The 15% change in the ruble exchange rate in February 2015 was the work of hackers

    The high volatility of the ruble may be due not only to sanctions, falling oil prices and a slowdown in the Chinese economy. Another factor is malware and attacks on financial institutions, skillfully planned by attackers. The sharp change in the ruble exchange rate in February last year was caused by precisely such a hacker attack, RBC and Bloomberg report. The attack was discovered and analyzed by information security experts from Group-IB.

    As it turned out, hackers from Russia managed to break into the security system of the regional bank Energobank and, using malware, change the ruble exchange rate on the exchange by 15%. The Corkow Trojan was used to attack the bank's systems. During the attack, in February 2015, the bank placed orders of more than $500 million at a non-market rate. “This is the first documented attack using this virus, and the damage can be much greater ... Once malware enters the local network, it is difficult to detect, and the malware can infect computers that are not connected to the Internet,” said Dmitry Volkov, head of Group-IB's investigation and cyber intelligence services department.

    The bank's orders caused significant fluctuations in the ruble exchange rate on the exchange, which allowed the hackers to buy dollars at a rate of 59.0560. In just 51 seconds, the attackers sold the purchased currency at a rate of 62.3490. In just 15 minutes, the hackers managed to drive the domestic currency to maximum volatility, with the dollar falling to a minimum of 55 rubles per $1. Before the attack, the dollar stood at 60-62 rubles per $1.

    As mentioned above, the attackers used the Corkow Trojan, which its creators constantly update to bypass the main antivirus products. It is fairly widespread and extremely effective malware that, in a relatively short time, penetrated the computer networks of various financial institutions and other organizations around the world. Experts estimate the total number of PCs infected with the Corkow Trojan at 250 thousand devices. At the same time, in almost all banks where the malware was detected, experts found that licensed antivirus software was operating correctly. The malware is very well designed, so in some cases it can go unnoticed for many months.

    According to representatives of Energobank, the organization’s losses in February 2015 amounted to 244 million rubles (Vedomosti, in particular, wrote about this). The main factor behind such significant losses was the actions of the hackers. After a detailed check, the Moscow Exchange reported that its systems were operating normally.

    After studying the situation, at the end of March 2015 the Moscow Exchange Currency Market Committee recommended that the exchange's board exclude Energobank from the trading participants of the foreign exchange market. The reason was the insufficient security of the bank’s information security system. “As a result of this fraud, the bank suffered great financial and reputational damage, as many players on the market do not trust the hacked version and are happy to blame it on the error of the trading system operator,” Group-IB representatives said.

    Also in 2015, in August, another incident occurred involving unauthorized use of a settlement system that brought together about 250 banks. The system allowed its participants to withdraw funds from Visa and MasterCard cards at competitive rates. In August, several hundred million rubles were withdrawn through the ATMs of one of the participants in the system. As it later turned out, this was an unauthorized disbursement of funds, and the cause was a hacker attack using the same Corkow malware.

    A detailed report of Group-IB can be found here (pdf).
