Published October 12, 2012
Security professionals have recently learned that a cartel of Russian hackers is planning to launch a separate attack aimed at stealing money from about 30 U.S. financial institutions, an apparent attempt to piggyback and capitalize on the ongoing cyber attacks on U.S. banks.
The emergence of Russian hackers suggests a potential shift in the motivation of the cyber attacks from ideological to financial and also points to a longer duration of the ongoing attacks.
“It’s like an axis of evil. There’s nothing like having folks who are conveniently on the same side of the fight,” said Carl Herberger, vice president of security solutions at security firm Radware (RDWR).
Security experts have picked up on chatter in the cyber underworld indicating Russian cyber hackers have set their sights on about 30 U.S. financial institutions.
Dubbed “Operation Blitzkrieg,” the attack is planned for this fall on 30 U.S. banks, though it’s not clear which specific institutions will be targeted.
In a blog post last week, RSA said it “believes this is the making of the most substantial organized banking-Trojan operation seen to date.”
'Mega Heist' Planned
It’s not clear who the specific Russian hackers are, but blogger Brian Krebs pointed to a series of posts beginning in early September on Underweb forums by a Russian hacker who uses the nickname “vorVzakone,” which translates to “thief in law.”
RSA said “underground chatter” indicates the gang plans to deploy a Trojan, called “Gozi Prinimalka,” in an effort to complete fraudulent wire transfers via Man-In-The-Middle (MiTM) manual session-hacking scenarios.
Herberger said MiTM is a type of attack that aims to deceive targets by violating otherwise secure communications, similar to tapping into a landline phone conversation or breaching a VPN session.
“If successfully launched, the full force of this mega heist may only be felt by targeted banks in a month or two,” RSA said.
Security professionals are intrigued by the type of Trojan set to be deployed in this round of attacks because it is well known for enabling money transfers through session hijacking.
RSA said the use of Gozi Prinimalka suggests that a group known as the HangUp Team or one affiliated with it may be behind this ambitious scheme.
The Trojan is part of a family of malware used by a crime gang that has successfully siphoned at least $5 million from banks, RSA said.
The Russian hackers are also offering to pay individuals who help them carry out the attacks, indicating a desire to monetize the intrusions.
Herberger suggested the revenue-sharing aspect could be part of an effort to solicit confidential information from people who work for or with the targets.
This differs from the apparent ideological nature of the ongoing attacks against the websites of a string of U.S. banks.
After claiming credit for attacks on big banks like Bank of America (BAC) and J.P. Morgan Chase (JPM) last month, a group called the “Izz ad-Din al-Qassam Cyber Fighters” said it would target Capital One Financial (COF), SunTrust (STI) and Regions Financial (RF) this week.
The group has said the distributed denial of service (DDoS) attacks will continue until a video mocking Islam that was first posted to YouTube is removed from the Internet.
Others, including U.S. Sen. Joseph Lieberman, have blamed Iran for the ongoing cyber attacks.
“It’s not uncommon that people who have a financial motive may try to take advantage of nefarious techniques,” said Herberger. “They will jump in because they can take advantage of the fact banks are laboring and security departments are becoming overrun and softened for a different kind of motivated attack.”
RSA said that while the Russian gang “boasts anti-American motives,” its “more likely considerations stem from convenience and prior experience with defrauding and cashing out certain banks’ accounts.”
The emergence of the threat from Russian groups underscores the prolonged nature of the attacks against corporations, especially in the financial industry.
“Security teams are coming to terms that these attacks are long,” often measured in days and weeks, said Herberger. However, security teams often aren’t “staffed for attrition.”