Group-IB

Type: Private
Industry: IT security
Founded: 2003
Founder: Ilya Sachkov
Headquarters: Moscow, Russia
Area served: Global
Website: group-ib.com

Group-IB is an international company specializing in the prevention and investigation of cybercrime. The company is known for its early cyber threat prevention system, which uses threat intelligence data to protect against cyber-attacks, theft and fraud.

According to the analyst firm Gartner, the company is one of the largest global threat intelligence providers.[1] According to Business Insider, Group-IB is one of the 7 most influential cyber security companies, alongside FireEye, Palo Alto Networks and Kaspersky Lab.[2] The company's head office is located in Moscow.

History

Group-IB was founded in 2003 by a group of students of Bauman Moscow State Technical University, headed by Ilya Konstantinovich Sachkov. They operated as an agency investigating cyber-attacks. The company was involved in investigating the first DDoS attacks in Russia, money thefts using mobile phone viruses and targeted attacks on banks. Group-IB participates in international operations, including the pursuit of criminals who committed attacks in the CIS.[3]

In 2010 the Computer Forensics and Malware Research Lab was created within Group-IB.[4]

In 2011 the company opened the first Russian CERT, the Computer Emergency Response Team CERT-GIB.[5] Having obtained 'competent organization' status from the Coordination Center for TLD RU, the administrator of the national .RU and .РФ domains,[6] the company began developing services to counter intellectual property offences. Group-IB protected the branding and tickets of the Sochi 2014 Winter Olympic Games,[7] blocked pirate links to Sony Pictures, CTC and Amedia TV shows and films, and blocked fraudulent websites that used the branding of popular banks and payment systems.[8]

Since 2012 Group-IB has been developing its early cyber threat prevention system. The system includes the Group-IB Intelligence Service, which is listed in Gartner's report on the threat intelligence market alongside solutions by IBM, FireEye, RSA and Check Point.[9] In 2015 RUSSOFT rated Group-IB as one of the largest software companies in Russia.[10]

In 2015 the Rostec State Corporation invited Group-IB to build a CERT for protecting high-security facilities.[11] The company also consults for the "Samruk-Kazyna" National Welfare Fund (Kazakhstan). Since 2007 Group-IB has been cooperating with Microsoft, whose Russian representative has called the company's specialists "the country's leading experts in cybercrime".[12]

Group-IB is a resident of the Skolkovo IT cluster. The company also has an office in Innopolis, a science town.

Owners and leadership

In 2010 LETA Group, an investment and management company in information technology, acquired 50% of Group-IB's assets. In 2013 Group-IB management bought out LETA Group's share.[13]

In mid-2016 the Russian-founded funds Altera Capital and Run Capital each bought a 10 percent stake in Group-IB.[14]

According to the company's announcement, Group-IB will use these investments to develop products and create R&D hubs in the Middle East, Southeast Asia and Latin America, as well as to hire local forensic specialists and improve sales performance in the American, European and Asian markets.[15]

International cooperation

Group-IB is an official partner of Europol. The agreement was signed on June 17, 2015 in The Hague.[16] The company is a member of the European Cybercrime Centre, Europol's cybercrime department.[17]

Since 2013 Group-IB and CERT-GIB have been members of the International Multilateral Partnership Against Cyber Threats, a professional cyber security association supported by the UN.

CERT-GIB is an accredited member of Trusted Introducer, an international professional association, and a member of FIRST, the largest association of incident response teams, which enables it to exchange information with CERTs in 78 countries and block malware websites worldwide.[18]

Group-IB is a member of OWASP, the largest community of experts in security analysis and web application security auditing. The company works on OWASP's SCADA Security Project, which researches the security of industrial control systems.[19]

The company is a member of the OASIS international consortium, which develops information exchange standards. GIB Intelligence data is delivered in STIX/TAXII, the standardized threat data exchange formats developed by OASIS.[20]

In 2016 Group-IB signed an MoU with the business cluster of one of the largest technical universities in Thailand, King Mongkut's Institute of Technology Ladkrabang, to promote the early cyber threat prevention system on the Thai market and to carry out joint projects in the field of cyber security.[21]

Technologies

According to Gartner's assessment, "participation in investigating major hi-tech crimes enables Group-IB to receive exclusive information on cyber offenders, their relations and other types of intelligence".[22] In addition to investigation and forensic materials, this unique information is obtained through a hi-tech infrastructure for retrieving threat data, including:

Early warning system

The GIB Intelligence service supplies customer-specific information for security strategy planning, time-sensitive decisions and the tuning of protection tools. It buys time for incident prevention: it allows the theft of client and employee credentials to be discovered promptly, changes in the tactics and tools of criminal groups potentially interested in a company to be tracked, and threats to be prioritized based on expert forecasts.[23]

TDS is a hardware and software appliance that prevents infections and the exploitation of vulnerabilities in corporate networks. TDS sensors track suspicious activity in a corporate network, while CERT-GIB experts identify critical threats, immediately inform the information security service and help stop an incident from developing. TDS Polygon runs suspicious files downloaded by users or received by mail in an isolated environment and produces an objective verdict on how harmful they are, based on a classifier built through machine learning.[24]

Secure Bank removes "blind spots" in online payment security by detecting signs of infection, remote control of a client's machine, or credentials being compromised during authorization. Secure Portal prevents unauthorized access to personal accounts, personal data and web users' bonus accounts, and counters various fraud scenarios, from the use of bots to the display of competitors' offers on a portal site.[25]

Awards and prizes

In 2012 Group-IB received the Company of the Year prize in the "Telecom, IT" sector. In late 2013 the company received the "Runet Prize" in the "Safe Runet" category for "investigation and prevention of cybercrimes threatening the society's stable development".[26]

In 2015 a joint project by Group-IB and Aviasales, the "Authentic Ticket" service, which lets a buyer check that a ticket seller is reliable before buying an air ticket online, was shortlisted for the "Runet Prize".[27]

In 2015 the company's founder Ilya Sachkov won the special "Business Internet Choice" category at the Russian stage of the EY Entrepreneur of the Year award.[28]

In 2016 the company's founder Ilya Sachkov was listed in the Forbes "30 Under 30" as one of the most promising young entrepreneurs.[29]

In 2016 Ilya Sachkov won the "IT for Business" nomination of the international EY "Entrepreneur of the Year 2016" competition in Russia.[30]

Threats discovered by Group-IB

Cobalt: logic attacks on ATMs

In July 2016 a group of young men in masks simultaneously attacked 34 ATMs of First Bank, one of the largest banks in Taiwan, taking 83.27 million Taiwan dollars (over USD 2 million).[31] The ATM bodies were intact, bore no traces of any attached devices, and the offenders did not even use cards. CCTV records showed that a person would approach an ATM, make a call from his mobile phone, and then simply take the banknotes that the dispenser issued automatically. In September similar attacks occurred in Europe.

Group-IB experts were the first to identify the attack mechanism used by the Cobalt criminal group.[32] The published investigation "Logic attacks at ATMs" gives a detailed analysis of the attacks.[33]

To penetrate a bank's internal network, Cobalt sent the banks individual emails with malware attachments. The phishing emails were sent on behalf of the European Central Bank, the ATM manufacturer Wincor Nixdorf or regional banks. Once the offenders had gained control over a bank's local network, they searched for the segments from which the ATM controls could be reached. Having gained access to them, the group uploaded malware that controlled cash dispensing to the unit.

Corkow

In its report "Attacks at brokers and settlements systems", published in February 2016, Group-IB described the first ever attack on a broker that led to abnormal volatility on currency exchange markets.

The Corkow criminal group, having gained access to a trading terminal of Energobank (Kazan) with the help of malware, placed orders to buy and sell currency worth over USD 400 million.[34] This resulted in a 15% plunge of the ruble against the US dollar on the Moscow Exchange. The bank suffered a loss of 244 million rubles.[35]

Buhtrap

In March 2016 Group-IB published a report on the Buhtrap criminal group, which from August 2015 to February 2016 robbed several Russian banks of approximately 1.8 billion rubles.[36] The attacks' high effectiveness came from targeted phishing mailings (including some purportedly from the Russian Central Bank), which the offenders used to penetrate corporate networks.

The offenders gained access to the Automated Workplace of a Bank of Russia Client (АРМ КБР) and made fraudulent payments on behalf of a bank. The scheme described in Group-IB's report was also used for thefts through SWIFT.[37]

Buhtrap was the first criminal group to use network worms to infect a bank's entire infrastructure. Completely cleansing a network required simultaneously turning off all infected computers, since the worm could regain full control over the network even if a single workstation was left on.[38]

Anunak / Carbanak

In late 2014 Group-IB, together with the Dutch company Fox-IT, released a report on the Anunak (aka Carbanak) hacker group, which had stolen approximately 1 billion rubles through targeted attacks whose victims included over 50 Russian banks. In Europe Anunak attacked the POS terminals of some large retail chains, compromising the personal data of several million customers.[39] After the report's release the group ceased its activity.[40]

ATM-reverse

In autumn 2015 Group-IB reported a new type of targeted attack, the ATM-reverse method of stealing cash from ATMs. An offender would have a bank issue him a non-personalized card, deposit a small amount of money through an ATM and withdraw it immediately. He would send a copy of the receipt to an accomplice who had access to infected POS terminals, mostly outside Russia. Using the transaction code on the receipt, the accomplice would generate a cancellation command, which in the POS terminal looked like a sale return. As a result of the cancellation the card's balance was restored to what it had been before, and the cash was again available for withdrawal. The offenders repeated this scheme until the ATM had no cash left.

Five large Russian banks suffered from ATM-reverse, losing 250 million rubles in total. The banks prevented further thefts by developing and implementing protective systems together with Visa and MasterCard.[41]
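The scheme described above depends on the card issuer accepting a "sale return" that references a transaction which was never a POS sale. The following added example is not from the article, from Group-IB, or from any bank or card network; it is a constructed, issuer-side reconciliation check that replays a small ledger for one card twice, once accepting every reversal and once refusing reversals whose referenced transaction is not a POS sale at the same terminal. All transaction ids, terminal names, field names and amounts are constructed for the illustration.

```python
"""Reconcile POS reversals against the transactions they claim to cancel.

Illustrative issuer-side logic, not any bank's or card network's real system.
Amounts are integers in minor units; all sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Txn:
    txn_id: str
    kind: str                  # "atm_deposit" | "atm_withdrawal" | "pos_sale" | "pos_return"
    card: str
    amount: int                # positive magnitude in minor units
    terminal: str              # terminal identifier (constructed)
    ref: Optional[str] = None  # pos_return only: id of the transaction being cancelled


@dataclass
class Outcome:
    balance: int
    dispensed: int                                # cash actually handed out by ATMs
    rejected: list = field(default_factory=list)  # (txn_id, [reasons])


def reversal_reasons(rev: Txn, ledger: dict, already_reversed: set) -> list:
    """Reasons to refuse a POS reversal; an empty list means it reconciles cleanly."""
    orig = ledger.get(rev.ref or "")
    if orig is None:
        return ["references an unknown transaction"]
    reasons = []
    if orig.kind != "pos_sale":
        # This is the ATM-reverse signature: a "sale return" of an ATM withdrawal.
        reasons.append(f"referenced transaction is {orig.kind}, not a POS sale")
    if orig.terminal != rev.terminal:
        reasons.append("reversal terminal differs from original terminal")
    if orig.card != rev.card:
        reasons.append("card mismatch")
    if rev.amount > orig.amount:
        reasons.append("reversal amount exceeds original")
    if orig.txn_id in already_reversed:
        reasons.append("original transaction already reversed")
    return reasons


def run_ledger(txns, guarded: bool) -> Outcome:
    """Replay the ledger for one card.

    guarded=False credits every reversal it is told about (the behaviour the
    scheme relies on); guarded=True consults reversal_reasons() first.
    """
    ledger, reversed_ids = {}, set()
    out = Outcome(balance=0, dispensed=0)
    for t in txns:
        if t.kind == "atm_deposit":
            out.balance += t.amount
        elif t.kind in ("atm_withdrawal", "pos_sale"):
            if t.amount > out.balance:
                out.rejected.append((t.txn_id, ["insufficient funds"]))
                continue
            out.balance -= t.amount
            if t.kind == "atm_withdrawal":
                out.dispensed += t.amount
        elif t.kind == "pos_return":
            reasons = reversal_reasons(t, ledger, reversed_ids) if guarded else []
            if reasons:
                out.rejected.append((t.txn_id, reasons))
                continue
            out.balance += t.amount
            reversed_ids.add(t.ref)
        ledger[t.txn_id] = t
    return out


# Constructed sample: one card, 100000 minor units = 1000 rubles.
SAMPLE = [
    Txn("T1", "atm_deposit",    "card-A", 100000, "ATM-RU-01"),
    Txn("T2", "pos_sale",       "card-A",   5000, "POS-RU-02"),
    Txn("T3", "pos_return",     "card-A",   5000, "POS-RU-02", ref="T2"),  # genuine return
    Txn("T4", "atm_withdrawal", "card-A", 100000, "ATM-RU-01"),
    # ATM-reverse step: a POS terminal abroad "returns" the ATM withdrawal
    Txn("T5", "pos_return",     "card-A", 100000, "POS-EU-17", ref="T4"),
    Txn("T6", "atm_withdrawal", "card-A", 100000, "ATM-RU-01"),  # second withdrawal
]

if __name__ == "__main__":
    for guarded in (False, True):
        o = run_ledger(SAMPLE, guarded=guarded)
        print(f"guarded={guarded}: dispensed={o.dispensed} balance={o.balance}")
        for txn_id, why in o.rejected:
            print(f"  rejected {txn_id}: {'; '.join(why)}")
```

Replaying the unguarded ledger dispenses the deposit twice, which is the loss the scheme produces; the guarded replay refuses T5 with two independent reasons (the referenced transaction is an ATM withdrawal, and the terminal differs) and then declines the second withdrawal for insufficient funds, while the genuine return T3 still reconciles. The transaction-kind check and the same-terminal check are deliberately separate, so that either one alone would catch the case.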

ISIS cyber attacks on Russian resources

In March 2015 Group-IB released a research report titled "ISIS' attacks at organizations in the Russian Federation", which reported attempted intrusions by Islamic State hackers. Most often they would deface a website by posting images and videos with propaganda content. Not only government institutions, banks and popular Internet resources were targeted, but also art galleries and schools. According to the company's experts, this chaotic choice of targets was explained by the massive scale of the attacks and the need to gain experience and learn the specifics of the Russian segment of the Web.

The investigation established responsibility for the attacks not only on the part of the ISIS hacker team Cyber Caliphate but also of three other groups, over 40 persons in total: Team System Dz, FallaGa Team and Global Islamic Caliphate.[42]

Public investigations

Exploits — Blackhole (Paunch)

In autumn 2013 Group-IB assisted in catching the creator of the Blackhole exploit kit, which was responsible for up to 40% of virus infections worldwide. In April 2016 Dmitry Fiodorov (aka Paunch) was sentenced to a 7-year term.[43]

Carberp, Germes, Hodprot

In 2012, after a joint investigation by the FSB, the Russian Interior Ministry, Sberbank and Group-IB, members of a criminal group who had stolen over $250 million from corporate and individual accounts were caught. Over two years the hackers had planted the Carberp virus on over 1.5 million computers, and over 100 banks worldwide suffered from their actions.

Group-IB brought its partners from the Netherlands and Canada into the investigation; with their help it was possible to expose the entire criminal chain, including the group's leader, who controlled a botnet, the "pourers" who conducted the fraudulent transactions, and the "drops" who were directly involved in cashing out the stolen money.[44] As a result all members of the group were caught, for the first time in the history of Russian law enforcement. The group's organizers were sentenced to five- and eight-year terms.[45]

The same year, members of other criminal groups who used modified versions of the Carberp malware to attack individuals and corporations were also caught. In summer 2012 a hacker known as Germes or Arashi, creator of the world's largest botnet of approximately 6 million machines, was arrested.[46] Soon afterwards seven members of the Hodprot team, who had stolen over 120 million rubles, were arrested.[47] Although the Hodprot botnet servers were located in the Netherlands, Germany, France and the US, all members of the group were arrested.[48]

Attacks using Android-Trojans — 5th Reich, WapLook

In April 2015 Division K of the Russian Interior Ministry, with assistance from Group-IB and Sberbank, arrested members of a criminal group that had infected over 340 thousand Android devices in order to steal money from bank cards linked to telephone numbers. The culprits called their malware 5th Reich and used Nazi symbols in its control panel.[49]

The hackers distributed their malware through SMS messages containing a download link disguised as Adobe Flash Player. The Trojan let the offenders intercept all incoming SMS from a bank and confirm transfers from a victim's account to the hackers' account without the victim's knowledge.

This scheme was similar to the WapLook method of the first criminal group in Russia to use mobile phone malware to attack individuals. The group's organizer was arrested in September 2014 with Group-IB's assistance.[50]

Phishing – the Popelysh brothers

With Group-IB's assistance the Popelysh twin brothers from St. Petersburg were arrested; for four years they had stolen money from VTB Bank clients who used online banking platforms, by intercepting clients' credentials with a fake bank webpage. This case was the first prosecution in Russian history of criminals who used phishing schemes.[51]

References

  1. https://www.gartner.com/doc/2874317/market-guide-security-threat-intelligence
  2. http://uk.businessinsider.com/7-important-cybersecurity-companies-2015-5?op=1
  3. http://interfax.az/view/536477
  4. https://esquire.ru/cyber
  5. http://www.securitylab.ru/news/409008.php
  6. https://cctld.ru/ru/activities/competent/
  7. http://club.cnews.ru/blogs/entry/import_groupib_i_orgkomitet_sochi_2014_soobshchayut_ob_uspeshnoj_zashchite_olimpijskoj_simvoliki_i_biletnoj_produktsii_v_internete__070f
  8. http://www.cnews.ru/news/line/qiwi_i_groupib_obedinili_usiliya_dlya
  9. https://www.gartner.com/doc/2874317/market-guide-security-threat-intelligence
  10. http://www.russoft.ru/tops/2733
  11. http://rostec.ru/news/4515349
  12. http://www.forbes.ru/kompanii/internet-telekom-i-media/249833-kriminalisty-iz-interneta-kak-ustroeno-glavnoe-v-rossii-kib
  13. Group-IB management buys out LETA Group’s share, 05 November 2013
  14. http://runcapital.vc/en/
  15. (in Russian) https://vc.ru/n/group-invest
  16. https://www.europol.europa.eu/latest_news/europol-signs-agreement-group-ib-cooperate-fighting-cybercrime
  17. https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3/ec3-programme-board
  18. https://www.first.org/members/teams/cert-gib
  19. https://www.bytemag.ru/articles/detail.php?ID=21826
  20. https://wiki.oasis-open.org/cti/Products
  21. http://www.mxphone.net/250716-kmitl-group-ib-it/
  22. https://www.gartner.com/doc/2874119/competitive-landscape-threat-intelligence-services
  23. http://www.ixbt.com/news/soft/index.shtml?18/34/85
  24. https://www.anti-malware.ru/analytics/Market_Analysis/protection-market-against-targeted-attacks-review
  25. http://www.group-ib.com/secure_bank.html
  26. http://ko.ru/articles/24485
  27. http://www.therunet.com/news/5117-stali-izvestny-nominanty-premii-runeta-2015
  28. https://award2015.bfm.ru/
  29. http://www.forbes.com/30-under-30-2016/enterprise-tech/#ccb431a50230
  30. https://www.bfm.ru/news/340112
  31. http://www.ibtimes.co.uk/thai-bank-shuts-down-half-its-atms-after-eastern-european-cyber-gang-heist-1577806
  32. https://www.reuters.com/article/us-cyber-banks-atms-idUSKBN13G24Q?il=0
  33. http://www.group-ib.ru/cobalt.html
  34. http://www.rbc.ru/finances/08/02/2016/56b89bab9a7947474f91de83?from=main
  35. http://www.bloomberg.com/news/articles/2016-02-08/russian-hackers-moved-currency-rate-with-malware-group-ib-says
  36. https://www.vedomosti.ru/finance/articles/2016/03/18/634123-hakeri-rossiiskih-bankov
  37. http://www.bloomberg.com/news/articles/2016-03-17/new-russian-hacker-cell-hit-13-banks-since-august-group-ib-says
  38. http://www.group-ib.ru/buhtrap-report.html
  39. http://www.forbes.ru/tekhnologii/internet-i-svyaz/276227-brat-po-krupnomu-kak-odna-gruppirovka-khakerov-ograbila-bolee-50
  40. http://report2015.group-ib.ru/
  41. http://www.rbc.ru/finances/18/11/2015/564b66cc9a79475f244b3f49
  42. http://izvestia.ru/news/593291
  43. http://www.infosecurity-magazine.com/news/blackholes-paunch-sentenced-to-7/
  44. http://interfax.az/view/536477
  45. http://www.securityweek.com/russian-authorities-claim-capture-mastermind-behind-carberp-banking-trojan
  46. https://news.mail.ru/incident/9362274/
  47. https://www.gazeta.ru/social/2012/06/04/4612137.shtml
  48. http://hitech.newsru.com/article/05Jun2012/carberp
  49. http://ren.tv/novosti/2015-04-13/kiber-fashisty-iz-chelyabinskoy-oblasti-ispolzovali-virus-5-reyh
  50. http://report2015.group-ib.ru/
  51. https://ria.ru/incidents/20121221/915789715.html
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.