Cloned Boy
TOP RUSSIAN HACKERS.
In this thread, the famous carder Sergey Pavlovich continues his conversation with Sergey Nikitin, Deputy Head of the Computer Forensics and Malicious Code Research Laboratory of Group-IB, one of the world's leading fighters against cybercrime.
Enjoy reading!
Did Group-IB, in cooperation with law enforcement agencies, identify those who are engaged in data encryption (ransomware)?
Pavlovich:
You are talking about these admins, these servers, the criminals themselves, well, the special services around the world, figuratively the NSA, identify them. So have you ever, with your office, Group-IB, cooperating with law enforcement agencies of the Russian Federation or the CIS, identified at least once who is engaged in these encryptions?
Nikitin:
Yes, yes, yes, we have several criminal cases, real ones, where there have already been searches, where people are now in pre-trial detention, so several groups that worked in Russia. Yes, it worked, it worked out to find people, but again, only after several episodes of encryption. Here the weak point for hackers is naturally that they are forced to correspond with people, if only to agree on how to pay the ransom.
It's like, it's a path, it's a thread to real cybercriminals, so yes.
Pavlovich:
But most often they just correspond by e-mail.
Nikitin:
Yes, there's Proton, whatever, but still these are all certain threads. These are certain threads to people, plus if there are several episodes, we immediately see that it's the same encryptor, the same style of letters, and so on. Well, otherwise it's really possible to find people, but, of course, there are tough groups, for example, like the situation with Garmin. Garmin is a huge company specializing in navigation equipment, and... Watches, sports watches, trackers, fitness trackers of all kinds.
Probably yes, if you're an ordinary user, then this is a GPS navigator and watches. Echo sounders. Yes, but in fact this is a dual-use product company, and a huge amount of navigation equipment in guided missiles, in American fighters, and so on. Well, ships, the navy.
Yes, it's also connected with Garmin, and something terrible happened: they encrypted them so strongly that people who buy watches, for example, in a store, can't activate them, because the servers are down, and these watches cannot be used. So, that is, they are, well, simply useless, and they were returned right there in the stores, that is, it hit their business so hard. Well, and yes, they have already written about it many times, they paid the ransom, as far as I remember, there were 100 bitcoins.
Pavlovich:
Well, for corporations, such a level, it's like going to McDonald's for me.
How to protect your data on devices
Nikitin:
Yes, but still, it's a blow to prestige, quite a serious one, and this again shows that they couldn't recover from backups. From here this is a very simple example: whether it is an individual or a legal entity, it doesn't matter. First, make backups on external media. And second, it needs to be done so that if your computer is hacked, it is impossible to delete and encrypt your backups. Here, I can give an example, that is, now there are many programs for backups, but if you have, say, a Mac, you can simply upload everything to iCloud or Time Machine. Everything is built in there, that is, you don't have to pay a subscription and so on. If Windows, there are many solutions there now, but what is their gimmick? Some of them can simply put a file with backups somewhere, and some of them work according to their own protocol. Well, that is, let's say, there is a client part and a server part.
Here you have a server, it just takes these backups from clients according to its protocol and stores them. And those that are not accessible from the network are ordinary, that is, it is not a Windows share, where you can go there. And then, naturally, even if you are hacked, it is not so easy to get there. That is why there is a joke about this, it means that all people are divided into three categories, those who do not make backups, those who already make backups and those who check the backups made, that is, we also had examples when people seemed to say, we backup, everything and so on, and then it turned out that at some point one engineer patched the version, he updated something like that and the format changed, but did not check, in short, backups from some date were all invalid, they stopped being made, were not made, but they are all broken. That is, sometimes you just need to check that the backups that are made, they are correct, they are recoverable at all. That's it. This is not an obvious thing, but just make sure that you backup something somewhere rarely, preferably sometimes, say, once a year and so on, but this is more for legal entities, of course.
Check that the backups you make are, firstly, accessible and correct.
Pavlovich:
Well, plus, look, depending on the importance and relevance of your information, how often you need to make backups. For example, in our company, in cashback, we do there, probably, well, once every three days, that is, someone may need daily backups, someone hourly backups, for someone it is enough to copy once every six months. And how did this story with Garmin end in general?
Nikitin:
They paid the ransom, actually, they decrypted everything, everything worked, but this is a strong precedent, there was a scandal, well, with shareholders, and in general, like, it is not very approved there, that they kind of paid you with a criminal. We got into that lucky 15%. And now recently there was news that some security guy from Uber, he got a term because they also paid cybercriminals, and he hid it, he was convicted there and so on.
This news just recently slipped through. That is, in the West, this is not very encouraged, and I know that many insurance companies do not allow this insurance to be paid to criminals. That is, they insure you against damage, but you cannot use this money, the insurance payment, to pay the villains to decrypt.
On the development of the insurance market and Client-Bank systems in the West
Pavlovich:
That is, in the West, this problem is partly, we can say, solved by the fact that you insure your entire computer network in special insurance companies.
Nikitin:
In fact, Sergey, the trick here is that in the West, insurance is generally much better developed, and they have been insuring their cyber risks very strongly for a long time, and very often they choose what is cheaper for them, to implement some technical means of protection, or simply to insure everything. Well, and very often they simply insure, and here is even an example with bank fraud, bank fraud against clients and so on, there are many who do not bother about this. In general their client banks are much worse than ours, that is, here, it seems, is an excellent example with our Tinkoff, which we talked about. If we even look in the States, they only have Apple Card, which appeared quite recently; it is at least somehow similar to our Tinkoff, right?
Pavlovich:
But you go to the site, with a login and password, they have online banking.
Nikitin:
There in general, well, it is like with us there, I don’t know, in the early 2000s, very primitive, but there a huge number of all things are solved through insurance. Here. We still have an insurance market, well, cyber risks are just emerging, that’s why, yes, they solve a lot of things with insurance.
Pavlovich:
Let's have some funny cases, from searches and all sorts of reactions, yes, because I have a friend, he was sitting there in America, well, with these tax refunds, he was doing something for 6 years, he is sitting now and he boiled a laptop, this is a well-known case, he boiled a laptop for 2 hours, held them under the door, they could not break into your apartment in America and if they do not have a clear confidence that someone is in the apartment and he tiptoed there, boiled a laptop and then stuck it in the freezer after that for 2-3 hours kept them there under the door, this is a funny case, but I know the only one like this, from your practice.
About work and responsibilities in Group-IB
Nikitin:
Yes, there are many cases, I'll tell you now. First of all, so that it is clear what I do in general, yes, that is, why I have these cases. The main task of our laboratory is to conduct some examinations and research. Yes, that is, they give us some disk and say, you know, something happened to us, we need to find out how it happened, and record it in the form of some kind of conclusion, which can then be some kind of evidence in court. Now, this could be a commercial organization, maybe law enforcement officers can contact, it could be a straight forensic computer examination, for example.
Here. And the trick is that from this data to get some kind of paper that will be understandable to lawyers and will be understandable to attorneys and so on, not techies, yes. But naturally, before receiving this object, you need to get it from somewhere, yes. But if it is a victim, everything is clear, we come to the victim, there we work with their network, make copies and so on. But it often happens that law enforcement asks us to participate in searches in order to correctly seize everything from hackers, because...
Pavlovich:
Well, and in detention.
Nikitin:
And in detention. Well, and in the search immediately with the contents, then they simply write a detention order there and that's it, that's it. And here's the whole trick, firstly, you need to very correctly formalize everything procedurally, reflect it in the protocol, because if they screw up, and we had such examples when they seized without us, yes, then we conduct an excellent examination, where everything is clear, we found everything there, and this evidence can be rejected, because the operatives, when they seized it, wrote the serial numbers incorrectly, everything, in general, was packed incorrectly, violated a bunch of different instructions.
Pavlovich:
Well, or they turned it on from their computer, looked through the files, and there the dates of file modifications or openings are already different.
Nikitin:
Yes, yes, yes. That's why we are often asked to participate in such events, so that everything goes smoothly. Plus, it often happens that, let's say, the villains have everything encrypted, yes, you need to go to them when their computer is working, and you need to, let's say, copy the encryption keys from the RAM in a certain way, while the computer is unlocked, and there are a lot of different tricks there, so that if something happens, you can get access there, and for this they also take us along.
Pavlovich:
That is, when, I will explain, we are talking about encryption programs, like I said in the last video, yes, about the glory of the CPSU, this song. When you have an encrypted disk, like DriveCrypt, BestCrypt, TrueCrypt, but now VeraCrypt, I forgot to tell you about VeraCrypt in the last video, now they mainly use VeraCrypt. It turns out that it creates an encrypted container on your disk, and all the information located there, if you, well, climbed into this disk, did what you needed to do and turned it off, then it is practically impossible to decrypt, especially if you use a long and complex password. Yes, but it is possible, here Sergey says that if you, for example, are climbing on this disk and it is not dismounted, well, in short, it is not disconnected from the computer, you are in it, and your password to this whole thing, even if you managed, when they broke down your door, to disable this encrypted container, the password with which you opened it is in your RAM, and they will come up, like shrimps will break you, they will take you away from the computer and suck this one from the RAM, this one from the stack.
Funny cases related to searches and detentions of cybercriminals
Nikitin:
Yes, yes, yes. In fact, it is not even a password, but ready-made keys, decryption, yes, and it will be possible to decrypt all this. There are a huge number of special cryptographic utilities that can do all this, well, this is a direct statement on their websites. Here. And the trick is when you need to enter correctly, yes, you need to prepare the operatives there again, well and there, let's say, if there are serious ones, that is, how to do it so that they, let's say, do not turn off the light, because the equipment will go out and the keys will disappear and so on.
You need to wait until the person sits down at the computer, there, makes himself some tea and so on, that's it. And, let's say, the traffic goes, yes, there, to the provider, all this can be tracked. That's it. And then all this can be correctly removed so that it can be investigated. And, naturally, there were very different situations.
So, the first situation was funny, how they caught one hacker, he was very fat, and he bought himself a Cayenne with the stolen money, you know, a big white diesel Cayenne, cool, so, and he registered on a local forum, well, it was in the regions, Porsche Club, so, and he used his nickname there, in general, and he showed up there, and he wrote there that he was so big that he climbed into this Cayenne, and he wiped the steering wheel, that is, he wiped the steering wheel with his belly, so, and so, in general, they found him, so.
The arrest itself was not very cool, in general, I can say that participating in arrests, well, and in searches, it is an excellent cure for cybercrime, because people who crawl and squeal after a flash-bang grenade explodes on broken glass, yes, and there are also dots flashing around from laser sights, now, this is an excellent sight.
Have you watched a movie with laser sights? Yes, yes, yes. We have a laser targeting unit in the Moscow SOBR, where I participated in the arrest. We entered through the door, true, but they entered through the window, and the man who, he was just sleeping, they broke his window and detonated a flashbang grenade, and he simply crawled over the fragments in horror, so, he drove in, and he crawled towards us. He crawled to the door, to the exit, and they were already entering.
Here. And this picture, it shows perfectly why I wouldn't want to be on the dark side, for example, yes, although Naturally, there, ten years of experience investigating all these things, it gives a huge store of knowledge, here, because there is always a risk that they will come to fate like this.
Here, and here there were very different cases, here, basically they are quite tragic, yes, that is, there, knocking on your door under some pretext, there, something else was flooded, well, these are banal pretexts.
Pavlovich:
I had this happen, remove the boxes, the first time it was flooded in Ukraine, I say, so I live on the first floor. Well, really, yes, basically I always had this with sleepiness. By the way, they often come at night, more often at night.
Nikitin:
Or how? Usually in the morning, usually in the morning. Well, early in the morning. Early in the morning. 6-5 there, yes. Even before everyone leaves for work. Usually it's early in the morning. Here. And the person opens the door, they barge in. That's it. But if you know that there is an experienced person there, let's say, who has already been detained, who is already prepared, they can enter through the window. That's it. Several times I suggested blowing up the interior wall, but it never worked.
Sometimes they blow up the door, but it all depends on the determination of the heavy commander. That is, you need to understand that an investigator is involved in the investigative activities, he is the guy who initiates the case, he leads it; operatives are involved, who generally help conduct the search; there is a group of heavy guys, guys with machine guns, with fers, with all sorts of special equipment. And in general, depending on what kind of villain is there, what is known about him, let's say that he is armed, there will be a different entry scenario. So, in general there were very different options, but mostly they are tragic, that is, there will be people there, yes, they are crawling there in horror, they are in a state of shock.

But there were also all sorts of comical moments, of course. We detained one villain who specialized in skimmers, that is, he made overlays for ATMs himself, and when they came to him, he had an ATM on the balcony, he just felt it was more convenient, he tried everything on it, yes-yes-yes. He had a huge number of cards, plastic and so on, like in criminal Russia. And there was a moment: he had a laptop, an SD card was inserted into it, well, and a micro-SD card was inserted into the SD card, and so the laptop was standing next to him, he was sitting there, they put a bracelet on him, well, in front, so to speak, he was sitting, he was so quiet-quiet-quiet. Well, and I was just constantly watching this laptop because, well, there is an order to a search, and when it comes to the objects there, I already sit down together with the witnesses and say let's take a look and so on. That's why I was looking at him all the time, and at some point I saw that he just quickly took out this card and was going to eat it, but the microSD is very small. Well, I poked the operative and said look what's happening, he broke it up and took the card from him, he said damn, like they saw it, and so on and so on.

And the operative told me a story about how their villain ate this card. They didn't know what to do, but in fact, there will be nothing in his stomach.
He didn't break it, didn't chew it, he just swallowed it. They ran and bought him some kind of laxative, liquid, colorless, tasteless, odorless. They poured him some kind of horse dose, and literally less than 10 minutes later this SD card was already ready on the potty. But this accused, he then also, perhaps in truth, that is, fairly, wrote a complaint to the prosecutor general's office against them, because they gave him such a dose that he then, in the Air Force and in the pretrial detention center there, took a shit for 4 days, couldn't stop.
That's it. It's kind of comical. There was one hacker, he even wrote a book about it, and such a pompous book.
Pavlovich:
Contagious, probably.
Nikitin:
There is a very pompous book there, from the series "How I Fought the Whole System" and "How Cool I Am", that's it. And he was already on the federal wanted list. What is federal, let's figure it out, is it all over Russia? All over Russia, yes. That is, they are looking for him in all regions, and he is in all the databases. That's it. He cannot buy, for example, a train ticket, tickets where necessary... There are even intercity buses where they sell only with a passport.
Pavlovich:
And the type of search above is, as far as I understand, interstate in the CIS countries, like the all-Union one used to be.
Nikitin:
Yes, and then international. Then it was international, that is, through Interpol, and in general, this hacker was exposed quite successfully, he did continue to communicate with his girlfriend, so they figured him out, but he had plastic surgery, his ears were sticking out and he made sure that they didn’t stick out, that is, just like in the movies, plastic and so on, so in general, he kept everything that was needed, all this dark material on a microSD card, and he thought that if something happened, he would simply break it or destroy it and so on.
And he simply went out for bread, and they accepted him right on the street. And when they went up to him, he just had a laptop and the card lying next to him. Human factor. And when he saw it, he just turned pale, completely changed his colors several times, and he was just about to encrypt it or something else, but in general
he didn’t get around to it, and yes, everything got caught.
Can liquid nitrogen “freeze” RAM?
Pavlovich:
And have you read, there are such cases, when everything that is currently contained in the RAM is extracted from the data. But if you reboot the computer, it is erased, you can’t turn it off.
Nikitin:
Yes, that’s right.
Pavlovich:
And I recently read a case where they cool the RAM with some kind of liquid nitrogen from a canister, so that at least some part, so that it doesn’t cool down so quickly, and some of the data can be extracted, even if in a broken form.
Nikitin:
Yes, it really works, that is, there is a kind of proof of concept of how it works. Roughly speaking, your RAM consists of cells, yes, like an SSD, but when the power goes out, they start to demagnetize, well, in fact, these very zeros and ones disappear, but if we fill it with this liquid nitrogen, there will be superconductivity, and these electrons, they will not leave so quickly, and while it is frozen, the RAM, it can be put in another computer and quickly dumped. So it is real? This is real, but, it means, for those who don't know, liquid nitrogen is carried around in such special Dewar vessels, it's a huge thermos, it's very heavy, and in order to fill, say, the same laptop, you need a lot of liquid nitrogen. So, in general, if you see that some person comes into the entrance with a huge thermos, barely dragging it along, you can probably get worried, but this is more, like, a horror story, yes, because, well, in reality, dragging it along with you to a search, this is not very realistic.
That is, in laboratory conditions it works great and you can really extract everything, but it is the practical applicability that is difficult. Plus, let's say, here is a Mac, yes, here while you take it apart, while you fill this RAM, it is here, let's say... This is more for home computers, where the case... Yes, it is generally soldered here, that is, here it is impossible to plug it in anywhere at all. Well, that is, something like this.
Have there been cases of the court not accepting evidence due to procedural violations?
Pavlovich:
How many times have you encountered in practice that evidence, yes, seized there with some minor procedural violations, is not recognized by the court. I will simply explain why. I am from Belarus and there, for example, they confiscate my laptop without packing or sealing it at all, one department of the KGB confiscates it, after 16 hours it already appears in the documents of the Ministry of Internal Affairs, but it was not packed and sealed in the presence of me and the witnesses, one department confiscated it, and then it was transferred to another. And I write that this is a direct violation of the criminal procedure code, and no matter how much you want it, it cannot be evidence and serve as grounds for initiating a criminal case. In Russia, for example, but no matter how many complaints I personally and all my friends wrote, they were never satisfied. That is, it doesn’t matter that it’s with violations, you’ll sit in jail in any case, that’s how it is in Russia.
Nikitin:
In fact, there are examples when it fell apart in the courts, especially in the courts of higher instance, and that's why I say that it's important to involve specialists in such hearings, so that everything is correctly sealed, described, yes. That is, you can write the model incorrectly, mix up the model, serial number, and so on, and the model, let's say, everyone has the same numbers, well, that is, it's not a unique identifier. And in fact it happened directly, that is, I was called to court as an expert, yes, there, for my expertise, for example, or for inspection, or something else, and it happened that some of the objects were directly excluded from the cases. Well, and in fact in Russia, what can I say, if we are talking about the Moscow region, Moscow and the region, police lawlessness does not occur at all, that is, everyone is very polite, everyone... Well, you are talking about computer matters specifically. Well, yes, well, it's like now, in fact, let's say, we are also involved in economic crimes, because we come to an office that is engaged in some kind of cashing, there are 100 computers there... No, well, on the one hand.
Pavlovich:
Smart, and on the other hand smart, that's how I got into this department, it is clear that they did not beat me there, yes, they sat, drank, well, everything is on the level. That is, even they will lock you up there for an hour, but it's not cattle, they won't beat you with rifle butts, like now in Belarus, they just beat women, children, old people, he's crazy for power, he shot that dictator.
Nikitin:
Yes, and that's why the whole search goes pretty decently, but in my practice there has never been any brutality. There was one time when one admin was warned not to lie. Well, he lied and got a slap in the face, but he didn't even complain, in principle it was fair. Well, and in general everything happened nicely, and there's even a whole problem here, for example, with the same phones, yes, that is, if they are blocked, not all of them can be unlocked so easily, well, and you need to find out the code-password in order to get in there, well, and no one tortures anyone there, yes, they don't beat out these codes-passwords. Well, this is really a real problem for the operatives, it often happens, yes, that they don't find them out, because they don't use any force there, not in the pre-trial detention center when they are sitting, it doesn't matter, or right at the time of the search. Well, that's why, let's say, in the Moscow region, yes, there is a fairly soft police here, and that's why, indeed, if they screwed up, they can remove you from the case, they can scold everyone else, or the judge can exclude it right during the trial, that is, there are examples, there are such examples, yes.
Do you crack encrypted disks and is it possible?
Pavlovich:
And if we have already touched on passwords, for example, how do you crack, well, phones, of course, there are all sorts of devices there, Israeli-made and so on, they cost from 15 thousand dollars and up, let's say, and they crack any phones, but we will talk about this now, but I wonder, for example, how do you crack and do you crack cryptocontainer disks encrypted with the same Veracrypt?
Nikitin:
VeraCrypt is a great example of strong encryption; if there is a strong password, nothing can be done with it. And in fact there is an example, not even ours, but the example of the NSA, who detained a Mexican fraudster, it is just a fraud, they confiscated his laptop, which at that time was encrypted with TrueCrypt, and they brute-forced it for seven years with all their powers and officially returned it to him, nothing, they could not break it. So if it really is some kind of strong container with strong encryption, nothing can be done with it, so the most important thing is that the password itself is strong.
Pavlovich:
Well, I once had, you know, this is how they opened my BestCrypt disks in Belarus, when I was arrested there for the first time. I had the same password for one of the cryptocontainers as in a mail program called The Bat!, and I just had that in The Bat! there was the same password as for one of the cryptocontainers. Well, they got it from The Bat! with a simple utility, and accordingly they opened one of my cryptocontainers, and this happened literally within the first day after the arrest. But then they were able to get passwords for two more disks, and all only because the first part was unchanged, and they knew that then there was an underscore and some other characters were added there, that is, they already brute-forced the remaining part, and all this took them about 2-3 days. Well, again, the human factor. Why did I have to set the same passwords for the mail there and for this one.
Nikitin:
Yes, this is precisely the question of resistance, that is, to be clear, there are utilities, what do they allow, for example, you have some volume of a person's correspondence and generally all his data on the computer, you can compile a unique dictionary from them, and use this dictionary to conduct a brute-force attack, this is always done, naturally, that is, if, for example, a person sent a similar password or something else, somewhere in the correspondence and so on, it doesn't matter where, that is, somewhere on the computer, all this data is used to pick up the password, Therefore, naturally, any similar passwords, similar, they are already unstable.
Well, and I also have quite a lot of examples of successful brute-force attacks. I probably have about 15. In percentage terms, did you have 100 encrypted disks? Probably a third. Probably a third or even a quarter, less than a quarter - these are successful brute-force attacks. Well, well, basically there really is either some password, or a password based on a pattern, just when it is somehow made understandable.
So, yes, passwords are very important, that is, passwords for encryption should be super strong, but there was a funny example when the cops detained a guy there, and they are trying to find out his password, and he is not very adequate, and he says, I don't remember it. They say, well, like, good, and he says, here, on the cabinet, on his cabinet there are some substances, he says, after these substances, I myself cannot go in there, like everything was completely knocked out. That's why it is desirable to have a password that you can really forget.
About methods of data protection and encryption
Pavlovich:
Look, right on the fly, I have been thinking about this for a long time, you just reminded me. I'm not sure, let's say, that I will withstand severe torture there, for example, and perhaps the pain that I or you or someone else will experience there seems stronger than the value of this data. Accordingly, is it possible to stir up such a system, for example, the same VeraCrypt, where there will be a dynamic password, for example, that's how I would do it wisely, yes, and simply, let's say you disappeared from the computer for a day, it is clear that something happened to you there, or something bad, well, most likely, it is unlikely that you got drunk. And is it possible to make it so that no matter how they torture you, you could not give the password even if you wanted to, but will you ever still be able to access it?
Nikitin:
There are three points here. First, there is such a thing as deniable encryption, you know how it works, the same TrueCrypt, I think, and now VeraCrypt allows you to do this. Let's say you have an encrypted container with Windows, in fact there are two Windows, and depending on which of the passwords you enter, you are given access to different systems. But this is one point. Yes, but, unfortunately, it is very difficult to deceive an expert here, because he will see simply by the occupied space, by the actual space used, that they match the container sizes.
That is, you can guess, yes, simply by entropy, that most likely this is not a real password. Yes, and again I will add here that an expert does not.
Pavlovich:
It will be, like him, he will not be on your computer, well, most often, to crawl all this and so on, he will simply remove your disk, connect to his workstation, which, again, is sold, yes, and costs many thousands of dollars there, if we buy in America, and he will simply crawl through your file system, where he, well, yes, he will see something like that, that you have not one Windows there, but two, let's say.
Nikitin:
Here. The second point is that there are excellent hardware tokens. That is, in addition to VeraCrypt itself, in order to decrypt you need to enter not only the password, but also insert, let's say, a token. A flash drive. Yes, a flash drive or a token, I have come across such things. And in fact, not everyone can understand that this is a flash drive, and these are actually keys. That is, well, USB, there is a flash drive, there is nothing, and there are no files on it at all.
There will be no files on it. So, they can simply forget about it, yes, that is, this has also happened, and hardware tokens are generally a problem in this sense, because it can be broken, it can be thrown away and that's it, even if you say the password, nothing will come of it. Well, and finally, there is a third option, there is an encryption system, I don't remember if VeraCrypt can do this, where there is a password for destroying data. Here. So, you say the wrong password and it destroys it? Yes, and it destroys the data, but at the same time, perhaps, they will destroy your eye, for example, or something like that.
After that. Well, that is, this is hysterical, that is, we are talking about some extreme illegal methods, yes, if you are already being tortured, this is already something beyond the pale, well, then perhaps the people who try will be very upset when they realize that the data has been destroyed, perhaps the most varied consequences. I just don't know what is worse.
Pavlovich:
In general, about 20 percent of passwords for encrypted cryptocontainers you opened, and most often this was due to the fact that you examined his correspondence and so on, and these were somewhere similar passwords, or you understood the general system for constructing his passwords.
Several stories of the arrest of real cybercriminals
Nikitin:
Yes. So, there was a case of a search of twin brothers, the Popelysh brothers, I can name them, because we have a press release on this matter. These are two twin brothers, they were engaged in fraud, specifically against individual clients of the bank, and they received convictions there, that's it.
Pavlovich:
You say that you immediately recognize a policeman in you, because a normal person, he says, is a convict. But everyone who is related to law enforcement agencies or the SIN, the executive penitentiary system, they say, is a convict.
Nikitin:
Yes, yes, yes. And also search, all that. Well, you talk to them, and at some point, I myself am a complete civilian, that is, I got a job at Group-IB as a student and worked there, and I still work there. And at some point, we already interacted so much with law enforcement, there wasn't that much of it, now we mostly deal with commercial orders,
but at first we closely helped law enforcement, and at some point I realized that I had learned to see cops in a crowd, that is, they are in civilian clothes, yes, and I know without fail that these are definitely some kind of police officers and so on. They were still militia officers at that time, even before all these recertifications. So, such a skill was acquired. Well, and in fact, regarding convicts and so on, this is more the experience of speaking in court, yes, because the operatives never call them by any big words, that's it.
But in the courts, there is this whole system, there is a state prosecutor, a lawyer, they use these terms, that's where they come from. I have appeared in court quite a lot on a variety of cases. So, the Popelyshes had an interesting thing: in general, special forces were breaking down their door, and they had a very strong door, and the special forces were afraid to blow it up, so they sawed it down, they sawed it, probably for three hours, and one of the brothers, he actually put the hard drive on a special electromagnetic gun, well, it simply demagnetizes it, yes, that is, they had a purchased electromagnetic gun, there is a whole installation... Another thing, now. No, by the way, it is even sold completely legally. On Aliexpress. No, even by companies, legal entities in Russia that trade in them, they can even be built in; if you take a PC case, there is a drive cage, you can build it right under the cage, and there will be, let's say, another button on the case, that is, even a real industrial sample, not some kind of homemade one.
Look, they had a homemade one, we even conducted an investigative experiment that it really destroys disks, without any options at all, that is, the heads lie on the surface, well, in general, everything is bad there.
Pavlovich:
And how much time is needed for it to lie on it, let's say? 30-40 seconds.
Nikitin:
Yes, yes, yes. By the way, I can immediately dispel one myth about residual magnetization. In short, there is such a myth that you can always recover data from a hard drive, even if it is broken, that you can read these tracks with an electron microscope and get the data. Well, the trick is that around 2010, the companies that produce disks switched to perpendicular recording technology. That is, roughly speaking, there are several layers of magnetization.
Because of this, now if something happened to the disk, it is impossible to understand the depth with an electron microscope and read it, whereas earlier it was linear, here is one depth and here is another depth, and now with the recording density, which is also somewhere around 4 terabytes and so on, there is still crookedness and, in short, there is a mess if something is deleted. It turns out that this was connected with the fact that data needed to be overwritten many times; they thought that with residual magnetism, rewritten once, you could immediately read the old data with an electron microscope.
Now even according to the guidelines of some intelligence agencies in the USA, they say that if, as far as I remember, it is "for official use only" (restricted), then it can be overwritten once, just once, and if it is secret or top secret, the disk must be destroyed in a blast furnace. Well, but I mean that a single overwrite is more than enough, unfortunately, nothing ... Yes, now. On modern high-density disks.
And if the disk is badly damaged, it is almost impossible to read anything from it.
Pavlovich:
Well, we are talking about the fact that to delete data, simply deleting it to the trash bin or even emptying the trash bin is not enough. You need to use a program like BCWipe, well, Jetico's BestCrypt Wipe, well, and all sorts of other wipers, which simply write some other information in place of your deleted information. And so you say once, now already...
Nikitin:
Yes, if you completely overwrite the disk once, then that's it, it is practically impossible to recover the data. Of course, this takes time. But wipers, they generally delete for a very long time. Yes, it is not a fast process, but the fact is that they demagnetized the disk and apparently they just panicked; one of the brothers was taken right on the spot, and the second one remained on the other side of the door, and he just panicked, apparently, and he started flushing five-thousand-ruble bills down the toilet, some flash drives, and so on, but he didn't know that there was a mesh in the collector anyway, and it all got clogged up, and as a result, all this...
Pavlovich:
Well, the mesh is just a standard plumbing mesh.
Nikitin:
I remember very well, there was just a sea of five-thousand-ruble bills, which were all like that, all knocked down by the water. Here, there was another example, when we detained one fraudster, he was specifically responsible for cashing out, here, a completely normal apartment, the only thing is that he was unemployed and rented an apartment in Moscow for 100 thousand a month, but he just had a huge bag at home, where, as far as I remember, there were something like 15 million rubles, 40 thousand dollars and 40 thousand euros, and he was like, yeah, I don't trust banks, I keep everything there, that's it, such a cheerful guy.
Pavlovich:
In short, the cash-out guy kept 300 thousand dollars, but in reality it's nothing, because these Zakharchenkos and this one, who was arrested after him, they have hundreds of millions of dollars in cash, what are these 300 thousand unfortunates.
Nikitin:
Yes, yes, yes. And there was also a search in one bank, there was some bank that was cashing out, and it was so funny, we came to the office of the deputy chairman of this bank, who was in charge of all this, and he, I remember, also had a bag, there was something like 15 thousand dollars, 15 thousand euros, several different passports, and an Adidas tracksuit. And he also had a ticket with an open date, a ticket to...
Pavlovich:
That is, there are such tickets where the date is not indicated, and you come to the airport, and if there is a seat, then you fly to any.
Nikitin:
Day or what? Some airlines offer such tickets for regular flights, that is, they are called open-date.
Pavlovich:
Well, that is if there is a seat on this flight, of course.
Nikitin:
Yes, probably yes, I don’t know about that, but I saw such a ticket, and it’s just funny, again, I just remembered about the bag. Well, well, something like that.
The most high-profile solved cybercrimes and hacker attacks
Pavlovich:
The most high-profile solved crimes, you said about this Popelysh?
Nikitin:
Well, that one was included there, and there was also this Paunch, yes, he's really cool, exactly as a tech guy, he wrote his own exploit kit, and this exploit kit was so famous that even Western intelligence agencies bought it from him, so that they could use it.
Pavlovich:
Well, tell me for ordinary viewers, who have a poor understanding of technology, what an exploit kit is.
Nikitin:
Yes, an exploit kit is a set of programs that exploit vulnerabilities, for example, in visitors' programs, and the trick is that he did not write a Trojan, he actually collected and wrote, compiled this set of programs for exploitation, and he sold it as a service, that is, it was SaaS there, yes, that is, he says, I can distribute any of your Trojans to anyone, just using my exploit kit; it's like a delivery tool, that is, it exploits visitors' vulnerabilities, and they upload any Trojan.
And this can even be on a schedule. One Trojan is uploaded during the day, another Trojan is uploaded in the evening.
Pavlovich:
Well, by the way, it’s quite convenient, because in the evening, for example, people download porn more often, yes. It’s convenient to upload a banking Trojan during the day, because some financial people can go to online banks at work. In the evening, there, porn, accordingly, you can upload a Trojan to turn it into a bot and then send spam through it, use a proxy there.
Nikitin:
Yes, in general, he himself, as an entrepreneur, yes, he opened a platform, he introduced technical support, he deleted old exploits, he made sure that they were not detected by antiviruses and so on. Did he work for a long time? Probably enough, about a year and a half, that's it. But he contacted the guys from the Carberp group, we also have a press release about them, it was a banking Trojan, the Carberp group, that stole money from legal entities and individuals. And they spread Carberp through his exploit kit, because of which he also became interesting to law enforcement and was detained.
There were several groups associated with Android Trojans. Probably the funniest of them was the group "Fifth Reich".
Pavlovich:
I think many of them are watching you now, because they wrote to me "ezon karber", they didn't write, but the top brass knows, they are in touch, that means.
Nikitin:
The Fifth Reich, there was a very odious owner of this botnet, there is a photo of his arrest, he had an eagle laid out in the tiles of his bathroom, this one, well, not of fascist Germany, they need to throw in some cool photos, and I think it is there, in my opinion, it is even in the press releases, so, in general, and he has an admin panel, the admin panel of this botnet was there, The Fifth Reich and so on, well, there is something unusual here too.
Well, what else was so loud? There was the Hodprot group, also banking Trojans, and, let's say, we investigated many incidents of the Lurk group, now, by the way, they are on trial, I don't know if it's over or not over yet, there is the head of this group, he actively runs a Facebook page, well, he writes a lot of things there, well, interesting things.
Well, I was called three times to inquiries via videoconference, because the trial is taking place in Yekaterinburg, but we did not detain the group there, did not investigate it, Kaspersky did that, we specifically studied the victims, that is, we examined the computers of their victims, there were quite a lot of them all over Russia. They are also very cool guys, specifically in technical terms: firstly, they were the first to write a Trojan for 64-bit systems, that is, this was a long time ago, when 64-bit Windows 7 was something new. Well, and they were the first to write their cool Trojan Lurk. It allowed them to penetrate one client-bank system written in Java, and it allowed them to change the details in it on the fly.
And there was an example when it looks like this. A person, let's say, a businessman, he goes into his client-bank, he makes payments, his money was stolen, but the Trojan allowed recalculating the amounts, and he does not see this particular transaction. That is, he does not see malicious transactions. Statements. Yes, yes, yes. And he says, my money was not stolen, what are you saying, like everything is fine with me on my computer. And the accountant tells him, I can't make payments, we have zero in the account.
He says, well, look, everything is fine with me. That's it. That is, the Trojan was intelligent, it knew how to recalculate all this and forge it. And when you explain to him, showing on another computer that in fact the money was stolen, that's it. I just had an example that we went there with bank representatives, come on, they call the bank and so on, and there this CEO practically ran after the bankers with an axe, they say, this can't be, I have my money here, it's all in place; that is, technically the Trojan was very cool, but this group at some point started stealing money from banks together with another group, Buhtrap, that is, they accuse each other there, they, in general, drag in all sorts of things, well, on this Facebook, yes, there, that they were recruited, well, in general, all sorts of things, but it was precisely how cool the Trojan was, and the group itself, this huge group, was detained, and they worked for a really long time, they worked for probably almost 5 years.
Are hackers attracted to cooperate with law enforcement agencies in Russia?
Pavlovich:
Do law enforcement agencies in Russia involve, well, it is clear that you may not know in most cases, but do they involve any hackers, active or former ones, in cooperation? Why I ask, because I am asked this question very often, and personally I do not have such acquaintances in my practice.
Well, let's say from Belarus, and I've never been offered a similar type of cooperation, how is it in Russia?
