Operators behind attacks on Russian financial operations are specializing, says a new study.

Attacks against Russian financial institutions have increased substantially, according to a post on We Live Security.

The post follows up on a just-published paper, "Modern Attacks on Russian Financial Institutions," that examines the various actors launching sophisticated attacks against financial institutions in Russia over the past few years and which networks they are going after.

One trend detected by the authors – Jean-Ian Boutin and Anton Cherepanov, ESET, Slovakia – was that the operators behind these attacks are specializing. One group, for example, went after a trading terminal managing the ruble exchange rate. The miscreants were able to issue buy and sell orders leading to volatility on the marketplace.

But, regardless of the target, the various groups focusing on Russia's financial firms used similar means, the researchers found, particularly in how they penetrated networks and their persistence in probing victims' networks until they achieved their goals.

Most of the groups under examination used spear phishing in their attempts to gain entry into financial networks, delivering attachments that, once clicked on, led to a system compromise: RATs (remote administrator tools) would then be downloaded and installed on the targeted machine, granting access to the attacker. At that point, the cyberthieves explore to find "high-value systems," the researchers said.

Many of the spear phishing emails pose as legitimate-seeming documents that personnel at a financial institution would expect to receive, such as one campaign that deployed messages seeming to come from FinCERT, a Russian government agency that provides guidance to financial institutions.

The attackers are also capable of altering data on the system used by banks to make intra-bank transfers, such as modifying a destination account to siphon away funds into an account controlled by the attacker.

While these attacks once were seen only in Russia, the researchers concluded that these strategies are now being deployed across the globe. That's because those behind the attacks use old flaws and social engineering to leverage "the general lack of awareness surrounding targeted attacks against the financial sector."

The researchers' advice is to keep software up to date, educate employees and implement two-factor authentication to help defend against these attacks.

The weakest link in the chain, said the researchers, is the human factor.