Security companies Group-IB and Fox-IT have conducted a joint investigation into a cyber espionage group called Anunak, which has been targeting banks and payment systems in Russia and Commonwealth of Independent States countries, and which has also hit targets in the US over the last months.
“The group has its origin in more common financial fraud including theft from consumer and corporate bank accounts in Europe and Russia, using standard banking malware, mainly Carberp.“ states the report issued by the companies.
The Anunak hacking crew was composed of individuals from Russia and Ukraine who were involved in the banking frauds operated through the Carberp botnet. Many members of the organization behind the Carberp botnet were arrested in 2012, but one of them decided to change tactics, directly targeting financial institutions, including banks and payment providers, instead of their end customers.
The technique adopted by the Anunak gang initially targets an ordinary employee's machine, with the intent of gathering the credentials of a user who has administrative rights on some computers within the financial institution's network. The attackers' goal is to obtain the domain administrator password from the server; once they have gained access to the domain controller, they can compromise all active domain accounts. At that point the attackers can access the email server and the workstations of all banking system administrators, installing software to spy on the operators. In this way, the Anunak gang is able to configure remote access to servers of interest, including making firewall configuration changes.
Anunak malware was used to compromise both the networks of targeted financial institutions and their ATM management systems.
“We have seen criminals branching out for years, for example with POS malware,” says Andy Chandler, Fox-IT’s SVP and general manager, in a statement. “Anunak has capabilities which pose threats across multiple continents and industries. It shows there’s a grey area between APT and botnets. The criminal’s pragmatic approach once more starts a new chapter in the cyber-crime ecosystem.”
The Anunak APT had access to more than 50 Russian banks, five payment systems and 16 retail companies. The hackers caused serious problems for two financial institutions, whose identities were not revealed, which were deprived of their banking licenses.
The experts estimated that the gang has stolen around US$17 million (£10.9 million) in the last six months. The expert Brian Krebs linked the Anunak gang to the data breach at Staples, which exposed more than one million payment cards.
The report states that the average time from access to the internal network to money being stolen was 42 days.
The security expert Graham Cluley explained in a blog post that the hackers have not hacked retailers in their own country, unlike banks.
“One curious aspect is that it appears retailers in Russia are not targeted by the Anunak hackers, although financial institutions are. Could there be a reason why the hackers feel more comfortable not targeting retailers on their doorstep?
“It would be easy to speculate that the hackers are wary of poking a grizzly bear on their own doorstep because of potential repercussions, and so avoid hacking local retailers, but that doesn’t explain why they seem to be so unworried about earning the wrath of Russian financial institutions.”
(Security Affairs – Anunak APT, cybercrime)