Russian hacking group APT28 planned attacks against global banks

A Russian hacking group planned on launching cyberattacks against several banks around the world, according to SC Magazine.

Banks targeted by the hackers include the Bank of America, Commercial Bank International, Toronto Dominion Canada Trust, United Nations Children’s Fund, United Bank for Africa and Regions Banks, reports Softpedia. 

The group planning the attacks is said to have been in operation since 2007, but has been referred to with different names including APT28, Pawn Storm and the Sofacy group.

Security firm Root9B made the discovery during “routine security analysis” for a client last month, uncovering a targeted spear phishing domain aiming at a financial institution.

“The server it was found on raised even more questions, because although security experts knew the server as a bad actor, it was generally associated with malware used in nation state attacks,” explained the security firm’s 11 page report.  Further analysis showed signatures and a server related to APT28.

With preparation for the attacks beginning last June, analysts concluded that they had never seen a “large-scale attack utilizing numerous zero-day exploits that were so thoroughly mapped in advance.”

The researchers have contacted the financial institutions identified as targets, but it is not clear if attacks have already begun. It is believed that if and when they do strike, it will be in the form of a targeted spear phishing campaign. Of course, public exposure of the plans may result in attacks being delayed or changed.

Another interesting piece of the analysis, Computer World reports, is that APT28 may be divided into two subgroups: one aimed at attacking government and military organizations, and another that targets financial institutions and banks.

[Update – 05/20: Veteran security reporter Brian Krebs has written a blog post questioning the validity of the research arguing that the real source of the domains may be more mundane. He writes that the details suggest that “the actors in question were relatively unsophisticated Nigerian phishers who’d simply registered a bunch of new fake bank Web sites.”

Krebs highlights that although one of the domains was previously used by APT28, there are others who call it “home for their DNS operations,” including a prominent group of Nigerian spammers. Krebs presents evidence linking email addresses cited in the report to the group, as well as a Facebook profile of someone purporting to be the CEO of a company that sounds remarkably like the URL of a known phishing site.

A spokesman for Root9B insisted that the firm stood by its initial findings: “the team stands by the report as 100 percent accurate and it has been received very favorably by the proper authorities in Washington (and others in the cyber community, including other cyber firms).”]

LesPalenik /

Author , ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.