It starts with an email… How a hacking gang has stolen $17 million from banks and retailers since 2013

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

It starts with an email... How a hacking gang has stolen $17 million from banks and retailers since 2013

Researchers at Group-IB and Fox-IT have today published a detailed report, exploring a Russian hacking gang called Anunak which has successfully stolen over one billion rubles ($17 million) from the banking industry and Western retailers.

What sets the Anunak gang apart from other groups attacking online banks is that its aim is not to steal money from customers, but instead from the banks themselves by targeting e-payment systems. In addition, warns the report, when government networks are compromised the gang uses its infrastructure for espionage.

According to the report, the Anunak hackers have successfully penetrated the internal networks of more than 50 Russian financial institutions and five payment systems since 2013, even managing to install malware on ATM management infrastructure that assists theft from cash machines.

Sign up to our free newsletter.
Security news, advice, and tips.

And the attacks haven’t stopped there. This year the Anunak hacking crew’s activities have intensified and broadened – showing an active interest in compromising the POS systems of US and European retailers, stealing payment card information.

According to the researchers, the attacks’ begin quietly, without drawing attention to themselves, with a simple email being sent to a targeted employee.

Malicious email 800

In the above example, the attached file exploits security vulnerabilities in Microsoft Word to infect the recipient’s computer.

Once infected with malware, the attackers attempt to grab passwords belonging to users with admin rights – such as those belonging to a tech support engineer.

The attack then escalates, having gained access to one server, the hackers move up the network, gaining access to the domain controller, and email and workflow servers, before opening remote access to the server and making changes to the firewall’s configuration.

Creepily, the hackers are said to have even been able to record videos of the actions of key employees, to understand how their work was organised.

According to the report, the average time it would take the hacking group to steal money after initially gaining access to the internal network was 42 days.

Andy Chandler of Fox-IT says that the Anunaka hacking gang appears to be one of the most efficient ever seen:

“In our experience the scale of growth and diversity of this attack against Russian Banks, US retailers and western businesses with high levels of IP makes this one of the most financially successful cyber gangs we have seen.

“We have seen criminals branching out for years, for example with POS malware. Anunak has capabilities which pose threats across multiple continents and industries. It shows there’s a grey area between APT and botnets. The criminal’s pragmatic approach once more starts a new chapter in the cybercrime ecosystem.”

Although not confirmed in Group-IB and Fox-IT’s report, a Forbes article claims that an unnamed source has linked the gangs to high profile attacks against Staples, women’s clothier Bebe and western-wear company Sheplers.

This video explains how hacking gangs can monetise stolen credit card information:

How the Stolen Credit Card Market Works

One curious aspect is that it appears retailers in Russia are not targeted by the Anunak hackers, although financial institutions are. Could there be a reason why the hackers feel more comfortable not targeting retailers on their doorstep?

It would be easy to speculate that the hackers are wary of poking a grizzly bear on their own doorstep because of potential repercussions, and so avoid hacking local retailers, but that doesn’t explain why they seem to be so unworried about earning the wrath of Russian financial institutions.

You can read the full report into the Anunak hacking gang’s activities here [PDF].


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.