Nikitin:
Yes, I'll tell you. In fact, we don't hire, for example, former hackers to work for us, although we could have them in the department there to test for penetration and so on, for the reason that in most cases, people who, especially on a large scale, well, stole money, their psychology simply changes, yes, they are not very ready to sit in an office to work, well, and here we are talking about their moral qualities. Well, okay, you have your reasons. I'm talking about the special services.
And the special services, this is how it usually looks, yes, that is, how everyone imagines it, that, let's say, if we are talking about Russia, you will be put in intelligence there, you will break the Pentagon. Well, conditionally, conditionally. In fact, hackers are actively used, but mainly used as agents, that is, as agents, as informants. That's it. Because in order to, for example, tell a hacker about some attack, we need to hack, let's say, some enemy government organizations.
You still need to tell him the background, you need to tell him top secret information, you need to trust him, yes, and this is impossible, well, they simply will not pass these checks with the special services.
Pavlovich:
But the level of commercial hackers is probably higher,
Nikitin:
Than those who work for the government? - There are much higher, yes, that is, there are examples when it is much higher, although now we have all sorts of scientific companies there, yes, well, and it is known that almost all large countries now have their own cyber intelligence units. The Americans regularly accuse us of being Russian hackers. Well, like the GRU, there, if there were battalions there...
Pavlovich:
Well, that is, these are no longer myths, right?
Nikitin:
Well, no, these are not 100% myths, because I, for example, personally met with Chinese Trojans, Chinese hacker groups that attack our enterprises, and I can practically see even by the time when they start working, they have a different time zone there in China, they got up there in the morning to form up, dispersed, that is, in this part, and that’s it, they started working, it’s clearly visible that it’s Chinese time there, and that’s why there are exactly the same accusations from the relations between the USA and Russia, they accuse us, and, roughly speaking, they attract precisely, well, precisely cybercriminals almost never directly, that is, only as informants, or there are also examples specifically about virus writers. I just always single out virus writers as a separate class, because very often they are normal programmers, even high-class ones, and they do not directly participate in fraud at all.
They wrote their own thing, sold it, support it, but they themselves do nothing, do not steal, nothing like that.
Pavlovich:
Well, you know, there is such a legislative boundary, I simply encountered it in my business and in America, but you know how it sounds, if you knew that it was used to steal money, or to hack the Pentagon, then that's it, they'll come.
Nikitin:
No, from a legal point of view, everything is as you say, that is, they will be held accountable 100%, I mean that they are often not involved in this criminal process itself, but sometimes special services can buy some modules from them. So, there are examples when, for example, Russia is accused there on the basis, let's say, that somewhere there is Cyrillic in some module of their malware, and the trick is that this module, perhaps, was bought in the Darknet, or written for them on order in the Darknet.
That is, pro-government hacker groups do not shy away from using any tools and can also buy them, or even outsource the writing, but they carry out the attacks themselves, naturally, independently, without involving, as a rule, any of the black hats.
That is, as agents, as informants without problems, even as consultants sometimes, yes-yes-yes, but not as real, directly active fighters.
On the purchase of "0-day" vulnerabilities
Pavlovich:
Well, in exactly the same way, American intelligence agencies, yes, and all sorts of former agents who have retired, you know what they do, well, I just know, both directly and through intermediaries with such people, they simply buy up vulnerabilities all over the world for hundreds and millions, well, there are vulnerabilities for five hundred thousand dollars, they buy up vulnerabilities for their own just for exploits for the American government.
Nikitin:
Yes, there are even entire companies that are officially engaged in buying up these vulnerabilities, there are even price lists, for example, now a full chain on iOS costs one and a half million dollars. What is a full chain? It means that you don’t need to do anything, it’s a full chain of all the viruses that are needed to infect a user, yes, that is, a person simply opens a page and there must be a full set of tools to get full access to his iPhone. One and a half million dollars.
One and a half million dollars, and for Android now it’s a million dollars, also a full set, that is, not just a vulnerability, yes, they buy up, but a ready-made toolkit, it’s just that the vulnerabilities are cheaper there, in my opinion, 500 thousand, or something.
Are Russian-speaking hackers the best in the world and why?
Pavlovich:
Let this sound a little subjective, but in your opinion, are Russian hackers, where we include programmers, the best in the world?
Nikitin:
I would say, as a rule, the media and the Americans and politicians, they incorrectly accept this term "Russian hackers". I can say that Russian-speaking hackers are definitely the best in the world as engineers, because simply by studying a huge amount of malicious code, ours really write and do better than anyone else.
Pavlovich:
What do you associate it with, that it is in the CIS, and I will tell you, it is Russia more, and they are wrong when they say Russia, because Belarus is also a little bit, because there are more carders in Ukraine, more scammers. But I personally know about 20 hackers in the world, yes, this is Chelyabinsk, then it is Syktyvkar, there is Scorpio, yes, Drinkman and his brothers, then I only know one person who hacked the SEC there, this American stock exchange, and generally very large targets from Ukraine, basically all top hackers, well, I know a few from Belarus, basically out of these 20 people, 14 of them will be from Russia, that is why probably the media are right when they say, well, Russian, well, of course, like you and me, we live here, we understand that this is the entire CIS, but what do you associate with what exactly, how did it happen, yes, what exactly, well, like Swiss watches, yes, we conditionally consider the best in the world, why exactly this land, Russian hackers, Russian-speaking ones, are the best in the world, in your opinion?
Nikitin:
Subjective view? Well, there are actually a number of reasons, the first of which is the excellent Soviet education, which they didn’t have time to ruin, and hackers are mostly young people under 40, that is, they still received, well, maybe in the 90s, a school education, but all the same, it’s still the remnants of Soviet education, this is the first, that is, an engineering education, I’m not saying that it’s higher education, and most of the hackers that I know either have no education or an incomplete higher education.
And this, by the way, is not important at all, because they are mostly self-taught and so on. But the base, the school base, it’s excellent, and this is the first thing in the dispute. Secondly, a huge number of these young people were unable to realize themselves, that is, many of them are from the regions. There are very few hackers from Moscow, and most of them, from whom I know, again, are from the regions, because they could not find a normal job there.
I remember we were detaining, well, my colleague was detaining a DDoSer near Irkutsk, that is, it was in Irkutsk, and there was another city near it, and there was a guy there who was DDoSing, and he was earning quite well, tens of thousands of dollars a month, by local standards, I mean. So, we came there, well, they came there, and there was this plump young man, very young, so, he says, I have little choice, we either mine coal here, and I have, he says, asthma, or, he says, pluck chickens at a poultry farm, and I have an allergy, he says.
That's why I was doing DDoS, that's it, but there is no other work in the city at all.
Pavlovich:
First education, the second was not realized, well, there is no opportunity for realization.
About punishment for cybercrimes in Russia: how it was before and how it is now?
Nikitin:
Yes, and leniency, leniency of punishment for crimes, that is, for a long time we had, there were only these three computer articles, and if anyone does not know, there is the third article, it is not working at all, it is like improper use of computers in the network, in general there are practically no cases under it, and it is not working. Only two articles, the first is illegal access to legally protected computer information, and the second is the creation, distribution of viruses, programs or computer information and so on.
Pavlovich:
Is there anything here under the Russian Criminal Code, similar to the Belarusian 212, this is theft using computer equipment?
Nikitin:
Now I will finish this, yes. Initially, there were these three articles, one of which was completely inoperative, that is, two, and there, if this is the first sentence, the first time, then there is almost always a suspended sentence, and the article itself, related to fraud, 159, it had no sub-clauses at all, and there was nothing about it, and there was a separate explanation from the Supreme Court about how to apply it, and that, for example, through remote banking (DBO) it is fraud, because in fact the villains seem to be abusing the bank's trust and so on, legal casuistry. But then amendments were made to the Criminal Code, and now we have 159 part 6, which is specifically fraud using computer equipment, and there is also a separate fourth, I think, specifically with bank cards, and now they are judged on a combined basis, that is, there are computer articles, yes, that is exactly it, but computer articles have long ceased to be an end in itself, that is, no one is interested in just illegal access, yes, and for some reason it... Well, they are looking for money. Yes. And there is already the next article. And there you can already prove damage, but in fact, according to Russian punishment, a million rubles is already an especially large amount. And this is awesome.
Pavlovich:
Well, in Belarus it is even less, there 10-12 thousand dollars, well here 15 thousand.
Nikitin:
Yes, and it's fucking awesome, what a term, there already, that is, if there is also a proven computer article, they will be added up, and there you can even get 8 years for the first time, well, that's pretty harsh.
Pavlovich:
But with all this, you know, in Russia this has long been an expression from the old days, I don't remember which classic said that in Russia the severity of the laws is compensated by the non-obligation of their implementation. And I still see guys who, having stolen a million dollars, get five years.
Nikitin:
Conditionally. Of course, there are examples, but that is weak legislation, yes. For example, we still have a huge number of cybercrimes, which are singled out as separate ones all over the world, that do not exist here at all. The same DDoS, the same spam and so on, and here it is very difficult; with DDoS, let's say, you need to prove that you have a botnet, these are already viruses, which will attack someone, which led to the blocking of information. Well, what should a DDoSer be judged for then?
No, what, from practice, how is he judged? He is judged under a combination of articles, that is, he is judged for distributing bots with which he DDoSes, and he is judged for the fact that bots blocked information on some resource, but all this is so complicated for lawyers, investigators and judges that in general, well, in court it looks very, very sluggish.
Pavlovich:
And what if he rented a ready-made bot from someone, essentially?
Nikitin:
I can tell you, there was even an example when a person was providing anti-DDoS protection, and one of his clients was a whore site, that is, brothels, individual girls, and he was tried for involvement in prostitution together with this group, because he was protecting them.
Pavlovich:
This is already going too far, of course.
Nikitin:
And he says, yes, from me, he says, anyone can buy my services, they just change the A-record, yes, and that's it, I protect, my IP appears there instead of theirs, and I just, I don't even, he says, know what these clients are doing.
Pavlovich:
Yes, I admit it, I use DDoS-Guard, and, of course, tomorrow I'll change it, and they won't see anything at all that I changed there.
Nikitin:
Well, and that's why, well, there are absurdities, yes, there are absurd situations, but weak legislation. That's a minus. So that all participants in the process understand why they are being tried, how they are being tried. Even something banal. We have what's called malware. But there is no definition of what malware is. That is, the Criminal Code has an article on malware, but there are no criteria for harmfulness and a definition in the Criminal Code.
That's it. And it turns out that, it turns out, harmfulness is a legal concept. And an expert, like me, a techie, he cannot say that a program is malicious. I can say that, look, the program does this, that, that, and only the court or the investigation can recognize, yeah, we believe that these actions are malicious. I have an example in practice.
Pavlovich:
But then, on the other hand, in this case the yardstick, yes, you are acting like that, you can turn it in this direction and in that. The judge may also turn back, because clear criteria are not spelled out.
Nikitin:
That's right, that's exactly what I'm talking about. That is, I, as an expert, always simply describe the functionality of the malware, I say, this is what it does. That's it. And then they decide what and how, and in the courts, as it were, this has long been a well-established practice, but this is always a problem, even for the defendants, they would like, well, some greater understanding in the process. That's it. And again, there are some kinky examples, Time Machine, which we just talked about, I know an example of one court decision, where Time Machine was accepted, recognized as a malicious program.
And I'll tell you how it happened. The admin set up Time Machine on the boss's computer, and Time Machine was dumping these backups onto a Time Capsule, and he was stealing them from there. And it turns out that Time Machine acted as a Trojan, because the boss did not know that these backups were being made, and the court recognized Time Machine as malicious in this particular case.
Because it's not just the program itself that's important, but also how and for what it was used, all these legal circumstances.
Pavlovich:
It's good that we're doing this so that more talented Russian guys don't end up behind bars, and we know them as the creators of Google.
To be continued...
In this thread, the famous carder Sergey Pavlovich continues his conversation with Sergey Nikitin, Deputy Head of the Computer Forensics and Malicious Code Research Laboratory of Group-IB, one of the world's leading fighters against cybercrime.
Enjoy reading!
