  • 6/26/2025
Transcript
00:00Welcome to Khaleej Times. Today, our guest is someone who stands at the forefront of the global fight against cyber threats.
00:08Today, we have with us Dmitry Volkov, the CEO of Group IB. Welcome, Dmitry. Thank you for being with us.
00:16Thanks for having me here.
00:17So before we start, I'm going to highlight a very intricate report that you have made for CEOs around the world, anybody dealing with cyber threats and cyber security.
00:28So I just want to show this to the camera. It is the High-Tech Crime Trends Report 2025.
00:35So for many people, this might be a bit of a kind of niche topic, but I would like you to kind of tell us in one line why CEOs need this report, especially in 2025.
00:48Well, it's very easy: to make strategic decisions and to build a long-term cyber security program, you need to understand what the emerging threats are,
00:58because you want to learn what the mistakes and threats from other regions are and adopt this knowledge in your company, in your business, in your country.
01:07Okay, great. And so today's conversation is going to refer to the reports, correct?
01:13Yes.
01:14Yeah.
01:14Why not?
01:15Okay, great. So let's start with what do you think are the most urgent cyber security threats facing the Middle East right now,
01:23especially in the UAE and Saudi Arabia in 2025?
01:27Well, first of all, probably the biggest threat is fraud in different variations.
01:33We can talk about scam calls, phishing attacks, and of course, AI-driven fraud, like deep fakes, because it affects lives of everyone.
01:42It could be an individual person, it could be a business. Fraud is a topic number one, that is growing everywhere, every year.
01:50The second cyber threat is, of course, advanced persistent threat actors. So they know how to execute very complex attacks.
01:58And of course, the damage of these attacks is very high. So this is the challenge number two.
02:03And the third point, probably not a real cyber threat, but because we see how the Middle East, especially the UAE and Saudi, invest in AI, AI is the next big challenge.
02:14So we are at the earliest stage and we need to think about cyber security since the design stage, where we are now.
02:23Okay. So just to reiterate, it is, we can say that it's fraud, it is cyber threats and AI, correct?
02:30Yes.
02:31All right. How do you think, because you talked about AI, and that is definitely an ever-evolving kind of technology.
02:38So how are cyber threats evolving in the region? And what does this mean for CEOs and decision makers and people in leadership positions?
02:49Okay. So let's make it one by one.
02:51Yeah.
02:51The first, of course, fraud. Fraud is growing.
02:54And what we can see here at the moment, deep fake is becoming more and more popular.
03:00It doesn't mean that it has overcome traditional methods of committing fraud, but what we know at the moment, for example, what is unique in the Middle East when we talk about scams: scammers in the Middle East prefer to utilize brands from the oil and gas industry, not financial anymore.
03:19Oil and gas is number one, then telecommunications, and then financials, which was number one a few years ago.
03:29So it's quite unique.
03:30And we see that this threat emerges in the Asia-Pacific region, and then when they adopt it and successfully test it, they start to export it and use it in other regions, including the Middle East.
03:42Okay.
03:42And then scam call centers, for example, that are highly automated.
03:46We see that the masterminds, they are from that region.
03:50They are not originally from the Middle East.
03:52So that means that we bring this bad experience across the globe.
03:57So this is probably number one.
03:59The second is advanced threat actors.
04:02By advanced actors, we can consider many different threat actors, but I would focus on probably nation-state.
04:07Their goal is espionage, and of course, in some cases, sabotage campaigns.
04:13Okay.
04:14And these threat actors and their activity is driven by political decisions first, and of course, military conflicts.
04:21Okay.
04:22Unfortunately, in the Middle East, we see these conflicts happening, and this is what drives the activity of that kind of threat actors first.
04:31And the most visible part is activists.
04:34So this is more politically motivated, but not nation-state actors, but they became an extended arm of nation-state actors who actually manipulated them, and they didn't even understand that they are in this situation.
