Vitaly Kamluk, Chief Malware Expert from Kaspersky Lab, talks to Russia Direct about the latest cybersecurity threats and their surprising origin.

Cyberattacks: Who is to blame? Photo: Reuters

Where do cybersecurity threats come from? How have they evolved? What role do private companies play in providing global cybersecurity? Will the U.S. and Russia succeed in their collaboration to deal with cyberterrorism? Vitaly Kamluk, Chief Malware Expert from Kaspersky Lab, discusses these questions with Russia Direct and sheds light on the activity of cybercriminals.

Russia Direct: What are the main and most widespread cyberthreats currently being encountered by governments, organizations and multinational corporations?

Vitaly Kamluk: I think we need to take a broader view of this issue and talk about information threats. There are threats such as the insider attack, where an employee can extract information from a computer network and then make it publicly available or sell it to someone (and sometimes he can do it unwittingly, just by not following simple rules for information security). That’s a kind of internal espionage.

This happens regularly, but on a low scale. Insider attacks are now widespread, but not so widely reported [in the media], and unfortunately, the names of the companies and victims are not always disclosed. It can be several years before this kind of leak is discovered.

RD: What examples of insider attacks can you give us?

V.K.: I don’t want to get into politics, but we must mention the case everyone knows about, involving [former CIA agent Edward] Snowden – he carried out exactly this kind of attack. But that’s a notorious case – smaller events can happen in businesses, but people try not to let the story get out, because this kind of information has a negative effect on their reputation.

RD: Let’s turn to cyberthreats now…

V.K.: As far as cyberthreats are concerned, in our view the most dangerous ones are targeted attacks, attempts to carry out espionage, to steal intellectual property and secret information. This is linked to the use of malware programs and the deliberate penetration of the computer networks of organizations.

This kind of attack is often aimed not just at a single victim but also at a large number of them. The people launching the attack are interested in lots of organizations, not just one. These are whole campaigns of cyberattacks directed at organizations in particular industries.

RD: The examples are fairly well known – we’re talking about Stuxnet, Red October, MiniDuke. But what about how these cyber threats have evolved, say over the last five years?

V.K.: Yes, the ones you’ve named are the most famous and most prominent cyberattacks. As for the way these threats have evolved, the attackers have become more careful.

If we take the beginning of the Stuxnet cyberattack as our starting point, this virus was the most extensively distributed worm. It spread rapidly and out of control, causing damage to thousands of computers that were not even earmarked for cyberattacks.

The developers of Stuxnet realized this mistake at some point, and their later developments, such as Duqu, did not spread independently but were controlled, enabling them to remain a tool for espionage.

It’s also worth noting that these targeted attacks are gradually becoming more pinpoint and imperceptible. These days they are more like pinpricks at a specific point, so as not to create any unusual noise that might be noticed by the security service or by investigators.

In the past, malicious programs would infect files in a particular format and remove all the files from the victim’s computer. Nowadays this kind of tactic doesn’t work, because it attracts a lot of attention: It creates an unusual volume of network traffic and might be noticed.

Attackers now operate more accurately and work on each victim individually. If they infect a computer, they’ll find exactly the documents they want on that computer and download them.


Average Internet users: Targets for highly skilled cyberattack professionals. Photo: Reuters

RD: To what extent can cyberattacks affect the interests of ordinary citizens, and how serious can the consequences be for them if they don’t use the Internet properly?

V.K.: It’s worth mentioning that the average user isn’t worried about the security of their operating systems, because they assume that they’re not likely to be of interest to any highly skilled cyberattack professional.

This is a naïve assumption because intruders can use any computer software and system that has any capacity and that is also hooked up to the Internet. They will definitely find ways to do this, for example by using the potential victim as a cover and using their computer as a proxy.

RD: You mean they get the user into trouble?

V.K.: Yes, if the police start to investigate a particular incident, what can this mean for an ordinary person who falls prey to a cyberattack? Their computer and all their digital equipment can be impounded, including memory sticks, phones and smartphones.

RD: What are the challenges currently facing companies providing cybersecurity, such as Kaspersky Lab?

V.K.: We originally specialized in countering malicious programs that affected a large number of computers. Now we’re dealing with targeted attacks.

The first sort – viruses and Trojan horse programs – quickly found their way into our laboratory, and they still do, but targeted attacks come to our attention with more of a delay, if at all.

