SecurityWeek
Russian Cyber Espionage Group Planning to Hit Banks: Report

APT28, the notorious cyber espionage group that is believed to be sponsored by the Russian government, is planning to attack various financial institutions from across the world, according to a report published on Tuesday by cybersecurity services and training provider root9B.

APT28 has been around since at least 2007. The threat actor, analyzed by several security firms over the past months, is known under various names, including Pawn Storm, Sednit, Fancy Bear, Tsar Team, and Sofacy. A report published by FireEye in October 2014 showed a direct link between the advanced persistent threat (APT) group and Russia.

FireEye noted in that report that APT28 had not been seen trying to steal and profit from financial account information. However, root9B says it has uncovered plans by the threat group to target international financial institutions.

The list of organizations that appear to be targeted by the attackers includes Bank of America, TD Canada Trust, Regions Bank, the United Nations Children’s Fund, United Bank for Africa, Commercial Bank International (CBI) in the United Arab Emirates, and possibly Germany-based Commerzbank.

The security firm says it has notified authorities in the United States and the UAE, and the security teams of the targeted financial institutions of APT28’s plans.

“While none of the targeted organizations are clients of root9B, we felt it imperative to disclose the findings to them, and as broadly as possible to the security community,” said Eric Hipkins, CEO of root9B.

The security firm said it discovered the threat group’s plans at the end of April during routine security analysis. Researchers stumbled upon a spear-phishing domain aimed at the UAE-based financial organization. The domain attracted the attention of experts because it was hosted on a server known to be associated with state-sponsored operations. They also discovered several pieces of new malware with signatures specific to APT28.

The attackers registered several CBI phishing domains using fictitious information. The phishing domains for the other targeted banks were discovered by researchers because they had been registered using similar fake registration details.
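The pivot described above (linking phishing domains through shared, fictitious registration details) can be reproduced as a defender-side triage step. The following is an added example, not code or data from root9B's report: the WHOIS-style records, domain names, registrant fields and brand watchlist are all constructed and hypothetical.

```python
from collections import defaultdict

# Constructed WHOIS-style records (hypothetical). In practice these would come
# from a WHOIS/RDAP history source; the point is the pivot, not the data.
RECORDS = [
    {"domain": "cbi-secure-login.example", "registrant_name": "John Smith",
     "registrant_email": "jsmith1984@mail.example", "phone": "+1.5550100", "created": "2014-06-12"},
    {"domain": "tdcanadatrust-verify.example", "registrant_name": "john smith",
     "registrant_email": "JSmith1984@mail.example", "phone": "+1.5550100", "created": "2014-09-03"},
    {"domain": "regionsbank-alerts.example", "registrant_name": "J. Smith",
     "registrant_email": "jsmith1984@mail.example", "phone": "+1.5550100", "created": "2015-02-20"},
    {"domain": "legit-corp.example", "registrant_name": "Acme Corp",
     "registrant_email": "hostmaster@acme.example", "phone": "+1.5550199", "created": "2010-01-01"},
]

# Hypothetical brand watchlist: label fragment -> institution it would impersonate.
BRANDS = {"cbi": "Commercial Bank International", "tdcanadatrust": "TD Canada Trust",
          "regionsbank": "Regions Bank"}

def normalize(value: str) -> str:
    # Case and punctuation vary between registrations; compare alphanumerics only.
    return "".join(ch for ch in value.lower() if ch.isalnum())

def pivot_keys(rec: dict) -> list:
    # Registrant names are too freely varied ("J. Smith" vs "John Smith") to pivot
    # on; e-mail and phone are the stable fields in this constructed data.
    return [("email", normalize(rec["registrant_email"])), ("phone", normalize(rec["phone"]))]

def cluster_by_registrant(records: list) -> list:
    # Union-find over shared pivot keys; returns only clusters of two or more domains.
    parent = {r["domain"]: r["domain"] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    first_seen = {}
    for r in records:
        for key in pivot_keys(r):
            if key in first_seen:
                parent[find(r["domain"])] = find(first_seen[key])
            else:
                first_seen[key] = r["domain"]
    groups = defaultdict(list)
    for r in records:
        groups[find(r["domain"])].append(r["domain"])
    return [sorted(g) for g in groups.values() if len(g) > 1]

def impersonated_brand(domain: str):
    label = normalize(domain.split(".")[0])
    return next((name for token, name in BRANDS.items() if token in label), None)

def expand_from_seed(seed: str, records: list) -> dict:
    # Starting from one confirmed phishing domain, return sibling domains that share
    # its registrant details, each tagged with the brand it appears to target.
    for cluster in cluster_by_registrant(records):
        if seed in cluster:
            return {d: impersonated_brand(d) for d in cluster if d != seed}
    return {}
```

Feeding the CBI domain in as the seed yields the TD Canada Trust and Regions Bank look-alikes, while the unrelated corporate domain stays outside the cluster.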

Researchers determined that the malicious actors started preparations for this campaign back in June 2014.

“While the continued vector of the attack remains unclear, root9B assesses that it will most likely be a spear-phishing campaign. This attack vector will likely use a well-crafted email containing either a malicious file or web hyperlink to what recipients believe is the actual website; but is instead a fake landing page,” the security firm wrote in its report.

Experts noted that while such phishing websites are usually utilized to trick users into handing over personal and financial information, it’s possible that the threat group could try to use the servers hosting the phishing pages to deliver malware that gives them access to victims’ networks.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.