Buhtrap: the evolution of targeted attacks against financial institutions
The report outlines the activity of the most dangerous and comprehensive cybercriminal group attacking internal banking systems
Request
Key facts
13
successful attacks against banking institutions conducted between August 2015 and February 2016
$25 mln
stolen from Russian banks
$2 mln
average banking losses
per incident
62%
the average amount of theft as compared to the bank’s charter capital
Find the most recent details about
Tactics, Technics and Procedures (TTPs) and detailed descriptions of attack vectors
How the malware spreads through internal banking network
The timeline of the Buhtrap group activity and the chronology of attacks against banks
Indicators of Compromise (IoCs) of banking malware
Knowing the dynamics and the ways, how threat actors develop and tune their industry‑specific attacks is vital to be one step ahead cybercriminals. Anunak, Corkow and Buhtrap are not the only cyber groups actively attacking banks. We have detected at least two more cyber gangs which are believed to be preparing attacks against financial institutions.
Due to the constantly evolving threat landscape, the necessity to keep your security strategy and tactics up to pace with it has never been more crucial. We are devoted to staying ahead of the curve and providing the industry with the latest cyber threat intelligence both through public reports and our Threat Intelligence service.
Dmitry Volkov
Chief Technical Officer, Сo‑founder Group‑IB
Group-IB research on targeted attack groups
Regin
Strategic intelligence data on state-sponsored groups, industry-specific cyberthreats, targeted attacks on banks and banking clients
Winnti
Strategic intelligence data on state-sponsored groups, industry-specific cyberthreats, targeted attacks on banks and banking clients
Hi-Tech Crime Trends 2019/20
Strategic intelligence data on state-sponsored groups, industry-specific cyberthreats, targeted attacks on banks and banking clients
Silent Cards
APT group from Kenia targeting regional banks.
BlackEnergy
BackEnergy is one of the most advanced energy sector-oriented groups and has caused disruptions in energy organizations more than once.
Xenotime
Xenotime, known for its malware called Triton (aka Trisis), had improved its malware and its new version could be used to attack various industrial safety systems.
LeafMiner
LeafMiner hackers, believed to be based in Iran, use watering hole attacks to infiltrate targeted organizations.
Thrip
The Chinese hacker group Thrip is known for espionage and sabotage attacks. In particular, they target organizations in the satellite communications sector.
Lurk
In February 2015, the group stole 150 million rubles ($2,3 million) from a Russian bank. Members of the criminal group were arrested in May 2016
Hexane
HEXANE is a new group targeting the industrial sector. Its members have been active since mid-2018, focusing on the Middle East, Central Asia, and Africa.
Dragonfly
The group Dragonfly, believed to be sponsored by Russia, focuses on collecting data from energy and industrial facilities.
Chafer
The goal of the group Chafer (aka APT39) is to collect personal data for further user monitoring and tracking operations in support of Iranian national interests.
APT10
Chinese state-sponsored group APT10 conducted the large-scale attack to obtain CDR records belonging to a large telecommunications provider.
APT33
In late 2018, APT33 (aka Elfin, Magnallium) resumed its attacks using a new variant of the Shamoon Trojan, targeting oil, gas, telecommunications, and energy companies as well as government organizations.
Muddywater
The state-sponsored group MuddyWater gained access to the local network of Korek Telecom, a mobile operator based in Erbil, Iraq.
Attacks by Silence
A comprehensive technical analysis of Silence’s tools, tactics, and evolution. This is the first time Group‑IB’s reports of this kind have been made publicly available.
Crime without punishment: in-depth analysis of JS-sniffers
In-depth analysis and new types of a growing threat — JS‑sniffers — designed to steal payment data
Hi-Tech Crime Trends 2018
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Hi-Tech Crime Trends 2017
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Hi-Tech Crime Trends 2016
Learn about the evolution of cyber crime in 2016 and find out what predictions for 2017 came true. Spoiler: most of them did.
2018 Cryptocurrency Exchanges
Estimation of the number of login and passwords leaks of cryptoсurrency exchanges users and analysis their nature. Recommendations for ensuring security of users and exchanges.
Cobalt: their evolution and joint operations
Learn about Cobalt’s development and modification of tools and tactics which were used to steal approximately 1 billion dollars from over 100 banks in 40 different countries.
MoneyTaker
This hacker group is noticeable for 1.5 years of silent operations and multiple attacks. They still pose a threat: learn about MoneyTaker techniques and indicators of compromise now.
Lazarus Arisen: Architecture, Techniques and Attribution
Lazarus group targets the largest international banks as well as central banks in various countries.
Analysis of attacks against trading and bank card system
Group-IB annual report on speculative fluctuations of exchange rate and other incidents in 2015 caused by the Trojan program Corkow (Metel).
