Page 8 - Cyber Warnings

These steps were actually taken in another attack in recent memory. In 2011, the European
Carbon Credit trading system was shut down for a few months after the Nimkey gang targeted
specific traders in carbon credits – a CO2 emission permit – and stole millions of Euros worth of
permits from multiple targets.

Nimkey was a Trojan horse with a very limited number of victims – measured in thousands –
and the fact that many of them were traders in carbon credits suggests it was far from a
random attack. It was highly targeted: first the employees were selected, then they received
spear phishing emails, their PCs were compromised, and the attacker used those PCs to access the
emission registries and move millions of Euros in CO2 emission permits.


RATting in

Once the specific employee’s computer was compromised, the next step was most probably to
install a Remote Administration Tool that allows free access as long as the computer is
connected to the Internet.

Then, the attackers had one of two options: either use the RAT to send commands into the
network, typically leading to privilege escalation and lateral movement until the right resource
was compromised; or directly control an application installed on the user’s computer, which is
what they would have had to do anyway if a payment application required the transaction to
come from a trusted device, one that has a certain certificate, device fingerprint, or other
device-based control.



The RAT console operated by an attacker shows everything the user does on the compromised
computer, including using the mic and camera, capturing screenshots, opening applications,
moving the user’s mouse and commanding their keyboard, and so on, just like a helpdesk would. Of
course, unlike in a helpdesk scenario, the end user won’t see any of that on screen and doesn’t
need to grant special permissions: the malware is designed to be covert.


Submitting wire transfers

And so, using a RAT, the hackers were able to follow the bank employee’s activities. They
understood how the SWIFT system is used, stole the credentials, and then did the same thing
remotely, moving money to a destination account they controlled.

That’s actually the easiest part of this heist. The attackers set up 35 requests totaling $951
million, and waited.

A few of the wires – totaling $81 million – went through, but the rest were fortunately stopped after
someone in Deutsche Bank, a routing bank, was worried about a typo in the beneficiary’s name
(fandation instead of foundation) and made some inquiries. Suspicion about the transfers rose
and subsequent ones were stopped.
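As an added example (not code from the article or from any bank's payment system), the screening below applies the two signals this section describes to a constructed batch of transfer requests: beneficiary-name tokens that are near-misses of dictionary words, like "fandation", and an aggregate amount that exceeds a per-batch threshold. The word list, the threshold and the sample requests are all assumptions made for illustration.

```python
"""Screening outgoing wire requests for the two signals described above.

Added example, not from the article: a constructed batch of SWIFT-style
transfer requests is checked for (1) beneficiary names containing near-misses
of known words, as with "fandation", and (2) an aggregate amount per batch
above an escalation threshold. Lexicon, limit and sample data are assumptions.
"""
from difflib import get_close_matches

# Constructed word list; a real deployment would use a far larger lexicon.
LEXICON = {"foundation", "trust", "bank", "international", "holdings", "corp"}
BATCH_LIMIT_USD = 100_000_000  # hypothetical per-batch escalation threshold


def suspicious_tokens(name: str) -> list[str]:
    """Return tokens in a beneficiary name that are close to, but not in, LEXICON."""
    flagged = []
    for token in name.lower().split():
        if token in LEXICON:
            continue  # exact dictionary word: nothing to flag
        # similarity ratio >= 0.8 catches single-letter slips like fandation/foundation
        if get_close_matches(token, LEXICON, n=1, cutoff=0.8):
            flagged.append(token)
    return flagged


def screen_batch(requests: list[dict]) -> dict:
    """Screen a batch of {'ref', 'beneficiary', 'amount_usd'} requests; return holds."""
    holds = []
    for req in requests:
        typos = suspicious_tokens(req["beneficiary"])
        if typos:
            holds.append((req["ref"], "beneficiary near-miss: " + ", ".join(typos)))
    total = sum(r["amount_usd"] for r in requests)
    if total > BATCH_LIMIT_USD:
        holds.append(("BATCH", f"aggregate {total:,} exceeds {BATCH_LIMIT_USD:,}"))
    return {"total_usd": total, "holds": holds}


# Constructed sample batch; these are not the real requests from the heist.
SAMPLE_BATCH = [
    {"ref": "TX001", "beneficiary": "Northwind Fandation", "amount_usd": 20_000_000},
    {"ref": "TX002", "beneficiary": "Ocean Holdings Corp", "amount_usd": 30_000_000},
    {"ref": "TX003", "beneficiary": "Harbor Trust Bank", "amount_usd": 60_000_000},
]

if __name__ == "__main__":
    for ref, reason in screen_batch(SAMPLE_BATCH)["holds"]:
        print(f"HOLD {ref}: {reason}")
```

On the sample batch this holds TX001 for the near-miss and the whole batch for its $110 million aggregate, which is the kind of second look that stopped the later transfers here.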

8 Cyber Warnings E-Magazine – April 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide