The hacker, hacked: national criminals attack Russian banks

As the investigation into the Kremlin’s alleged interference in the US presidential election continues to swirl, Russia has effectively become the poster child for all things cyber crime.

“I believe that President Putin has clearly come to the conclusion there’s little price to pay here and that therefore ‘I can continue this activity’,” NSA director Mike Rogers said in a US congressional hearing in February.

In Russia, however, the scourge of its hackers is fast becoming a problem for the country’s own businesses.

Russia was one of the countries worst affected by the WannaCry attack last year. Even though the US and UK have blamed the Kremlin for using the NotPetya attack a few months later to target Ukraine, Russian companies such as Rosneft, state-run oil giant, were also affected.

Most vulnerable, however, are Russia’s banks. Hackers used the Cobalt Strike security-testing tool to steal more than $17m from more than 240 Russian banks in 2017, according to the central bank. In the past few months, hackers used the Swift payment system to steal $6m from an unnamed bank and tried to steal nearly $1m from state-owned Globex.

Russia is now keen to change the perception of the country as a hacker’s paradise by showing that it, too, is trying to clamp down on cyber threats.

Dmitry Skobelkin, a deputy central bank governor, said last month that the central bank would create an information security department.

Banks don’t have legal reporting requirements and nobody knows what to do

Sergey Golovanov, Kaspersky Labs

Those efforts will come on top of the work already being done by state-owned Sberbank, Russia’s largest lender. The bank’s size — it is nearly three times as large by assets as its nearest rival and has half of all bank deposits in Russia — has made it a prime target for hackers.

“Sberbank gets hit by everything first,” says Ilya Sachkov, founder of Group-IB, a Moscow-based cyber security company. “They’re the first line of defence.”

In response, Sberbank has developed a state of the art cyber security centre that monitors the bank’s 16,000 branches for threats, and successfully repelled the WannaCry virus in May last year. The bank has even offered its services to other lenders in an effort to remove weak links in the system.

“Little banks can’t afford good security,” says Sergey Golovanov, principal security researcher at Kaspersky Labs in Moscow. “Banks don’t have legal reporting requirements and nobody knows what to do.”

Sberbank is planning to launch its own cyber risk insurance service this spring. “It’s very complicated and very serious,” said Stanislav Kuznetsov, Sberbank’s deputy chairman in charge of cyber security, in January, according to the state newswire RIA Novosti.

“It could be a breakthrough for us, when our platform will defend banks and companies from any and all attacks.”

Mr Sachkov says Russian hackers have turned to Russian banks in recent years because of the relative ease of making off with the proceeds of theft.

“It’s very hard to find a way to turn [stolen money] into cash in the US,” he says. In Russia, by contrast, where a third of the economy exists in cash-based “grey zones”, disguising stolen money as cash withdrawals is far easier.

The greater prize of hacking financial institutions in the US, nonetheless, still tempts Russian hackers.

Russian banks are targeted because of the relative ease of making off with the proceeds

Last December, Group-IB published a report about a new group called Money Taker, which probably has ties to Russian cyber crime and has carried out most of its 20 attacks on banks in the US, with just three in Russia.

“Most problems in Russia are from Russia,” Mr Sachkov says.

The increasing political tension over the Kremlin’s own activities in cyber space, which allegedly stretch from state-sponsored cyber espionage to the sponsoring of a “troll farm”, where employees pretend to be Americans posting bad memes on social media, has, however, severely limited Russia’s ability to co-operate with investigators internationally.

In recent years the FBI’s attempts to co-operate with Russian security services to prosecute cyber criminals have fallen apart after the US claimed that their Russian counterparts were helping protect them.

One notorious Russian cyber criminal, Evgeniy Bogachev, was placed on a US sanctions list in 2016 as part of measures retaliating for Russia’s alleged election meddling.

Talk of a joint cyber security working group fell apart last summer after Donald Trump, the US president, was lambasted in Washington for considering the Kremlin’s proposal.

The biggest victim so far has been Kaspersky Labs, the leading Russian cyber security company that has lost significant parts of its US business after the White House ordered federal agencies to stop using its antivirus software last year.

Mr Golovanov worries that the political tension may spill into a Balkanisation of the cyber security sphere that may ultimately harm all sides. “It creates a very good initiative for criminals to sit far away in a country where they [authorities] don’t co-operate with other law enforcement,” he says.