Cybersecurity experts at root9B, staffed by veterans from the U.S. State Dept. and Dept. of Defense, have discovered that a powerful Russian cyber hacking group linked to Kremlin-backed cyber-espionage is making preparations for a large-scale attack on global banks.
The attack “is still in the preparatory stages,” and has been in the works “for nearly a year,” possibly starting in June 2014, root9B says.
Among the banks targeted: Bank of America (BAC), Regions Bank (RF), Canada’s TD Trust, Commercial Bank International in the UAE, and possibly Germany’s Commerzbank. Also targeted: UNICEF and United Bank for Africa.
Russian hacking syndicates have been known to conduct attacks against Estonia, Georgia, and Ukraine, and have been “credited with targeting NATO officials at conferences, stealing hundreds of millions from banks, and successfully penetrating the White House’s unclassified computer network,” root9B says.
Eric Hipkins, root9B chief executive officer, said in a statement: “We’ve spent the past three days informing the proper authorities in Washington and the UAE,” as well as the financial organizations. The banks so far are not commenting on the discovery.
Specifically, the analysts at root9B said the malware they discovered contains code signatures previously associated with an advanced persistent threat (APT) group known as APT28. The group is also thought to go by the names Pawn Storm, Sednit, Fancy Bear, Tsar Team, and Sofacy.
APT28, active since at least 2007, is known for targeting military, government and media organizations around the world. Last October FireEye (FEYE) published a report showing a direct link between the APT group and Russia.
The cybersecurity firm says in the latest planned attack, it discovered malware that acts as a backdoor program, and fake servers “generally associated with nation-state attacks” while performing surveillance for a client.
“It is rare enough to learn of an attack of this potential magnitude in advance, but to have all the information necessary to stop it before it begins is unprecedented,” says a root9B analyst who asked to remain unnamed.
APT28’s preparations also include writing new malware and setting up command-and-control servers, root9B says. And in a new development that goes beyond spear-phishing and passwords: Russian hackers are brazen enough to build fake websites that appear to be run by banks, companies and government entities.
One fake spear-phishing domain that first led root9B to the discovery is “registered to impersonate a Middle Eastern financial institution,” it says, adding that the domain appeared to be set to launch a spear-phishing campaign aimed at UAE banks and customers. That domain was a red flag to cyber experts since it was hosted on a server known to be associated with state-sponsored hacks. Analysts at root9B subsequently discovered new malware with code signatures specific to APT28.
“While the continued vector of the attack remains unclear, root9B assesses that it will most likely be a spear-phishing campaign. This attack vector will likely use a well-crafted email containing either a malicious file or web hyperlink to what recipients believe is the actual website, but is instead a fake landing page,” the security firm wrote in its report.
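The two red flags described above, a domain name that impersonates a bank and hosting on infrastructure already tied to earlier intrusions, are the kind of signals a defender can score automatically over a feed of new registrations. The following is an added example, not code from root9B or from the article; the protected domains, the flagged hosting addresses (RFC 5737 documentation ranges) and the sample registrations are all constructed.

```python
"""Triage newly registered domains for bank impersonation: lookalike name
plus hosting on addresses linked to hostile infrastructure. All data is
constructed for illustration; nothing here comes from the root9B report."""
from difflib import SequenceMatcher

# Constructed: domains of the institutions we protect.
PROTECTED_DOMAINS = ["examplebank.com", "gulfcommercial.ae"]
# Constructed: hosting addresses previously linked to hostile infrastructure.
FLAGGED_HOSTS = {"192.0.2.10", "198.51.100.7"}


def registrable_label(domain: str) -> str:
    """Crude: label left of the last dot, e.g. 'examplebank-login' from
    'examplebank-login.com'. Fine for samples; real code should use a PSL."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reasons(candidate: str) -> list:
    """Return (protected domain, rule) pairs the candidate resembles."""
    cand = registrable_label(candidate)
    reasons = []
    for legit in PROTECTED_DOMAINS:
        if candidate.lower() == legit:
            continue  # the genuine domain, not an impersonation
        brand = registrable_label(legit)
        if brand in cand:  # e.g. examplebank-secure-login.com
            reasons.append((legit, "brand-token"))
        elif SequenceMatcher(None, brand, cand).ratio() >= 0.8:
            reasons.append((legit, "near-spelling"))  # e.g. exarnplebank.com
    return reasons


def triage(domain: str, hosting_ip: str) -> dict:
    """Combine name similarity with the hosting pivot; both together is strongest."""
    reasons = lookalike_reasons(domain)
    flagged_host = hosting_ip in FLAGGED_HOSTS
    if reasons and flagged_host:
        verdict = "high"
    elif reasons or flagged_host:
        verdict = "medium"
    else:
        verdict = "none"
    return {"domain": domain, "ip": hosting_ip, "lookalike": reasons,
            "flagged_host": flagged_host, "verdict": verdict}


# Constructed registrations, as a new-domain feed might deliver them.
SAMPLE_REGISTRATIONS = [
    ("examplebank-secure-login.com", "192.0.2.10"),  # lookalike + flagged host
    ("exarnplebank.com", "203.0.113.5"),             # lookalike only
    ("gulfcommercial.ae", "203.0.113.9"),            # the real thing
    ("weather-today.example", "198.51.100.7"),       # flagged host only
]

if __name__ == "__main__":
    for dom, ip in SAMPLE_REGISTRATIONS:
        print(triage(dom, ip))
```

A "medium" on hosting alone is worth a second look rather than an alert on its own, since shared hosting puts plenty of benign sites on the same addresses.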
Cyber experts have told FOX Business that phishing attacks are usually deployed to trick bank customers into revealing personal and financial information.
In addition, root9B analysts also believe APT28 might be operating two subunits: one that targets military and governments, and the other that zeroes in on banks and financial institutions.
In the last year alone Russian hackers have reportedly stolen up to $900 million from banks around the world, says root9B. “Over the past three to five years they have built the largest botnets ever discovered, and stolen the log-in and password credentials to literally tens of millions of online accounts,” it adds. “Well known for their ability to infiltrate and remain undiscovered in networks for long periods of time, they may be the most successful group of hackers in the world.”
Original article on this hack can be found here. 5/14/2015