Group-IB is one of the world's leading companies specializing in cyberattack prevention and information security product development. Its founder, Ilya Sachkov, devotes almost all of his time to work. His entrepreneurial path began in his youth, and at the age of 30 he personally knows the president of the country. In an interview with "Zhazhda", Ilya explained how he achieved such high professional results.

- We can say that in childhood you were a real bully. You are very restrained now. What are the reasons for such changes?

- I don't think they happened. There is an official part of my life, and there is something that remains behind the scenes. I was a bully, and I have remained one. I can still fight and argue and misbehave. Recently there was a case when I had to use brute physical force against a person who tried to desecrate an architectural monument, the Yelokhovskaya church. Yes, this case, according to the Criminal Code, is hooliganism, but I have no regrets. I think I did the right thing.

These same principles have been converted into an interesting business approach.

In business, you can exist without rules. It pisses me off to disagree with those who believe that all moves in business are scheduled. This is where I show qualities that someone would call hooligan. If they tell me: “It won't work,” I take it and prove the opposite.

It is known that your brother lent you money to start a business. Is he the only one who believed in you then?

- I shared my idea with everyone, and only he reacted vividly with the question: "How can I help?" I borrowed money, which I returned in a few months thanks to several successful orders at once.

- Tell us about your team. Whom would you gladly hire, and with whom would you never agree to cooperate?

- There is an obligatory safety criterion: the absence of a criminal past, as well as a present associated with organized crime or negative hacking experience. The trustworthiness of a person is important to me - in a very deep understanding of this word. This is a necessary, albeit insufficient, condition for working under my leadership.

It happened that very talented guys came to interviews at Group-IB, but after a thorough check, we decided to refuse them. No amount of outstanding service will override our safety requirements.

On this topic, we once had an Internet dispute with Kaspersky. He said that the use of a polygraph in a company is paranoia, and I believe that when you are involved in solving computer crimes, then safety comes first. Everyone I work with understands these stages of review.

If we talk about my personal selection criteria, it is important that a person's eyes shine. This is noticeable from the first step, from the first word of the person in the interview. If someone comes to Group-IB for a salary, and not with the aim of changing the world, then we are not on the way. It is at the energy level that relationships with such people do not develop not only with me, but also with most of the employees in the team.

Talent is also important. Whether it's in marketing, in sales, or in investigations, it doesn't matter where it comes from - there has to be talent. I can close my eyes to the lack of experience if there are prospects for the development of personal potential.

Is it easy for you to be a manager? What qualities help you with this?

- Not easy. This is not a constant story. Each time it seems to you that you already know everything, and events occur that show that this is not so. For example, this year I had to fire my best friend.

I also train to say no all the time. Being a leader is a never-ending learning process that takes a lot of energy. But if it works out, then the energy returns, thereby compensating for all the difficulties and negative moments.

You are doing a very interesting job. What are the pros and cons of your field of activity?

- I'll start with the downsides - it's work 24/7. The best gift I give myself 2 times a year is digital-detox. By an effort of will I deprive myself of the opportunity for a whole week to receive at least some kind of working information.

The specificity is that we have an international business and problems appear all the time. When we first started, it seemed to be cool - such every minute movement. But now it is difficult because at any moment you need to be involved in work processes - it does not matter if you are in the theater or on a run. This is the only drawback.

There are a lot of pluses - this is a very interesting area that I would not trade for anything else. There are difficulties, but I look at them philosophically, as an opportunity to solve important problems, gain experience and become better. Every day incredible things happen and we get tremendous moral satisfaction from being useful.

Part of our work is related to the investigation and counteraction of criminal groups. As I said, we help law enforcement agencies in different countries to fight crime. In Russia, 80% of high-profile high-tech crimes are investigated with our participation. Arresting a hacker group that has been robbing ordinary people like you and me for several years is a complex multidimensional task with a lot of inputs and variables. To solve it and to ensure that the criminal ends up behind bars, it is very helpful to understand that thanks to this work life on earth becomes at least a little safer and better. It turns out that we are literally fighting evil, which means that we are doing our job correctly.

Hacking group CRON: liquidated with the participation of Group-IB

What it is known for: stole money from users' bank accounts. The group infected 3,500 Android phones every day and installed the virus on almost 1 million devices in less than a year. The total damage from Cron's actions is estimated at no less than 50 million rubles. In 2016, Cron rented a banking mobile Trojan Tiny.z, a more versatile malicious program for Android that targets clients of not only Russian, but also foreign banks.

Status: liquidated. In November 2016, 16 Cron participants were detained in 6 regions of Russia. The last active member of the group was detained in early April in St. Petersburg.

Do you have a superhero costume hanging in your closet?

- There is no superhero costume, but there is a spotlight on the roof of the office, like Batman. So powerful, aviation, and on it - the first letter of the company "G". There is a tradition - to turn it on, directing it to the sky when some complex business is completed.

What questions do you usually get asked, and what tasks do you solve?

- Two directions can be distinguished systematically. The first one is where the company started its activity: it is assistance in solving any problems related to information security. We help to understand why the incident occurred (a cyber attack on a bank, for example), help to collect the necessary information, and interact with law enforcement agencies in order to achieve the arrest of those responsible. For example, attackers have created a fake website, are deceiving customers on your behalf, have stolen money via the Internet, are selling counterfeit goods, are sending anonymous threats, the system has stopped working, etc. We, like a doctor, help to understand what caused the disease and eliminate it. Whatever anyone says, we are the best in what we do. The structure of Group-IB is unique - we have no competitors in Russia. In terms of technology, I can't say so - there are very powerful companies in the world, especially in the United States and Israel. It is interesting to compete with them - it is important to have such rivals.

The worst thing that Russian companies are doing is trying to rise to import substitution. This is a disastrous step. The only sure way is to fight a stronger enemy on his territory. If you want to become a cool tech company in Russia, fight against the largest corporation in America. Then you will automatically become number one in your country and step outside of it.

This is exactly the second block of our activity - the technological one. Our experience helps to prevent crimes at the stage of their preparation in a technical way. I will give you a real life example to understand the specifics of our company. When a boxer strikes and the fist is already near the face, it is difficult to prevent something. Our task is to block the attack before attempting to strike. To summarize, our company prevents cyberattacks on various types of businesses in Russia and abroad.