Contents:
- Has Group-IB, in cooperation with law enforcement agencies, identified those involved in data encryption (ransomware)?
- How to protect your data on devices
- On the development of the insurance market and Client-Bank systems in the West
- About work and responsibilities at Group-IB
- Funny Cases Related to Searches and Detentions of Cybercriminals
- Can liquid nitrogen "freeze" RAM?
- Have there been cases where evidence was not accepted by the court due to procedural violations?
- Do you open encrypted disks and is it possible?
- About methods of data protection and encryption
- Several stories of real cybercriminals being detained
- The most high-profile cybercrimes and hacker attacks solved
- Are hackers in Russia being recruited to cooperate with law enforcement agencies?
- About buying "0-day" vulnerabilities
- Are Russian-speaking hackers the best in the world and why?
- On punishment for cybercrimes in Russia: how it was before and how it is now?
Did Group-IB, in cooperation with law enforcement agencies, identify those who are engaged in data encryption (ransomware)?
Pavlovich:
You are talking about these admins, these servers, the criminals themselves, well, the special services around the world, figuratively the NSA, identify them. So have you ever, with your office, Group-IB, cooperating with law enforcement agencies of the Russian Federation or the CIS, identified at least once who is engaged in these encryptions?
Nikitin:
Yes, yes, yes, we have several criminal cases, real ones, where there have already been searches, where people are now in pre-trial detention, so several groups that worked in Russia, yes, it worked, it worked out to find people, but again, after several episodes of encryption, here the weak point for hackers is naturally that they are forced to correspond with people, but so that they simply agree on how to pay the ransom.
It's like, it's a path, it's a thread to real cybercriminals, so yes.
Pavlovich:
But most often they just correspond by e-mail.
Nikitin:
Yes, there's Proton, whatever, but still these are all certain threads. These are certain threads to people, plus if there are several episodes, we immediately see that it's the same encryptor, the same style of letters, and so on. Well, otherwise it's really possible to find people, but, of course, there are tough groups, for example, like the situation with Garmin. Garmin is a huge company specializing in navigation equipment, and... Watches, sports watches, trackers, fitness trackers of all kinds.
Probably yes, if you're an ordinary user, then this is a GPS navigator and watches. Echo sounders. Yes, but in fact this is a dual-use product company, and a huge amount of its navigation equipment is in guided missiles, in American fighters, and so on. Well, ships, navy.
Yes, it's also connected with Garmin, and something terrible happened, they encrypted them so thoroughly that people buying watches, for example, in a store, couldn't activate them, because the servers were down, and these watches could not be used. So, that is, they were, well, simply useless, and they were returned right there in the stores, that is, it hit their business so hard, well, and yes, they have already written about it many times, they paid the ransom, as far as I remember, it was 100 bitcoins.
Pavlovich:
Well, for corporations, such a level, it's like going to McDonald's for me.
How to protect your data on devices
Nikitin:
Yes, but still, it's a blow to prestige, quite a serious one, and this again shows that they couldn't recover from backups, and from here this is a very simple example, it doesn't matter whether it is an individual or a legal entity. First, make backups on external media. And second, it needs to be done so that if your computer is hacked, it is impossible to delete and encrypt your backups. Here I can give an example, that is, now there are many programs for backups, but if you have, say, a Mac, you can simply upload everything to iCloud or Time Machine. Everything is built in there, that is, you don't have to pay a subscription and so on. If Windows, there are many solutions there now, but what is their trick? Some of them can simply put a file with backups somewhere, and some of them work according to their own protocol. Well, that is, let's say, there is a client part and a server part.
Here you have a server, it just takes these backups from clients according to its protocol and stores them. And those are not accessible from the network in the ordinary way, that is, it is not a Windows share where you can just go in. And then, naturally, even if you are hacked, it is not so easy to get there. That is why there is a joke about this, that all people are divided into three categories: those who do not make backups, those who already make backups, and those who check the backups they have made. That is, we also had examples when people seemed to say, we back up, everything and so on, and then it turned out that at some point one engineer patched the version, he updated something and the format changed, but did not check, in short, backups from some date were all invalid, they stopped being made, that is, they were not made, or they were all broken. That is, sometimes you just need to check that the backups that are made are correct, that they are recoverable at all. That's it. This is not an obvious thing, but if you back up something somewhere, just make sure to check it at least rarely, preferably sometimes, say, once a year and so on, but this is more for legal entities, of course.
Check that the backups you make are, firstly, accessible and correct.
Pavlovich:
Well, plus, look, depending on the importance and relevance of your information, how often you need to make backups. For example, in our company, in cashback, we do it there, probably, well, once every three days, that is, someone may need daily backups, someone hourly backups, for someone it is enough to copy once every six months. And how did this story with Garmin end in general?
Nikitin:
They paid the ransom, actually, they decrypted everything, everything worked, but this is a strong precedent, there was a scandal, well, with shareholders, and in general, like, it is not very approved of there that you kind of paid a criminal. We got into that lucky 15%. And now recently there was news that some security guy from Uber got a term because they also paid cybercriminals, and he hid it, he was convicted there and so on.
This news just recently slipped by. That is, in the West, this is not very encouraged, and I know that many insurance companies do not allow the insurance payout to be paid to criminals. That is, they insure you against damage, but you cannot use this money, the insurance payment, to pay the villains to decrypt.
On the development of the insurance market and Client-Bank systems in the West
Pavlovich:
That is, in the West, this problem is partly, we can say, solved by the fact that you insure your entire computer network in special insurance companies.
Nikitin:
In fact, Sergey, the trick here is that in the West, insurance is generally much better developed, and they have been insuring their cyber risks very heavily for a long time, and very often they choose what is cheaper for them, to implement some technical means of protection, or simply to insure everything. Well, and very often they simply insure, and here is even an example with bank fraud, bank fraud against clients and so on, there are many who do not bother about this, in general their client-bank systems are much worse than ours, that is, here, it seems, is an excellent example with our Tinkoff, which we talked about, if we even look in the States, they only have Apple Card, which appeared quite recently, it is at least somehow similar to our Tinkoff, right?
Pavlovich:
But you go to the site, with a login and password, they have online banking.
Nikitin:
There, in general, well, it is like with us there, I don't know, in the early 2000s, very primitive, but there a huge number of things are solved through insurance. Here, our insurance market, well, for cyber risks, is just emerging, that's why, yes, they solve a lot of things with insurance.
Pavlovich:
Let's have some funny cases, from searches and all sorts of reactions, yes, because I have a friend, he was sitting there in America, well, with these tax refunds, he was doing something for 6 years, he is sitting now, and he boiled a laptop, this is a well-known case, he boiled a laptop for 2 hours and held them at the door. They could not break into your apartment in America if they do not have a clear certainty that someone is in the apartment, and he tiptoed there, boiled a laptop and then stuck it in the freezer, and after that for 2-3 hours he kept them there at the door, this is a funny case, but this is the only one like it I know, now from your practice.
About work and responsibilities in Group-IB
Nikitin:
Yes, there are many cases, I'll tell you now. First of all, so that it is clear what I do in general, yes, that is, why I have these cases. The main task of our laboratory is to conduct examinations and research. Yes, that is, they give us some disk and say, you know, something happened to us, we need to find out how it happened, and record it in the form of some kind of conclusion, which can then be some kind of evidence in court. Now, this could be a commercial organization, or law enforcement officers may contact us, it could be a straightforward computer forensic examination, for example.
Here. And the trick is to get from this data some kind of paper that will be understandable to lawyers and attorneys and so on, not techies, yes. But naturally, before examining this object, you need to get it from somewhere, yes. If it is a victim, everything is clear, we come to the victim, there we work with their network, make copies and so on. But it often happens that law enforcement asks us to participate in searches in order to correctly seize everything from hackers, because...
Pavlovich:
Well, and in detention.
Nikitin:
And in detention. Well, and in the search, immediately with the contents, then they simply write a detention order there and that's it. And here's the whole trick, firstly, you need to formalize everything very correctly procedurally, reflect it in the protocol, because if they screw up, and we had such examples when they seized without us, yes, then we conduct an excellent examination, where everything is clear, we found everything there, and this evidence can be rejected, because the operatives, when they seized it, wrote the serial numbers incorrectly, in general everything was packed incorrectly, violating a bunch of different instructions.
Pavlovich:
Well, or they turned it on from their computer, looked through the files, and there the dates of file modifications or openings are already different.
Nikitin:
Yes, yes, yes. That's why we are often asked to participate in such events, so that everything goes smoothly. Plus, it often happens that, let's say, the villains have everything encrypted, yes, so you need to go to them when their computer is running, and you need to, let's say, copy the encryption keys from the RAM in a certain way, while the computer is unlocked, and there are a lot of different tricks there, so that if something happens, you can get access there, and for this they also take us along.
Pavlovich:
That is, I will explain, we are talking about encryption programs, like I said in the last video, yes, about the glory of the CPSU, this song, there, when you have an encrypted disk, like DriveCrypt, BestCrypt, TrueCrypt, but now VeraCrypt, I forgot to tell you about VeraCrypt in the last video, now they mainly use VeraCrypt, and it turns out that it creates an encrypted container on your disk, and all the information located there, if you went into this disk, well, did what you needed to do and turned it off, then it is practically impossible to decrypt, especially if you use a long and complex password, yes. But it is possible, here Sergey says, if you, for example, are working in this disk, it is not dismounted, well, in short, it is not disconnected from the computer, you are in it, and your password to this, to this whole thing, even if you managed, they broke down your door, you managed to disable this encrypted container, but the password with which you opened it is in your RAM, and they will come up, break you like a shrimp, take you away from the computer and suck this one out of the RAM, this one from the stack.
Funny cases related to searches and detentions of cybercriminals
Nikitin:
Yes, yes, yes. In fact, it is not even a password, but ready-made decryption keys, yes, and it will be possible to decrypt all this. There are a huge number of special cryptographic utilities that can do all this, well, this is stated directly on their websites. Here. And the trick is, when you need to enter correctly, yes, you need to prepare the operatives there again, well, and there, let's say, if there are serious ones, that is, how to do it so that they, let's say, do not cut the power, because the equipment will go off and the keys will disappear and so on.
You need to wait until the person sits down at the computer, there, makes himself some tea and so on, that's it. And, let's say, the traffic goes, yes, there, to the provider, all this can be tracked. That's it. And then all this can be correctly removed so that it can be investigated. And, naturally, there were very different situations.
So, the first situation was funny, how they caught one hacker, he was very fat, and he bought himself a Cayenne with the stolen money, you know, a big white diesel Cayenne, cool, so, and he registered on a local forum, well, it was in the regions, Porsche Club, so, and he used his nickname there, in general, and he showed up there, and he wrote there that he was so big that when he climbed into this Cayenne, he wiped the steering wheel, that is, he wiped the steering wheel with his belly, so, and so, in general, they found him, so.
The arrest itself was not very cool, in general, I can say that participating in arrests, well, and in searches, is an excellent cure for cybercrime, because people who crawl and squeal over broken glass after a flash-bang grenade explodes, yes, and there are also dots flashing around from laser sights, now, this is an excellent sight.
Have you watched a movie with laser sights? Yes, yes, yes. We have a laser targeting unit in the Moscow SOBR, where I participated in the arrest. We entered through the door, true, but they entered through the window, and the man, who was just sleeping, they broke his window and detonated a flash-bang grenade, and he simply crawled over the fragments in horror, so, he went in, and he crawled towards us. He crawled to the door, to the exit, and they were already entering.
Here. And this picture, it shows perfectly why I wouldn't want to be on the dark side, for example, yes, although naturally, there, ten years of experience investigating all these things gives a huge store of knowledge, here, because there is always a risk that they will come for you like this.
Here, and here there were very different cases, here, basically they are quite tragic, yes, that is, there, knocking on your door under some pretext, there, that you flooded someone else, well, these are banal pretexts.
Pavlovich:
I had this happen, remove the boxes, the first time it was that I had flooded someone, in Ukraine, I say, but I live on the first floor. Well, really, yes, basically I always had this happen half-asleep. By the way, they often come at night, more often at night.
