Researchers blame Dyre Wolf malware for $5m Ryanair theft

A team of cyber criminals has given Michael O'Leary something to get seriously upset about. A malware scam has relieved the Irish budget airline of $5.5m and researchers say that the banking malware Dyre Wolf is to blame.


The attack was revealed by the Irish Times last week, when the newspaper pointed out that a transfer of funds had been made to a Chinese bank account. Ryanair admitted being hit by the scam and, in a statement, said it “had investigated a fraudulent electronic transfer via a Chinese bank.” The company is not making any further statement. “As this matter is subject to legal proceedings, no further comment will be made,” said a company spokesman.

According to Charl van der Walt, strategic director at SensePost, “there is suspicion in the information security community that this may be a variant of the ‘Dyre’ malware, which has received considerable coverage since its discovery in June 2014. Like a mutating influenza virus, this advanced malware has the ability to change its appearance to security systems (such as firewalls and intrusion-detection systems) and become immune to these, every three days.”

Richard Cassidy, technical director of Alert Logic, said there was no absolute proof that it was a Dyre Wolf attack but agreed there were some similarities. “The details on the specific threat against Ryanair are limited, but we have seen increased activity from ‘Dyre Wolf’ malware back in late 2014 and it's absolutely feasible that it's already resurfaced in various augmented guises throughout the industry since then; this is a well known tool in the kitbag of the security underground, improvisation on existing tried and tested methods, as opposed to the harder task of re-inventing the wheel, creating new malware.”

Gavin Millard, technical director of Tenable Network Security, said there had been similar attacks in the last few months, instances that left funds in the hands of cyber criminals. He said that the Ryanair attack could well have been Dyre Wolf. “Dyre manipulated users into calling a third party to be socially engineered into disclosing two factor authentication credentials that were then used to wire money.”

He said the attacks were a wake-up call to organisations. "When an attacker gains a foothold through vulnerable systems or users, the last thing a business needs is easy lateral movement to systems that could be utilised to exfiltrate funds, PII or IP. Any system that could be used to transfer funds from a business should be identified, protected with effective security controls, segregated from the rest of the corporate network and be continuously monitored to identify unusual behaviour," he said.
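To make the “continuously monitored to identify unusual behaviour” point concrete, here is an added example of a baseline-and-deviation check over outbound wire-transfer records. It is not code from the article, from Ryanair, or from any vendor quoted above; the records, field names, thresholds and business-hours window are all constructed assumptions. The check compares each new transfer against what the finance system has approved before and lists the reasons a transfer deserves a second pair of eyes before release.

```python
"""Baseline-and-deviation monitoring for outbound wire transfers.

Added example with constructed data (not Ryanair's records). A payment
system that can move company funds is a prime target, so transfers that
depart from the established pattern should be held for review.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set, Tuple


@dataclass
class Transfer:
    when: datetime
    initiator: str          # account that submitted the payment
    beneficiary_bank: str   # receiving institution
    country: str            # ISO country code of the receiving bank
    amount_usd: float


# Constructed history of previously approved transfers (the baseline).
HISTORY = [
    Transfer(datetime(2015, 3, 2, 10, 15), "ap_user1", "AIB", "IE", 120000.0),
    Transfer(datetime(2015, 3, 9, 11, 0), "ap_user1", "Barclays", "GB", 240000.0),
    Transfer(datetime(2015, 3, 16, 9, 45), "ap_user2", "BNP Paribas", "FR", 310000.0),
    Transfer(datetime(2015, 3, 23, 14, 30), "ap_user1", "AIB", "IE", 95000.0),
    Transfer(datetime(2015, 4, 6, 10, 5), "ap_user2", "Barclays", "GB", 180000.0),
]

# Constructed new transfers awaiting release: one routine, one anomalous.
NEW = [
    Transfer(datetime(2015, 4, 20, 10, 30), "ap_user1", "AIB", "IE", 110000.0),
    Transfer(datetime(2015, 4, 24, 23, 10), "ap_user1", "Example Bank", "CN", 5500000.0),
]

# Assumed policy knobs: local business hours and an amount ceiling relative
# to the largest transfer ever approved.
BUSINESS_HOURS = (8, 18)
AMOUNT_MULTIPLIER = 2.0


def build_baseline(history: List[Transfer]) -> Tuple[Set[str], Set[str], float]:
    """Summarise the approved history as known banks, known countries and max amount."""
    known_banks = {t.beneficiary_bank for t in history}
    known_countries = {t.country for t in history}
    max_amount = max(t.amount_usd for t in history)
    return known_banks, known_countries, max_amount


def score_transfer(t: Transfer, baseline: Tuple[Set[str], Set[str], float]) -> List[str]:
    """Return the list of deviations from the baseline; empty means routine."""
    known_banks, known_countries, max_amount = baseline
    reasons = []
    if t.beneficiary_bank not in known_banks:
        reasons.append("new beneficiary bank")
    if t.country not in known_countries:
        reasons.append("new beneficiary country")
    if t.amount_usd > AMOUNT_MULTIPLIER * max_amount:
        reasons.append("amount exceeds %.0fx historical maximum" % AMOUNT_MULTIPLIER)
    if not (BUSINESS_HOURS[0] <= t.when.hour < BUSINESS_HOURS[1]):
        reasons.append("submitted outside business hours")
    return reasons


def review_transfers(new: List[Transfer], history: List[Transfer]) -> List[Tuple[Transfer, List[str]]]:
    """Score every pending transfer against the baseline built from history."""
    baseline = build_baseline(history)
    return [(t, score_transfer(t, baseline)) for t in new]


if __name__ == "__main__":
    for transfer, reasons in review_transfers(NEW, HISTORY):
        status = "HOLD FOR REVIEW" if reasons else "routine"
        print(f"{transfer.when:%Y-%m-%d %H:%M} {transfer.beneficiary_bank:12} "
              f"{transfer.country} {transfer.amount_usd:>12,.0f} -> {status}"
              + (": " + "; ".join(reasons) if reasons else ""))
```

The point of the design is that each rule is cheap and explainable: a reviewer sees "new beneficiary country; amount exceeds 2x historical maximum; submitted outside business hours" rather than an opaque risk score, and a single deviation can be tuned to warn while several together hold the payment. In a real deployment the baseline would be built from the payment system's own audit log and the hold would feed the out-of-band approval step, which is exactly the control a social-engineered one-time code is meant to bypass.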

For now it is all speculation. With Ryanair remaining tight-lipped about the attack and little information about the nature of the breach circulating in security circles, everything is guesswork.

Irish security consultant Brian Honan said there was nothing concrete to go on. “I'm based just a couple of miles from Ryanair and heard nothing. It could be an insider job; it could be a phishing attack. No details of the attack have leaked out,” he said.