Group-IB, an international company that specializes in the prevention of cyber attacks, has detected massive campaigns targeting Russian financial institutions. The emails were disguised to look as if they come from the Central Bank of Russia and FinCERT, the Financial Sector Computer Emergency Response Team. Group-IB experts have discovered that the attack on 15 November could have been carried out by the hacker group Silence, and the one on 23 October by MoneyTaker. Group-IB considers both cybercriminal groups among the most dangerous to Russian and international financial organisations.
November attack: Silence
In the morning of 15 November, Group-IB detected a malicious mass email campaign sent to Russian banks from a fake email address purporting to belong to the Central Bank of Russia (CBR). Of course, the CBR does not have anything to do with the phishing campaign — the hackers faked the sender’s address. SSL certificates were not used for DKIM verification. Emails with the subject line «Information from the Central Bank of the Russian Federation» asked recipients to review the regulator’s decision «On the standardisation of the format of CBR’s electronic communications» and to immediately implement the changes. The documents in question were supposedly contained in the zipped files attached, however by uncompressing these files users downloaded Silence.Downloader — the tool used by Silence hackers.
Group-IB experts have observed that the style and format of the emails were almost identical to official correspondence from the regulator. The hackers most likely had access to samples of legitimate emails. According to Group-IB’s report published in September 2018, Silence gang members presumably were or are legally employed as pentesters and reverse engineers. As such, they are very familiar with documentation in the financial sector and the structure of banking systems.
October attack: MoneyTaker
The message sent on 23 October, also from a fake FinCERT email address, contained five attachments disguised to look like official CBR documents. Among them was a document entitled «Template Agreement on Cooperation with the Central Bank of the Russian Federation on Monitoring and Information Exchange .doc». Three out of five files were empty decoy documents, but two contained a download for the Meterpreter Stager. To carry out the attack, hackers used self-signed SSL certificates. Furthermore, the server infrastructure involved had been used in the previous attacks conducted by MoneyTaker. All these factors led to the conclusion that MoneyTaker was behind the October attack.
Group-IB experts believe that hackers managed to obtain the samples of CBR documents from earlier compromised mailboxes belonging to employees of Russian banks. MoneyTaker used the information obtained to design emails and documents purporting to be from the CBR to conduct targeted attacks on banks.
A spear-phishing campaign set up to look like it was carried out by the Central Bank is a relatively widespread vector of attack among cyber criminals; it has been used by groups such as Buhtrap, Anunak, Cobalt, and Lurk. In March 2016, for example, cybercriminals sent phishing emails from firstname.lastname@example.org. As regards to genuine notifications from the Central Bank of Russia, in the past hackers from Lurk and Buhtrap used them to send malware to bank employees.
The Central Bank’s
Information and indicators of attack (IoAs) from 23 October and 15 November attacks were quickly uploaded to Group-IB Threat Intelligence, which allowed to warn Group-IB clients among Russian banks about the potential threat. Group-IB TDS (Threat Detection System) detected both phishing campaigns and signalled about the malicious activity. Group-IB system blocked this threat in inline mode.
Group-IB Head of Dynamic Analysis of malware department and threat intelligence expert