Ukrainian RATS, Israeli MiFis, and a French connection tell a tale of cyber-insecurity

Ukrainian RATS, Israeli MiFis, and a French connection tell a tale of cyber-insecurity

The brazenness of hackers, and their ability to engineer their way into a stolen fortune, is reaching new heights, says security company Symantec

A cartoon rendition of the "French Connection" hack attack (Photo credit: Courtesy)
A cartoon rendition of the "French Connection" hack attack (Photo credit: Courtesy)

There’s a whole new world of cyber-insecurity out there, and even organizations that employ the best defenses are vulnerable. The hyper-connected “always-on” world, where networks can be accessed from a plethora devices, and from almost anywhere, has proven to be a boon for many – including hackers, who have so many more opportunities to wreak havoc on businesses of all sizes than they did just a few years ago.

The reach hackers have is illustrated by an incident involving a French corporation, a Ukraine-based RAT (Remote Access Trojan program, a virus that sucked sensitive data off the corporation’s servers for months) – and an Israeli cellphone network, which the hacker apparently used to access the Ukrainian RAT and root around the French company’s computers. The story, revealed by security company Symantec, is a sobering reminder that hackers can more or less operate from anywhere, reach anyone, and do whatever they like, whenever they like.

The saga began last April, when an administrative assistant to a vice president at a French-based multinational company received an email referencing an invoice hosted on a popular file sharing service – a message that was definitely within the realm of “normal” for this business. A few minutes later, the same administrative assistant received a phone call from another vice president within the company, instructing her to examine and process the invoice.

The caller spoke with authority and used perfect French. However, the invoice was a fake, and so was the “vice president” who called her. The caller was actually a hacker, and the invoice contained a RAT, a program that, once inside a system, searches out information and sends it to a remote server, where hackers can examine it at their leisure. A RAT attack of this kind, Symantec experts said, is typical of the new kinds of attacks corporations are being subjected to daily: A custom-designed virus that is sent and used once (so it’s almost impossible to detect with standard anti-virus software) in order to gain access to specific organizations, and sometimes even specific servers in the organization.

With the RAT installed, the hackers had full control of the administrative assistant’s infected computer. They logged keystrokes, viewed the desktop, and browsed and downloaded files. In order to avert suspicion, the hacker “played it cool,” trying to make the data transfer as unobtrusive as possible by doing it slowly. Once they got what they needed, though, stealing a large sum of money from the company was like taking candy from a baby.

Chutzpa is a hallmark personality trait in many hackers, but this gang was particularly brazen. The hackers stole disaster recovery plans and contact information for the company’s Internet service providers, bank and telecom account data, and more. Using this information, the attackers were able to impersonate a company representative and called the organization’s telecom provider. They proved their authenticity to the telecom provider (using the account information they purloined), claimed that a physical disaster had occurred, and said that they needed all of the organization’s phone numbers to be redirected to attacker-controlled phones. Immediately following the phone number redirection, the attacker faxed a request to the organization’s bank, requesting multiple large-sum wire transfers to numerous offshore accounts.

As one would expect (and hope), the bank called the a company executive to get a verbal confirmation of the request – but as the hackers had managed to hijack the company’s phone system, the “executive” naturally gave the required go-ahead. The money was transferred, never to be seen again – lost in a money-laundering maze of international accounts and transactions.

The April attack was the first documented one of this attack strategy, Symantec said, but it was so successful, hackers repeated it, and by May, said Symantec, the tactic had solidly established itself in France and other European countries. The gang (or by now, gangs – it’s possible that the originators either sold the tactic to others, or subcontracted hackers to help out, said Symantec), using the basic paradigm, came up with some interesting twists.

In one case, an attacker, impersonating IT staff, called the victim and informed them that some system maintenance was required on the fund transfer system. They convinced the victim that due to customer privacy reasons, the monitor needed to be turned off while they performed the task. While the monitor was off, the attacker used the in-house system to transfer large sums of money to offshore accounts using the victims existing and active access to the system, with the victim none the wiser, of course, because s/he wasn’t watching the screen.

