Would you like to know the recipe for richness, wealth, and abundance? Ask Russian hackers. The Metel crimeware package is an infamous yet ingenious passe-partout: a kit of 30 separate modules that can be customized to suit the computer it is infecting. The module of most interest to many, and one of the most dominant within Metel, allows almost unlimited ATM transactions.
This is possible because withdrawals made with a payment card belonging to a compromised bank, from a different bank's ATMs, are constantly reset and rolled back so that they virtually disappear from the records. With this crafty little trick, Russian hackers hit the jackpot last year, breaking a bank in just a single "game night".
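The mechanism the article describes, a withdrawal that is authorised and then reversed so the card balance never drops even though cash was dispensed, leaves a recognisable trace on the card issuer's authorisation host. The following is an added example of a defender-side detector for that pattern; it is not code from the article or from Kaspersky Lab. The transaction records are constructed sample data, and the field layout, the pairing window and the flagging threshold are assumptions chosen for illustration.

```python
"""
Added example (not from the article or Kaspersky Lab): flag payment cards whose
ATM withdrawals are repeatedly authorised and then reversed within a short
window, the Metel-style "reset and roll back" pattern. A reversal clears the
debit from the balance but does not return the cash the ATM already dispensed,
so the sum of reversed withdrawals is the issuer's real exposure.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation-host log, not real data:
# (timestamp, card_id, event, amount, atm_id)
SAMPLE_EVENTS = [
    # card-A: four withdraw/reverse pairs at a foreign bank's ATM in 16 minutes
    ("2016-02-08T01:00:05", "card-A", "withdrawal", 500.0, "atm-OTHERBANK-01"),
    ("2016-02-08T01:00:09", "card-A", "reversal",   500.0, "atm-OTHERBANK-01"),
    ("2016-02-08T01:05:12", "card-A", "withdrawal", 500.0, "atm-OTHERBANK-01"),
    ("2016-02-08T01:05:15", "card-A", "reversal",   500.0, "atm-OTHERBANK-01"),
    ("2016-02-08T01:10:30", "card-A", "withdrawal", 500.0, "atm-OTHERBANK-01"),
    ("2016-02-08T01:10:33", "card-A", "reversal",   500.0, "atm-OTHERBANK-01"),
    ("2016-02-08T01:15:40", "card-A", "withdrawal", 500.0, "atm-OTHERBANK-01"),
    ("2016-02-08T01:15:44", "card-A", "reversal",   500.0, "atm-OTHERBANK-01"),
    # card-B: an ordinary withdrawal that was never reversed
    ("2016-02-08T02:30:00", "card-B", "withdrawal", 100.0, "atm-OWNBANK-07"),
    # card-C: a single reversal, as happens legitimately on a network time-out
    ("2016-02-08T03:00:00", "card-C", "withdrawal", 200.0, "atm-OWNBANK-02"),
    ("2016-02-08T03:00:20", "card-C", "reversal",   200.0, "atm-OWNBANK-02"),
]


def parse_events(rows):
    """Convert raw rows into chronologically sorted tuples with datetime stamps."""
    return sorted(
        (datetime.fromisoformat(ts), card, event, amount, atm)
        for ts, card, event, amount, atm in rows
    )


def find_rollback_abuse(rows, min_pairs=3, window=timedelta(hours=1),
                        pair_window=timedelta(minutes=5)):
    """Return {card_id: {"reversed_pairs": n, "cash_dispensed": total}} for every
    card with at least `min_pairs` withdrawal/reversal pairs inside `window`.

    A reversal is paired with the earliest pending withdrawal of the same amount
    at the same ATM that happened no more than `pair_window` earlier (assumed
    matching rule). Thresholds are illustrative assumptions, not tuned values.
    """
    by_card = defaultdict(list)
    for ts, card, event, amount, atm in parse_events(rows):
        by_card[card].append((ts, event, amount, atm))

    flagged = {}
    for card, events in by_card.items():
        pending = []  # withdrawals still waiting for a matching reversal
        pairs = []    # (reversal_ts, amount) for each matched pair
        for ts, event, amount, atm in events:
            if event == "withdrawal":
                pending.append((ts, amount, atm))
            elif event == "reversal":
                for i, (wts, wamt, watm) in enumerate(pending):
                    if wamt == amount and watm == atm and ts - wts <= pair_window:
                        pairs.append((ts, amount))
                        del pending[i]
                        break

        # Sliding window: densest run of matched pairs within `window`.
        best = None
        for i in range(len(pairs)):
            j = i
            while j < len(pairs) and pairs[j][0] - pairs[i][0] <= window:
                j += 1
            if j - i >= min_pairs and (best is None or j - i > best[0]):
                best = (j - i, sum(amount for _, amount in pairs[i:j]))
        if best is not None:
            flagged[card] = {"reversed_pairs": best[0], "cash_dispensed": best[1]}
    return flagged


if __name__ == "__main__":
    for card, info in find_rollback_abuse(SAMPLE_EVENTS).items():
        print(f"{card}: {info['reversed_pairs']} reversed withdrawals, "
              f"{info['cash_dispensed']:.2f} in cash already dispensed")
```

Only card-A is reported: the single reversal on card-C is the kind of time-out reversal an issuer sees every day and must not be flagged, which is why the detector counts repeated pairs in a window rather than reversals in isolation. The "cash_dispensed" figure is the point a fraud team cares about, since each reversed withdrawal still emptied a cassette at the other bank's ATM.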
What the Metel hacking gang does, first and foremost, is try to infiltrate an employee's PC by exploiting browser vulnerabilities or by sending spear-phishing emails. Once the malicious files have been dropped, the gang patiently works to drill a larger hole into the targeted computer network (a call center or IT support) using legitimate software, so that its activity does not look suspicious. The final aim is to gain access to, and control over, a money transaction system.
Kaspersky Lab, the security company that unveiled the Metel attack, explained how hackers targeting banks have now reached a level of sophistication previously believed to belong only to elite hackers, generally acting on behalf of governments. Long-term persistence is not an attribute that normally characterizes the "common hacker", and that is why we speak of a higher degree of sophistication, and of the more principled, structured and diligent approach encountered in recent attacks on financial institutions.
Kaspersky also mentions two similar examples of advanced persistent threat (APT) techniques employed by hackers against financial institutions.
A group of hackers using the GCC compiler to create malware, hence dubbed the GCMAN group, used a technique similar to the one seen in the Metel case: the group first infiltrated the financial institution's network through spear-phishing emails, then carried out a long, patient "exploration" of that same network using legitimate software, and finally launched its attack with automated scripts that transferred funds to a fictitious account, a so-called "mule". It is nothing more and nothing less than a work of art, like that of a feline patiently waiting for the right moment to pounce on its prey.
A more recent case features the Carbanak 2.0 malware, which was ultimately used to edit the ownership details of a big company so that a money "mule" appeared as one of the shareholders.
All three gangs named here appear to be still active, and records show that between them they have attacked 29 different organizations in Russia. Kaspersky Lab, nonetheless, asserts that the number of victims is probably higher.