A Russian cyber gang has hacked the systems at the Kazan-based Energobank and manipulate Ruble-Dollar Exchange Rate infecting them with a malware.
The event occurred exactly one year ago, in Feb 2015, when the hacking group dubbed METEL breached into the Russian Regional Bank for just 14 minutes resulting in the fluctuation of the exchange between 55 and 66 rubles per dollar.
The Moscow Exchange denied that its systems have been hacked, it also highlighted that its investigation has found no evidence of the currency market manipulation. The Moscow Exchange explained that fluctuations observed by the users could have been caused by traders’ mistakes.
The security firm Group-IB that was involved in the investigation on the case discovered that the Metel Hacking group infected Kazan-based Energobank, the hackers used the Corkow Trojan and placed more than $500 million in orders at non-market rates.
Corkow is a backdoor that breached 250,000 computers worldwide in more than 100 financial institutions.
“This is the first documented attack using this virus and it has potential to do much more damage,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, told Bloomberg. “Once the malware has penetrated a local network, it is sophisticated enough to infect computers that are even not connected to the Internet.”” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, told Bloomberg.
The threat actors used spear phishing messages containing malicious links to hack the victim’s accounts. The economic impact of the attack has been estimated in 244 Million Rubles, nearly $3.2 million.
The Metel group is the same referred in the report recently published by the Kaspersky Lab on the Carbanak 2.0.
According to Kaspersky, the group targeted a Russian bank with the malware known as Metel (aka Corkow) and compromise banks’ networks via spear-phishing emails.
The financial institution targeted by the group discovered that hackers stole millions of rubles in just one night from the ATMs of other financial institutions. The hackers used ATM balance rollbacks to steal money while balances remained untouched.
“In summer 2015, a bank in Russia discovered it had lost millions of rubles in a single night through a series of strange financial transactions. The bank’s clients were making withdrawals from ATMs belonging to other banks and were able to cash out huge sums of money while their balances remained untouched. The victim bank didn’t realize this until it tried to recoup the money withdrawn from the other banks’ ATMs.” states a blog post published by Kaspersky.
“The malware, used exclusively by the Metel group, infected the bank’s corporate network via e-mail and moved laterally to gain access to the computers within the bank’s IT systems. Having gained access to the bank operator’s money-processing system, the gang pulled off a clever trick by automating the rollback of ATM transactions. This meant that money could be stolen from ATM machines via debit cards while the balance on the cards remained the same, allowing for multiple transactions at different ATM machines.”
According to Kaspersky, the Metel group is still active and targeted at least 30 Russian financial organizations.
Group-IB confirmed it, and added that the group is only known to be active in Russia where affected 73% Russian Banks.
(Security Affairs – Carbanak, Metel)