Russian hackers stole millions from banks, ATMs

HITBSecConf2019 - The 10the annual HITB Security Conference in The Netherlands - Trainings, Conference track and Haxpo exhibition. Register now.

Tens of millions of dollars, credit cards and intellectual property stolen by a new group of cyber criminals.

Group-IB and Fox IT, in a joint research effort, released a report about the Anunak hackers group. This group has been involved in targeted attacks and espionage since 2013.

Anunak targets banks and payments systems in Russia and CIS countries. In Europe, USA and Latin America criminals were mainly focusing on retail networks as well as mass media resources.

Anunak is unique in the fact that it aims to target banks and e-payment systems. The goal is to get into bank networks and gain access to secured payment systems. As a result, the money is stolen not from the customers, but from the bank itself. If they manage to infect governmental networks, they use the infrastructure for espionage.

When malefactors gain access to internal networks, they have total control over computers of system administrators and IT-specialist, record videos of key workers actions to understand how the work is organized. They then take control over e-mails to monitor internal communications and set up remote control to the network by changing its hardware parameters.

Experts discovered that hackers had access to cash machines management systems and could remotely infect them with malware for the purpose of getting money from them upon attackers request in the future.

In the report, Group-IB and Fox IT describe in detail the methods and software that were used by hackers, and the methods and tools that can be used to protect networks and counter targeted attacks.

“We have seen criminals branching out for years, for example with POS malware,” says Andy Chandler, Fox IT’s SVP and general manager. “Anunak has capabilities which pose threats across multiple continents and industries. It shows there’s a grey area between APT and botnets. The criminal’s pragmatic approach once more starts a new chapter in the cybercrime ecosystem.”

Some of the report’s key takeaways:

  • Average theft in Russia and CIS countries for this group is 2 million US dollars.
  • Anunak group had access to more than 50 Russian banks, 5 payment systems, 16 retail companies. Most of retail companies are outside of Russia, while not a single US/EU bank has been attacked.
  • As of now around 17 million dollar (over 1 billion rubles) has been stolen by the group, most of that during the last 6 months.
  • Average time from the moment the group gains access to internal network till the money is stolen equals 42 days.
  • Today, the Anunak group is still in operation which is why Group-IB and Fox IT forecast an increase in the number of targeted attacks in 2015.