04:46So those are a group of activists who are hacking governmental entities and groups.
04:52Yeah, and they are able to commit very simple attacks, like DDoS, to disturb connectivity, and they launch phishing attacks.
04:59Sometimes we exploit simple vulnerabilities and do small data breaches, but they announce it publicly in social media.
05:06They try to promote this activity to attract attention.
05:10Yeah.
05:10And in some cases, it drives another type of attacks.
05:13I mean, we hear the term deepfake a lot.
05:16Do you mind just giving us one example of what that could be?
05:19Well, it's quite easy, so we actually see it almost everywhere, in social media platforms, in news, and in some cases, when you talk to your peers, you may consider that this is a real voice, you may consider that it's a real face, but in fact, this is something generated by the machine, trying to copy your voice, your face, your movement.
05:42So it's very hard nowadays to distinguish if it's a real person or it's a fake.
05:49Okay.
05:49So somebody could easily be, you know, fraud calling someone with a possibly different voice, a voice that is from like the, you know, the local police or something.
05:59It may be many different schemes.
06:02Yeah.
06:02It could be from government, from police, from a bank, from, I don't know, maybe it's your friend who will ask you to send him money urgently because he's in a hard situation.
06:13And because you have a very trusted relationship with this person, you will do this.
06:17So you wouldn't think twice.
06:18You would just say, okay, and then you will get.
06:20It's a critical situation and you need to act fast.
06:23Thank you for kind of highlighting that because I know, you know, it's important to know these terms and know exactly the examples for these terms.
06:29So tell us a little bit about which industries are being targeted the most and what do these, we kind of discussed what these attacks could look like, for example, changing the voice.
06:40But maybe we can go a little bit deeper into it.
06:44What do these attacks look like in real terms?
06:46And can you give us an example?
06:48Of course.
06:48So the most attacked industries are government, financial and telecommunications.
06:55Because we are part of critical infrastructure, we have a lot of cyber security and non-cyber security budgets, which means we can spend, and many attackers are financially motivated.
07:07So that's why they will try to find a way to earn money.
07:11If they talk about, let's say, telecommunications.
07:15Yeah.
07:15I'm not sure if you follow the news, but it's already in public domain, so that's where I can openly speak about that.
07:22What happened in the U.S.: the government-managed wiretap system was compromised by a threat actor, Typhoon, this is the name of the threat actors, and they managed to intercept communications that were originally created for special services.
07:40What happened in South Korea, with SK Telecom: unfortunately, more than 26 million people became victims of this cyber attack.
07:50Information about SIM cards was breached.
07:53What does it mean?
07:54This is a root of trust.
07:55You know, everything now is linked to your phone number, to your SIM card, your notification, access to your services, recovery processes, and so on.
08:04So that means that the root part of the trust was broken, and now they have a big problem.
08:10And what we also see now, threat actors are able to attack not only wire infrastructure, we also focus on satellite networks, and this is what happened in Ukraine a year ago.
08:22They also try to disrupt undersea cables, and again, this is how they stopped connectivity.
08:30So we see a lot of attention from very advanced threat actors in the telecommunication industry.
08:37Of course, this is a big challenge that we need to handle.
08:40If we touch government and financial, probably just to avoid naming this organization, I will tell the story that will cover both of them.
08:52The first one, so it's basically two different countries, two different organizations, different actors, but both stories started very similar.
09:02So we received a call from our partner in these two regions, asking us to help to handle the incident, because it was very critical, because it was ransomware, business operations stopped, they didn't manage to provide services after the attack, and so on.
09:17And it takes a lot of time to recover.
09:19So what we found, first, threat actors managed to exploit a well-known vulnerability in Microsoft Exchange server.
09:27This is a mail server, everyone knows what it is.
09:31It is an IT industry.
09:33Then they managed to deploy a tool that gave them remote access to the server.
09:38Well-known tool, nothing secret.
