Supplement to the 2012/3 South African Cyber Threat Barometer
Russia Case Study Report
Foreword

Africa is considered to be the cradle of mankind. There is evidence that some of the earliest people lived in southern Africa. The hunter-gatherer San roamed widely over the area and the pastoral KhoiKhoi wandered in the well-watered parts where grazing was available. Tribes from central Africa moved southwards into the eastern and central parts of the area known today as South Africa.

Milestones in South African history:
1652 - Dutch settlers arrive under the leadership of Jan van Riebeeck
1795 - British occupation of the Cape
1800 onwards - the Zulu kingdom under King Shaka rises to power
1835 - The Great Trek - Dutch and other settlers leave the Cape colony
1879 - Anglo-Zulu war
1880 - First Anglo-Boer war
1899 - Second Anglo-Boer war
1912 - The African National Congress (ANC) is founded
1961 - South Africa becomes a republic
1990 - Mandela is freed after 27 years in prison and opposition groups are unbanned
1994 - South Africa's first democratic election

South Africa has journeyed through many great obstacles to become a nation whose dream of unity and common purpose is within grasp of all its people. We must not lose sight of this dream. As proud stakeholders of this great country we are now called upon to join hands in the fight against a new threat that is targeting all areas of our society - no organisation, community or child is immune to its impact.

I am referring to the scourge of cybercriminal activity that is rapidly becoming a global concern and one that we as Africans need to prioritise. We hope this project and proposed initiatives will go a long way towards "rallying the troops" to urgently address the growing cyber threat facing our country.

I wish to offer my sincere appreciation to the British High Commission for their funding and support to complete this vital research project.

I also wish to convey my warmest thanks to all participating companies and teams for their input and independent review of this report. Your passion to make a positive impact in this country has been amazing to witness.

I would finally like to acknowledge the Wolfpack team for their dedication shown in the research, analysis, layout and distribution of this report. I am very proud of what we have achieved.

Craig Rosewarne
Managing Director
Wolfpack Information Risk (Pty) Ltd

For a copy of the full 2012/3 South African Cyber Threat Barometer report and other country supplements please visit the research section of our website.

Corporate contact details:
Wolfpack Information Risk (Pty) Ltd
Building 1, Prism Office Park, Ruby Close, Fourways, Johannesburg, 2055
Telephone: +27 11 367 0613
Email: info@wolfpackrisk.com
Website: www.wolfpackrisk.com
Russia

The Security Council of the Russian Federation coordinates the four ministries in charge of cyber security (Interior, Justice, Foreign Affairs and Defence).

History of cyber laws to combat cyber crime in Russia

2002 - Russian Law on Electronic Digital Signatures (EDS)
• The EDS Law gives an electronic document the legal standing of the written form, provided an electronic digital signature has been applied to it.

2003 - Group-IB
• CERT-GIB, the first private computer emergency response team in Russia, operates on the basis of Group-IB.
• First and only public company in Russia engaged in digital crime investigation, computer forensics consulting, and combating the use of domain names for phishing, unauthorised access to third-party information systems, malware distribution and botnet command and control.
• Runs the Russian HoneyPot-Net project.
• 24/7 monitoring and incident response.
• Acquired by Leta Group in 2010.
• International expansion of Group-IB, from New York to Moscow to Vladivostok, in 2011.

Resolution No. 781
• General security requirements are set out in the Personal Information Law. Additional security requirements apply to confidential information (President's Decree No. 188 establishing the list of information of a confidential nature). Protecting this confidential information requires a state licence (Federal Law on licensing of various types of activities).
• The Resolution also recommends the use of encryption and other technical and organisational measures to prevent unauthorised access to personal information across the private sector.

Budapest Convention on Cybercrime
• Russia announced in 2008 that it would not sign the Council of Europe Convention on Cybercrime. It has also proposed on numerous occasions that a new UN treaty on cybercrime should be developed.
• Despite this political stand-off, Russia's Criminal Code contains offences that are broadly compatible with the Convention:
  o Article 2 (Illegal access): Criminal Code Articles 138, 272, 274
  o Article 3 (Illegal interception): Criminal Code Articles 138, 272, 274
  o Article 4 (Data interference): Criminal Code Articles 272, 273, 274
  o Article 5 (System interference): Criminal Code Articles 272, 273, 274
  o Article 6 (Misuse of devices): Criminal Code Articles 138.1, 273
  o Article 7 (Computer-related forgery): Criminal Code Articles 272, 273, 274
  o Article 8 (Computer-related fraud): Criminal Code Articles 158-160, 165, 272, 273, 274
  o Article 9 (Offences related to child pornography): Criminal Code Articles 242.1, 242.2
  o Article 10 (Offences related to infringements of copyright and related rights): Criminal Code Articles 146, 180

2008 - Foreign Policy Concept
• Dealt with Russia's international status, Euro-Atlantic security structures and (security) cooperation with Eastern actors.
• Foreign and security policy principles:
  o international law must have primacy;
  o multi-polarity should replace the US-dominated unipolar system;
  o Russia has no intention of isolating itself, and seeks friendly relations even with the West;
  o Russia considers it a priority to protect Russians wherever they may be;
  o Russia responds to any aggressive act against its citizens;
  o Russia has privileged interests in certain regions.

