A Russian cybercriminal group composed of highly skilled hackers has carried out targeted attacks on financial institutions, stealing about $25 / €20.4 million since 2013, using Anunak, a Trojan built with code from the infamous Carberp.

More than 50 Russian banks and five payment systems have been compromised, but it appears that in 2014 the interest of the group turned to US and European retailers, which have been compromised with point-of-sale malware.

In two cases, the consequence of the attack was so dire that the organizations were forced to give up their banking license.

Cybercriminals did their homework diligently

The hackers relied on spear-phishing to breach the targeted network and each heist ensured stealing $2 / €1.6 million on average. They aimed at users with administrative privileges, such as technical support engineers, and continued their move deep inside the network until they gained access to the server and banking system administrator workstations.

Compromising email servers was also part of their tasks, in order to control internal communication. “This approach allowed them to find out that the anomalous activity in the bank network was identified, what technique was used to identify this activity and what measures the bank employees took to solve the problem,” a report based on findings of Russian-based security company Group-IB and Fox-IT says.

Tracking the activity of the group, the security researchers discovered that the main members are citizens of Russian and Ukrainian origin, but they collaborated with other cybercriminals for resources, such as botnet operators, for malware distribution.

However, it has been observed that Anunak Trojan created in August 2014, their own botnet, counted more than 500,000 compromised machines in the first half of the year.

Persistence would last 42 days on average

Once inside the bank’s network, the hackers sought to gain complete control over the transactions, as well as the ATM network belonging to the target.

One of the methods used included changing the denomination of the issued banknotes in the operating system registry of the cash machine. As such, when the ATM was instructed to dispense a bill of 100, it would actually access a different money cassette and release a bill of 5,000 instead.

This was done with accomplices (drop person), who would post themselves near the targeted cash machine at the specific time the command for changing the bill denomination would be sent. At least 52 ATMs have been emptied this way.

Another method for stealing money from the bank consisted in transferring money from an account to different large legal entities, and then to smaller ones, until the funds reached private individuals. The report from the security experts says that this scenario saw between 600 and 7,000 transactions.

The hackers would spend an average of 42 days from the time of breaching a target until stealing the money.

Apart from robbing banks and retailers, the Anunak group has also been involved in cyber-espionage operations, the targets being governmental agencies, according to the researchers.

Command and control servers used by the cybercriminals have been located in Kazakhstan, Germany, and Ukraine. They relied on a bulletproof hosting service, which also offered routing of the traffic through TOR network and VPN servers.