Cybersecurity expert Kirill Kruglov of Kaspersky Lab talks about the new realities of the malware market. The modern black market for implants (programs that are injected into devices during a cyberattack) offers malware for rent that can be customized for specific tasks simply by ticking the right boxes. If the software doesn't work, tech support will help the malicious actors understand the reasons and resolve them. This is precisely why, in the absence of proper cybersecurity measures in an enterprise, anyone with a third-grade education can attempt to gain access to an industrial organization's network. Kirill Kruglov, Senior Researcher-Developer at Kaspersky Lab, shared these and other insights with "Gazeta.Ru."
— Is it clear where cyberattacks on Russian industrial enterprises originate? From which continent or country?
— We assume with a high degree of probability that, in addition to Africa and Europe, where cybercriminals involved in mass campaigns operate, there are persistent groups based in the Asian region. We can't specify the countries, as we must bear in mind false flags, when groups from one country intentionally use the attributes of groups from another country or region to cover their tracks. Therefore, we can only name the region.
— How does the typical chain of a cyberattack on a Russian industrial enterprise usually start?
— There can be many scenarios, and they are often universal for enterprises worldwide. An attack can be motivated by a political decision or arise due to unfair competition. A company may also be targeted because there is a high likelihood it will pay if its infrastructure is encrypted. It's also possible that an archive with logins and passwords to systems in this organization was sold on the internet. Thus, by purchasing affordable access to a large number of computers within the enterprise, malicious actors may decide at this stage that they will attack it.
— If logins and passwords are being sold, does it mean that someone has already attacked the company?
— You might be surprised, but it often happens that cybercriminals decide to hack an organization "from scratch." Large organizations, including industrial ones, are often subjected to attacks every day. Such attacks are usually aimed at collecting a small amount of data. We have interesting research on this: the data collected by cybercriminals mainly consists of access information, logins, and passwords, as well as key files. They collect them on a large scale by hacking thousands of different organizations and industrial enterprises. This is done to later sell them on various platforms or through brokers (intermediaries) for $2, $8, or $25.
However, if the company's name is quite well-known, one pair of keys can cost $100 or even $150.
— How many potential buyers are there?
— We can't count them. However, we can count the goods. Judging by the trading platforms we've managed to discover over the past two years, there are tens of thousands of compromised systems available for sale right here and right now. On average, hundreds of new accounts are added within a day. That's why every industrial enterprise needs protection.
— Let's say the first stage is complete: someone has bought data from a Russian industrial company, such as a list of employee addresses. What happens next?
— The information obtained is used by malicious actors in different ways. They may start sending phishing emails. Not just once, but every day, sending an email in the hope that a user, upon receiving it, will open an attachment or click on a link inside the email, thereby downloading malicious software that provides remote access to the attacker. With remote access, regardless of which computer in the organization it leads to, the attacker can start reconnaissance, gather information, find out where the systems of greatest interest to him are located, and systematically move toward those systems, step by step.