Researchers at Group-IB and Fox-IT have released a report detailing the activities of a hacking crew linked to the theft of more than one billion rubles ($17 million) from a mix of Russian banks and Western retailers.
According to the report, the group - known as 'Anunak' - focuses their frauds on the corporate network, targeting internal payment gateways and internal banking systems. In this way, they steal money from the banks and payment systems themselves and not from the banks' customers.
In addition to this activity, the gang has also compromised media groups and other organizations for the purpose of industrial espionage and possibly to obtain a trading advantage on the stock market. In cases where the group got access to government agency networks, their aim is believed to be espionage-related, the researchers report.
All totaled, the group is known to have hit more than 50 Russian banks, five payment systems and 16 retail companies. Most of the retail companies are outside of Russia, but no U.S./EU banks are known to have been attacked.
"We have seen criminals branching out for years, for example with POS malware," said Andy Chandler, Fox-IT’s SVP and general manager, in a statement. "Anunak has capabilities which pose threats across multiple continents and industries. It shows there’s a grey area between APT and botnets. The criminal’s pragmatic approach once more starts a new chapter in the cybercrime ecosystem."
On average, the group stayed on internal networks 42 days before money was stolen, according to the report.
"As a result of access to internal bank networks the attackers also managed to gain access to ATM management infrastructure and infect those systems with their own malicious software that further allows theft from the banks' ATM systems on the attackers command," according to the report. "Since 2014 the organized criminal group members began actively taking an interest in US and European-based retail organizations. While they were already familiar with POS malware and compromising POS terminals, the widespread media attention around the Target breach and other related breaches were the reason for this move. While the scale of breaches in this industry is still relatively low, with at least 3 successful card breaches and over a dozen retailers compromised this activity is quickly becoming a lucrative endeavor for this group."
As with many campaigns, the attackers use spear phishing emails to penetrate their targets. Since August 2014, the group began to create their own botnet for blasting out emails.
"The first successful bank robbery was committed by this group in January 2013," according to the report. "In all first cases the attackers used the program RDPdoor for remote access to the bank network and the program “MBR Eraser” to remove traces and to crack Windows computers and servers. Both programs were used by the members of the Carberp criminal group under the guidance of a person named Germes. To reduce the risk of losing access to the internal bank network the attackers, in addition to malicious programs, were also used for remote access legitimate programs such as Ammy Admin and Team Viewer."
"Later the attackers completely abandoned from usage of RDPdoor and Team Viewer," the report continues. "In addition to banking and payment systems, hackers got access to e-mail servers to control all internal communications. This approach allowed them to find out that the anomalous activity in the bank network was identified, what technique was used to identify this activity and what measures the bank employees took to solve the problem. Email control was successfully installed regardless of used email system, MS Exchange or Lotus. This approach allowed them to take countermeasures that created for bank and payment system employees the feeling that the problem had been solved."
The complete report can be read here.