Eastern hackers use phishing-led APT to steal millions from banks

News by Doug Drinkwater

Security researchers say a hacking group called 'Anunak' has stolen £11 million (US$ 17 million) from banks, retailers and other firms since 2013.

In a research report released on Monday, Moscow-based Group-IB and Dutch outfit Fox-IT said that the espionage group has been primarily targeting banks and payment systems in Russia and CIS countries, although it has taken a greater interest in US and European firms over the last year.

The report notes that the hackers, whose members predominantly come from Russia and Ukraine and who have previous links to the Carberp banking botnet (the takedown of which resulted in several arrests in 2012), have been using a mix of spear-phishing emails (exploiting recent vulnerabilities in MS Office), backdoor malware, banking Trojans and botnets to compromise internal networks, especially in the banking sector. Attacking the banks themselves represents a significant move away from the traditional cyber-criminal method of targeting bank customers.

Having gained a foothold in the internal network, the cyber-criminals take complete control of the computers of system administrators and IT specialists, and record video of key workers' screens to learn how the organisation's internal processes work.

In addition, they took control of email accounts to monitor internal communications, and installed remote-control software, using readily available tools such as TeamViewer, to keep persistent access to the compromised network. Anunak also infected ATM management systems with malware so that cash could be dispensed on later requests.
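The two behaviours described above (an Office document spawning a process after a spear-phishing exploit, and a remote-control tool such as TeamViewer appearing on an administrator's workstation) are the kind of thing a bank's security operations team can hunt for in endpoint process-creation telemetry. The following detector is an added example written for this article, not code from the Group-IB/Fox-IT report or from either company; the event format, host names, user names and the TeamViewer allowlist are constructed assumptions for illustration.

```python
"""Added example, not from the Anunak report: flag two Anunak-style behaviours
in endpoint process-creation events. Event format and sample data are constructed."""
import json

# Office processes that should rarely spawn children on a finance workstation
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children Office legitimately spawns (assumption: print spooler helper only)
OFFICE_BENIGN_CHILDREN = {"splwow64.exe"}
# Remote-control binaries the article names TeamViewer as an instance of
REMOTE_CONTROL_TOOLS = {"teamviewer.exe", "tv_w32.exe", "tv_x64.exe"}
# Hosts where the helpdesk is allowed to run TeamViewer (assumed allowlist)
REMOTE_CONTROL_ALLOWED_HOSTS = {"helpdesk-01"}

# Constructed process-creation events, not real telemetry
SAMPLE_EVENTS = [
    {"host": "fin-ws-17", "user": "acct\\jdoe", "parent": "C:\\Office\\WINWORD.EXE",
     "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -w hidden -f C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.ps1"},
    {"host": "fin-ws-17", "user": "acct\\jdoe", "parent": "C:\\Office\\WINWORD.EXE",
     "image": "splwow64.exe", "cmdline": "splwow64.exe 8192"},
    {"host": "helpdesk-01", "user": "it\\helpdesk", "parent": "explorer.exe",
     "image": "TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    {"host": "admin-ws-03", "user": "it\\sysadmin", "parent": "explorer.exe",
     "image": "TeamViewer.exe", "cmdline": "TeamViewer.exe"},
    {"host": "admin-ws-03", "user": "it\\sysadmin", "parent": "explorer.exe",
     "image": "mstsc.exe", "cmdline": "mstsc.exe /v:fileserver-02"},
]


def _basename(path):
    """Lower-cased file name from a Windows path or bare image name."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawn_alerts(events):
    """Office parent spawning anything outside the benign child list."""
    alerts = []
    for ev in events:
        parent, image = _basename(ev["parent"]), _basename(ev["image"])
        if parent in OFFICE_PARENTS and image not in OFFICE_BENIGN_CHILDREN:
            alerts.append({"rule": "office_child_process", "host": ev["host"],
                           "user": ev["user"],
                           "detail": f"{parent} spawned {image}: {ev['cmdline']}"})
    return alerts


def remote_control_alerts(events):
    """Remote-control tool started on a host that is not on the allowlist."""
    alerts = []
    for ev in events:
        image = _basename(ev["image"])
        if image in REMOTE_CONTROL_TOOLS and ev["host"].lower() not in REMOTE_CONTROL_ALLOWED_HOSTS:
            alerts.append({"rule": "remote_control_tool", "host": ev["host"],
                           "user": ev["user"], "detail": f"{image} started: {ev['cmdline']}"})
    return alerts


def detect(events):
    """Run both rules and return the combined alert list."""
    return office_spawn_alerts(events) + remote_control_alerts(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Against the sample events the Office rule fires once (WINWORD.EXE launching cmd.exe on fin-ws-17) and the remote-control rule fires once (TeamViewer on admin-ws-03, which is not an allowlisted helpdesk host); the splwow64.exe child and the helpdesk TeamViewer start are left alone. In production the allowlist and benign-child set would come from the organisation's own baseline rather than constants.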

“We have seen criminals branching out for years, for example with POS malware,” says Andy Chandler, Fox-IT's SVP and general manager, in a press statement. “Anunak has capabilities which pose threats across multiple continents and industries. It shows there's a grey area between APT and botnets. The criminal's pragmatic approach once more starts a new chapter in the cyber-crime ecosystem.”

The attacks have been widespread and successful. Anunak had access to more than 50 Russian banks, five payment systems and 16 retail companies (although not a single US or EU bank has been affected), while the group is said to have stolen around US$ 17 million (£10.9 million), most of which has been gathered over the last six months.

The consequences were particularly serious for two affected (but unnamed) financial institutions, which were stripped of their banking licences, while Brian Krebs and Forbes report that Anunak was to blame for the data breach at Staples, where more than a million payment cards are believed to have been stolen.

Group-IB and Fox-IT say that the average time from gaining access to the internal network to money being stolen was 42 days, and note that the group has also targeted media companies and other firms for industrial espionage and, most likely, a trading advantage on the stock market.

Speaking to SCmagazineUK.com shortly after the report was published, Eward Driehuis, product director at Fox-IT, said that the method of attacking internal networks to get to ATMs was 'pretty much unprecedented'.

“It's kind of the story that this group could handle such a large amount of different activities. It's the first time we've seen signs of grey areas between APTs and regular cyber-crime,” he said, before going on to detail how the group was revealed using a 'mixture of social and technical skills'.

Driehuis continued that the 'ultimate goal is to make money' for the hackers, saying that the campaign did not appear to be political. Interestingly, the report notes the use of malware containing code from Carberp and Mimikatz, a credential-dumping tool that extracts passwords and hashes from Windows memory, and which was also recently used by Iranian hackers to infiltrate servers at a casino in Las Vegas.

Veteran security researcher Graham Cluley added in a blog post on Tripwire that it appears the hackers are wary of attacking banks in their own country.

“One curious aspect is that it appears retailers in Russia are not targeted by the Anunak hackers, although financial institutions are. Could there be a reason why the hackers feel more comfortable not targeting retailers on their doorstep?

“It would be easy to speculate that the hackers are wary of poking a grizzly bear on their own doorstep because of potential repercussions, and so avoid hacking local retailers, but that doesn't explain why they seem to be so unworried about earning the wrath of Russian financial institutions.”