- After what investigation did your company gain prominence? And the loudest case that you can already talk about?

- I think that the first publications began after our joint case with the Economic Security Department of the Ministry of Internal Affairs on the blocker virus. It was a series of investigations, it was talked about on all channels, although the specific name of the criminal group was not mentioned. We can say that this was the first wave of fame.

One of the most high-profile cases was in 2016. We helped declassify the Cron group, which steals money from the bank accounts of Android smartphone users on a daily basis. But basically, our investigations are not public, they may become known later, but it will definitely not be possible to talk about them in the coming years.

Because of your professional activity, are you limited in moving around the world?

- Absolutely no restrictions. I have all possible visas in my passport, I can fly anywhere in the world without any obstacles.

Tell us about your hobbies. What do you like to do in your free time?

- I spend my free time on sports, sleep and self-development. I try to constantly learn something new, communicate with interesting people who can teach something. Of course, it seems that I have an absolute imbalance in the sphere of family and personal life, but at the moment I look at it philosophically. I pretend that fate wants me to devote more time to work until I complete the visualization map. Yes, I have such a card, and there is everything about my professional activity, so for now all my strength is going into business.

- I cannot but ask this question. Not everyone in life manages to talk to the president. How did you feel during a personal meeting with the head of our state at the "Territory of Meanings" forum in 2015?

- Since 2012, my feeling of fear has completely dulled. Given that I went through difficult investigations, my body has learned to turn off this emotion.

During the meeting with Vladimir Vladimirovich Putin, of course, I was tense. I realized that this might be our first and last meeting, and I need to be at my best, defending the interests of my company. The difficulty was to show the activities of our team in a limited time frame. I remember the first seconds of the dialogue when my brain sent a signal to remember this moment. The moment when I stand and speak with the president of the country. My excitement turned into pride, and my body worked as it should. I told everything I had planned. Even more, because the president found our work very interesting. Frankly, I was pleasantly surprised by the correct, professionally asked questions and awareness in the field of information security. I love my job for being able to show Russian achievements that are in demand all over the world, despite the political situation.

Why do you think foreign companies trust you in times of tense relations with Russia?

- It is important to separate what is said on TV from what actually is. The whole world lives in a market economy. Any business, regardless of the country of presence, vitally needs two things - to reduce costs and increase revenues. This is what we do well with. What difference does it make to foreign companies who will help them save money by increasing profits and reducing costs? For 15 years now, Group-IB has been helping Western companies in solving important matters. There has never been a leak of information, despite the fact that we have offices around the world and a multinational team. Therefore, if someone thinks that since the company is Russian, then it cannot be trusted, then this person is an idiot. We really don't like working with idiots when there are so many smart people... This is our strategy.

Give advice: where to start your own business?

- First. Start by visualizing what you want to see at the end. It is important not only to start the journey, but also to see the end or at least an intermediate point. Sit down, be patient, find pictures that reflect your idea of a successful business, and get to work. It's like in Alice in Wonderland: "How can I get out of here?" "It depends on where you need to go."

The second is the fundamental preparation of knowledge. A lot of entrepreneurs start their way, not considering the fact that there is a huge amount of rake that most businessmen have already stepped on and have filled their bumps. You can follow their example, or you can save your nerves and spend time more efficiently. I recommend reading the literature written by people who have already gone the entrepreneurial path. This will increase the speed of your movement.

Third. Think about your health. Understand how your brain works. Take it for granted that no one needs a sick and unhappy entrepreneur.

Have you achieved what you dreamed of, or is the main victory yet to come?

- Everything is ahead, but much of what I dreamed of has already happened. The peculiarity of my character - positive for our business and negative for me personally - is that I am never pleased with my own achievements. When I achieve something, a new plan for the future is already ripening in my head. Because of this, we have an eternal movement. I am constantly talking about new ideas and challenges. My employees do not have time to rejoice at the results, as I already demand the conquest of new heights.

Then tell us about your plans for the coming year.

- Increase international revenue, launch new products, expand the company to 300 people. Of course, I want all my employees to be healthy and happy.

As for personal plans, this list is quite long. If we talk about sports achievements, then I want to run 2000 km, pull up not 30, but 50 times, learn how to do somersaults on a wakeboard. Just on my visualization map there is a picture of a well-known wakeboarder, so I can do it anyway. I also want to organize a concert of a young piano classic who is super talented and can bring joy to many people. And that's not all.

Finally, our traditional question. Is there a so-called "lust for business" for you?

- Yes, considering that my business is my life. I have a lust for life. If it were not for it, then I would not have been able to overcome so many obstacles on my way. Thirst helps to live. And not just live, but live happily.

Our dossier

Ilya Sachkov, 31 years old, Moscow

CEO of Group-IB.

Group-IB has conducted more than 1000 successful investigations of cybercrimes (of which 150 are particularly complex and high-profile cases) around the world, resulting in real sentences and terms for members of hacker groups.


The main character trait?

Strength of will.

What do you value in people?


What was the most memorable trip?

By car to Europe, in winter from Moscow to Germany and back.

Whose master class would you go to?

Richard Branson.

Last book you read?

Smiley's People by John le Carré.

What gift do you remember?

Sherlock Holmes, first edition of the late 19th century.

The main source of inspiration?

What do you regret?

Life rule?

Do and finish.

In 10 years I will be ...

A few years ago, one of our investigations came to a standstill. The offender threatened the person with anonymous letters and at the same time did not make mistakes that would allow his identity to be established using the methods of computer forensics. Suddenly one of our team members disappeared from life for several days (we really lost him), and then came back with a decision.

Our colleague drew attention to the fact that in one of the letters the attacker mentioned that his repressed relative once lived in a certain city. Our employee collected all possible archives and built genealogical trees of people who were repressed in a particular city in a particular year.

Even now, this work seems almost unrealistic to me. However, there were only 12 living people who fit the description. One of them was familiar to our client, and he immediately understood what the blackmailer's motives were.

The employee who solved the crime is autistic. This trait has endowed him with out-of-the-box thinking and the ability to immerse himself in amazingly deep ways. Autism can be an advantage, and I'm glad people with this trait work for my company.

