The stealthiest malware and mystery words in the code: Kaspersky describes hackers’ records

Kaspersky Lab chief specialist Sergey Golovanov sorts through hackers’ records


– Sergey, how many people does the largest hacker group consist of and what is its name?

– As far as is known, it is Lurk, a Russian group; it was and still remains the largest in history to date. But both its organizer and its members are already in prison. The criminals were arrested in 2016, and the investigation and trial went on for another five years. The participants were brought to court by the busload. The criminal case ran to 4,000 volumes (one volume is 250 pages). I took part in the case as an expert witness.

– How many people were in this group?

– About two hundred people were arrested all over the country. Some of them were found guilty under Article 210 of the Criminal Code of the Russian Federation, which covers organizing a criminal organization. I remember a video of them being flown out of their home regions for trial on a Ministry of Emergencies plane. Some were taken to Moscow, others to Yekaterinburg, where the trial was held.

– Can Lurk be considered the largest group in the world?

– It depends on how you count. Yes, if we are talking about a group run from a single centre. But there are groups like Anonymous that run into the thousands. Those are individualists loosely attached to some kind of formation, without a clear structure, a clear hierarchy or a clear leader.

– And in Lurk, Konstantin Kozlovsky was the leader to whom these 200 people directly reported?

– Yes. And he received a record sentence: 14 years in a strict-regime penal colony. That is a very severe punishment for a crime committed in the high-tech sphere.

– If I asked you, as Kaspersky Lab’s chief expert, to rate Konstantin Kozlovsky as a professional, could we say he is an extraordinary figure?

– If we talk about the main malware, the Lurk malware, it was truly phenomenal for its time. Most importantly, it left almost no traces on the computer, which is how it got the name Lurk, meaning “hidden” in English.

That is, when the Lurk hackers accessed compromised computers and performed some unauthorized action on them, for example transferring funds from accounts, it was very hard to find traces of it afterwards. Security experts who took such a compromised computer for analysis had little evidence of the malware to work with.

In that sense, it was an “extraordinary program”. It was also, I can say with authority, very well written. So if we are talking about records, Konstantin Kozlovsky is definitely a record holder.

– You mentioned a long trial of hackers, but have there been quick ones?

– Yes. We had a case where, from the moment the crime was committed (an information leak) to the gavel coming down with the word “Guilty!”, three months passed. Why? Because the man pleaded guilty and received a suspended sentence. That is another record. But I can’t say any more, because the case was not public.

– The Lurk program, like any other, consists of a certain number of lines of code. And what is the shortest malware called?

– The shortest malware still in use today is the web shell. These are programs for websites, and they are the shortest. This type of malware is often used to compromise web servers. A hidden file of this kind provides unauthorized access to the website. They can weigh in at around 10 bytes.

As far as I remember, the shortest malware that can exist weighs a couple of bytes, that is, sixteen zeros and ones. Its function is to start an infinite loop.

– And the longest malware?

– There are giants. Stuxnet comes to mind immediately. I don’t know whether it is the biggest, but it is definitely one of the biggest in terms of code. It is more than a megabyte and is packed in a special way. The malware’s functionality was also huge.

– What did this program do?

– Blow up factories. It altered the readings of industrial equipment: centrifuges, pressure sensors, frequency sensors and so on. The program spread all over the world, causing tens of thousands of infections.

– How long would it take to write such a program?

– A few years, I would guess. It doesn’t matter how many specialists are involved; building it would take at least a year, working 24/7.

– On the Internet there is a theory that Stuxnet was a special development by the Israeli and US intelligence agencies against Iran’s nuclear programme. Does that look plausible?

– There is such an opinion. We can neither confirm nor deny it, but such an opinion exists.

– Tell us about the longest time from the moment malware got onto a computer to the moment it started working. What is the record here?

– That record is constantly being updated. This winter I had an incident at a certain company in which an attacker stole passwords and documents from a computer. We started investigating and realized that the malware had got onto the computer back in 2005. Eighteen years passed from the moment it entered the computer network to the hacker receiving the documents.

– Why did this happen from your point of view?

– Our assumption was that he was in prison the whole time. And then he activated the implant.

Such long attacks are usually organized with the help of implants. Special malicious code is planted in the system that “sleeps”, neither seen nor heard. The attacker needs to keep extending this “hibernation” period. That is, he first sets the implant to “sleep” for a week, then a month, then a year, then two years. And so it reaches 18 years.

