
"The Western world is focused on doing maximum damage to us"

Image source: Photo: press service of RT-Information Security

Dmitry Prendetsky, CEO of RT-Information Security, on how AI has changed the speed of hacker attacks on domestic infrastructure and how Russian specialists deal with them.

Western hackers have started using malware with artificial intelligence (AI) to attack the computer infrastructure of Russian organizations and enterprises. Previously, it took weeks to find a vulnerability, but now the attack rate has increased 40 times — the breach is detected within 20 minutes. However, Rostec State Corporation has developed its own AI defender, which makes it possible to deal effectively with this threat. Dmitry Prendetsky, CEO of RT-Information Security (RT-IB, part of Rostec State Corporation), spoke in an interview about how such attacks are neutralized, why networks are hacked through HR departments or accounting, and how Russian security software prevented the country from being plunged into darkness and its computers from being reduced to a blue screen.

"Everything is under threat: energy, transport, industry, government agencies"

— Has the number of cyber attacks on Russian companies and government agencies increased recently?

— We have been seeing a surge since April 2022. Since then, our key industries have been in a Red Team state, continuously repelling attacks in 24/7 mode. And this is how, by and large, all key areas of our economy live. We now perceive this situation precisely as one of the components of the fighting. And there can be no other interpretation. Until 2023, the goal of hacker groups was to make a profit. They stole data or blocked the infrastructure and demanded a ransom for its restoration — according to open data, an average of about 40 million rubles. Now the goal is different — to stop the work. Everything is under threat: the energy sector, the transport sector, industry, and government agencies.

Photo: IZVESTIA/Anna Selina

Image source: iz.ru

— Were there many attacks on Rostec State Corporation last year?

— Over the past year, 14.5 thousand highly critical and confirmed incidents were identified, as well as almost 2 million alerts — they were recorded not only in the state corporation's circuit, but also among our other clients.

I would like to note that ensuring Rostec's cybersecurity is a complex task. In addition to RT-IB, it is also handled by other competence centers, including RT-Inform, with direct coordination from the corporation's security unit.

— Which countries are attacking us from?

— The entire Western world is focused on doing maximum damage to us. We are well aware that foreign intelligence agencies and states are behind hacker groups. We are being confronted by the best minds, and the number of attackers is not comparable to the number of our cybersecurity specialists. It is also important that we are opposed by citizens of the post-Soviet space: they know our language and psychology well, which helps them, for example, to compose phishing messages more plausibly. Despite this, in my opinion, our specialists are more than successful in dealing with threats.

Photo: IZVESTIA/Dmitry Korotaev

Image source: iz.ru

— Is the nature of cyber attacks changing?

— Yes. Since 2024, artificial intelligence has been actively used against us. As a result, the attack speed has increased by about 40 times. APT groups (Advanced Persistent Threat: a long-term cyberattack aimed at a specific target) try to find vulnerabilities in the infrastructure of companies: they try to penetrate networks, damage them or steal important information. Simply put, if it used to take hackers about a week or a month to find a vulnerable entry point into the infrastructure, now it happens in 20 minutes. The speed has increased, and the load on us has increased by the same 40 times.

— How do such attacks work?

— Approximately 90% of attacks on the infrastructure occur through the user — through phishing mailings, that is, emails or messages with malware. Moreover, they try to disguise them as official messages from government agencies or companies working with this organization, so such documents are forged as plausibly as possible.

Such mailings are usually received by employees of the marketing, human resources and accounting departments, where there is a fairly large flow of correspondence.

If the file is opened, the computer is infected, after which the appropriate tools are connected: artificial intelligence helps to spread malware further through the infrastructure. Either data is stolen or the entire infrastructure is blocked.

Photo: IZVESTIA/Eduard Kornienko

Image source: iz.ru

— What does it look like?

— For example, you will not be able to use computers inside the network. You come to work, and employees of the entire enterprise have a "blue screen" on their computer screens. As a result, work stops, and this is highly critical for individual enterprises.

— Is it easy to recover lost data?

