The Lurk financial cybercrime group: What businesses can learn

What lessons can businesses learn from the story of our investigation of the activity of the Lurk gang?

In early June 2016, Russian police arrested alleged members of the criminal group known as Lurk. The group is suspected of stealing nearly $45 million using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations, including banks.

For Kaspersky Lab, the arrests marked the culmination of a nearly six-year investigation by the company’s Computer Incidents Investigation team. During these years, we’ve collected an enormous volume of intelligence about how a typical Russian-speaking cybercriminal group operates. And we think some of our findings could help all businesses protect themselves better.

In early June, we published a technical analysis of the malware, also called Lurk, which you can read here. And we recently published the full story of our investigation of the activity of the Lurk gang, which is available here. So: What lessons can businesses learn from our recent story?

  1. If you have remote access to your company’s banking account, you are a target.
    Lurk began as a very low-profile threat and targeted only a limited number of organizations. But as the group, and its tools, developed, the list of organizations of interest widened. At one point, Lurk was attacking anyone it could, including ordinary users, some with access to no more than a few hundred dollars.
  2. The attackers are pros.
    Don’t expect any group behind an attack on your organization to be amateurs. The results of our investigation reveal the opposite.

    In 2013, around the middle of our investigation, we determined that we were dealing with a group of about 15 people (although by the time Lurk was shut down, the number had risen to 40). This team provided the so-called full cycle of malware development — delivery and monetization — rather like a small software developer.

    At that time the “company” had two key “products”: the malicious program, Lurk, and a huge botnet of computers infected with it. The malicious program had its own team of developers responsible for developing new functions, searching for ways to “interact” with remote banking systems, providing stable performance, and fulfilling other tasks. A team of testers supported the developers, checking program performance in different environments.

    The botnet also had its own team (administrators, operators, a money flow manager, and other partners working with the bots via an administration panel) that ensured the operation of the command-and-control (C&C) servers and protected them from detection and interception.

    Developing and maintaining this class of malicious software requires professionals, and the leaders of the group recruited them on job search sites. Examples of such job postings are covered in my article about Russian financial cybercrime. The job descriptions did not mention the illegal nature of the work. At the interview, the “employer” questioned candidates about their moral principles, then tell agreeable applicants what kind of work they would be expected to do. Those who agreed got in.

    When thinking about financial hackers and how to protect your company against them, think of them the way you think about a business competitor: a team of highly motivated professionals that want your money. Unlike your legitimate competitors, however, criminal hackers are not constrained by any laws. In other words, do not underestimate this threat. Even though in recent years the banking and IT security industries have implemented a lot of security measures, and law enforcement agencies have caught many suspects, criminal groups are still out there.

  3. Report suspected attacks to the police immediately, and call forensic experts as well.
    During our investigation, we hit a stretch when we had to put our activities around Lurk on hold. In 2011 and 2012, there simply wasn’t much to investigate; there were no reports of Lurk malware. At one point, we even thought the Lurk group might have left the scene. But as we learned later, that was incorrect.

    The problem was that many victims were not reporting the incidents: not to law enforcement, not to us, not to other security experts. In some cases, companies found it preferable to cover their losses and move on rather than deal with time-consuming communications with police and security experts. The risk of loss to reputation kept some quiet. And in some cases, victims eventually reported the incident, but only after a considerable amount of time.

    Time is of the essence in criminal investigations, however. It is crucial to collect evidence as soon as possible; the more time that passes, the better criminals can cover their tracks.

    Another reason to report immediately is that financial data exchange systems can provide a real chance of thwarting theft. On its way to money mules’ accounts, money is usually routed through several other accounts. The sooner victims report theft, the better the chances of stopping the money flow at one of those checkpoints.

  4. There is a point to reporting crimes like these. They’re not unstoppable. It takes time, but eventually criminals get caught.
    Another reason organizations cite for not reporting cybercrime is a lack of confidence in law enforcement agencies and security specialists. Even those organizations that do report crimes say they are not really sure their reporting will have a positive result.

    Well, let us sound a bright note. Yes, the investigation of Lurk was long — we were dealing with a very sophisticated criminal enterprise that had a strong focus on staying undetected. Although some types of evidence are easier to hide on the Internet than in a physical crime scene, some traces cannot be hidden, and eventually a professional team of investigators will find a way to read and understand them.

    Lurk is neither the first nor will it be the last example of a long investigation paying off. The infamous banking Trojan SpyEye was used to steal money between 2009 and 2011. Its alleged creator was arrested 2013 and convicted in 2014. Carberp began attacking banks in 2010; the members of the group suspected of creating and distributing this Trojan were arrested in 2012 and convicted in 2014. The list goes on.

    The history of these and other cybercriminal groups spans times when everyone (members of the groups in particular) believed that the criminals were invulnerable and the police could do nothing. History has proved them wrong.

  5. Make sure your remote banking software is up to date and well secured.
    While investigating the activity of Lurk, we witnessed big changes in how banks, banking software vendors, and the security community regard the security of financial transactions.

    At the very beginning, in 2011, Lurk was able to steal money in a way that was almost automatic, simply because the remote banking services software of that time allowed it to. Now in 2016, that is not possible anymore in most cases. I say in most cases because even though plenty of solutions now exist for secure banking for consumers and corporate users, some banks and companies still work with software from that less-secure epoch. That is a terrible decision; even though Lurk was the biggest financial cybercrime group to date, it was certainly not the last one. That is why, when dealing with remote banking software, it’s critical to make sure that you use a product that accounts for all known risks that come from groups like Lurk.

    In addition to making sure the software is up to date, use multifactor authentication to protect accounts. And don’t use just any multifactor authentication; use reliable multifactor authentication. That means using a bank whose authentication includes not just a SIM card number (which can be cloned) but also its unique IMSI number.

    Some background: While Lurk was still operating, several cities were swamped with announcements about fraudulent requests to reissue SIM cards. As it turned out, the Lurk group was cloning SIM cards of employees of organizations they planned to rob. The cellular numbers were attached to corporate financial accounts — using two-factor authentication, banks sent one-time passwords to those numbers. Banks that identify IMSI numbers require users to register new cards in person.

  6. Educate staff. In particular, educate everyone who works with financial documents and software.
    No matter how sophisticated an attack may be, it usually starts with a human: An employee clicks on an e-mail attachment or link. The best way to mitigate financial cyberattack is to avoid it in the first place, and education is the first step. Teaching your employees, especially those who work with remote banking systems on daily basis, how to distinguish real e-mails from malicious one, what phishing is, and how to spot social engineering, will reduce the risk of being hacked significantly.

    That advice also applies to the IT people in your organization. Especially if yours is a small business, you may not have a dedicated cybersecurity unit. And just because your IT staff is capable of setting up and maintaining the tools necessary for day-to-day operations doesn’t mean that they are security pros. As we’ve seen in another episode of Lurk’s activity, IT staff may easily become the entry point for cybercriminals. That is why if IT security tasks in your organization are handled by your system administrator, it is very important to make sure that sysadmin is sufficiently educated — and stays up to date — in cybersecurity.

    To sum up: Don’t scrimp on staff education. Spending now could save you a lot of money in the long run.

  7. Use proven security solutions and apply strict IT security policies, particularly on terminals from which financial transactions are made and for employees working with them.
    This advice should not be new; we repeat it all the time: A proven corporate-grade security solution will cover financial malware problem for your organization — if not 100% then very close to it.

If your organization has thousands of endpoints, you should consider also installing a solution that blocks targeted attacks, one that is capable of spotting network anomalies and reporting them to a security officer. Another strong security measure is smart network segmentation that hardens external Internet access to workstations from which financial operations are made; that will make intrusion into your network if not impossible at least very expensive.

The latter is much more important than it may look at first glance. When we analyzed network infrastructure behind Lurk we tried to estimate its cost of ownership. By our estimates, its monthly costs may have run to the hundreds of thousands of dollars. Additional costs include salaries for “employees” as well as purchasing exploits and more. To cover all of those bills, the Lurk group had to be quite profitable. The more expensive your IT infrastructure is to attack, the less attractive it will be to criminals.