09:40Then they managed to dump the process that is responsible for identification and extract clear text, logins, and passwords from domain administrators.
09:53Yeah.
09:53So it means that they got very privileged access on one machine.
09:57Yeah.
09:58And then they started to do so-called lateral movements.
10:00So we jumped from one computer to another, searching for interesting information, researching where we can find some critical systems to disrupt business operations and to ask for ransom.
10:10And in this process, they exfiltrated a lot of sensitive information through encrypted channels, and then they launched ransomware.
10:17So the possibilities of attacks are endless, basically.
10:20And it's simple.
10:21Yeah.
10:21So it was ransomware, but this was the boring part of the story.
10:25Yeah.
10:26The interesting part happened later, because when we start to do incident response, we launched a so-called threat hunting mission.
10:33We need the hypothesis to understand what else threat actors could do that is under radar for technical solutions.
10:40So we search for something very invisible.
10:44What we found was that before the ransomware threat actors, there were nation-state actors who came there for espionage before the ransomware attack happened.
10:56Okay.
10:56And we were under radar for a long time, exfiltrating slowly information out of these networks.
11:04Okay.
11:04We were very picky, but the way how we got access to this network was pretty same.
11:11So that means that you need to pay more attention to what happens in your network right now.
11:18Right.
11:18Because in this case, if ransomware attack wouldn't happen, nobody would even suggest that somebody else is already inside, exfiltrating sensitive information, and so on.
11:30And somebody got quite a lot of advantages, strategic advantage.
11:35So there could be these masked actors kind of behind all these cyber threats, and we don't even kind of, we wouldn't be able to find them.
11:43This just happens all the time.
11:45Yeah.
11:45What attack techniques should CISOs and security leaders be watching very closely this year?
11:52Okay.
11:53So if you look at hacktivists or advanced actors, there are two main vectors for how they actually get initial access to the organization.
12:03And this is where you need to focus on.
12:06The first one is, of course, email.
12:08The pretty standard way: they can send just a simple message to the mailbox, and if you click a link, if you open an attachment, your computer may be infected and immediately give access to somebody else.
12:21And many organizations have various different controls to protect this channel.
12:29Another less obvious is everything that provides a remote access, legitimate remote access to your employees.
12:35And in many cases, this is cyber security solutions, like firewalls, VPN service.
12:40This is what we use now on our daily.
12:43Yeah.
12:44It's very common.
12:44Very common.
12:45Exactly.
12:46In fact, actors exploit vulnerabilities in these cyber security solutions.
12:51Mm-hmm.
12:51And this is how we get access with lots of privileges almost immediately.
12:56And how they do is sometimes they do it with their vulnerabilities.
13:01Second, if everything is already patched and there are no misconfigurations, they can already get valid credentials, a valid login and a valid password, from other third-party breaches.
13:13Mm-hmm.
13:14And this is the second point where CISOs may need to focus their attention.
13:20Okay.
13:21They need to control what happens on dark web forums.
13:23Mm-hmm.
13:24The threat actors buy information about logins, passwords, because threat actors, they always try to raise efficiency.
13:33Mm-hmm.
13:34They reunite their efforts.
13:37For example, there are 10 different vectors who infected millions of devices.
13:40Yeah.
13:41And they don't know what to do with this.
13:42So that's why they accumulate all the information in one place, like underground cloud logs.
13:47Other threat actors can search across this dataset, find what is interesting for them, buy these specific records, and then use to get remote access with valid logins and passwords.
13:58Okay.
13:59And in some cases, the big mistake when CISOs say it's impossible to use this data because they have two-factor identification.
14:06Oh, yeah.
14:07And unfortunately, it doesn't work always in that direction.
14:10Because if the user is already authenticated, there is a session, there is a token, and you don't need to enter your login and password all the time.
14:19Okay.
14:20That's why if threat actors manage to copy some part of the information from your laptop or desktop, another threat actor can reuse the same.
14:29So that means he doesn't need to enter your login and password again.
14:33All right.
14:34Because your session is still valid.
14:36And this is how it works.
14:37This is how they may bypass two-factor authentication.
14:39So this is all very interesting, and I feel like there is so much more information that can actually be found in this report.
14:46So the report also highlights that, you know, major risks like phishing and data breaches.
14:54How can business leaders quantify these risks and prepare for them actively?
15:01So there are many different frameworks, global and, of course, localized frameworks, for how to quantify risks.
15:08Usually organizations face the challenge that they don't have relevant data, relevant statistics, to make the right quantification.
15:16This is where threat intelligence helps because the purpose of threat intelligence is to give you insights about what happens in the region, in the country, in your industry.
15:26So you can get this information and basically the report is...
15:29You can get the right strategy for it.
15:30Yeah.
15:31Exactly.
15:32And basically the report is about that.
15:33So this is number one.
15:35But what I would like to emphasize is that measuring the risk just gives you a possibility to prioritize where to invest in cybersecurity.
15:46Okay.
15:47Because you can't run all the...
15:48You can't cover all of it.
15:49Yeah.
15:50Exactly.
15:51But you need to ask yourself a question.
15:54In the industry, I mean the cybersecurity industry, we were responsible for quantifying risk for dozens of years and it didn't change the situation.
16:03When you quantify risk, does it help you to detect a threat actor?
16:07No.
16:08Does it help you to prevent cybersecurity breach?
16:11In fact, no.
16:12What you need to focus on is to track threat actors.
16:15Who are they?
16:16What do they do?
16:17How exactly is my organization able to detect and basically stop this particular threat actors?
16:26Not all threat actors in the world.
16:28Right.
16:29But actors who pose a real threat to your organization and who are active in your region.
16:34So the value of your company basically that's, you know, we have to...
16:38What your company stands for, what your...
16:41The services that your company provides is the thing that you have to kind of protect the most with the cybersecurity...
16:47At a very early stage, we try to predict what is going to happen with your organization in the nearest future.
16:54So what role is Group IB playing in protecting the region?
17:00And how does that global intelligence translate into local defense?
17:05Yes.
17:06And this is our approach.
17:07We try to establish strong technical expertise in each region.
17:15What we are actually building are so-called digital crime resistance centers.
17:19And we have in the region already three centers.
17:22One is in UAE, in Saudi and in Egypt.
17:25What does it mean, a cyber-resistant center?
17:29Then we replicate our DNA technical expertise, including digital forensics, incident response,
17:35threat intelligence, of course, anti-fraud experts, computer emergency response team, and so on.
17:41We hire locals, shift our knowledge to this local team.
17:45And this local team becomes the local community builder to transfer our expertise in the country.
17:53Through this team, we get information about what are the local threats that are relevant to a particular industry or to a particular country.
18:02And we get these insights from all our existing regions.
18:06Okay.
18:07From Asia-Pacific, Middle East, Europe, Latin America, Central Asia, so from the globe.
18:12Oh.
18:13And having these insights, we convert it into knowledge.
18:16Right.
18:17That we convert in technologies.
18:18Just to give you an example, we have a team that was looking for, researching for AI-driven fraud.
18:24Deepfake during the KYC process.
18:27We know that there is an active group.
18:29We found how exactly we operate, what type of tools and malware we use, how exactly we execute commands, and how their partnership network works.
18:40When we understood this, we managed to convert it into detective technology that helped us to detect in real time the preparation stage.
18:50Not when fraud already happened, but just when we started to prepare.
18:54And we deployed it very quickly in one financial organization and managed to track the activity of these actors, even during the stage when we were testing their technology.
19:03And during the testing process, we made a lot of mistakes.
19:07We identified these threat actors together with law enforcement agencies, the bank where we deployed this technology.
19:13And these guys were arrested.
19:14Ah.
