View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 16, 2016updated 04 Sep 2016 10:12pm

From Russia with Love: why banking Trojans and malware come from the East

Analysis: How organized crime has found a use for Russia’s skilled programmers.

By Charlotte Henry

Russia, and the Eastern Block more broadly, is becoming a notorious exporter of malware, particularly Trojans aimed at the banking sector.

Chris Dye, VP Strategic Alliances, Glasswall Solutions told CBR: "The evidence that we are hearing from our customers and hearing from the market is that Russia is certainly a source, amongst others."

"The general market evidence and feeling from our customers is there’s definitely a growing presence from that region," he said.

David Emm, Principal Security researcher at Kaspersky Lab agrees. "A lot of it is certainly developed in Eastern Europe," he told CBR. " Certainly it’s one of the sort of hotspots in terms of banking Trojans, and that applies equally to the growing number of banking Trojans aimed at mobile devices now. "

Catalin Cosoi, Chief Security Strategist at Bitdefender, goes further. "Russian operators are linked to some of the nastiest viruses in the IT world," he said. "The area is known as a breeding ground for hackers."

Countries all over Western Europe are bearing the brunt of these attacks. Just recently, on February 14th 2016, cyber security expert PeterKruse wrote that Android malware aimed at Android had been seen in the wild, after previously appearing on Russian forums.

Kruse wrote that "a swarm of SMSs were sent to random phone numbers in Denmark and likely elsewhere. The content of the SMS had the purpose of luring the recipient into clicking the provided link, which would serve up a malicious APK."

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Critically, Kruse noted that phones located in Russia could not be infected by the malware.

How then did such a situation come about?

Casoi said it is "a situation facilitated by the difficulty in extraditing offenders. As hacking has become a lucrative occupation for skilled professionals incentivised by huge financial gains, the anonymous nature of organised crime and the lack of global cybercrime laws thus helps Russian hackers thrive in their business."

Others also attribute it to the prevalence of resources. Dye said: "It’s maybe the availability of resource and the skills base there that gives this particular region to exploit these attacks, but really specifically why I wouldn’t like to say really."

"Partly I think it’s the presence there of people with those kind of skills," said Emm. "What we have is perhaps a market place which in totality is not as developed as let’s say in Western Europe, but nevertheless you’ve got lots of people with cyber skills."

Tim Erlin, Director of IT Security and Risk Strategy at Tripwire, takes a similar line to Casoi, saying that there is an abundance of talent, but think it has turned to crime because there was no legitimate outlet for it.

"The former Soviet Union as a whole has produced a fairly robust population of skilled programmers," he said, "but the economics of the region haven’t necessarily provided them with opportunities that are both profitable and legal. Organized cyber-crime has stepped in to fill the void, employing savvy programmers to build their illegal businesses."

The abundance of talent finding a home in the criminal underwold is only one part of the story though. There is increasing attention and fear towards advanced gangs of cyber criminals who are state backed, or at least state ignored, in Russia.

Erlin said: "It’s important to distinguish malware created by the Russian government from malware that’s simply originating in Russia. The attribution of malware to a specific group, whether organized crime or nation state, isn’t always simple.#

One of the most notorious recent cyber attacks that Russia has been accused of is BlackEngergy. It’s a Trojan, but not aimed at the banking sector. Instead it took out the power in a Ukranian town, and is also thought to have been used in attacks against a Ukranian mining firm and railway operator.

"BlackEnergy itself is a product of the talent in the region, the criminal organizations with resources and the growing importance of Energy as a target. It was originally built as a denial of service tool, but its capabilities were expanded over time to provide more functionality," said rlin.

While many of the attacks are targeted at Western Europe, the consequences are felt within Russia too. On February 15th 2016, there was a 15% swing in the value of the Russian Ruble after malwre known as Metel or Corkow was used to break into the Kazan-based Energobank.

The malware placed on its behalf $500m worth of orders seemingly from the bank, which caused the currency swing and triggered an investigation by the Russian Central Bank.

This of course, leaders to fears as to whether British business and finance is a target. "I wouldn’t say we particular are," said Emm, somewhat reassuringly, before adding "I think this is a worldwide phenomenon actually."

"There’s a saying in England: Where there’s smoke, there’s fire," Bond says in From Russia with Love. The smoke is cyber security land is certainly blowing from Russia at the moment, and it’s not coming with much love.


Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.