2009 - National Security Strategy of the Russian Federation until 2020 (NSS)
• Tackles cyber crime and intends to create a national state system for detecting and preventing cyber attacks. The document was published by the Russian Security Council, and the major responsibilities for bringing the policy to life are to be given to the Federal Security Service (FSB). The Security Council has outlined the main course of state policy on securing strategically important production and technology control systems. The project is to ensure Russia's national security before 2020 and improve the IT
• Concerning national interests and priorities, the document lists defence and state and societal security as the first priorities for Russia's national security, followed by socio-economic concerns such as increasing the quality of life and economic growth.
• The security policy will be implemented in three stages: 2012-2013, 2014-2016 and 2017-2020.
  o The first stage deals with concepts for liquidating the consequences of cyber incidents and with amendments to adopted and future programmes.
  o The second stage deals with the legal base, outlining responsibilities and developments within information security. A situation room for detecting and preventing cyber attacks on strategically important infrastructure facilities will be launched. This stage will also see the creation of means to liquidate cyber incidents.
  o The third stage includes the implementation of complex security systems, the launch of the first reference software and the launch of the single state system for detecting and preventing cyber attacks.

2011 - Amendments to the Criminal Code of the Russian Federation and Certain Legislative Acts of the Russian Federation
• Enacted as a Federal Law amending Chapter 28 of the Criminal Code (crimes in the sphere of computer information, Articles 272-274). The most significant changes are the additional aggravating circumstances and the increased severity of penalties, both of which should have a positive impact on the effectiveness of counter-cybercrime actions.
• However, the amendments to Chapter 28 were made without taking into account the opinions of specialised law enforcement agencies with experience in investigating cybercrime, or of industry organisations, creating some controversial issues.
• Articles 272-274 of the Criminal Code contain the key computer crime and cybercrime provisions.

2011 - CERT-GIB
• Creation of the first 24/7 CERT in Eastern Europe and the first private Computer Emergency Response Team in Russia.
• Russia also has a national CERT (RU-CERT) that participates in the informal CERT communities and is a member of FIRST. It issued strategic guidelines in 2011.
Industry collaboration, partnership developments and initiatives in cybersecurity

The Russian Federal Security Service (FSB) Centre for Electronic Surveillance of Communications (TSRRSS)
• Responsible for the interception, decryption and processing of electronic communications.
• Russia's complex security laws, which require registration and cooperation by providers, allow considerable scope for the exchange of information with law enforcement agencies without warrants or other oversight.

Federal State Unitary Enterprises (FGUP)
• Supervised by the Federal Security Service (FSB).

FGUP STC Atlas
• Responsible for developing and certifying information technology (IT) security and cryptographic systems for the Russian government.

FGUP Centre-Inform
• Leading Russian state-owned systems integration company for information technology (IT) and information security.

OOO Speech Technology Company (STC)
• Russian firm providing surveillance and monitoring equipment.

Kaspersky Lab
• Licensed to provide classified work for the FSB and the Defence Ministry.

Russian Association of Electronic Communication (RAEC)
• Aims to create a civilised information society with its own legal system and codes of professional conduct, accepted by both users and the companies operating on the Internet.
• The goal of the association is to set up an efficient dialogue between the state and the companies operating in the area of information, communication and Internet technologies.
• RAEC is actively involved in solving socially important objectives aimed at developing the information society in Russia and enhancing the image of Russia as a responsible member of the global information community. The industry's major companies have joined RAEC: Microsoft, SUP, OZON, Free-lance, ADV, RBK SOFT and others. Today RAEC comprises 45 member companies.

Security Council of the Russian Federation (SCRF)
• Established as a forum for coordinating and integrating national security policy.
• Examines issues and prepares "presidential decisions" on the organisation of defence, military organisational development, defence production, and military and military-technical cooperation of Russia with foreign states, as well as the formulation and implementation of foreign policy and the monitoring of public expenditure on defence, national security and law enforcement.
• The Secretary also makes proposals to the Security Council for coordinating the work of federal and regional executive bodies in national emergencies.
Quantitative assessments of the Russian cybercrime market

Key trends in the Russian cyber crime market, 2011

Russian cybercrime doubles: the global cybercrime market was worth more than $12.5 billion in 2011.

Mafia professionalises Russian cybercrime: traditional crime syndicates are beginning to organise the previously disorganised Russian cybercrime market. These syndicates are beginning to work more closely together, sharing compromised information, botnets and cashing schemes.

Online fraud and spam account for more than half of Russian cybercrime: in 2011 the largest segment of Russian cybercrime was online fraud at $942 million, followed by spam at $830 million, cybercrime-to-cybercrime (C2C) services at $230 million and DDoS at $130 million.

Criminal profiles: five cyber criminals pursued by law enforcement and industry in 2010-2012 (four are detailed in the case studies below): Vladislav Khorokhorin, Oleg Nikolayenko, Yevgeniy Anikin, Maksim Glotov and Andrey Sabelnikov.