This is one of the most complex and difficult challenges for antivirus companies today: In order to effectively protect our clients, we need to have the opportunity to work on similar attacks. We’re working on this right now.

Tackling targeted cyberattacks is one of the most serious challenges for antivirus companies. Photo: ITAR-TASS

RD: That’s why the countries that are in the lead in terms of spreading malicious programs are the ones that are most active in taking steps to counter such programs. For example, Russia, the U.S. and the Netherlands alone, according to your lab’s data, are home to almost 60 percent of all malicious hosts.

V.K.: The criminals that engage in targeted attacks generally don’t use just one or two servers: They often use a string of servers, some of which might be located in the U.S. and Holland, while the rest might be in Asia, and then might move from Asia to somewhere else, for example to Australia.

And so, following the chain of servers to the end is one of the most difficult problems for investigators and for the police. This can lead to difficulties in relations between states and can make it impossible to ask another state for information about a specific computer operating in that state. And when that information and access is gained, it appears that this is yet another cover… Therefore there’s no point in naively assuming that there’s some IP address located in Holland and that that’s where the culprit’s main resources are located.

RD: What criteria do hackers normally use to select the countries that they will subject to a cyberattack?

V.K.: First, we have to be specific about which hackers we’re dealing with today. We usually identify three groups: the traditional cybercriminals, the hacktivists, and state-sponsored cyberespionage and cyber weapons. Each group has its own aims and tools.

In the first case, cyber criminals, as a rule, select countries in which the Internet and e-commerce are highly developed and where bankcards are widely used for online purchases. They’re interested in making money by illegal means.

As for the hacktivists, they often choose countries where they can provoke socio-political changes. Their aim is to bring some information to the general public, to make a protest. This kind of hacking will figure in regions and sectors where new prohibitions and restrictions emerge that affect freedom of expression and people’s private lives.

Finally, cyberespionage is generally found in places where there is conflict between states or regions. Frictions and differences in the political realm are reflected in cyberspace.


Infographic by Natalia Milkhailenko. Source: Internet World Stats / United Nations / International Telecommunication Union / Kaspersky Lab

RD: The U.S. and Russia recently agreed to set up a joint presidential commission on cybersecurity. How effective can this cooperation be?

V.K.: In my view, it will be quite difficult to cooperate in this area without the private sector.

The question of cybersecurity hinges on expert knowledge. The state has particular security services and personnel, of course, but it’s private companies that run into these issues on a daily basis. We’re the first to see new threats.

When agreements on cybersecurity are made between states, this should be done with the involvement of organizations that work in this field every day. Then it will be effective.

RD: Which countries are the main sources of cyberthreats?

V.K.: If we estimate the number of cyberthreats, and this could be the statistics for new malicious programs that we encounter on a daily basis, the following picture emerges: In first place is China, followed by countries in Latin America, and then Russia and Eastern Europe.

In terms of quality of attacks, the situation is a bit different: The Russian and Ukrainian hackers – the Eastern European hackers – are more successful and organized, and their tools are more advanced. Recent reports talk about several Russian-Ukrainian groups that have been hacking into various retail trade and banking networks, with thefts of more than 130 million cards reported. This is beyond the dreams of criminals in China and Latin America.

RD: Who poses more of a threat in cyberspace today – solo hackers, private companies, underground criminal organizations or states?

V.K.: Organised groups that find each other through the Internet and go into partnership to undertake joint hacking and thefts are the most successful in this sense.

They divide up their roles, as we saw in the case of the Russian and Ukrainian hackers that were arrested. According to official information from the U.S. Department of Justice, one of them did the actual hacking, one looked for valuable data, and someone else sold this data on the black market. Solo hackers cannot achieve this.

In principle private companies don’t do this. In any case, cyberattacks come from illegal groups, and they can’t be called a legitimate business.

In our view, states don’t create a large number of cyberthreats. They’re more involved in working on cyberespionage programs. These are individual computer programs that specialize in targeted attacks and are not mass-produced.

Vitaly Kamluk is Chief Malware Expert, Russian Global Research & Analysis Team, Kaspersky Lab. He joined Kaspersky Lab in 2005 as an Infrastructure Services Developer for the Antivirus Lab. In 2008, he was appointed to the position of Senior Antivirus Expert before becoming Director of the EEMEA Research Center in 2009. In 2010, Vitaly worked in Japan as a Chief Malware Expert, leading a group of local researchers. He specializes in threats focusing on global network infrastructures, malware reverse engineering and cybercrime investigations.