Two hacker groups attacked Russian banks posing as the Central Bank of Russia
Financial Sector Computer Emergency Response Team. Group-IB experts have
November attack: Silence
The message sent on 23 October, also from a fake FinCERT email address, contained five attachments disguised to look like official CBR documents. Among them was a document entitled “Template Agreement on Cooperation with the Central Bank of the Russian Federation on Monitoring and Information Exchange .doc”. Three out of five files were empty decoy documents, but two contained a download for the Meterpreter Stager. To carry out the attack, hackers used self-signed SSL certificates. Furthermore, the server infrastructure involved had been used in the previous attacks conducted by MoneyTaker. All these factors led to the conclusion that MoneyTaker was behind the October attack.
Group-IB experts believe that hackers managed to obtain the samples of CBR documents from earlier compromised mailboxes belonging to employees of Russian banks. MoneyTaker used the information obtained to design emails and documents purporting to be from the CBR to conduct targeted attacks on banks.
“Since July, to share information, FinCERT has been using an automated incident processing system that makes it possible to securely and quickly share information about incidents and unauthorized operations based on the “Feed-Antifraud” database,” comments the Central Bank’s press service. “The backup channel for sharing information is email. All messages sent via email contain FinCERT’s electronic signature.”
phishing campaigns and
About the author Group-IB
Group-IB is one the world’s leading providers of solutions aimed at detection and prevention of cyber attacks, fraud exposure and protection of intellectual property on the Internet. GIB Threat Intelligence cyber threats data collection system has been named one of the best in class by Gartner, Forrester, and IDC.
Group-IB’s technological leadership is built on company’s fifteen years of hands-on experience in cybercrime investigations all over the world and 55 000 hours of cyber security incident response accumulated in the largest forensic laboratory in Eastern Europe and a round-the-clock centre providing a rapid response to cyber incidents—CERT-GIB.
Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE.