Millions of dollars, credit cards and intellectual property have been stolen by a newly discovered group of cyber criminals.
The Anunak hackers group has been involved in targeted attacks and espionage since 2013, we now know, and targets banks and payments systems in Russia and former CIS countries, according to joint research by computer forensics experts at Moscow-based Group-IB and Netherlands-based Fox-IT.
Anunak had access to more than 50 Russian banks, five payment systems, and 16 retail companies.
Most of the retail companies are outside Russia, while not a single US/EU bank has been attacked. More than $15m has been stolen by the group in total, most of that during the last six months, according to security researchers.
It’s common for cybercriminals to infect the computers of banks’ clients before stealing passwords and ultimately siphoning off funds from compromised accounts. However, Anunak is more ambitious than that.
It specialises in hacks against the internal networks of banks, aimed at gaining access to secured payment systems, including cash machine networks. As a result, the money is stolen not from the customers, but from the bank itself.
By gaining access to internal networks, hackers have total control over the computers of system administrators and IT specialists, allowing them to record videos of key workers' actions to understand how the work is organised.
They then take control of emails to monitor internal communications before setting up remote control of the network by changing its hardware parameters, or other similar trickery.
Security researchers discovered that hackers had access to cash machines management systems. This gave the cybercriminals the ability to remotely infect ATMs with malware. Crooks can then use their money mule accomplices to withdraw funds from compromised cash machines, which become their private piggy banks – at least, up until the time that a compromise is detected.
The average theft in Russia and CIS countries for this group is $2m per cyber-heist. The average time from the moment the group gains access to internal network until the money is stolen is 42 days.
The Anunak group is still operational, leading Group-IB and Fox-IT to forecast an increase in the number of targeted attacks in 2015.
In their joint report (PDF), Group-IB and Fox-IT describe the methods and software that were used by hackers, as well as the tools and techniques that might be used to protect networks and counter targeted attacks. ®