Virtual detectives prowl the web’s ‘dark forest’ for criminal tracks
By studying past cyber-attacks you learn how to fend off new ones, Kaspersky Lab’s chief researcher says
Shoshanna Solomon was The Times of Israel's Startups and Business reporter

Researcher Costin Raiu likes to call himself a detective, but the term he really prefers is “cyber-paleontologist.” Raiu heads a team at the Russian cybersecurity firm Kaspersky Lab and together they trawl the web, studying viruses and cyber-attacks in an effort to prevent the next one.
“Every day is different from the previous one – every day you find something new,” Raiu, 40, said earlier this month in an interview with The Times of Israel at his firm’s new R&D center in Jerusalem.
There are “cool things to research” all the time, he said. “It is a bit of a combination of detective work – a lot of that – and also a lot of what I like to call paleontology for bones. Like archaeologists at excavations, we try to find skeletons – or beasts.”
By studying past cyber-attacks and the clues their perpetrators leave behind, he said, you learn how to protect yourself against new ones — just like paleontologists and archaeologists, who understand our present by unveiling the secrets of the past.

Raiu compares the intensifying cyberattacks facing the world to a “dark forest” through which internet users walk without knowing what they will find around the corner.
“There could be predators out there,” he said. “Wild beasts.”
His job is to look into the past and “try to assemble unsolved mysteries. There are a lot of unsolved mysteries out there — and that allows us to understand how this dark forest looks now.”
Greater digitization and interconnectedness lead to greater prosperity but also to bigger threats. Britain’s parliament shut down external access to email accounts on Saturday following a cyberattack. Malicious software dubbed Crash Override or Industroyer was reportedly responsible for a 2016 power outage in Ukraine, while in May the worldwide WannaCry ransomware attack wreaked havoc on 10,000 organizations and 200,000 computers in over 150 countries, highlighting once more how vulnerable companies and nations are to the growing number of cyber threats globally.
The cybersecurity market is estimated to see growth from $112 billion in 2016 to $202 billion in 2021, according to MarketsandMarkets, a data firm.

Kaspersky Lab, a global cybersecurity company set up in 1997, has over 400 million users, of which 270,000 are corporate clients using its services and technologies to protect their businesses and infrastructures.
Raiu, who lists chess, high-precision arithmetic, cryptography and chemistry as his hobbies, has been with Kaspersky since 2000 and heads its Global Research and Analysis Team, or what they call GREAT.
“We make a lot of jokes about that: GREAT is great and let’s make GREAT, great again,” he said in heavily Russian-accented English.
He and his team have investigated the inner workings of some of the most intriguing viruses and attacks, including Flame, Gauss, Mask, and Stuxnet, which reportedly wrought havoc on equipment in Iran’s Natanz nuclear plant and is widely believed to have been the creation of a joint US and Israeli effort.
“Nobody has seen Stuxnet since 2010,” or the group that created it, Raiu said. “It was operating at least since 2007 – and since 2010 we haven’t seen them. Some groups will appear and then they will never be seen again. These (the Stuxnet group) had just one target and now everyone knows that the target was the Iranian enrichment plants.”
Kaspersky Lab tracks 100 threat groups around the world at all times, each responsible for some kind of cyber-attack. New groups appear all the time, but their identities are difficult to ascertain.
“In most cases we don’t know who they are,” Raiu said. “To be honest this is not something that we are pursuing too deeply because this is not our job — it is the job of the law enforcement to find who they are. Our job is to protect our users.”
Even so, the detective work the team does uncovers unique clues.
“Each group is unique — it is pretty much the same if you look at the world. Each country has some unique food, unique habits, their own language, their own customs,” he said. In the same way, “each attack pretty much reflects the mentality of where the people are from.”
The time zone the group operates in is one giveaway, he said. If they are a group based in China then they won’t be active on the Chinese New Year, for example. Or if the group is Israeli, then they typically won’t be working on a Saturday, in observance of the Sabbath. Language is another clue. He’s never seen groups operate in Hebrew, he said. But there is broken English, for example.
“We have seen a lot of groups which seem to have a native knowledge of Arabic, of Korean, of Russian,” he said. “But of course, Russian is spoken in several countries – Korean is also spoken in two different countries.” Simplified Chinese is also found, as well as English, of course.
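The working-hours clue Raiu describes can be made concrete with a small timestamp-profiling script. The block below is an added illustration, not code from the article or from Kaspersky Lab: it takes UTC build timestamps (in practice, PE compile timestamps or similar metadata recovered from samples), tries every half-hour UTC offset, picks the one under which the most builds fall inside an assumed 09:00-18:00 working window, and then histograms activity by local weekday so that a silent Saturday or Sunday stands out. The input timestamps are constructed here so the script runs offline; the 09:00-18:00 window and all function names are assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed local working window, [09:00, 18:00). An assumption for this example,
# not a figure from the article.
WORK_START, WORK_END = 9, 18

# Candidate UTC offsets in half-hour steps from UTC-12 to UTC+14. Half-hour
# zones are real, so they must be candidates or an operator at UTC+8:30 would
# be misread as +8 or +9.
CANDIDATE_OFFSETS = [half / 2 for half in range(-24, 29)]

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def to_local(ts_utc, offset_hours):
    """Shift a UTC-aware timestamp into the wall clock of the given UTC offset."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def working_hours_score(timestamps, offset_hours):
    """Count the timestamps that fall inside the working window at this offset."""
    return sum(
        WORK_START <= to_local(t, offset_hours).hour < WORK_END for t in timestamps
    )


def best_offset(timestamps):
    """Return (most plausible UTC offset, {offset: score}); ties go to the offset nearest UTC."""
    scores = {off: working_hours_score(timestamps, off) for off in CANDIDATE_OFFSETS}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores


def weekday_histogram(timestamps, offset_hours):
    """Activity per local weekday; an empty Saturday or Sunday is the kind of clue Raiu describes."""
    counts = Counter(WEEKDAYS[to_local(t, offset_hours).weekday()] for t in timestamps)
    return {day: counts.get(day, 0) for day in WEEKDAYS}


def quiet_days(histogram):
    """Weekdays with no recorded activity at the chosen offset."""
    return [day for day, n in histogram.items() if n == 0]


def build_constructed_samples():
    """Constructed input, not real malware metadata: two working weeks of builds
    at UTC+8:30 (09:00-17:30, Monday to Friday) plus three off-hours outliers."""
    tz = timezone(timedelta(hours=8.5))
    monday = datetime(2017, 6, 5, tzinfo=tz)  # 2017-06-05 is a Monday
    samples = []
    for day in range(14):
        d = monday + timedelta(days=day)
        if d.weekday() >= 5:  # skip Saturday and Sunday
            continue
        for hh, mm in [(9, 0), (10, 30), (13, 15), (15, 45), (17, 30)]:
            samples.append(d.replace(hour=hh, minute=mm).astimezone(timezone.utc))
    samples.append(datetime(2017, 6, 7, 2, 0, tzinfo=tz).astimezone(timezone.utc))    # Wed 02:00
    samples.append(datetime(2017, 6, 13, 23, 0, tzinfo=tz).astimezone(timezone.utc))  # Tue 23:00
    samples.append(datetime(2017, 6, 10, 11, 0, tzinfo=tz).astimezone(timezone.utc))  # Sat 11:00
    return samples


if __name__ == "__main__":
    samples = build_constructed_samples()
    offset, scores = best_offset(samples)
    hist = weekday_histogram(samples, offset)
    print(f"best offset: UTC{offset:+.1f} ({scores[offset]}/{len(samples)} in working hours)")
    print("weekday activity:", hist)
    print("quiet days:", quiet_days(hist))
```

On the constructed set the script recovers UTC+8.5 rather than +8 or +9, because only the exact offset keeps both the 09:00 and the 17:30 builds inside the window; that is why half-hour candidates matter when a figure like the GMT+8.5 Raiu mentions later comes up. The caveat a practitioner would add: build timestamps are written by the attacker's own toolchain and can be zeroed or back-dated, so this is one clue to be weighed with others (language artifacts, infrastructure, holidays), not proof on its own.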
Black Energy, Lazarus, Shamoon and StoneDrill
The groups have names, too. The Crash Override attack, which reportedly targeted Ukraine’s energy grid, was likely created by a group called Black Energy, “an interesting threat group that has been around for quite some time,” he said. The group acquired cyber-criminal malware developed by a Russian hacker who sold it on the black market, in cyber-criminal forums, for about $1,000, and then repurposed the malware for attacks on industrial control systems.
Another group, called Lazarus, was responsible for the biggest bank heist in history — the Bangladesh bank heist, in which cyber thieves stole $81 million from the central bank of Bangladesh. “We are confident they (the Lazarus group) speak Korean — because we have seen Korean language artifacts in the malware,” said Raiu. They also operated from a Korean IP address, and they work at GMT +8.5 hours, he said.
“They were also responsible for WannaCry,” he said. “There are new groups showing up all the time, but I am worried about Lazarus because I have seen their operations grow during the last three years and they are more dynamic, more aggressive and without any kind of scruples.”
Another group, Shamoon, has been targeting Saudi Arabia and yet another one, called StoneDrill, has been targeting Israel for a while, he said.
In Israel “people understand the importance of cyber more than almost any other country in the world,” he said. “They know very well how to create technologies which allow you protection — and how to deal with threats.”
Kaspersky Lab often does joint research with private Israeli cybersecurity companies. When these firms get complaints from their customers about attacks they check with Kaspersky Lab to find out if other firms globally are being targeted as well, Raiu said. Or they consult to find out if the attacks are criminal or state-sponsored.
“We have a global view,” Raiu said. “We have customers in pretty much any country in the world – over 300 million installations — and we can very easily understand if this threat is specific. Usually we can enrich their findings with more data. Why do we help? Because we are all driven by the desire to make the world better.”

Kaspersky also works with government-led computer emergency response teams (CERTs) around the world, and with international and European law enforcement agencies (Interpol and Europol).
Kaspersky Lab’s work has come under increased scrutiny from regulators in the US over concern that hackers might seek to use Kaspersky software for the purposes of spying or sabotage, as Russia has been blamed for meddling in the US elections through cyberattacks on the electoral system.
“We haven’t been involved directly in the investigation because we haven’t been asked to investigate,” Raiu said of the US probe into the Russian hacking suspicions.
Eugene Kaspersky, the founder of Kaspersky Lab, said in an interview earlier this month that the US suspicions about his firm’s activities “are simply not grounded in any facts. We’ve been in this business for 20 years, and we’ve always been a responsible player. We are ready to offer our source code for review in the US. It’s something we’ve already done with large government contracts in other parts of the world; it’s not a problem for us.”