LIMASSOL, Cyprus – Chinese hackers are launching more sophisticated attacks that are as frequent and technologically savvy as Russian cyber-units, but it’s difficult to identify who is behind these attacks and international cooperation is needed to tackle cybercrime, Andrey Yarnykh, the head of strategic projects at Kaspersky Lab, told New Europe in an exclusive interview in Limassol, Cyprus on the side-lines of a conference on the role of media in countering terrorism on 22 October.

“It’s difficult to discuss the issue of information threats because the tools hackers use for attacks are being commercialised and these kinds of tools can be sold within an internal market of hackers,” he said, before adding, “You’re aware of the term ‘the Dark Net’? When we detect a certain tool that has been used for a particular hacker attack, it is very difficult to identify who used that tool because it can be used by a certain group of hackers or it could be purchased from that group of hackers and used by somebody else.”

“When we analyse the tools of hackers, all the programme codes, we can differentiate between the languages because there are Chinese-speaking hackers, English-speaking hackers, Russian-speaking hackers, and Spanish-speaking hackers. However, it is still difficult because hackers, on purpose, leave Russian words or Chinese words in their handles to send investigators down the wrong track and to confuse the people that deal with information security,” explained Yarnykh, who added that every investigation is exceedingly complicated because a cyber-attack cannot, with absolute certainty, be attributed to a specific group of hackers.

A laptop screen displays a message after it was infected with ransomware during a worldwide cyberattack in Geldrop, the Netherlands. At the time of the attack in 2017, Kaspersky Lab reported that the malware, despite resembling the ‘Petya’ malware that had affected computers a year earlier, was a new type of ransomware that the cybersecurity company called ‘ExPetr’. The ransomware mostly affected Ukraine and Russia, but several cases were also found in Poland, Italy, the UK, Germany, France, and the US. EPA-EFE//ROB ENGELAAR

Yarnykh said Kaspersky is trying to identify hacker attacks through a process called ‘reverse engineering’ wherein cyber-security experts analyse the handle used by hackers to try to identify where it was created, what the target group of the handle is, and where the control centre of the group is located.

“Within Kaspersky, we regularly analyse these kinds of hacker tools,” Yarnykh told New Europe. If Kaspersky Lab receives a government request, their experts act as go-to advisors following a thorough analysis of the hacker’s handle and any other background information they can gather about their activities.

“Of course, we’re not a government authority so we cannot carry out an official investigation, we act as experts and we are given a certain handle and then we analyse it, which code it is, where it was created, etcetera. Our target is more of a scientific nature so we can develop software in the future that will provide the right type of security,” said Yarnykh.

Kaspersky Lab receives requests for their expert analysis from international organisations and foreign special services involved in cybercrime investigation, including Interpol’s Singapore-based cybercrime unit.

Asked if there is state-sponsored hacking from China and other countries, Yarnykh said, “It is hard to be 100% sure, but I think we can talk about consolidated cybercrime and this sort of cybercrime has no boundaries because the people who give the order to commit that type of crime can be sitting in one country, but the people executing the crime will be sitting in another, and the equipment used for the hacker attack can be located in a third country. It can be in Africa, in a European Union country, or anywhere else.”

“In most cybercrime cases, the criminal offence is usually a one-off. That request comes from a certain party that is carrying out the attack according to the specific request and who are using their expertise to pursue another order or another request. Some time later they fight within each other depending on who orders a certain hacker attack and there is a certain interaction between them, but they are independent,” Yarnykh explained.

Asked about a report by the United Kingdom’s National Cyber Security Centre and the US’ National Security Agency, as cited by the Financial Times, that a Russian cyber espionage unit – The Turla group – carried out attacks under the guise of being Iranian, Yarnykh said hack attacks are often carried out under a false flag.

“It’s difficult to say whether these are Russian hackers or Chinese hackers. We’re talking more about Chinese-speaking hackers or Russian-speaking hackers because it could be hackers from Russia or Ukraine…Belarus; from other CIS countries. It could also be Russian speakers who live abroad. They are buying tools from each other, and which are open for hackers. It’s an open marketplace for hackers,” said Yarnykh.

Yarnykh said intergovernmental agreements are an important aspect of international cooperation due to the fact that “cybercrime is borderless and fighting cybercrime should have this trans-border nature to prosecute them.”


The Convention on Cybercrime, also known as the Budapest Convention on Cybercrime or the Budapest Convention, adopted by the Committee of Ministers of the Council of Europe in 2001, is the legal framework that Yarnykh says is key to combatting cybercrimes.

“It’s no longer just a European convention. More countries are joining in order to fight cross-border crimes. That said, however, neither China nor Russia have signed up to participate in this convention because the Budapest treaty allows for investigations to take place across all borders. This means an investigator from one country can carry out their investigation in another country and, of course, the law enforcement agencies of most countries are pushing back against this mechanism because they think they have jurisdiction over all investigations that take place within their territorial boundaries,” said Yarnykh.

China, Russia, and other players, according to Yarnykh, “are trying to improve the existing mechanism in place, while also taking into consideration all the challenges and problems that it faces when trying to create a truly trans-boundary mechanism that is fully capable of fighting cybercrimes. This should be created and run on an international level, probably under the auspices of the United Nations.”

Yarnykh stressed that any convention that would not include the participation of all large players like the United States, Russia, China, and the European Union will not be effective. “If any one element is withdrawn or if any large global player refuses to participate, it will not be an effective mechanism for following up and, most importantly, for prosecuting those responsible for committing the crime.”