– And conversely, are there champions in terms of attack speed?

– Usually the champions there are ransomware attackers. It can all happen in just 25 minutes.

– Oh, so it doesn’t happen instantly, in a second?

– Well, let’s imagine it. The attacker remotely broke into a company’s computer, looked around, went out for a cigarette, poured himself some tea, came back to his computer and pressed Enter, which encrypted all the disks in that company. I could be wrong, but I think about 25 minutes passed from the first breach of the company to the start of disk encryption; the aim was a ransom for decryption.

– Have you come across programs that set records for odd behaviour?

– There were quirks that we were only able to explain later.

For example, there was self-checking code. When a program lands somewhere, it needs to assess its environment, and it makes a special request to the system to check it.

And I remember there was a program that checked for itself in this procedure. The program started running and asked the system: is it running? It is something like walking into a cafe and asking, “Am I in the cafe?”

– What is this for?

– It was a puzzle for us for a very long time. But later it turned out to be a matter of national programming traditions. You can find examples of Indian and Chinese code on Lurkomorye (an unofficial Wikipedia). It turns out these quirks are explained by national traditions that programmers in some countries actually follow. So for a Russian programmer this is usually nonsense, but in Asian countries it is simply the programming norm.

For a long time we couldn’t understand what was called “Bothans” in one program. It had things like “Bothans starting”: so the Bothans started working, the Bothans finished working. This command puzzled us for a very long time. A translator gives you nothing, and it is not at all clear how to even read it in Russian. For us it was a real mystery.

Then we learned that there were aliens in the Star Wars films who stole the plans for the Death Star. It was those aliens the malware authors were referring to.

– Can drawings or photos be added to the code?

– Yes. This year I saw photos of a naked girl in malware code. Why did the hacker insert such photos into the program code, drawing so much attention to himself? Why? That is a big question.

We later found one of these photos on OnlyFans (a content subscription service). The girl had 3,000 paid subscribers. Apparently one of them was the author of the program.

– How long was your longest investigation?

– Fifteen years. We were investigating a very, very old malicious program. It gave us a lot of grief at the time. There was never quite enough detail to draw conclusions from. And 15 years later we got answers to all the questions.

– Are there very young hackers, teenagers? Do they exist in Russia?

– In Russia I can only recall a few outstanding schoolchildren correcting their electronic grade books. But recently there was a story abroad about the group Lapsus$, led by Arion Kurtaj, a 16-year-old teenager from Oxford. That young man, now 18, is on trial in London, together with his 17-year-old accomplice.

– Are there female hackers?

– Yes, there are.

– Like in the TV series: in a hoodie, with piercings?

– Yes. You can see both extremes among women programmers at conferences. Some are in platform boots and black hoodies, others in suits and high heels. Plus plenty of guys with long hair, beards, glasses, bulging backpacks and laptops.

– Have you had any funny hacking cases in your practice?

– There was one recently. We watched a hacker burrowing deeper and deeper into a bank. A real bank, no less. And that is hard!

The bank has two computers, exactly the same. The only difference is that one computer is in control and the second “watches”. It sees all the transactions but cannot interfere with them. These computers are twins. Why two? Because one is the primary and the other is a backup. If the primary fails, the backup takes over.

The hacker got into the backup computer. Then he tried to take money from it. He didn’t realize that there was an identical one right next to it; he simply never got to it.

The moment the “watching” computer tried to rock the boat and steal money, a lot of security systems went off. And in reality the two computers are 3 cm apart; everything works on the main one, the passwords are the same, everything is the same; he just never reached it. So I would call this record: “The guy was about to succeed, but his luck ran out.”

– Are there any unusual things that get hacked?

– Yes. Robots, for example. I took one of them away for analysis, documented it, examined it. It was an android robot: it had arms, and a computer for a head. It had a bell, a monitor and access to the corporate network. It worked in a company’s meeting room.

– Why would a meeting room need a robot?

– First of all, it sends employees messages that a meeting is about to start. When the meeting is over, the bell rings. It can display anything on the monitor connected to the TV. You can give it commands: “Turn the light on, turn the light off” and so on. Precisely because this robot has access to business chats, can read them, can show things on the TV and has access to the corporate network, it got hacked.

– Was the attack successful?

– The attacker didn’t have time to do everything he wanted. I arrived on the scene and had to take the robot away with me. It has since been returned to its rightful owner.
