ENGLISH
ENGLISH
16.06.2022
"We find many things that others do not even see"
Nikita Rostovtsev on current cyber threats and his profession
These are the authors of the project "Cyber Professions of the Future". We often write about rising stars and established Group-IB experts, including their work and research, in order to bring you up to date about the features of new specialisms in cybersecurity. For this article we spoke to Nikita Rostovtsev, Threat Intelligence and Attribution Analyst. As a side note, at the end of the piece you will find a link to current Group-IB vacancies.
Profile:
Name: Nikita Rostovtsev.
Position: Advanced Persistent Threat Analyst in the Threat Intelligence department at Group-IB.
Specialisation: Threat Intelligence & Attribution Analyst.
Age: 27 years old.
What he is known for: Researcher into Nation-State hacker groups (APTs), teacher of the basics of Threat Intelligence. Contributor to Habr. Ambassador of Group-IB merchandise and a fan of stylish bow ties.
Author's blogs:
It's not your APT: Each of us is responsible for a strictly allocated pool of Nation-State hacker groups

Investigating APTs is like trying to complete a quest with constantly changing external and internal inputs. For the past three years, I have worked at the Advanced Persistent Threat (APT) department. APT groups are pro-government hacker groups that work for the interests of certain countries. In short, I go after pro-state groups. They are not always "hackers in uniform"; sometimes they are "civilians" who work for the state. All the members of our team, including myself, have their own pool of APT groups to monitor. The activities of APT groups are influenced by the geopolitical situation, summit meetings, statements, protests, and other circumstances that are not always clear. But the aims are generally twofold: to spy on an organization (or a specific person, usually at a high level) or to engage in either sabotage or diversion.

My first post on Habr’s blog was about Iranian pro-state hackers. In April 2019, we discovered leaked email addresses belonging to ASELSAN A.Ş., a Turkish corporation that produces tactical military radios and electronic defence systems for the Turkish military. Together with Nastya Tikhonova, Head of APT Research at Group-IB, we described the course of the attack on ASELSAN A.Ş. and identified a potential member of the attacking group known as MuddyWater. Our investigation took place just as unidentified individuals published classified information on Telegram, sharing facts about the Iranian government-linked APT groups OilRig and MuddyWater, including their tools, victims, and connections.

I have no "favourites" among APT, nor do I have any sympathy for any of them. All those "romantic" stories about hackers are based on the illusions of people who do not understand the consequences of changing chlorine levels in water, releasing toxins into the ocean, or rerouting an oil tanker. I can probably single out Longhorn (aka The Lamberts) because it is such a ghost group. Some people associate it with the US government, but no one seems to have any real information about them. The group’s members are highly skilful and very good at hiding. I assume that they receive hefty funding.

The behaviour of a server tells a lot more about its owner than one might think. Apart from tracking APTs, I have many other parallel tasks. For example, I write hunt rules that can be used to track the infrastructure used by the hackers. There are many servers and online services with this infrastructure. In the case of a malicious server, for example, it could be running any phishing kit and popular frameworks such as Cobalt Strike, Metasploit, Beef, Mythic, and Silent Trinity. Looking at a certain set of responses from the server and its behaviour, it is possible to understand what kind of server it is, who it belongs to, and for what purposes it is likely to be used. Roughly speaking, this is what attribution is all about.

No magic is involved in tracking network infrastructure. You simply need to know what you are doing. The advantage is that you find out about attacks before anyone else. Whenever a new study about a new custom backdoor or a description of a hacker group's network infrastructure goes public, I first look at the network indicators (IoC). I then look for these indicators in our graph analysis system because sometimes we are already aware of them and have relevant rules for them. Sometimes there is no data, however. In such cases, I research and determine which services are running and when. I then monitor the patterns and try to find additional servers according to certain parameters. That way, the next time attackers "up" that server or register similar domains, I use our Threat Intelligence & Attribution system to find out about it before anyone else. What's more, this means that our customers also find out about it before anyone else. I like the fact that we give our customers a significant head start to act quickly and prevent potential incidents.

At times we are like Robin Hood, preventing threats simply because we can. This is the difference between Group-IB and other cybersecurity companies. Let me tell you about an illustrative case of malware tracking. On February 23, the UK National Cyber Security Centre published a study on a new backdoor called Cyclops Blink. In short, this malware infects SOHO devices and uses them as servers to control future attacks. Cyclops Blink infects mainly WatchGuard devices. In the “network indicators” section, the researchers provided a list of 25 IP addresses. These hosts are the infected WatchGuard devices. When we looked at the research more closely, we discovered that the infected hosts had two SSL certificates. One was legitimate (which almost all WatchGuard devices have), and the other seemed suspicious. It turned out that Cyclops Blink also puts its custom SSL certificate with the values “localhost”, “Org”, “City”, and “State” in the “Common Name”, Organization, “Locality” and “State or Province” fields.
We calculated the statistics and discovered that there were 312,000 legitimate WatchGuard certificates, but just over 50 Cyclops Blink custom certificates. That is how we identified the other addresses of infected devices, determined which organizations they belonged to, and warned the potential victims about the threat.

