What is cybercrime
Main article: Cybercrime
Cybercrime is illegal acts carried out by people using information and telecommunication technologies, computers and computer networks for criminal purposes.
Cybercrime in countries
- Cybercrime and cyber conflicts: Russia
- Cybercrime and cyber conflicts: Ukraine
- Cybercrime and cyber conflicts: US
- Cybercrime and cyber conflicts: Europe
- Cybercrime and cyber conflicts: China
- Cybercrime and cyber conflicts: Israel
- Cybercrime and cyber conflicts: Iran
- Cybercrime and cyber conflict: India
Cyber wars between countries
Information on agreements on electronic non-aggression, as well as on cyber conflicts between countries, is highlighted in a separate article:
Cybercrime in the commercial sector
An overview of cybercrime events in the banking sector is provided in a separate article:
Losses from cybercrime
An overview of the losses of the global economy from cybercrime in the article:
User Data Rates
An analysis of the working conditions of hackers is provided in a separate article:
Cyber attacks
Types of cyber attacks and overview of key events.
2025: How much does financial data cost on the darknet? Information security experts named the prices and noted an upward trend
Positive Technologies experts analyzed about 3.5 thousand ads on forums for the sale of confidential information published in the second half of 2024, and on March 13, 2025, the results were published. The analyzed ads most often mention personal data (76%), payment card data (12%) and credentials (11%).
Leaks from financial companies are leading in sales announcements worth more than $10 thousand: every fifth announcement (21%) in this price segment falls on the financial sector.
The study "Confidential data leaks from organizations: the second half of 2024," presented by Positive Technologies, which includes the results of analyzing announcements on the dark web, is also based on the results of studying data on leaks from authoritative open sources. Previously, the company conducted a similar study for the first half of 2024, which allows us to assess the dynamics of changes.
For example, experts have recorded that the demand for the purchase of data on shadow forums is growing. There is a significant increase - from 3% to 12% - in the share of advertisements for the purchase of information, and the average price indicated in such an announcement has increased from $600 to $1700. Moreover, the highest prices are set for payment card data: their average cost was $2.5 thousand.
At the same time, Pavel Kovalenko, director of the anti-fraud center at Informzaschita, gave TAdviser the following prices for financial information:
- Bank card data with CVV: $10-50;
- Login and password from the Internet bank (credentials): $50-200;
- Complete set of documents with financial information: $100-1500;
- Access to corporate banking systems: from $500 to several thousand;
- Access to crypto wallets: from $50 to several thousand (depends on the balance).
Approximately the same figures were cited to TAdviser by Nikolai Kalutsky, lead specialist at the REC FTS Russia of Bauman MSTU (N.E. Bauman Moscow State Technical University), based on his own estimates:
"Bank cards cost about 3 thousand rubles, and personal data usually cost from 1 thousand rubles, but it also happens for 100 rubles. If we consider access to accounting data, then the cost starts from 5 thousand rubles and rises from there. Undoubtedly, tightening legislation will increase the risks, and therefore the price of data. The demand for financial data in the last year has increased due to higher prices for them and an increase in cybercrime. But at the same time, new encryption methods make trading more secure and anonymous."
The discrepancy between the world prices for financial data presented by Positive Technologies researchers (an average of $2.5 thousand per record) and the figures of Russian experts ($10-50 for a payment card record) can be explained by the significant tightening of Russian legislation on the protection of the banking system. In particular, the data of Russian bank cards with CVV is no longer sufficient to withdraw money, so this information is not worth much.
"We collect information on prices for stolen financial data/services from various sources for our work," Pavel Kovalenko told TAdviser, explaining the source of his awareness. "We track these numbers because they directly affect our services and recommendations. When we see that some type of data has risen sharply in price on the black market, we understand that we need to strengthen its protection for customers. Or vice versa: if prices fall, then the protective measures are working, and it becomes unprofitable for fraudsters to hunt for this data. Russian financial data is on average 10-20% more expensive than similar information from countries with less stringent security requirements. This is a direct consequence of the tightening of the law 'On Personal Data,' the requirements of the Central Bank of the Russian Federation for the protection of financial information and legislation on critical information infrastructure."
The shift of cybercriminals from stealing payment card data to more complex methods of monetizing hacking was confirmed by Kai Mikhailov, head of information security at iTProtect:
"Over the past year, the demand for financial data on the dark web has grown, which is understandable," he told TAdviser. "If earlier they were mainly interested in card data, now access to online banking, account information and even internal bank data are in the price. The trend actively began during the pandemic: people began to use digital services even more often than usual, which means there is more data for leaks, and there will be no less. The cost of data depends on its type and 'quality.' For example, databases with data from cards with a large balance can exceed the price of competitors' databases on the darknet tenfold. The price also depends on the freshness of the data, the level of protection and the 'reputation of the seller.'"
However, there is another trend that affects the average cost of leaks: the free distribution of data from Russian financial institutions. This is done by hacktivists whose goal is not financial gain but damage to the Russian financial system as a whole. Alexander Bleznekov, Head of Information Security Strategy Development at Telecom Exchange, shared the following observations with TAdviser:
"The cost of financial data on the darknet can vary, depending on their type, uniqueness, completeness, as well as the reputation of the seller on the forum. The average cost of one database on the darknet is $1 thousand (about 100 thousand rubles). The average cost of a leak that contains no passport data is noticeably lower and amounts to about 20-30 thousand rubles. It is worth noting here the trend that has become obvious in the past few years: most of the data of Russian companies on the darknet is now distributed by hacktivists for free."
However, the increase in the average cost of leaks suggests, among other things, that hacktivism is declining. At the same time, experts note that leaks are increasingly associated not with the financial organizations themselves, whose information protection is quite strictly regulated by the Central Bank of the Russian Federation, but with their contractors.
"Often IT contractors work with many companies from different industries, including the financial sector," explained Yana Avezova, senior analyst of analytical research at Positive Technologies. "By attacking IT service providers with insufficient security, attackers can spend not so many resources but at the same time gain access to several banks and other organizations at once. For example, in the summer of 2024, the Singapore company Ezynetic, which provides comprehensive IT solutions to financial institutions, became a victim of cybercriminals. As a result of the attack, the data of about 128 thousand customers of 12 licensed creditors of the country were compromised."
At the same time, the IT industry in Russia is not recognized as critical information infrastructure and is not regulated by the Central Bank. In theory, the requirements for the protection of financial systems should be passed down to it by CII subjects and organizations accountable to the Central Bank of the Russian Federation, but quite possibly this does not always happen, which leads to leaks of financial data despite the reasonably good protection of the banking systems themselves.
2024
The convention against cybercrime initiated by Russia was adopted by the UN General Assembly
At the end of December, the UN General Assembly adopted the Russian-initiated Convention[1] against Cybercrime. The resolution on the convention was adopted by consensus, that is, without a vote, as had happened before in the relevant Third Committee of the General Assembly and at the adoption of its draft in August this year. The final signing ceremony of the convention will be held in 2025 in Hanoi.
"But it will still take a lot of time before the Convention is fully launched," Oleg Shakirov, a researcher of political aspects of information security and author of the Cyber War telegram channel, explained the situation for TAdviser readers. "Next year its official signing will open in Vietnam. After signing, the state must then ratify it, as a rule through the national parliament (in Russia, a separate federal law is adopted for this), as well as adapt its legislation to participate in international cooperation. The convention will enter into force after 40 states submit their instruments of ratification. This process will probably take several years."
Georgy Gabolaev, founder and CEO of Group-A, noted that member states have more work to do to bring national legislation in line with the provisions of the Convention. First of all, they will need to do the following:
- Clarify the national definitions of cybercrime with the adaptation of criminal legislation to new realities: an unambiguous definition of such actions as illegal access to computer systems, theft of personal data, fraud using digital technologies, etc.;
- Establish clear procedural rules for the collection and use of electronic evidence, including taking into account the principles of protecting personal data and privacy;
- Expand the capabilities of law enforcement agencies - to fully counter cybercrime, it is necessary to modernize the structures of the Ministry of Internal Affairs and special units, introduce advanced technical solutions and regularly improve the skills of employees;
- Establish and strengthen mechanisms of international cooperation - States need not only to legally formalize the relevant procedures, but also to establish constant interaction between the competent authorities, ensuring timely and safe exchange of data;
- Ensure the transparency and legality of cybersecurity measures with a balance between effectively combating cybercrime and protecting human rights and freedoms.
It is important for all users of modern communication technologies to ensure the safety of their use, regardless of the political situation in the world and the territorial affiliation of users.
"As of October 2024, there are about 5.52 billion unique Internet users in the world, which is approximately 68% of the total population of the Earth[2]," Philip Shcherbanich, IT expert and backend developer, explained the situation to TAdviser. "The average user spends about 6 hours 35 minutes online every day. And along with the growth in the number of users, the number of cybercrimes is also increasing: attackers steal money and personal data, blackmail people and create an atmosphere of constant insecurity. At the same time, the level of detection of such crimes remains low. For example, in Russia in 2024 it amounted to only about 26%. In this context, it is extremely important that cybercrime issues are raised at the level of the world community."
Russia is now suffering from the active actions of hackers who mainly act not from its territory, so any relief in investigating cyber incidents with the involvement of international structures can only be welcomed.
"The approval of the Convention at the level of the General Assembly indicates that cybercrimes are no longer considered a local or 'specialized' problem affecting only a narrow range of countries or industries," Georgy Gabolaev said for TAdviser. "It is now an international agenda issue recognized as important as the fight against terrorism, human trafficking and other transnational threats. Thanks to the new tool, states receive a basic framework for harmonizing legislation and practical measures in the field of cybersecurity."
In particular, in order to implement the provisions of the Convention in Russia, it may be necessary to introduce criminal liability for organizations. Currently, criminal prosecution is provided only for the individuals who lead organizations. Organizations themselves bear only administrative or civil consequences: they receive fines or other sanctions.
"Article 18 of the Convention provides that each State Party takes such measures as, taking into account its legal principles, may be required to establish the responsibility of legal entities for participation in cybercrimes," said Oleg Matyunin, lawyer and managing partner of the law firm Matyunina and Partners. "Criminal liability is one of the possible options for influencing organizations. However, their liability may not include criminal liability, being limited to civil and administrative liability. The main thing, as enshrined in the Convention, is that the sanctions applicable to legal entities are effective, proportionate and have a deterrent effect."
In general, the Convention, in the opinion of Yury Mitin, managing partner of the law firm Intellectual Protection, may contribute to:
- Increasing awareness: States and international organizations may be more active in education and raising awareness of cyber threats;
- Setting standards: It can help develop uniform standards and practices to combat cybercrime, which can lead to more coordinated action internationally;
- Strengthening law and order: Recognizing cybercrime as a serious threat can lead to increased funding and resources for law enforcement in many countries.
At the same time, the Convention adopted now allows states to protect their sovereignty, since it does not require admitting representatives of other countries' law enforcement agencies into the country, as provided for by the Budapest Convention adopted by the Council of Europe in 2001. For Russia, this is fundamentally important.
"The adopted convention regulates access to and exchange of electronic evidence between the participating states, which makes investigations and prosecutions easier," Alexander Matveev, director of the IZ:SOC center for monitoring and countering cyber attacks at Informzaschita, shared his thoughts with TAdviser. "Moreover, the concept of digital sovereignty and the impossibility for law enforcement agencies of one state to carry out activities in the networks of another country is enshrined. This creates conditions under which the investigation process is clearly regulated."
Arrest of 1,000 people suspected of global cyber attacks with damage of $193 million
On November 26, 2024, Interpol announced a large-scale operation in which more than 1,000 people suspected of cybercrime were arrested in 19 African countries. The damage from their activities is estimated at $193 million.
The raids were carried out as part of the so-called Operation Serengeti. In total, 1006 citizens of different states were detained on suspicion of various illegal actions: distribution of ransomware, business email compromise, digital extortion and online fraud. The number of identified victims exceeds 35 thousand. During the operation, as noted, over 134 thousand elements of malicious infrastructure and networks were taken down.
Interpol discloses information about several criminal schemes. In particular, 8 people were detained in Senegal, including 5 Chinese citizens: they are suspected of organizing a financial pyramid, the victims of which were 1811 people. Losses are estimated at $6 million. More than 900 SIM-cards, $11 thousand in cash, smartphones, laptops, etc. were seized in the case.
Nigerian authorities have arrested a man accused of organizing an investment fraud on the Internet. According to the investigation, he earned more than $300 thousand, luring victims with false promises related to cryptocurrency assets. Angolan law enforcement officers liquidated an international criminal group that operated a virtual casino in Luanda. A case of credit card fraud on the Internet has been solved in Kenya: losses from this scheme are estimated at about $8.6 million. In Cameroon, a multi-level scam was uncovered, the victims of which were residents of seven countries: people were promised employment or training opportunities, but in fact they were held forcibly to attract new victims.[3]
UN adopted a document initiated by Russia coordinating countries in the fight against cybercrime
At a meeting on August 7, a draft UN convention against cybercrime (A/AC.291/L.15) was adopted[4]. It criminalizes ten crimes in cyberspace, allows traffic control and the collection of metadata files, and also involves the creation of a network of state contact centers for exchanging information collected to prove crimes. The text of the convention is only partially agreed: some fragments were adopted by everyone at the vote, some were adopted behind the scenes, and some were not agreed.
In particular, the agreed types of cybercrime are as follows: illegal interception, impact on the information and communication system, misuse of devices, harassment or creation of a relationship of trust in order to commit a sexual crime against a child and laundering the proceeds of crime.
The compositions of crimes that caused disagreement in the adoption of the convention include the following: illegal access, exposure to electronic data, forgery using the information and communication system, theft or fraud using the information and communication system, crimes related to posting materials on the Internet with scenes of sexual abuse of children or their sexual exploitation, and the distribution of intimate images without consent.
"Russia proposed to significantly expand the scope of the convention to include 23 types of offenses," Oleg Shakirov, an analyst at SearchInform and a consultant at the PIR Center, wrote in his telegram channel. "However, this approach was not shared by all countries: the United States and Europe, actively involved in the work on the document, advocated a narrower coverage, which would be limited to purely computer crimes. Although Russia is the initiator of the development of a new convention, it is not satisfied not only with the narrow scope to which negotiators eventually came, but also with other points, for example, provisions regarding human rights. The struggle to exclude them went on until the last moment: at the meeting, Iran put to a vote several points with which Russia did not agree."
Indeed, the convention turned out to be strange: of the ten offenses, three relate to the sexual sphere (creating a relationship of trust in order to commit a sexual crime against a child, crimes related to posting materials on the Internet with scenes of sexual abuse of children or their sexual exploitation, and distributing intimate images without consent). At the same time, there is not a single offense concerning harm to people's lives and property, such as involvement in terrorist activities or incitement to suicide, impact on critical information infrastructure, creation, use and distribution of malware, or incitement to subversion. These formulations were listed in the first versions of the convention.
Nevertheless, the adopted draft convention will allow legalizing tools for investigating computer crimes at the international level. In particular, the convention permits the following procedural actions: the collection in real time of traffic data and the prompt provision of security and partial disclosure of traffic data (interception and collection of traffic with the provision of this information to law enforcement agencies - in fact, the "Spring Law" and SORM), interception of content data (meta-information on transmitted data), search and seizure of stored electronic data, freezing, seizure and confiscation of proceeds of crime, and witness protection.
To carry out all these actions, it is planned to create an international network of contact centers that will interact with each other to assist in the mutual exchange of information necessary for the investigation of crimes. Moreover, these centers must interact in real time, for which they must work 24 hours a day, seven days a week. At the same time, such centers, although they can carry out the above procedural actions, such as account freezes or searches, at the request of other states, can nevertheless preserve their sovereignty.
"A generally accepted procedure for investigating international incidents did not exist until now," Pavel Kuznetsov, director of strategic alliances and interaction with state authorities at the Garda Group of Companies, said for TAdviser. "The Convention is just an attempt to create a foundation for the subsequent concretization of such a procedure. And, as we can see, even at the level of fundamental entities, the very composition of the convention, there are specific contradictions in approaches. In particular, Western 'partners' are trying to narrow the range of offenses in question to those related to 'cybersecurity.' Information security remains out of the attention zone. And subsequently, such provisions are widely used for 'convenient' interpretation and attempts at deep political influence for purposes that are completely inconsistent with the meaning of the original document."
Indeed, the generally recognized procedure for investigating international cybercrime did not exist until recently - all procedures were carried out privately through the direct interaction of law enforcement units of countries. There was no common system for all, and this was the main task of adopting the signed draft convention at the UN level.
"It is gratifying that the document reflected Russian proposals for the creation of a single register of contact points for the exchange of information about cybercrimes," said Pavel Kuznetsov. "The existing mechanisms greatly bureaucratized and slowed down this process, and the allocation of specific responsible units of the relevant bodies is designed to simplify and speed it up. Obviously, such units will be national CERTs: centers for monitoring, countering computer attacks and coordinating relevant areas of activity. It looks optimistic, but we should expect some difficulties."
In fact, contact centers have already been created in some countries. In particular, in Russia the NCCCA, the service that operates the State system of detection, prevention and elimination of the consequences of computer attacks, is responsible for such activities. However, similar contact centers do not exist in all participating states, so critical issues remain open for them: personnel, the legislative details of the center's authority within each participating country, and the material and technical base. All of these, according to the idea, should be settled by each country in preparation for ratifying the convention. In this way, the harmonization of criminal law in various countries can be carried out, which will make it possible to arrive at uniform rules for investigating cybercrime.
"The Convention unifies approaches to the suppression and investigation of cybercrimes and mutual legal assistance at the international level," Yulia Shlychkova, vice president of Kaspersky Lab for government relations, expressed her opinion to TAdviser. "Even partial standardization of the legal regulations of different states simplifies the collection and exchange of information on crimes and creates mechanisms for cross-border interaction. In particular, a positive step in this direction is the creation of a network of national contact centers, which will maintain communication with each other in 24/7 mode to suppress and promptly investigate cybercrime and will be able to exchange electronic evidence. One way or another, the convention lays the legal framework for wide international interaction in the fight against cybercrime, but requires further adjustment and harmonization of technical standards."
The adopted document indicates the following dates for its entry into force. All states parties can sign the convention by December 31, 2026. Moreover, not only individual states can ratify it, but also entire regional organizations of economic integration, uniting several countries. 90 days after receiving 40 instruments of ratification from individual states, the convention enters into force. Thereafter, a Conference of States Parties to the Convention shall be organized to ensure the achievement of the objectives of the Convention and to monitor its observance. The first amendments to the text of the document can be made no earlier than 5 years from the date of entry into force of the convention.
Fraudsters began to create fake Internet access points on board planes to steal passenger data
In early July 2024, a man in Australia was charged with fraud and theft of aircraft passenger data. Australian Federal Police say the 42-year-old defendant created fake Wi-Fi hotspots at Australian airports and on domestic flights to trick users into entering their personal details. Read more here.
The servers of the South Korean manufacturer of ERP systems have been hacked. Now companies are attacking around the world
On July 1, 2024, the AhnLab SEcurity intelligence Center (ASEC) reported that the servers of an unnamed South Korean manufacturer of ERP systems had been hacked. After the intrusion, attackers began to attack companies around the world, with Korean defense and manufacturing enterprises as the main targets. Read more here.
Hackers in Cambodia, Laos and Myanmar earn 40% of these countries' combined GDP
Southeast Asia has become the center of global cyber attacks. Hackers there earn $64 billion a year, and in Cambodia, Laos and Myanmar the income of cybercriminals reaches $43.8 billion, which corresponds to 40% of the combined GDP of these countries. Such data are given in a study by the United States Institute of Peace (USIP) released in May 2024.
The most popular fraud scheme among swindlers from Southeast Asia is so-called "pig butchering." In this scheme, attackers gain the trust of victims under romantic or financial pretexts, communicating with them for weeks or months. The fraudster's goal is to build at least a friendly, and ideally a romantic, relationship with the person.
"In a very short period of time, this problem has turned from regional to global," says Jason Tower, director of the USIP unit in Myanmar. "More countries are facing this fraud. Fraudsters are creating new criminal links in the Middle East and Africa."
A study published in May 2024 said there had been a sharp rise in the number of cyber attacks on non-Chinese speakers in recent months. Perhaps this was the result of the work of the Chinese authorities to control Internet fraud.
Criminal syndicates in Southeast Asia recruit people for online fraud and often force them to do it under the threat of physical violence. Victims of forced labor come from more than 60 countries. In Myanmar, scam centers are guarded by armed forces; in Cambodia, criminal structures use hotels and casinos left empty after the pandemic; and in Laos, special economic zones.[6]
2023
Interpol arrested 3,500 people and seized $300 million in 34 countries in a case against a global network of cyber criminals
On December 19, 2023, Interpol announced that 3,500 suspects had been arrested during a large-scale international operation to combat financial crimes on the Internet. At the same time, assets worth approximately $300 million were confiscated in 34 countries.
Australia, Cambodia, Hong Kong, India, Indonesia, Ireland, Japan, Malaysia, Nigeria, Pakistan, the Philippines, Singapore, South Africa, Spain, Sweden, Thailand, the UAE, Britain, the USA and other states took part in the anti-crime campaign, which lasted about six months (from July to December 2023). The purpose of the operation was to combat seven types of cyber fraud: voice phishing, romance scams, online extortion, investment fraud, money laundering in the illegal gambling market, business email compromise fraud and e-commerce fraud.
As a result of the measures, law enforcement agencies blocked 82,112 suspicious bank accounts, confiscating a total of $199 million in ordinary money and about $101 million in virtual assets. It is noted that the share of investment fraud, business email compromise and e-commerce fraud accounted for approximately 75% of all incidents investigated.
Working in conjunction with service providers, Interpol helped identify nearly 370 accounts of virtual assets linked to transnational organized crime. Police in different countries have frozen these assets, and the investigation is ongoing as of the end of 2023. During the operation, cooperation between the Philippine and Korean authorities made it possible to arrest a famous Internet gambling criminal in Manila: the attacker was wanted for two years.[7]
How hackers break into hotels' Booking.com accounts and demand money from customers
On December 1, 2023, Panda Security, a company specializing in information security solutions, announced a new cybercriminal scheme, the victims of which are users of the Internet hotel booking system Booking.com. Attackers steal personal data, and then convince customers to make fictitious payments. Read more here.
4 ports in Australia stopped work due to a cyber attack. 30 thousand containers hung
On November 10, 2023, DP World, Australia's largest port operator, was subjected to a powerful cyber attack that paralyzed its information infrastructure. It can take weeks to fully restore the systems, which, according to experts, will provoke an increase in prices for a variety of goods in the country, from medicines to Christmas toys. Read more here.
Who and how hackers attack in the Middle East, and why billions of dollars are being pledged there for cybersecurity
The number and complexity of cyber attacks is growing around the world, but there are regional specifics in this area. Representatives of Kaspersky Lab, which has been working in the region for several years, spoke about the features of cybercrime and approaches to protection in the Middle East in October 2023 at the GITEX international exhibition in Dubai, which TAdviser attended.
The head of the Kaspersky Lab research center in the Middle East, Turkey and Africa, Amin Hasbini, noted in a conversation with TAdviser that attacks on corporate users in the region often depend on the size of the organization. In the case of SMBs, they are often aimed at obtaining payments and transfers to "black" accounts used to launder funds in different regions of the world, for example, in Asia or Latin America. For this, ransomware demanding large ransoms is often used against organizations.
Attacks on large organizations differ in their approaches. APT attacks (Advanced Persistent Threats) are often used here, which can cause much more damage. Often they are used for espionage. These may apply, for example, to banks or government organizations. And even against hospitals, because they store sensitive medical information about their clients.
Advanced attacks in the META region (Middle East, Turkey, Africa) in Kaspersky Lab are called the nightmare of users and organizations. This type of attack is characterized by the fact that attackers change their methods and tools to bypass protection, use advanced technical skills and tools to avoid detection, and often they are organized in such a way as to go unnoticed by the victim.
Anton Ivanov, director of research and development at Kaspersky Lab, cited data based on investigations conducted by their company that it is countries in the Middle East that are most often subjected to advanced attacks in the region. In 2023, the UAE, Egypt, Turkey, Jordan and Syria were among the top 5 most attacked countries. And the top 3 attackers in advanced attacks in the region are the hacker groups Lazarus (Andariel, cookietime, Bluenoroff), Kittens (CharmingKitten, Muddywater, Lyceum), as well as Chinese-speaking groups (Honeymyte, APT15, Plugx, Blackmoule).
One of the oldest and most famous hacker criminal groups operating in the region is OilRig, also known as APT34 and Helix Kitten. She was first noticed in 2012, and she is still acting, said Anton Ivanov. It predominantly attacks financial, energy, telecommunications and chemical companies.
Amin Hasbini notes a trend: when attacking large businesses in the region, cybercriminals tend to join forces. Sometimes several criminal groups work together: one organizes penetration into the IT infrastructure, another deploys malware, and a third handles communication, for example for blackmail and the subsequent sale of data.
According to Amin Hasbini, this phenomenon can also be attributed to regional specifics: over the past couple of years, hiring hackers for cybercriminal work has been gaining popularity in the Middle East. There are dedicated hack-for-hire companies from which hackers can be hired for various tasks. Often they are brought in for competitive intelligence.
For example, two competing banks may be fighting each other at the legal level, through lawyers. One of the banks then hires a hacker team to break into the competitor's systems and find sensitive or "dirty" information that can later be used against the company.
The information obtained is used to damage the company's reputation or by lawyers in legal disputes, explains Amin Hasbini.
Of course, this is illegal, but Kaspersky sees a lot of such activity in the Middle East. Similar use of mercenary hackers can be found in Europe, including in Western organizations, but in the Middle East this type of hacking is very active.
It is possible that this is due to the fact that the region has very high competition in business, believes Amin Hasbini.
It may also be due to gaps in the current legislative framework that make it difficult to block and stop the activities of such criminals.
This is not to say that there have been more hackers in the Middle East in recent years, says Amin Hasbini. Rather, regional hackers have come to be characterized by teaming up for various tasks. Sometimes similarities can be noticed in their activities, suggesting that they are the same group. The same group may attack industrial sites in the region, while another targets financial institutions, for example.
At the same time, IT systems and services in the Middle East have already reached a certain level of maturity, so it has become harder for attackers to compromise organizations. In industrial operational technology (OT), however, the situation is different, because for a long time nobody dealt with cybersecurity in this area. In addition, many industrial systems used for water supply, electricity, nuclear power and so on are old: they can be 10-20 years old, and such systems are not updated quickly. The damage from cyber attacks here can be enormous, because this is critical infrastructure.
One feature of the Middle East compared with, for example, Europe is that information security priorities differ, and individual Middle Eastern countries do not always cooperate on the cybersecurity agenda as closely as EU countries do. Essentially, each country seeks to develop its information security on its own, explains Amin Hasbini.
At the same time, sovereignty is very important for every country in the Middle East, so they want to deploy solutions locally. For the same reason, countries seek to pass laws that oblige global vendors to localize and maintain a presence in the country.
Kaspersky Lab itself, for example, has offices in the UAE (its headquarters for the entire META region), Turkey and Saudi Arabia. Saudi Arabia has the strictest requirements for local presence, so Kaspersky Lab also operates a transparency center there, where customers can review the source code of its products, and uses local computing resources: some servers on its own site and some from providers. This allows data to be stored locally, which matters to the local government, and updates to reach customers faster.
In addition, penalties for cybercrime are often tougher in the Middle East than in Europe. Cybercrime is taken very seriously, and authorities try to catch cybercriminals as quickly as possible. According to Amin Hasbini, Kaspersky Lab works with various local security services and shares information with them about cyber attacks to help them find attackers.
Many countries in the region are raising the maturity of their cyber defenses and already have legal regimes to protect their states, governments and users from cyber threats. This is a matter of national security, so they are looking for advanced technologies to provide such protection. Projects in government agencies and critical infrastructure are now among the largest, Amin Hasbini told TAdviser.
Kaspersky Lab sees the META region as a whole, and the Middle East in particular, as a very promising market. According to ResearchAndMarkets estimates, the Middle East cybersecurity market was worth $20.3 billion in 2022, and analysts forecast $44.7 billion in 2027, an average annual growth rate of 17.1%.[8]
Rashid Al-Momani, the company's general manager for the Middle East, Egypt, Rwanda and Pakistan, says that the large cybersecurity budgets in the Middle East are driven, among other things, by geopolitical factors. In the UAE, moreover, major international technology and sports events attract ever more participants, which also calls for better protection.
Given the region's course towards strengthening cyber defense, Kaspersky Lab is expanding its presence there, including the number of local teams and strategic cooperation with local authorities, regulators and central banks, Rashid Al-Momani notes.
Other Russian information security vendors are also showing growing interest in the Middle East market: about 15 stands of companies from Russia whose descriptions declare cybersecurity as their main or one of their main areas were present at GITEX.
1.5 TB of data stolen from the Argentine financial regulator. Hackers demand a ransom of $500 thousand and threaten to destroy the banking system
In June 2023, the Argentine National Securities Commission fell victim to a cyber attack attributed to the Medusa hacker group, which develops ransomware. The hackers demand a $500,000 ransom within a week, threatening otherwise to leak 1.5 TB of the commission's documents and databases to the Internet.
Updated Pakistani Trojan ReverseRAT targets Indian government agencies
Information security company ThreatMon has discovered a targeted phishing campaign against Indian government agencies that leads to the deployment of an updated version of the ReverseRAT remote access Trojan. ThreatMon experts attributed the activity to the SideCopy group. This became known on February 21, 2023.
Hackers attacked one of Canada's largest energy companies
In mid-January 2023, Canada's major electricity supplier Qulliq Energy was hit by a cyber attack that knocked its computers out of service and left customers unable to pay for services with bank cards. A substation in the city of Nunavut was damaged.
APT group Dark Pink strikes Asian government and military structures
The APT group Dark Pink is delivering cyber strikes on Asian government and military structures. This became known on January 11, 2023.
During attacks, the hackers use a set of powerful custom tools and new tactics.
In its investigation, Group-IB stressed that Dark Pink could be an entirely new APT group. The group got its name from the names of some of the mailboxes to which stolen data was sent. Chinese researchers, however, gave it a different name: Saaiwc Group.
One of the most complex chains of computer infection in history revealed
On January 5, 2023, Check Point Research (CPR) experts described one of the most complex infection chains in the history of cyber attacks, which the Blind Eagle group uses to attack victims in South America.
2022
Hackers began massively attacking telecom operators around the world to take over other people's phone numbers
On December 2, 2022, specialists at CrowdStrike announced the discovery of a new cybercriminal scheme: attackers target telecommunications companies and business process outsourcing (BPO) organizations in order to take over other people's phone numbers.
The cybercriminal campaign is called Scattered Spider. Experts say the hackers aim to gain access to mobile operators' networks and carry out SIM swapping attacks. This subsequently lets them receive one-time passwords for financial transactions and so bypass two-factor authentication. As a result, victims' funds can be stolen.
Various methods are used to gain initial access to the targeted system, in particular social engineering via phone calls, SMS notifications and instant-messenger messages. Attackers impersonate IT staff to get victims to enter credentials on a phishing page or to download and install a remote access tool such as AnyDesk, BeAnywhere, DWservice, LogMeIn, ManageEngine, N-able, Pulseway or Rport. Cybercriminals also take a personalized approach to obtaining one-time passwords. Software vulnerabilities may be exploited as well.
After penetrating the target system, the hackers survey Windows, Linux, Google Workspace, Azure Active Directory, Microsoft 365 and AWS environments and move laterally. Additional tools may then be loaded to collect data on VPN settings and multi-factor authentication modules. In most cases, the attackers act extremely persistently and brazenly.[9]
2021
2020
2019
Fortinet 2019 Operational Technology Security Trends Report
2018
Microsoft Security Intelligence Report
Cisco Annual Cybersecurity Report
2017
2016
Kaspersky Cybersecurity Index
Trend Micro Security Predictions
HP Cyber Risk Report
Don't forget about physical protection
Protection is not limited to data inside the computer. Organizations must also physically protect their equipment. All visitors to your office should be accompanied by a member of staff, and monitor screens should not be visible from the corridor.
Passwords must be secure
Organizations must ensure that strong passwords are chosen, meaning a certain level of complexity and periodic change. A password based on a mother's maiden name is no good.
Don't skimp!
If you can afford it, hire one or more data protection specialists. The budget should also provide money for equipment and software to protect against cybercriminals.
Teach staff vigilance
Office staff need to be taught vigilance. A few simple rules can significantly improve security in your company: never go directly to an unknown website whose address was sent to you by email, delete any dubious letters and never click the links sent to you. Instead, search for the topic on Google and find the site you need from there.
Integrated approach
Many of the techniques previously used in attacks on home users are now being used against businesses: modified banking Trojans targeting employees of finance and accounting departments, and various ransomware encryptors that have begun operating inside corporate networks. Network worms have also gained popularity; removing them requires shutting down the entire corporate network. When a company with many branches in different time zones encounters such a problem, the network shutdown inevitably leads to financial losses.[10]
According to a 2014 Kaspersky Lab study of information security specialists, Russian companies most often face malware, spam and phishing. Internal threats deserve separate mention: the most serious problems are caused by vulnerabilities in installed software, as well as accidental data leaks due to employee error and the work of insiders.
Don't trust the "kings" of social engineering
No technical means will protect against social engineering. Attackers collect data armed with knowledge of human psychology: they send malicious links on social networks supposedly leading to a new track by the victim's favourite band, or send an accountant a letter with a "reconciliation statement" attachment in which a virus is actually hidden.
The so-called "Nigerian spammers" are a separate direction in this area. They send letters asking for help with banking transactions involving the transfer of money allegedly subject to a large tax, report the recent death of a very rich person "with the same surname" as the recipient, and offer to help obtain the money from the deceased's bank account.
The only countermeasure against such attacks is to ignore the message completely. Even if a user enters into correspondence with this kind of fraudster just to write a refusal, he thereby confirms his email address, which attackers can later use for other, more ingenious mailings.
Regular training of all company employees in safe work on the Internet and informing them about existing types of threats helps counter social engineering attacks.
Protect against DDoS attacks, viruses, Trojans, and phishing
The number of powerful DDoS attacks is growing rapidly. Such attacks can take a company's website down for a long time and deprive its owner of income. A study by Arbor Networks reports that in the first half of 2014, more than 100 incidents exceeding 100 Gbit/s were recorded, and the number of attacks above 20 Gbit/s in Q2 was twice the figure for the whole of the previous year.
This is also confirmed by data from Kaspersky Lab, which in the spring of 2014 recorded a new jump in the power of DDoS attacks on the Runet. That spring, a group of attackers organized a serious attack, choosing the sites of several leading Russian banks, large companies and government agencies as targets. The average attack power was 70-80 Gbit/s, and at peak moments exceeded 100 Gbit/s. These figures set a record for the Runet: just a year earlier, the most powerful DDoS attack in the Russian segment of the network did not exceed 60 Gbit/s.
The significant increase in DDoS attack power was due to the spread of a new method among attackers, NTP amplification. Its advantage is a large gain (up to 556 times), which lets hackers quickly achieve high attack power with minimal effort. By comparison, the much-publicized attacks a year earlier used DNS amplification, whose gain is 10 times smaller, up to 54 times. In addition, amplification lets attackers hide their real address, since the traffic reaching the victim comes from the abused servers rather than from the attacker's own hosts, which makes them hard to identify.
Providing protection against DDoS attacks in-house is a difficult task for large businesses and almost unachievable for the SMB sector. The company must have the necessary human and material resources: two dedicated specialists working in shifts, expensive equipment and a connection to high-speed communication channels. Bear in mind that DDoS is not a constant threat, so the equipment will sit idle and the specialists' work will often not be in demand. It is therefore often more cost-effective to use third-party companies specializing in protection against such attacks by connecting to their cloud services.
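The amplification gain described above (response bytes divided by request bytes, with the request carrying the victim's spoofed source address) is something a network operator can measure in its own flow records to spot servers being abused as reflectors. The following is an added example, not code from the original article or from Kaspersky Lab or Arbor Networks; the flow records, addresses (RFC 5737 documentation ranges) and byte counts are constructed, and the 10x threshold is an assumed tuning value.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated UDP flow record (constructed, NetFlow-like)."""
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


NTP_PORT = 123
DNS_PORT = 53


def amplification_by_pair(flows, service_port):
    """Return {(server, client): (request_bytes, response_bytes, gain)}.

    Requests are flows *to* the service port, responses are flows *from* it.
    In a reflection attack the request carries the victim's spoofed source
    address, so the 'client' seen here is the victim, not the attacker.
    """
    req = defaultdict(int)
    resp = defaultdict(int)
    for f in flows:
        if f.dport == service_port:
            req[(f.dst, f.src)] += f.nbytes
        elif f.sport == service_port:
            resp[(f.src, f.dst)] += f.nbytes
    result = {}
    for pair in set(req) | set(resp):
        q, r = req.get(pair, 0), resp.get(pair, 0)
        # A response with no matching request is unsolicited: treat as infinite gain.
        gain = r / q if q else float("inf")
        result[pair] = (q, r, gain)
    return result


def suspected_reflections(flows, service_port, min_gain=10.0):
    """(server, victim, req_bytes, resp_bytes, gain) for pairs at or above min_gain."""
    hits = []
    for (server, client), (q, r, gain) in amplification_by_pair(flows, service_port).items():
        if gain >= min_gain:
            hits.append((server, client, q, r, gain))
    return sorted(hits, key=lambda h: h[4], reverse=True)


# Constructed sample flows; sizes are illustrative, not measured values.
SAMPLE_FLOWS = [
    # Ordinary NTP client poll: one packet each way, gain 1.
    Flow("10.0.0.5", 40001, "198.51.100.10", NTP_PORT, 1, 76),
    Flow("198.51.100.10", NTP_PORT, "10.0.0.5", 40001, 1, 76),
    # NTP reflection: 50 small requests spoofed "from" victim 203.0.113.7:80,
    # answered by 5000 large packets aimed at the victim's web port, gain 500.
    Flow("203.0.113.7", 80, "198.51.100.10", NTP_PORT, 50, 3000),
    Flow("198.51.100.10", NTP_PORT, "203.0.113.7", 80, 5000, 1500000),
    # DNS reflection against the same victim, gain 50.
    Flow("203.0.113.7", 80, "198.51.100.20", DNS_PORT, 1, 64),
    Flow("198.51.100.20", DNS_PORT, "203.0.113.7", 80, 3, 3200),
]


def demo():
    """Run the check over the sample for both services the text compares."""
    return {
        "ntp": suspected_reflections(SAMPLE_FLOWS, NTP_PORT),
        "dns": suspected_reflections(SAMPLE_FLOWS, DNS_PORT),
    }


if __name__ == "__main__":
    for service, hits in demo().items():
        for server, victim, q, r, gain in hits:
            print(f"{service}: {server} -> {victim}: {q} B in, {r} B out, gain {gain:.0f}x")
```

In production the same aggregation would be fed from exported flow data and the hit list used to rate-limit or close the abused service on the reflector.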
PHP site owners
To protect their companies' resources, business owners should remember that, according to a recent Positive Technologies study, the least secure sites are written in PHP: 76% of them contain critical vulnerabilities. Web resources in Java (70%) and ASP.NET (55%) were less vulnerable.
Accordingly, owners of the sites most susceptible to attack should pay more attention to their security level, for example by strengthening protection against guessing of user identifiers and passwords (brute-force attacks).
Signed certificates
Corporate network administrators must control which applications employees use and which sites they visit: those sites must have valid, signed SSL certificates. Certificates are divided into three validation types: domain validation only, domain and organization validation, and extended validation. The best option is an extended validation certificate, which produces the so-called "green bar": when a visitor opens a site with such a certificate, a green bar with the name of the certificate holder appears in the browser's address bar.
The most recent case of users being exposed through invalid SSL handling was the discovery of at least 350 mobile apps in the Google Play and Amazon stores vulnerable to man-in-the-middle attacks. In such an attack, the attacker, having inserted himself into the channel between the parties, can obtain the transmitted information; for example, a hacker can intercept the credit card data of users of mobile applications that handle electronic payments.
Be alert
Although technology raises a computer's level of security, vigilance is still essential, for example when receiving emails. Hackers often hide behind messages from travel services such as Airbnb and Booking.com, write on behalf of airlines, inform the user that a plane ticket has been charged to his credit card, and offer a link to a phishing site where he can supposedly see details of the upcoming flight.
In September 2014, Kaspersky Lab noted that the plots of "Nigerian" letters included references to Ebola patients in Africa and unusual invitations to a World Health Organization (WHO) conference. The fraudsters' purpose, as usual, was to extract money from gullible recipients who entered into correspondence with the letters' authors.
In October 2014, it was the turn of cybercriminals who used the hype around the Ebola virus to send malicious emails, again listing WHO as the sender. In the letters discovered by experts, the attackers tried to convince the recipient that WHO had prepared a file with general information and precautions that would help protect the user and others from the deadly virus and other diseases.
In addition to exploiting topics of public concern, spammers also send fake receipts from online stores that bill for a completed purchase, which can supposedly only be canceled on a phishing site. The phishing statistics are not comforting: according to the anti-phishing system developed by Kaspersky Lab, the number of detections amounted to almost 19 million in September 2014 alone.
In modern conditions, companies need to use a set of software and hardware that would ensure an acceptable level of infrastructure security while maintaining sufficient efficiency of business processes. These tools include antivirus software, intrusion prevention systems, firewalls, device control and Internet access modules, data encryption systems, mobile device management, means to protect mail servers and collaboration systems, and so on.
In addition, it is important to remember that information security does not end only with the introduction of protective equipment, it is also necessary to regularly train employees on the rules for safe work with information in electronic form, to implement correct policies and rules when working with confidential data. It is important for users to remember the golden rules: do not follow dubious links, come up with complex passwords for accounts, do not open attachments in letters and, of course, put comprehensive protection on a computer.
Key types of Internet threats
The pace of innovation in this competition between "offensive" and "defensive" technologies is very high. More than 100,000 new malware samples appear every day. Some malicious software modules now sell for more than a million dollars. Cybercriminals are ready to pay such sums because they are confident the investment will pay off very quickly.
Another threat to information security is the new arms race unfolding in cyberspace, in which sabotage and cyber attacks are carried out. The recently disclosed information about the world's largest intelligence program, PRISM, has significantly undermined trust in large cloud service providers based in the United States. Trust has declined especially in Europe, where data protection has traditionally received strong attention. According to the analytical organization Information Technology and Innovation Foundation (Washington, DC), US-based cloud service providers may as a result lose between $22 billion and $35 billion in revenue from 2014 to 2016.
Spam - along with traditional advertising mailings, there is malicious spam, for example containing spyware or luring users to sites with malicious content.
Targeted phishing - unlike spam, targeted phishing is aimed at narrow groups of users and contains messages with a social context urging the potential victim to open an executable file or visit a site containing malicious code.
PDF attacks - many serious vulnerabilities have recently been discovered in PDF document handling.
SEO (Search Engine Optimization) poisoning - search engine optimization threats push sites containing malicious code into high positions in search results for queries related to the world championship. The latest versions of gateway antivirus and intrusion prevention systems protect against such threats.
Loss of performance - administrators can use traffic management or content filtering systems to restrict or block access to online resources.
Social media - analysts warn of malware that can spread through popular social networks. Content filtering and file blocking solutions must be configured to minimize these threats.
According to IBM X-Force, the main source of threats is still popular software such as Internet browsers. A novelty of recent years has been the shift of hackers' efforts from browsers to web applications, through which company databases of particular value can be accessed directly. The share of vulnerabilities fixed remains consistently low: up to 60% of the vulnerabilities discovered each year still have no vendor patch by the end of the year.
The accounts of privileged users, that is, system administrators, are at the greatest risk. Today, controlling the actions of privileged users is a mandatory requirement of various standards and regulators. Attacks against such accounts can come both from outside the company and from unscrupulous employees themselves. The growth in threats associated with privileged users includes insider threats, where employees either deliberately steal data from their company or inadvertently allow others to do so.
Fraud scheme No. 419 is being revived under the name "FBI" (according to Trend Micro).
Computer criminals have come up with another way to attract the attention of users. This time, they impersonate employees of the Federal Bureau of Investigation (USA) from Washington and attempt fraud through spam.
As with any other fraud attempt, the sender of the email impersonates someone else, in this case claiming to write from the FBI. The message states that the recipient is entitled to a payment of $10.5 million. The fraudster posing as an FBI employee then instructs the recipient to contact the head of the "Internet transfer department" of United Trust Bank London, who, the message claims, is the only person who can authorize this multi-million dollar payment. Recipients are told to follow the instructions for filing a payment application exactly. Of course, the message is false. The note at the end is especially ironic and shows how far cybercriminals will go: it advises the recipient to beware of scammers who may try to contact him. To avoid becoming a victim of such fraud, always pay attention to the smallest details of the messages you receive; one close look is enough to distinguish a real message from a fake.
The SASFIS Trojan uses a new trick (according to Trend Micro).
In early 2010, the SASFIS Trojan, sent in fake emails purportedly from Facebook, earned notoriety. A SASFIS infection leads to the installation of a large number of other malware, because this family makes systems vulnerable to botnet attacks, especially ZeuS and BREDOLAB, and is associated with various fake antivirus variants, usually those tied to pornographic sites.
TrendLabs engineers discovered a new version of SASFIS that uses the right-to-left override (RLO) technique, a Unicode text reversal trick that was previously popular among spammers but is now being used as a new social engineering tactic.
The SASFIS Trojan is distributed via spam as a .RAR archive with an .XLS file inside. After extraction, the .XLS file looks like a typical MS Excel document. In fact, it is a screen saver, detected as TROJ_SASFIS.HBC. This Trojan activates BKDR_SASFIS.AC, which injects malicious threads into the legitimate svchost.exe process. Although the file looks like an Excel document, it contains a Win32 binary header, which only executable files have. The real name of the file (apart from Chinese characters) is: phone & mail).[U+202E]slx.scr, where U+202E is the Unicode control character that tells the system to render the subsequent characters from right to left. To users, the file name therefore appears as: phone & mail).rcs.xls, which makes them believe it really is an Excel file and therefore "safe" to open, although in reality it is an executable .SCR file.
The same technique allows other file names to be used for the same purpose, such as BACKS[U+202E]FWS.BAT and I-LOVE-YOU-XOX[U+202E]TXT.EXE, which appear as BACKSTAB.SWF and I-LOVE-YOU-XOXEXE.TXT. In the first case, a batch file is disguised as an Adobe Flash file; in the second, an executable is disguised as a text file.
To prevent this attack, users can rely on proven protection methods: do not open suspicious emails or download applications with executable files.
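A mail gateway or endpoint scanner can catch the RLO trick above by comparing the extension the user will see with the extension the operating system will actually execute. This is an added example, not code from the original article or from Trend Micro; it uses the three file names given in the text plus a constructed benign name, approximates bidi rendering with a deliberately simplified rule (text after U+202E is shown reversed until the next U+202C or end of string), and the list of executable extensions is an assumption a deployment would tune.

```python
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character SASFIS abused
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override

# Bidi classes of the explicit formatting characters that can reorder how a
# string is displayed: embeddings, overrides, isolates and their pops.
BIDI_FORMAT_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

# Extensions Windows will execute directly (assumed list for this example).
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "pif", "hta", "vbs", "js", "msi"}


def is_bidi_format(ch):
    """True for Unicode explicit directional formatting characters."""
    return unicodedata.bidirectional(ch) in BIDI_FORMAT_CLASSES


def displayed_name(name):
    """Approximate how a file manager renders the name.

    Simplified bidi: everything after an RLO is shown reversed until a PDF
    (or the end of the string). Sufficient for Latin-script names like the
    SASFIS samples; a full renderer applies the complete Unicode algorithm.
    """
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            j = i + 1
            while j < len(name) and name[j] not in (RLO, PDF):
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1 if j < len(name) and name[j] == PDF else j
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze_filename(name):
    """Report what the user sees versus what the OS will execute."""
    has_bidi = any(is_bidi_format(c) for c in name)
    # The OS ignores formatting characters when resolving the extension.
    real = "".join(c for c in name if not is_bidi_format(c))
    shown = displayed_name(name)
    real_ext, shown_ext = extension(real), extension(shown)
    return {
        "displayed": shown,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_control": has_bidi,
        # Flag only when a bidi control makes an executable look like something else;
        # legitimate right-to-left names without an extension mismatch pass.
        "suspicious": has_bidi and real_ext in EXECUTABLE_EXTS and shown_ext != real_ext,
    }


def scan(names):
    """Return the names a gateway should quarantine."""
    return [n for n in names if analyze_filename(n)["suspicious"]]


# Sample names: the three from the SASFIS report plus one constructed benign file.
SAMPLE_NAMES = [
    "phone & mail)." + RLO + "slx.scr",
    "BACKS" + RLO + "FWS.BAT",
    "I-LOVE-YOU-XOX" + RLO + "TXT.EXE",
    "quarterly-report.xls",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = analyze_filename(n)
        print(f"shown as {r['displayed']!r:32} real ext .{r['real_extension']:4} suspicious={r['suspicious']}")
```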
History of major incidents
- September 2003: Taiwan was hit by Trojans sent from Chinese provinces, which damaged the networks of ten private companies.
- In April 2007, Estonian Foreign Minister Urmas Paet accused the Russian authorities of hacker attacks that paralyzed the operation of the stock exchange, hospitals, and the websites of government agencies and the media.
- In August 2009, attacks on the computer systems of oil pipelines in Georgia were carried out from the same network addresses used against Estonia.
- In January 2010, Google accused China of spying through the email accounts of journalists and dissidents.
- According to British media (February 2012), Russian hackers sell account numbers and payment card passwords belonging to a large number of UK residents. British data is sold on Russian websites for $30.
Information on UK residents became available after Russian attackers created a database on the Internet. For $300, hackers also offer access to a valid UK bank account with a credit limit of up to $13 thousand. Attackers steal confidential information by sending malware to users' computers. Fraudsters also attach special devices that read data from victims' credit cards in stores and restaurants. After theft, the data is copied onto blank cards, which can be used to pay in countries that do not yet use chip-based authentication of the payment card, as well as in e-commerce stores.
Notes
- ↑ on Countering the Use of Information and Communication Technologies for Criminal Purposes
- ↑ DIGITAL 2024 OCTOBER GLOBAL STATSHOT REPORT
- ↑ Major cybercrime operation nets 1,006 suspects
- ↑ The draft United Nations convention against cybercrime
- ↑ of the Reunited concluding session of the Ad Hoc Committee
- ↑ Transnational Crime in Southeast Asia: A Growing Threat to Global Peace and Security
- ↑ USD 300 million seized and 3,500 suspects arrested in international financial crime operation
- ↑ Middle East Cybersecurity Market with COVID-19 Analysis, by Component (Solutions and Services), Security Type (Network Security, Endpoint Security, Cloud Security, Database Security), Deployment Mode, Organization Size, Vertical - Forecast to 2027.
- ↑ Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
- ↑ Security methods: solutions that can withstand cyber attacks