ESET’s Anton Cherepanov Jean-Ian Boutin discuss their paper, titled Modern Attacks on Russian Financial Institutions, which was published earlier this year.
Today, Virus Bulletin published the paper we presented in Denver earlier this year titled Modern Attacks on Russian Financial Institutions. In this paper, we review the different actors targeting financial institutions in this region and which systems they are targeting.
Over the past few years, attacks against Russian financial institutions have increased substantially. One key aspect of this trend is the specialization of the threat actors. This is clearly visible in some of the attacks that are highlighted in our paper, such as the one targeting the ruble exchange rate. In this case documented by Group-IB, fraudsters were able to control a trading terminal, which they used to issue buy and sell orders for the Russian ruble. This led to abnormal volatility in the USD/RUB exchange rate that day, as illustrated in the figure below:
In this paper, we identified the different groups we tracked during the past few years that have the capacity to mount sophisticated attacks against Russian financial institutions, such as Buhtrap and Corkow. We also try to highlight some of the similarities that these groups share, notably the way they initially compromise an organization and the long planning and persistence in victims’ networks necessary to achieve these sophisticated attacks.
As such, most of these groups use spear phishing to try and compromise organizations of interest. As illustrated in the figure below, opening the spear phish attachment on a vulnerable system will lead to a system compromise. Additional tools, such as a remote administrator tool, will be downloaded and installed on the victim’s machine so that the attacker can control it fully. Once inside the network, criminals are usually trying to move laterally, looking for high-value systems.
In an attempt to legitimize the spear phishing email sent to their targets, attackers will often bundle a decoy document. We have seen several different types of decoy documents such as the one seen in the image below, impersonating FinCERT, an organization created by the Russian government to provide help and guidance to its financial institutions:
We chose this screenshot with good reason. The document title highlights a system – АРМ КБР – around which there has been some misunderstanding lately. This started when the Central Bank of Russia published an annual report on financial stability within financial institutions. On page 37, they wrote about cyber-risks and stated that during 2016, there were attempts to attack АРМ КБР. During these attempts, hackers wanted to steal 2.87 billion rubles (approximately $45 million). In this document, they also state that they successfully prevented 1.67 billion rubles ($26 million) of that amount from being stolen.
As many of you will not know what АРМ КБР is, here is a quote from our VB2016 paper:
Russian banks use a special system to transfer funds between themselves. A bank combines all payments made during a given period of time to other Russian banks in a settlement batch (банковский рейс). When the batch is ready to be sent, the bank signs and encrypts the data using special software called Automated Working Station of the Central Bank Client (AWS CBC) and sends it to the Central Bank of Russia. A bank will usually send such a batch five times per day. The AWS CBC software is freely available on the Central Bank official website.
When attackers successfully compromise a machine with this software installed, they can alter data in the settlement batch before such data can be signed and encrypted. For example, attackers can modify the destination account so that the transfer will be made to bank accounts controlled by attackers instead of their original destination. Alternatively, the attackers can just add new entries to the settlement batch. This is possible because the AWS CBC software does not verify the integrity or validity of the data. It is the responsibility of the banks to ensure that this data cannot be accessed and modified by unauthorized users.
The confusion arose from the fact that a few publications claimed that the Central Bank of Russia was the victim of this theft. However, during this type of attack, money is stolen from banks using AWS CBC, not from the Central Bank.
Attacks on AWS CBC is just one type of attacks we highlight in our paper. We also discuss attacks on ATMs, card processing systems, SWIFT terminals and trading terminals. As an example, in one sophisticated attack against ATMs perpetrated by the Carbanak group, criminals were waiting beside an ATM until it automatically spewed out cash without physical intervention. This was, of course, possible because an accomplice could communicate with the affected ATMs.
To conclude our research, we also try to foresee whether these types of attacks against financial institutions are likely to propagate to the rest of the world. Well, it did not take long to know the answer. Attacks against Bangladesh Bank, the central bank of Bangladesh, made the headlines, with criminals attempting to steal $950 million via the SWIFT network.
In the following months, news broke about other similar attacks against banks in other regions of the world. We have also seen other systems being targeted by criminals outside of Russia and neighboring countries. In July this year, news broke that a group of people visited ATMs in Taiwan and successfully stole money from them without any physical interaction. While we don’t know who is behind this attack, it certainly feels like déjà vu.
For more details, please refer to our Virus Bulletin article here. You can also view the presentation recording here.