CyberInt Reports: TA505 Hackers Attacking US Retailers & Global Financial Institutions
April 2019 by CyberInt Research
An investigation by CyberInt’s Research Lab has connected a single gang to a range of attacks against retailers and financial institutions around the world, all of which abuse legitimate remote access software. CyberInt’s managed detection and response solutions protect the world’s leading companies.
The group has used the same tactics, techniques and procedures (TTPs) across these campaigns, including the repeated malicious use of an off-the-shelf commercial remote administration tool, “Remote Manipulator System” (RMS), developed by the Russia-based company TektonIT. Because RMS is a commercially distributed administration tool rather than malware, its binaries are not malicious in themselves; what marks the activity as hostile is how the tool arrives (delivered by phishing rather than installed by IT) and how it is then used (to control hosts from outside the organization).
The group was behind attacks on the global financial industry between December 2018 and February 2019, launching campaigns against financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, among others, as well as December 2018 campaigns against US-based retailers. The campaigns are continuing today.
The financially motivated TA505 has been active since 2014, when it began high-volume malicious email campaigns, including the distribution of the “Dridex” and “Shifu” banking trojans as well as the Neutrino botnet/exploit kit and Locky ransomware.
The members of TA505 are thought to be native Russian speakers, based on analysis of their code.
CyberInt’s Research Lab discovered the attacks thanks to its outside-in approach, which seeks out threats before they enter the organization. CyberInt’s machine learning-based AI detection platform automatically sorts through hundreds of thousands of events across the Internet, deep web and darknet, bringing specific patterns to the attention of cyber-analysts, who then investigate the TTPs and their impact on CyberInt’s customers.
“Although they are using phishing and social engineering to get the software into the organizations, once it’s installed, it’s virtually undetectable by traditional threat protection systems because it’s legitimate software,” says Adi Peretz, Senior Strategic Consultant and Head of Research at CyberInt. “They are still very much active. This is only the beginning of our deep-dive investigation.
“Our ‘white hat-hacking approach’ makes it critical that we reveal their TTPs so organizations can better prepare themselves. Signature detection doesn’t work, but if you focus on training your employees to avoid their modus operandi, you have a greater chance of protecting your organization.”
CyberInt recommends adopting a machine learning technology platform tailored to the individual business’s specific requirements, where analysts determine in advance which types of threats they need to mitigate first.