In time to find

I first met an autistic person in 2007, during an investigation. It was a meeting with a criminal. Later, conducting other investigations, we saw that some types of computer crimes (for example, writing viruses) are often committed by autists - sometimes the criminals had a diagnosis, sometimes we ourselves determined it in the process of communication.

Why do autists take the wrong path? A huge problem of our state (and society) is that we do not know anything about autism and no one systematically works with these guys. It all starts in childhood. Problems in the family or at school, aggression and violence make the child angry. If he has access to a computer, he quickly realizes that with his help he can take revenge on society.

When we paid attention to this, we began to study the medical and psychological literature. Our library contains research by scientists from Harvard, Cambridge and other scientific centers. Gradually, we began to conduct our own research and found that autistic people are amazingly interesting people.

There is a widespread myth in Russia that autism is a limitation. This is absolutely not the case. It's just important to find an approach - in the family, at school, at work. Then autistic people will become part of the puzzle that will allow society to solve many important problems.

Special Purposes

If you place an autistic person in a supportive environment, communicate with him and guide him in the right direction, he will become one of the best in the team. This is especially noticeable in the computer sphere, because autists are hardworking, creative, interesting. This is amazingly important and I want to build a whole system of vocational training for autists who are interested in computers.

Autists have been working in my company for a long time in different positions. Some of our patents and developments are entirely the result of the work of people with this property. I myself am also a little autistic in some personality traits and I think this is a cool advantage. For example, sometimes I become detached and it allows me to concentrate tremendously on business. But, of course, I do not show it to the same extent as some guys from our company - they are capable of truly outstanding things.

In my opinion, autistic people are well suited for analytical work, working with big data, development, routine intellectual tasks. We are talking about writing large technical texts, finding errors in the code, building long logical chains and searching for sequences in huge amounts of data.

In our business, it is very important to be able to relate events that at first glance seem random, and autists have no equal in this.

To set up a contact

But there are also difficult moments. Motivation methods that work for most employees are not suitable for autistic people. Standard corporate rules and principles of communication can provoke unexpected reactions. For example, autistic people value humor, but sometimes they don't show it outwardly. They are also not interested in corporate events - if there are a lot of such people in the team, you need to arrange something special. But if you keep in mind the peculiarities of your colleagues, you can communicate with them perfectly. The approach is important - these people need to be cherished and appreciated.

A person who believes that there is no need to communicate with autists, that they do not need to be hired, is an uneducated person. If you take the time to study psychology and build a job correctly, for any company (especially in IT), an autistic person will be the best employee. Again, autism is amazingly cool.

I also know autistic entrepreneurs. I am even friends with some, but in communication this topic remains taboo, because the word "autist" is perceived by many as a curse. It is unlikely that something can be done quickly with this, so I would introduce a new concept, make a radical rebranding.


Knowing who cybercriminals are and what they are after can be the first step towards protecting your data, money, and reputation. Ilya Sachkov, the founder and CEO of Group-IB, told the audience of the corporate programs of the Moscow School of Management SKOLKOVO about this.

Thanks to films and TV series, we are accustomed to the idea that crime is something tangible, something that can be seen: a killer kills a victim, a bully snatches a purse from an old woman's hands, a safecracker breaks into a safe. However, every year the share of such "traditional" crimes is decreasing, while the volume of cybercrimes, on the contrary, is growing. Every one and a half minutes, one robbery is committed in the European Union. Over the same period, there are about three thousand cases of data theft, and more than a dozen new malicious programs are born.

Organized crime is increasingly using the Internet, and cyberattacks, according to experts from the World Economic Forum (WEF), have now become the main global risks along with environmental and geopolitical problems.

Ilya Sachkov believes that the key element of cybersecurity is knowledge of what modern computer crime is. Understanding the goals of cybercriminals, their motives and techniques makes it possible to counter them effectively. The most common motive for computer crimes (about 98%) is financial gain obtained through hacking of banking systems, extortion, fraud, and so on. Espionage, sabotage or cyber terrorism can also motivate a crime; these motives are usually typical of pro-government hacker groups, but the bulk of cyber threats are still associated with cybercrime.

Unfortunately, most Russian companies do not understand what modern computer crime is, how it attacks, or what tools it uses, and therefore business owners and their information security directors (CISOs) do not know how to protect their infrastructure or remote banking system (RBS).

For example, some people still firmly believe in antiviruses, while world practice highlights the weaknesses of this approach: the most popular antiviruses were installed on many infected computers of bank employees, but they did not prevent infection, and as a result cybercriminals were able to take control of the bank's network and withdraw money from it. CEOs talk about risks and cyberattacks without knowing who a cybercriminal is; they often cannot name hacker groups or explain how they attack and what tactics they use.

Cybercriminals follow the money and target the mass market. For example, since most company accountants and bank employees work with Windows products, hackers target them rather than Apple computers. Another example is that cybercriminals do not see the point in attacking the infrastructure of power plants or other strategic institutions. This does not promise them economic benefits, only trouble - the threat of punishment for potential terrorism is extremely high. Pro-government groups, on the other hand, rarely attack banks, and if they do, it is for the purpose of destroying banking infrastructure or espionage, and not for the purpose of robbery.

In order to gain access to the finances or services of companies that deal with RBS, hackers identify employees with access to financial flows. Accountants and financiers are at risk. They are attacked either directly with phishing emails, or the attackers fake or infect sites that these employees often visit.

One of the most common vectors of attack and network penetration is still phishing emails, which allow access to an employee's device and to the services with which he works. An employee receives a letter that looks exactly like those usually sent by counterparties, partner banks or regulators, and opens it. But the attachment contains malware that infiltrates internal systems and looks for ways to "gain a foothold" in the system so that its creators can then steal and withdraw money.

Most often, criminals use social engineering methods based on the following psychological factors to push a person to open a fake email:

A) Curiosity. Phishing emails can be disguised as notifications about undelivered messages or about granting access to some files.

B) Fear. In this category of messages are, for example, angry letters, allegedly sent on behalf of the management.

C) Striving for free goods. This category includes letters that "notify" the recipient of winnings, some bonuses and similar events.

Modern cybercrime sometimes has multi-million dollar budgets. These funds are used to hunt specialists, bribe officials, and develop hacker software. In fact, this is such a criminal startup in which no malware developer will waste his efforts and resources if he does not believe in success and does not have an idea of how to bypass existing security systems. Therefore, it is worth keeping in mind the rules of precaution, but be prepared for the fact that a possible attack will be delivered from where no one expected.

Ilya Sachkov shared with the students of the SKOLKOVO Business School several tips that are useful both for ensuring personal safety and for protecting your organization from potential outside interference:

Remember that email access gives you access to your entire digital infrastructure. Many services, instant messengers, programs are tied to mail accounts. So, if an attacker can get access to mail, he can get into your infrastructure.

Introduce two-factor authentication wherever such a procedure is available. This tool is not perfect, but it will significantly increase your protection. An attacker will need not only your Internet account, but also access to your phone. Advanced criminals can also hack a mobile device, but the threat from most hackers will be eliminated.

Create multiple accounts / mails. There is no need to make all your services tied to one email. If a criminal can gain access to such a mailbox, he will be able to connect or even take control of all associated services.

Use strong and secure passwords, change them regularly. The ability of attackers to guess and generate new passwords is constantly growing. Accordingly, you need to change and complicate your passwords that protect access to your information.

Back up your information. If your device or network becomes infected, your information is also at risk. Therefore, you should always have a backup copy of your data, which you can resort to in case of a critical situation.

Trust no one. Sometimes even a close friend of yours who needs your data for some reason may turn out to be an attacker. And often, criminals can simply use the accounts of your acquaintances to send you infected files and gain access to your money or information.

Do not post on the network what you would not do publicly. Everything that gets into the net remains there forever. A competent specialist will be able to access information about you, even if it was published 15 years ago, for example, on the forum of St. Bernard fans. If you are not sure that some data will not be able to compromise you in the future, do not publish it.

Maintain your cyber literacy. If you follow the news of the world of cybersecurity and follow the recommendations of experts in this area, you will be prepared for and protected from cyber threats better than the vast majority of people. Attackers want to gain access to your money or information. But few of them will try to bypass the protection, which will require additional efforts for them. For example, Ilya Sachkov recommends studying the Group-IB reports, articles published on the sites Dark Reading, SecurityLab, the book "Cybercriminal # 1" by Nick Bilton, as well as the books of the former hacker Kevin Mitnick.

Group-IB is a global cyberattack prevention company. Over 15 years of investigating complex incidents, the company's experts have accumulated a unique knowledge base and built a global infrastructure for monitoring cyber threats - Threat Intelligence. This system is recognized by Gartner, Forrester and IDC and is at the heart of the cyber security product line. Among the clients of Group-IB there are companies from Russia, EU countries, USA, Brazil, Canada, in particular Microsoft, Rostec, Aeroflot, British Petroleum, DHL.

Ilya Sachkov is a Russian entrepreneur, founder and CEO of Group-IB. He is a member of the expert council of the State Duma committee on information policy, information technology and communications, as well as expert committees of the Russian Foreign Ministry, the Council of Europe and the OSCE in the field of cybercrime. In 2016, he was included in the Forbes list of the most promising entrepreneurs under 30 years old. Three times he became the national winner of the international competition EY "Entrepreneur of the Year" in Russia.

Since 2003, Group-IB has been dealing with a specific section of cybersecurity - the prevention and investigation of cybercrimes. The company assisted in uncovering high-profile cybercrimes - just a few days ago it became known that with the help of Group-IB, brothers-hackers who had stolen more than 11 million rubles from the accounts of Russian banks were detained.

In 2012, the company, using the accumulated experience in investigations, became the developer of three information security products: to protect companies from complex virus infections and targeted attacks, to protect portals and online banking systems, as well as a cyber intelligence system to prevent a cyberattack at the preparatory stage.

In April 2015, Group-IB signed a preliminary investment agreement with the Internet Initiatives Development Fund (IIDF) for 210 million rubles, was included in the Gartner list of "7 most influential cybersecurity companies in the world" and in the top four companies that will ensure the cybersecurity of the Russian company "Rostec". The interview with Ilya Sachkov is continued by the joint project of and IIDF Startup for a Million.

"": What brought you to London?

Great Britain is a very important market for us. Last year we wanted to open an office here, but the events in Ukraine and the economic crisis forced us to take a wait and see attitude. It makes no sense for us to open an office in London so far, and therefore we work with some clients remotely, and with some through British partners who sell our services. I can't say who our clients are, but these are large companies. For some, this is already a risk that they are engaged in cyber intelligence, and even more so that they are doing it with a Russian company.


If you don't reveal who your customers are, at least tell us what you do for them. What is the specificity of your business?

Initially, we started with computer forensics: we analyzed the actions of hackers, collected digital evidence of their crimes for law enforcement agencies and clients. Then we began to apply forensic science for any high-tech crimes where computer systems are used. It can even be murder, drug or arms trafficking, cyber terrorism.

What are the difficulties of such a business? Cyber investigations cannot be sold in advance; it is a completely unpredictable business. The second problem is that it is difficult to find people. A person must not only be prepared technically and legally, he must be super-stress-resistant. Our employees sign the examinations with their own names, and those against whom we work perfectly understand who is on the other side. Threats to Group-IB employees periodically appear on hacker forums. Not everyone can withstand this kind of pressure.


As a result, we have a team of about 100 people, all interesting people in their own way. The main part is based in Moscow, but there are representatives in New York, Singapore, London. And it's been three years since we started developing our products. While conducting an investigation somewhere, our forensic specialists came to highly protected companies, where incidents nevertheless took place. We began to understand that something was missing, and we converted the gained experience and understanding of the specifics of modern cybercrime into products that complement any protection perimeter.

"The battle for the target computer is lost"

The topic of cybersecurity is always of great interest. What's new on the market?

The most noticeable trend is the development of the Cyber Intelligence business. In Russian, "cyber intelligence" sounds very scary, but it is intelligence with the aim of gaining knowledge. Classic cybersecurity is built on the means of protection against hackers, and cyber intelligence allows you to understand who the company is protecting from, what risks it has, and when they might happen.

Let me explain with an example. In the course of investigating a number of online thefts, we discovered that the victim companies were protected: the necessary expensive software was purchased, the information security service was working. At first these were isolated cases, but already in 2011 the count went to thousands. At the same time, they found an infected botnet in Russia, where there were 1.5 million computers, 86 percent of which had antivirus installed.

