According to the experts at root9B - a cybersecurity firm populated by former State Department and Defense Department workers - an alleged Russian cybercrime gang is gearing up for a major attack on U.S. banking institutions. The group has been known under such names as APT28 and Pawn Storm over the last seven or eight years, and is believed to be possibly linked to Russian intelligence services.
According to experts, the attack “is still in the preparatory stages” and has been in the works “for nearly a year,” since around June 2014, root9B says.
The group's primary malware tool is a backdoor program called Sednit or Sofacy. It leverages the increasingly popular spear phishing attack method and drive-by downloads launched from compromised websites to get at enterprise computers. The banks that were apparently set to be targeted were Bank of America, Regions Bank, TD Canada Trust, Commercial Bank International in the UAE and Germany's Commerzbank. UNICEF and United Bank for Africa were also alleged planned targets.
"We've spent the past three days informing the proper authorities in Washington and the UAE,” Eric Hipkins, root9B chief executive officer noted.
Root9B analysts discovered the larger scheme a few weeks ago after finding a phishing domain that was similar to that of a Middle Eastern financial institution, according to a report published Tuesday. A closer investigation turned up a new version of the Sofacy malware samples as well as a series of servers and domains that may been being prepared for a large scale operation. Sofacy is one of the names for APT28, as the malware found is their "signature."
Root9B has released hashes for the new malware samples it has found as well as the IP address of a command-and-control server set up by the attackers which will make it easy for potential targets to block the cybercrime group from access.
Root9B also suspects that the APT28 group may have subdivided into two groups - one focused on miliatry and government targets, the other focused on banks and FIs.