Nikitin:
Or how? Usually in the morning, usually in the morning. Well, early in the morning. Early in the morning. 5-6 there, yes. Even before everyone leaves for work. Usually it's early in the morning. Here. And the person opens the door, they barge in. That's it. But if you know that there is an experienced person there, let's say, who has already been detained, who is already prepared, they can enter through the window. That's it. Several times I suggested blowing up the interior wall, but it never worked out.
Sometimes they blow up the door, but it all depends on the determination of the heavy commander. That is, you need to understand that an investigator is involved in the investigative activities, he is the guy who initiates the case and leads it; operatives are involved, who generally help conduct the search; there is a group of heavy guys, guys with machine guns, with fers, with all sorts of special equipment; and in general, depending on what kind of villain is there, what is known about him, let's say that he is armed, there will be a different entry scenario. So, in general, there were very different options, but mostly they are tragic, that is, there will be people there, yes, they are crawling there in horror, so, they are in a state of shock.
But there were also all sorts of comical moments, of course. We detained one villain who specialized in skimmers, that is, he made overlays for ATMs himself, so, and when they came to him, he had an ATM on the balcony, it was just more convenient for him, he tried everything on it, yes-yes-yes, he had a huge number of cards, plastic and so on, like in Criminal Russia. And there was a moment, he had a laptop, an SD card was inserted into it, well, and a micro-SD card was inserted into the SD card, and so the laptop was standing next to him, he was sitting there, they put a bracelet on him, well, in front, so to speak, he was sitting, he was so quiet-quiet-quiet. Well, and I was just constantly watching this laptop, because, well, the search goes in order, and when it comes to the objects there I already sit down together with the witnesses and say, let's take a look, and so on. That's why I was looking at him all the time, and at some point I saw that he just quickly took out this card and was going to eat it, but the micro-SD is very small, well, I poked the operative and said, look what's happening, he broke it and took the card from him, he said, damn, like, they saw it, and so on and so on.
And the operative told me a story about how their villain ate this card. They didn't know what to do. But in fact, there will be nothing in his stomach.
He didn't break it, didn't chew it, he just swallowed it. They ran and bought him some kind of laxative, liquid, colorless, tasteless, odorless, they poured him some kind of horse dose, and literally less than 10 minutes later this SD card was already ready on the potty. But this accused, he then also, perhaps in truth, that is, fairly, wrote a complaint against them to the prosecutor general's office, because they gave him such a dose that he then in the temporary detention facility and in the pre-trial detention center took a shit for 4 days, couldn't stop.
That's it. It's kind of comical. There was one hacker, he even wrote a book about it, and such a pompous book.
Pavlovich:
Contagious, probably.
Nikitin:
There is a very pompous book there, from the series "How I Fought the Whole System" and "How Cool I Am", that's it. And he was already on the federal wanted list. What is federal, let's figure it out, is it all over Russia? All over Russia, yes. That is, they are looking for him in all regions, and he is in all the databases. That's it. He cannot buy, for example, a train ticket, tickets where necessary... There are even intercity buses where they sell only with a passport.
Pavlovich:
And the type of search above is, as far as I understand, interstate in the CIS countries, like the all-Union one used to be.
Nikitin:
Yes, and then international. Then it was international, that is, through Interpol, and in general, this hacker was exposed quite successfully, he did continue to communicate with his girlfriend, so they figured him out, but he had plastic surgery, his ears were sticking out and he made sure that they didn't stick out, that is, just like in the movies, plastic surgery and so on, so in general, he kept everything that was needed, all this dark material, on a micro-SD card, and he thought that if something happened, he would simply break it or destroy it and so on.
And he simply went out for bread, and they picked him up right on the street. And when they went up to him, he just had a laptop and the card lying next to him. Human factor. And when he saw it, he just turned pale, completely changed his colors several times, and he was just about to encrypt it or something else, but in general he didn't get around to it, and yes, everything got caught.
Can liquid nitrogen “freeze” RAM?
Pavlovich:
And have you read, there are such cases, when everything that is currently contained in the RAM is extracted. But if you reboot the computer, it is erased, so you can't turn it off.
Nikitin:
Yes, that’s right.
Pavlovich:
And I recently read a case where they cool the RAM with some kind of liquid nitrogen from a canister, so that at least some part, so that it doesn’t cool down so quickly, and some of the data can be extracted, even if in a broken form.
Nikitin:
Yes, it really works, that is, there is a kind of proof of concept of how it works, roughly speaking, your RAM consists of cells, yes, like an SSD, but when the power goes out, they start to demagnetize, well, in fact, these very zeros and ones disappear, but if we fill it with this liquid nitrogen, there will be superconductivity, and these electrons will not leave so quickly, and while it is frozen, the RAM can be put in another computer and quickly dumped. So it is real? This is real, but, it means, for those who don't know, liquid nitrogen is carried in special Dewar vessels, it's a huge thermos, it's very heavy, and in order to fill, say, the same laptop, you need a lot of liquid nitrogen, so, in general, if you see that some person comes into the entrance with a huge thermos, barely dragging it along, you can probably get worried, but this is more, like, a horror story, yes, because, well, in reality, dragging it along with you to a search, this is not very realistic.
That is, in laboratory conditions it works great and you can really extract everything, but it is the practical applicability that is difficult. Plus, let's say, here is a Mac, yes, here while you take it apart, while you fill this RAM with it, it is here, let's say... This is more for home computers, where the case... Yes, here it is generally soldered, that is, here it is impossible to plug it in anywhere at all. Well, that is, something like this.
Have there been cases of the court not accepting evidence due to procedural violations?
Pavlovich:
How many times have you encountered in practice that evidence, yes, seized there with some minor procedural violations, is not recognized by the court. I will simply explain why. I am from Belarus and there, for example, they confiscate my laptop without packing or sealing it at all, one department of the KGB confiscates it, after 16 hours it already appears in the documents of the Ministry of Internal Affairs, but it was not packed and sealed in the presence of me and the witnesses, one department confiscated it, and then it was transferred to another. And I write that this is a direct violation of the criminal procedure code, and no matter how much you want it, it cannot be evidence and serve as grounds for initiating a criminal case. In Russia, for example, but no matter how many complaints I personally and all my friends wrote, they were never satisfied. That is, it doesn’t matter that it’s with violations, you’ll sit in jail in any case, that’s how it is in Russia.
Nikitin:
In fact, there are examples when it fell apart in the courts, especially in the courts of higher instance, and that's why I say that it's important to involve specialists in such events, so that everything is correctly sealed, described, yes, that is, you can write the model incorrectly, mix up the model, serial number, and so on, and the model, let's say, everyone has the same numbers, well, that is, it's not a unique identifier, and in fact it happened directly, that is, I was called to court as an expert, yes, there, for my expertise, for example, or for inspection, or something else, it happened that some of the objects were directly excluded from the cases, well, and in fact in Russia, and what can I say, if we are talking about the Moscow region, Moscow and the region, police lawlessness does not occur at all, that is, everyone is very polite, everyone... Well, you are talking about computer matters specifically. Well, yes, well, it's like now, in fact, let's say, we are also involved in economic crimes, because we come to an office that is engaged in some kind of cashing out, there are 100 computers there... No, well, on the one hand.
Pavlovich:
Smart, and on the other hand smart, that's how I got into this department, it is clear that they did not beat me there, yes, they sat, drank, well, everything is on the level. That is, even they will lock you up there for an hour, but it's not cattle, they won't beat you with rifle butts, like now in Belarus, they just beat women, children, old people, he's crazy for power, he shot that dictator.
Nikitin:
Yes, and that's why the whole search goes pretty decently, and in my practice there has never been any brutality. There was one time when one admin was warned not to lie. Well, he lied and got a slap in the face, but he didn't even complain, in principle it was fair. Well, and in general everything happened nicely, and there's even a whole problem here, for example, with the same phones, yes, that is, if they are locked, not all of them can be unlocked so easily, well, and you need to find out the passcode in order to get in there, well, and no one tortures anyone there, yes, they don't beat out these passcodes, well, this is really a real problem for the operatives, it often happens, yes, that they don't find them out, because they don't use any force there, not in the pre-trial detention center when they are sitting, it doesn't matter, or right at the time of the search. Well, that's why, let's say, in the Moscow region, yes, there is a fairly soft police here, well, and that's why, indeed, if they screwed up, they can remove you from the case, they can scold everyone else, or the judge can exclude you right during the trial, that is, there are examples, there are such examples, yes.
Do you crack encrypted disks and is it possible?
Pavlovich:
And if we have already touched on passwords, for example, how do you crack, well, phones, of course, there are all sorts of devices there, Israeli-made and so on, they cost from 15 thousand dollars and up, let's say, and they crack any phones, but we will talk about this later, but I wonder, for example, how do you crack, and do you crack, cryptocontainer disks encrypted with the same VeraCrypt?
Nikitin:
VeraCrypt is a great example of strong encryption, if there is a strong password, nothing can be done with it, and in fact there is an example, not even ours, but the example of the NSA, who then detained a Mexican fraudster, it is just fraud, they confiscated his laptop, which at that time was encrypted with TrueCrypt, and they brute-forced it for seven years with all their powers and officially returned it to him, nothing, they could not break it, so if it really is some kind of strong container with strong encryption, nothing can be done with it, so the most important thing is that the password itself is strong.
Pavlovich:
Well, I once had, you know, how they opened my BestCrypt disks in Belarus, when I was arrested there for the first time, but I had the same password for one of the cryptocontainers as for the mail program called The Bat!, and I just had the same password in The Bat! as for one of the cryptocontainers, well, they got it from The Bat! with a simple utility, and accordingly they opened one of my cryptocontainers, but this happened literally within the first day after the arrest, but then they were able to get passwords for two more disks, and all only because the first part was unchanged, and they knew that then there was an underscore and some other characters were added there, that is, they already brute-forced the remaining part, and all this took them about 2-3 days, well, again, the human factor. Why did I have to set the same passwords for the mail there and for this one.
Nikitin:
Yes, this is precisely the question of resistance, that is, to be clear, there are utilities, and what do they allow: for example, you have some volume of a person's correspondence and generally all his data on the computer, you can compile a unique dictionary from them, and use this dictionary to conduct a brute-force attack, this is always done, naturally, that is, if, for example, a person sent a similar password or something else somewhere in the correspondence and so on, it doesn't matter where, that is, somewhere on the computer, all this data is used to pick up the password, therefore, naturally, any similar passwords, similar ones, are already weak.
Well, and I also have quite a lot of examples of successful brute-force attacks. I probably have about 15. In percentage terms, did you have 100 encrypted disks? Probably a third. Probably a third or even a quarter, less than a quarter - these are successful brute-force attacks. Well, well, basically there really is either some password, or a password based on a pattern, just when it is somehow made understandable.
So, yes, passwords are very important, that is, passwords for encryption should be super strong, but there was a funny example when the cops detained a guy there, and they are trying to find out his password, and he is not very adequate, and he says, I don't remember it, they say, well, like, good, he says, here, he says, on the cabinet, on his cabinet there were some substances, he says, I, he says, after these substances, he says, I myself cannot go there, like everything was completely knocked out, that's why it is desirable to have a password that you can really forget.
About methods of data protection and encryption
Pavlovich:
Look, right on the fly, I have been thinking about this for a long time, you just reminded me. I'm not sure, let's say, that I will withstand severe torture there, for example, and perhaps the pain that I or you or someone else will experience there seems stronger than the value of this data, accordingly, is it possible to set up such a system, for example, the same VeraCrypt, where there will be a dynamic password, for example, that's how I would do it wisely, yes, and simply, let's say you disappeared from the computer for a day, it is clear that something happened to you there, or something bad, well, most likely, it is unlikely that you got drunk, and is it possible to make it so that no matter how they torture you, you could not give the password even if you wanted to, but will you ever still be able to access it?
Nikitin:
There are three points here, first, there is such a thing as deniable encryption, you know how it works, the same TrueCrypt, I think VeraCrypt now allows you to do this. Let's say you have an encrypted container with Windows, in fact there are two Windows, and depending on which of the passwords you enter, you are given access to different systems. But this is one point. Yes, but, unfortunately, it is very difficult to deceive an expert here, because he will see simply by the occupied space, by the actual space used, that they match the container sizes.
