Security Experts:

Russian Cyber Espionage Group Planning to Hit Banks: Report

APT28, the notorious cyber espionage group that is believed to be sponsored by the Russian government, is planning to attack various financial institutions from across the world, according to a report published on Tuesday by cybersecurity services and training provider root9B.

APT28 has been around since at least 2007. The threat actor, analyzed by several security firms over the past months, is known under various names, including Pawn Storm, Sednit, Fancy Bear, Tsar Team, and Sofacy. A report published by FireEye in October 2014 showed a direct link between the advanced persistent threat (APT) group and Russia.

FireEye noted in that report that APT28 had not been seen trying to steal and profit from financial account information. However, root9B says it has uncovered plans by the threat group to target international financial institutions.

The list of organizations that appear to be targeted by the attackers includes Bank of America, TD Canada Trust, Regions Bank, the United Nations Children’s Fund, United Bank for Africa, Commercial Bank International (CBI) in the United Arab Emirates, and possibly Germany-based Commerzbank.

The security firm says it has notified authorities in the United States and the UAE, and the security teams of the targeted financial institutions of APT28’s plans.

“While none of the targeted organizations are clients of root9B, we felt it imperative to disclose the findings to them, and as broadly as possible to the security community,” said Eric Hipkins, CEO of root9B.

The security firm said it discovered the threat group’s plans at the end of April during routine security analysis. Researchers stumbled upon a spear-phishing domain aimed at the UAE-based financial organization. The domain attracted the attention of experts because it was hosted on a server known to be associated with state-sponsored operations. They also discovered several pieces of new malware with signatures specific to APT28.

The attackers registered several CBI phishing domains using fictitious information. The phishing domains for the other targeted banks were discovered by researchers because they had been registered using similar fake registration details.

Researchers determined that the malicious actors started preparations for this campaign back in June 2014.

“While the continued vector of the attack remains unclear, root9B assesses that it will most likely be a spear-phishing campaign. This attack vector will likely use a well-crafted email containing either a malicious file or web hyperlink to what recipients believe is the actual website; but is instead a fake landing page,” the security firm wrote in its report.

Experts noted that while such phishing websites are usually utilized to trick users into handing over personal and financial information, it’s possible that the threat group could try to use the servers hosting the phishing pages to deliver malware that gives them access to victims’ networks.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.