It is crucial that researchers follow the principles of engineering neutrality, which is not a straightforward issue. About two years ago, Facebook released a report about the notorious APT32 group, also called OceanLotus and linked to the Vietnamese government. In the report, the experts tried to link the hackers to a local IT company, but they did not provide any additional attribution data in the post. Despite our business interests in the region, we found and confirmed a link between APT32 and the IT company based on documented digital fingerprints. We shared our findings on Twitter. I believe that such information should be published openly and made available to all researchers, no matter the country involved. Security is about data. That is why it shocks me when someone says: "We are no longer exchanging information with this person or entity". Do you realise that someone with whom you have decided to cut off all contact could warn you about an attack tomorrow?

The speed at which data from particular groups is replenished is directly related to their skill levels as hackers. In the case of Iranian groups, we are likely to find some of their domains and servers and successfully track them in the future. Analysing the activities of advanced groups like APT28 and Dark Halo is much more difficult. The results also depend on the tools that the group uses. On the one hand, custom tools are easier to detect. But as soon as they are discovered, analysts start examining them very actively, so the next time that the tool is found, it is more easily attributed to the corresponding group and the case is solved. On the other hand, the situation is worse when it comes to publicly available tools. For example, CobaltStrike — which is well known to all — it’s a a framework for penetration tests that means it can be used for attacks on computers. It is often used by cybercriminals and even pro-government APTs because they think it will help them blend in with other attackers and not stand out. Yet when we see how the attackers are running this server and what commands they are executing, it becomes obvious who is doing what. It's not easy to get away from us…
Threat Intelligence: "Something clicked inside"

I found out about Group-IB in 2018 from an advertisement when I was finishing the first year of my master's degree. I saw a vacancy for a Threat Intelligence Analyst. To be honest, I had little idea about what the position entailed exactly, but something inside me clicked. I wondered what "cyber intelligence" involved. As I Googled it, I found interesting blogs and research from Group-IB, but what appealed to me the most was that the team had a clear and comprehensible goal: to fight cybercrime. This seemed unusual to me. How could a private organization do something that only law enforcement agencies are supposed to be able to do? Now, of course, I know that it can and it does.

Please explain what Threat Intelligence (TI) is to your grandmother. This is a very frequent question. Many people ask for a simpler explanation. My answer is usually: "TI is a set of information and knowledge about attackers, how and with whom they work, what targets they are interested in, what tools they use, and what measures must be taken to build a defence system against them and prevent cyberattacks in their preparation phase. I hope that is clear enough for any grandmother.
It's amazing the passion with which researchers talk about their work

The most effective learning happens in the heat of battle. At Group-IB, new employees are usually immersed in the thick of things from day one. No one gives newcomers "synthetic" cases involving non-existent APT groups. They are thrown straight into the workflow. When I started, I immediately started tracking attacks by Iranian groups. I was putting new data into our system, enriching that information, and looking for additional indicators that other researchers had not uncovered. Thank goodness for our Network Infrastructure Graph! It is a powerful system for finding additional IOCs and network indicators in general. You can read about it in Dima Volkov's blog. He is the mastermind behind the graph, which has no equal. That is why it is patented. Download the demo and you will understand what I mean. All in all, thanks to him we find many things that others do not even see.

The more you read, the more you realize how deep the rabbit hole is. First you analyze a lot and simply absorb knowledge from dozens of different vendor reports every month. Little by little, you start to understand how a particular group works. And then you begin to write your own reports, enriching not only the data in our TI system, but also the knowledge of the community as a whole, which is now reading your reports, too. It's a breathtaking feeling.
I have a confession: I have read zero information security books. If you need to grow professionally and develop your practical skills, rather than study dry theory you should read vendor research on various groups and malware and watch webinars on the latest trends in InfoSec. In my opinion, webinars are extremely useful. First, they are most often led by practitioners — experts who have been directly involved in research and who have written many reports. Second, you will be amazed at the passion with which they talk about their topics. Moreover, a webinar is a chance to ask them questions. At Group-IB, we often hold such meetups. They are advertised on our LinkedIn page and in our Telegram accounts. LinkedIn is usually the number one place to find profile webinars. All you have to do is sign up with the right vendors.