— It is good if there is a backup of data in the enterprise — this is called backup. But now, with a targeted hacker attack, they are usually infected. And you get into a vicious circle: you restore the infrastructure from backups, but there is already malicious software there that repeats its actions. As a result, enterprises can incur enormous losses due to the shutdown of production processes, theft of personal data and developments.

— What other attack features exist?

— Malicious software is written for a specific object and created in such a way as to cause maximum damage. For example, among other things, it can force the owners to replace all the hardware. We have seen such cases in commercial organizations, and it is good that they did not concern our corporation.

Photo: IZVESTIA/Polina Violet

Image source: iz.ru

— Is it possible to assess the economic damage caused by such attacks?

— For some enterprises, a week's downtime will not be critical, whereas for retail it can result in huge losses. One can only imagine how much a large supermarket chain will lose if all its stores close for at least a few hours.

We have also seen the inconvenience an effective hacker attack on transportation can cause: dozens of flights were canceled last summer, and thousands of people were injured.

"AI counteracts AI in automatic mode"

— How to properly build a cybersecurity system in the current conditions?

— Our company started by developing its own EDR (Endpoint Detection and Response) software, which provides endpoint protection. It automatically detects and responds to cyber incidents. The software is installed on endpoints, including server hardware and workstations.

Photo: IZVESTIA/Polina Violet

Image source: iz.ru

— Does artificial intelligence help protect networks?

— At the beginning of 2024, when finalizing our product, we built an artificial intelligence module into it. It allows you to react faster to hacker attacks. Simply put, artificial intelligence automatically counteracts artificial intelligence.

In protection mode, it can disable a specific host (network node. — Ed.) or block malicious programs so that they do not spread further. If an automatic response is not possible, the software notifies the analyst, who quickly takes the necessary measures. Thanks to artificial intelligence, we were able to automate more than 30% of the analysts' work, which greatly reduced their routine load.

In addition, our programs automatically generate incident reports and respond to them on their own. The role of the person has not changed — he just does not get distracted by false positives. Last year alone, 125,127 suspected incidents were closed automatically using a machine learning-based classifier, so the analyst focuses on what is really important.

He does not need to analyze a huge number of events and draw appropriate conclusions. He receives a report on ten really significant incidents, and he makes decisions to eliminate them.

Photo: IZVESTIA/Dmitry Korotaev

Image source: iz.ru

— What would have been the consequences if artificial intelligence programs had not been implemented in time?

— We would have to dramatically increase the staff to a level where employees would be able to process the information received. Imagine: the staff increases from 100 people to 500 in a short period of time, and then grows again.

At the same time, it should be borne in mind that there are not enough specialists on the market. In such circumstances, it would be almost impossible to keep the situation under control.

— Have there been any cases of attempts to get to the documents that make up the state secret?

— Everything related to state secrets is stored on personal computers without access to the Internet, so it is impossible to get to it from the outside. To be honest, I have not heard that such information has been leaked somewhere — there have been no such cases. But personal data is leaking everywhere. We all face this in our daily lives.

— Which country has the most effective cybersecurity services?

— Hundreds of times more hacker attacks have been directed at Russia than at any single country in the West. At the same time, the number of effective attacks is generally comparable, and perhaps we have even less. This indicates that our system and the entire industry are at a good level.

Let's take the products of Kaspersky Lab, which is one of the world leaders in the field of information security. Until 2022, their antivirus was installed in US government agencies, and this is an indicator of quality and reliability.

Photo: IZVESTIA/Yulia Mayorova

Image source: iz.ru

If we didn't have our own ready-made protection products, we wouldn't be able to talk about our independence. Whoever develops the software manages it. If we didn't have our own product, the West wouldn't miss the opportunity to inflict maximum damage on us.

— What would happen if Russia did not have its own developments?

— If desired, the country could probably be plunged into darkness remotely and a blue screen could be set up for everyone. In this case, the only way to save something would probably be to turn off the power supply to the entire infrastructure or install a hard firewall at the entrance to the country in order to carefully filter all incoming traffic. But we managed to keep the situation under control without resorting to extreme measures.


Bogdan Stepovoy

The rights to this material belong to
The material is placed by the copyright holder in the public domain