Russian Ring Blamed for Retail BreachesWhy Anunak's Cross-Industry Targets Deserve Banks' Attention
A new report from security firms Group-IB and Fox-IT suggests the reason U.S. retailers were plagued by so many breaches in 2014 is because a ring of sophisticated financial cybercriminals in Russia and the Ukraine has been targeting U.S. merchants and payments processors with malware.
Now this ring, known as Anunak, which includes the hackers who developed Carberp, a banking Trojan that emerged in 2010, has reportedly tweaked its techniques and broadened its range of targets, the two firms say.
While Anunak attacked 16 U.S. retailers in 2014, it also targeted a range of other businesses, including 50 banks in Russia and a handful of news media and public relations firms in various parts of the world, says Andy Chandler, senior vice president at Fox-IT.
"Anunak has capabilities which pose threats across multiple continents and industries," he says. "It shows there's a gray area between APT and botnets. The criminal's pragmatic approach once more starts a new chapter in the cybercrime ecosystem."
While Group-IB and Fox-IT don't identify the specific U.S. retailers targeted by Anunak, Forbes and security blogger Brian Krebs report that unnamed security sources say the Staples, BeBe Stores and Sheplers breaches are among the 16 noted in the report.
Chandler tells Information Security Media Group that Anunak's evolution into a group that targets a wide range of business sectors, beyond the banks its members targeted during the early days of Carberp, is what makes it unique.
"This is one group that is targeting different industries and in different geographies," he says. "We've never seen this before."
In Russia, Anunak is now attacking bank networks and servers, Chandler says. And, in some cases, the hackers are breaking into banks' ATMs by compromising their networks and then directly installing malware onto the machines.
Chris Pierson, an attorney and chief security officer for business-to-business payments provider Viewpost, says the attacks waged against the Russian banks' ATM networks is the most interesting pattern noted in the report.
"This attack indicates that ATMs remain a highly valuable target, and instead of targeting the outside of the machine, they are targeting the inside," he says. "And given the success of the attacks against POS terminals over the past year, this looks to be a valuable and strategic attack."
Attacks on U.S. Banks?
In the U.S., retailers and payments processors have been Anunak's primary targets, but Chandler says Group-IB and Fox-IT believe the hackers will soon shift their aim in the U.S. to also include banks.
Over the last 120 days, patterns tracked by researchers at Group-IB and Fox-IT suggest that Anunak's attention is shifting toward banks in Western markets, Chandler adds.
"We are 99.9 percent sure that some of these actors are linked to the Carberp group," Chandler says. "And that's why, fundamentally, it's so concerning to western banks."
But Andrew Komarov, CEO of cyber-intelligence firm Intelcrawler, says he disagrees that Western banks are at risk. "I have big doubts about these attacks migrating," he says. "Traditionally, the bad actors who specialize in attacks against Russian banks, for example, attack only them, just because their malware is pretty specific and targeted. That's why it won't be useful in attacks against EU banks, as they use different security controls."
Tom Kellermann, chief cybersecurity officer for Trend Micro, a security software and cloud-services provider, however, says Anunak spent 2014 perfecting its techniques. Now it only makes sense that the group would broaden its reach in 2015 by attacking more banks in more markets, he says.
"2014 was the year of a Russian crime wave," Kellermann says. "The elite hacker crews of the former Soviet Bloc are experts at robbing banks and laundering money."
In 2015, those hackers will use their skills to target more markets and more industries, Kellermann says.
Targeting the Employees
All of Anunak's malware infections noted in the report were spread through targeted spear-phishing campaigns. And the use of spear-phishing to spread malware and compromise systems is what has made this group effective, Pierson says.
"This is still the easiest and most used method to break into companies and gain access to systems that are protected," he says.
While these types of social engineering tactics have been around for a long time, Phil Hay of forensics and cybersecurity firm Trustwave says Anunak appears to have perfected its ability to compromise employees and exploit Windows vulnerabilities.
The one commonality among all of Anunak's attacks, regardless of the industry or target, is that they hit Windows-based computers and servers.
"This type of scenario is pretty common for APT attacks," says Hay, who heads up Trustwave's research team. "It works with a combination of social engineering and exploiting unpatched Microsoft Office systems. It underlies the importance of being meticulous with patching - these vulnerabilities are pretty old now. If the system had been patched, then attackers most likely would not have gotten a foothold, even if the user was sucked into opening the attachment."
According to Trustwave's 2014 State of Risk Report, 58 percent of businesses still lack adequate patch management processes, and 12 percent have no patch management process at all.
Jay McLaughlin, chief security officer for Austin, Texas-based Q2ebanking, an online banking platform provider, says hackers are increasingly targeting employees more than end-users.
"Instead of going after thousands of customers, they are just going after the bank itself," McLaughlin says. "And, ultimately, they are really successful."
That's because authentication and layered security measures for employees are much less stringent than those used for bank customers, he says.
The other problem is that too many banks are still running outdated operating systems, like Windows XP, he adds.
"Why is the regulator not coming in and telling the banks and others that they need to update their systems?" McLaughlin asks. "It's not even the most sophisticated malware or Trojans that are getting in and causing damage, because they can target vulnerabilities that have been left unpatched."