesla (3%) - an improved RAT trojan. AgentTesla has been infecting computers since 2014, acting as a keylogger and password stealer. The malware is able to monitor and collect the victim's keyboard input, take screenshots and extract credentials from various programs installed on the victim's computer, including Google Chrome, Mozilla Firefox and Microsoft Outlook.
  • Phorpiex (3%) - a worm for the Windows platform. It creates files that are launched automatically from removable devices for further self-distribution and adds itself to the list of authorized applications, which allows Phorpiex to bypass security gateway policies. The malware also serves as a backdoor agent that receives commands from a remote controller.

79% of all malicious files in Russia were delivered by e-mail. Vasily Diaghilev, head of Check Point's representative office in Russia and the CIS, notes that e-mail was used, among other things, for phishing associated with the epidemic of a new coronavirus infection.

In addition, after the outbreak of the pandemic, Check Point specialists discovered a rapid increase in the registration of new domains related to the topic of coronavirus, many of which turned out to be malicious or suspicious. Cybercriminals imitate video conferencing applications, streaming platforms, fake sites related to loans and various payments, etc., and also send employers resumes with malicious code.

In April, the Russian authorities also drew attention to this problem. Roskomnadzor warned users that the fake sites used by attackers include domains imitating WHO sites, sites selling hair dryers that supposedly kill coronavirus, and offers from fraudsters to come to your home and test for COVID-19.

At the same time, Check Point found that in Russia, the growth in the number of fake domains and associated attacks associated with coronavirus began about a month earlier than in the world as a whole. According to the company, the first sites in Russia began to appear in January, and rapid growth began in mid-February.

"We have been trying for a long time to understand for ourselves why this is happening. This is probably due to the fact that Russian hackers and attackers adapt most quickly to changing realities. And the fact that a huge number of people were locked at home and were not ready for a pandemic in terms of IT infrastructure gave attackers easy access to information and money," says Vasily Diaghilev.

Another trend characteristic of Russia is associated with the countries of origin of the attacks. If globally the overwhelming number of attacks comes from other countries, from other continents, then in Russia 47% of attacks come from within the country, according to Check Point.

"Often we hear about overwhelming threats, and defense projects are built on the basis of the paradigm that we are attacked from outside, but in reality we see that a large number of attacks come from within the country, and the idea of protection against external threats located outside the Russian Federation is not yet justified," said the head of the Check Point representative office in Russia.

Cyber attackers have been particularly active in the past few months in attacking banking applications. Many hacker groups targeting banks and financial organizations have become more active. The level of attacks on mobile devices is also higher than the global average.

"The main conclusions that we can draw: Russia responds faster than other countries to global trends in the field of cybersecurity, and cybercriminals quickly adapt current hacking practices to Russian realities. And, most importantly, they use not only their own tools, which are developed within the country, but also quickly adapt the latest internationally available tools for attacking Russian organizations," Vasily Diaghilev summed up.

The regions of the Russian Federation with the greatest cybercrime are listed

The highest level of cyber crime is observed in Moscow, St. Petersburg and eight other regions of Russia, Zhdanov, head of the Russian section of the International Police Association, told RIA Novosti.[29][30][31]

"If we turn to the statistics of the Ministry of Internal Affairs, we will see that the most active increase in crimes committed using information and telecommunication technologies is observed in Moscow, St. Petersburg, the Moscow, Kaliningrad, Novgorod and Rostov regions, Ingushetia, Buryatia, Bashkortostan and the Jewish Autonomous Region," Zhdanov said.

In particular, according to him, in May of this year criminals most often sent banking trojans to residents of Russia to infect devices and to mine cryptocurrency covertly.

Earlier, the Ministry of Internal Affairs of Russia reported that in the first five months of 2020, the number of crimes in the field of information and telecommunication technologies increased by 85.1% (including grave and especially grave ones - by 123.7%), and the share increased to 21.7% of the total compared to the same period last year. In addition, the number of crimes committed using settlement (plastic) cards increased almost 6 times.

Hackers hacked into the mail of the Pskov Metropolitan and demand a ransom of 10 million rubles

On May 2, 2020, it became known about the hacking of the e-mail of Metropolitan Tikhon (Shevkunov) of Pskov and Porkhov, who is also the chairman of the Patriarchal Council for Culture and a member of the Presidential Council for Culture and Art. Hackers are demanding a ransom of 10 million rubles for returning access to the messages. Read more here.

Police in the suburbs created an online store for drug trafficking

At the end of April 2020, the Investigative Committee of Russia announced the detention in the Moscow region of five police officers suspected of drug trafficking via the Internet: they sold prohibited substances through a Telegram channel they had created themselves.

According to Olga Vradiy, a representative of the regional department of the Investigative Committee of Russia, on April 27, 2020, during operational-search activities by officers of the drug control department of the Ministry of Internal Affairs, a policeman was detained near a residential building in Shchelkovo near Moscow; during a personal search he was found to have a mobile phone with photographs of drug stashes. During the inspection of the caches, mephedrone with a total weight of 50 grams was seized.


Two senior sergeants and one police sergeant, according to preliminary data, were engaged in the sale of mephedrone. They sold the goods via the Internet and handed them over through stashes.

On this fact, an official audit was scheduled, as a result of which these employees will be dismissed from the internal affairs bodies for negative reasons and brought to justice in accordance with the law. In addition, their immediate leaders will be brought to strict disciplinary responsibility, the press service of the Main Investigation Department of the Investigative Committee (IC) of Russia in the Moscow Region reported.

As of the end of April 2020, Investigative Committee investigators were conducting a set of investigative actions aimed at collecting and consolidating the evidence. The suspects will be charged, and the issue of a pretrial restraint measure will be decided. They may be charged with selling drugs on a large scale (Part 3 of Article 30, paragraph "d" of Part 4 of Article 228.1 of the Criminal Code of the Russian Federation).[32]

Moving to remote work, companies open hacker access to their servers

Due to the hasty mass transition of companies to remote work, the number of corporate servers available to cybercriminals from the Internet is growing rapidly, experts from the Solar JSOC Cyber Threat Monitoring and Response Center reported on March 27, 2020. One of the main reasons is the use by companies of the unprotected RDP (Remote Desktop Protocol) protocol. According to Solar JSOC, in just one week the number of devices available from the Internet via RDP increased by 15% in Russia (the total number today is more than 76 thousand units) and by 20% in the world (more than 3 million units).

RDP is a protocol developed by Microsoft for remote control of Windows systems and is a popular way to connect to the working environment. However, by default RDP listens on port 3389, and if the company's IT service does not pay due attention to remote access security, the enterprise server becomes extremely vulnerable to attackers. For example, it is not uncommon for a remote server to be accessible and visible from the Internet, so anyone can try to connect to it. In this case, an attacker can defeat the identification and authentication system by guessing a password, spoofing the certificate or exploiting RDP vulnerabilities.

To understand how relevant these threats are, experts from the Solar JSOC Cyber Threat Monitoring and Response Center used various tools to analyze and monitor the number of devices available from the Internet via RDP. In just a week, from March 17 to March 24, when companies began to switch to remote work en masse, the number of such devices grew by 15% in Russia and 20% in the world.

"The resulting statistics are frightening, because not so long ago the noise around several major vulnerabilities in the Remote Desktop Service - BlueKeep and DejaBlue - had only just died down. Both of them allow access to a remote server without authentication: for this, an attacker just needs to send a special request via RDP. Thus, in the absence of the latest Windows security updates, any system accessible from the Internet is vulnerable," comments Igor Zalevsky, head of the Rostelecom-Solar JSOC CERT cyber incident investigation center.

According to Solar JSOC experts, every month Windows security updates fix newly discovered vulnerabilities related to RDP. For this reason, it is highly undesirable to use plain, unprotected remote desktop access. It is recommended to use at least a VPN with two-factor authentication and to build remote access on secure protocols.
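As an added example of the detection side of what Solar JSOC describes (not code from Rostelecom-Solar): password guessing against an exposed RDP service shows up in the Windows Security log as a burst of event 4625 failures with LogonType 10 (RemoteInteractive), possibly followed by a 4624 success from the same source. The event lines, source addresses and thresholds below are constructed.

```python
"""Detection logic for password guessing against exposed RDP, run over
constructed Windows Security events (4625 = failed logon, 4624 = successful
logon; LogonType 10 = RemoteInteractive, i.e. an RDP session)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the page). Source IPs come from the
# RFC 5737 documentation ranges; the format mimics a flattened event export.
SAMPLE_EVENTS = """\
2020-03-20T09:58:00Z 4624 LogonType=10 TargetUserName=ivanov IpAddress=198.51.100.12
2020-03-20T10:00:01Z 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-03-20T10:00:03Z 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-03-20T10:00:05Z 4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.7
2020-03-20T10:00:06Z 4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2020-03-20T10:00:08Z 4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-03-20T10:00:15Z 4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-03-20T10:05:00Z 4625 LogonType=3 TargetUserName=svc IpAddress=198.51.100.40
2020-03-20T10:30:00Z 4625 LogonType=10 TargetUserName=petrova IpAddress=198.51.100.12
2020-03-20T11:30:00Z 4625 LogonType=10 TargetUserName=petrova IpAddress=198.51.100.12
"""

FAIL, SUCCESS, RDP = "4625", "4624", "10"


def parse_event(line: str) -> dict:
    """Split one exported line into timestamp, event id and key=value fields."""
    ts, event_id, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "id": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_rdp_bruteforce(text: str, threshold: int = 5, window_min: int = 5) -> list[str]:
    """Flag sources with >= threshold failed RDP logons inside a sliding time
    window, and escalate if the same source then logs on successfully."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()
    alerts = []
    window = timedelta(minutes=window_min)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != RDP:
            continue  # only RemoteInteractive (RDP) logons matter here
        src = ev["IpAddress"]
        if ev["id"] == FAIL:
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"BRUTE_FORCE src={src} failures={len(q)}")
        elif ev["id"] == SUCCESS and src in flagged:
            # A success right after a guessing burst is the case to act on.
            alerts.append(
                f"POSSIBLE_COMPROMISE src={src} user={ev['TargetUserName']}"
            )
    return alerts
```

The two isolated failures from 198.51.100.12 an hour apart fall outside the window and raise nothing, which is the point of the sliding window.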

FSB detained 30 credit card data merchants and seized gold bars from them

On March 24, 2020, the Federal Security Service (FSB) of Russia announced the detention of a hacker group engaged in the trade of stolen bank cards.

Cybercriminals have created over 90 online stores selling stolen data, which were subsequently used to steal funds from bank accounts of citizens of various states, including by purchasing expensive goods on the Internet.


During the special operation, over 30 members of the hacker group were detained, including citizens of Ukraine and Lithuania. 25 detainees were charged under Part 2 of Article 187 of the Criminal Code (illegal circulation of means of payment). They were remanded in custody.

In total, the security forces conducted searches at 62 addresses. Members of the group were detained in Moscow and the Moscow region, St. Petersburg and the Leningrad region, Crimea and Sevastopol, North Ossetia, Kaluga, Pskov, Samara and Tambov regions. In total, more than 30 hackers were arrested.

Law enforcement agencies seized from the suspects more than $1 million and 3 million rubles, forged documents, law enforcement officer IDs, server equipment, as well as rifled firearms, narcotic drugs, gold bars and precious coins. The equipment hosting the sites was "eliminated," the FSB said in a statement.

It was also established that the organizers of the community from among the citizens of Russia had previously been prosecuted for similar crimes.

The video, in which the FSB, together with the investigative department of the Ministry of Internal Affairs, stopped the activities of a large network of dealers in stolen credit card data of Russian and foreign banks, was posted on the website of the Federal Security Service.[33]

Cyber fraudsters take advantage of the epidemic and attack Russians on behalf of government agencies

On March 19, 2020, it became known about an increase in the number of fraudulent schemes in Runet due to the spread of coronavirus. One of them is the sending of fake letters, including from domains resembling the addresses of government agencies.

According to Kommersant, among other things, attackers send letters offering to familiarize themselves with anti-crisis directives from the Ministry of Labor and the Ministry of Economy by opening an attached PDF file. A virus is embedded in these documents.

The spread of coronavirus has led to an increase in activity in Runet of various fraudulent schemes

Positive Technologies reported the distribution of letters allegedly from the Ukrainian Foreign Ministry, which use a document with statistics on the spread of coronavirus as a "malicious decoy." Fraudsters are actively using this topic in their attacks, Denis Kuvshinov, a leading specialist in the Positive Technologies cyber threat research group, told the publication.

Kaspersky Lab counted more than 2.5 thousand suspicious sites whose names include the words covid, coronavirus and the like. Rostelecom-Solar confirmed the existence of such resources and noted that one of them, for example, steals money and credit card details under the pretext of selling a "better and faster test to determine the coronavirus."

According to Group-IB experts, company employees receive phishing letters written in English or Russian, with links to information about the sick or to a list of coronavirus prevention measures. These messages contain links to phishing sites that imitate Microsoft sites and invite users to enter their email credentials. If the victim does so, the information is sent to the attackers' server.

Fraudsters expect that the user, having fallen "under the magic of the name," will open a letter, follow the link or download the application, said Andrei Arsentiev, head of analytics and special projects at the InfoWatch group, who also sees a surge in cyber attacks using the topic of coronavirus.[34]
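The two indicators described in this section, domains resembling government agency addresses and site names built around the words "covid" and "coronavirus", can be checked mechanically over DNS or proxy logs. The following script is an added example, not code from any of the companies quoted above; its log format, whitelist and every domain in it are constructed for illustration.

```python
"""Flag lure-themed and lookalike domains in constructed DNS query logs.

Added example (not from the original page). Two cheap defender-side
checks: keyword matching for the lure vocabulary the reports mention,
and edit-distance comparison of the registrable part of each queried
name against a whitelist of legitimate domains. The whitelist, the
log format and all domains below are constructed placeholders.
"""
import re
from collections import namedtuple

# Lure vocabulary mentioned in the reports; extend with your own terms.
THEME_KEYWORDS = ("covid", "coronavirus", "korona")

# Constructed whitelist of known-good domains (hypothetical values).
LEGITIMATE = {"gov.example", "mintrud.example", "economy.example"}

Finding = namedtuple("Finding", "domain reason nearest")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short, so a full DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a name, e.g. mail.gov.example -> gov.example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str, max_distance: int = 2):
    """Return a Finding for a suspicious domain, or None if it looks benign."""
    base = registrable(domain)
    if base in LEGITIMATE:
        return None
    lowered = domain.lower()
    for kw in THEME_KEYWORDS:
        if kw in lowered:
            return Finding(domain, f"theme keyword '{kw}'", None)
    # Lookalike check: a registrable name within a few edits of a
    # known-good domain is typical of spoofed government senders.
    nearest = min(LEGITIMATE, key=lambda good: levenshtein(base, good))
    if levenshtein(base, nearest) <= max_distance:
        return Finding(domain, "lookalike of legitimate domain", nearest)
    return None


# Constructed BIND-style query log format: "<time> <client> query: <name> IN A".
LOG_LINE = re.compile(r"^\S+ \S+ query: (?P<qname>\S+) IN A")


def scan_log(lines):
    """Parse each log line and collect findings for suspicious names."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        f = classify(m.group("qname"))
        if f:
            findings.append(f)
    return findings


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "2020-03-19T10:01:02 10.0.0.5 query: mail.gov.example IN A",
    "2020-03-19T10:01:05 10.0.0.7 query: covid-test-fast.example IN A",
    "2020-03-19T10:01:09 10.0.0.9 query: www.mintrud.examp1e IN A",
    "2020-03-19T10:02:11 10.0.0.9 query: news.example IN A",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.domain, "->", f.reason, f"(nearest: {f.nearest})" if f.nearest else "")
```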

A wave of theft of bonuses from loyalty cards began in Russia

In early March 2020, it became known that a wave of thefts of bonuses from loyalty cards had begun in Russia. The number of attempts to write off accumulated points from personal accounts on websites increased several times in 2019 and reached several thousand a month.

As Alexey Sizov, an expert at Jet Infosystems, told Izvestia, fraudsters can gain access to a customer's personal account and then pay for their own purchases with the bonuses. Another theft option is to register a personal account using another person's card.

The number of attempts to illegally use discount bonuses of Russians in some companies in 2019 reached several thousand per month

Alexey Fedorov, chairman of the trade committee of Delovaya Rossiya, told the publication that in 2019 the number of thefts of bonuses and discounts "increased significantly." Maxim Fedyushkin, head of Kaspersky Fraud Prevention, noted that in the second half of 2019 it increased by one and a half times compared to the first.

According to Fedorov, points are often stolen by store or call center employees themselves, who have access to loyalty program data. Fedorov considers the reason for the worsening of the problem to be the massive transition of sellers from discount systems to bonus accumulation programs. Fraudsters often target gas stations, earning 2-3 million rubles a month from illegally written-off benefits, he added.

Alexey Sizov says that bonus points most often become the target of so-called novice scammers, and not organized criminal groups. Among the attackers may be students and store employees who have access to information about loyalty programs.

The Magnit ("Magnet") retail chain recognizes the problem. The retailer told the publication that the damage from the fraudsters' actions is mostly reputational, as buyers lose confidence and become disappointed in the loyalty program.[35]

Putin supported the idea of enshrining the rule on cybersecurity in the Constitution

At the end of February 2020, Russian President Vladimir Putin supported the proposal to enshrine in Article 71 of the Constitution of the Russian Federation norms on ensuring the cybersecurity of the individual and the state.

The head of the State Duma Committee on Budget and Taxes, Andrei Makarov, announced the initiative to introduce a provision on the cybersecurity of individuals, society and the state into the text of the Constitution at a meeting of the working group on amendments to the basic law, the TASS news agency reported.

"The jurisdiction of the Russian Federation is supposed to include ensuring the security of the individual, society and the state when using information technologies, when circulating digital data," Makarov said.

According to him, the inclusion of this norm will equate ensuring personal security with defense and security issues, and will also "emphasize the importance of the challenges facing the country."

Russian President Vladimir Putin supported the proposed initiative, saying that "ensuring the security of the individual, society and the state is extremely important and, of course, in demand."

"And the question is: what and how the state can use for the development of the economy using these digital technologies, how much the state can reveal data about a person, how publicly this data can be used, how to upload them to the information space, what will follow for a particular citizen," the president said.

2019

Russian-speaking hackers sell the source code of Symantec, McAfee and Trend Micro antiviruses for $300 thousand.

In mid-May 2019, the American company Advanced Intelligence (AdvIntel), which specializes in information security threat intelligence, reported a hack of the servers of three antivirus manufacturers: Trend Micro, Symantec and McAfee. According to experts, behind this cybercrime is the Russian-speaking hacker group Fxmsp, which began selling the source code of antivirus products on dark web sites, asking $300 thousand for it.

In the sales listing, Fxmsp provides a screenshot of the materials offered for sale (see below), showing folders and files totalling more than 30 TB. Judging by the images, the stolen data includes information about artificial intelligence models, development documentation, source code of antivirus solutions and much more.

The hackers claim that from October 2018 to April 2019 their activity centered on breaking into various antivirus companies. According to AdvIntel experts, the Fxmsp group has long and successfully specialized in selling data obtained in high-profile leaks. The cybercriminals attack government organizations and companies, and their revenues are estimated at millions of dollars.

AdvIntel experts know that one of the members of the group is a Muscovite named Andrei. According to reports, he began a cybercriminal career in the mid-2000s and specializes in social engineering.

A representative of Trend Micro in a comment to the Computer Business Review confirmed that the company suffered "from unauthorized access of third parties to a single network of testing laboratories." McAfee said the company "found no indication that the described campaign affected McAfee products, services, or networks." Symantec denies hacking.[36]

Hackers from China attacked Russian government agencies for years

On May 13, 2019, it became known about the existence of a cyber group that attacked Russian government agencies and companies for several years, using an operating system task scheduler to hack.

Positive Technologies called this hacker group TaskMasters for using a task scheduler to penetrate local networks. After the hack, hackers examined networks for vulnerabilities, downloaded malware there and engaged in espionage. How the attackers used the information received is unknown.

Positive Technologies and Kaspersky Lab discovered a Chinese cyber group that stole data from more than 20 Russian companies and government agencies for several years

As Positive Technologies told Kommersant, a cyber group with supposedly Chinese roots attacked government agencies and companies for at least nine years, some of them in Russia. Experts are aware of the compromise of more than 30 significant organizations in industry, construction, energy, real estate and other sectors, 24 of them in Russia. The names of the companies were not disclosed.

According to Positive Technologies, the code of the tools used by TaskMasters contains references to Chinese developers, connections from Chinese IP addresses were recorded during some attacks, and keys for some versions of the programs can be found on forums where residents of that country communicate.

Kaspersky Lab says it has been monitoring the activity of the same group, which it calls BlueTraveler, since 2016. Its targets there are described as government agencies, mainly in Russia and the CIS, and the company confirms that the attackers most likely speak Chinese.

Kaspersky Lab adds that the method of gaining persistence in the infrastructure and spreading further using the task scheduler has long been, and often is, used by cybercriminals. As a rule, such attacks serve political intelligence or industrial espionage, the company noted.[37]

2018

The number of cyber attacks doubled, and hackers' revenues exceeded 2 billion rubles

In 2018, the number of cyber attacks in Russia doubled, and the income of hackers exceeded 2 billion rubles. Such data in mid-April 2019 were cited by the vice-president of Rostelecom for information security Igor Lyapunov.

According to him, in 2018 Rostelecom's Solar JSOC cyber attack monitoring and response center recorded 765,259 attacks, which is 89% more than a year earlier. Such dynamics are characteristic of Russia as a whole, since Rostelecom provides services to the largest and most attacked companies in the country, Lyapunov explained.

The number of cyber attacks in Russia has doubled

According to him, about 75% of cyber attacks target credit and financial institutions, e-commerce and the gaming business. In addition, infrastructure facilities are increasingly becoming victims of hackers.

"The term 'politically motivated attacks' has arisen... The goal of the attackers is to gain control and a point of presence in this critical information infrastructure," said Igor Lyapunov during a speech at RIF + CIB 2019.

Positive Technologies recorded a 27 percent increase in the number of successful cyber attacks in Russia in 2018, company spokesman Alexei Novikov told Vedomosti. Most often, attackers attacked the infrastructure (such attacks accounted for 49% of incidents) and web resources of companies (26% of attacks), he points out. In 2018, cybercriminals increasingly tried to steal information: in 30% of attacks they stole personal data, in 24% - accounting data, in 14% - payment data, Novikov said.

According to Kaspersky Lab, the total number of malware attacks in 2018 increased by 29%. But DDoS attacks are not taken into account here, Vyacheslav Zakorzhevsky, head of the antivirus research department at Kaspersky Lab, explained to the publication.[38]

German Gref proposed to create a ministry for emergency situations in the digital sphere

On October 4, 2018, the Head of Sberbank German Gref said that a separate ministry for emergency situations in the digital sphere should be created in Russia, by analogy with the usual Ministry of Emergency Situations.

"I think we need to create a serious infrastructure. We have a ministry of emergency situations. It is necessary to create a ministry that would control emergencies in the digital sphere, which will affect all infrastructure without exception."

The head of Sberbank also noted that the digital component penetrates into various spheres, and called it one of the key trends and challenges of the future. He also focused on the fact that in the modern world cyber threats are becoming more and more important and make headlines, in connection with which attempts are being made to create political news from them, such as interference in elections or interference in government.

Earlier, Sberbank estimated the global damage from cyber attacks in 2018 at $1 trillion and predicted an increase in this amount to $8 trillion in 2022.[39]

Putin announced the creation of an IT system for the exchange of information about cyber threats

On July 6, 2018, it became known about the creation in Russia of an automated system for exchanging information about cyber threats. This was stated by Russian President Vladimir Putin during the International Congress on Cybersecurity in Moscow.

"A business initiative will be implemented to form a system for automated exchange of information about threats in the digital space. In cyber attacks, this system will allow better coordination of the actions of telecom operators, credit institutions, Internet companies with law enforcement agencies and thereby quickly eliminate emerging threats," he said.[40]

Putin called for the development of uniform international rules of the game in the digital sphere

Also, the Russian authorities intend to develop a system of international exchange of information on cyber threats.

"In the near future, the government should decide on the structure that will be responsible for this work," Putin said.

According to the head of state, in order to combat cyber threats it is necessary to develop new comprehensive solutions to prevent and suppress crimes against citizens in the digital environment. For this, it is important to create appropriate legal conditions and to ensure convenient forms of interaction between citizens and state structures, he stressed.

"We will strive to ensure that the software and infrastructure operating in Russia is based on domestic technologies and solutions that have passed the appropriate verification and certification. Of course, not to the detriment of competition," said the Russian leader.

Speaking about other priorities in the information sphere, Putin named among them research in this area in cooperation with business and scientists. According to the president, this will allow promoting domestic technologies and creating popular and competitive products on their basis.

During his speech, Vladimir Putin also drew attention to the fact that the number of cyber attacks on Russian resources in the first quarter of 2018 compared to the same period in 2017 increased by a third.

2017

The Supreme Court of the Russian Federation explained the subtleties of the qualification of cyber fraud

The Supreme Court of the Russian Federation explained to judges how cyber fraud and bank card fraud should be qualified. The Plenum of the Supreme Court of the Russian Federation issued a resolution "On judicial practice in cases of fraud, misappropriation and embezzlement," which for the first time explains in what cases and how the new fraud articles added to the Criminal Code of the Russian Federation in 2012 should be applied, TASS reported in November 2017.[41][42]

The article "Fraud in the field of computer information" (159.6 of the Criminal Code of the Russian Federation) provides for the use of software or software and hardware to influence servers, computers (including portable ones) or information and telecommunication networks in order to illegally seize someone else's property or obtain the right to it. Such actions should be qualified additionally under the articles of the Criminal Code on unlawful access to computer information or on the creation, use and distribution of malware.

The use of other people's credentials is subject to qualification under the article "Theft." The use of other people's credentials means the secret or fraudulent use of the victim's phone connected to the Mobile Bank service, authorization in the Internet payment system under stolen credentials, etc.

Theft of property by disseminating deliberately false information on the Web (creating fake sites or online stores, using e-mail) should be treated as ordinary fraud under Art. 159 of the Criminal Code of the Russian Federation.

The article "Fraud using payment cards" (159.3 of the Criminal Code of the Russian Federation) should be resorted to in cases where the fraudster posed as the true owner of a bank card when paying for purchases or banking operations. Cashing funds through ATMs qualifies as theft.

As explained in the resolution of the Supreme Court of the Russian Federation, theft of non-cash funds using the owner's personal data, password or card data, obtained by the criminal from the owner through deception or breach of trust, should also be treated by the court as theft.

The manufacture, storage, transportation of fake payment cards, technical devices and software for illegal reception, issuance, transfer of funds should be considered a preparation for a crime (if the crime was not committed for reasons beyond the control of the attacker).

The sale of unsuitable fake payment cards, technical devices and software, allegedly to steal money, is regarded as fraud or petty theft.

The manufacture or purchase of fake bank cards for the purpose of theft on a large or especially large scale, where the intent was not carried through to completion (for reasons beyond the control of the attacker), constitutes both preparation for theft and the completed crime provided for by Art. 187 of the Criminal Code of the Russian Federation ("Illegal circulation of means of payment").

PwC: Most Russian companies cannot withstand cyber attacks

Most Russian companies cannot successfully withstand cyber attacks, according to a study by the international consulting company PwC released in November 2017.[43]

PwC believes companies should invest time and money in cybersecurity technology

Half of Russian respondents note that their companies do not have a common information security strategy, and 48% of companies do not have a training program aimed at increasing employee awareness of security issues.

In addition, 56% of companies admitted that they have not worked out the process of responding to cyber attacks. Only 19% of PwC study participants in Russia and 39% of respondents worldwide are fully confident in the ability to find hackers.

Among the main measures for detecting cyber risks, Russian survey participants named an assessment of cyber threats (50%), constant monitoring of the information security system (48%), an assessment of the level of vulnerability (44%) and a penetration test to check the protection system (40%).

Almost a quarter of Russian companies say that the use of mobile devices has led to information security problems. This factor took second place after phishing attacks, which lead among the threats named.

"Cyber incidents occur every day, while the brand and reputation of the company that has become the target of a hacker attack is seriously damaged. Companies need to protect customer confidence by investing time and money in the implementation of appropriate systems and technologies aimed at ensuring cybersecurity," said Roman Chaplygin, head of PwC information security services practice in Russia.

According to him, another effective tool in the fight against cybercrime can be the regular exchange of information between companies.

Compulsory cyber risk insurance may appear in Russia in 2022

The public sector of Russia could earn about 50 billion rubles on risk insurance in the field of information protection. The initiative to introduce cyber risk insurance was announced within the framework of the state program "Digital Economy."

It is planned that all companies engaged in the processing and storage of data, regardless of their form of ownership, will be obliged to insure cyber risks. Mobile and Internet operators, hosting providers and large IT companies fall into this category, which certainly guarantees high profitability for this type of insurance. Under what conditions and in what amounts payments will be made on insured events is not yet known.[44]

See also InsurTech - Information Technology and Digitalization in Insurance (Cyber Insurance and Telematic Data)

The Ministry of Internal Affairs and Group-IB liquidated the group that stole 50 million rubles with the help of a Trojan

In May 2017, two dozen cybercriminals were detained in several cities of Russia, who stole more than 50 million rubles using malware for mobile devices.

The members of the criminal group infected more than 1 million smartphones with the Cron malware, a Trojan for the Android OS, with which attackers stole money from bank accounts. With the help of hidden SMS commands, the money was transferred to pre-prepared accounts.

Group-IB helped the Ministry of Internal Affairs detain hackers who stole 50 million rubles
"In the course of conducting operational-search measures, it was established that the group includes 20 people living in the Ivanovo, Moscow, Rostov, Chelyabinsk and Yaroslavl regions and the Republic of Mari El, and the organizer of the illegal business is a 30-year-old resident of Ivanovo," the press service of the Ministry of Internal Affairs of the Russian Federation indicated.[45]

Group-IB, whose experts were the first to discover the Cron Trojan, was actively involved in the investigation of the criminal group.

The first information about it appeared in March 2015: Group-IB recorded the activity of a new criminal group distributing the malware "viber.apk," "Google-Play.apk" and "Google_Play.apk" for Android on hacker forums. Cron attacked customers of large Russian banks from the TOP-50, Group-IB reported.[46]

Infection occurred in two ways: through phishing SMS mailings and through applications disguised as legitimate ones. The Trojan was distributed under the guise of applications such as Navitel, Framaroot, Pornhub and others. In the case of phishing mailings, potential victims received links to attacker-controlled sites, where social engineering was used to prompt them to manually install the malicious application themselves.

Once on the victim's phone, the Trojan added itself to the device's startup and then independently sent SMS messages to the telephone numbers specified by the criminals, forwarded the text of SMS messages received by the victim to remote servers, and hid SMS notifications from the bank.

According to Group-IB, hackers opened more than 6,000 bank accounts to which victims' money was transferred. Every day, the malware infected about 3,500 users and tried to steal money from 50-60 customers of different banks. The average volume of theft is about 8000 rubles. The total damage from Cron's actions is estimated at 50 million rubles.

The attackers apparently planned to expand their activities outside the Russian Federation. In June 2016, the same group leased the Tiny.z mobile banking Trojan, which targets not only Russian credit institutions but also banks in Great Britain, Germany, France, the USA, Turkey, Singapore, Australia and other countries.

As a result of the operation of Russian police and security experts, all active members of the Cron gang were detained. As it turned out, many of them already have a wealth of criminal experience.

According to the press service of the Ministry of Internal Affairs, in relation to the four detainees, the court chose a preventive measure in the form of detention, in relation to the rest - a recognizance not to leave. On the territory of six regions of Russia, 20 searches were carried out, during which computer equipment, hundreds of bank cards and SIM cards issued on dummy persons were seized.

A criminal case was initiated on the grounds of the corpus delicti provided for in Part 4 of Art. 159.6 of the Criminal Code of the Russian Federation (fraud in the field of computer information).

"In the Western press, accusations are often heard against the Russian authorities that they do not interfere with the activities of cybercriminals and almost directly condone them," says Dmitry Gvozdev, CEO of the Security Monitor company. "This story is one of the examples proving the failure of such an assessment. It's just that some facts fall into the focus of attention of the foreign press, while others are often ignored."

Danish Defense Ministry: Russian hackers hacked the mail of our employees for two years

Hackers from Russia associated with the country's leadership had access to electronic mailboxes of the Danish Ministry of Defense for two years. This was announced in April 2017 by the country's Minister of Defense, Claus Hjort Frederiksen.

The report, cited by Berlingske, reports that during 2015 and 2016, hackers from the Fancy Bear group had access to the unclassified mail content of some military officials.

According to the publication, "for a long time, hackers sent a large number of emails to specific employees in the Ministry of Defense." Employees received messages saying that "the system requires an update" and that they must enter their passwords. To mislead ministry employees, the hackers used fake login pages that replicated the ministry's pages. In addition, the newspaper reports, the goal of the alleged hackers could have been not only to obtain the information they needed but also the possible recruitment of agents from among the ministry's employees.

It is noted that the hack became possible because not all mailboxes were sufficiently protected. This problem has now been eliminated.[47][48]

Cybercriminals disguise themselves as "Russian" hackers

The malware used in recent cyber attacks on Polish banks contains fake evidence suggesting that the attacks were carried out by allegedly Russian-speaking hackers. This conclusion was reached by BAE Systems experts Sergei Shevchenko and Adrian Nish following an analysis.[49]

The malware sample studied by the experts contained a large number of distorted Russian words that native speakers of Russian never use. As the analysis showed, the virus writers used online translation services such as Google Translate to translate words from English into Russian. According to Shevchenko, whoever translated the text had never dealt with the Russian language and so did not notice the difference between phonetic and conventional spelling.

In particular, when translating the English word "client," the virus writer used its phonetic spelling ("kliyent") instead of "client" or "klient." In addition, commands were also translated with online translators. For example, the "install" command was written as "ustanavlivat," the "exit" command as "vykhodit," and so on.

Such errors were found not only in the malware but also in a custom exploit kit used to deliver it to victims' computers.
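The linguistic artifacts cited above (phonetic romanization such as "kliyent", commands rendered as Russian infinitives such as "ustanavlivat" and "vykhodit") can be flagged mechanically during triage. The script below is an added example, not code from the BAE Systems analysis; its sample blob is constructed, its lookup tables contain only the forms the text cites, and the infinitive-suffix rule is a heuristic assumption of this example.

```python
"""Mechanical check for machine-transliterated Russian in malware strings.

Added example (not from the original page or the analysts' tooling).
Extracts printable strings from a binary blob the way `strings` does,
then flags tokens that look like the output of an online translator:
phonetic romanizations, known machine-translated command names, and,
as a heuristic, Latin tokens ending in a Russian infinitive suffix.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Phonetic romanizations cited in the analysis -> spellings a Russian
# speaker would actually use. Extend from your own samples.
PHONETIC_FORMS: Dict[str, Tuple[str, ...]] = {
    "kliyent": ("klient", "client"),
}

# Command names the analysis attributes to an online translator:
# English verbs turned into Russian imperfective infinitives.
TRANSLATED_COMMANDS: Dict[str, str] = {
    "ustanavlivat": "install",
    "vykhodit": "exit",
}

# Heuristic assumption of this example: a Latin token ending in a
# Russian imperfective-infinitive suffix (-ivat, -yvat, -ovat, -evat,
# -odit) is an unusual command name and worth a second look.
INFINITIVE_RE = re.compile(r"^[a-z]+(?:[ioey]vat|odit)$")

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WORD = re.compile(r"[a-z]+")


def extract_strings(blob: bytes) -> List[Tuple[int, str]]:
    """ASCII runs of four or more printable bytes, with their offsets."""
    return [(m.start(), m.group().decode("ascii")) for m in PRINTABLE_RUN.finditer(blob)]


def check_token(token: str):
    """Return (kind, reason) if the token shows a translation artifact, else None."""
    if token in PHONETIC_FORMS:
        native = "/".join(PHONETIC_FORMS[token])
        return "phonetic", f"phonetic romanization; native spelling would be {native}"
    if token in TRANSLATED_COMMANDS:
        return "translated_command", f"infinitive produced by translating '{TRANSLATED_COMMANDS[token]}'"
    if INFINITIVE_RE.match(token):
        return "infinitive_heuristic", "imperfective infinitive used as a token (heuristic)"
    return None


def analyze(blob: bytes) -> List[Dict[str, object]]:
    """Scan every extracted string and report tokens that look machine-translated."""
    findings = []
    for offset, text in extract_strings(blob):
        for token in WORD.findall(text.lower()):
            hit = check_token(token)
            if hit:
                kind, reason = hit
                findings.append({"offset": offset, "string": text, "token": token,
                                 "kind": kind, "reason": reason})
    return findings


def summarize(findings) -> Dict[str, int]:
    """Count findings per kind; several independent kinds together is the signal worth reporting."""
    return dict(Counter(f["kind"] for f in findings))


# Constructed sample, standing in for the string table of an analysed binary.
# "klient", "exit" and "commit" are controls that must not be flagged.
SAMPLE_BLOB = b"\x00".join([
    b"Config loaded", b"kliyent", b"klient", b"ustanavlivat",
    b"vykhodit", b"exit", b"commit", b"zapisyvat",
])

if __name__ == "__main__":
    for f in analyze(SAMPLE_BLOB):
        print(f"0x{f['offset']:04x} {f['token']:<14} {f['reason']}")
    print(summarize(analyze(SAMPLE_BLOB)))
```

The heuristic rule generalizes beyond the three words the text cites (it catches "zapisyvat" in the sample), so treat its hits as leads to confirm by hand, not as attribution evidence on their own.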

Russian aerospace industry attracts growing interest of cyber spies

In February 2017, it became known that Chinese hackers began to intensively attack aerospace companies in Russia and Belarus. This conclusion was made by Proofpoint experts monitoring the activities of the group, previously seen in attacks on government structures and commercial companies around the world.[50]

Hackers allegedly acting in the interests of the PRC government used the NetTraveler Trojan and the PlugX remote administration tool. With their help, criminals carried out espionage activities around the world.


Starting in the summer of 2016, this group began to use a new malware called ZeroT, which, after entering the system, downloads and installs PlugX.

ZeroT itself is distributed using spear-phishing (targeted) emails containing attachments in HTML Help (.chm) format. The hackers used .chm documents with executable files embedded in them. User Account Control (UAC) responded properly to attempts to open these .chm files (in reality, attempts to run the embedded executables), but in at least a few cases users "obediently" allowed the infection to proceed.

This is in no small part due to the effectiveness of the subject lines of the phishing emails, such as "2017-2020 Federal Target Program", "Changes in the list of affiliates as of 21.06.2016", and so on.

The hackers also actively exploited the CVE-2012-0158 vulnerability by sending Microsoft Word files with exploits, as well as self-extracting .rar files containing components to bypass the audit trail.

China is regularly accused of active cyber espionage against other countries. The PRC authorities categorically deny all accusations, but cybersecurity experts around the world have gained sufficient evidence that the PRC armed forces have units engaged in cyber espionage and cyber attacks.

"Cyber espionage, like traditional espionage, has long been a factor in international politics, which has to be constantly kept in mind," says Dmitry Gvozdev, CEO of Security Monitor. "We live in an era of 'cold cyber war' of global proportions. Any industry of strategic importance becomes an object of unfriendly interest, and attempts at attacks are only a matter of time. As for their success, it all depends on how prepared the personnel of the attacked organizations are for an attack, whether they know how to identify attempts at cyber attacks and how to distinguish phishing emails from legitimate ones, and how closely IT personnel monitor timely software updates."

2016

Germany: Russian hackers have long arms

The head of the Federal Office for the Protection of the Constitution, Hans-Georg Maassen, said at the end of the year that an analysis conducted by the agency showed similarities in the attack on the OSCE information system in November 2016 indicating the involvement of the APT 28 hacker group, also known as Fancy Bear.[51]

The reason for the attack on the OSCE, according to Germany, is an attempt to interfere with the organization's mission in Ukraine. It is noted that Germany held the chairmanship of the organization in 2016.

Also, according to Maasen, the cyber attack on the OSCE was similar to the hacking of the Christian Democratic Union (CDU) party of German Chancellor Angela Merkel and the Bundestag website back in 2015, writes Frankfurter Allgemeine Zeitung[52].

Despite the time that has passed since that event, on December 1 the WikiLeaks portal published about 90 gigabytes of data containing classified documents from the investigation into the relations of the US National Security Agency (NSA) with German counterintelligence.

At the same time, the source of the leak to Julian Assange's organization is still believed to be not hackers but an informant inside the Bundestag itself. At the end of December, German law enforcement agencies concluded that the data could have been passed on by one of the deputies or employees of the parliamentary staff. In their opinion, only 16 gigabytes of classified information ended up in the hands of hackers after the 2015 attack.

Perhaps after the publication of an "unclassified" version of the US intelligence report, in which WikiLeaks is actually called an accomplice of pro-Kremlin hackers, the German authorities will also change their minds and find a connection between the 2015 incident and the leaks at the disposal of the organization.

According to Bruno Kahl, head of the German Federal Intelligence Service, the cyber attacks have a single goal: to cause political uncertainty. The digital traces left behind, he believes, give the impression that someone was trying to demonstrate their abilities, Deutsche Welle writes[53].

Russian companies are aware of IT risks and threats

On December 23, 2016, Ernst & Young (EY) published the results of the study "Path to cyber resilience: Sense, resist, react," according to which Russian companies are aware of the risks and threats that accompany the development of information technologies and are ready to invest in building effective information security systems[54].

Over the past year, in the companies of Russia and the CIS at all levels of management, we note a significant increase in attention to information security issues. Organizations are aware of the risks and threats posed by today's development of information technologies and are ready to invest in building effective information security systems.

Nikolay Samodaev, EY Partner, Head of Business Risk Services, IT and IT Risk Management in CIS

42% of respondents noted an increase in investment during 2016, with a significant part of the study participants (37%) planning to increase them in the future.

More than half of the respondents reported that their companies operate security operations centers (SOCs). Compared to global trends, Russian companies are less active in exchanging data with other SOCs (7% in Russia versus 32% worldwide). 25% of Russian SOCs use paid subscriptions for proactive cyber threat intelligence (41% worldwide), and 18% have dedicated expert cyber threat analysts (32% worldwide).

Russian study participants noted increased risks as mobile devices become more widespread. Respondents pointed to the risks and threats of loss or theft of mobile devices (61%), their hacking (45%) and non-compliance with the rules for their use (71%). In 2015, the most common weakness in internal control systems was a low level of user awareness in responding to phishing attacks, which led to an increase in cyber attacks of this type.

Building an effective information security system involves a continuous process of analyzing and improving cybersecurity management processes, including reassessing current threats and revising security mechanisms. This is not only a matter of effective technical and organizational protection measures. Creating a full-fledged program to counter cyber threats is possible only with close cooperation between technical specialists and the business management of the organization, which provides a holistic vision of the business and the business environment, an understanding of the relationships between business processes and the information systems in use, a correct assessment of cyber threats and their possible consequences, and, as a result, the optimal choice of adequate preventive and reactive protection measures.

Nikolay Samodaev

In Russia, cyber attacks will carry up to 10 years in prison

Legislative protection against cyber threats

In December, the Russian government submitted to the State Duma several bills aimed at protecting the information systems of the Russian Federation from cyber threats. The package of bills "On the security of critical information infrastructure (CII) of the Russian Federation"[55] was submitted to the State Duma on December 6, 2016, Interfax reports. In particular, it provides for prison sentences of up to 10 years for hackers.

Protect critical information infrastructure

The authors of the bills attribute the IT systems of state bodies, energy, defense, fuel enterprises and other important state facilities to the objects of critical information infrastructure, noting that "in the worst-case scenario, a computer attack can paralyze the critical information infrastructure of the state and cause a social, financial and/or environmental catastrophe."

"According to data from recent years, based on various methods of assessing damage from malware, it ranged from $300 billion to $1 trillion, that is, from 0.4% to 1.4% of global annual GDP, and these indicators tend to grow steadily. Typical examples of the consequences of computer attacks on the critical infrastructure of a state are the shutdown of centrifuges at the Iranian nuclear facility by the Stuxnet computer virus in September 2010 and the paralysis of several large financial institutions in South Korea in March 2013," the accompanying documents to the bills say.

The bills should "establish the basic principles of ensuring the security of critical information infrastructure, the powers of state bodies of the Russian Federation in the field of ensuring the security of critical information infrastructure, as well as the rights, obligations and responsibilities of persons who own CII facilities, telecom operators and information systems that ensure the interaction of these facilities."

Register of CII facilities

As one of the CII security measures, it is proposed to create a special register that will include all important infrastructure facilities, classified by their political, economic, environmental and social significance. Objects entered in the register are expected to receive one of three categories of significance: high, medium or low.

Representatives of CII facilities included in the register will be required to report cyber attack incidents and assist in eliminating their consequences. In particular, the owners of critical infrastructure will be obliged to create and maintain a cybersecurity system for their facilities, as well as to ensure the creation and storage of backup copies of the information needed for the normal functioning of their IT systems.

Hackers will be given up to ten years

It is also proposed to supplement the Criminal Code of the Russian Federation with Article 274.1 "Unlawful Impact on the CII of the Russian Federation." The article will criminalize the creation and distribution of malicious computer programs designed to attack CII, illegal access to data contained in CII, and violation of the operating rules of the systems that store and process such data.

The article provides for fines of up to 2 million and prison terms of up to 10 years for offenders, depending on the severity of the crime, the presence of a prior conspiracy and the number of participants. The authors of the bills emphasize that "attacks committed for criminal, terrorist and intelligence purposes by individuals, communities, foreign special services and organizations can pose a danger."

It is planned that the amendments submitted for consideration will enter into force on January 1, 2017, with the exception of several articles, including provisions on the introduction of criminal liability for violations in the field of security of critical infrastructure. They will come into force from the beginning of 2018.

US court finds son of deputy Seleznev guilty of cyber fraud

Russian citizen Roman Seleznev was found guilty of cyber fraud by a jury in Seattle. This was reported by RIA Novosti with reference to its correspondent[56].

A total of 40 criminal counts were brought against the Russian under four articles, including cyber fraud, computer hacking and theft of personal data. According to investigators, Seleznev was involved in the theft and sale of 1.7 million credit card numbers. The prosecution said that Seleznev caused $170 million in damage.

Roman Seleznev, who is the son of State Duma deputy Valery Seleznev, was detained in the Maldives in 2014 and then taken to the United States.

Seleznev's defense and his father called the detention of the Russian a kidnapping. The Russian Foreign Ministry called the incident "another unfriendly step by Washington" and a violation of international law.

Information security experts: "Russian hackers" is a myth

Information security experts from Informzaschita, Kaspersky Lab, ESET and Aladdin R.D. commented on the phenomenon of "Russian hackers," whom the United States accuses of a major hack into the computers of its politicians[57].


Intellectual potential as a prerequisite for accusations

The basis for the myth of "Russian hackers" was laid by the successes of Russian programmers, who have been in demand in the United States since the late 1990s, says Evgeny Klimov, technical director of Informzaschita. Convinced of the professionalism of Russian programmers, foreign companies could easily assume that Russian hackers were no less talented.

There is a young generation of IT specialists in Russia, and some of its representatives are really engaged in hacking, but they are not criminals, Klimov said. These are the so-called "ethical hackers" who work for commercial and government organizations to help them protect their information and IT infrastructure. Russian ethical hackers are engaged in hacking mainly as part of bounty programs of various brands and contests for finding vulnerabilities for money.

Is it realistic to track the "Russian trace" in cybercrimes?

One of the main reasons why it is impossible to prove the involvement of citizens of a particular country in a certain cybercrime is the ability of hackers to "cover their tracks."

"In today's world, it is almost impossible to establish the source of an attack if the attacker's level of knowledge allows him to hack into the most secure information systems in the world," said Evgeny Klimov. "Hackers have a whole pool of tools to destroy the slightest clues about their location, not only in a particular city but anywhere on the planet. Moreover, these brilliant guys are able to create any impression of their geoposition they like, so that suspicion falls on someone else, for example, on a specific country."

"'Russian hackers' is a classic stereotype of the nineties and early 2000s. Today it is widely used for propaganda purposes," said Artem Baranov, a virus analyst at ESET. "Yes, it is based on some truth: Russian-speaking programmers are highly qualified and theoretically can turn their knowledge 'to the dark side' and engage in malware development. On the other hand, in the age of globalization, it is strange to emphasize the nationality of hackers. High-quality education in programming can be obtained not only in Russia, cybercrimes are committed around the world, and cyber groups unite people from different countries. Many hackers who came to the attention of the ESET virus laboratory operated from China or, for example, Latin America."

The political roots of the concept of "Russian hackers"

The most high-profile attacks attributed to "Russian hackers" are sabotage directed against the governments of countries bordering Russia, but adhering to a pro-Western orientation: Ukraine, Georgia, the Baltic countries. Therefore, it is highly likely that not only the real facts revealed by the investigation are behind the accusations, but also political motives.

"Of course, Russian cybercriminals exist; moreover, they are quite famous all over the world," said Kaspersky Lab expert Alexander Gostev. "But here it is more correct to talk about Russian-speaking cybercriminals." Russian-speaking in this case means cybercriminals who are citizens not only of the Russian Federation but also of some of the neighbouring countries of the former Soviet Union. In most cases, these are Ukraine and the Baltic countries, Kaspersky Lab believes. This leads to a paradoxical situation in which natives of Ukraine and the Baltic states take part in attacks on the governments of their own countries, while the public blames "Russian hackers."

Who is who in the world of cybercrime

"Russian-speaking hackers were the leaders for a long time, but now they have ceded first place to the Chinese (mainly because of sheer numbers)." Third place in the world is occupied by the Latin American hacker community, which also includes Brazilians. In recent years, so-called "Muslim" cybercrime has been developing rapidly, grouped mainly around the Turkic-speaking community.

Investing in crime

On June 24, 2016, it became known from Ilya Medvedovsky, CEO of Digital Security, that cybercriminals actively invest funds stolen from fellow citizens in research aimed at improving their schemes[58].

According to the expert, hackers direct up to 30-40% of the money stolen from citizens' cards to research whose purpose is to improve criminal schemes. Hackers began to spend significant amounts on research after a change of priority: the fraudsters' target became the correspondent accounts of banks. Criminals order the research through legal channels.

According to the Central Bank, in 2015 the volume of losses from cyber fraud amounted to 1.14 billion rubles. A third of this amount is invested. According to Ilya Medvedovsky, hackers can send up to 300-400 million rubles for research. Previously, hackers spent no more than 10-20 million rubles for these purposes.

Cyber fraudsters are exploring new technologies that will allow them to simplify attack schemes. In the crosshairs are banks and payment systems with their innovations in cards, Internet and mobile banking. Hackers order research under the guise of legal startups and fintechs. These are gigantic sums for cybersecurity research; legal companies on the market spend many times less. Investments in the future help hackers carry out schemes as technically complex as the attack on Kuznetsky Bank, the damage from which amounted to 500 million rubles. This is all the more relevant because cyber fraudsters have begun to switch to bank correspondent accounts.

Expert forecast: hackers will invest up to half of their "profit" in further development.

The shift in the priorities of cyber fraudsters to bank correspondent accounts was reported by Artem Sychev, deputy head of the Main Department of Security and Information Protection of the Central Bank. According to the Central Bank's estimates, in 2016 losses from cyber fraud, primarily from the hacking of bank correspondent accounts, will amount to about 4 billion rubles.

Sergey Nikitin, deputy head of the Group-IB computer forensics laboratory, believes that hackers invest the stolen amounts in writing high-quality malicious code; regularly re-encrypting executable files to hide them from antivirus software; buying and searching for exploits, i.e. programs that exploit vulnerabilities in a variety of platforms; paying for traffic, i.e. infecting computers in order to expand their own botnets (networks of infected computers); and channels for laundering money.

According to Artem Sychev, the attack coordinator gets about 40% of the stolen amount; the "loader", who sends Trojans and other malicious software to break into the client's account or the bank's information system, gets 10%. 8% goes to the people who withdraw the stolen money (receiving cards at bank branches or making clone cards themselves for subsequent cash withdrawal at ATMs). 30-40% goes to those who withdraw cash through ATMs and hand it over to the customer. Malicious software also costs a lot of money, up to $50 thousand per program.

The representative of the Central Bank described the technical organization of an attack on bank correspondent accounts:

  • fraudsters launch malware to break into the information system of a credit institution;
  • the bank's information infrastructure is seized: in effect, the attackers begin to manage the network, and information about all bank operations, the frequency and volume of transactions, and the balance of the correspondent account becomes available to them;
  • the hackers "sit" on the bank's network for a week, at most two;
  • a team is prepared to withdraw (cash out) the stolen funds;
  • false documents for debiting funds from the correspondent account are drawn up, certified by the legitimate signatures of the bank's responsible persons;
  • payment orders are sent to the payment system, for which they are legally valid payment documents that it is obliged to execute in accordance with the contract and legislation.

To stay one step ahead of criminals, banks need to concentrate on the aspects that interest hackers: conduct a thorough analysis of their own payment processes and IT technologies in terms of real hacking risks, integrate protective technologies into the automated banking system rather than placing protective tools only around the perimeter, train their users in the rules of Internet banking, and move from chaotic to process-based information security.

Andrey Yankin, Head of Consulting at the Information Security Center of Jet Infosystems

2015

FSB will take control of security in Runet

In Russia, the creation of a "Counteraction System" against cyber threats has been announced. The National Coordination Center for Computer Incidents under the FSB will become one of its key components. The system is being created on the basis of the FSB and another authorized federal body, whose name is not disclosed[59].

The security of the sites of domestic government bodies will be provided by a special division of the FSB - the National Coordination Center for Computer Incidents.

FSB Office, Moscow, 2013


Information about its creation is contained in the "Concept of the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of Russia," an extract from which is published on the FSB website. According to the FSB publication, the President of Russia approved on December 12, 2014 a regulatory document entitled "The concept of a state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation," but this is the first time a fragment of it has been made public.

The published extract from the "Concept" is devoted to the organizational structure of the System for the detection, prevention and elimination of the consequences of computer attacks on information resources of the Russian Federation, which is created on the basis of Presidential Decree No. 31c of January 15, 2013.

The "Concept" describes the System as a "single centralized, geographically distributed complex," which includes forces (authorized power units) and means (technological solutions) for detecting, preventing and eliminating the consequences of computer attacks.

The System will include two federal executive bodies: one of them is authorized to ensure the security of the critical information infrastructure of the Russian Federation (it is not named in the document), the second - to create and ensure the functioning of the System. The obligation to create the System by Decree No. 31c is entrusted to the FSB.

The "Concept" lists 12 functions for ensuring the information security of Internet resources assigned to the System. Among them:

  • identification of signs of computer attacks,
  • development of methods and means for detection, prevention and elimination of consequences of computer attacks;
  • generation of detailed information on information resources of the Russian Federation under the System's responsibility (i.e. resources of authorities);
  • forecasts in the field of information security of the Russian Federation;
  • organization and interaction with law enforcement agencies and other government agencies, owners of information resources of the Russian Federation, telecom operators, Internet providers and other interested organizations at the national and international levels in the field of detecting computer attacks and identifying their sources;
  • organization and conduct of scientific research in the field of detection, prevention and elimination of the consequences of computer attacks, etc.

Although the main goal of the System stated in the "Concept" is to protect the sites of government agencies (information resources of the Russian Federation), a study of its documented functions suggests that the FSB has practically unlimited powers to ensure information security in Runet.

Cyber ​ ​ threats in online retail

The 42Future research agency, commissioned by Qrator Labs, surveyed twenty large online retailers about DDoS attacks. The survey was answered by middle and senior managers well acquainted with the issue.

2014

Data from Kaspersky Lab and B2B International

As a result of the actions of cybercriminals in 2014, a third of financial companies (36%) in Russia faced a leak of important data related to the implementation of monetary transactions. At the same time, 81% of financial organizations believe that they "are taking all the necessary measures to maintain the relevance of protective technologies." Such data were obtained during a study conducted by Kaspersky Lab in conjunction with B2B International.

Financial institutions accept, process and store large amounts of their customers' confidential information. That is why, in a business where client trust is highly valued, cyber attacks can be especially painful and lead to increased risks, both material and reputational. As the study showed, financial institutions are well aware of this: 52% of them reported that they are ready to introduce new technologies to further protect financial transactions.

After serious incidents, companies tend to pay more attention to information security. The most popular measure this year among Russian financial organizations was securing the connection used for client transactions, cited by 86% of respondents. Companies are also increasingly interested in providing their customers with specialized mobile applications for online banking (61%). This indicates that the security of mobile payments is becoming a priority.

The least common measure was providing customers with a protective solution, free of charge or at a reduced cost. Only 53% of respondents considered deploying specialized protection on clients' computers and mobile devices after a data breach. This indicates that companies are more interested in securing their own infrastructure than that of their users.

  • Data from the Business Information Security study conducted by Kaspersky Lab and B2B International from April 2013 to April 2014. The study involved more than 3900 IT specialists from 27 countries of the world, including Russia.

Proofpoint Data

Wayne Huang of the information security company Proofpoint published a detailed report in the fall of 2014 on the Qbot hacker group, which secretly gained access to other people's bank accounts. At its peak, the Qbot group controlled about 500 thousand PCs, capturing from the keyboard the passwords users typed into banking services[60].

Half a million infected PCs is not a very large botnet by current standards; however, the study published by the Proofpoint researcher is interesting in that it describes the sophisticated tactics of the botnet's authors and, moreover, points to their Russian origin.

The hypothesis about the Russian (Russian-speaking) roots of the botnet's creators is based on the Qbot control panel, which Proofpoint researchers were able to access. Screenshots presented in Proofpoint's report clearly show menu items and comments in correct Russian on the botnet's control pages.

According to the study, Qbot, which Proofpoint also calls Qakbot, was aimed at attacking the remote banking systems of American banks. The United States accounts for 75% of IP addresses with which botnet management servers contacted, with 59% of them belonging to customers of the five largest American banks. The rest of the world accounts for only a quarter of PCs controlled.

Interestingly, 52% of PCs that Qbot has infected run Windows XP, although, as the authors of the report emphasize, this OS now occupies only 20-30% of PCs in both households and the corporate sector. Support for Windows XP was discontinued by Microsoft in April 2014.

According to Proofpoint's analysis, 82% of successful Qbot infections were committed through Internet Explorer.

Attacks on the computers of potential victims were carried out from sites built on the WordPress engine. The creators of the botnet gained initial access to them by buying a database of admin names and passwords on the black market, after which they injected their malicious code into the sites.

When a potential victim visited an infected site, a special traffic management system profiled the visitor's PC by its IP address, browser type, operating system, installed security software and other criteria. In this way the creators of the botnet minimized the risk that the malicious code embedded in the sites would be detected.

Most infected sites ran regular antivirus scans, but the embedded malicious code went unnoticed because the attackers tried to use exploits that did not trigger antivirus programs. According to Wayne Huang, before malicious code was deployed it was checked against the Scan4U database, which aggregates data from dozens of antivirus companies. If the database recognized the malicious code, it was changed to a variant that scanning did not flag.

The creators of Qbot also took measures to protect against antivirus companies: if a visitor to their site looked like an automated antivirus scanner, the traffic control system redirected it to an uninfected version of the site. The hackers had at their disposal a list of IP addresses used by information security companies, and any traffic from them was likewise forwarded to "clean" copies of the sites. As a result of these measures, as Wayne Huang writes, many owners of the sites he contacted did not believe that they had been attacked.
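A site owner cannot rely on a single scan when compromised pages are cloaked as described above. The following is an added example, not code from Proofpoint's report or the Qbot analysis: it fetches the same page under several client profiles and reports script elements that appear for some profiles only. The `fetch` callable, the profile names and the sample pages are constructed for this example.

```python
"""Differential fetch check for cloaked script injection (added example).

Idea: a cloaking traffic-management system serves an injected page to
ordinary browsers and a clean page to scanner-like clients. Fetching the
same URL under several client profiles and comparing the <script>
elements exposes the difference. Everything below runs offline on
constructed sample pages; in practice `fetch` would wrap an HTTP client.
"""
from __future__ import annotations

import hashlib
import re
from typing import Callable, Dict, List

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Client profiles to compare (constructed). Only the request headers differ.
PROFILES: Dict[str, Dict[str, str]] = {
    "browser_winxp_ie8": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"},
    "browser_modern": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"},
    "scanner_like": {"User-Agent": "AVScanner/1.0 (+http://example.invalid/bot)"},
}

Fetcher = Callable[[str, Dict[str, str]], str]


def extract_scripts(html: str) -> List[str]:
    """Return every <script> element in the page with whitespace normalised."""
    return [re.sub(r"\s+", " ", m.group(0)).strip() for m in SCRIPT_RE.finditer(html)]


def script_fingerprint(scripts: List[str]) -> str:
    """Order-independent hash of a page's script set, for quick comparison."""
    return hashlib.sha256("\n".join(sorted(scripts)).encode("utf-8")).hexdigest()


def compare_profiles(url: str, fetch: Fetcher) -> dict:
    """Fetch `url` under every profile and flag scripts not served to all of them.

    Returns a dict with:
      cloaked      - True if the script set differs between profiles
      fingerprints - profile name -> fingerprint of its script set
      suspicious   - script element -> sorted list of profiles that received it
    """
    per_profile = {name: extract_scripts(fetch(url, headers)) for name, headers in PROFILES.items()}
    fingerprints = {name: script_fingerprint(scripts) for name, scripts in per_profile.items()}
    all_scripts = set().union(*per_profile.values())
    suspicious = {}
    for script in all_scripts:
        seen_in = sorted(name for name, scripts in per_profile.items() if script in scripts)
        if len(seen_in) != len(PROFILES):
            suspicious[script] = seen_in
    return {
        "cloaked": len(set(fingerprints.values())) > 1,
        "fingerprints": fingerprints,
        "suspicious": suspicious,
    }


# Constructed sample pages standing in for a compromised WordPress site.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/wp-includes/js/jquery.js"></script></head>
<body><h1>Welcome</h1></body></html>"""

# The injected element is a harmless placeholder comment, not real payload code.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", "<script>/* constructed placeholder for an injected element */</script></body>"
)


def constructed_cloaking_fetch(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for an HTTP fetch of a cloaked site: browser-like
    User-Agents get the injected page, scanner-like ones get the clean page."""
    ua = headers.get("User-Agent", "")
    if ua.startswith("Mozilla") and "AVScanner" not in ua:
        return INJECTED_PAGE
    return CLEAN_PAGE


def constructed_honest_fetch(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for a site that serves the same page to everyone."""
    return CLEAN_PAGE


if __name__ == "__main__":
    for label, fetcher in (("cloaked site", constructed_cloaking_fetch),
                           ("honest site", constructed_honest_fetch)):
        report = compare_profiles("http://example.invalid/", fetcher)
        print(f"{label}: cloaked={report['cloaked']}")
        for script, profiles in report["suspicious"].items():
            print(f"  only served to {profiles}: {script}")
```

Real deployments should also vary the source IP (for example, fetch from a residential connection and from the office range), since the page notes that scanner IP ranges were cloaked as well as scanner User-Agents.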

For the purpose of sniffing (capturing keystrokes when a bank login and password are entered), the authors of Qbot used a whole array of vulnerabilities in the PDF, Java, Flash and Internet Explorer plugins, selected case by case depending on the specific features of the target system. The exploits for these vulnerabilities were usually acquired on the black market, and the hackers abandoned them once they became too widely known.

Huang writes in his study that the authors of Qbot, having scanned 500 thousand computers, were able to obtain data on about 800 thousand bank accounts.

According to him, organized criminal groups are ready to buy bank account data based on the price of $25,000 apiece, and thus, even if the creators of Qbot "sell a percentage of accounts on the black market, they will receive a multimillion-dollar profit from their operation."

Although the operational security of the Qbot creators was good, it cannot be called perfect, Huang says, and he gives an amusing detail: when he found the web address of the botnet control panel, it turned out that access to it did not require a password.

Online folk squads

The Public Chamber has proposed organizing people's online squads that will track and identify the sites and accounts of cybercriminals on the Internet, Deputy Secretary of the Public Chamber Vladislav Grib told RIA Novosti[61].

"There are not many law enforcement specialists who are fighting Internet criminals. The forces of law enforcement officers in monitoring Internet criminals are very insignificant, and we now have no fewer criminals on the Internet than in real life. Many active Internet users from among the members of the Public Chamber are ready to organize the so-called online monitoring of cyberspace," said Grib.

He said that the Public Chamber would like to create people's squads on the Internet and attract several thousand people to them, so that they identify offenses on the network and report them to the competent authorities and Roskomsvyaznadzor.

Federation Council proposes to encourage "white" hackers

The draft concept of the Cybersecurity Strategy of the Russian Federation provides for mechanisms to encourage citizens who help find vulnerabilities in protected information resources and formulate proposals for their elimination[62].

The draft concept contains several sections devoted to: system-wide cybersecurity measures; improvement of the regulatory framework, scientific research; creating conditions for the development, production and application of cybersecurity tools; improvement of staffing and organizational measures; organization of internal and international cooperation to ensure cybersecurity; the formation and development of a culture of safe behavior in cyberspace.

Among the proposed measures is, in particular, the development of a state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation. In addition, it is proposed to tighten administrative and criminal liability for crimes committed in cyberspace.

As one of the measures, it is planned to develop systematic steps for the introduction and use of domestic software and hardware, including cybersecurity tools, in place of foreign-made analogues in state information systems, information and telecommunication networks, and the information systems of critical facilities.

Recorded Future analyzed Russian pro-government hackers

The international information and analytical project Recorded Future, based in the USA and Sweden, published in November 2014 a review of the activities of Russian "pro-government" hacker groups. It concerns the groups Uroburous, Energetic Bear and APT28, which have appeared under different names in the history of cybercrime in recent years[63].

Comparing information about their activity, the tools they use and their modes of operation, the researchers concluded that the three groups were created with different goals: political and economic espionage (Uroburous), preliminary positioning of Russia for future cyber warfare (Energetic Bear), and monitoring and shaping of the geopolitical situation (APT28). These goals, according to the authors, can point to the main actors behind the organization of the attacks.

The activities of the described groups are well planned at the strategic, tactical and operational levels, as evidenced by their constantly changing but non-overlapping targets, Recorded Future's researchers believe. The organized and precise work of the Russian cyber groups, they note, makes their identification and analysis difficult compared with, for example, the carelessness of Chinese hackers. All this elevates Russia to the rank of a serious cyber threat on a global scale.

2013

Symantec Data

Based on Norton Report 2013:

  • 85% of Russians in 2013 faced cybercrime
  • 59% of smartphone users have experienced mobile cybercrime in the last year
  • 56% of mobile users in Russia do not know about the existence of security solutions for them
  • 56% of working users over the age of 18 use their personal mobile device for both entertainment and work
  • 60% of users over the age of 18 use public or unprotected Wi-Fi networks

Cyber Attack Damage Assessment

Each cyber attack on the networks of large Russian companies causes the organization an average of $695 thousand in financial damage. Medium and small businesses lose about $14 thousand per cyber incident. These conclusions come from a joint study by B2B International and Kaspersky Lab[64].

The damage to companies was established by B2B International researchers by interviewing IT professionals from 24 countries around the world, including Russia. A total of 2,895 respondents were interviewed in the preparation of the report.

According to the compilers of the study, three main consequences of cyber attacks lead to financial losses: forced downtime of the company, missed opportunities for its business (including loss of contracts) and additional costs for specialist services. Based on the costs of these factors, the average amount of damage was calculated.

The most expensive factor according to the report is the forced downtime of the companies. For large enterprises, it cost up to $791 thousand, for SMB-segment companies - an average of $13 thousand.

The damage from lost opportunities (in particular, contracts not concluded by companies) reached $375 thousand for large companies and $16 thousand for small and medium-sized enterprises.

Finally, the involvement of third-party specialists to eliminate the consequences of cyber attacks cost, respectively, $6.6 thousand for the SMB segment and $26 thousand for large enterprises. These data collected in Russian companies differ from global data from the same report: on average worldwide, the additional costs of SMB companies after cyber attacks averaged $13 thousand, and large enterprises - $109 thousand.

Deutsche Telekom: Russia is the main source of cyber attacks in the world

German IT company Deutsche Telekom launched a site in the spring of 2013 that displays cyber attacks around the world in real time. According to the portal map, Russia ranks first in the world in terms of the number of outgoing Internet threats.

The http://www.sicherheitstacho.eu portal shows cyber attacks registered by "hacker traps" (honeypots). From Russia in February 2013, almost 2.5 million attacks were registered, which is 2.5 times more than from Taiwan, which took second place. This is followed by Germany with more than 900 thousand threats. Deutsche Telekom has deployed more than 90 sensors worldwide for monitoring. The site shows that about 200,000 new versions of viruses, Trojans and worms appear every day, threatening the security of computers and their owners.

"Of course, not all 2.5 million attacks are the work of Russian hackers; some Internet criminals simply use Russian servers. Deutsche Telekom has developed this monitoring tool, as the company works with customers' personal data and pays special attention to information protection. The statistics presented on the site can be used by any company to assess the situation, including in dynamics, and create a comprehensive system of protection against cyber threats. Any user with a public IP can install a free application and place a trap (honeypot) on his computer; all necessary links are on the portal. In exchange for this, he is guaranteed access to the IP addresses of the attacking and attacked machines," comments Alexey Toskin, CEO of T-Systems CIS.

The Sicherheitstacho website presents a schematic map of the world showing the sources of cyber attacks. It also indicates which targets are attacked and displays attack statistics by type and country. However, attackers are not necessarily physically located in the same countries as their servers. According to the developers, the new Sicherheitstacho platform will help nip cybercrime in the bud.

2012

Symantec Data

NortonLifeLock (formerly Symantec) presented in September 2012 the results of its annual study on cybercrimes committed against users, the Norton Cybercrime Report 2012. Norton experts estimated the total damage to users from cybercrimes worldwide at $110 billion (US). In Russia, the total damage amounted to about $2 billion, and 31.4 million people became victims of cybercriminals.

Despite the fact that most users take basic actions to protect personal data and information, almost 40% of them neglect simple precautions, in particular, create simple passwords or change them irregularly. Another problem is that many users are unaware of how some forms of cybercrime have changed over the years. For example, 40% of users do not know that malware can act unnoticed and it is difficult to determine that a computer is affected, and more than half (55%) are not sure if their computer is infected with a virus.

NCC Group: US leads in the number of hacker attacks, Russia in 3rd place

A study published in early 2012 by the British company NCC Group showed that the United States leads the rest of the countries in the number of outgoing hacker attacks. The results of this study are based on data from monitoring logs of attempted cyber attacks around the world provided by DShield, an information security community based in the States. The source country of the attempted attack was determined by the IP address.

According to the study, the United States generates 22.3% of all attempts to attack computers. It is followed by China with 16%. According to NCC Group estimates, collectively these countries, through their hacking actions, annually cause damage to the global economy of over $43 billion.

By a very large margin from them, Russia ranks third in the number of attempts to attack computers - 3.6%, according to a report by British analysts. The annual damage from the actions of its cyber attackers is estimated at about $4 billion. Brazil is not far behind Russia with 3.5%. Western European countries - the Netherlands, France, Italy, Denmark, Germany on average account for 2.5% to 3.2% of all cyber attacks in the world.

The United States itself regularly points to Russia and China as the main sources of cyber security threats to its country. So, recently, the head of US national intelligence, James R. Clapper, speaking at a hearing of the Intelligence Committee of the US House of Representatives, expressed serious concern about the growing number of cyber attacks by Russian hackers on American computer networks.

"We are particularly concerned that some organisations in China and Russia are making incursions into American computer networks and stealing information. And the increasing role of these players in cyberspace is an excellent example of the easy access of such persons to potentially destructive technologies and production secrets," Western media quoted him as saying. He has also repeatedly mentioned the "Russian-Chinese" cyber threat in his official reports.

Recently, Russia has often been accused of various illegal cyber actions, and it is not uncommon for hacks to be attributed to Russian hackers without sufficient grounds. For example, at the end of 2011, Russia was accused of attacking US infrastructure: local media spread a report that Russian hackers had gained access to a computer and disrupted the operation of a water station in Illinois.

As the official investigation into the matter subsequently showed, a login from a Russian IP address was indeed registered in the station's IT system, but it was made by an employee of the station itself during his stay in Russia, who later confirmed this, and the station's operation was not disrupted at all.

In January 2012, US media reported that a computer virus in the IT system of one of the colleges in San Francisco had been sending its user data to Russia, China and several other countries for several years, despite the fact that this fact had not yet been confirmed by local investigators.

Cyber ​ ​ police of the Russian Federation

In February 2012, Russian President Dmitry Medvedev proposed the creation of a new structure within the Ministry of the Interior to combat crimes on the Internet. At the collegium of the Ministry of Internal Affairs, Medvedev said that "it is necessary to think about creating units that are fundamentally new and focused on identifying and solving very complex crimes in terms of technology." According to Medvedev, the police should pay more attention to crime in the information space, and police chiefs should be able to use the Internet. He stressed that on the Web one can meet not only financial swindlers, but also drug dealers, extremists and other types of criminals, Interfax reports.

A new branch of the military is being created in the Russian Armed Forces to combat cyber threats. This information was confirmed in August 2013 on the air of the Echo of Moscow radio station by the head of the Russian Foundation for Advanced Research, Andrei Grigoriev. According to him, work is now underway on the concept of the program itself, which will be developed by the military department. The Russian Foundation for Advanced Research was created as an analogue of the US Agency for Advanced Research; it is engaged in development in the interests of the country's defense, the radio station said.

2011 Symantec Internet Threat Report

According to the annual Symantec Internet Security Threat Report (Volume 17), Russia ranked sixth in the world in terms of malicious Internet activity in 2011. At the same time, Russia is in third place in the world in terms of the number of spam zombies, and Moscow ranks 11th in the world in terms of the number of bots (malware that automatically performs actions instead of people, often without their consent).

In 2011, Russia made two significant jumps in the world rankings of the countries with the most spam and network attacks. In 2010, the country ranked 6th in the ranking in terms of spam, and in 2011 it rose by 3 positions and still ranks 1st among countries in the EMEA region, including countries in Europe, the Middle East and Africa.

Over the year, Russia also rose from 8th to 5th place in the rating for the number of network attacks. In 2011, there was a trend towards a systematic increase in the number of attacks by malicious code, as well as phishing sites. In addition, there is an increase in the number of active bots in the network - every hundredth bot in the world has a Moscow residence permit (11th place in the world). Following Moscow in terms of the number of bots are cities such as St. Petersburg, Tver, Voronezh and Nizhny Novgorod.

The only exception to the general trend of rising threats is web attacks. Here Russia showed a good result, dropping in the ranking from 7th to 8th place. Nevertheless, compared with others, the Russian user looks like an attractive target for cybercriminals: in the world ranking of countries by malicious activity in 2011, Russia rose from 10th to 6th place.

In addition, Russia ranks 9th in the world in the number of web attacks (compared to 10th last year), retained 7th in the world in the number of web attacks.

[Figure: Leaders in the ranking of source countries of malicious activity on the Internet; second figure: the same ranking, table of bots]

2010: Hackers in Russia earn 2-2.5 billion euros in a year - ESET

The amount of money earned by cybercriminals in Russia in 2010 was about 2-2.5 billion euros. Information security incidents were split roughly 50/50 between individuals and legal entities. At the same time, the amount of funds obtained by cybercriminals through malicious attacks on companies is significantly higher than from distributing malware to home users.

2010 can be called the year of targeted attacks. Information about two similar major incidents was made public. The first attack, carried out at the beginning of the year and codenamed Aurora, was aimed at a whole group of world-famous companies. The target of a directed attack can be not only a specific organization, but also a certain type of IT infrastructure. It was this methodology that was used in another attack, the Stuxnet worm, which penetrated industrial enterprises.

The increased number of Trojan programs aimed at the banking sector, including specific banking systems, allows us to talk about targeted attacks on certain banks and remote banking systems (RBS). In addition, ESET analysts predict that the interest of cybercriminals in the spread of banking Trojans in 2011 will shift even more to popular Internet banking systems. This is due to the huge amount of profit made, since one successful incident can bring attackers up to several million rubles.

Targeted attacks are greatly helped by previously unknown software vulnerabilities (0-days, or zero-day vulnerabilities). Last year, a large number of such "holes" were recorded, both in the most popular browsers and in their no less common extensions. Adobe products were the permanent leaders among discovered and most frequently used vulnerabilities. However, in early autumn, the Java software platform took the lead in the number of exploited zero-day vulnerabilities. According to statistics from the ThreatSense.Net early detection technology, the following exploits and downloader Trojans were most often used in Russia: Java/Exploit.CVE-2009-3867, JS/Exploit.CVE-2010-0806, Java/TrojanDownloader.OpenStream, Java/TrojanDownloader.Agent.

As for the most common malware in our region, the Russian top ten in 2010 was led by various modifications of the Conficker worm with a total share of 10.76%. In second place is the family of malware spread via removable media, INF/Autorun (6.39%). The top three is completed by Win32/Spy.Ursnif.A (5.73%), which steals personal information and account credentials from an infected computer and then sends them to a remote server. In addition, this Trojan can be distributed as part of other malware.

The number of incidents involving infection with the Win32/Hoax.ArchSMS ransomware family (per the ESET classification) also increased in Russia; it practically never left the twenty most common threats in Russia in the second half of 2010. This type of fraud involves distributing popular content, such as flash players or e-books, with a special installer program that requires sending an SMS message during installation in order to continue. Although the malicious Hoax.ArchSMS program was not included in the TOP-10 rating of the most common threats, it caused a lot of problems for Russian users and brought considerable income to scammers in 2010. Data provided by ESET.

According to Group-IB analysts, in 2011 "Russian" hackers earned about $4.5 billion (Group-IB Report 2011, http://www.group-ib.ru/images/media/Group-IB Report 2011 RUS.pdf). In 2011, the damage from cybercrimes in Russia committed by residents of the Russian Federation amounted to about $2.3 billion, while global damage from cybercrime exceeded $12.3 billion. Cybercriminals in the Russian market have practically ceased to be interested in accounts holding less than $500 thousand. According to Group-IB, the largest cyber theft amounted to $26 million: this sum was stolen in 3 months. At the same time, the average age of a cybercriminal is 25 years, the average price for 1000 infected computers is currently $20, and one cybercrime investigation in Russia lasts at least 2-3 years.

Key trends in 2011:

  • Doubling of financial indicators of the Russian market. The financial performance of the global computer crime market in 2011 amounted to $12.5 billion. Of these, "Russian" hackers account for up to a third of all revenues - about $4.5 billion. This amount also includes revenues of the Russian segment - $2.3 billion. Thus, we can talk about an almost twofold increase in last year's cybercrime market indicators in Russia.

  • Centralization of the cybercrime market. Due to the consolidation of participants and the penetration of traditional criminal groups, the cybercrime market in Russia is undergoing a period of dynamic transition from a chaotic state to a centralized one.

  • Internet fraud and spam account for more than half of the market. In 2011, Russian Internet scammers managed to steal about $942 million; they are followed by spammers, who earned $830 million; the internal cybercrime-to-cybercrime market amounted to $230 million; and DDoS to $130 million.

2000-2010: The loudest reports about cyber conflicts involving Russia

The Russian Association of Electronic Communications (RAEC), together with the British research agency Powerscourt, released in mid-2011 a rating of the most high-profile materials about Russia on the topic of cybercrime and cyber war. The rating is based on the materials of a large-scale content study of the Western press for the period from January 2000 to March 2010.

"The task of the rating is to show the main points of tension in relations between Russia and the West in the high-tech sphere and talk about the main anti-heroes who over the past 10 years have damaged the image of Russia and reduced the investment attractiveness of our country as a whole," says Mark Tverdynin, Chairman of the Council of NP RAEK. "The rating, like the study itself, shows that in recent years the image of our country in the IT sphere has changed in a negative direction. Russia is portrayed as the homeland of dangerous cybercriminals and one of the main enemies of the United States and Europe, capable of fighting on a virtual battlefield. In conditions when the Russian economy relies on innovations in the technological sphere, this trend is a threat to the development of our country. Especially when projects like RBN or Glavmed appear in our country."

The rating was compiled on the basis of a full-fledged study of the largest European and American newspapers and magazines on the principle of analyzing references to Russia in connection with keywords: hackers (hacking), cybercrimes, malicious software (viruses, network worms), botnets (networks of infected computers), phishing (fraud to obtain personal information), cybersecurity and cyber warfare.

The rating includes articles about real cybercriminals, as well as materials that resulted from active propaganda campaigns launched in the Western media, for example the campaign related to the recent events in Georgia. The topics in the ranking are ordered by the absolute number of original publications. The total number of reprints exceeds the number of original materials by several orders of magnitude.

The loudest reports about cyber conflicts involving Russia, 2000-2010

(rank; event description; time; number of publications)

  1. Cyber attacks on Georgia and Georgian bloggers in LiveJournal, August 2008, 65 publications
  2. Anniversary of the war in Georgia, cyber attacks on Georgian bloggers on Twitter and Facebook, August 2009, 60 publications
  3. The world's largest pharmaceutical spammer network Glavmed advertises and sells counterfeit swine flu protection products with spam, November 2009, 40 publications
  4. Russian hackers accused of hacking mailboxes of climate scientists discussing the absence of the problem of global warming, December 2007, 38 publications
  5. Messages about the activities and subsequent closure of the Russian Business Network, November 2007, 35 publications
  6. Cyberattacks on eBay and Yahoo!, which led to difficulties in the activities of these Internet companies and a drop in their share price, January 2000, 27 publications
  7. Arrest by FBI officers of hackers Vasily Gorshkov and Alexei Ivanov, who hacked into the security networks of American companies and offered protection against their own hacking, October 2000, 21 publications
  8. Campaign in defense of Elcomsoft programmer Dmitry Sklyarov, who hacked the protection of popular PDF files and was arrested on charges of Adobe at an exhibition in Las Vegas, USA, July 2000, 19 publications
  9. The virus epidemic of the MyDoom worm, which has become the fastest-spreading malware in the world, February 2004, 17 publications
  10. Messages about the threat of a global epidemic of the Conficker virus, the creators of which include unknown Russian programmers, February 2010, 15 publications

"Image of Russia in the Western press in connection with cyber conflicts of the last decade," study by Powerscourt, London, specifically for NP RAEK

Notes

  1. Virus on plus: Russians are attacked by a Trojan with imitation of notifications from banks
  2. FSB officers of the Urals identified a group that extorted 900 thousand rubles from a resident of Tyumen
  3. DFIR Chronicle: how APT groups attacked in the 1st half of 2024
  4. Attackers attack Russian government agencies through LiveJournal
  5. Slumdog Millionaires,
  6. How an Indian startup hacked the world
  7. Kaspersky Lab detected attacks on Russian institutions to steal data
  8. Ministry of Internal Affairs expands the list of measures to document crimes using information technologies
  9. Fraudsters offer to make money on decoding audio recordings
  10. Property obtained as a result of cybercrime will be confiscated
  11. Digital crooks
  12. Hackers go on the air
  13. Working meeting with Deputy Chairman of the Government Dmitry Chernyshenko (http://kremlin.ru/events/president/news/69665)
  14. To work as phishing
  15. The company went from a mobile
  16. With hacks at the ready
  17. Cybersecurity headquarters created in 99% of regions (https://www.securitylab.ru/news/532036.php)
  19. Russian hackers suspected of spying on Austria and Estonia
  20. Chinese hackers have attacked Russian government agencies, defense and state-owned companies without explanation
  21. China's computers hacked by US to attack Russia, Ukraine, Belarus - report
  22. Hackers took on officials. Experts found a cyber attack on government officials
  23. US ambassador summoned to Russian Foreign Ministry due to interference in Russian elections
  24. Chinese government hackers first attacked Russian companies.
  25. FSB of Russia agreed with the US authorities on the joint identification of cybercriminals
  26. Sobyanin noted a 40 percent increase in cybercrime in Moscow
  27. Step back. Russian science is attacked by superior forces of foreign hackers
  28. Rostelecom-Solar named key vulnerabilities in the IT infrastructures of state organizations and authorities
  29. Lieutenant General Yury Zhdanov listed the regions of the Russian Federation with the greatest cybercrime (https://radiosputnik.ria.ru/20200624/1573391075.html)
  32. Russian police created an online drug trafficking store
  33. FSB of Russia together with the Investigative Department of the Ministry of Internal Affairs of Russia carried out a large-scale special operation
  34. Viruses clung to the pandemic
  35. Who rules the score: thousands of Russians have stolen bonuses from discount cards
  36. Trend Micro Admits it Was Hacked, Symantec Denies Claims of `Fxmsp` Breach
  37. Hackers built into the system
  38. The number of cyber attacks in Russia doubled
  39. German Gref proposed creating a ministry for emergency situations in the digital sphere
  40. An automated system for the exchange of information about cyber threats will appear in Russia
  41. The Supreme Court of the Russian Federation explained the subtleties of the qualification of cyber fraud (https://www.securitylab.ru/news/489707.php)
  43. Most Russian companies are not resistant to cyber attacks, PwC said
  44. In Russia, they want to introduce cyber insurance
  45. Office "K" of the Ministry of Internal Affairs of Russia suppressed the activities of an organized group suspected of embezzling funds from bank accounts using a Trojan program (https://xn--b1aew.xn--p1ai/news/item/10304447)
  46. The fall of "Crohn"
  47. Danish Ministry of Defense: Russian hackers hacked our employees' mail for two years (https://meduza.io/news/2017/04/23/minoborony-danii-rossiyskie-hakery-dva-goda-vzlamyvali-pochtu-nashih-sotrudnikov)
  49. Cybercriminals disguise themselves as "Russian" hackers
  50. Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX
  51. Germany: Russian hackers have long arms
  52. Russia is also said to be responsible for the cyber attack on the OSCE
  53. Can the Kremlin influence the German elections?
  54. Cybercrime in the world
  55. CNews: In Russia, cyber attacks will be punished with 10 years' imprisonment
  56. The court in the United States found the son of the deputy Seleznev guilty of cyber fraud
  57. CNews: Information security experts: "Russian hackers" is a myth
  58. Cyber ​ ​ fraudsters spend 40% of the stolen funds on research
  59. FSB will lead security in Runet
  60. Russian hackers conducted a large-scale operation to hack bank accounts in the United States and Europe.
  61. Public Chamber proposed creating cyber rifles
  62. The Federation Council proposes to encourage "white" hackers
  63. Recorded Future analyzed Russian pro-government hackers
  64. Over the year, 95% of Russian companies were subjected to cyber attacks