Steps for reducing Russian cybercrime
• Clarify the language of new laws: amend the law with an additional conceptual apparatus covering information security and information technology terms.
• Increase penalties: make the penalties for crimes committed using computer technologies more severe.
• Update, amend and augment criminal procedures: create more effective procedures for gathering digital evidence, describing the procedures and actions for procuring, securing and investigating it; define the crime scene of a cybercrime and establish a specific place of investigation for such crimes.
• Improve law enforcement: organise federal and regional training programmes for the judicial, prosecutorial, investigative and law enforcement agencies, including seminars on cybercrime investigation.
• Improve international coordination: develop a document for submission to the UN establishing the principles of international interaction against cybercrime while respecting the sovereignty of member states, as an alternative to the Budapest Convention.

General trends of Russian cybercrime market development
• Consolidation of market participants, reflected in the formation of several major cybercrime groups operating on a consistent basis.
• Strengthening of the links between the major groups, based on mutually beneficial sharing of compromised information, provision of botnets and cashing schemes.
• Penetration of the cybercrime market by traditional organised crime groups, attempting to control not only the cashing of stolen funds but the entire theft process.
• Penetration of the cybercrime market by individuals with little technical education. Cybercrime thus ceases to be the trade of "techies", since it mainly requires capital investment rather than specialised knowledge.
• Growth of the internal market. This market covers the so-called cybercrime-to-cybercrime (C2C) services provided on a paid basis by specialised teams of hackers. 2011 was characterised by the emergence of a new trend of IT outsourcing within the criminal market.
Russia case studies

Vladislav Khorokhorin
Owner of the online stores Dumps.name and BadB.biz, specialising in the sale of compromised bank card data. An undercover US Secret Service agent contacted BadB and bought several batches of compromised data belonging to American and Israeli bank card users. This information was forwarded to the Dutch authorities in order to gain access to the servers of Khorokhorin's online resources Dumps.name and BadB.biz, which were hosted in the Netherlands. The charges built on the collected evidence were presented before a jury in a Washington, DC court on November 12, 2009. On August 7, 2010, Khorokhorin was arrested by French border agents at the airport in Nice prior to his departure for Moscow. He was charged with aggravated fraud and theft; if found guilty on both charges he faces up to 12 years in prison, and each charge carries a fine of up to $250,000. At the time of writing Khorokhorin is held in custody in France, and the American authorities are pursuing his extradition to the United States.

Oleg Nikolayenko
The presumed administrator and owner of the Mega-D botnet, which specialised in sending spam. Mega-D had over 510,000 infected computers (bots) at its disposal and at the peak of its operational strength sent out approximately ten billion spam messages a day. The FBI arrested Nikolayenko in Las Vegas in November 2010 on charges of violating the CAN-SPAM Act. The FBI accuses him not only of violating the anti-spam law but also of complicity in various fraudulent schemes built on the massive use of spam, such as distributing a wide variety of counterfeit goods and illegal drugs. At the time of writing Nikolayenko is awaiting sentencing in Milwaukee. According to some sources, he is close to reaching a deal with the American judicial authorities under which he would pay a large fine and be extradited to Russia to serve his sentence there.

Yevgeniy Anikin
Anikin was a member of an international hacker group responsible for the theft of $9.5 million from the accounts of the WorldPay payment system, a processing unit of The Royal Bank of Scotland (RBS). Anikin and an accomplice found persons engaged in counterfeiting bank cards. The duo then recruited others to execute the final phase of the fraud: making cash withdrawals from ATMs in different countries and transferring the funds to a collective pool. Anikin was arrested in Saint Petersburg along with his accomplice Viktor Pleschuk and charged with misappropriation of funds (grand theft). The case was heard under Article 158 of the Criminal Code of the Russian Federation on February 7-8 by the Zaeltsevskiy District Court of Novosibirsk. The penalties stipulated by the Article include up to ten years in a penal colony; based on the facts of the case, Anikin was given a suspended sentence of five years.

Andrey Sabelnikov
On January 23, 2012, Microsoft filed a lawsuit in a Virginia court against Andrey Sabelnikov, accusing him of creating the Kelihos malware. The suit states that Sabelnikov used the malware to control, maintain and develop the botnet. Kelihos was used for unauthorised access to personal information on over 41,000 computers worldwide, as well as for massive spamming and DDoS attacks. Sabelnikov denies any involvement in the unlawful acts described in Microsoft's complaint and has said so publicly on his blog, sabelnikov.livejournal.com. At the time of writing the Kelihos botnet is still active and continues its malicious activities, having undergone only minor modifications.
Sources
Group-IB / CERT-GIB analysts, State and Trends of the Russian Digital Crime Market 2011: http://group-ib.com/images/media/Group-IB_Report_2011_ENG.pdf
Group-IB update presentation at the Council of Europe Octopus 2012 conference: http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/cy_Octopus2012/presentations/Update_Grudinov_IB.pdf
http://www.css.ethz.ch/publications/pdfs/RAD-62.pdf