Global cybercrime lord busted, but expert says just a drop in the ocean

29 Mar 18

Europol recently announced that the suspected leader of an international cybercrime gang had been arrested in Spain.

It was a colossal investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Moldovan, Belarusian and Taiwanese authorities, as well as private cybersecurity companies.

Prominent since 2013, the Carbanak gang (named after one of its more popular forms of malware) has attacked banks in more than 40 countries, resulting in cumulative losses of more than EUR 1 billion.

On the surface, it is a tremendous success for law enforcement and the ‘good guys’, no doubt following an arduous investigation. But considering the sheer size of the cybercrime underworld and the ludicrous amounts of money it garners every year, is it really that big of a deal?

Cybereason senior director of intelligence services Ross Rustici says it comes down to perspective.

“The thing that made Carbanak stand out was its organization and planning. The amount of money they were able to steal combined with the length of operation make the group one of the most successful, known groups out there. However, there are three things that make the impact of the arrest still a largely unknown quantity,” says Rustici.

“The first: is Carbanak hierarchical or amoebic? Does catching the "leader" result in an unrecoverable loss of organisation and capabilities, or will the groups simply adjust and keep going? I don't think anyone has enough insight into the group to know for sure.”

Second, Rustici says, is the question of how diffuse Carbanak’s techniques are.

“Cybercrime is a copycat game for the most part; this arrest makes a larger dent in cybercrime if there is no one waiting in the wings to take up this type of intrusion against financial institutions,” says Rustici.

“Unfortunately, I think now that people have seen how this works, there are already plenty of copycats. If Carbanak goes down, but the technique still works, others will take their place.”

And third, Rustici says we need to consider just how effective this bust is as a deterrent for other cybercriminals.

“Perhaps more effective than if you look at the impact on actual operations is the deterrent effect of the arrest. This group had a lot of mystique around them both in terms of the size of their heists and their ability to operate,” says Rustici.

“The arrest of the ringleaders might be discouraging for other groups to grow quite as large and cross as many borders. That effect would have the largest impact on overall trajectory of cybercrime.”

Rustici says that in absolute terms, despite the gang being known as the ‘billion dollar cybercrime group’, Carbanak's activity has always been relatively small in comparison to cybercrime overall.

“Even if we are generous and give them double their reported earnings, sitting at 3 billion lifetime earnings is roughly 500 million a year, that is less than half a percent of estimated global cybercrime a year,” says Rustici.

“Taking out half a percent of global cybercrime is a large deal in terms of a single bust. In terms of how much cybersecurity professionals see the difference, it looks more like a rounding error.”

The sheer number of organisations, countries and law enforcement agencies behind the Carbanak investigation was well reported, and Rustici says the importance of cooperation in apprehending cybercriminals cannot be overstated.

“It is exceedingly rare these days that people hack within their own borders using only infrastructure within that same country. The Internet is global by nature and so too are the criminals who reside on it,” says Rustici.

“The two largest impediments to combating cybercrime from a law enforcement angle are trained professionals and jurisdiction. The ability to work across borders, share information, and reduce the blind spots that cybercriminals have available to them to hide in is often the key difference between a successful arrest and a cold case.”

According to Rustici, cryptocurrency offers the perfect avenue for money laundering but isn’t yet widely accepted. This is fortunate, because it would appear that the downfall of the Carbanak gang’s leader came down to financial traces. Rustici says it could cause problems if cryptocurrency were to become widely accepted.

“The loss of traditional financial institutions' support in tracking crime makes law enforcement's job much more difficult. However, we are already seeing attempts to regulate the space for tax purposes. Law enforcement and regulators will get more creative in how to make cryptocurrency more government friendly,” says Rustici.

“Until they do, a lot of the work will focus more on finding gaps than on actually tracing money as it flows through the system. Right now cryptocurrency is very similar to tax havens that don't share information readily. That problem will continue to expand as cryptocurrency becomes mainstream, but this is a known problem and therefore one that someone will find an answer to, even if it makes investigations take significantly longer in the meantime.”
