For much of the time, cybersecurity researchers can find themselves limited to informed speculation and assessment about the sort of activity that cybercriminals perform, prior to launching a large cyber-theft operation. We believe that they will be performing reconnaissance on employees at the bank, particularly those in privileged positions linked to the payment and IT platforms, but some of the more precise details are limited. However, every now and again, information will be leaked which can provide some unique insight into the activities of cybercriminal groups and what they look for in a victim.

In July 2018, a user on a hacking forum leaked a set of documents and source code linked to the theft of money from financial services entities in Russia. The user initially indicated that these were linked to the Carbanak group (and may even have contained a sample of the Carbanak malware); however, subsequent analysis has indicated that the package is linked to a variant of the Buhtrap malware, dubbed Ratopak.

While there has been considerable discussion about the source code and operation of the malware, perhaps more interesting are the clues that can be found in other files, offering a snapshot of historic intelligence gathering and knowledge sharing that was happening between the malware operators. This provides a unique insight into the scope of their operations, as well as the information considered valuable for perpetrating thefts.

Files within the leak were organised into four folders:
The folder of interest to us is cvs_banks which contains 20 files in assorted formats (csv, doc, xls, txt) and an info.txt file in the main directory. The documents are fairly disorganised but reflect a strong focus on the targeting of Russian banking employees and evading automated anti-fraud measures. Details of some of the documents are outlined below:
Together, the files confirm the belief that attackers are willing to put many hours into the gathering and collation of personal information for thousands of banking employees, and into identifying people who are directly responsible for the systems they’re looking to manipulate. The information also appears to be kept by hackers for considerable lengths of time – filenames and properties indicate that data was collected from 2013-2015 – but such information is likely to retain its value for quite some time.

We know that hackers are going to be reviewing our organisations’ open-source profiles, seeking to identify the most valuable targets and tailor their attacks to their profiles. This can be seen in a report by Symantec which appears to describe an attack perpetrated by the group behind the Ratopak malware in this dump. Educating employees about the dangers of phishing, and of revealing inappropriate amounts of information on corporate networking sites, is something which will have to continue into the foreseeable future. Reviews of a company’s online threat landscape are also useful exercises for identifying the scope of information which has been made available about it in open sources. When rigorously assessed, this information can be framed in the context of how an attacker could use it to target the organisation, then prioritised and remediated.