CyberCop: how the Russian system for hunting cybercriminals works

Although development is not yet complete, the system has already helped find and capture two major cybercrime groups that stole more than 60 million rubles using malware. The high-profile arrests of members of these gangs in the spring of last year were the result of search operations that made active use of information extracted by the Group-IB system.

At the end of last year, Group-IB, a resident of the Skolkovo innovation center, won a grant of 30 million rubles to develop CyberCop, a global cybercrime-fighting system with elements of artificial intelligence. This week the company will officially unveil one of its key modules. Ahead of the launch, company CEO Ilya Sachkov told RIA Novosti how intelligent search, analysis of correlations between disparate data, and botnet monitoring technology help catch cybercriminals and reduce fraud.

On the wall of Sachkov's office hangs a poster with the characters of Quentin Tarantino's cult film "Pulp Fiction." Black-and-white Vincent Vega and Jules Winnfield look at Sachkov sternly and, perhaps, reproachfully. Naturally: they are criminals, and Sachkov is someone who helps fight criminals.

How effective this fight is can be judged from circumstantial evidence: on cybercriminal forums, Sachkov and Group-IB are now called almost the main enemies of hackers. Over the years of its existence the company has investigated and responded to many computer incidents, and has made many enemies.

For more than ten years, while helping law enforcement catch hackers and earning its living by investigating information-security incidents, Group-IB has in parallel been developing CyberCop, a global information system that aggregates information on cybercrimes of various kinds in real time.

The system, unique for the Russian market, consists of three main functional components: Bot-Trek, a monitoring module that tracks the emergence of new botnets and extracts the data of compromised customers of financial institutions; Antipiracy, which tracks everything related to intellectual-property infringement and illegal use of brands; and a separate database of cybercriminals and the operational data connected with them, called Cybercrime Monitor.

This sprawling complex began with a simple search engine.

The urgent need to search

Around 2003, when members of the company's analytical division were faced with the need to process huge volumes of information from different sources, far beyond what a human can take in, the need arose to automate data processing. At first, employees tried to make do with built-in Windows tools, creating shared folders into which data from the different participants in an investigation was placed. This, however, was inconvenient.

"A simple example: we have a case that needs to be investigated. And in the case we have, say, an ICQ number or an IP address. We need to see whether this information appears in other materials. That was when we realized we had to somehow automate these procedures," says the Group-IB CEO.

Employees wrote a search engine that allowed a file to be uploaded to a database, searched, and checked for intersections with the information in files previously loaded into the database. Initially the system could only signal that an intersection had been found, without detailing its nature. Later Group-IB improved the algorithm: the system learned to isolate the header of a message, recognize e-mail addresses and classify them as sender or recipient, and pick out IP addresses, web pages, the times e-mails were sent and received, phone numbers and other data that could help an investigation.

"Around 2004 we added visualization of events. For example, if we are talking about correspondence between two objects, the system clearly shows the link between them. Later, when social networks became widespread, we taught it to pull data from there: if the parties to the correspondence are also friends on social networks, the system displays that," says Sachkov.
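The cross-file intersection search described above, as an added example that is not Group-IB's code: it extracts the indicator types the text names (e-mail addresses, IP addresses, URLs, ICQ numbers, phone numbers) from a few constructed case documents with regular expressions, builds an inverted index, and reports which documents, and which cases, share an indicator. The file names, the documents and the regular expressions are all assumptions for illustration.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed "case files" standing in for documents loaded into the database:
# an e-mail header dump, a chat log and a provider abuse report. Not real data.
CASE_FILES = {
    "case-17/email-header.txt": (
        "From: vasya@example.org\n"
        "To: victim@bank.example\n"
        "Received: from [203.0.113.45] by mx.bank.example; Mon, 3 Mar 2008 10:15:02 +0300\n"
    ),
    "case-17/chat.txt": (
        "[10:20] vasya: my icq is 123456789, ping me\n"
        "[10:21] vasya: shell is at http://panel.example.net/admin\n"
    ),
    "case-42/abuse-report.txt": (
        "Flood traffic observed from 203.0.113.45 and 198.51.100.7 towards shop.example\n"
        "Contact of the owner: ICQ 123456789, phone +7 495 123-45-67\n"
    ),
}

# One pattern per indicator type the article lists (assumed, deliberately simple).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"),
    "url": re.compile(r"https?://[^\s'\"<>]+"),
    "icq": re.compile(r"(?i)\bicq(?:\s+is)?\s*#?\s*(\d{5,10})\b"),
    "phone": re.compile(r"\+\d[\d\s()-]{7,}\d"),
}


def extract_indicators(text):
    """Return the set of (type, value) pairs found in one document."""
    found = set()
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if pattern.groups else m.group(0)
            if kind == "ipv4" and any(int(o) > 255 for o in value.split(".")):
                continue  # looks like an address but is not one
            if kind == "phone":
                value = re.sub(r"[\s()-]", "", value)  # keep only '+' and digits
            found.add((kind, value.lower()))
    return found


def build_index(files):
    """Inverted index: indicator -> set of documents that mention it."""
    index = defaultdict(set)
    for name, text in files.items():
        for indicator in extract_indicators(text):
            index[indicator].add(name)
    return index


def intersections(files):
    """Pairs of documents that share at least one indicator, with the shared
    indicators: the 'does this ICQ number or IP appear elsewhere?' question."""
    links = defaultdict(set)
    for indicator, docs in build_index(files).items():
        for a, b in combinations(sorted(docs), 2):
            links[(a, b)].add(indicator)
    return dict(links)


def case_links(files):
    """Collapse document-level links to case-level links (case = first path component)."""
    out = defaultdict(set)
    for (a, b), indicators in intersections(files).items():
        ca, cb = a.split("/")[0], b.split("/")[0]
        if ca != cb:
            out[tuple(sorted((ca, cb)))] |= indicators
    return dict(out)


if __name__ == "__main__":
    for pair, shared in case_links(CASE_FILES).items():
        print(pair, "linked by", sorted(shared))
```

The point is in `case_links`: two unrelated cases become one investigation the moment an ICQ number from a chat log in one shows up in an abuse report in the other. Real documents need looser patterns and normalisation (obfuscated addresses, national phone formats), which is exactly the "later improved algorithm" the text mentions.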

Fighting DDoS attacks

From around 2006, DDoS attacks on the websites of online stores and companies became increasingly common. In response, the system gained functionality for analyzing the specific information associated with such attacks: logs and traffic signatures, arrays of IP addresses and other data that the providers who registered an attack, and its victims, could supply.

In addition, by that time Group-IB had its own network of computers that simulated the presence of vulnerabilities in order to lure cybercriminals (a "honeynet"). Criminals infected these computers with malware, and Group-IB employees, who had access to the lure machines, could see which commands arrived at an infected machine and from which IP addresses those commands were issued. Individually, these data said little about an attack and its organizers, but after comparative analysis the picture became clearer.

"To see clearly which botnet is attacking which site, ideally you need access to its control panel, which is not always possible to obtain. However, by analyzing the nature of the attack from a variety of sources, we were able to determine the source of the attack and its scale even without access to the control panel," Sachkov explains.
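An added example (not Group-IB's code) of the multi-source correlation Sachkov describes: it parses a constructed excerpt of a victim's web-server access log, finds the onset of the flood, matches it against the commands that constructed lure hosts in a honeynet received shortly before, and reports the attack's scale and the C2 address that ordered it without any access to the botnet's control panel. The log format (Apache combined), the bot command syntax, all addresses and the thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache combined-style access-log line: client IP, timestamp, request, status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_log_line(line):
    """Return (timestamp, client_ip, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group(1), m.group(3)


# --- constructed data (not a real incident) ---------------------------------
_T0 = datetime.fromisoformat("2008-05-12T14:00:00+03:00")


def _line(ts, ip, path="/"):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.0" 200 512'


BOTS = [f"203.0.113.{n}" for n in range(21, 29)]   # eight infected machines
LURE_HOSTS = {"203.0.113.27", "203.0.113.28"}       # two of them are our honeynet lures
VICTIM_LOG = (
    # normal traffic: one request every 20 s in the five minutes before the attack
    [_line(_T0 - timedelta(minutes=5) + timedelta(seconds=20 * i), ("192.0.2.10", "192.0.2.11")[i % 2])
     for i in range(15)]
    # flood from 14:00:30: every bot sends one request per second for 60 s
    + [_line(_T0 + timedelta(seconds=30 + s), bot, f"/?q={s}") for s in range(60) for bot in BOTS]
)
# Commands our lure hosts received: (time seen, C2 address, lure host, command).
HONEYNET_COMMANDS = [
    ("2008-05-12T09:30:00+03:00", "198.51.100.77", "203.0.113.27", "!update http://198.51.100.77/b.exe"),
    ("2008-05-12T13:58:40+03:00", "198.51.100.20", "203.0.113.27", "!ddos http shop.example 80 120"),
    ("2008-05-12T13:58:41+03:00", "198.51.100.20", "203.0.113.28", "!ddos http shop.example 80 120"),
    ("2008-05-12T13:59:10+03:00", "198.51.100.33", "203.0.113.28", "!ddos syn other.example 443 60"),
]


def flood_onset(events, bin_seconds=10, threshold=30):
    """Earliest bin_seconds-wide bucket whose request count reaches threshold."""
    counts = Counter()
    for ts, _, _ in events:
        counts[ts.replace(second=ts.second - ts.second % bin_seconds, microsecond=0)] += 1
    for bucket in sorted(counts):
        if counts[bucket] >= threshold:
            return bucket
    return None


def attribute_c2(onset, victim_host, commands, lookback=timedelta(minutes=5)):
    """C2 addresses that ordered a DDoS on victim_host within lookback before the onset."""
    hits = set()
    for seen, c2, _lure, cmd in commands:
        parts = cmd.split()
        if parts[0] == "!ddos" and victim_host in parts \
                and onset - lookback <= datetime.fromisoformat(seen) <= onset:
            hits.add(c2)
    return hits


def attack_scale(events, onset, lure_hosts):
    """Distinct attacking sources, peak requests/second and which of our lures took part."""
    attacking = [(ts, ip) for ts, ip, _ in events if ts >= onset]
    sources = {ip for _, ip in attacking}
    per_second = Counter(ts.replace(microsecond=0) for ts, _ in attacking)
    return {
        "distinct_sources": len(sources),
        "peak_rps": max(per_second.values(), default=0),
        "lure_hosts_seen": sorted(sources & set(lure_hosts)),
    }


def analyse(log_lines, commands, victim_host, lure_hosts):
    """Tie the victim's log to the honeynet view: onset, scale, and the ordering C2."""
    events = [e for e in map(parse_log_line, log_lines) if e]
    onset = flood_onset(events)
    if onset is None:
        return {"onset": None}
    result = attack_scale(events, onset, lure_hosts)
    result["onset"] = onset
    result["c2"] = attribute_c2(onset, victim_host, commands)
    return result


if __name__ == "__main__":
    print(analyse(VICTIM_LOG, HONEYNET_COMMANDS, "shop.example", LURE_HOSTS))
```

Two independent observations carry the attribution: the C2 at 198.51.100.20 named the victim in a command 110 seconds before the flood, and two of the flooding addresses are our own lure hosts that received that command. A lure that shows up in the victim's log is what turns "some botnet" into "this botnet"; the other `!ddos` command is ignored because it names a different target.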

In parallel, a variety of forensic systems appeared on the market that allow important forensic information to be extracted from an image of a computer or hard drive, analysis of which helps to understand how an incident occurred. Group-IB taught its system to analyze that information too. From then on, CyberCop began to take the shape of today's extensive system for investigating cybercrime.

Analyzing the hacker underground

With each new cybersecurity incident, Group-IB came to appreciate the importance of analytical work. Behind every attack there are real people who planned it and discussed the details of its execution at various venues, mainly public and private forums.

"Then we decided to create a module that would collect information about the advertisements that appeared on hacker forums, the nicknames of the participants and other data that surfaced there," says Sachkov.

However, simply running a search "spider" over a forum collects only the information that is published on it. The data most critical to an investigation is available only to the owners of such resources: for example, the data a forum member (and potential cybercriminal) enters when registering, or the contents of correspondence in the built-in private messaging system. Therefore, in addition to the module for collecting information from hacker forums, Group-IB created several "fake" internet resources of its own, including closed and paid ones.

"In the fight against cybercrime this is normal practice. A few years ago the FBI openly stated that it had run several such forums for several years. If you seriously want to investigate cybercrimes, you cannot do without such tools," says Sachkov.

Usually on "live" hacker forums, especially the closed ones where real cybercrimes are discussed and planned, only a few dozen people are active. This made fairly accurate analysis and classification of specific members of such forums possible.

"At first the system simply scanned the forum threads and collected information about what happens on them. After collection, the system analyzes the advertisements and messages of each participant, matches them with network aliases, and as a result produces a kind of "profile" of each alleged cybercriminal: what kind of hacking he specializes in, how often he publishes announcements, writes comments and so on. If information slips out on some forum about who is behind a particular alias, the system "files" that data in the user's "dossier" and flags it as requiring additional investigation," says Sachkov.

Over time the system learned to recognize when one and the same person was hiding behind different network aliases on different forums, by analyzing overlaps in the data people enter when registering on forums, as well as by drawing other parallels between members of different forums. But for an even more ambitious analysis, one function was still lacking.
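The alias-linking step, as an added example that is not Group-IB's code: constructed forum registration records are clustered with a union-find over the strong identifiers they share (e-mail, ICQ, Jabber), and nicknames reused across forums without any shared strong identifier are flagged for additional investigation rather than merged, which is the "requiring additional investigation" mark from the quote above. The forums, nicknames and identifiers are invented.

```python
from collections import defaultdict

# Constructed registration records scraped from (or owned on) several forums:
# (forum, nickname, attributes entered at registration). Not real people.
REGISTRATIONS = [
    ("forum-a", "d4rk", {"email": "d4rk@mail.example", "icq": "123456789"}),
    ("forum-b", "darkstar", {"email": "other@mail.example", "icq": "123456789", "jabber": "ds@jab.example"}),
    ("forum-c", "ds_2008", {"jabber": "DS@jab.example"}),
    ("forum-c", "d4rk", {"email": "someone@else.example"}),   # same nick, nothing else shared
    ("forum-a", "cashout_pro", {"icq": "555000111"}),
    ("forum-b", "cashout_pro", {"icq": "555000111"}),
]
STRONG = ("email", "icq", "jabber")   # identifiers assumed strong enough to merge on


class UnionFind:
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def _norm(kind, value):
    return (kind, value.strip().lower())


def link_aliases(registrations, strong=STRONG):
    """Cluster registrations that share a strong identifier, transitively
    (A shares an ICQ with B, B shares a Jabber ID with C => A, B, C are one person)."""
    uf = UnionFind(len(registrations))
    first_seen = {}
    for i, (_, _, attrs) in enumerate(registrations):
        for kind in strong:
            if kind in attrs:
                key = _norm(kind, attrs[kind])
                if key in first_seen:
                    uf.union(first_seen[key], i)
                else:
                    first_seen[key] = i
    groups = defaultdict(list)
    for i in range(len(registrations)):
        groups[uf.find(i)].append(i)
    clusters = []
    for members in groups.values():
        identifiers = set()
        for i in members:
            identifiers |= {_norm(k, v) for k, v in registrations[i][2].items() if k in strong}
        clusters.append({
            "members": sorted((registrations[i][0], registrations[i][1]) for i in members),
            "identifiers": identifiers,
        })
    return sorted(clusters, key=lambda c: c["members"])


def weak_links(registrations, clusters):
    """Nicknames reused across forums but not tied by any strong identifier:
    worth a look, not proof of identity. Returns nick -> cluster indices."""
    owner = {}
    for ci, cluster in enumerate(clusters):
        for forum, nick in cluster["members"]:
            owner[(forum, nick)] = ci
    by_nick = defaultdict(set)
    for forum, nick, _ in registrations:
        by_nick[nick.lower()].add(owner[(forum, nick)])
    return {nick: sorted(cs) for nick, cs in by_nick.items() if len(cs) > 1}


if __name__ == "__main__":
    clusters = link_aliases(REGISTRATIONS)
    for c in clusters:
        print(c["members"], sorted(c["identifiers"]))
    print("needs review:", weak_links(REGISTRATIONS, clusters))
```

Transitivity is what makes this useful: `d4rk` on forum-a and `ds_2008` on forum-c share nothing directly, yet both end up in one cluster through `darkstar`. The same property is also the main risk, since one shared throwaway identifier (a public ICQ number pasted into several profiles) will merge unrelated people, so the identifier set of each cluster is returned for an analyst to sanity-check.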


Although the information gathered on forums provides a lot of forensic evidence about who, where, when and at what price offers various illegal services, the value of these data in isolation from the information gathered by other modules was relatively low. Therefore, in 2007 the developers had to "teach" their search engine to correlate information obtained from hacker forums with information obtained in the course of past investigations, and with the module created for analyzing botnets and DDoS attacks.

"It really helped the investigations, because we began to see connections between specific incidents, details of which we had received from our customers and partners, and the events taking place on the forums we scan. It became clear what the groups were and which public cases they had been involved in," says Ilya Sachkov.

Even allowing for the fact that most of the information loaded into the system's database is in the public domain, its analysis reveals non-obvious connections between the people involved in cybercrime cases.

"The system gives law enforcement agencies a kind of hint: who else could be questioned about a particular incident, what information to request from which operator, and so on. It does not solve the crime, but it creates a rough map with all the main suspects," says the expert.

Attacks on banks

The ability to compare data from different modules arrived in CyberCop at the right time: from about 2009, attacks on e-banking systems became widespread. Malicious programs created specifically to attack Russian internet-banking and e-banking systems appeared on the black market. Tens of millions of rubles flowed from the accounts of large and small companies into the accounts of cybercriminals. RDPDoor, Carberp, Shiz and other names of banking Trojans appeared ever more often in the media and in antivirus companies' reports. In general, hackers were no longer perceived as talented troublemakers. Their actions came to be seen as real crimes, and the ability CyberCop gives law enforcement to identify who is behind a given incident came in handy.

"With the advent of specialized malware we created another module, Malware Data Base, into which all the information about new versions of these programs is loaded: where they were obtained from, and how they correlate with the data in our other databases," says Sachkov.

The new module added an important detail to the "map" of crimes: information about the tools criminals used to commit them. These data help investigators qualify incidents of cyber activity as criminal offenses in the IT sphere and bring a case under the relevant articles of the Criminal Code.

At the same time it became necessary to record cases of theft: how much money was stolen, from which company, to which bank it was transferred and where it was cashed out. Collecting, organizing and analyzing all this information became a necessity.

Some of the information on such incidents Group-IB could obtain with the help of the system's existing modules. In particular, the module for analyzing the botnets used in DDoS attacks proved very useful, since the cybercrime groups in the business of bank embezzlement use the same kind of botnets to distribute malware and control infected computers, as well as for denial-of-service attacks. Another part of the information could be obtained from the victims of theft who turned to Group-IB for help. But the lion's share of the data needed to build a picture of such crimes sits on the servers of the banks through which the stolen money passes.

To obtain this information, the company created an additional module, FraudMonitor.

According to Sachkov, Group-IB now works with about 60 Russian banks, some of which have agreed to feed information about embezzlement into FraudMonitor. As a result, the database has acquired a regularly updated blacklist of "droppers": accounts into which cybercriminals move stolen money for subsequent cashing out.

"The blacklist is already bringing real benefits: if a bank has access to it and sees an attempt to transfer money to a compromised account, it can prevent the theft by freezing the operation," Sachkov gives as an example.

According to the Group-IB CEO, the system has already helped prevent thefts in the thousands, and this figure can grow further as the number of banks supplying data to FraudMonitor increases.

The ideal system

CyberCop is almost ready for full deployment. With the money received from Skolkovo, Group-IB expects to complete development of the system within the next year.


According to Sachkov, ideally the system should be a fully functional tool for investigating and preventing cybercrime for any professional working in the field.

"Ideally it should be a tool for officers of the MUR [Moscow Criminal Investigation Department], the security services of banks and other organizations that have encountered cybercrime," says Sachkov.

The company plans to launch the system in parts. This week Group-IB will present its botnet monitoring system, Bot-Trek, at the largest security conference in the United States, RSA Conference 2013. In the near future the company will also officially unveil another part of CyberCop, the ThreatCenter service, which will allow real-time tracking of DDoS attacks and viewing of lists of infected sites and other information gathered by the company's search and analysis system. Subsequently, the other components of CyberCop will be brought "online" one after another.
