ICC 2019, Moscow: attacks of all shapes and sizes

The International Cybersecurity Congress (ICC), hosted by Sberbank in Moscow on 20-21 June, opened its doors for its second year, and many of the overarching topics were clearly a continuation of what was discussed last year.

Kaspersky Lab and Sberbank’s subsidiary, Bi.Zone, told FinTech Futures last year that access to tools which facilitate criminal activities were surprisingly easy to obtain and have led to the creation of the modern-day petty criminal.

The plenary panel, which included personalities like Russia’s deputy Prime Minister, Maxim Akimov, and Sberbank’s CEO, Herman Gref, discussed the shocking statistic that profiles the average cybercriminal at a male under 20 years old, or often underage.

This is not exactly true when we look at statistics. Bi.Zone’s 2019 yearly cybersecurity report estimates that only 10% of criminals are that young.

Another example: a popular attack vector in the past few years has been the DarkVishnya, a method that allows the criminal to access a targeted network through a physical connection – which they can explore and exploit to reach financial transactions.

This type of attack presented a massive challenge throughout 2017 and 2018 for cybersecurity experts. On average, access to tools that made it possible required under $40 dollars – a very low entry threshold.

This is why cyber-attacks do not show signs of slowing down their numbers. What’s more, while petty criminals abound, those with much deeper pockets and more refined skills don’t run short either.

Timur Biyachuev, VP threat research at Kaspersky Lab, points out that zero-day tools are purchasable on the black market. These have a very high price and require high qualifications to be deployed efficiently. Much to our demise, there are attackers with both.

The Lazarus group is a good example. It is suspected to have ties with the North Korean government, and is allegedly responsible for Operation AppleJesus, an attack on a crypto exchange that infiltrated Mac users’ systems.

The heist on the Bank of Bangladesh in 2016, purportedly pulled off by this group, could have led to stolen funds of nearly ten times what they managed to steal, were it not for a spelling error by one of the hackers.

Unfortunately, miscreants are less likely to make mistakes than victims do. 80% of successful crimes were executed through social engineering. By the end of 2018, 83% of this type of method consisted in impersonating somebody via a phone call, and the victim was tricked into voluntarily transferring money.

Luckily enough, the number of criminals seeking human damage is very scarce. Virtually all of them seek financial profits, and there is little cyber spying activity, says Biyachuev.

As they are only motivated by money, financial institutions are a prime target. Russia reports over four billion attacks to its financial companies throughout 2018. Out of these, an increasing vector is by installing malware in internal applications embedded in companies’ workflow, which often go hidden under that software’s manufacturer.

Overall, this paints a dismaying picture on our digital future. It might look hard to keep so many vectors of attack in check, and with an evolving tech landscape, these are only going to get more creative.

Nevertheless, companies and governments have the resources, capabilities, and ambitions to develop technology and legislation that would allow nearly all of these attacks get thwarted. But like a team of colourful superheroes, they can only achieve great things by working together, which often does require the strongest wills.