But experts expect renewed attacks from a younger generation of hackers.
Over the past year, the two most dangerous Russian-speaking hacker groups have almost stopped attacking Russian banks and have concentrated on foreign ones. Damage from targeted attacks on credit institutions fell 14-fold.
Hackers from Russian-speaking groups have almost stopped attacking Russian banks and have switched to foreign credit institutions, according to the annual Hi-Tech Crime Trends 2019 report (covering the second half of 2018 and the first half of 2019) from Group-IB, a company specializing in cybersecurity.
"Until 2018, Russian-speaking groups attacked banks in Russia and the CIS more often, but over the past year this trend has changed dramatically. Now attackers focus mainly on foreign banks and organizations," the authors of the report note.
As a representative of Group-IB explained to RBC, new groups "often start working in their own region: this was the case with Cobalt and with Silence in Russia, and it is happening now with SilentCards in Africa." The "home" regions serve as a testing ground for them: having worked out their techniques, they move on. "For example, the same 'Russian-speaking troika' has focused on targets in Asia, Africa, Europe and America," he added.
A representative of Kaspersky Lab confirms this trend. "Attackers have switched to countries that are less protected (Eastern Europe, the CIS, Asia and so on)," he notes.
Where and how "Russian" hackers attack banks
In total, there are five groups in the world that pose a real danger to the financial sector, the experts write: three of them (Cobalt, Silence, MoneyTaker) are classified as Russian-speaking, and the other two are the North Korean group Lazarus and the Kenyan group SilentCards. During the study period, Cobalt and Silence each conducted only one confirmed successful attack on Russian banks and concentrated on foreign targets, which led to a multiple reduction in the damage they caused in the Russian sector, the report says. MoneyTaker attacked twice (in the second case, the damage was prevented).
Cobalt robbed a Russian bank in September 2018 (its name and the amount of damage were not disclosed); another attack was launched in November, but its outcome is unknown. In February 2019, Silence managed to steal 25 million rubles from Omsk IT Bank; the money was withdrawn through the Central Bank's payment system, Kommersant wrote. In July 2018, MoneyTaker stole more than 58 million rubles from Moscow's PIR Bank; the money was withdrawn from the bank's correspondent account with the Bank of Russia. The second attack by this group, on a bank whose name is not given in the report, was repelled in April 2019.
For comparison: in the reporting period Silence conducted seven attacks on foreign banks, in India, Costa Rica, Bangladesh, Bulgaria, Chile and Ghana. At least two of them were successful: one on Bangladesh's Dutch-Bangla Bank in May 2019, the other on an unnamed bank in Costa Rica in April 2019. To break into banks, this group sends phishing emails carrying malicious code to bank employees. The money is then stolen through ATMs that have previously been infected with malware, as well as through the bank's card management system.
Cobalt robbed at least two foreign banks: in July 2018 in Bulgaria and in November 2018 in Georgia (other cases may be unknown because of the lack of reporting procedures in the attacked regions). To attack banks, the group actively uses phishing emails sent in the name of well-known financial institutions and payment vendors.
In October 2018, Group-IB experts recorded an attack launched from subdomains of the Russian state portal, as a result of which one of the banks in the CIS was robbed. Since January 2019, Cobalt has been using a new scheme for distributing malicious code: sending letters in the name of people well known in financial circles. For theft, Cobalt uses the international financial messaging system SWIFT, local interbank transfer systems, card processing, and the payment gateways of instant money transfer systems.
"Silence, MoneyTaker and Cobalt will most likely continue their geographic expansion, increasing the number of attacks outside Russia. To withdraw money, they will use attacks on card processing systems and trojans for ATMs. SWIFT will be much less likely to fall into the focus of these groups," the authors of the report predict.
But "a new generation of hackers will soon grow up, who will again begin by launching attacks on banks 'at home,'" a Group-IB representative predicts. Experts are already recording an increase in the number of Russian-speaking young people who are, for now, engaged in "harmless attacks."
What is the damage from cyberattacks in Russia
In the Russian financial sector, damage from all types of fraud has decreased. The volume of this market for the year fell by 85%, to 510 million rubles.
PC viruses. Damage fell by 89%, to 62 million rubles. Russian-speaking hackers have almost stopped creating new trojans for PCs, through which they steal money from banks. Only two groups remain that steal money in Russia using this method, Buhtrap2 and RTM. Only the latter is active, and its victims are mainly clients of weakly protected banks.
Android trojans. The amount stolen fell by 43%, to 110 million rubles. The number of groups using these trojans in Russia decreased from eight to five. At the same time, the trojans responsible for the largest number of fraudulent transactions stopped operating.
Financial phishing. Damage decreased by 65%, to 87 million rubles. Fifteen groups stopped earning from phishing attacks, and 11 remain active.
Damage from targeted attacks by hacker groups on banks for the year (July 2018 to June 2019) decreased 14-fold compared with the previous period, to 93 million rubles. The average amount stolen per attack fell by 73%, from 118 million to 31 million rubles.
Group-IB experts also include in the market volume the money that hackers spend on cashing out. During the reporting period, they allocated 158.1 million rubles for this, 85% less than a year earlier.
"The decrease in the economic efficiency of these types of attacks is forcing fraudsters to look for new ways to make money on bank card data. As a result, fraud using social engineering techniques has come out on top in terms of the extent of threat spread in Russia," Group-IB experts conclude. Fraudsters create fake bank accounts on social networks, call bank customers pretending to be employees of credit institutions, and use other social engineering methods.
According to the Bank of Russia, in 2018, 97% of all unauthorized transfers from payment cards were carried out using social engineering. Fraudsters communicate with customers under the guise of bank employees through every possible channel: telephone, instant messengers, social networks. To be convincing, they use customers' personal data, which is sold on the Internet. In total, in the first half of 2019 about 1,500 announcements offering databases of financial institutions' clients for sale were posted online.
In recent years, businesses in Russia have become better at defending themselves against attacks, and companies spend more on cybersecurity, the Group-IB representative notes: "All this has led to a situation in which attacking in Russia is not so simple. Only experienced attackers continue their activities against large businesses in the Russian Federation. At the same time, these threats are still relevant for medium and small businesses."