Photographer: Simon Dawson/Bloomberg

Russian Hackers Moved Ruble Rate With Malware, Group-IB Says

  • Hackers moved ruble-dollar rate more than 15% in 14 minutes
  • Corkow Trojan malware behind more than $500 million in trades

Hackers used malware to penetrate the defenses of a Russian regional bank and move the ruble-dollar rate more than 15 percent in minutes, according to a Moscow-based cyber-security firm hired to investigate the attack.

Russian-language hackers deployed a virus known as the Corkow Trojan to infect Kazan-based Energobank and place more than $500 million in orders at non-market rates in February 2015, Group-IB told Bloomberg, without identifying individuals behind the attack. The resulting rate swing prompted a Russian central bank investigation into potential market manipulation.

Malicious software of the type used in the attack can open a back door into computers via seemingly legitimate websites or files and then force them to carry out hackers’ orders. Corkow, which regularly updates itself to evade detection by anti-virus programs, has infiltrated 250,000 computers worldwide and infected more than 100 financial institutions, according to Group-IB, which investigated the attack on behalf of Energobank.

“This is the first documented attack using this virus and it has potential to do much more damage,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, said by phone. “Once the malware has penetrated a local network, it is sophisticated enough to infect computers that are even not connected to the Internet.”

The Moscow Exchange has said its currency market systems were not hacked in the incident on Feb. 27, 2015. In a separate investigation, the central bank said it found no evidence of currency market manipulation, noting the fluctuations could have been caused by traders’ mistakes.

The volatility lasted 14 minutes and caused the exchange rate to swing between 55 and 66 rubles per dollar, which “significantly differed from the prevailing market rate,” the central bank said in a statement on Dec. 17.

The bank claimed losses of 244 million rubles ($3.2 million) due to the trades, Vedomosti newspaper reported last year, citing a suit filed by Energobank in a Kazan court. There is no evidence that the hackers profited from the operation and it may have been a test to prepare for future attacks, according to Group-IB.

Energobank, the exchange and the central bank did not respond to e-mailed queries.

ATM Attack

The virus was also used in an attack on a Russian bank card system that resulted in hundreds of millions of rubles being stolen via ATMs in August, Group-IB said. Corkow infected a Russian bank network via e-mail, Moscow-based security firm Kaspersky Lab said in a statement Monday. The anti-virus maker declined to identify the lender due to a non-disclosure agreement.

The malware, created by the Metel criminal group, allowed the bank’s card holders to make withdrawals at ATMs belonging to other lenders without drawing down their balance, allowing for multiple transactions over the course of a single night.

Metel is only known to be active in Russia, although it may present a threat to financial institutions around the world, according to Kaspersky Lab.

Before it's here, it's on the Bloomberg Terminal. LEARN MORE