Anunak APT Gang Makes Off With $18 Million


Security researchers have revealed details of a new organized cybercrime group which has managed to steal over 1 billion rubles ($18m) by targeting internal banking and payment systems, mainly in the financial services space.

First spotted in January 2013, but having made most of its money in the second half of this year, “Anunak” is composed mainly of Russian and Ukrainian members and has links to the notorious Carberp group, according to a report by Fox-IT and Group IB.

So far, the group has managed to gain access to over 50 banks, 5 payment systems and 16 retailers, with two of the banks losing their banking licenses as a result. The average loss per incident is around $2m.

The report continued:

“The key is that fraud occurs within the corporate network using internal payment gateways and internal banking systems. Thus money is stolen from the banks and payment systems, and not from their customers. While this is their main and most lucrative activity, the gang has also ventured into other areas including the compromise of media groups and other organizations for industrial espionage and likely a trading advantage on the stock market. In cases where the group got access to the government agency networks their aim was espionage related.”

In a classic APT-style attack pattern, the group infiltrates target networks via spear phishing emails and typically stays hidden for 42 days until theft occurs. Since August 2014 it has assembled its own botnet for sending out said emails.

In early cases of attacks on Russian banks, Anunak used two tools associated with the Carberp gang: the RDPdoor for remote access to the network; and the program “MBR Eraser” to remove traces and to crack Windows computers and servers.

As Anunak focuses on gaining access to internal bank networks, it managed to hack ATM management infrastructure, which allowed it to steal from these systems too, the report claimed.

The group has since expanded its list of targets to retail and media/PR companies.

The full report can be read here.
