There are frequent discussions of Russia-related cyber attacks, but these mainly focus on attribution of infrequent nation-state and government-related incidents. This presentation focuses on what matters more to the information security community: the large and active ecosystem of Russian-speaking cyber criminals, whose attacks target businesses and information security teams daily, worldwide.

Cybercrime in the Russian-speaking world, by Tim Bobak (Group-IB)

  1. GROUP-IB.COM – A window into Russian-speaking cybercrime. Tim Bobak – Group-IB Threat Intel Outreach
  2. Agenda & clarification
     • Different from nation-state attacks: not the same actors or the same tools; totally different targets and goals.
     • What is Russian-speaking cybercrime? Community: from CarderPlanet to help-based and collaborative.
     • Business orientated: from cybercrime to cybercrime business models; modularised and therefore hard to stop.
     • Not just in Russia: criminals spread over the former USSR; Russian-speaking, with global reach; arrest patterns, geographical hubs; language & forums.
  3. What areas of activity are there in cybercrime? What kinds of services & attacks are being created?
     • Targeted attacks: organised attacks on legal entities and banks, e.g. card processing, ATM logical attacks.
     • Malware development: 20 of 22 new trojans for stealing funds are Russian in origin; exploit kits.
     • Muling, spam & traffic networks: money laundering schemes; spam and dissemination campaigns.
     • Phishing kits & ATS: automated tools for mass usage; large-scale, low-cost operations.
     • Card fraud: standard fraud patterns; tools.
     • Bitcoin attacks: attacks on Bitcoin exchanges; new injects targeting sites.
  4. Why?
     • Former Soviet, Russian-speaking: arrest patterns, geographical hubs; language & forums.
     • Socio-economic: STEM background; mentality; average regional pay 15 000 RUR (about 30 000 yen).
     • Historic: impact of instability; the 90's -> forums (carder, xploit, maza, korovka, etc.).
     • Infrastructure: money laundering / tax system; cash economies; legal systems.
     • Geo-politics affect policing: politics or business, what came first? A combination of factors.
  5. Where? Forums – crime as a service: the "least worst" forum; broad range of topics; traffic / rentals; broad services; value in context; muling.
  6. What – banking trojans. Recently of note: Gozi / Ursnif (Japan); Trickbot (growing). The majority of Android bankers are now Russian in origin.
  7. What? Tools and kits
  8. What? Ransomware & tools
  9. Exploit frameworks – Word Intruder / CVE-2017-0199
  10. Targeted attacks – in Russia. Losses listed in rubles; approximate total $100–200 mln. *Cobalt was detected in June. FIN7 – "mad stacks".
  11. Who are the most advanced attackers?
  12. Who / how / where
     • Buhtrap: ARM CBR (SWIFT analog)
     • Cobalt (active): ATM, card processing, payment gateways & systems, SWIFT; geography
     • Corkow: trading terminals, card processing, ATM
     • Anunak related: internet banking, ARM CBR, SWIFT, payment gateways, card processing, ATM
     • Lurk (arrested): ARM CBR (SWIFT analog)
     • FIN7 / MoneyTaker (active): card processing, ATM; geography
  13. Future targeted attackers: Toplel (active), Ranbyus, RTM, Vawtrak, Dridex. Notes shown on the slide:
     • "Balance is 500 thousand pounds, inter-UK, for money mules (now such money mules now). Skip for now."
     • "Account for authorization of payments, balance is 2 million pounds."
     • "No function of payment approval. Balance is 18 million pounds. Tried to transfer 2 million to China."
     • "Balance is 15 million pounds, dual authorization off. No opportunity to establish sort code for transfer. It is better to ring out."
  14. What should the financial sector worry about?
  15. What else should you worry about?
  16. Targets: corporate internet banking software
     • Compromise operator workstations of corporate accounts
     • List companies with high balances
     • Generate new digital signatures for each company
     • Sign transactions from corporate accounts with the new digital signatures
     Access to corporate internet banking enables criminals to steal from top clients. Anunak used this method in 2013-2014.
  17. Targets: payment gateways
     • Once inside, hackers search for payment gateways
     • Obtain log files from payment gateways to understand the typical format of communication
     • Start SOCKS proxies on internal hosts to enable communication with payment gateways
     • Run scripts to replenish the attackers' phone balances in thousands of transactions
     • Transfer money from phones to cards and cash out
     Script shown on the slide (PHP, reproduced as on the slide; the gateway host in the URL is not shown):
       $ses = date("Ymdhis");
       $url = " bin/DealerSertification/de_pay.cgi";
       $data_string = "SD=XXXXXX&AP=XXXXXX&OP=XXXXX&SESSION=".$ses."&COMMENT=Test&NUMBER=9642065662&AMOUNT_ALL=10.0&AMOUNT=10.0";
       $ch = curl_init();
       curl_setopt($ch, CURLOPT_URL, $url);
       curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
       curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded', 'Content-Length: '.strlen($data_string)));
       curl_setopt($ch, CURLOPT_POSTFIELDS, "inputmessage=0000038801SM000001270000012700000125&".$data_string);
       $result = curl_exec($ch);
       var_dump($result);
     Payment gateways enable high-frequency, low-amount transfers. Very hard to stop and to return the money.
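The detection side of slide 17: the gateway abuse described there is a burst of small top-ups to a handful of phone numbers from one internal host. The script below is an added example (not Group-IB's code or anything from the deck) that flags such bursts in a constructed request log; the log format, field names and thresholds are assumptions, modelled on the NUMBER/AMOUNT fields in the slide's script.

```python
"""Flag bursts of small phone top-ups sent to a payment gateway (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample log: "<timestamp> <internal source IP> <form fields sent to the gateway>".
# 10.20.1.15 behaves like the SOCKS-proxied script on slide 17; 10.20.1.40 is normal traffic.
SAMPLE_LOG = """\
2017-06-01T10:00:00 10.20.1.15 SD=1&OP=2&NUMBER=9640000001&AMOUNT=10.0
2017-06-01T10:00:01 10.20.1.15 SD=1&OP=2&NUMBER=9640000002&AMOUNT=10.0
2017-06-01T10:00:01 10.20.1.15 SD=1&OP=2&NUMBER=9640000003&AMOUNT=10.0
2017-06-01T10:00:02 10.20.1.15 SD=1&OP=2&NUMBER=9640000001&AMOUNT=10.0
2017-06-01T10:00:03 10.20.1.15 SD=1&OP=2&NUMBER=9640000002&AMOUNT=10.0
2017-06-01T10:05:00 10.20.1.40 SD=1&OP=2&NUMBER=9645551234&AMOUNT=300.0
2017-06-01T10:40:00 10.20.1.40 SD=1&OP=2&NUMBER=9645559999&AMOUNT=150.0
"""

def parse_line(line):
    """Split one log line into timestamp, source host and the gateway fields."""
    ts, src, query = line.split(" ", 2)
    fields = parse_qs(query)
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "number": fields["NUMBER"][0], "amount": float(fields["AMOUNT"][0])}

def find_bursts(log_text, window=timedelta(seconds=60), min_count=5, max_amount=50.0):
    """Return {source: {count, numbers}} for sources that sent at least min_count
    top-ups of max_amount or less inside one sliding window (thresholds are assumptions)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event["amount"] <= max_amount:
            by_src[event["src"]].append(event)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside the window.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_count:
                hit = events[start:end + 1]
                alerts[src] = {"count": len(hit),
                               "numbers": sorted({e["number"] for e in hit})}
                break
    return alerts
```

A small set of distinct NUMBER values receiving repeated top-ups from one host is the signature worth alerting on, since legitimate customers rarely top up the same few phones every second.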
  18. Targets: ATM – Europe case; Taiwan case; Cobalt and ATM heists
  19. Targets: trade terminals
     • The attack lasted only 14 minutes
     • $437 million in purchases (5 trades)
     • $97 million sold (2 trades)
     • 55 to 66 rubles — volatility in the exchange rate
     Corkow conducted the first successful attack on broker terminals in 2015.
  20. Targets: trade terminals
  21. Targets: local payment systems or SWIFT
     SWIFT working directories:
       [ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcm\in
       [ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcm\out
     ARM CBR working directories:
       [ROOT_DRIVE]:\uarm3\exq\inc
       [ROOT_DRIVE]:\uarm3\exq\out
     • Identify the working directory of the SWIFT or internal CB application
     • Replace payment details with the fraudster's information
     • Intercept confirmation messages to bypass identification of fraudulent transactions
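One control against the file replacement described on slide 21 is to hash each outgoing payment file when the banking application writes it and check the hash again just before the file is picked up for transmission. The script below is an added example (not from Group-IB or the deck): the outgoing directory, the message layout and the tampering scenario are constructed stand-ins for the SWIFT / ARM CBR "out" directories on the slide.

```python
"""Integrity check for an outgoing payment-message directory (constructed sample)."""
import hashlib
import os
import tempfile

def snapshot(directory):
    """Map each regular file in the directory to the SHA-256 of its content."""
    digests = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                digests[name] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def tampered_files(baseline, current):
    """Files whose content changed between the baseline (taken when the
    application wrote them) and the current snapshot (taken before pickup)."""
    return sorted(name for name, digest in baseline.items()
                  if name in current and current[name] != digest)

def demo():
    """Constructed scenario: two queued messages, one altered before pickup."""
    # Assumed stand-in for an outgoing directory such as ...\mcm\out on the slide.
    outdir = tempfile.mkdtemp(prefix="mcm_out_")
    paths = [os.path.join(outdir, n) for n in ("msg0001.txt", "msg0002.txt")]
    # Constructed message bodies loosely shaped like beneficiary/amount fields.
    with open(paths[0], "w") as fh:
        fh.write(":59:/40817810000000000001\nBENEFICIARY ONE\n:32A:170601RUB1000000,\n")
    with open(paths[1], "w") as fh:
        fh.write(":59:/40817810000000000002\nBENEFICIARY TWO\n:32A:170601RUB250000,\n")
    baseline = snapshot(outdir)  # taken when the application queued the files
    # Simulated tampering: beneficiary details of msg0001 rewritten in place.
    with open(paths[0], "w") as fh:
        fh.write(":59:/40817810999999999999\nMULE ACCOUNT\n:32A:170601RUB1000000,\n")
    return tampered_files(baseline, snapshot(outdir))
```

The baseline must be recorded by a process the attacker cannot reach from the operator workstation (for example a separate monitoring host reading the directory over a share), otherwise the hashes can be rewritten along with the files.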
  22. Targets: card processing
     • Legally open bank cards in the same bank or buy new cards on the dark market (usually about 30 cards)
     • Remove or increase withdrawal limits
     • Remove overdraft limits (even for debit cards)
     • Cash out using these cards in other countries
     Cobalt, Corkow and Anunak have been conducting these attacks since 2014. This provides very important cash-out benefits. Taiwan lesson.
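Slides 16 and 22 both describe a privileged change inside the bank (a new digital signature issued for a corporate account; a card's withdrawal or overdraft limit removed) followed shortly by the cash-out it enables. The correlation below is an added example (not Group-IB's detection logic): it runs two such sequence rules over constructed events; the event schema, the 24/48-hour windows and the home-country assumption are all mine.

```python
"""Correlate a privileged change with the follow-up cash-out it enables (constructed sample)."""
from datetime import datetime, timedelta

HOME_COUNTRY = "RU"  # assumption: the bank's home market; withdrawals elsewhere count as abroad

# Constructed events: (timestamp, entity, event kind, attributes)
EVENTS = [
    ("2017-06-01T09:00:00", "card:4111****0001", "limit_change", {"field": "withdraw_limit", "new": 5000000}),
    ("2017-06-01T09:01:00", "card:4111****0001", "limit_change", {"field": "overdraft_limit", "new": None}),
    ("2017-06-01T22:30:00", "card:4111****0001", "atm_withdrawal", {"country": "TW", "amount": 200000}),
    ("2017-06-01T09:10:00", "card:4111****0002", "limit_change", {"field": "withdraw_limit", "new": 100000}),
    ("2017-06-05T12:00:00", "card:4111****0002", "atm_withdrawal", {"country": "RU", "amount": 3000}),
    ("2017-06-02T14:00:00", "corp:ACME-LLC", "signature_issued", {"key_id": "new-key-77"}),
    ("2017-06-02T14:20:00", "corp:ACME-LLC", "transfer_signed", {"key_id": "new-key-77", "amount": 12000000}),
]

# rule name -> (trigger kind, follow-up kind, predicate(trigger attrs, follow-up attrs), window)
RULES = {
    "limit_change_then_foreign_cashout": (
        "limit_change", "atm_withdrawal",
        lambda t, f: f["country"] != HOME_COUNTRY, timedelta(hours=48)),
    "fresh_signature_then_transfer": (
        "signature_issued", "transfer_signed",
        lambda t, f: t["key_id"] == f["key_id"], timedelta(hours=24)),
}

def correlate(events, rules):
    """Return (rule, entity, follow-up timestamp) for every follow-up event that
    occurs within the window after a matching trigger for the same entity."""
    parsed = sorted(((datetime.fromisoformat(ts), ent, kind, attrs)
                     for ts, ent, kind, attrs in events), key=lambda e: e[0])
    alerts = []
    for rule, (trig_kind, follow_kind, pred, window) in rules.items():
        triggers = [(ts, ent, attrs) for ts, ent, kind, attrs in parsed if kind == trig_kind]
        for ts, ent, kind, attrs in parsed:
            if kind != follow_kind:
                continue
            if any(t_ent == ent and t_ts <= ts <= t_ts + window and pred(t_attrs, attrs)
                   for t_ts, t_ent, t_attrs in triggers):
                alerts.append((rule, ent, ts.isoformat()))
    return alerts
```

Card 0002 raises no alert because its withdrawal is at home and four days later, while card 0001 and the ACME-LLC account match the two sequences the slides describe.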
  23. Blackboxing
  24. Blackboxing & proliferation
     • Sold on forums
     • Low skillset
     • Limited losses
     • Welding tools / keys
     • Not strictly malware
     • Gas attacks more fun
     Yes…
  25. ATM malware – Cutlet on Wincor
  26. Forecasting
  27. Russian cybercrime trends & forecasts
     • 3rd-party attacks
     • Tool re-use and repurposing from the state sector
     • Scripted attacks & self-spreading
     • Traffic sale from routers
     • Destruction of infrastructure will cause the biggest losses
     • Move to crypto-services and currencies for attacks
     • Automated phishing & increased social engineering
     • Low-hanging fruit continues – economically motivated
  28. Conclusion:
     • Economic motivation
     • Criminal attacks cause the largest financial losses
     • Broader geographical spread than state-sponsored attacks
     • Communication between cybercriminal communities – e.g. Cutlet
     • Reuse of tools – can learn from other areas
     • More sharing required in order to deal with cybercrime in general
     • Increase the cost of conducting attacks (invest in anti-fraud, legislation, cooperation between business units – education)
  29. Questions: