Saturday, February 13, 2016

Russian hackers tested manipulation of exchange rates by hacking into a bank's trading system

The markets are in danger. We’ve seen market manipulation in cyber activities ranging from mining operations to ships being held at sea. As well, last night I proofed a report suggesting direct access to an overseas stock exchange. Fraud is rampant, but now attackers are testing direct market manipulation. It was only a matter of time.

Group-IB recently reported [1] on what it claims is the first documented case of hackers directly attacking a trading system to change prices and increase volatility. Over $400M in trades executed on that day in 2015 resulted in $3.2M of direct losses to the affected bank. While the Corkow/Metel trojan primarily targets Russia, infections in the US were growing fast too.

Damages?

·       Direct losses due to malicious trades ($3.2M)
·       Initial investigation by the country's authorities, who thought the bank was manipulating the market
·       Loss of trust from partners who thought the bank was covering up its own technical trading mistakes. Public information about the breach may carry a reputational cost as well.

Possible benefit scenarios for hackers:

·       Direct purchases/sales with their own capital (according to Group-IB, this was not the case here)
·       Direct connections with traders who executed trades after the hackers moved the prices (according to Group-IB, this was not the case here)
·       An indirect and hard-to-detect play on the futures market, which in this case could multiply capital up to 20-fold
·       Executing an order from a competitor, or having a self-interest in hurting the affected financial institution
·       As a step in an extortion scheme

Details:

In February 2015 the first major successful attack on a Russian trading system took place: hackers gained unsanctioned access to trading system terminals using the Corkow Trojan, resulting in trades of more than $400 million. Using the malware, the criminals made purchases and sales of US dollars in the Dollar/Ruble exchange program on behalf of a bank. The attack itself lasted only 14 minutes; however, it caused high volatility in the exchange rate, which swung between 55 and 62 (buy/sell) rubles per dollar instead of the stable 60 - 62 range. Losses to the financial institution were estimated in the millions. To conduct the attack the criminals used the Corkow malware, also known as Metel, which contains specific modules designed to conduct thefts from trading systems such as QUIK, operated by ARQA Technologies, and TRANSAQ from ZAO “Screen market systems”. Corkow provided remote access to the ITS-Broker system terminal by «Platforma soft» Ltd., which enabled the fraud to be committed.


Timeline of the attack
In August 2015 a new incident related to the Corkow (Metel) Trojan was detected: an attack on a bank card system used by about 250 banks to service cash withdrawals from Visa and MasterCard cards under a special tariff. This attack resulted in hundreds of millions of rubles being stolen via the ATMs of the system's members.

According to Group-IB statistics, as of the beginning of 2015 this botnet encompassed over 250,000 infected devices worldwide, including more than 100 infected financial institutions, 80% of them from the top-20 list. The hackers primarily target companies in Russia and CIS countries, though the number of attacks targeting the USA has increased 5-fold since 2011. Antivirus products are not capable of effectively preventing these threats: the majority of computers infected by this malware have antivirus installed and active, and the Trojan can stay undetected in the system for more than 6 months.

In 2014 Corkow had a QUIK v.1.0 module for collecting data from the QUIK trading software developed by ARQA Technologies. In 2015 Corkow’s developers updated the QUIK module to v.1.1 and released another module, TRZQ v.1.0, to copy information from the TRANSAQ trading application developed by ZAO «Screen market systems». The re-development of the old QUIK module and the development of the new TRANSAQ module show the Corkow group’s continued interest in targeting trading systems.

The attack itself lasted only 14 minutes, during which all losses were sustained; however, the preparations for this intrusion took much longer. The hackers gained access to a computer in the trading system in September 2014. From that time the Trojan was functional and constantly updated itself to avoid detection by the antivirus software installed at the bank, which was in working order. As of Group-IB's investigation of this malware program in March 2015, Corkow v.7.118.1.1 had not been detected by a single antivirus program. Starting in December 2014, the criminal group began running keyloggers on the infected system. On the 27th of February 2015 Corkow provided remote access to the trading system, which enabled the hackers to launch programs and enter data at the same time as the system operator did.
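As an added illustration (this is not code from the original post or from the Group-IB report), the Python sketch below shows the kind of check a bank's own trade surveillance could run over a terminal's order log to catch a burst like the one described above: a few minutes of unusually large orders priced well outside the band the same terminal traded in shortly before. The log format, the sample trades, and the thresholds (a 1% band tolerance, a 5-minute gap, 3 trades and $50M of volume) are constructed assumptions for the example, not figures from the report. One caveat follows directly from the attack described: since Corkow had remote access to the terminal itself, a check like this is only worth anything if it runs on the broker or exchange side, or on a logging path the compromised terminal cannot tamper with.

```python
from datetime import datetime, timedelta

# Constructed sample order log for one trading terminal (USD/RUB), in the
# assumed shape "<ISO timestamp> <side> <price RUB per USD> <volume USD>".
# These lines are made up for the example; they are not data from the report.
SAMPLE_FEED = """\
2015-02-27T13:00:05 BUY 60.85 1500000
2015-02-27T13:01:40 SELL 61.10 2000000
2015-02-27T13:03:12 BUY 60.95 1000000
2015-02-27T13:05:30 SELL 61.30 1800000
2015-02-27T13:08:02 BUY 61.05 1200000
2015-02-27T13:10:45 SELL 61.20 900000
2015-02-27T13:12:11 BUY 55.20 25000000
2015-02-27T13:12:38 BUY 55.40 30000000
2015-02-27T13:13:02 SELL 62.10 20000000
2015-02-27T13:13:55 BUY 55.60 35000000
2015-02-27T13:14:47 SELL 61.95 15000000
2015-02-27T13:15:20 BUY 55.90 40000000
2015-02-27T13:30:00 SELL 61.15 1100000
"""


def parse_trade(line):
    """Parse one log line into (timestamp, side, price, volume_usd)."""
    ts, side, price, volume = line.split()
    return datetime.fromisoformat(ts), side, float(price), float(volume)


def baseline_band(trades, tolerance=0.01):
    """Price band the terminal traded in during a calm reference period,
    widened by `tolerance` (1% by default) on each side."""
    prices = [price for _, _, price, _ in trades]
    return min(prices) * (1 - tolerance), max(prices) * (1 + tolerance)


def detect_bursts(feed, warmup=6, window=timedelta(minutes=5),
                  min_trades=3, min_volume_usd=50e6):
    """Return bursts of off-band trading: runs of trades priced outside the
    baseline band, each within `window` of the previous one, that together
    reach both `min_trades` and `min_volume_usd`. The first `warmup` trades
    are assumed calm and define the band."""
    trades = [parse_trade(line) for line in feed.strip().splitlines()]
    lo, hi = baseline_band(trades[:warmup])

    # Group off-band trades into runs separated by gaps longer than `window`.
    runs = []
    for ts, side, price, volume in trades[warmup:]:
        if lo <= price <= hi:
            continue  # normal price, ignore
        if runs and ts - runs[-1][-1][0] <= window:
            runs[-1].append((ts, side, price, volume))
        else:
            runs.append([(ts, side, price, volume)])

    bursts = []
    for run in runs:
        total = sum(volume for _, _, _, volume in run)
        if len(run) >= min_trades and total >= min_volume_usd:
            bursts.append({
                "start": run[0][0],
                "end": run[-1][0],
                "trades": len(run),
                "volume_usd": total,
                "min_price": min(price for _, _, price, _ in run),
                "max_price": max(price for _, _, price, _ in run),
                "band": (round(lo, 2), round(hi, 2)),
            })
    return bursts


if __name__ == "__main__":
    for burst in detect_bursts(SAMPLE_FEED):
        print(f"ALERT {burst['start']:%H:%M:%S}-{burst['end']:%H:%M:%S}: "
              f"{burst['trades']} off-band trades, "
              f"${burst['volume_usd'] / 1e6:.0f}M, "
              f"price {burst['min_price']}-{burst['max_price']} "
              f"vs band {burst['band']}")
```

On the constructed feed this flags a single burst from 13:12:11 to 13:15:20 of six trades and $165M, priced 55.20 to 62.10 against a band of roughly 60.24 to 61.91, while the lone in-band trade at 13:30 is ignored. A real deployment would derive the band from the market rather than from the terminal's own earlier trades, since the attacker's orders also move the reference price.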
  
Previously, hackers from Ukraine gained access to unpublished stock reports and used that information in cooperation with some brokers.

Ivan Turchynov and Oleksandr Ieremenko, two Ukrainian hackers, were indicted on 10 August 2015 for a $100 million insider trading scheme that relied on stealing unpublished press releases. These hackers likely penetrated financial and media databases for years and are likely sophisticated programmers who were very active in the Russian and Ukrainian hacker communities prior to the 2010 breach. Wapack Labs analysts were able to identify these individuals on the Ukrainian Internet, as well as connections and possible co-conspirators who may have researched the targets.

One of the companies named in the SEC complaint concerning the Ukrainian hackers DSU and Lamarez sharing stolen unpublished press releases with traders is Exante LTD. This company was registered in Malta by three Russians, Knyazev, Maslyakov and Kirienko, with backgrounds in markets and IT. One of Exante's most unusual projects was the Bitcoin Fund, which offered the ability to invest in Bitcoin. At its peak the Bitcoin Fund held up to $100M (92,000 BTC). And, coincidentally(?), they sold their Bitcoin holdings and recommended the same to their clients at the very peak of the Bitcoin price.

One of those attackers, Oleksandr Ieremenko (Alexander Eryomenko, AKA “Lamarez”, “Zl0m”, “Ded.Mcz” and “Sh..”), is the domain registrant for a BlackEnergy malware command-and-control domain.

[1] www.group-ib[.]ru/brochures/Group-IB-Corkow-Report-EN.pdf