We realized that the battle for the target computer is lost, and antivirus needs add-ons to anticipate infections. To do this, you need to study how the virus communicates with the attacker, what protocols it uses to send packets to the command and control servers. We use a large infrastructure - traps, analyzers, sandboxes, sensors at telecom operators, which allow us to see the communication of the virus with the server in real time.

For example, we protect online banking. If a packet from an infected computer that uses Internet banking passes through our hardware, we understand that the computer is infected and transmit the account information to the bank in real time. The bank blocks the account and informs you about the infection. This happens instantly - even before an attacker can steal money. In addition, the system analyzes the actions of criminal groups, which makes it possible to use this information in the future for the investigation and physical suppression of the activities of intruders. We launched this product in 2011, and it was immediately bought by 25 of the largest Russian banks, including Sberbank.

When we began to offer this product to banks in England, they began to ask how the virus got on the computer, how it spreads, how it technically works, who created it, for what purpose, where they are located - this is how the product grew from botnet monitoring into a whole cyber intelligence platform, which provides clients with the ability to defend against preparatory attacks in real time and protect against new cyberattacks.

Is there a difference between the perception of Russian and British bankers?

Russian banks are actually much better protected than others. Due to the higher level of the cybercriminal environment in Russia, our banks are at the forefront of the struggle. And many of the security departments of Russian banks believe that they have nothing to improve in their security. But in England, banks understand that inside the department it is often impossible to have up-to-date knowledge of all threats, so British banks are looking for the possibility of external data. Thanks to this knowledge, they can build a security strategy for the future, for several months or even years. At the same time, many small Russian banks continue to fight off malefactors here and now.

Destruction target

What new threats to the world are possible from cyber terrorists?

First of all, new cyber terrorists have no goal of stealing money or information. Their goal is to disrupt the infrastructure and tell about it. Many hackers have the ability to destroy the infrastructure, but they don't, because they won't be able to make money from it. For Islamic terrorists, disruption of systems is the main task. This is their main difference.

In a recent study, we checked how interesting Russia is for cyber terrorists. It turned out that ISIS attacked about 600 different Russian resources within a month.


When does a country become a target for this category of cyber terrorists?

ISIS hackers are interested in any country, except for the ones they have already taken over. There are absolutely no allies for them on the Internet. As soon as a country begins to oppose ISIS, it is a priority for the first few weeks. Russia was on the list almost immediately after the president announced that this threat must be fought.

Where does ISIS get qualified cyber terrorists?

First, they have many remote supporters. Secondly, the industry of lightweight attack tools is actively developing now. In the 90s, the interfaces of hacker programs were very complex and required technological literacy. Now these are web 2.0 interfaces, multilingual support, drawn icons, licenses and support services. The level of a person who begins to use this is basic knowledge of information technology. In the 2000s, there were many highly skilled hackers, it was interesting to confront them. Now the majority do not understand what they are doing - they download the program, repeat certain actions. Cyber terrorists can also buy access from companies that ordinary hackers do not need (who have not found a way to monetize).

Why do hackers do this - for fun?

For making money. There are very few people who hack something for fun. The last major case in Russia is the hacking of Wi-Fi in the Moscow metro. Prior to that, in 2010 - breaking the shield on the Garden Ring. In 99 percent of cases, such hackers are caught and end up in jail. We do not consider them a serious threat - most likely, it is done by "white hackers" or just strange people.

But people who can hack Wi-Fi in the subway could theoretically commit even more serious crimes?

When a person does something public, he comes to the attention of law enforcement agencies. “White hackers” are also sent to court: after breaking the shield on the Garden Ring, the hacker received six years in prison, and when in the same year a guy from Novosibirsk hacked the Royal Bank of Scotland, he received a five-year suspended sentence.


Risky savings

Do companies save on information security during a crisis?

Many began to save 10-20 times. Someone, on the contrary, increases the budget - it depends on the maturity of the company. In a crisis, saving money on security is a big risk. The crisis will inevitably lead to staff cuts. Fewer security personnel means less vigilance. Downsized employees are not always happy with their layoffs - and there is a risk of sabotage, the removal of commercial information. In a crisis, competition becomes fierce - accordingly, commercial espionage is possible. The crime rate is increasing due to the fact that people are looking for ways to make money in a difficult economic situation.

The end of 2014 and the beginning of 2015 are indicative in terms of large thefts, especially in companies where they saved money. Saving 60-100 thousand rubles results in the theft of almost 240 million rubles. Many companies still have little understanding of what information security is. Many businessmen in Russia do not believe that hackers exist at all. They think this is a myth. Or that all security comes down to antivirus. Unfortunately, this is not the case. Equating a virus with computer crime is like considering a Kalashnikov assault rifle to be synonymous with ordinary crime. Viruses are one of the possible tools. We are trying to consider high-tech crime in a complex - and this gives a good result: in Russia alone, our products saved more than 22 billion rubles last year.

What do you think are the best protections for online and mobile banking today?

I am surprised by banks that still position tokens or one-time passwords as a means of protecting against theft of funds. Banking security does not depend on the means that are issued to the user, but on what the bank does to predict the crime. If your computer is infected and you are making a transfer, the virus can easily change the details. And you will only understand from the account statement that you have transferred the money to the wrong place. If the bank does not control the infection of the computer, it will not know about it.

What makes Russia good for information security products is that new threats are being born here. What the United States is facing now was in Russia a couple of years ago. On the one hand, the US market is the most mature, but the Russian security guards are the most advanced, and they have the best combat readiness. Therefore, it is in Russia that the most secure banking products are.

"We are not yet Kaspersky, but we are no longer a startup"

Group-IB has been a prominent player in the cybersecurity market for a long time. Why did the company decide to raise money actually as a startup, from a venture fund?

We are very different from the main portfolio of IIDF. Group-IB may become the largest company in the fund's portfolio. We, of course, are not yet Kaspersky, but we have not been an early-stage startup for a long time.

We were a service company, and now that we have released products, we need to learn how to sell them. We spend a lot on developing solutions that have not yet been launched or have not yet entered the market. And in order to scale and sell already created products, you need money. We do not want to take loans now.

And IIDF are now developing an information security stack, and for them the strategic task is to cooperate with a company that is not very large, but already noticeable.

That is, you are actually closing the cash gap?

