Hackers used malware to penetrate the defenses of a Russian regional bank and move the ruble-dollar rate more than 15 percent in minutes, according to a Moscow-based cybersecurity firm hired to investigate the attack.
Russian-language hackers deployed a virus known as the Corkow Trojan to infect Kazan-based Energobank and place more than $500 million in orders at nonmarket rates in February 2015, Group-IB told Bloomberg News, without identifying individuals behind the attack. The resulting rate swing prompted a Russian central bank investigation into potential market manipulation.
Malicious software of the type used in the attack can open a back door into computers via seemingly legitimate websites or files and then force them to carry out hackers' orders. Corkow, which regularly updates itself to evade detection by anti-virus programs, has infiltrated 250,000 computers worldwide and infected more than 100 financial institutions, according to Group-IB, which investigated the attack on behalf of Energobank.
"This is the first documented attack using this virus and it has potential to do much more damage," Dmitry Volkov, the head of Group-IB's cybersecurity department, said by phone.
The Moscow Exchange has said its currency market systems were not hacked in the Feb. 27 attack. In a separate investigation, the central bank said it found no evidence of currency market manipulation, noting the fluctuations could have been caused by traders' mistakes.
The volatility lasted 14 minutes and caused the exchange rate to swing between 55 and 66 rubles per dollar, which "significantly differed from the prevailing market rate," the central bank said in a statement on Dec. 17.
Energobank claimed losses of $3.2 million attributed to the trades, Vedomosti newspaper reported last year, citing a suit the lender filed in a Kazan court. There is no evidence that the hackers profited from the operation, and it may have been a test to prepare for future attacks, according to Group-IB.
Energobank, the exchange and the central bank did not respond to emailed queries.
The virus was also used in an attack on a Russian bank-card system that resulted in hundreds of millions of rubles being stolen via ATMs in August, Group-IB said. Corkow infected a Russian bank network via email, Moscow-based security firm Kaspersky Lab said in a statement Monday. The anti-virus maker declined to identify the lender because of a nondisclosure agreement.
The malware, created by the Metel criminal group, allowed the bank's card-holders to make withdrawals at ATMs belonging to other lenders without drawing down their balance, allowing for multiple transactions over the course of a single night.
Metel is only known to be active in Russia, although it may present a threat to financial institutions around the world, according to Kaspersky Lab.
Business on 02/10/2016