Financial Institution Attacks Uncovered

Thursday, May 14, 2015 @ 05:05 PM gHale

A cyber-espionage group was preparing cyber attacks against financial organizations across the world, researchers said.

Among the organizations targeted by the hackers are Bank of America, Commercial Bank International (United Arab Emirates), Toronto Dominion Canada Trust, United Nations Children’s Fund, United Bank for Africa and Regions Banks.


Known by names such as APT28 and Pawn Storm, the hacker group has been around since at least 2007, researchers said, and has attacked military, governmental and media organizations using a set of malicious tools known as Sofacy/Sednit.

Security company Root9B discovered the hackers’ activity toward the end of April, while carrying out a routine security check on a client’s computer network for signs of suspicious activity that could point to new and emerging threats.

A red flag quickly arose when the researchers found a domain that looked like part of a spear phishing campaign targeting a financial institution, although the server hosting it appeared to be associated with cyber-espionage activity.

As the investigation went deeper, they found new pieces of malware bearing the Sofacy group signature, along with malicious domains, some of them registered in June 2014 and others as recently as April 29, 2015.

A report from Root9B released Tuesday said the researchers were able to pull details about the group by exploiting a mistake the hackers made when registering the domains. It appears there are two different divisions at work.

“The first seemed to focus on military, diplomatic, and media targets, and relied on the cover of proxies and private domain registrations,” the report states.

The other group has a different objective and “used deliberately falsified personalities, all of which claimed to be American citizens, and focused on financial and banking targets.”

Root9B found a pattern in the domain registration information: similar addresses, phone numbers and house numbers were reused for the registrant across domains.
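The kind of registrant overlap described above is what threat-intelligence analysts pivot on to link newly seen domains to known infrastructure. The following is an added illustration, not code from Root9B or from the article: it groups domains whose registration records reuse the same street address or phone number. All domains, addresses and phone numbers below are constructed placeholders, not real registrations.

```python
"""Cluster domain registrations that reuse registrant details.

Added example (hypothetical records, not data from the report): domains are
linked when their registrant fields share a normalized street address or phone
number, then connected groups are reported as one cluster.
"""
from collections import defaultdict
import re

# Constructed sample registrant records; every value here is a placeholder.
REGISTRATIONS = [
    {"domain": "example-bank-login.test", "address": "123 Main St, Springfield", "phone": "+1.5550100"},
    {"domain": "secure-bank-portal.test", "address": "123 Main St, Springfield", "phone": "+1.5550199"},
    {"domain": "news-update-mirror.test", "address": "77 Elm Ave, Shelbyville", "phone": "+1.5550150"},
    {"domain": "account-verify-now.test", "address": "9 Oak Rd, Capital City", "phone": "+1.5550199"},
    {"domain": "ministry-press-room.test", "address": "77 Elm Ave, Shelbyville", "phone": "+1.5550180"},
]


def normalize(value):
    """Lower-case and strip punctuation/whitespace so small formatting
    differences ("123 Main St." vs "123 main st") still match."""
    return re.sub(r"[^a-z0-9]+", "", value.lower())


def house_number(address):
    """Leading digits of a street address. Reported for context only: a house
    number alone is far too common to justify linking two registrations."""
    m = re.match(r"\s*(\d+)", address)
    return m.group(1) if m else ""


def registrant_keys(record):
    """Pivot keys strong enough to link records: full address and phone."""
    return [
        "addr:" + normalize(record["address"]),
        "phone:" + normalize(record["phone"]),
    ]


def cluster_domains(records):
    """Union-find over records: any two records sharing a pivot key end up in
    the same cluster, so chains of overlap (A shares an address with B, B shares
    a phone with C) are linked transitively. Returns sorted clusters."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}  # pivot key -> first domain observed with that value
    for r in records:
        for key in registrant_keys(r):
            if key in first_seen:
                union(r["domain"], first_seen[key])
            else:
                first_seen[key] = r["domain"]

    clusters = defaultdict(list)
    for r in records:
        clusters[find(r["domain"])].append(r["domain"])
    return sorted(sorted(members) for members in clusters.values())


def cluster_report(records):
    """Per cluster, the distinct house numbers and phone numbers involved, so an
    analyst can see which fields actually tie the group together."""
    by_domain = {r["domain"]: r for r in records}
    report = []
    for members in cluster_domains(records):
        houses = sorted({house_number(by_domain[d]["address"]) for d in members})
        phones = sorted({by_domain[d]["phone"] for d in members})
        report.append({"domains": members, "house_numbers": houses, "phones": phones})
    return report


if __name__ == "__main__":
    for entry in cluster_report(REGISTRATIONS):
        print(entry)
```

In the constructed data the two banking-themed domains share an address, one of them shares a phone number with a third domain, and the two media-themed domains share a different address, so two clusters come out. In practice the registrant fields would come from a WHOIS or registration-data feed, and a match on full address or phone is a lead to investigate rather than proof of common ownership.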

Root9B believes the attackers are a Russian hacking organization.
