Expert opinions, TECHNOLOGY

Lessons from the Bank of Russia cyber attack

In December last year, the MoneyTaker hacker group attacked a Russian bank. Experts from Group-IB, who detected the attack, did not disclose the name of the bank or the losses it suffered. But one important detail is known: the attack was carried out through an automated workstation of a Bank of Russia client. This means the perpetrators were able to reach the regulator's infrastructure, which signals a very serious threat to which every Russian banking institution is exposed.

Vladimir Trefilov / RIAN

What the cyber criminals did

There is nothing new about such attacks. They happen regularly to organizations with many contractors, affiliated entities and temporary employees. The core of such an organization is traditionally the focus of the information security team's attention and is reasonably well protected. Temporary users, however, and the points where the organization's network meets its contractors' infrastructure, are vulnerable and insufficiently controlled.

And that is exactly what happened here. The attack came through a compromised affiliated bank. Moreover, before launching it, the criminals spent six months studying the infrastructure with specialized software. This means the attack was organized by serious criminals who knew which data they needed and how valuable it was. The technique they used is called lateral movement: moving from the initial foothold across the network to locate sensitive data or the systems worth attacking.

Unfortunately, we do not know the details of the attack. We only know that it was launched from a device installed in an affiliated network, and that the perpetrators exploited a vulnerability on that device. There are many candidates: web vulnerabilities, insecure protocols, outdated software versions, and data left in the open such as saved links to internal sites and account credentials. Anything stored on the local disk of a user's device can be used to compromise it, and the use of spyware cannot be ruled out either.

What is wrong with security systems?

It is worth noting that protecting end devices is a very complicated task because of the great variety of such devices (PCs running various versions of Windows and macOS, mobile devices) and of the software on them, which may include encryption tools. The ultimate thing being protected, however, is the server infrastructure behind them: the business application that processes the organization's most valuable data.

Similar attacks cannot be ruled out in the future. In our practice we have encountered various incidents at financial institutions. For example, when clients make payments, files are exported from the bank's accounting system to a file share and then imported into the automated banking system. This process is something attackers can exploit. An employee familiar with the procedure can change the amounts credited to payment cards, and the error will not be discovered until much later, during reconciliation of correspondent accounts, which may happen once every few hours or once a day, by which time the attackers have already cashed out.

Digital signatures are not always applied to such files. They were in the Bank of Russia incident, but the attackers stole the keys and copied them to another folder. Actions on the files on the file share were not tracked, which is why the attack was not detected in time, let alone prevented.
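The export/import hand-off described in the two paragraphs above, as an added example (not code from the article or from Varonis): the accounting side attaches an authentication tag to the exported file, the banking side refuses the file if the bytes it receives do not match the tag, and the third scenario shows why a stolen key leaves only monitoring of the share as a defence. The tag is an HMAC over a shared secret rather than the asymmetric digital signature the text refers to, so the block runs with the standard library alone; the key, card numbers and amounts are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample export from the accounting system: two card credits
# with amounts in kopecks. Not real data.
SAMPLE_BATCH = [
    {"card": "4276********1234", "amount_kopecks": 1_500_000},
    {"card": "5469********9876", "amount_kopecks": 250_000},
]

# Hypothetical key. In the real flow this would be a signing key pair;
# an HMAC secret shared by exporter and importer stands in for it here.
SIGNING_KEY = b"accounting-to-abs-shared-secret"


def serialize(batch):
    """Canonical encoding so both sides authenticate identical bytes."""
    return json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()


def export_batch(batch, key):
    """Accounting side: produce the file and a detached authentication tag."""
    payload = serialize(batch)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def import_batch(payload, tag, key):
    """ABS side: refuse the file unless the tag matches the bytes received."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: file altered on the share")
    return json.loads(payload)


def insider_edit(payload):
    """What the employee in the text does: multiply the first credit by ten."""
    batch = json.loads(payload)
    batch[0]["amount_kopecks"] *= 10
    return serialize(batch)


def run_scenarios(key=SIGNING_KEY):
    """Outcome of three hand-offs across the file share, keyed by scenario."""
    payload, tag = export_batch(SAMPLE_BATCH, key)
    results = {}

    # 1. Untouched file: import succeeds with the original amounts.
    results["clean"] = import_batch(payload, tag, key)[0]["amount_kopecks"]

    # 2. Amount edited on the share, tag left as is: import refuses it.
    try:
        import_batch(insider_edit(payload), tag, key)
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected"

    # 3. Attacker also copied the key and re-tags the edited file: the
    #    check passes, which is why file operations on the share must be
    #    audited as well.
    edited = insider_edit(payload)
    forged_tag = hmac.new(key, edited, hashlib.sha256).hexdigest()
    results["stolen_key"] = import_batch(edited, forged_tag, key)[0]["amount_kopecks"]
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

With a real signature scheme the importer would hold only the public key, so a copy of the importer's material would not let an attacker forge; the point stands regardless, since what the attackers took in the incident was the material on the signing side.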

Another important aspect is control over privileged accounts, which many banking systems use. Most of them are created for specific users and are not always blocked when the user's employment ends. Such accounts can be compromised in a variety of ways and then used to steal data or perform unauthorized actions.
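One routine check for the problem above, as an added example rather than anything from the article or a Varonis product: cross-reference a directory export of accounts against the HR record of who has left, and flag privileged accounts that are still enabled, that were used after their owner's departure, or that nobody has logged on with for a long time. The group names, account names, employee IDs and dates are all constructed for the example.

```python
from datetime import date

# Groups whose membership makes an account privileged (hypothetical names).
PRIVILEGED_GROUPS = {"Domain Admins", "ABS Operators", "DBA"}

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"name": "ivanov_adm", "owner": "E1001", "enabled": True,
     "groups": ["Domain Admins"], "last_logon": date(2017, 12, 20)},
    {"name": "petrova_abs", "owner": "E1002", "enabled": True,
     "groups": ["ABS Operators"], "last_logon": date(2017, 9, 3)},
    {"name": "sidorov", "owner": "E1003", "enabled": True,
     "groups": ["Users"], "last_logon": date(2017, 12, 28)},
    {"name": "svc_backup", "owner": "E1004", "enabled": False,
     "groups": ["DBA"], "last_logon": date(2017, 6, 1)},
]

# Constructed HR roster: employee ID -> date employment ended.
TERMINATED = {"E1001": date(2017, 11, 30), "E1004": date(2017, 5, 15)}


def is_privileged(account):
    return bool(set(account["groups"]) & PRIVILEGED_GROUPS)


def audit_privileged_accounts(accounts, terminated, today, stale_days=60):
    """Return (account name, finding) pairs for privileged accounts that
    should have been blocked or that look orphaned."""
    findings = []
    for acct in accounts:
        if not is_privileged(acct):
            continue
        left = terminated.get(acct["owner"])
        if left is not None:
            # Owner has left: the account must be disabled, and any logon
            # after the leaving date means someone else is using it.
            if acct["enabled"]:
                findings.append((acct["name"], "enabled although owner left on %s" % left))
            if acct["last_logon"] > left:
                findings.append((acct["name"], "logged on after owner left (%s)" % acct["last_logon"]))
        else:
            # Owner still employed: a privileged account nobody uses is a
            # standing liability and should be reviewed or disabled.
            idle = (today - acct["last_logon"]).days
            if acct["enabled"] and idle > stale_days:
                findings.append((acct["name"], "no logon for %d days" % idle))
    return findings


if __name__ == "__main__":
    for name, finding in audit_privileged_accounts(ACCOUNTS, TERMINATED, date(2018, 1, 15)):
        print(name, "-", finding)
```

Run against the sample data as of 2018-01-15, the check reports the departed administrator's account twice (still enabled, and used after the leaving date), the disabled service account once (used after its owner left, so someone other than the owner had the credentials), and the idle operator account once; the ordinary user account is ignored.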

Attacks occur with annoying regularity. Hackers use a variety of tools and frequently change their methods of penetrating the target infrastructure. One attack used a physical device; the next may use an insider as a Trojan horse. Information security teams need to be prepared to repel attacks of every kind.

No bank or regulator is safe

Banking systems are not the only targets. Most financial institutions are protected very reliably; they usually have a staff of highly qualified information security specialists. In other industries the picture is not so rosy, and industrial facilities, including hazardous ones, can also be targeted.

One of the worst things about the recent attack is that it compromised a market regulator's system. The Central Bank of Russia is not the only agency that is this critical; many regulators run systems that keep infrastructure operating on a federal scale, in energy, transport and other sectors. The Bank of Russia incident suggests that those, too, can be targeted.

Another worrying trend is the slow pace at which security regulation is being introduced across a whole range of industries. Meanwhile, a breach of a regulator could give attackers access to its plans, such as how it intends to manage the industry and the systems for interacting with industry players that it is preparing to introduce, and that knowledge could be used for further cyber attacks.

The Bank of Russia incident has shown that the regulator operates part of the infrastructure at the private bank that was attacked, namely the automated workstation of a Bank of Russia client. This poses a threat to other banks as well.

Efforts to prevent losses

First and foremost, there should be multiple layers of security. Experience has shown that as many responsible staff as possible must be informed promptly about suspicious and abnormal activity in every infrastructure segment. A system should be put in place to monitor and control unstructured data, which in the overwhelming majority of cases is the primary target of attacks because it 'absorbs' all the valuable information held in the various information systems.

Systems for monitoring and controlling unstructured data will, first of all, make it possible to detect weaknesses and then protect designated segments of a financial organization and of the regulator, as well as the core facility.

Such measures will also make it possible to monitor information exchange, when data is exported from one system and loaded into another. This protects the integrity and reliability of data even when attackers have already breached the protected network perimeter.
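Monitoring the hand-off itself, as recommended above and as was missing in the file-share incident described earlier, comes down to knowing which account is expected to do what with each file and alerting on everything else. The following is an added example, not Varonis product code, run over a constructed file-share audit trail; the account names, paths, timestamps and policy are all hypothetical.

```python
# Constructed file-share audit trail: (timestamp, account, operation, path).
# One legitimate export and import, with an insider's edits in between.
EVENTS = [
    ("2017-12-10T09:00:01", "svc_accounting", "create", "/share/payments/batch_0942.json"),
    ("2017-12-10T09:00:02", "svc_accounting", "create", "/share/payments/batch_0942.sig"),
    ("2017-12-10T09:03:12", "petrov", "modify", "/share/payments/batch_0942.json"),
    ("2017-12-10T09:04:00", "petrov", "read", "/share/keys/accounting_sign.key"),
    ("2017-12-10T09:04:05", "petrov", "create", "/share/payments/batch_0942.sig"),
    ("2017-12-10T09:05:30", "svc_abs_import", "read", "/share/payments/batch_0942.json"),
    ("2017-12-10T09:05:31", "svc_abs_import", "read", "/share/payments/batch_0942.sig"),
]

# Expected behaviour per directory: the exporter writes payment files, the
# importer reads them, and only the exporter touches the key material.
POLICY = {
    "/share/payments/": {"svc_accounting": {"create"}, "svc_abs_import": {"read"}},
    "/share/keys/": {"svc_accounting": {"read"}},
}


def policy_for(path):
    """Rules for the first policy prefix the path falls under, else none."""
    for prefix, rules in POLICY.items():
        if path.startswith(prefix):
            return rules
    return {}


def check_exchange(events):
    """Return (timestamp, account, reason) alerts for operations outside the
    expected export/import hand-off and for files rewritten after export."""
    alerts = []
    created_by = {}
    for ts, user, op, path in events:
        allowed = policy_for(path).get(user, set())
        if op not in allowed:
            alerts.append((ts, user, "%s on %s not permitted" % (op, path)))
        if op == "create" and path not in created_by:
            # First writer of the file is the exporter of record.
            created_by[path] = user
        elif op in ("create", "modify") and created_by.get(path) not in (None, user):
            # Anyone else changing the file between export and import is
            # exactly the tampering the reconciliation would catch too late.
            alerts.append((ts, user, "%s rewritten after export by %s" % (path, created_by[path])))
    return alerts


if __name__ == "__main__":
    for alert in check_exchange(EVENTS):
        print(*alert)
```

On the sample trail every alert concerns the same account: the edit of the payment file, the read of the signing key, and the replacement of the signature file are each flagged, the last two together being the stolen-key pattern that a signature check on the importing side cannot see by itself. Alerts raised while the file is still on the share, before the importer reads it, are what turns the recording of a loss into its prevention.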

This should become an essential element of early detection of hacker activity and prompt response, with the ultimate aim of preventing losses rather than merely recording them.

By Vladimir Vechirny, leading system engineer at Varonis Systems
