Russian banks hit by major phishing attacks from two hacker groups

The Silence and MoneyTaker hacking crews have been targeting Russian financial institutions.
Written by David Meyer, Contributor

A cybersecurity firm says it has identified two major phishing campaigns targeting Russian financial institutions with emails purporting to come from the country's central bank and financial cybersecurity authorities.

One of the attacks took place Thursday morning. Attributed by Moscow-based Group-IB to the notorious Silence hacker group, the attack involved emails claiming to come from the Central Bank of Russia (CBR).

The emails came with .zip file attachments that were supposedly to do with "the standardization of the format of CBR's electronic communications", but were actually the Silence downloader.

Group-IB said in a September report that at least one member of the Silence crew had ties to the cybersecurity industry, working either currently or previously for a firm in the field. The company said Silence had been merrily hacking away since 2016.

In the case of the Thursday hack, Group-IB said the emails are convincingly close in format to those genuinely sent by the CBR, suggesting that "the hackers most likely had access to samples of legitimate emails".

However, while the sender addresses had been plausibly spoofed, the emails themselves did not pass DomainKeys Identified Mail (DKIM) validation.
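Group-IB's observation that the spoofed messages failed DKIM is the signal a receiving bank's mail gateway can act on even when the email body is a convincing copy. As an added example, not code from the article or from Group-IB, the Python below triages a message by its Authentication-Results header: it requires a passing DKIM signature whose signing domain aligns with the From domain, and separately notes archive attachments like the .zip lure described above. The sample messages and the cbr.example domain are constructed for the example.

```python
import re
from email import message_from_bytes, policy, utils

# Constructed samples (not from the article): a spoofed message whose From header claims the
# central bank's placeholder domain but whose DKIM check failed, and a clean control message.
SAMPLE_SPOOFED = b"""From: "Central Bank" <notify@cbr.example>
Subject: Standardization of the format of CBR electronic communications
Authentication-Results: mx.bank.example; dkim=fail header.d=cbr.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip; name="cbr_format.zip"
Content-Disposition: attachment; filename="cbr_format.zip"

UEsDBAoAAAAAAA==
--b1--
"""
SAMPLE_LEGIT = b"""From: "Central Bank" <notify@cbr.example>
Subject: Weekly bulletin
Authentication-Results: mx.bank.example; dkim=pass header.d=cbr.example
Content-Type: text/plain

No attachment here.
"""

def dkim_status(msg):
    """Return (result, signing domain) recorded by the receiving MX in Authentication-Results."""
    for ar in msg.get_all("Authentication-Results", []):
        m = re.search(r"dkim=(\w+)(?:.*?header\.d=([\w.-]+))?", str(ar))
        if m:
            return m.group(1).lower(), (m.group(2) or "").lower()
    return "none", ""

def triage(raw):
    """Flag a message whose From domain is not backed by a passing, aligned DKIM signature."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    result, signer = dkim_status(msg)
    flags = []
    if result != "pass":
        flags.append("dkim_" + result)  # no signature, or signature did not verify
    elif signer and signer != sender and not sender.endswith("." + signer):
        flags.append("dkim_domain_mismatch")  # signed, but by a domain other than the claimed sender
    if any((p.get_filename() or "").lower().endswith((".zip", ".rar", ".7z")) for p in msg.walk()):
        flags.append("archive_attachment")
    return flags
```

In production the Authentication-Results header must come from your own gateway (strip any copy supplied by the sender), since it is only as trustworthy as the host that wrote it.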


The other phishing campaign took place on October 23, involving emails that came from a fake address associated with Russia's Financial Sector Computer Emergency Response Team (FinCERT), and that also carried fake CBR attachments that, in this case, triggered downloads for the Meterpreter stager.

This attack, Group-IB said, was probably the work of a splendidly named hacker group called MoneyTaker. It made this claim because the attack used server infrastructure that had been previously used in MoneyTaker attacks.

Group-IB previously blamed MoneyTaker for a July attack that relieved PIR Bank of at least $920,000. Late last year, when it identified MoneyTaker as a threat, Group-IB said the outfit had targeted banks, law firms and financial software vendors.

The cybersecurity firm said in a Friday statement that MoneyTaker was the more dangerous of the hacker groups, using a range of weapons that include spear-phishing emails, drive-by attacks and tests of banks' network infrastructure.

"Silence, for their part, are less resourceful and use only a tried-and-tested attack method -- phishing emails," said Group-IB's head of dynamic malware analysis, Rustam Mirkasymov.

"Unlike their colleagues, however, they pay closer attention to the content and design of their phishing emails."

ZDNet has asked the Association of Russian Banks for comment, but had received none at the time of writing.
