
Global cybercrime lord busted, but expert says just a drop in the ocean

29 Mar 18

Europol recently made the announcement that the suspected leader of an international cybercrime gang had been arrested in Spain.

It was a colossal investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Moldovan, Belarusian and Taiwanese authorities, as well as private cybersecurity companies.

Active and prominent since 2013, the Carbanak gang (named after one of its better-known malware families) has attacked banks in more than 40 countries, resulting in cumulative losses of more than EUR 1 billion.

On the surface, it is a tremendous success for law enforcement and the ‘good guys’, no doubt following an arduous investigation. But considering the sheer size of the cybercrime underworld and the ludicrous amounts of money it garners every year, is it really that big a deal?

Cybereason senior director of intelligence services Ross Rustici says it comes down to perspective.

“The thing that made Carbanak stand out was its organization and planning. The amount of money they were able to steal combined with the length of operation make the group one of the most successful, known groups out there. However, there are three things that make the impact of the arrest still a largely unknown quantity,” says Rustici.

“The first: is Carbanak hierarchical or amoebic? Does catching the ‘leader’ result in an unrecoverable loss of organisation and capabilities, or will the group simply adjust and keep going? I don't think anyone has enough insight into the group to know for sure.”

Second, Rustici says, is the question of how diffuse Carbanak’s techniques are.

“Cybercrime is a copycat game for the most part; this arrest makes a larger dent in cybercrime if there is no one waiting in the wings to take up this type of intrusion against financial institutions,” says Rustici.

“Unfortunately, I think now that people have seen how this works, there are already plenty of copycats. If Carbanak goes down, but the technique still works, others will take their place.”

And third, Rustici says we need to consider just how effective this bust is as a deterrent for other cybercriminals.

“Perhaps more effective than if you look at the impact on actual operations is the deterrent effect of the arrest. This group had a lot of mystique around them both in terms of the size of their heists and their ability to operate,” says Rustici.

“The arrest of the ringleaders might be discouraging for other groups to grow quite as large and cross as many borders. That effect would have the largest impact on overall trajectory of cybercrime.”

Rustici says that in absolute terms, despite being known as the ‘billion dollar cybercrime group’, Carbanak’s activity has always been relatively small compared with cybercrime as a whole.

“Even if we are generous and give them double their reported earnings, sitting at 3 billion lifetime earnings is roughly 500 million a year; that is less than half a percent of estimated global cybercrime a year,” says Rustici.

“Taking out half a percent of global cybercrime is a large deal in terms of a single bust. In terms of how much cybersecurity professionals see the difference, it looks more like a rounding error.”

The sheer number of organisations, countries and law enforcement agencies behind the Carbanak investigation was well reported, and Rustici says the importance of cooperation in apprehending cybercriminals cannot be overstated.

“It is exceedingly rare these days that people hack within their own borders using only infrastructure within that same country. The Internet is global by nature and so too are the criminals who reside on it,” says Rustici.

“The two largest impediments to combating cybercrime from a law enforcement angle are trained professionals and jurisdiction. The ability to work across borders, share information, and reduce the blind spots that cybercriminals have available to them to hide in is often the key difference between a successful arrest and a cold case.”

According to Rustici, cryptocurrency offers the perfect avenue for money laundering but isn’t yet widely accepted. This is fortunate, because it would appear that the downfall of the Carbanak gang’s leader came down to financial traces. Rustici says wider acceptance of cryptocurrency could cause problems for investigators.

“The loss of traditional financial institutions' support in tracking crime makes law enforcement's job much more difficult. However, we are already seeing attempts to regulate the space for tax purposes. Law enforcement and regulators will get more creative in how to make cryptocurrency more government friendly,” says Rustici.

“Until they do, a lot of the work will focus more on finding gaps than on actually tracing money as it flows through the system. Right now cryptocurrency is very similar to tax havens that don't share information readily. That problem will continue to expand as cryptocurrency becomes mainstream, but this is a known problem and therefore one that someone will find an answer to, even if it makes investigations take significantly longer in the meantime.”
