Just last week, CDN reported on Kaspersky Lab’s identification of Poseidon Group, an entity that uses malware and extortion-like tactics to coerce victims into contracting it as a security firm, all within the scope of legality.
Kaspersky has since shed more light on the story. In an email exchange, Dmitry Bestuzhev, director of its global research and analysis team in Latin America, discussed why the identification of the group matters, and just what the company will do with this knowledge.
CDN: The big piece here is that you guys say this group has been identified. But the question is, so what? What does it mean?
DB: It is very impressive to see how Poseidon Group has been active and actively attacking its victims for at least the last 10 years or even more. The financial damage it has actually caused to the victims is really significant.
Identifying the threat actor, putting all those samples into one shape, actually helps to stop it. At this point many things have been done, like sharing news with the media, providing protection for the customers, notifying law enforcement agencies (LEAs) and providing the security community with free [support]. This is definitely a big step in the right direction to stop threat actors like Poseidon.
CDN: How does tying together these attacks and the knowledge of the existence of the group help you as a security vendor or any law enforcement group in stopping or preventing hacks?
DB: One of the problems of cybercrime is anonymity. That means when analyzing attacks, LEAs don’t always know who is behind them, and this situation makes it possible for cybercriminals to stay on the market and keep attacking.
When we work not only on malicious sample detection but also on full research, including points like who the victims are, how Poseidon actually works, what the motivation is, how we can protect people and finally who could be behind this, all those pieces together make it possible for LEAs to act according to local laws and stop the threat actors properly.
CDN: Were you able to obtain IP addresses, names or locations of these criminals that you are passing onto law enforcement? The piece talks about Kaspersky’s forensics capabilities, but what are some concrete examples of why it matters?
DB: There are many research techniques for finding out who the victims are. One of them is by sinkholing domains used by the threat actor in the attacks. That technique is always done according to the law.
Once such domains, or at least one of them, are sinkholed, you see the actual victims that are still infected and still reporting the infection to the malicious C2. So we immediately notify the victims and help them mitigate the threat.