The markets are in danger. We’ve seen market manipulation in cyber activities ranging from mining operations to ships being held at sea. As well, last night I proofed a report suggesting direct access to an overseas stock exchange. Fraud is rampant, but now attackers are testing direct market manipulation. It was only a matter of time.
Group-IB recently reported what it claims is the first documented case of hackers directly attacking a trading system to change prices and increase volatility. Over $400M in sales executed on that day in 2015 resulted in $3.2M in direct losses to the affected bank. While the primary target of the Corkow/Metel trojan was Russia, infections in the US were growing fast too.
Damages?
· Direct losses due to malicious trades ($3.2M)
· Initial investigation by the country's authorities, who thought the bank was manipulating the market
· Loss of trust from partners who thought the bank was covering its own technical trading mistakes. Information about the breach may cause some reputational cost as well.
Possible benefit scenarios for hackers:
· Direct purchases/sales on their own capital (according to Group-IB, this was not the case this time)
· Direct connections with traders who executed trades after the hackers changed prices (according to Group-IB, this was not the case this time)
· An indirect and difficult-to-detect play on the futures market, which in this case allows multiplying capital up to 20-fold
· Executing an order from competitors, or having a self-interest in hurting the affected financial institution
· As a step in an extortion scheme
Details:
“In February 2015 the first major successful attack on a Russian trading system took place, when hackers gained unsanctioned access to trading system terminals using a Corkow Trojan, resulting in trades of more than $400 million. The criminals made purchases and sales of US dollars in the Dollar/Ruble exchange program on behalf of a bank using malware. The attack itself lasted only 14 minutes; however, it managed to cause high volatility in the exchange rate of between 55 - 62 (Buy/Sell) rubles per 1 dollar instead of the 60 - 62 stable range. Losses to the financial institution were estimated in the millions. To conduct the attack criminals used the Corkow malware, also known as Metel, containing specific modules designed to conduct thefts from trading systems, such as QUIK operated by ARQA Technologies and TRANSAQ from ZAO “Screen market systems”. Corkow provided remote access to the ITS - Broker system terminal by «Platforma soft» Ltd., which enabled the fraud to be committed.
In August 2015 a new incident related to the Corkow (Metel) Trojan was detected: an attack on a bank card system, which included about 250 banks that used the bank card system to service cash withdrawals from Visa and MasterCard cards under a special tariff. This attack resulted in hundreds of millions of rubles being stolen via ATMs of the system's members.
[Figure: Timeline of the attack]
According to Group-IB statistics, as of the beginning of 2015 this botnet encompassed over 250,000 infected devices worldwide, including infecting more than 100 financial institutions, with 80% of them from the top 20 list. Hackers target primarily companies in Russia and CIS countries, though it is noticed that the amount of attacks targeting the USA has increased 5 times since 2011. Antiviruses are not capable of effectively preventing these threats. The majority of computers infected by this malware have antivirus installed and active. The Trojan can stay undetected in the system for more than 6 months.
In 2014 Corkow had a QUIK v.1.0. module for collecting data from the Quik trading software developed by ARQA Technologies. In 2015 Corkow’s developers updated the QUIK module to v.1.1. and released another module, TRZQ v.1.0., to copy information from the trading system’s application TRANSAQ developed by ZAO «Screen market systems». The re-development of the old QUIK module and development of the new TRANSAQ module show the Corkow group’s continued interest in targeting trading systems.
The attack itself lasted only 14 minutes, during which all losses were sustained; however, the preparations for this intrusion took a much longer time. Hackers gained access to a computer in the trading system in September 2014. From this time the Trojan was functional and constantly updated itself to avoid detection by the antivirus software installed at the bank, which was in functioning order. As of the Group-IB investigation of this malware program in March 2015, Corkow v.7.118.1.1 had not been detected by a single antivirus program. Starting in December 2014, the criminal group began running keyloggers in the infected system. On the 27th of February, 2015 Corkow provided remote access to the trading system, which enabled the hackers to launch programs and enter data at the same time as the system operator did.”
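The Group-IB description above gives a defender the shape of the signal to look for: one compromised terminal submitting a burst of large buy and sell orders within minutes, filled at prices outside the day's stable band. The following script is an added example, not code from this post or from Group-IB. It assumes a constructed, hypothetical trade-log format (timestamp, terminal id, side, rubles-per-dollar price, USD notional), takes the morning session as the trusted baseline for the price band, and groups each terminal's orders into bursts by inactivity gap, flagging bursts that combine large notional with off-band fills. The thresholds (5-minute gap, $100M notional) are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Trade:
    ts: datetime
    terminal: str   # trading terminal / session that submitted the order
    side: str       # "BUY" or "SELL" (USD against RUB)
    price: float    # rubles per dollar
    usd: float      # notional in US dollars


# Constructed sample log (hypothetical format, not real exchange data): a quiet
# session inside the 60-62 band, then a 14-minute burst from terminal T07 at
# prices well outside it, mixing buys and sells as in the incident described.
SAMPLE_LOG = """\
2015-02-27T10:00:00 T01 BUY  60.50 1000000
2015-02-27T10:05:00 T02 SELL 60.80 2000000
2015-02-27T10:20:00 T01 SELL 61.20 1500000
2015-02-27T11:00:00 T03 BUY  61.50 1000000
2015-02-27T12:00:00 T02 BUY  60.90 500000
2015-02-27T14:00:00 T07 SELL 58.00 60000000
2015-02-27T14:03:00 T07 SELL 56.50 80000000
2015-02-27T14:07:00 T07 BUY  55.10 120000000
2015-02-27T14:10:00 T07 BUY  62.00 90000000
2015-02-27T14:14:00 T07 SELL 61.80 70000000
2015-02-27T15:00:00 T01 BUY  61.00 1000000
"""

# Assumption: prices seen before this time define the trusted "stable range".
# In production the band would come from independent market data, not from
# the terminals being monitored.
BASELINE_UNTIL = datetime(2015, 2, 27, 13, 0)


def parse_log(text):
    """Parse the whitespace-separated log into Trade records sorted by time."""
    trades = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, side, price, usd = line.split()
        trades.append(Trade(datetime.fromisoformat(ts), terminal, side,
                            float(price), float(usd)))
    return sorted(trades, key=lambda t: t.ts)


def baseline_band(trades, until):
    """Return (low, high) of prices observed before `until`."""
    prices = [t.price for t in trades if t.ts < until]
    return min(prices), max(prices)


def cluster_by_terminal(trades, max_gap):
    """Group each terminal's time-sorted trades into bursts: consecutive
    orders no more than `max_gap` apart land in the same cluster."""
    runs_by_terminal = {}
    for t in trades:
        runs = runs_by_terminal.setdefault(t.terminal, [])
        if runs and t.ts - runs[-1][-1].ts <= max_gap:
            runs[-1].append(t)
        else:
            runs.append([t])
    return [run for runs in runs_by_terminal.values() for run in runs]


def find_anomalous_bursts(trades, band, max_gap=timedelta(minutes=5),
                          min_notional_usd=100_000_000):
    """Flag bursts whose total notional is large and that contain at least
    one fill outside the baseline band. Thresholds are illustrative."""
    lo, hi = band
    alerts = []
    for cluster in cluster_by_terminal(trades, max_gap):
        notional = sum(t.usd for t in cluster)
        off_band = [t for t in cluster if not lo <= t.price <= hi]
        if notional >= min_notional_usd and off_band:
            # the fill farthest outside the band, in either direction
            worst = max(off_band, key=lambda t: max(lo - t.price, t.price - hi))
            span = cluster[-1].ts - cluster[0].ts
            alerts.append({
                "terminal": cluster[0].terminal,
                "start": cluster[0].ts.isoformat(),
                "duration_min": int(span.total_seconds() // 60),
                "orders": len(cluster),
                "notional_usd": notional,
                "off_band_trades": len(off_band),
                "worst_price": worst.price,
                "sides": sorted({t.side for t in cluster}),
            })
    return alerts


if __name__ == "__main__":
    trades = parse_log(SAMPLE_LOG)
    band = baseline_band(trades, BASELINE_UNTIL)
    for alert in find_anomalous_bursts(trades, band):
        print(alert)
```

Run as-is, the script reports a single burst from T07: 5 orders in 14 minutes, $420M notional, every fill outside the 60.50-61.50 baseline, with buys and sells mixed. Requiring both a notional spike and off-band prices keeps a legitimate large block trade at market price, or a single fat-finger fill, from firing the rule; a real deployment would also correlate the burst with host telemetry from the terminal, since the report notes that the trojan drove the terminal concurrently with the legitimate operator.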
Previously, hackers from Ukraine gained access to unpublished stock reports and used that information in cooperation with some brokers.
Ivan Turchynov and Oleksandr Ieremenko, two Ukrainian hackers, were indicted on 10 August 2015 for the $100 million insider trading scheme that relied on stealing unpublished press releases. These hackers likely penetrated financial and media databases for years and are likely sophisticated programmers who were very active in the Russian and Ukrainian hacker communities prior to the 2010 breach. Wapack Labs analysts were able to identify these individuals on the Ukrainian Internet as well as connections and possible co-conspirators who may have researched the targets.
One of the companies named in the SEC complaint concerning the Ukrainian hackers DSU and Lamarez sharing stolen unpublished press releases with traders is Exante LTD. This company was registered in Malta by three Russians, Knyazev, Maslyakov and Kirienko, with backgrounds in markets and IT. One of the most unusual of Exante's projects was Bitcoin Fund, an ability to invest in Bitcoins. At its peak Bitcoin Fund had up to $100M (92,000 BTC). And coincidentally(?) they sold their Bitcoin investments, and recommended the same to their clients, at the very peak of the Bitcoin price.
One of those attackers, Oleksandr Ieremenko (Alexander Eryomenko, AKA “Lamarez”, “Zl0m”, “Ded.Mcz” and “Sh..)”, is the domain registrant for a Black Energy malware command and control domain.