Threat Intelligence is a unique market because it is all about knowledge and data. Competitors use your data, you use their data, and everyone wins. For example, I like the way Mandiant researchers write reports because they explain in detail not only the course of the attack and the tools used, but also how to track and hunt down the cybercriminals involved. Attackers use specific techniques to accomplish certain goals. We study this and use it to our advantage, they also study our reports. Recently Mandiant released a report on a group they are tracking, known as Sabbath. Mandiant has a separate section called “Hunting Samples” that includes all the indicators, network rules, and "highlights" (YARA). The researchers wrote in the report that there are two ways to hunt Sabbath. This information helped us identify Cobalt Strike servers that are assigned to this particular group. Out of more than 232 addresses, we can say with confidence that there are just over 100 of these servers on the entire Internet.
An occupation that is best not spoken about publicly

I enjoy teaching. In early 2021, I decided that I wanted to raise the level of the InfoSec community at my university. How could I help? For example, by giving lectures on Threat Intelligence. I shared the idea with Ilya Sachkov, the founder of Group-IB, and he backed it immediately: "Let's do it! Tell me how to help". I drew up a plan, sent the summary to the dean, and in response he said: "I don't know what this is exactly, but we trust you. If you think it's right for our students, let's do it". At first we were focused on online teaching, but later we decided that it would also be an optional offline course. The students seemed interested in the topic. One student admitted that he had wanted to switch to another specialism, but after this course he changed his mind and realized that he wanted to build his career in Threat Intelligence. For me, the lectures were also an opportunity to introduce students to Group-IB.
In December 2021, I was chosen to be a speaker at the CyberCrimeCom anniversary conference. I will remember the event for as long as I live. I spoke about the Chinese group APT41 and how we investigated the group’s attacks. The group has a standard work schedule: they start at 9-10am and finish at 6-7pm. Saturdays and Sundays are rest days. They are probably even in the same building, sharing findings and tools with each other. In the final part of my report, I shared what I considered most important. I explained how to hunt their infrastructure, i.e. what certificates, servers and services the group uses.

I am often asked how researchers hide from cybercriminals. It is crucial to specify what kind of criminals we are talking about. If they are untrained attackers, they don't care whether or not someone is looking for them. But the more serious hackers are paranoid about being followed. They take various steps to disguise themselves and make it harder to investigate or deanonymize them. This is called counter-forensics. We have surefire tools and ways to uncover secrets, however. But this is a field that is best not talked about publicly.

There is a simple answer to the question of why you should go into cyber security: because it is extremely interesting and the subject itself is limitless. When I told university students what they could become, they were amazed. The possibilities abound: threat intelligence analysts, malware analysts, auditors, pentesters, computer forensics analysts, reporters, and so on.

In general, Threat Intelligence is "all about everything". So when asked what competencies a TI team member should have, my answer is that they should be interested in everything. It is important to have malware analysis skills and to understand how networks work and how to interact with web resources. It is important to be able to find connections and patterns in a huge amount of data, to make hypotheses, and to either confirm or refute them. Last but not least, it is important to keep moving forward.

I'm greatly inspired by Incident Response and Forensics. I like detective investigations, when I can untangle the digital trail to the end. It is incredibly interesting to reconstruct the whole picture of the attack and explain what happens when you have one weak IP address. For example, I can determine when the infection started, how the attackers moved around the network, how they raised their privileges, how they uploaded files and what files, and what they were looking for. I would like to develop in this direction. That is partly what I am already doing: when we investigate infrastructure, we often find files left by the attackers on their servers. We then use these files to identify victims and contact them to offer help.
Group-IB members have an endless number of fascinating tasks and legendary stories to tell their grandchildren. If there is anything you don't know, your colleagues — whose skills are simply exorbitant — will always help you. The company will always support your training and development as a specialist: "You want a new certificate? We’ll pay for it. Would you like to speak at a conference? Let's create your promotional posts and go! Do you want to train students? Just tell us what you need". When working at Group-IB, you can make a genuine difference to society by taking part in special operations to apprehend cybercrime of which few people are aware. Well, apart from public operations: our operations with INTERPOL and Europol are known to many people, although they are rare. Most fall under strict and indefinite NDAs.
Advice for those looking for a career in cybersecurity but unable to decide on a specialisation

Ask yourself what you like best. If you prefer puzzles, quests and detective stories, try Computer Forensics or Incident Response. Would you like to understand how certain programs work? Then reverse engineering is for you. Are you drawn to hacking? Start with pentesting. There are plenty of free courses these days. Take a look at “Try Hack Me”. It's a great platform for learning and there are a great deal of assignments on any topic. In general, it's easier to build a career now than ever before. And probably the most important piece of advice for everyone is: learn English!

Photo: by Kristina Dolgolapteva, from the Group-IB archive.


Useful links:

Group-IB is always looking to strengthen its team of technical specialists. Become a part of the team and change the world with us! Details about current vacancies are available here. Need more information? Subscribe to Telegram about security detection, hackers, APTs, cyberattacks, scams and pirates. Stay up-to-date with Group-IB's step-by-step investigations, case studies, and tips on how not to become a victim. Be connected! And, of course, visit our blog and read our research, in Russian and English.