No, in fact, this is the purchase of equipment and the development of new products.

The second motive is that we want to learn how to do very large integration projects correctly. This is the construction of huge cybersecurity centers in different regions of Russia. Without such a strategic partner as IIDF, we will not be able to do this.

Have you attracted external investments before?

The first investments were from LETA Group in 2010. Then we sold 50 percent of the company, but later bought back the share.

What share in the company will the IIDF get? In February, you said that you are planning to attract investments with an estimate of $80-100 million. 210 million rubles at the current exchange rate is about $4 million. Is it true that IIDF got about five percent?

We have not yet made a deal, the IIDF has only preliminarily approved it. We will receive investment when we meet certain KPIs. What share we have agreed on is not disclosed yet. If we talk about the estimate, then in our understanding, the estimate of 80-100 million is fair, but in Russia technology companies are valued differently.

Earlier, you announced plans to raise $20 million from Western investors. Did you start small, or did the sanctions cut off Western investors?

We will continue to raise funds. Our goal now is to capture the Russian market and completely move from the service business to the innovative product business. Although we will leave the service business, as it provides revenue and knowledge for our products.

Step two, when political tensions subside, is international expansion to the Middle East, Asia, Europe, Latin America... Well, England must be conquered to the end - it is the world banking center, and banks are most affected by cybercrime.

This will require the next round. In world markets, we plan to build cybersecurity centers, analogous to what we are doing with Rostec in Russia. Our centers allow us to outsource the cyber intrusion detection and prevention system, cyber intelligence, keep a minimum of staff.

Has the IIDF helped you to enter the public sector, if we bear in mind the recent agreement with Rostec? What will this contract give you, besides money?

The contract was concluded without the participation of IIDF. With the help of this project, we want to show the state how, with the help of innovative cybersecurity centers, to save money and solve problems with cyberterrorism and cybercrime.

In addition to the financial interest in the agreement with the IIDF, is there a desire to reach out to the country's leadership? Portfolio startups are known to meet with the president ...

We want to learn how to provide the state with new services in the field of cybersecurity. Now we do a large amount of expertise free of charge, because law enforcement agencies do not have budgets for this. All over the world they pay for it, in Russia they don't. We would like to see budgets for computer forensics appear, so that legislation in the field of computer forensics changes. We also see the contamination of some critical resources for the state - and we want the IIDF to teach us how to convey this to the state.

Let's look at the political situation. Now Western investors are not very ready to invest in Russia. If there is a partner who will give both money and the opportunity to develop, and does not violate the interests of the Russian Federation, we will be completely satisfied. There are also investors for whom Group-IB is more about commercial intelligence: to find out how we work and transfer the data to their portfolio companies. We are not interested in this option.

Competition or cooperation

Group-IB is known for specializing in cybercrime investigations. Now Kaspersky Lab is actively developing in this market. At the same time, their product line is wider and their coverage is global. Where do you see your competitive advantage?

Group-IB is a company that initially deals with investigations and forensics, while Kaspersky Lab started with antivirus software. Our products are not a replacement, but an addition to antivirus software. For us, the flagship is a network-level intrusion detection system, into which we have invested 12 years of investigative experience. It is used by 60 Russian companies, including those that use antiviruses from various manufacturers. We can answer this question and help ensure that the person behind the virus attack ends up in prison.

Is synergy between Russian players possible - for example, Group-IB and Kaspersky Lab?

We can think about this topic. We can complement each other well: both companies have an ultimate goal - to minimize the number of cyber threats.

Is the situation real when there will be no viruses at all?

A real situation is when there will be far fewer viruses. For example, after a number of high-profile cases like Silk Road, when the sentence is life imprisonment. When the hackers who hacked the Sberbank system were given real terms of six and eight years, the theft rate in Russia fell by 80 percent over the next year and a half. When countries sign a UN-based convention on combating cybercrimes and synchronize legislation. And when the global cyber police start working.

If this comes up, how do you assess the verdict on the founder of Silk Road?

This sentence does not cause any contradictory feelings in me. It is cruel, but correct. There was even a discussion on this topic on my Facebook page. I was asked the question: what are you happy about? I said that this is not joy, but a satisfied sense of justice. The site sold a huge amount of drugs. A person made a site not for the sake of interest, but for the sake of profit, and therefore is a professional drug dealer more than a professional IT specialist. I have a close person whose brother died of drugs, which he ordered through this site. And here it does not matter how professional and convenient the system is, it is a tool for the drug trade.

And most importantly, this case showed that law enforcement agencies have learned to investigate crimes on the shadow Internet. And they won't stop there. This is not a conversation about freedom of speech, let the shadow Internet develop, we ourselves use it for investigations. But when technology is used for crime, it is not necessary to eradicate the technology, it is necessary to eradicate crime.

Is it realistic to find specific criminals on the shadow internet? According to the Tor developers, this is almost impossible.

This is an illusion. Nothing is impossible in technology; it is mathematics. Information technologies contain many errors. If a person says that his system does not contain errors, then he is a liar. The shadow Internet is a cool topic, but with a lot of errors in the browser and in the protocol that allow anonymity to be revealed. It is really more difficult to find a person on the shadow Internet than on the ordinary one, but not impossible.

Do you know the joke about the elusive Joe? Why are Macs more secure than Windows? The answer is simple: Russian accounting does not use a Mac, so this platform is simply less interesting for hackers so far. As soon as Russian companies begin to massively transfer accountants to Mac for making payments, this platform will no longer be secure in a month.

Our project is called "Startup for a Million". Is there a place in the Russian cybersecurity industry for new, smaller startups? What niches are not closed yet?

The Russian market is still very young. We are just beginning to reap the benefits of computer forensics, which has become very popular in the past few years. Startups that make products that allow predicting crimes, protecting against new types of crimes, and studying enemies will be in great demand. The fun is just beginning.

Group-IB was founded by Ilya Sachkov in 2003, when he was in his first year at the university. The business began as an attempt to create the profession of cyber forensics specialist in Russia. Over 15 years, the largest banks, media, universities and state-owned companies began to trust him. Group-IB helps the Russian police, Interpol and Europol catch criminals, and the OSCE encourages them to cooperate. In the new issue of the program “I’m Norm,” Ilya Sachkov told why he shares work with the state and the police, what to be prepared for when interacting with government agencies, and how business can protect itself from cyber attacks.