19:15And this is how we prevented not one attack, but thousands of attacks in the future.
19:19Because of the strategy implemented in terms of which technology to use.
19:23That's very interesting.
19:24What do you think CEOs should prioritize right now when it comes to cyber resilience, especially in like the high risk sectors such as finance, government, telecom?
19:35All these things are very susceptible to attacks.
19:38With finance, it's already obvious, but they are driven by the very new emerging threat, growing and growing.
19:46And that's why we need to find a good solution how to detect that type of behavior.
19:51We know how to do this.
19:52And we see that threat actors developing new technologies very fast and implementing across the globe.
19:58So this is number one.
20:00With telcos, what we actually need is, of course, to track what happens on their network, not network, edge perimeter.
20:09What happens with their network devices, because threat actors, as I mentioned before, they know how to exploit vulnerabilities.
20:16They also manage to find valid credentials to all these networks.
20:20And to avoid incidents like what happened in the U.S., what happened in South Korea, or in Ukraine, you need to take a laser focus on everything that happens with these edge devices.
20:33Because the espionage will keep going.
20:35And the government becomes the major data custodian.
20:40Sorry, what?
20:41Data custodian.
20:42Okay.
20:43When we hold massive data sets, and what we are going to do is to give these data sets to train AI.
20:52Okay.
20:53Yes.
20:54To provide services, to raise efficiency, and so on.
20:57So that's why we need to protect data.
21:00We need to protect the whole pipeline or workflow of AI-driven agents that will be responsible for analyzing these data sets and, of course, providing services.
21:12This is where we need to focus right now, because the pace of development is very high.
21:19It's very high.
21:20Okay.
21:21And in this rush, people may forget about cybersecurity because it's not priority number one.
21:25100%.
21:26Especially if it's like a purely online kind of business or something like that.
21:29Yes.
21:30And this is very moving.
21:31Okay.
21:32So to wrap things up, how do Group IB solutions like Managed XDR, threat intelligence, and attack surface management help organizations stay ahead of advanced cyber threats?
21:45Well, we look at the organization from three different dimensions.
21:49The dimension number one, what happens beyond your organization.
21:52What you can't see because you don't have anything there.
21:55For example, with our threat intelligence, we can see what threat actors are doing at the moment, how they prepare the attack to execute against your organization, and so on.
22:04So we can see and predict.
22:06That's a similar approach we apply with digital protection, or even with our anti-fraud solution.
22:12Yeah.
22:13We can detect what happens, not with you as an organization, but with your clients.
22:17If you talk about the banking or insurance or telecommunication industry.
22:21Then you have a network perimeter, and this is where the attack surface management can see how your organization is perceived by threat actors.
22:29Actually, we take the same techniques as threat actors use, and we will look at you by the eyes of a threat actor.
22:38Okay.
22:39If it is a low-hanging fruit, that is what we will focus on in the beginning.
22:42So trying to identify this patient zero asset that will be attacked.
22:47Yeah.
22:48And of course, the last mile is your internal perimeter or your cloud environment, where we can protect network traffic, email traffic, servers,
22:58desktops, laptops, and so on.
23:01Then the attack is already executed, and we need to stop it in real time.
23:04So the two-factor verification steps that we're doing is not sufficient, is what you're saying.
23:10It's not sufficient, unfortunately.
23:11Yeah.
23:12There is no city to do it.
23:13Well, thank you so much, Dmitry.
23:14And please tell us, how can CEOs and companies receive this high-tech crime trends report?
23:20Where can they order it?
23:21Is there some place that they can actively look for it?
23:25Part of our mission is to share this knowledge, and that's why it is available for free on our website.
23:29Perfect.
23:30Thank you so much for being with us, and hopefully that companies and institutions can become a safer place with your help.
23:40Thank you very much.
23:41It was a pleasure to be here.
23:43Thank you, Joel.
23:44Thank you very much to be here.