That is, you can guess, yes, simply by entropy, that most likely this is not the real password. Yes, and again I will add here that an expert does not.
Pavlovich:
He will, like him, he will not be on your computer, well, most often, to crawl through all this and so on, he will simply remove your disk, connect it to his workstation, which, again, is sold, yes, and costs many thousands of dollars there, if we buy in America, and he will simply crawl through your file system, where he, well, yes, he will see something like that, that you have not one Windows there, but two, let's say.
Nikitin:
Here. The second point is that there are excellent hardware tokens. That is, in addition to VeraCrypt itself, in order to decrypt you need to enter not only the password, but also insert, let's say, a token. A flash drive. Yes, a flash drive or a token, I have come across such things. And in fact, not everyone can understand that this is a flash drive, and these are actually keys. That is, well, USB, there is a flash drive, there is nothing, and there are no files on it at all.
There will be no files on it. So, they can simply forget about it, yes, that is, this has also happened, and hardware tokens are generally a problem in this sense, because it can be broken, it can be thrown away and that's it, even if you say the password, nothing will come of it. Well, and finally, there is a third option, there is an encryption system, I don't remember if VeraCrypt can do this, where there is a password for destroying data. Here. So, you say the wrong password and it destroys it? Yes, and it destroys the data, but at the same time, perhaps, they will destroy your eye, for example, or something like that.
After that. Well, that is, this is hysterical, that is, we are talking about some extreme illegal methods, yes, if you are already being tortured, this is already something beyond the pale, well, then perhaps the people who are trying will be very upset when they realize that the data has been destroyed, with perhaps the most varied consequences. I just don't know what is worse.
Pavlovich:
In general, about 20 percent of passwords for encrypted cryptocontainers you opened, and most often this was due to the fact that you examined the person's correspondence and so on, and there were similar passwords somewhere, or you understood the general system for constructing his passwords.
Several stories of the arrest of real cybercriminals
Nikitin:
Yes. So, there was a case of a search of twin brothers, the Popelysh brothers, I can name them, because we have a press release on this matter. These are two twin brothers, they were engaged in fraud, specifically against individual clients of a bank, and they were convicted, that's it.
Pavlovich:
You say "convicted", and I immediately recognize a policeman in you, because a normal person does not say that. But everyone who is related to law enforcement agencies or the UIS, the penal enforcement system, says "convicted".
Nikitin:
Yes, yes, yes. And also "search" and all that. Well, you talk to them, and at some point... I myself am a complete civilian, that is, I got a job at Group-IB as a student and worked there, and I still work there. And at some point we had interacted so much with law enforcement; there wasn't that much of it, now we mostly deal with commercial orders,
but at first we closely helped law enforcement, and at some point I realized that I had learned to see cops in a crowd, that is, they are in civilian clothes, yes, and I know without fail that these are definitely some kind of police officers and so on. They were still militsiya officers at that time, before all these re-certifications. So such a skill was acquired. Well, and in fact, regarding "convicts" and so on, this is more the experience of speaking in court, yes, because the operatives never use such big words, that's it.
But in the courts there is this whole system, there is a state prosecutor, a lawyer, they use these terms, that's where they come from. I have appeared in court quite a lot on a variety of cases. So, with the Popelyshes there was an interesting thing: in general, special forces were breaking down their door, and they had a very strong door, and the special forces were afraid to blow it up, so they sawed it down; they sawed for probably three hours, and one of the brothers actually put the hard drive on a special electromagnetic gun, well, it simply demagnetizes it, yes, that is, they had a purchased electromagnetic gun, there is a whole installation... Another thing, now. No, by the way, it is even sold completely legally. On AliExpress. No, even by offices, legal entities in Russia that trade in them; they can even be built in, right: if you take a system unit, there is a drive cage, you can build it right under the cage, and there will be, let's say, another button on the system unit, that is, even a real industrial sample, not some kind of homemade one.
Look, they had a homemade one; we even conducted an investigative experiment showing that it really destroys disks, without any options at all, that is, the heads lie on the surface, well, in general, everything is bad there.
Pavlovich:
And how much time is needed for it to lie on it, let's say? 30-40 seconds.
Nikitin:
Yes, yes, yes. By the way, I can immediately dispel one myth about residual magnetization. In short, there is a myth that you can always recover data from a hard drive, even if it is broken, that you can read the tracks with an electron microscope and get the data. Well, the trick is that around 2010 the companies that produce disks switched to perpendicular recording technology. That is, roughly speaking, there are several layers of magnetization.
Because of this, if something happens to a disk now, it is impossible to make out the depth with an electron microscope and read it, whereas earlier it was linear, one depth here and another in depth there. And now, with recording densities of around 4 terabytes and so on, there is still crookedness, in short a mess, if something is deleted. The idea that data needs to be rewritten many times was connected with this: they thought that after a single rewrite residual magnetism remained, and that with an electron microscope you could immediately read the old data.
Now even according to the guidelines of some intelligence agencies in the USA, they say that if, as far as I remember, it is "for official use" (restricted), then it can be rewritten once, just once, and if it is secret or top secret, the disk must be destroyed in a blast furnace. Well, but I mean that a single rewrite is more than enough, unfortunately, nothing... Yes, now. On modern high-density disks.
And if the disk is badly damaged, it is almost impossible to read anything from it.
Pavlovich:
Well, we are talking about the fact that to delete data, simply deleting it to the trash bin or even emptying the trash bin is not enough. You need to use a program like BCWipe, well, by Jetico, BestCrypt Wipe, and all sorts of other wipers, which simply write some other information in place of your deleted information. And so you say once, now already...
Nikitin:
Yes, if you completely rewrite the disk once, then that's it, it is practically impossible to recover the data. Of course, this takes time. And wipers generally take a very long time to delete. Yes, it is not a fast process, but the fact is that they demagnetized the disk and apparently they just panicked; one of the brothers was taken right on the spot, and the second one remained on the other side of the door, and he just panicked, apparently, and he started flushing five-thousand-ruble bills down the toilet, some flash drives and so on, but he didn't know that there was a mesh in the sewer collector anyway, and it all got clogged up, and as a result, all this...
Pavlovich:
Well, the mesh is just a standard plumbing mesh.
Nikitin:
I remember very well, there was just a sea of five-thousand-ruble bills, all like that, all beaten down by the water. Here, there was another example, when we detained one fraudster, he was specifically responsible for cashing out; a completely normal apartment, the only thing is that he was unemployed and rented an apartment in Moscow for 100 thousand a month, but he just had a huge bag at home, where, as far as
I remember, there were something like 15 million rubles, 40 thousand dollars and 40 thousand euros, and he was like, yeah, I don't trust banks, I keep everything there, that's it, such a cheerful guy.
Pavlovich:
In short, the casher kept 300 thousand dollars, but in reality it's nothing, because these Zakharchenkos and the one who was arrested after him have hundreds of millions of dollars in cash; what are these unfortunate 300 thousand.
Nikitin:
Yes, yes, yes. And there was also a search in one bank, there was some bank that was cashing out, and it was so funny, we came to the office of the deputy chairman of this bank, who was in charge of all this, and he, I remember, also had a bag, there was something like 15 thousand dollars, 15 thousand euros, several different passports, and an Adidas tracksuit. And he also had a ticket with an open date, a ticket to
Pavlovich:
That is, there are such tickets where the date is not indicated, and you come to the airport, and if there is a seat, then you fly on any...
Nikitin:
Day or what? Some airlines offer such tickets for regular flights, that is, they are called open-date.
Pavlovich:
Well, that is if there is a seat on this flight, of course.
Nikitin:
Yes, probably yes, I don't know about that, but I saw such a ticket, and it's just funny; again, I just remembered about the bag. Well, well, something like that.
The most high-profile solved cybercrimes and hacker attacks
Pavlovich:
The most high-profile solved crimes, you said about this Popelysh?
Nikitin:
Well, the Popelyshes, with what went into that; there was also one called Paunch, yes, he's really cool, exactly as a tech guy: he wrote his own exploit kit, and this exploit kit was so famous that even Western intelligence agencies bought it from him so that they could use it.
Pavlovich:
Well, tell me, for ordinary viewers who have a poor understanding of technology, what an exploit kit is.
Nikitin:
Yes, an exploit kit is a set of programs that exploit vulnerabilities, for example in visitors' programs, and the trick is that he did not write a Trojan; he actually collected, wrote and compiled this set of exploitation programs, and he sold it as a service, that is, it was SaaS, yes, that is, he says: I can distribute any of your Trojans to anyone, just using my exploit kit. It's like a delivery tool, that is, it exploits visitors' vulnerabilities, and they upload any Trojan.
And this can even be on a schedule. One Trojan is uploaded during the day, another Trojan in the evening.
Pavlovich:
Well, by the way, it's quite convenient, because in the evening, for example, people download porn more often, yes. It's convenient to upload a banking Trojan during the day, because some financial people may go to online banking at work. In the evening, with porn, accordingly, you can upload a Trojan to turn the machine into a bot and then send spam through it, use it as a proxy.
Nikitin:
Yes, in general, he himself, as an entrepreneur, yes, opened a platform, introduced technical support, removed old exploits, made sure they were not detected by antiviruses and so on. Did he work for a long time? Long enough, probably about a year and a half, that's it. But he got in contact with the guys from the Carberp group, we also have a press release about them; it was a banking Trojan, the Carberp group, that stole money from legal entities and individuals. And they spread Carberp through his exploit kit, because of which he also became of interest to law enforcement and was detained.
There were several groups associated with Android Trojans. Probably the funniest of them was the group "Fifth Reich".
Pavlovich:
I think many of them are watching you now, because they wrote to me "ezon karber"; well, they didn't write, but the top brass knows, they are in touch, that means.
Nikitin:
The Fifth Reich: there was a very odious owner of this botnet, there is a photo of his arrest, he had an eagle laid out in the tiles of his bathroom, well, not one from fascist Germany, but they need to throw in some cool photos, and I think it is there, in my opinion it is even in the press releases; so, in general, he had an admin panel, the admin panel of this botnet was called "The Fifth Reich" and so on, well, there is something unusual here too.
Well, what else was so loud? There was the HotProd group, also banking Trojans, and, let's say, we investigated many incidents of the Lurk group; now, by the way, they are on trial, I don't know whether it's over or not yet, and the head of this group actively runs a Facebook page, well, he writes a lot of things there, well, interesting things.
Well, I was called three times to questioning via videoconference, because the trial is taking place in Yekaterinburg, but we did not detain the group, did not investigate it, Kaspersky did that; we specifically studied the victims, that is, we examined the computers of their victims, of which there were quite a lot all over Russia. They are also very cool guys, specifically in technical terms: firstly, they were the first to write Torrent for 64-bit systems, that is, this was a long time ago, when 64-bit Windows 7 was something new. Well, and they were the first to write their cool Trojan, Lurk. It allowed them to penetrate one client-bank system written in Java, and it allowed them to change the payment details in it on the fly.
And there was an example of what it looks like. A person, let's say a businessman, goes into his client-bank, makes payments, his money has been stolen, but the Trojan could recalculate the amounts, and he does not see this particular transaction. That is, he does not see malicious transactions. In the statements. Yes, yes, yes. And he says, my money was not stolen, what are you talking about, everything is fine on my computer. And the accountant tells him, I can't make payments, we have zero in the account.
He says, well, look, everything is fine with me. That's it. That is, the Trojan was intelligent, it knew how to recalculate all this and forge it. And then you explain to him, showing on another computer that in fact the money was stolen. I had an example where we went there with bank representatives, they call the bank and so on, and this CEO practically ran after the bankers with an axe, saying this can't be, I have my money here, it's all in place; that is, technically the Trojan was very cool. But at some point this group started stealing money from banks together with another group, Buhtrap; they accuse each other there, they drag in all sorts of things, well, on that Facebook, yes, that they were recruited, well, in general, all sorts of things, but it was precisely about how cool the Trojan was, and the group itself, this huge group, was detained, and they worked for a really long time, probably almost 5 years.