Ilya Sachkov, 32 years old

Education: MSTU named after N.E. Bauman, Faculty of Informatics and Control Systems, Department of Information Security

Career: in 2003 founded the Group-IB company, which is engaged in the prevention and investigation of cybercrime

Number of employees: more than 300

Company value: not disclosed. In February 2015, Sachkov said that it ranges from $80 million to $100 million.

Co-owners: In 2016, the company attracted the Altera Investment Fund and the Run Capital fund of Qiwi founder Andrey Romanenko as investors - they bought 10% in the company each. At the end of 2017, Altera Capital increased its stake to 25% by purchasing 15% from one of the company's shareholders. Sachkov owns 30% of the company.

Financial indicators: are not disclosed. According to open data from SPARK-Interfax, the total revenue of companies where Sachkov is the CEO is ₽538.5 million.

How did you come up with it?

"I felt like I was going crazy about this topic."

I was born in the Izmailovo district, in the east of Moscow. I studied at school №444 with in-depth study of mathematics, computer science and physics, of which I was best at computer science. As a schoolboy, I organized military detective events: lightning, quests, children's investigation games.

In my 1st year I was admitted to the Botkin hospital, where I underwent an operation to remove fluid from the sinus of the browbone. After the operation, in a stack of books on the bedside table in the ward, I saw "Computer Crime Investigation" by Kevin Mandia, brought by my classmate. The author talked about the business in the field of information security, engaged in investigations and computer forensics. At that moment everything seemed fine, not only the book, but also the hospital ward, neighbors, an uncomfortable blanket - the narcotic effect of anesthesia affected.

After reading the book, I realized that this is a combination of detective, analytical and global activities, because this is happening all over the world. And in this area you need to think a lot, solve quests, riddles, you are fighting evil on the good side. When I left the hospital and started looking for someone in Russia doing this, it turned out that no one offered such a service as a business. It became more and more interesting to me. This was the first idea that did not leave my head for a long time. I fell asleep with her, woke up, read on the topic with interest and did not feel tired. I felt that I was going a little crazy about this topic, and I began to annoy all my relatives and friends.

At that time, only the militia were involved in the investigation of crimes (in 2011 it became known as the police. - The Bell). I tried to get there, at the conference I approached the staff of the Bureau of Special Technical Events with a request to hire me. But I received the answer that I need to graduate from the university, get additional education at the Academy of the Ministry of Internal Affairs, be sure to have a haircut and only then come to work.

How was the team formed?

"We played a detective agency"

I told my classmates and former classmates about my idea. After that, a team gathered, which agreed to try to play a cybercriminalistic detective agency.

At first there were 12 of us, a year later there were six left. Then, on the contrary, the number of people began to grow, and as a result, there were those who were already interested in this specialty. My story about founding a company was not about doing business, but about trying to make this profession in Russia.

With the co-founder of Group-IB Dmitry Volkov, we studied on the same course at the university. We met by chance, near the Bauman monument. I heard him talking about information security. After that, we began to communicate. Over time, I told him about the idea of the company, he liked it, we began to create it together. Volkov first headed the investigation department, now he is the technical director: he is responsible for our technologies, their development, interaction between our developers.


Now our company employs about 300 people. The average age is 26-27, more than 30% are girls. They all have an intolerance to computer crime and a desire to do something good, change the world and be happy with their work, technology and engineering thought. The specialties that we need are very often not taught in universities. Therefore, we either train our employees ourselves, or they received this knowledge from books. I think that over time, the staff will be even younger, because the children of the future will understand even earlier what they like to do and go to real work earlier than waiting for graduation.

Our biggest problem is finding employees, because there are few smart people in Russia, and those who understand our topic are even fewer. When applying for a job, we check potential colleagues on a polygraph, if necessary, we carry out a point grading system, legal provocations and many other funny surprises that are not worth knowing. But thanks to this, our client is always sure that the information is safely stored in the company. None of our employees have experience of informal communication with crime and law enforcement agencies. We, as after checking on the plane, all trust each other. And at the time of the flight we still check. The main thing is that a person shares our values, corporate culture and is open to development.

We are able to compete because few companies manage to combine engineering with crime prevention and help very large clients like banks, telecoms and the media.

Where does the money come from?

"At first we didn't say anything about our preparation."

To start the company, I took the money from my older brother, Dima Sachkov. It was $5,000. We spent it on computers, books, mini-laboratories and equipment. The first client was a friend of Dima, we had to find a person who wrote anonymous letters to one company. And we have coped with this task.

At first, we did not say anything to our clients about our preparation. And we did all the first investigations using textbooks, not really understanding how to do it correctly, but we were lucky that there were no legal and formalistic mistakes. In the beginning, we did more investigations than we do now. Sometimes we relax a little and forget what can be done with great perseverance. I am constantly teaching our Investigation and Analytics department how it was in the old days, when you could do a little more.

What is business about?

"Keeping track of crimes that have not yet occurred"

Group-IB is committed to preventing and investigating cybercrime. We collect big data about viruses, domain names, IP addresses, nicknames, analyze traffic. Based on this data, we can predict an attack not when it is in the explosion stage, but when it is just beginning. This allows many crimes to be prevented at the stage of their preparation, to understand who is committing them, to use them very correctly in risk management, to save money. The most important thing is that we save time, our client can pay attention to what really can happen to him. Because it is impossible to defend against everything.

In general, our common technological line is the study of crime, monitoring it and the processes of detecting crimes that are not yet known, but which may happen to clients. That is, investigation of unknown viruses immediately with an understanding and description of who can do it. We release several of our own products for monitoring, detecting and preventing cyber threats, as well as protecting blockchain projects, brand, reputation and copyright.

On the most important investigation for me, the trial has not yet ended. But in general, I like to take part in them on my own, at least doing some of the analytical work. In my favorite investigation, I was our specialist's partner. It was not in Russia and was reminiscent of the True Detective series. Everything was like a movie: beautifully, professionally, according to plan, and when we flew back we could play the final credits, that everything worked out, and after that we had a glass of wine.

How did the company develop?

