It’s often difficult for security companies to tell who launched a cyberattack, as they have to rely on imperfect clues such as the languages cybercriminals use, Kaspersky Lab’s CEO Eugene Kaspersky said while visiting Romania for a conference.
“Attribution is very tricky in cyberspace,” he said, adding that the techniques required to confirm the entity responsible for a hack can fall into “a grey zone, which is very close to the illegal zone, so we don’t want to be there.”
One thing is clear, though: Criminal gangs want money, while state-sponsored attacks are more expensive and look for documents with specific names and cryptographic keys, he said.
In many cases, the assumption of who’s behind a cyberattack relies on the language clues hidden in the code. “But [we’ve seen] Russian-speaking technology in a Chinese-speaking attack. They cooperate,” Kaspersky said. On other occasions, cybercriminals pretend to be native English speakers, yet the words they choose or the mistakes they make aren’t common to native speakers.
Security companies also note the working schedule of cybercriminals. They tend to work during business hours, so investigators can guess their time zones based on when they’re active. This is how they know if an attack originates from Russia or the US. Other information might come from the software tools they use, and the localization of their operating systems.
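As an added illustration of the working-schedule clue described above (example code written for this page, not anything from Kaspersky Lab), the script below takes a list of UTC timestamps at which activity was observed and scores every candidate UTC offset by how many events would fall on a weekday between 09:00 and 18:00 in that zone. The timestamps are constructed for the example, and the 09:00 to 18:00 window and the Monday to Friday week are assumptions about the actor's habits; the function returns every offset that ties for the best fit, so a sparse or forged set of timestamps shows up as an ambiguous answer rather than a confident one.

```python
"""Estimate an actor's likely working time zone from activity timestamps.

Added example for this page. All timestamps below are constructed, not real
observations. Assumption: the actor keeps roughly 09:00-18:00 local hours on
weekdays, and the timestamps (C2 session starts, build times, commit times)
were not deliberately forged.
"""
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18  # assumed local "business day", [start, end)
CANDIDATE_OFFSETS = range(-12, 15)  # whole-hour UTC offsets to evaluate


def utc(year, month, day, hour, minute):
    """Build a timezone-aware UTC timestamp."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample: UTC times at which activity was seen during one week.
# The last entry is a Sunday and will not fit a business day in any zone.
SAMPLE_EVENTS_UTC = [
    utc(2023, 3, 6, 6, 12), utc(2023, 3, 6, 8, 40), utc(2023, 3, 6, 14, 55),
    utc(2023, 3, 7, 7, 5), utc(2023, 3, 7, 12, 30),
    utc(2023, 3, 8, 6, 30), utc(2023, 3, 8, 10, 15),
    utc(2023, 3, 9, 13, 45),
    utc(2023, 3, 10, 9, 20), utc(2023, 3, 10, 14, 10),
    utc(2023, 3, 12, 11, 0),  # Sunday outlier
]


def _in_business_hours(local_time):
    """True if local_time is Monday-Friday inside the assumed work window."""
    return local_time.weekday() < 5 and WORK_START <= local_time.hour < WORK_END


def working_hour_fit(events, offset_hours):
    """Fraction of events that land in business hours if the actor's clock
    is UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for ts in events if _in_business_hours(ts.astimezone(tz)))
    return hits / len(events)


def rank_offsets(events, offsets=CANDIDATE_OFFSETS):
    """Every candidate offset with its fit, best first, ties by offset."""
    scored = [(off, working_hour_fit(events, off)) for off in offsets]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def best_offsets(events, offsets=CANDIDATE_OFFSETS):
    """Return (list of offsets tied for best fit, that fit).

    A list longer than one means the data cannot separate neighbouring
    zones; a low fit means the working-hours assumption itself is doubtful.
    """
    ranked = rank_offsets(events, offsets)
    top_fit = ranked[0][1]
    return [off for off, fit in ranked if fit == top_fit], top_fit


if __name__ == "__main__":
    offsets, fit = best_offsets(SAMPLE_EVENTS_UTC)
    print(f"best-fitting offsets: {offsets} ({fit:.0%} of events in hours)")

    # Sparse data: two events at the same hour fit nine different zones.
    sparse = [utc(2023, 3, 7, 10, 0), utc(2023, 3, 7, 10, 0)]
    print("sparse sample ties across:", best_offsets(sparse)[0])
```

With the constructed sample the only whole-hour offset that places all ten weekday events inside the window is UTC+3, while the sparse sample ties across nine zones, which is the point of returning the whole tie rather than a single answer.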
“If we’re in touch with cyberpolice or with government agencies, and we have access to investigations, then we can tell [who’s behind an attack],” Kaspersky said. Researchers can pinpoint malicious activity originating from a command and control center; however, it is law enforcement agencies that are able to issue warrants and knock on the criminals’ doors.
Once, his company helped Interpol investigate a criminal gang that targeted banks in a small country. “This attack was quite primitive. We reported all the technical details to Interpol, the pictures, the Facebook accounts, real names. This happens with stupid criminals,” he said.
Meanwhile, traditional crime is starting to include a cyber component. For example, criminals have stolen petrol by manipulating temperature control systems—which affects the volume of fuel—in industrial storage tanks, which allows the thieves to add more fuel to their tanker trucks.
“So when they fuel the tanks at the oil refinery, they hack the SCADA system,” Kaspersky said. “They change the temperature so they have extra petrol in the tank. And then, at the petrol station, they release that. So we have 2-3 percent extra left in the tank. It’s not a cybercrime. It’s a physical crime.”
Eugene Kaspersky met with five Romanian journalists for a joint interview during the Romanian CERT’s cybersecurity conference. Here’s what he was asked:
How tired are you of being asked about Kaspersky Lab’s ties with the Russian authorities?
Eugene Kaspersky: We have a very good relationship with many authorities across many nations. In Latin America, FBI in the US, Europol in Europe, many police departments around the world. In Asia as well. In Russia we are in touch with the cyberpolice in the FSB department [tasked with] cybercrime investigations. We are only in touch with these guys who are responsible for cybersecurity. We are a defence part, and we stay far away from offensive.
The [Kaspersky Lab] people who are in touch with government systems are a very international team. Offices and partners are everywhere, except Iran, North Korea and Antarctica. In the company, R&D is in Russia, because Russian software engineers are the best. I didn’t say this. It’s from [former US Secretary of State] Condoleezza Rice. There was a panel, and she turned to me and said this. I said, I agree with you 200 percent.
The people who are working with state-sponsored attacks are Brazilians, a guy in Mexico, a guy from Ecuador, Americans, about 10 or 15 people in Europe, 3 of them are in Romania, the team in Russia, in China, in Japan, in Dubai, Israel. So it’s quite an international team. In the past, we’ve disclosed cyberattacks that speak native Russian, so they could be linked to the Russian government, like Red October.
Do you use a smartphone or a dumb phone?
I like this one: It’s a Sony-Ericsson. When this little thing dies, I have another one [that’s] not used. It has a three- or four-day battery life. But I can’t use Uber on this one, of course. Most of the time I have someone with a smartphone around. My notebook is mostly for emails, for checking the news. I use a VPN and my email is encrypted. Everything is encrypted on my laptop except for the pictures. I don’t encrypt pictures. You can take them from the internet.
A lot of smart devices are being hacked. Do you own, for instance, a smart TV or a smart washing machine?
I don’t watch TV. TV is boring. About the washing machines: I don’t know, because I have a wife. (laughs) I don’t have any kind of smart device at home because I have little kids. It’s not compatible. My car is a six-year-old BMW. Maybe it’s not so smart. Everything will be smart in a house. It’s just a question of time. It’s more optimal to use the new devices to optimize power consumption, so all the houses in the future will be smart. Do we have a traditional telephone? No.
How do you feel about the cybersecurity of cars?
We [have yet to have] a serious attack on new cars, but the cars, they are computers. We’ve tested some cars from some vendors and they are vulnerable. It’s possible to [hack] a car [and drive it], because there’s not a physical connection there. It’s a simulator. There’s not a mechanical system. It’s driven by wire. If you hack the main computer, then you can [drive] the car.
People who own Windows computers and have a third-party antivirus installed keep getting notifications from Windows Defender. Is there any friction between your company and Microsoft?
We’re partners and we are in touch with Microsoft. There are some questions we have for Microsoft because of this behaviour, because [Windows Defender] doesn’t really make the system safer or more secure. The level of protection Windows Defender guarantees is far from perfect. Other companies, independent security vendors, can guarantee a higher level of protection. I still use Windows 7. I like it.
Should we be pessimistic about the future? Could the world collapse because of a cyberattack?
I’m paranoid, but optimistic: We will survive. There’s a worst case scenario, and there is a nothing-happens scenario. Life will end up somewhere in between.
Worst case scenarios are possible, but I’m sure it will not get to the very worst case scenarios, which are cyberterrorist attacks of critical infrastructures, attacks on the power grid, on transportation, on healthcare.
Unfortunately, it’s technically possible. Do you remember Stuxnet, the attack on Ukraine’s power grid, the attack on the Estonian internet? At a governmental level, we need to pay more attention to critical industrial infrastructure. Right now, there are very few nations who [have taken] practical steps in this direction.
I would say there are three steps: first of all, to understand the problem; second, to build a plan; and third, to realize the plan. All the nations are still at the very first stage. Two of them, Israel and Singapore, they’re building the plan. But we’re far away from the third one.
Unfortunately, there aren’t enough engineers. These projects will take years to complete, and during this period of time, we will be unprotected. The most critical are power plants and the power grid. Then transportation, financial services, telecommunication. Attacks on hospitals are close to terrorism.