Are hackers attracted to cooperate with law enforcement agencies in Russia?
Pavlovich:
Do law enforcement agencies in Russia involve... well, it is clear that you may not know in most cases, but do they involve any hackers, current or former, in cooperation? Why I ask: because I am asked this question very often, and personally I do not have such acquaintances in my practice.
Well, let's say from Belarus, and I've never been offered this type of cooperation; how is it in Russia?
Nikitin:
Yes, I'll tell you. In fact, we don't hire, for example, former hackers to work for us, although we could have them in the department there for penetration testing and so on, for the reason that in most cases people who, especially on a large scale, well, stole money, their psychology simply changes, yes, they are not very ready to sit in an office and work, well, and here we are talking about their moral qualities. Well, okay, you have your reasons. I'm talking about the special services.
And with the special services, this is how it usually looks, yes, that is, how everyone imagines it: let's say, if we are talking about Russia, you will be put in intelligence, you will break into the Pentagon. Well, conditionally, conditionally. In fact, hackers are actively used, but mainly as agents, that is, as agents, as informants. That's it. Because in order to, for example, tell a hacker about some attack, say we need to hack some enemy government organizations,
you still need to tell him the background, you need to tell him top secret information, you need to trust him, yes, and this is impossible, well, they simply will not pass the special services' checks.
Pavlovich:
But the level of commercial hackers is probably higher,
Nikitin:
than those who work for the government? There are much higher ones, yes, that is, there are examples when it is much higher, although now we have all sorts of scientific companies, yes, well, and it is known that almost all large countries now have their own cyber intelligence units. The Americans regularly accuse us of being Russian hackers. Well, like the GRU, there, as if there were battalions there...
Pavlovich:
Well, that is, these are no longer myths, right?
Nikitin:
Well, no, these are not 100% myths, because I, for example, have personally come across Chinese Trojans, Chinese hacker groups that attack our enterprises, and I can practically see it even by the time when they start working; they have a different time zone there in China, they got up in the morning, formed up, dispersed, and that's it, they started working; it's clearly visible that it's Chinese time there. And that's why there are exactly the same accusations in relations between the USA and Russia, they accuse us. And, roughly speaking, they almost never attract precisely, well, precisely cybercriminals directly, that is, only as informants. There are also examples specifically about virus writers. I just always single out virus writers as a separate class, because very often they are normal programmers, even high-class ones, and they do not directly participate in fraud at all.
They wrote their own thing, sold it to three people, support it, but they themselves do nothing, do not steal, nothing like that.
Pavlovich:
Well, you know, there is such a legal boundary, I simply encountered it in my business and in America, but you know how it sounds: if you knew that it was used to steal money or to hack the Pentagon, then that's it, they'll come for you.
Nikitin:
No, from a legal point of view, everything is as you say, that is, they will be held accountable 100%; I mean that they are often not involved in this criminal process itself, but sometimes special services can buy some modules from them. So, there are examples when, for example, Russia is accused on the basis, let's say, that somewhere there is Cyrillic in some module of their malware, and the trick is that this module, perhaps, was bought on the darknet, or written for them to order on the darknet.
That is, pro-government hacker groups do not shy away from using any tools and can also buy them, or even outsource the writing, but they carry out the attacks themselves, naturally, independently, without involving, as a rule, any of the blackhats.
That is, as agents, as informants, without problems, even as consultants sometimes, yes-yes-yes, but not as real, directly active fighters.
On the purchase of "0-day" vulnerabilities
Pavlovich:
Well, in exactly the same way, American intelligence agencies, yes, and all sorts of former agents who have retired, you know what they do, well, I just know such people, both directly and through intermediaries: they simply buy up vulnerabilities all over the world for hundreds of thousands and millions, well, there are vulnerabilities for five hundred thousand dollars; they buy up vulnerabilities just for exploits for the American government.
Nikitin:
Yes, there are even entire companies that are officially engaged in buying up these vulnerabilities, there are even price lists; for example, now a full chain on iOS costs one and a half million dollars. What is a full chain? It means that you don't need to do anything, it's a full chain of all the viruses that are needed to infect a user, yes, that is, a person simply opens a page and there must be a full set of tools to get full access to his iPhone. One and a half million dollars.
One and a half million dollars, and for Android now it's a million dollars, also a full set, that is, they buy up not just a vulnerability, yes, but a ready-made toolkit; it's just that the vulnerabilities themselves are cheaper there, in my opinion, 500 thousand or something.
Are Russian-speaking hackers the best in the world and why?
Pavlovich:
Let this sound a little subjective, but in your opinion, are Russian hackers, among whom we include programmers, the best in the world?
Nikitin:
I would say that, as a rule, the media, the Americans and politicians use this term "Russian hackers" incorrectly. I can say that Russian-speaking hackers are definitely the best in the world as engineers, because simply from studying a huge amount of malicious code, ours really write and do it better than anyone else.
Pavlovich:
What do you attribute it to, that it is in the CIS? And I will tell you, it is more Russia, and they are wrong when they say Russia, because Belarus is also a little bit, because there are more carders in Ukraine, more scammers. But I personally know about 20 hackers in the world, yes, this is Chelyabinsk, then it is Syktyvkar, there is Scorpio, yes, Drinkman and his brothers, then I only
know one person who hacked the SEC there, this American stock exchange, and generally very large targets, from Ukraine; basically all top hackers, well, I know a few from Belarus, but basically out of these 20 people, 14 of them will be from Russia, that is why the media are probably right when they say "Russian", well, of course, like you and me, we live here, we understand that this is the entire CIS. But what do you attribute it to, how did it happen, yes, what exactly? Well, like Swiss watches, yes, we conventionally consider them the best in the world; why exactly this land, why Russian hackers, Russian-speaking ones, are the best in the world, in your opinion?
Nikitin:
Subjective view? Well, there are actually a number of reasons, the first of which is the excellent Soviet education, which they didn't have time to ruin, and hackers are mostly young people under 40, that is, they still received, well, maybe in the 90s, a school education, but all the same, it's still the remnants of Soviet education; this is the first, that is, an engineering education, I'm not saying that it's higher education, and most of the hackers that I know either have no education or an incomplete higher education.
And this, by the way, is not important at all, because they are mostly self-taught and so on. But the base, the school base, is excellent, and this is the first thing. Secondly, a huge number of these young people were unable to realize themselves, that is, many of them are from the regions. There are very few hackers from Moscow, and most of those I know, again, are from the regions, because they could not find a normal job there.
I remember we were detaining, well, my colleague was detaining a DDoSer near Irkutsk, that is, it was in Irkutsk, and there was another city near it, and there was a guy there who was doing DDoS, and he was earning quite well, tens of thousands of dollars a month, by local standards, I mean. So we came there, well, they came there, and there was this plump young man, very young, and he says, I have little choice: we either mine coal here, and I have asthma, he says, or pluck chickens at a poultry farm, and I have an allergy, he says.
That's why I was doing DDoS, that's it, but there is no other work in the city at all.
Pavlovich:
First, education; second, they were not realized, well, there is no opportunity for self-realization.
About punishment for cybercrimes in Russia: how it was before and how it is now?
Nikitin:
Yes, and leniency, leniency of punishment for crimes, that is, for a long time we had only these three computer articles, and if anyone does not know, the third article is not working at all, it is something like improper use of computers in a network; in general there are practically no cases under it, and it is not working. Only two articles work: the first is illegal access to legally protected computer information, and the second is the creation and distribution of viruses, programs or computer information and so on.
Pavlovich:
Is there anything in the Russian Criminal Code similar to the Belarusian Article 212, that is, theft using computer equipment?
Nikitin:
Now I will finish this, yes. Initially, there were these three articles, one of which was completely inoperative, so two; and there, if this is the first sentence, the first time, then there is almost always a suspended sentence, and the article itself related to fraud, 159, had no sub-clauses at all, and there was nothing about it, and there was a separate explanation from the Supreme Court about how to apply it, and that, for example, via DBO (remote banking) it is fraud, because in fact the villains seem to be abusing the bank's trust and so on, legal casuistry. But then amendments were made to the Criminal Code, and now we have Article 159.6, which is specifically fraud using computer equipment, and there is also a separate one, the fourth, I think, which is specifically about bank cards, and now they are judged on a combined basis, that is, there are computer articles, yes, exactly, but computer articles have long ceased to be an end in itself, that is, no one is interested in just illegal access, yes, for some reason; well, they are looking for money. Yes. And there is already the next article. And there you can already prove damage, but in fact, under Russian law, a million rubles is already an especially large amount. And this is awesome.
Pavlovich:
Well, in Belarus it is even less, there 10-12 thousand dollars; well, here it is 15 thousand.
Nikitin:
Yes, and it's fucking awesome, what a term there, that is, if there is also a proven computer article, they will be added up, and there you can even get 8 years for the first time, well, that's pretty harsh.
Pavlovich:
But with all this, you know, in Russia there has long been an expression from the old days, I don't remember which classic said it, that in Russia the severity of the laws is compensated by the non-obligation of their implementation. And I still see guys who, having stolen a million dollars, get five years.
Nikitin:
Suspended. Of course, there are examples, but that is weak legislation, yes. For example, we still have a huge number of cybercrimes which are singled out as separate offences all over the world, and here there are none at all. The same DDoS, the same spam and so on; and here it is very difficult: take DDoS, you need to prove that you have a botnet, these are already viruses, which will attack someone, which led to the blocking of information. Well, what should a DDoSer be judged for then?
No, what, from practice, how is he judged? He is judged under a combination of articles, that is, he is judged for distributing the bots with which he DDoSes, and he is judged for the fact that the bots blocked information on some resource, but all this is so complicated for lawyers, investigators and judges that in general, well, in court it looks very, very sluggish.
Pavlovich:
And what if he essentially rented a ready-made botnet from someone?
Nikitin:
I can tell you, there was even an example when a person was providing anti-DDoS protection, and one of his clients was a prostitution site, that is, brothels, individual girls, and he was tried for involvement in prostitution together with this group, because he was protecting them.
Pavlovich:
This is already going too far, of course.
Nikitin:
And he says, yes, anyone can buy my services from me, they just change the A record, yes, and that's it, I protect them, my IP appears there instead of theirs, and I just, I don't even know, he says, what these clients are doing.
Pavlovich:
Yes, I admit it, I use DDoS-Guard, and, of course, tomorrow I'll change it, and they won't see anything at all of what I changed there.
Nikitin:
Well, and that's why, well, there are absurdities, yes, there are absurd situations, but weak legislation. That's a minus. So that all participants in the process understand why they are being tried, how they are being tried. Even something banal. We have what's called malware. But there is no definition of what malware is. That is, the Criminal Code has an article on malware, but there are no criteria for harmfulness and no definition in the Criminal Code.
That's it. And it turns out that harmfulness is a legal concept. And an expert like me, a techie, cannot say that a program is malicious. I can say: look, the program does this, that and that, and only the court or the investigation can decide, yeah, we believe that these actions are malicious. I have an example from practice.
Pavlovich:
But on the other hand, in this case the yardstick, yes, you act like that, and it can be turned in this direction or that. The judge may also turn it back, because clear criteria are not spelled out.
Nikitin:
That's right, that's exactly what I'm talking about. That is, I, as an expert, always simply describe the functionality of the malware, I say, this is what it does. That's it. And then they decide what and how, and in the courts this has long been established practice, but this is always a problem, even for the defendants; they would like, well, some greater understanding in the process. That's it. And again, there are some curious examples, Time Machine, which we just talked about; I know an example of one court decision where Time Machine was accepted, recognized as a malicious program.
And I'll tell you how it happened. The admin set up Time Machine on the boss's computer, and Time Machine was dumping backups onto a Time Capsule, and he was stealing them from there. And it turns out that Time Machine acted as a Trojan, because the boss did not know that these backups were being made, and the court recognized Time Machine as malicious in this particular case.
Because it's not just the program itself that's important, but also how and for what it was used, all these legal circumstances.
Pavlovich:
It's good that we're doing this so that more talented Russian guys don't end up behind bars, and we get to know them as the creators of Google.
To be continued...