Group-IB: Russian Cyber Criminals Manipulated Ruble Rate

Published: 10 February 2016

(Image Credit: Perspecsys Photos via Flickr)

By Stella Roque

Cybersecurity firm Group-IB published a report detailing how cyber criminals accessed terminals of a Russian foreign exchange (FOREX) trading system and made trades worth more than US$ 400 million in February 2015.

According to the report, a team of Russian-speaking cyber criminals, possibly colluding with unidentified brokerage firms, used a trojan called Corkow (also known as Metel) to loot the trading systems. The malware constantly updated itself to avoid detection by antivirus programs and gave the criminals remote access to the trading systems.

The trading systems belonged to Kazan-based Energobank, Group-IB told Bloomberg. They did not identify the individual attackers but said the sudden volatility on the FOREX alerted the Russian Central Bank to investigate possible market manipulation.

The Moscow Exchange reported it was not attacked in the February 2015 incident, according to Bloomberg. The Russian Central Bank found no evidence of currency market manipulation in a separate probe, suggesting traders’ mistakes may have caused the strange fluctuations.

Using Corkow, the criminals bought US dollars with rubles on behalf of the bank. The attack lasted only 14 minutes, after which one of the criminals commanded Corkow to delete itself from the system along with any traces of its activity.

The report concluded that the criminals would have needed US$ 22 million to make the trades, suggesting they conspired with major brokerage clients to have the cash to buy and sell currency on the FOREX.

Experts at Group-IB believed the incident was a “test” to assess the trojan’s ability to affect the market and make money. They claimed many traders profited from market volatility that the attack created while the cyber criminals allegedly received nothing.

Group-IB added they did not believe intelligence services were involved in the attacks.

In August 2015, Group-IB found the same trojan malware was used to attack bank card systems at 250 ATMs. Hundreds of millions of rubles were stolen via ATMs by the criminals.

As of early 2015, the criminals controlled over 250,000 infected devices worldwide, a network known as a botnet. More than 100 financial institutions were infected and co-opted onto the network.

The firm noted that most of the computers infected were connected to “highly protected” internal networks and had popular antivirus software installed.

Cyber criminals are showing greater interest in trading and brokerage systems, as evidenced by the specific malware they used, according to Group-IB. They have primarily targeted companies in Russia and the former Soviet republics, although attacks targeting the United States have increased fivefold since 2011.