"At first we combined the work of an analyst and a criminalist"

In the beginning, they found out about us through word of mouth. For many years I went to the Polyus camp in the Moscow region, after which I have a lot of friends. My brother and partners also had many connections. And we brainwashed everyone every day about what had opened up. Then we launched forensic and investigative sites. And due to the fact that no one was involved in this in Russia, the sites were quickly indexed on the Internet, and we were on the first pages of the search results on the investigation of computer crimes.

At first, we combined the work of two professions - an analyst who watched how a person acted before the crime (for example, from which server the letter was sent), and a forensic expert who did an examination of the equipment (for example, analyzed a computer after a virus attack).

How and why Ilya Sachkov began to work with the police, how Group-IB entered international markets, see the new issue of the project "I am normal".

How to build a global company from Russia?

"Maybe we will suffer for our engineering neutrality"

A global company from Russia can be built, but it is wildly difficult. Group-IB has always strived to work globally, realizing that good technology can only be done if you compete with the strongest players. This also inspires engineers if their technologies are not used in Russia. If you truly observe engineering neutrality, your products are used, here politics does not interfere.

If we were given a computer that suffered from the attack, we were told to analyze a virus, a hacked website, an anonymous letter, then we will go to the end and do all the analytical work, hand it over to the client and, at his request, to law enforcement agencies. What happens after that is none of our business. Our job as an engineer is to disassemble the attack and, if our technology is used, to prevent it.

If a company starts to make some exceptions for someone, it instantly loses its independence, it becomes impossible to make a global company out of it. All US global cybersecurity companies are strongly affiliated with one party. They don't see a lot of what they should see. We don't do that. Perhaps someday we will suffer for this, we will be closed for this engineering neutrality.

How do you protect your business?

"We need to take cyber threats seriously"

Cybercrime in Russia is primarily aimed at monetization. The most popular crimes are theft of money through Internet banking, from cards, using phishing and social engineering. It can be attacks on ATMs, theft from legal entities, targeted attacks on banks themselves using ransomware viruses.

There are three recommendations from me on how a business can protect itself from cyberattacks. First, take computer threats seriously, study them at all levels of the organization (top management should be aware of this risk, because Information Security now concerns mobile phones, personal laptops, systems in the home). Secondly, you need to constantly fight and repel attacks with the latest methods that criminals use. Third, when choosing a cybersecurity company, you need to rely not on good marketing, but look at what engineering technologies they use.

1-2 banks are attacked in Russia every month.

Many Russian companies, relying on the technologies of American companies, make a big mistake, because they do not know anything about computer crime in Russia and on the territory of the post-Soviet countries. Accordingly, we can teach US companies how to defend themselves.

About Russian hackers

"Many people learn Russian to understand hackers"

Russian-speaking hackers are not omnipotent, but strong enough. It is one of the first and largest computer crime communities in the world, which was formed after the collapse of the Soviet Union. 80% of the cases dealt with by Europol are related to Russian-speaking computer crime. The specialization of Russian-speaking hackers is the invention of new schemes, new viruses, new interesting vulnerabilities.

The school of hacking is strong, because after 1991 a large number of people with good technical knowledge found a use for themselves in this area and made platforms for communication. They are mainly involved in financially motivated crime. Many foreigners study Russian in order to understand what a Russian-speaking hacker is doing.

Major mistakes?

"I want to find an inner balance between good and evil"

I was very kind to the employees, I believed the masters from the market - I hired very cool people without checking them first. I used to sleep little, but in the long run this has led to a decrease in efficiency. Sometimes I can be too cruel and can offend a person because I love him very much, but to tell him this is not at all in words of love. I want to find some kind of balance between good and evil within myself.

The main right step

"I see burning eyes and get inspired"

The most correct thing I am doing now is to give the same guys, like myself 15 years ago, opportunities to implement their own ideas. And when I see these burning eyes, it inspires me and gives me confidence that my work will continue. And their main discovery in a few years will be to find the same people who are burning with the idea. The mistake of most Russian large computer security companies is that they did not do it on time.

How has it changed?

"I am disappointed in the world"

Years in business have changed me a lot. Firstly, I learned to say "no", but I have not forgotten how to say "yes" to many crazy ideas. Of the latter - the robot "Killer", which finds insects in the room and kills them with a laser beam. You can do this from within the app or automatically.

I became tougher, but I retained my romanticism and confidence that everything is possible, but with life experience I began to ground it more on reality. During these 15 years, I have seen so many bad things that, on the one hand, to find out how many terrible people there are in the world is scary, but, on the other hand, it inspires us not to stop our work.

I was very disappointed in the world, not knowing that there are so many bad things in it. But when I see how the team works and the smiles of the people we have helped, it gives a lot of strength.

What if not a business?

"I want to do children's education"

I really like to go in for sports: running, fighting (Thai boxing, wrestling), yoga, pulling up on the horizontal bar and participating in the hero race. I go to the gym, but it's not fun for me to be in shape.

I love working with children, and I often go to work as a counselor in the Polyus camp. In the future, I would like to create a new system of children's educational camps and engage in children's education. To make it so that children, while studying, become happier, so that it helps them choose a profession and remember childhood not as an endless series of classes and preparation for the university. When I work as a counselor at the Polyus camp, I feel a tremendous return from the children. I was not the smartest person in class, but thanks to Polyus I got the skills that allowed me to achieve much more in communication, humor, the ability to speak in front of an audience, friendship and overcoming betrayal.

I also love animals very much. At home I have two cats - Cooper and Diana, named after the heroes of the series "Twin Peaks".

I am concerned with the subject of cruelty to animals. At work, there was a series of investigations related to flayers, and I realized how many people are doing this. They look ordinary, go to work, are not tracked by anyone and are not treated in a hospital. By the number of registrations on the forum, by the number of people who post videos, by transactions in cryptocurrencies for purchases of something, you can understand how many such people there are. And as I unwittingly delved into this topic, I thought it was actually super dumb. I think that I am not afraid of death, but I would not want to get to such a flayer. Such a death, from these people, I would be very much afraid of. They are just sick.

What's the trouble?

"I want to learn to live in an emotional break"

For me, the main difficulty is to combine the current reality with the visualization of the future in my head, this is a constant process. On the one hand, it really develops the company. On the other hand, it's hard for me to be in the moment and imagine how it should be. I want to learn how to live in this emotional break, because it creates a lot of things, but something inside me dies. I want to avoid this.