An attack takes place and either succeeds or fails. The reality however is more complicated. Attackers are often able to initially gain a minor foothold in the target and then over time leverage it into a more devastating attack.
First Published 20th July 2018
Вверх, вверх, вверх!
3 min read | Reflare Research Team
In this week’s briefing, we will take a look at a recent hack of a Russian bank to gain a better understanding of how attackers use existing footholds to gain more and more access within an organization.
What happened?
According to reports by ArsTechnica, on July 3rd a hacking group known as “MoneyTaker” managed to steal roughly US$1m from Russia’s PIR Bank. The attack is educational since it combines both common and somewhat uncommon elements which are not well understood by the public.
What was uncommon?
Unlike most hacking attacks, the attack in question led to cash being wired to pre-prepared mule accounts. Mule accounts are bank accounts usually held by unsuspecting dupes who then transfer the money to the attackers. Mules are commonly recruited using “work from home” spam emails or ads, offering the mule commissions for transferring allegedly legal funds. This final transfer is usually done in cash, cryptocurrencies or through services like Western Union. This makes it very hard to track the criminals behind the attack.
Mule accounts however are more commonly used in money laundering by classical criminal organizations. The receiving of multiple cash or almost-cash transactions requires significant organizational skills and manpower not commonly found among cybercriminal organizations at the moment. Cyber attacks more commonly focus on stealing digital assets such as cryptocurrencies and, credit card numbers or making a profit through ransoms.
This approach suggests that MoneyTaker might be a classical criminal organization that has “gone digital” or that has joined up with cyber criminals for their mutual benefit.
What is common?
According to the reports, the group first gained access to a router belonging to a local bank branch. Within the context of banking networks, this is one of the least critical possible targets. After access was established, the attackers spent several weeks gathering intelligence on the bank, its operations, individual staff and other details until they were finally able to leverage all of the gathered information to gain access to a critical control system.
While no details are available at the time of writing this briefing, one common approach taken by attackers is to leverage knowledge on one of the target’s employees to guess or reset a password used by that person. Once access to the control system was established, the funds were transferred out.
Summary
The common perception of cyber attacks is usually quite instant. An attack takes place and either succeeds or fails. The reality however is more complicated. Attackers are often able to initially gain a minor foothold in the target and then over time leverage it into a more devastating attack.
Organizations are advised to establish firm reporting policies so that employees don’t ignore the symptoms of such minor attacks. Often, the first and best line of defence against real-world cyber attacks is having a workforce that is well trained and well motivated to deal with them.