Anunak: APT against financial institutions
This research includes the findings of Group-IB and Fox‑IT on Anunak (Carbanak) group, which focused its activity on banks and electronic payment systems.
Regin
Strategic intelligence data on state-sponsored groups, industry-specific cyberthreats, targeted attacks on banks and banking clients
Winnti
Strategic intelligence data on state-sponsored groups, industry-specific cyberthreats, targeted attacks on banks and banking clients
Hi-Tech Crime Trends 2019/20
Strategic intelligence data on state-sponsored groups, industry-specific cyberthreats, targeted attacks on banks and banking clients
Silent Cards
APT group from Kenia targeting regional banks.
BlackEnergy
BackEnergy is one of the most advanced energy sector-oriented groups and has caused disruptions in energy organizations more than once.
Xenotime
Xenotime, known for its malware called Triton (aka Trisis), had improved its malware and its new version could be used to attack various industrial safety systems.
LeafMiner
LeafMiner hackers, believed to be based in Iran, use watering hole attacks to infiltrate targeted organizations.
Thrip
The Chinese hacker group Thrip is known for espionage and sabotage attacks. In particular, they target organizations in the satellite communications sector.
Lurk
In February 2015, the group stole 150 million rubles ($2,3 million) from a Russian bank. Members of the criminal group were arrested in May 2016
Hexane
HEXANE is a new group targeting the industrial sector. Its members have been active since mid-2018, focusing on the Middle East, Central Asia, and Africa.
Dragonfly
The group Dragonfly, believed to be sponsored by Russia, focuses on collecting data from energy and industrial facilities.
Chafer
The goal of the group Chafer (aka APT39) is to collect personal data for further user monitoring and tracking operations in support of Iranian national interests.
APT10
Chinese state-sponsored group APT10 conducted the large-scale attack to obtain CDR records belonging to a large telecommunications provider.
APT33
In late 2018, APT33 (aka Elfin, Magnallium) resumed its attacks using a new variant of the Shamoon Trojan, targeting oil, gas, telecommunications, and energy companies as well as government organizations.
Muddywater
The state-sponsored group MuddyWater gained access to the local network of Korek Telecom, a mobile operator based in Erbil, Iraq.
Attacks by Silence
A comprehensive technical analysis of Silence’s tools, tactics, and evolution. This is the first time Group‑IB’s reports of this kind have been made publicly available.
Crime without punishment: in-depth analysis of JS-sniffers
In-depth analysis and new types of a growing threat — JS‑sniffers — designed to steal payment data
Hi-Tech Crime Trends 2018
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Hi-Tech Crime Trends 2017
Introducing the research on cybersecurity trends and predictions for the next year. Plan your cybersecurity strategy effectively.
Hi-Tech Crime Trends 2016
Learn about the evolution of cyber crime in 2016 and find out what predictions for 2017 came true. Spoiler: most of them did.
2018 Cryptocurrency Exchanges
Estimation of the number of login and passwords leaks of cryptoсurrency exchanges users and analysis their nature. Recommendations for ensuring security of users and exchanges.
Cobalt: their evolution and joint operations
Learn about Cobalt’s development and modification of tools and tactics which were used to steal approximately 1 billion dollars from over 100 banks in 40 different countries.
MoneyTaker
This hacker group is noticeable for 1.5 years of silent operations and multiple attacks. They still pose a threat: learn about MoneyTaker techniques and indicators of compromise now.
Lazarus Arisen: Architecture, Techniques and Attribution
Lazarus group targets the largest international banks as well as central banks in various countries.
Analysis of attacks against trading and bank card system
Group-IB annual report on speculative fluctuations of exchange rate and other incidents in 2015 caused by the Trojan program Corkow (Metel).
Anunak: APT against financial institutions
This research includes the findings of Group-IB and Fox‑IT on Anunak (Carbanak) group, which focused its activity on banks and electronic payment systems.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Thank you for your interest in our research.
Please fill in the form below and we will send you the Group-IB report. Please make sure to correctly fill in all fields, we will only provide materials on provision of a valid corporate email address.
Advanced protection against cyber threats
Group-IB’s security ecosystem provides comprehensive protection for your IT infrastructure based on our unique cyber intelligence and deep analysis of attacks and incident response.
Threat
Intelligence
Intelligence
Аctionable, finished intelligence to track actors and prevent attacks before they happen
Threat Detection System
Intelligence-driven network protection even from the most advanced attacks
Secure Bank
Client-side fraud and attack prevention system for online banking, working across sessions, platforms and devices
Secure Portal
Protection from bots, fraud and data leakage for e‑commerce and web portals