In another incident, said Symantec, an attacker impersonated a bank employee and sent an email to an actual bank employee, in impeccable French, mentioning that the bank’s computer systems were being upgraded. The next day the attackers called the email recipient, claiming to be working for the same bank, and requested a ‘test’ wire transfer. The ‘test’ wire transfer lead to money being sent to an offshore account.

In all cases, the hackers knew whom to e-mail and call, what the company’s procedures for transferring money were, and the hierarchy of who answered to whom in the organization. “These tactics, using an email followed up by a phone call using perfect French, are highly unusual and are a sign of aggressive social engineering,” Symantec said. “In most cases, the first victim was an administrative assistant or accountant within the organization. In cases where the initial victim did not have rights to wire funds, the attacker used the victim’s credentials to identify an employee within the accounting department that had authority. The attacker then conducted further social engineering activities to compromise that individual’s computer,” the security organization said.

There are many elements for concern in this story, from the aggressiveness of the hackers to the apparent naivete of employees who complied with orders – no doubt fearing they would be accused of slacking off if they did not do as they were told. But the scariest part of the story, said Symantec, is the method of execution. No longer are hackers restricted to fixed locations using wifi networks and ethernet cables (which, using IP address records, give authorities at least a fighting chance to track down attackers); thanks to the expansion of fast cell data networks that allow a robust surfing experience, hackers can now use those networks to invade, command, and control their victims’ networks while they are on the go.

That is exactly what happened in the “French Connection” hacking cases, said Symantec. “By examining emails and traffic, we were able to determine that the attacker is located in, or routing their attacks through Israel. The originating IP addresses in Israel, however, are unusual as they are within a netblock for mobile customers of an Israeli telecom company. Furthermore, by performing traffic analysis, we were able to determine that the attacks are indeed originating from a mobile network and, crucially, that the attacker is using MiFi cards,” an external device that allows laptop users to access the cell network for data surfing.

Unlike wifi, the cell network is ubiquitous and accessible from anywhere there is cell coverage. The hacker could have acquired an unactivated MiFi device, and bought a prepaid data access package from an Israeli cellphone service provider – or from a provider from anywhere else in the world, which had a deal with the Israeli companies to provide data services for their customers. In other words, the hackers could have been using a cellphone service provider located anywhere in the world, making tracking them down like searching for a very small needle in a worldwide haystack.

But even assuming that such information could be discovered, it would be impossible to get a fix on the hacker’s physical location, said Symantec; the traffic analysis indicated that the attackers were actually on the move when they were conducting the attacks. The only way you could catch hackers using this system, the company said, was to figure out which cellphone service provider’s package the hacker was using (from the umpteen companies around the world that provide data packages), determine where the hacker was located (i.e., which cellular data network was being accessed in which country), and triangulate the on-the-move hacker’s position – in real-time, while the attack was going on.

The odds of that happening? Next to nothing, said Symantec – and anyway, a hacker bright enough to come up with a trick like this is certainly going to get rid of the MiFi device, the only physical evidence of the crime, as soon as the money is transferred. Meaning that with a tactic like this, the authorities are basically helpless.

“These operational security techniques make the attacker extremely difficult to trace,” Symantec said. “The use of such a technique for cybercrime illustrates the increasingly sophisticated techniques that attackers employ. This is a good example of how cybercriminal operations are becoming increasingly sophisticated, a trend that is likely to continue in the future.”

Map of the 'French Connection' hack attack (Photo credit: Courtesy)
Map of the ‘French Connection’ hack attack (Photo credit: Courtesy)
Join us!
A message from the Editor of Times of Israel
David Horovitz

The Times of Israel covers one of the most complicated, and contentious, parts of the world. Determined to keep readers fully informed and enable them to form and flesh out their own opinions, The Times of Israel has gradually established itself as the leading source of independent and fair-minded journalism on Israel, the region and the Jewish world.

We've achieved this by investing ever-greater resources in our journalism while keeping all of the content on our site free.

Unlike many other news sites, we have not put up a paywall. But we would like to invite readers who can afford to do so, and for whom The Times of Israel has become important, to help support our journalism by joining The Times of Israel Community. Join now and for as little as $6 a month you can both help ensure our ongoing investment in quality journalism, and enjoy special status and benefits as a Times of Israel Community member.

Become a member of The Times of Israel Community
read more: