
16 November

Two hacker groups attacked Russian banks purporting to be the Central Bank of Russia

Group-IB, an international company that specializes in the prevention of cyber attacks, has detected massive campaigns targeting Russian financial institutions. The emails were disguised to look as if they come from the Central Bank of Russia and FinCERT, the Financial Sector Computer Emergency Response Team. Group-IB experts have discovered that the attack on 15 November could have been carried out by the hacker group Silence, and the one on 23 October by MoneyTaker. Group-IB considers both cybercriminal groups among the most dangerous to Russian and international financial organisations.


November attack: Silence

On the morning of 15 November, Group-IB detected a malicious mass email campaign sent to Russian banks from a fake email address purporting to belong to the Central Bank of Russia (CBR). Of course, the CBR had nothing to do with the phishing campaign: the hackers spoofed the sender’s address, and SSL certificates were not used for DKIM verification. Emails with the subject line «Information from the Central Bank of the Russian Federation» asked recipients to review the regulator’s decision «On the standardisation of the format of CBR’s electronic communications» and to implement the changes immediately. The documents in question were supposedly contained in the zipped files attached; however, by uncompressing these files users downloaded Silence.Downloader, the tool used by the Silence hackers.

Group-IB experts have observed that the style and format of the emails were almost identical to official correspondence from the regulator. The hackers most likely had access to samples of legitimate emails. According to Group-IB’s report published in September 2018, Silence gang members presumably were or are legally employed as pentesters and reverse engineers. As such, they are very familiar with documentation in the financial sector and the structure of banking systems.


October attack: MoneyTaker

The message sent on 23 October, also from a fake FinCERT email address, contained five attachments disguised as official CBR documents. Among them was a document entitled «Template Agreement on Cooperation with the Central Bank of the Russian Federation on Monitoring and Information Exchange .doc». Three of the five files were empty decoy documents, but the other two contained a downloader for the Meterpreter stager. To carry out the attack, the hackers used self-signed SSL certificates. Furthermore, the server infrastructure involved had been used in previous attacks conducted by MoneyTaker. All these factors led to the conclusion that MoneyTaker was behind the October attack.
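Both campaigns share the same shape from the receiving bank's side: a From: address claiming to be the regulator, no DKIM pass to back that claim, and an archive or document attachment carrying the downloader. The triage script below is an added example written for this page, not Group-IB's or the CBR's code; the regulator domains (`cbr.example`, `fincert.example`) are placeholders and the sample messages are constructed inline.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed placeholders for the regulator domains being impersonated.
PROTECTED_DOMAINS = {"cbr.example", "fincert.example"}
# Archive and document types used as carriers in the two campaigns described.
RISKY_EXTENSIONS = (".zip", ".rar", ".doc", ".docm", ".exe")
# Matches "dkim=pass ... header.d=<signing domain>" inside Authentication-Results.
DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", re.I)


def claimed_domain(msg):
    """Domain part of the From: address as the recipient sees it."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dkim_passed_for(msg, domain):
    """True if the receiving MTA recorded a DKIM pass signed by `domain`."""
    for hdr in msg.get_all("Authentication-Results", []):
        for signer in DKIM_PASS.findall(str(hdr)):
            if signer.lower() == domain:
                return True
    return False


def triage(raw):
    """Return findings for one RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    domain = claimed_domain(msg)
    # A protected sender domain without a matching DKIM pass is treated as spoofed.
    if domain in PROTECTED_DOMAINS and not dkim_passed_for(msg, domain):
        findings.append(f"spoofed-sender:{domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{name}")
    return findings


def build_sample(from_addr, auth_results=None, attachment=None):
    """Build a constructed sample message for testing; not a real capture."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "soc@bank.example"
    msg["Subject"] = "Information from the Central Bank of the Russian Federation"
    if auth_results:
        msg["Authentication-Results"] = auth_results
    msg.set_content("Please review the attached decision and implement it immediately.")
    if attachment:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()
```

A message from the placeholder regulator domain with a DKIM pass recorded for that same domain and no attachment produces no findings; the spoofed lure with a zipped attachment produces two.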

Group-IB experts believe that hackers managed to obtain the samples of CBR documents from earlier compromised mailboxes belonging to employees of Russian banks. MoneyTaker used the information obtained to design emails and documents purporting to be from the CBR to conduct targeted attacks on banks.

A spear-phishing campaign set up to look as if it comes from the Central Bank is a relatively widespread attack vector among cybercriminals; it has been used by groups such as Buhtrap, Anunak, Cobalt, and Lurk. In March 2016, for example, cybercriminals sent phishing emails from info@fincert.net. As for genuine notifications from the Central Bank of Russia, hackers from Lurk and Buhtrap have in the past used them to send malware to bank employees.

Since July, to share information, FinCERT has been using an automated incident processing system that makes it possible to securely and quickly share information about incidents and unauthorized operations based on the „Feed-Antifraud“ database. The backup channel for sharing information is email. All messages sent via email contain FinCERT’s electronic signature.


The Central Bank’s press service

Information and indicators of attack (IoAs) from the 23 October and 15 November attacks were quickly uploaded to Group-IB Threat Intelligence, which made it possible to warn Group-IB clients among Russian banks about the potential threat. Group-IB TDS (Threat Detection System) detected both phishing campaigns and signalled the malicious activity. The Group-IB system blocked this threat in inline mode.

MoneyTaker and Silence are two of the four most dangerous hacker groups that present a real threat to international financial organisations. Hackers from MoneyTaker use all possible attack vectors when targeting banks. For example, they can send spear-phishing emails, carry out a drive-by attack, or test a bank’s network infrastructure for existing vulnerabilities. After gaining access to the network’s internal nodes, hackers are easily able to carry out attacks and withdraw money through ATMs, card processing or interbank transfer systems (in Russia, AWS CBR, the Russian Central Bank’s Automated Workstation Client). Silence, for their part, are less resourceful and use only a tried and tested attack method — phishing emails. Unlike their colleagues, however, they pay closer attention to the content and design of their phishing emails.

Rustam Mirkasymov


Head of Group-IB’s Dynamic Malware Analysis department and threat intelligence expert
